'AADSTS50126' "invalid_grant" Error validating credentials due to invalid username or password

Faraha 46 Reputation points
2020-06-19T15:57:33.767+00:00

I am doing a POC on ms graph api to read mails from mailbox.Since it is for a desktop app I am using Username/Password for authorization. Here is what I am doing

UsernamePasswordProvider authprovider = new UsernamePasswordProvider(clientId, scopes, userName, password,
NationalCloud.Global,/ AuthConstants.Tenants.Organizations*/tenantId, clientSecret);
IGraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider(authprovider)
.logger(logger).buildClient();
IMessageCollectionPage message = graphClient.me().messages().buildRequest().select("subject,sender,from,toRecipients").get();*

It internally calls an API which is mentioned below:

METHOD: POST

https://login.microsoftonline.com/\<myClientId>/oauth2/v2.0/token
Body:
{
"password":"500****on%24",
"grant_type":"password",
"scope":"user.read+openid+profile+offline_access",
"client_secret":".Dz%7Ep-S********%7EbAUqT9tK_5***g",
"client_id":"e056a210-*-44f7-99ef-*******a",
"username":"Fnu.*%40****.com"
}
I am getting the below error:
{
"error": "invalid_grant",
"error_description": "AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: e3c4d7f6-5e2d-41fb-b51d-875e9a7b4801\r\nCorrelation ID: e16fc3e8-a16f-4a47-851a-59ff680542cf\r\nTimestamp: 2020-06-19 14:51:33Z",
"error_codes": [
50126
],
"timestamp": "2020-06-19 14:51:33Z",
"trace_id": "e3c4d7f6-5e2d-41fb-b51d-875e9a7b4801",
"correlation_id": "e16fc3e8-a16f-4a47-851a-59ff680542cf",
"error_uri": "https://login.microsoftonline.com/error?code=50126"
}

I am using the correct username and password.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,473 questions
0 comments
Accepted answer
  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2020-06-24T14:17:49.207+00:00

    Hi @Faraha-6803

    Based on the Correlation ID and Trace ID, I tracked the request in our backend database and found that the account you are using is doing Federated authentication. Federated authentication doesn't mean that you are using ADFS, you can use 3rd party IDPs such as Auth0, OneLogin etc.

    Basically, if you see below redirect message while trying to sign-in via browser using the same account, you are using federated authentication.

    10606-capture.jpg

    If you are making an API call via an application like postman which can't do this redirection, credentials can't be verified and you get invalid username or password error. Since this error is not very descriptive, there is an active feedback regarding this, which was shared by Marilee.

    I would suggest you to create a new account with UPN like username@your_tenant.onmicrosoft.com to be sure you are not using federated authentication and test with that account. As your_tenant.onmicrosoft.com domain always use managed authentication, credentials are verified in Azure AD and no redirection to federated IDP is needed. That way you can isolate that the issue is due to federated authentication or not.

    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.

    4 people found this answer helpful.

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2020-06-22T22:20:57.68+00:00

    Hi @Faraha-6803 ,

    Can you please try resetting the password to isolate if it's actually related to the credentials?

    There is an open bug and product feedback item out for this issue of the "invalid username or password" error showing up when the credentials are correct. https://feedback.azure.com/forums/34192--general-feedback/suggestions/40491214-aadsts50126-invalid-username-or-password-return

    Not sure what your full setup is, but if you have federated authentication enabled for user sign-in I would also check out Amanpreet's comment in this thread:

    If you have Federated authentication enabled for user sign-in, you get redirected to the federated IDP for credentials validation. Now when you are using ROPC flow via postman, this redirection is not possible and it results in Invalid username or password error.

    In order for this to work, you would need to disable federated authentication and use managed authentication so that AAD can verify the credentials locally and no redirection is required. You can confirm this by requesting a token for cloud only user account.

    As you supply your credentials in the request body in case of ROPC, the redirection won't happen based on UPN Suffix, If you use other flows like Implicit or Code Grant flow, you get ADAL prompt (as shown below) which supports redirection and federated auth would work in that case.

    10487-amanscreenshot.png

    So you may need to test the token request on a cloud only account to confirm if this is the same issue.