Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

OAuth2 with Azure AD - Not getting user consent

I am trying to get the OAuth2 workflow to perform correctly for Azure AD. I am following the directions from this source: https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx

I can successfully get an authorization code response by using this request: https://login.microsoftonline.com/[app-endpoint-id]/oauth2/authorize?response_type=code&client_id=[client-id]&redirect_uri=[redirect-uri]

I then use the authorization code to request an access token with a http post like so (I am testing this using Postman):

POST /[app-endpoint-id]/oauth2/token HTTP/1.1 Host: login.microsoftonline.com Cache-Control: no-cache Postman-Token: ed098281-9aa4-6e5f-915d-0253d9a876d3 Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&client_id=[client-id]&code=[authorization_code]&redirect_uri=[redirect_uri]&client_secret=[client-secret]&resource=[app-url]

I get the following error message from the POST request:

{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'app-id'. Send an interactive authorization request for this user and resource.\r\nTrace ID: trace-di\r\nCorrelation ID: correlation-id\r\nTimestamp: 2016-01-13 17:18:39Z","error_codes":[65001],"timestamp":"2016-01-13 17:18:39Z","trace_id":"trace-id","correlation_id":"correlation-id"}

If I clear my cache and make the first request for the authorization code I will be redirected to log in. However, I don't get any way to authorize my app after logging in like it says I should in this documentation:

//azure.microsoft.com/en-us/documentation/articles/active-directory-integrating-applications/

What am I doing wrong here? I am trying to get an access token.

like image 255
Spensaur Avatar asked Jan 13 '16 19:01

Spensaur


People also ask

Does Azure AD support oauth2?

Azure Active Directory (Azure AD) supports all OAuth 2.0 flows.

How do I validate access token in oauth2 Azure AD?

There are two steps to verify the token. First, verify the signature of the token to ensure the token was issued by Azure Active Directory. Second, verify the claims in the token based on the business logic. For example, we need to verify the iss and aud claim if you were developing a single tenant app.

What is user consent in oauth2?

If a user authenticates through a third-party application and the application requests authorization to access the user's information or perform some action at an API on their behalf, the user will see a consent dialog. For example, this request: GET /authorize?


1 Answers

The problem you are running in to is that the tenant you are using to access your app has not added your application to the list of applications that are supported. It's telling you to use the interactive flow as an administrator.

Consent is a two step process:

1) First, the administrator of the tenant must approve the app. This can be done either 1) in the Azure portal of the tenant wishing to use the app or 2) by launching the app and using admin credentials against the app when you sign in.

Example of the Azure portal approval:


(source: azurecomcdn.net)

2) Second, any additional user (non-admin) will be promoted to consent for their individual information when using the app for the first time after the admin has consented that the app can be used.

like image 87
Brandon Avatar answered Oct 09 '22 10:10

Brandon