You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
On-Behalf-Of flow: The user or administrator has not consented to use the application with ID 'app-guid' named 'app-name'. Send an interactive authorization
#226
Open
ChuksObi opened this issue
Jul 22, 2022
· 0 comments
- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
My setup
I have an ASP.NET Core MVC (net5.0) web app configured with Azure AD. I have an ASP.NET Core (net5.0) Web API configured Azure AD.
I login to the client and I obtain the token in the client web app and use it when requesting resources from the Web API through JS, this works fine. I get responses and I can obtain the current user making the request. I used this MS guide active-directory-aspnetcore-webapp-openidconnect-v2. I want to enable communication between the Web API and Microsoft Graph. I have followed part of this Azure sample Web API now calls Microsoft Graph
Any log messages given by the failure
The issue
I have had issues accessing the MS Graph API from my ASP.NET Core API. I have set up everything I think should be as seen in the code, however, I keep getting the error.
InnerException = {"AADSTS65001: The user or administrator has not consented to use the application with ID 'app-guid' named 'app-name. Send an interactive authorization request for this user and resource
I have granted admin consent in the API permissions section, the app uses delegated permissions, it is an organisational app, users must be on Azure AD to login. I have also added the client Id as a known client applications for service in the app manifest.
API Startup.cs services.AddMicrosoftIdentityWebApiAuthentication(Configuration) .EnableTokenAcquisitionToCallDownstreamApi() .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi")) .AddInMemoryTokenCaches(); Example Controller
`[Authorize]
[Route("api/[controller]/[action]")]
[RequiredScope("scope.name")]
[ApiController]
public class ExampleController : ControllerBase
{
private readonly GraphServiceClient _graphServiceClient;
public IEnumerable<Message> Messages { get; private set; }
public ExampleController(IHttpContextAccessor httpContextAccessor, GraphServiceClient graphServiceClient)
{
_graphServiceClient = graphServiceClient;
}
[HttpGet]
public async Task<ActionResult<IEnumerable<DealDto>>> GetDealsWithAccount()
{
try
{
User user = _graphServiceClient.Me.Request().GetAsync().GetAwaiter().GetResult();
}
catch (MsalException ex)
{
HttpContext.Response.ContentType = "text/plain";
HttpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
await HttpContext.Response.WriteAsync("An authentication error occurred while acquiring a token for downstream API\n" + ex.ErrorCode + "\n" + ex.Message);
}
catch (Exception ex)
{
if (ex.InnerException is Microsoft.Identity.Web.MicrosoftIdentityWebChallengeUserException challengeException)
{
_tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeader(_graphOptions.Value.Scopes.Split(' '),
challengeException.MsalUiRequiredException);
}
else
{
HttpContext.Response.ContentType = "text/plain";
HttpContext.Response.StatusCode = (int)HttpStatusCode.BadRequest;
await HttpContext.Response.WriteAsync("An error occurred while calling the downstream API\n" + ex.Message);
}
}
return Ok();
}
}`
Expected/desired behavior
It seems the On-Behalf-Of flow is not working as expected. I expect the web api to make the call to the downstream service and obtain the token for graph. Please correct me if I may be wrong.
This issue is for a: (mark with an
x
)Minimal steps to reproduce
My setup
I have an ASP.NET Core MVC (net5.0) web app configured with Azure AD. I have an ASP.NET Core (net5.0) Web API configured Azure AD.
I login to the client and I obtain the token in the client web app and use it when requesting resources from the Web API through JS, this works fine. I get responses and I can obtain the current user making the request. I used this MS guide active-directory-aspnetcore-webapp-openidconnect-v2. I want to enable communication between the Web API and Microsoft Graph. I have followed part of this Azure sample Web API now calls Microsoft Graph
Any log messages given by the failure
The issue
I have had issues accessing the MS Graph API from my ASP.NET Core API. I have set up everything I think should be as seen in the code, however, I keep getting the error.
InnerException = {"AADSTS65001: The user or administrator has not consented to use the application with ID 'app-guid' named 'app-name. Send an interactive authorization request for this user and resource
Message = IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent.
I have granted admin consent in the API permissions section, the app uses delegated permissions, it is an organisational app, users must be on Azure AD to login. I have also added the client Id as a known client applications for service in the app manifest.
Azure permission granted for API
API appsettings
{ "AzureAd": { "Instance": "https://login.microsoftonline.com/", "Domain": "--", "TenantId": "--", "ClientId": "--", "ClientSecret": "--" }, "Logging": { "LogLevel": { "Default": "Information", "Microsoft": "Warning", "Microsoft.Hosting.Lifetime": "Information" } }, "DownstreamApi": { "BaseUrl": "https://graph.microsoft.com/v1.0", "Scopes": "user.read presence.read mailboxsettings.read mail.read calendars.read files.readwrite", "DefaultScope": "https://graph.microsoft.com/.default" }, "AllowedHosts": "*", "ConnectionStrings": { "DefaultConnection": "--" } }
Client appSettings
{ "AzureAd": { "Instance": "https://login.microsoftonline.com/", "Domain": "--", "TenantId": "--", "ClientId": "--", "ScopeForAccessToken": "--", "ClientSecret": "--" }, "DownstreamApi": { "BaseUrl": "https://graph.microsoft.com/v1.0", "Scopes": "user.read presence.read mailboxsettings.read mail.read calendars.read files.readwrite" }, "Logging": { "LogLevel": { "Default": "Information", "Microsoft": "Warning", "Microsoft.Hosting.Lifetime": "Information" } }, "NASAapi": { "ScopeForAccessToken": "api://guid/scope.name", "ApiBaseAddress": "" }, "AllowedHosts": "*"
API Startup.cs
services.AddMicrosoftIdentityWebApiAuthentication(Configuration) .EnableTokenAcquisitionToCallDownstreamApi() .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi")) .AddInMemoryTokenCaches();
Example Controller
`[Authorize]
[Route("api/[controller]/[action]")]
[RequiredScope("scope.name")]
[ApiController]
public class ExampleController : ControllerBase
{
private readonly GraphServiceClient _graphServiceClient;
}`
Expected/desired behavior
It seems the On-Behalf-Of flow is not working as expected. I expect the web api to make the call to the downstream service and obtain the token for graph. Please correct me if I may be wrong.
OS and Version?
Versions
Mention any other details that might be useful
stackoverflow link
The text was updated successfully, but these errors were encountered: