
So I am writing a .NET 6 Core Web API using Azure AD as authentication for the API.

Now when using the Graph API as an example, you need to set up Graph API scopes in the App Registration. Let's use a delegated "user.read" permission for this example.

I use Postman to receive the access token for the application by authenticating as a user against Azure AD for the API. I would expect to receive a consent screen so I can consent to the usage of "user.read". This does not happen, though. I get logged in and receive a valid access token. In the backend, though, it throws an error because the user / admin did not consent to the application.

How do I get around this? Why don't I get asked to consent to the permissions set up in the app registration? Neither in Postman, nor in a Swagger OAuth flow.

My current workaround for this is to use a React application and sign in over the frontend application. Using the frontend application, I get asked to consent to the permissions. After consenting, I can use postman without getting the "user didn't consent" - error.

Any ideas? What did I miss?

  • When you create a new Azure AD app and use it for authentication and authorization, the first time we sign in with it the consent page will appear; we need to sign in, not just generate the access token. Generating a token won't show us such a consent dialog. Commented Sep 23, 2022 at 5:34
  • You need to sign in every time to generate the access token. Thus it should've shown the consent page. Commented Sep 23, 2022 at 9:51
  • @ZesaRex Can you please share details of how you have configured your API's app registration (did you define scopes?), how you are obtaining the token in Postman (what client ID are you using, what scope are you requesting?), and tell us more about what the API itself does (does it turn around and call Graph?) Commented Sep 27, 2022 at 16:16

1 Answer

Let's focus on the user-consent page first. When we create an Azure AD app, add API permissions to it, use this Azure AD app to integrate Azure AD authentication into your .NET 6 app/React app, and then go to the Microsoft sign-in page and successfully sign in, we will see a dialog indicating that this app requires you to consent to a list of permissions. The permissions correspond to the API permissions you set for the AAD app. After consenting once, it won't ask you to consent again when you sign in next time.

This consent only happens when users sign in. Let's go back to the flows used to generate an access token in Azure AD. Since you used delegated permissions, you probably used the recommended auth code flow (another flow, called the ROPC flow, can also generate a delegated access token, but it is not recommended). When we use the auth code flow, we need to sign in first; the login URL should look like this:

https://login.microsoftonline.com/tenant.onmicrosoft.com/oauth2/v2.0/authorize?client_id=azure_ad_app_id
&response_type=code
&redirect_uri=http://localhost/myapp/
&response_mode=query
&scope=user.read
&state=12345

We need to use it to get the auth code, then we can use the code to generate an access token. Per my test, I created a new Azure AD app, and when I directly hit this URL in the browser and signed in, it still required me to give consent. So I'm afraid the reason you didn't see the dialog when testing in Postman is that you had already consented when testing in the React app, or you aren't using the auth code flow.
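The two steps the answer describes, as an added example that is not part of the original answer or of any Microsoft library: a small offline Python script that builds the same authorize URL (the one the browser must visit, and the only place Azure AD can show the consent dialog), checks the redirect that comes back, and prepares the form body for the code-to-token exchange. The tenant, client ID, redirect URI and scope are the placeholders from the answer's URL; the sample redirect at the bottom is constructed. The `state` check and the PKCE `code_challenge`/`code_verifier` pair are additions beyond the answer's URL, the kind of hardening a public client such as Postman should use; nothing here makes a network call.

```python
"""Azure AD v2.0 authorization-code flow, assembled offline.

Added example, not code from the original answer. Tenant, client_id, redirect
URI and scope are the answer's placeholders; the redirect below is constructed.
"""
import base64
import hashlib
import secrets
import urllib.parse

AUTHORITY = "https://login.microsoftonline.com"


def new_code_verifier() -> str:
    # RFC 7636: 43..128 unreserved characters; token_urlsafe(64) yields 86.
    return secrets.token_urlsafe(64)


def code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(verifier)) with the '=' padding removed.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(tenant, client_id, redirect_uri, scope, state, verifier=None):
    """Step 1: the URL the browser visits. Sign-in and the consent dialog
    happen here; the token endpoint never shows consent."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,  # CSRF token, bound to this login attempt
    }
    if verifier is not None:  # PKCE, an addition to the answer's URL
        params["code_challenge"] = code_challenge(verifier)
        params["code_challenge_method"] = "S256"
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?" + urllib.parse.urlencode(params)


def query_params(url):
    """Single-valued view of a URL's query string."""
    parsed = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return {k: v[0] for k, v in parsed.items()}


def parse_redirect(redirect_url, expected_state):
    """Pull the auth code out of the redirect back to redirect_uri, refusing
    error responses and any reply whose state is not the one we sent."""
    q = query_params(redirect_url)
    if "error" in q:  # e.g. the user declined on the consent dialog
        raise RuntimeError(f"{q['error']}: {q.get('error_description', '')}")
    if q.get("state") != expected_state:
        raise ValueError("state mismatch: reply was not for this login attempt")
    if not q.get("code"):
        raise ValueError("redirect carried no authorization code")
    return q["code"]


def build_token_request(tenant, client_id, redirect_uri, scope, code, verifier):
    """Step 2: endpoint and form body for exchanging the code for tokens."""
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "code_verifier": verifier,
    }
    return url, body


if __name__ == "__main__":
    tenant, client_id = "tenant.onmicrosoft.com", "azure_ad_app_id"
    redirect_uri, scope = "http://localhost/myapp/", "user.read"
    state, verifier = secrets.token_urlsafe(16), new_code_verifier()
    print("open in a browser:", build_authorize_url(tenant, client_id, redirect_uri, scope, state, verifier))
    # Constructed stand-in for the redirect the browser lands on after sign-in.
    redirect = f"{redirect_uri}?code=constructed_code_123&state={state}"
    code = parse_redirect(redirect, state)
    url, body = build_token_request(tenant, client_id, redirect_uri, scope, code, verifier)
    print("POST", url, body)
```

Reading the script alongside the answer: if a client goes straight to the `/token` endpoint (ROPC, or a code obtained some other way), the user never passes through the `/authorize` step, which is where the consent prompt lives. A `state` that does not match the one generated for this attempt means the redirect belongs to a different or forged login and must be discarded rather than exchanged.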


3 Comments

Hey, that sounds interesting. No, I am sure that I didn't consent before trying it in Postman. When using Postman to authenticate and receive the access token, it should use the auth code flow. It gets the auth code first, then retrieves the access token to use with the backend. After the sign in prompt, there still is no consent screen.
Using the React app to let the user sign in to get the auth code can make you see the consent page; that means there's nothing wrong with the AAD app. And I think once you click the consent button, the second time you use the React app to sign in won't show the consent page again.
Could you please create a new AAD app, and don't forget to set http://localhost/myapp/ as the redirect URL when creating the app. Then, using the URL I provided above, replace the tenant and client_id with your tenant name and app ID to test whether you can successfully get the auth code, and check whether the consent page appears?
