英文:
The app is asking for consent twice in "app calls api" scenario
问题
我正在使用两个应用程序注册并实现“公开API”场景。我的客户端应用是一个使用msal-angular库的Angular应用程序。我的服务器应用是一个.NET服务器,使用“公开API”功能并定义了一个范围。它还将客户端应用列为受信任的客户端应用程序。
实际上,客户端应用在系统中执行大部分重要工作,并且它直接使用directory.read.all访问Azure AD。服务器应用提供设置API,并且只关心用户的身份。
我的问题是,在进行初始注册时,用户被要求同意客户端应用的“查看个人资料”和“维护访问权限”。这没问题,但是在我进行服务器API调用以获取设置后,我得到另一个同意窗口,再次要求客户端应用的权限 - “查看个人资料”和“维护访问权限”。然而,在窗口中有一个段落:“如果您接受,服务器应用也将能够访问您的用户个人资料信息。”
是否有一种方法可以在一个步骤中完成这个同意过程?这种用户体验感觉非常令人困惑(特别是在第一次登录时)。
英文:
I'm using two app registrations and implement the "expose an api" scenario. My CLIENT_APP is an angular application using msal-angular library. My SERVER_APP is a .NET server that's using "Expose an API" feature and defines a scope. It also lists CLIENT_APP as a trusted client application.
CLIENT_APP is actually doing most of the heavy lifting in the system and it accesses Azure AD directly using a directory.read.all. The SERVER_APP provides settings API and is only interested in knowing the users identity.
My problem is that while doing the initial sign up the users are asked for consent for the CLIENT_APP to "View profile" and "Maintain access". That's ok, but immediately after I make a server API call to get settings I'm getting another consent window asking again asking for permissions for CLIENT_APP - "View profile" and "Maintain access". However, there's a paragraph in the window:
"If you accept, SERVER_APP will also have access to your user profile information."
Is there a way to do this consent thing in one step? It feels like a very confusing user experience (especially when signing in for the first time)
答案1
得分: 1
I tried to reproduce the same in my environment and got the results like below:
我尝试在我的环境中复制相同的操作,并获得如下结果:
I created an Azure AD Client App and added API permissions:
我创建了一个Azure AD 客户端应用程序 并添加了API权限:
I created an Azure AD Server App and Exposed an API like below:
我创建了一个Azure AD 服务器应用程序 并像下面这样公开了一个API:
Note that: It is inappropriate to get consent screen twice. The user must get the consent screen only once.
注意:获取同意屏幕两次是不合适的。用户只应获取同意屏幕一次。
For sample, I tried to authorize users by using below endpoint:
例如,我尝试使用以下端点来授权用户:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=api://AppID/test.read Directory.Read.All
&state=12345
When I tried to sign-in with the user account, I got the consent once as below:
当我尝试使用用户帐户登录时,我只收到了一次同意请求,如下所示:
After consenting, user successfully got redirected to the redirect page like below:
经同意后,用户成功被重定向到以下的重定向页面:
If still the issue persists, try the below:
如果问题仍然存在,请尝试以下操作:
-
Configure same API permissions for the Client App and the Server App and try.
-
为客户端应用程序和服务器应用程序配置相同的API权限,然后尝试。
-
Another approach is you can generate access token for Microsoft Graph and fetch the user profile by using the access token like below:
-
另一种方法是您可以生成Microsoft Graph的访问令牌,并像下面这样使用访问令牌获取用户配置文件:
https://graph.microsoft.com/v1.0/users/UserID
-
It is not possible to call two APIs at a time.
-
不可能同时调用两个API。
-
Try using the one Azure AD App for authorizing users.
-
尝试使用一个Azure AD应用程序来授权用户。
-
You can also make use of On-Behalf Flow to resolve the issue.
-
您还可以使用代表流程来解决问题。
英文:
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Client App and added API permissions:
I created an Azure AD Server App and Exposed an API like below:
> Note that: It is inappropriate to get consent screen twice. The user must get the consent screen only once.
For sample, I tried to authorize users by using below endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=api://AppID/test.read Directory.Read.All
&state=12345
When I tried to sign-in with the user account, I got the consent once as below:
After consenting, user successfully got redirected to the redirect page like below:
If still the issue persists, try the below:
- Configure same API permissions for the Client App and the Server App and try.
- Another approach is you can generate access token for Microsoft Graph and fetch the user profile by using the access token like below:
https://graph.microsoft.com/v1.0/users/UserID
- It is not possible to call two APIs at a time.
- Try using the one Azure AD App for authorizing users.
- You can also make use of On-Behalf Flow to resolve the issue.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论