AADSTS65001: 用户或管理员未同意使用该应用程序。

huangapple
go评论86阅读模式
英文:

AADSTS65001: The user or administrator has not consented to use the application

问题

我已经使用MSAL工作了将近三年,现在我面临一个问题,即使我已经阅读了很多帖子,也无法解决:

"AADSTS65001: 用户或管理员尚未同意使用ID为'c09036af-fd62-4db6-b27a-xxxxxxxxxxxx'的应用程序,名称为'mySite.com'。为该用户和资源发送交互式授权请求。跟踪ID:126a546f-a8b3-4176-8c74-e6a4c4851300 关联ID:6cc0a067-ec3b-4b25-9caa-215620991f24 时间戳:2023-06-28 08:14:16Z"

我知道,又是关于在Azure中授予应用程序权限的问题,但关键是不需要任何授权。在“配置的权限”下,没有待授予权限。我的应用程序是一个单一应用程序,没有API应用程序。这可能是一个范围的问题,直到今天我一直使用clientId作为范围,在这种情况下不起作用。

有什么想法吗?

编辑:

经过一些测试,我发现问题是范围。根据@Rukmini的建议,我将范围设置为"{clientId}./default"。现在登录正常工作了,但是从我的API(在同一域上)获取以下错误:

401 oidc:由不同提供程序签发的ID令牌,预期是"https://login.microsoftonline.com/9c0a3ae0-3f12-4197-a76d-xxxxxxxxxxxx/v2.0",实际是"https://sts.windows.net/9c0a3ae0-3f12-4197-a76d-xxxxxxxxxxxx/" []
英文:

I've been working with MSAL for almost three years, now I am facing a problem I am not able to fix, even if I've read a lot of posts:

"AADSTS65001: The user or administrator has not consented to use the application with ID 
'c09036af-fd62-4db6-b27a-xxxxxxxxxxxx' named 'mySite.com'. Send an interactive authorization
request for this user and resource. Trace ID: 126a546f-a8b3-4176-8c74-e6a4c4851300 Correlation ID: 6cc0a067-ec3b-4b25-9caa-215620991f24 Timestamp: 2023-06-28 08:14:16Z"

I know, another question about granting apps in azure, but the point is that there are no grants required. Under Configured permissions there are no pending consents to grant. My application is a single application with no API application. It might be a scope issue, up today I always used the clientId as scope, in this case it does not work.

Any idea?

Edit:

After some tests I figured out the problem IS the scope. As suggested by @Rukmini as scope I set "{clientId}./default". Now the login works, but from my api (on the same domain) I get the following error:

401 oidc: id token issued by a different provider, expected "https://login.microsoftonline.com/9c0a3ae0-3f12-4197-a76d-xxxxxxxxxxxx/v2.0" got "https://sts.windows.net/9c0a3ae0-3f12-4197-a76d-xxxxxxxxxxxx/" []

答案1

得分: 0

我创建了Azure AD应用程序并公开了一个API,如下所示:

AADSTS65001: 用户或管理员未同意使用该应用程序。

我尝试使用以下参数通过Postman生成访问令牌

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
grant_type:authorization_code
scope:ClientID 
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret

我收到了与下面相同的错误:

AADSTS65001: 用户或管理员未同意使用该应用程序。

我之所以收到这个错误,是因为我将scope设置为ClientID并使用了v2.0终结点。

错误信息 "AADSTS65001: 用户或管理员尚未同意使用 ID 为 'xxxx' 的应用程序以及名称为 'abc' 的资源。为此用户和资源发送一个交互式授权请求" 通常会在管理员未同意用户试图访问的权限时发生。

要解决这个错误,请确保像下面这样授予管理员同意 API 权限

AADSTS65001: 用户或管理员未同意使用该应用程序。

请注意:Azure AD支持将ClientID作为scope传递,但这取决于您用来授权请求的终结点。

  • 使用**v2.0**终结点时,您必须将scope设置为ClientID/.defaultClientID/scopename,如下所示:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

scope:ClientID/.default  ClientID/test.read

AADSTS65001: 用户或管理员未同意使用该应用程序。

  • 使用**v1.0终结点时,您可以将资源**设置为ClientID,如下所示:
https://login.microsoftonline.com/TenantID/oauth2/token

resource:ClientID

AADSTS65001: 用户或管理员未同意使用该应用程序。

如果问题仍然存在,请检查是否传递了有效的ClientID,并已授予Azure AD应用程序所需的权限。

英文:

I created Azure AD Application and Exposed an API like below:

AADSTS65001: 用户或管理员未同意使用该应用程序。

I tried to generate access token using below parameters via Postman:

https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
grant_type:authorization_code
scope:ClientID 
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret

And I got the same error as below:

AADSTS65001: 用户或管理员未同意使用该应用程序。

I got the error as I passed scope as ClientID and used v2.0 endpoint.

The error "AADSTS65001: The user or administrator has not consented to use the application with ID
'xxxx named 'abc'. Send an interactive authorization
request for this user and resource" usually occurs if the admin has not consented for the permissions the user is trying to access.

To resolve the error, make sure to grant Admin consent to the API permissions like below:

AADSTS65001: 用户或管理员未同意使用该应用程序。

Note that: Azure AD Supports passing ClientID as scope, but it depends on the endpoint you are making use of to authorize the request.

  • With v2.0 endpoint, you have to pass scope as ClientID/.default or ClientID/scopename like below:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

scope:ClientID/.default OR ClientID/test.read

AADSTS65001: 用户或管理员未同意使用该应用程序。

  • With v1.0 endpoint, you can pass resource as ClientID like below:
https://login.microsoftonline.com/TenantID/oauth2/token

resource:ClientID

AADSTS65001: 用户或管理员未同意使用该应用程序。

If still the issue persists, check whether you are passing valid ClientID and granted required permissions to the Azure AD Application.

huangapple
  • 本文由 发表于 2023年7月17日 19:50:00
  • 转载请务必保留本文链接:https://go.coder-hub.com/76704158.html
  • azure-active-directory
  • correlation
  • single-sign-on
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定