英文:
AADSTS65001: The user or administrator has not consented to use the application
问题
我已经使用MSAL工作了将近三年,现在我面临一个问题,即使我已经阅读了很多帖子,也无法解决:
"AADSTS65001: 用户或管理员尚未同意使用ID为'c09036af-fd62-4db6-b27a-xxxxxxxxxxxx'的应用程序,名称为'mySite.com'。为该用户和资源发送交互式授权请求。跟踪ID:126a546f-a8b3-4176-8c74-e6a4c4851300 关联ID:6cc0a067-ec3b-4b25-9caa-215620991f24 时间戳:2023-06-28 08:14:16Z"
我知道,又是关于在Azure中授予应用程序权限的问题,但关键是不需要任何授权。在“配置的权限”下,没有待授予权限。我的应用程序是一个单一应用程序,没有API应用程序。这可能是一个范围的问题,直到今天我一直使用clientId作为范围,在这种情况下不起作用。
有什么想法吗?
编辑:
经过一些测试,我发现问题是范围。根据@Rukmini的建议,我将范围设置为"{clientId}./default"。现在登录正常工作了,但是从我的API(在同一域上)获取以下错误:
401 oidc:由不同提供程序签发的ID令牌,预期是"https://login.microsoftonline.com/9c0a3ae0-3f12-4197-a76d-xxxxxxxxxxxx/v2.0",实际是"https://sts.windows.net/9c0a3ae0-3f12-4197-a76d-xxxxxxxxxxxx/" []
英文:
I've been working with MSAL for almost three years, now I am facing a problem I am not able to fix, even if I've read a lot of posts:
"AADSTS65001: The user or administrator has not consented to use the application with ID
'c09036af-fd62-4db6-b27a-xxxxxxxxxxxx' named 'mySite.com'. Send an interactive authorization
request for this user and resource. Trace ID: 126a546f-a8b3-4176-8c74-e6a4c4851300 Correlation ID: 6cc0a067-ec3b-4b25-9caa-215620991f24 Timestamp: 2023-06-28 08:14:16Z"
I know, another question about granting apps in azure, but the point is that there are no grants required. Under Configured permissions
there are no pending consents to grant. My application is a single application with no API application. It might be a scope issue, up today I always used the clientId as scope, in this case it does not work.
Any idea?
Edit:
After some tests I figured out the problem IS the scope. As suggested by @Rukmini as scope I set "{clientId}./default". Now the login works, but from my api (on the same domain) I get the following error:
401 oidc: id token issued by a different provider, expected "https://login.microsoftonline.com/9c0a3ae0-3f12-4197-a76d-xxxxxxxxxxxx/v2.0" got "https://sts.windows.net/9c0a3ae0-3f12-4197-a76d-xxxxxxxxxxxx/" []
答案1
得分: 0
我创建了Azure AD应用程序并公开了一个API,如下所示:
我尝试使用以下参数通过Postman生成访问令牌:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
grant_type:authorization_code
scope:ClientID
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
我收到了与下面相同的错误:
我之所以收到这个错误,是因为我将scope设置为ClientID
并使用了v2.0
终结点。
错误信息 "AADSTS65001: 用户或管理员尚未同意使用 ID 为 'xxxx' 的应用程序以及名称为 'abc' 的资源。为此用户和资源发送一个交互式授权请求" 通常会在管理员未同意用户试图访问的权限时发生。
要解决这个错误,请确保像下面这样授予管理员同意 API 权限:
请注意:Azure AD支持将ClientID作为scope传递,但这取决于您用来授权请求的终结点。
- 使用**
v2.0
**终结点时,您必须将scope设置为ClientID/.default
或ClientID/scopename
,如下所示:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
scope:ClientID/.default 或 ClientID/test.read
- 使用**
v1.0
终结点时,您可以将资源**设置为ClientID
,如下所示:
https://login.microsoftonline.com/TenantID/oauth2/token
resource:ClientID
如果问题仍然存在,请检查是否传递了有效的ClientID,并已授予Azure AD应用程序所需的权限。
英文:
I created Azure AD Application and Exposed an API like below:
I tried to generate access token using below parameters via Postman:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
grant_type:authorization_code
scope:ClientID
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
And I got the same error as below:
I got the error as I passed scope as ClientID
and used v2.0
endpoint.
The error "AADSTS65001: The user or administrator has not consented to use the application with ID
'xxxx named 'abc'. Send an interactive authorization
request for this user and resource" usually occurs if the admin has not consented for the permissions the user is trying to access.
To resolve the error, make sure to grant Admin consent to the API permissions like below:
Note that: Azure AD Supports passing ClientID as scope, but it depends on the endpoint you are making use of to authorize the request.
- With
v2.0
endpoint, you have to pass scope asClientID/.default
orClientID/scopename
like below:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
scope:ClientID/.default OR ClientID/test.read
- With
v1.0
endpoint, you can pass resource asClientID
like below:
https://login.microsoftonline.com/TenantID/oauth2/token
resource:ClientID
If still the issue persists, check whether you are passing valid ClientID and granted required permissions to the Azure AD Application.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论