question

JohnJacko-9680 asked

microsoftonline authorize endpoint does not let my User authorize the app but skips straight to 302

I'm trying to set up a Server Application and an Angular Client Application to go with it. My goal is to have the back end service manage information regarding users in an Azure Active Directory tenant.

Currently, a given flow is able to go something like this:

  1. New User Fills out a form for creating an account

  2. Upon Submission, the client sends the data to the server, which uses the Graph API to generate a new User under the given tenant.

  3. The Service randomly generates a state value and returns it to the Angular Client.

  4. The Angular Client takes the state value and redirects to https://login.microsoftonline.com/${environment.user_tenent_id}/oauth2/v2.0/authorize ... with all the required information

  5. The Microsoft endpoint immediately returns a 302 with a code directing the User back to the Angular Client (thus not giving the user the opportunity to go through the consent and login page)

  6. The Angular Client detects the state and code and sends these values to the service to access the token

  7. The Service is told "AADSTS65001: The user or administrator has not consented to use the application with ID '<app_id_here>' named 'TrecApps-User-Test'. Send an interactive authorization request for this user and resource" (because the User was never given the opportunity to "consent")

What SHOULD happen:

  1. New User Fills out a form for creating an account

  2. Upon Submission, the client sends the data to the server, which uses the Graph API to generate a new User under the given tenant.

  3. The Service randomly generates a state value and returns it to the Angular Client.

  4. The Angular Client takes the state value and redirects to https://login.microsoftonline.com/${environment.user_tenent_id}/oauth2/v2.0/authorize ... with all the required information

  5. The User is provided a consent page (and possibly login) before being redirected back to the Angular Client

  6. The Angular Client detects the state and code and sends these values to the service to access the token

  7. The Service retrieves token information and sends it back to the Angular Client. The User is now logged in and can look at his account.


Are there ways to ensure that either:

  1. The User is presented with the consent page, or

  2. The Admin is able to provide this consent automatically so that AADSTS65001 does not happen?

Evidently, specifying the relevant scopes at "Home" -> "Azure AD B2C" -> "[Registered App Name]" -> "API Permissions" is not enough.

Extra Information: The Server-Side app uses Spring Boot with a Spring Security Configuration tailored to use the com.microsoft.azure:azure-active-directory-spring-boot-starter to work with my tenant for OAuth2 Authentication.
The Relevant Scopes I'm currently looking at are "user.read openid profile offline_access"


@JohnJacko-9680 Did you expose the Server Application API?


I looked into that a little. It gave me a series of URLs based off of a specific permission I added but it wasn't intuitive what I was supposed to do with those URLs.


Did you grant the scope of the service application to the Angular application and grant admin consent in the Azure portal?


The App ID I'm using is tailored towards the Server application back-end. I tried to create a Client App Registration for the Angular app, but the setup was not compatible with the Server Configuration.

I had also tried using the MSAL packages in Angular for the Back-end registration, but got an error saying that the App registration had to be a SPA app.

And I'm confident I granted Admin Consent in the Azure Portal.


0 Answers