18

I am trying to get the OAuth2 workflow to perform correctly for Azure AD. I am following the directions from this source: https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx

I can successfully get an authorization code response by using this request: https://login.microsoftonline.com/[app-endpoint-id]/oauth2/authorize?response_type=code&client_id=[client-id]&redirect_uri=[redirect-uri]

I then use the authorization code to request an access token with a http post like so (I am testing this using Postman):

POST /[app-endpoint-id]/oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Cache-Control: no-cache
Postman-Token: ed098281-9aa4-6e5f-915d-0253d9a876d3
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&client_id=[client-id]&code=[authorization_code]&redirect_uri=[redirect_uri]&client_secret=[client-secret]&resource=[app-url]

I get the following error message from the POST request:

{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'app-id'. Send an interactive authorization request for this user and resource.\r\nTrace ID: trace-di\r\nCorrelation ID: correlation-id\r\nTimestamp: 2016-01-13 17:18:39Z","error_codes":[65001],"timestamp":"2016-01-13 17:18:39Z","trace_id":"trace-id","correlation_id":"correlation-id"}

If I clear my cache and make the first request for the authorization code I will be redirected to log in. However, I don't get any way to authorize my app after logging in like it says I should in this documentation:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-integrating-applications/

What am I doing wrong here? I am trying to get an access token.

James Jones
Spensaur

3 Answers

12

The problem you are running in to is that the tenant you are using to access your app has not added your application to the list of applications that are supported. It's telling you to use the interactive flow as an administrator.

Consent is a two step process:

1) First, the administrator of the tenant must approve the app. This can be done either 1) in the Azure portal of the tenant wishing to use the app or 2) by launching the app and using admin credentials against the app when you sign in.

Example of the Azure portal approval:


(source: azurecomcdn.net)

2) Second, any additional user (non-admin) will be prompted to consent for their individual information when using the app for the first time after the admin has consented that the app can be used.

Glorfindel
Brandon Werner
  • Thank you! For some reason I was under the impression I was an admin because I created the apps but your post made me realize I was not. I actually already gave Delegated permissions in the Azure portal of the tenant app before I posted my question here which also led me to believe I had admin permissions. – Spensaur Jan 19 '16 at 20:50
  • Update - I was able to log in with an admin account and I was prompted for consent. Afterwards I got an access token. With that same admin account I checked the permissions on the Azure portal and made sure the tenant had permission and it did. But I still run into the same error when trying to get an access token with a non-admin user. I have User assignment required set to no. But I did assign my user account anyways. Do I need to do anything special to get the permissions prompt for a non-admin user after signing in? – Spensaur Jan 19 '16 at 22:59
  • When I try a different non-admin user account that isn't my own, I get the following message: Sorry, but we're having trouble signing you in. We received a bad request. Additional technical information: AADSTS90093: This operation can only be performed by an administrator. Sign out and sign in as an administrator or contact one of your organization's administrators. – Spensaur Jan 19 '16 at 23:23
  • I just tried removing the delegated permissions on the admin account and then re-enabling them and I can now get access tokens for non-admin tokens! – Spensaur Jan 20 '16 at 01:28
  • Hey man, the picture is not loading, could you please show the steps to add the application to the list of applications supported by the tenant? Thanks. – D.B Nov 30 '16 at 00:51
  • @D.B If you figure out how to do this, could you please comment with a new answer? I am trying to figure this out as well. – MirroredFate Dec 01 '16 at 18:41
  • @D.B This may or may not help you, but I added "&prompt=admin_consent" to the end of my authorize url and it worked for me. – MirroredFate Dec 01 '16 at 19:33
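The two requests from the question and the consent failure discussed in this answer and its comments, put together as an added example (this is not code from the question, the answers, or Microsoft). It builds the authorize URL, optionally with the prompt=admin_consent parameter MirroredFate mentions, builds the token POST, and classifies the token endpoint's JSON reply so that a missing-consent error (AADSTS65001 from the question, AADSTS90093 from the comments) is recognised by its numeric error_codes entry rather than by string-matching error_description. The endpoint paths and parameter names are the ones on the page; the function names, the state parameter handling, the fake opener and the sample response are constructed here.

```python
"""Azure AD (login.microsoftonline.com/{tenant}/oauth2) authorization-code flow
helpers. Added example for this thread, not code from the page or from Microsoft.
Endpoint paths and form parameter names come from the question; everything else
(function names, the sample JSON, the fake opener) is constructed here."""
import io
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"

# AADSTS codes seen in the thread: 65001 = consent not granted,
# 90093 = operation requires an administrator. Both mean an admin must consent.
CONSENT_REQUIRED_CODES = {65001, 90093}

# Constructed sample: the error body from the question with placeholders kept.
SAMPLE_CONSENT_ERROR = (
    '{"error":"invalid_grant","error_description":"AADSTS65001: The user or '
    'administrator has not consented to use the application with ID \'app-id\'. '
    'Send an interactive authorization request for this user and resource.\\r\\n'
    'Trace ID: trace-id\\r\\nCorrelation ID: correlation-id\\r\\n'
    'Timestamp: 2016-01-13 17:18:39Z","error_codes":[65001],'
    '"timestamp":"2016-01-13 17:18:39Z","trace_id":"trace-id",'
    '"correlation_id":"correlation-id"}'
)


def build_authorize_url(tenant, client_id, redirect_uri, resource, state, admin_consent=False):
    """Step 1: the URL the browser is sent to. `state` is a per-session random
    value the redirect handler must compare on return, so a callback that was not
    started by this app cannot plant a code. admin_consent=True adds the
    prompt=admin_consent parameter from the comments, which asks a tenant admin
    to consent on behalf of all users instead of just themselves."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "resource": resource,
        "state": state,
    }
    if admin_consent:
        params["prompt"] = "admin_consent"
    return f"{AUTHORITY}/{tenant}/oauth2/authorize?" + urllib.parse.urlencode(params)


def token_request(tenant, client_id, client_secret, code, redirect_uri, resource):
    """Step 2: the form-encoded POST shown in the question, as a urllib Request.
    The secret travels only in the POST body over TLS, never in a query string."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,  # must match the value used in step 1
        "client_secret": client_secret,
        "resource": resource,
    }).encode()
    return urllib.request.Request(
        f"{AUTHORITY}/{tenant}/oauth2/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(body_text):
    """Classify the token endpoint's JSON body. Success carries access_token;
    failures carry a numeric error_codes list, which is more reliable than the
    free-text AADSTS prefix in error_description."""
    doc = json.loads(body_text)
    if "access_token" in doc:
        return {"ok": True, "token_type": doc.get("token_type"),
                "expires_in": int(doc.get("expires_in", 0))}
    codes = set(doc.get("error_codes", []))
    return {
        "ok": False,
        "error": doc.get("error"),
        "codes": sorted(codes),
        "needs_admin_consent": bool(codes & CONSENT_REQUIRED_CODES),
        "correlation_id": doc.get("correlation_id"),  # quote this when asking support
    }


def exchange_code(request, opener=urllib.request.urlopen):
    """Send the token request. Azure AD answers failures with a 4xx status and a
    JSON body, so an HTTPError body is parsed exactly like a success body."""
    try:
        with opener(request) as resp:
            return parse_token_response(resp.read().decode())
    except urllib.error.HTTPError as err:
        return parse_token_response(err.read().decode())


def _fake_opener(request):
    """Constructed stand-in for urlopen: always returns the sample consent error."""
    raise urllib.error.HTTPError(request.full_url, 400, "Bad Request",
                                 {}, io.BytesIO(SAMPLE_CONSENT_ERROR.encode()))


if __name__ == "__main__":
    tenant, client_id = "contoso.onmicrosoft.com", "[client-id]"  # placeholders
    redirect_uri, resource = "https://localhost/callback", "https://graph.windows.net"
    state = secrets.token_urlsafe(16)
    print("authorize:", build_authorize_url(tenant, client_id, redirect_uri, resource, state))
    req = token_request(tenant, client_id, "[client-secret]", "[code]", redirect_uri, resource)
    result = exchange_code(req, opener=_fake_opener)
    print("token response:", result)
    if not result["ok"] and result["needs_admin_consent"]:
        print("retry with:", build_authorize_url(tenant, client_id, redirect_uri,
                                                 resource, state, admin_consent=True))
```

Run it as-is and it exercises the whole path offline against the sample error; swap `_fake_opener` for the default `urllib.request.urlopen` to talk to the real endpoint. Checking `needs_admin_consent` lets the app send the user to the admin-consent URL instead of looping on an ordinary sign-in, which is the situation the question describes.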
1

Try giving resource as 'https://graph.windows.net' in the post request.

It worked for me.

pooja karande
  • This works. Note that a secured API will need the Allowed Audiences configured to include graph.windows.net as per https://stackoverflow.com/questions/44466189/oauth2-resource-owner-password-grant-via-api/44539932#44539932 – Sentinel Jul 12 '17 at 15:58
0

Make sure your Azure AD settings allow adding such apps. There are a couple of properties under Azure AD Application > Manage > User settings that affect how the app is registered. Someone in your organization may have turned app registration off altogether, or limited the options severely. You could check these settings out. There are a couple of solutions available here for this question.

Chamila Maddumage