Description
Please provide us with the following information:
This issue is for a: (mark with an x)
- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Minimal steps to reproduce
My setup
I have an ASP.NET Core MVC (net5.0) web app configured with Azure AD. I have an ASP.NET Core (net5.0) Web API configured with Azure AD.
I log in to the client, obtain the token in the client web app and use it when requesting resources from the Web API through JS; this works fine. I get responses and I can obtain the current user making the request. I used this MS guide: active-directory-aspnetcore-webapp-openidconnect-v2. I want to enable communication between the Web API and Microsoft Graph. I have followed part of this Azure sample: "Web API now calls Microsoft Graph".
Any log messages given by the failure
The issue
I have had issues accessing the MS Graph API from my ASP.NET Core API. I have set up everything I think should be needed, as seen in the code; however, I keep getting the error:
InnerException = {"AADSTS65001: The user or administrator has not consented to use the application with ID 'app-guid' named 'app-name'. Send an interactive authorization request for this user and resource
Message = IDW10502: An MsalUiRequiredException was thrown due to a challenge for the user. See https://aka.ms/ms-id-web/ca_incremental-consent.
I have granted admin consent in the API permissions section; the app uses delegated permissions, it is an organisational app, and users must be on Azure AD to log in. I have also added the client ID as a known client application for the service in the app manifest.
Azure permission granted for API
API appsettings
```json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "--",
    "TenantId": "--",
    "ClientId": "--",
    "ClientSecret": "--"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "DownstreamApi": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "user.read presence.read mailboxsettings.read mail.read calendars.read files.readwrite",
    "DefaultScope": "https://graph.microsoft.com/.default"
  },
  "AllowedHosts": "*",
  "ConnectionStrings": {
    "DefaultConnection": "--"
  }
}
```
Client appSettings
```json
{
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "--",
    "TenantId": "--",
    "ClientId": "--",
    "ScopeForAccessToken": "--",
    "ClientSecret": "--"
  },
  "DownstreamApi": {
    "BaseUrl": "https://graph.microsoft.com/v1.0",
    "Scopes": "user.read presence.read mailboxsettings.read mail.read calendars.read files.readwrite"
  },
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
    }
  },
  "NASAapi": {
    "ScopeForAccessToken": "api://guid/scope.name",
    "ApiBaseAddress": ""
  },
  "AllowedHosts": "*"
}
```
API Startup.cs
```csharp
services.AddMicrosoftIdentityWebApiAuthentication(Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddMicrosoftGraph(Configuration.GetSection("DownstreamApi"))
    .AddInMemoryTokenCaches();
```
Example Controller
```csharp
using System;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;
using Microsoft.Graph;
using Microsoft.Identity.Client;
using Microsoft.Identity.Web;

[Authorize]
[Route("api/[controller]/[action]")]
[RequiredScope("scope.name")]
[ApiController]
public class ExampleController : ControllerBase
{
    private readonly GraphServiceClient _graphServiceClient;
    // Both fields were used in the catch block but never declared or injected.
    private readonly ITokenAcquisition _tokenAcquisition;
    private readonly IOptions<MicrosoftGraphOptions> _graphOptions;

    public ExampleController(GraphServiceClient graphServiceClient,
                             ITokenAcquisition tokenAcquisition,
                             IOptions<MicrosoftGraphOptions> graphOptions)
    {
        _graphServiceClient = graphServiceClient;
        _tokenAcquisition = tokenAcquisition;
        _graphOptions = graphOptions;
    }

    [HttpGet]
    public async Task<IActionResult> GetDealsWithAccount()
    {
        try
        {
            // This call triggers the On-Behalf-Of token acquisition for Graph.
            // Await it instead of blocking with GetAwaiter().GetResult() in an async action.
            User user = await _graphServiceClient.Me.Request().GetAsync();
            return Ok(user.UserPrincipalName);
        }
        catch (MsalException ex)
        {
            HttpContext.Response.ContentType = "text/plain";
            HttpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
            await HttpContext.Response.WriteAsync("An authentication error occurred while acquiring a token for downstream API\n" + ex.ErrorCode + "\n" + ex.Message);
            // The response has already been written; return EmptyResult so MVC does not overwrite the status.
            return new EmptyResult();
        }
        catch (Exception ex)
        {
            // The challenge exception can surface directly or wrapped by the Graph SDK; handle both.
            var challengeException = ex as MicrosoftIdentityWebChallengeUserException
                                     ?? ex.InnerException as MicrosoftIdentityWebChallengeUserException;
            if (challengeException != null)
            {
                // Replies 403 with a WWW-Authenticate header so the client can perform incremental consent.
                _tokenAcquisition.ReplyForbiddenWithWwwAuthenticateHeader(
                    _graphOptions.Value.Scopes.Split(' '),
                    challengeException.MsalUiRequiredException);
                return new EmptyResult();
            }

            HttpContext.Response.ContentType = "text/plain";
            HttpContext.Response.StatusCode = (int)HttpStatusCode.BadRequest;
            await HttpContext.Response.WriteAsync("An error occurred while calling the downstream API\n" + ex.Message);
            return new EmptyResult();
        }
    }
}
```
Expected/desired behavior
It seems the On-Behalf-Of flow is not working as expected. I expect the Web API to make the call to the downstream service and obtain the token for Graph. Please correct me if I am wrong.
OS and Version?
Windows 10
Versions
21H2 (OS Build 19044.1826)
Mention any other details that might be useful
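Added example, not code from the issue author or from Microsoft.Identity.Web: an offline check of the claims in the access token a client presents to the Web API, which is the assertion the On-Behalf-Of flow exchanges for a Graph token. It verifies the things OBO depends on (the token is for this API, it is a delegated user token carrying `scp` rather than an app-only `roles` token, and the caller is a known client application). All GUIDs, the `scope.name` scope and the tokens themselves are placeholders constructed inline with a dummy HMAC key so the script runs offline; real Azure AD tokens are RS256-signed and the script deliberately does not verify signatures, so it is a diagnostic aid only and never a substitute for the middleware's validation.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholder identifiers (assumption), not the issue author's real values.
API_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
API_APP_ID_URI = f"api://{API_CLIENT_ID}"
CLIENT_APP_ID = "22222222-2222-2222-2222-222222222222"
TENANT_ID = "33333333-3333-3333-3333-333333333333"
REQUIRED_SCOPE = "scope.name"
NOW = 1_700_000_000  # fixed clock so the constructed tokens are valid for the check


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # restore the padding JWTs strip
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_constructed_token(claims: dict) -> str:
    """Build a CONSTRUCTED HS256 JWT with a dummy key so the example runs offline.
    Real Azure AD tokens are RS256-signed; never accept HS256 from a real IdP."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(b"dummy-key", f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_obo_preconditions(claims, api_client_id, api_app_id_uri, required_scope,
                            known_clients, now=None):
    """List reasons this token cannot serve as the OBO assertion for the API."""
    problems = []
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    # v2.0 tokens carry the API's client id in aud; v1.0 tokens carry its App ID URI.
    if claims.get("aud") not in (api_client_id, api_app_id_uri):
        problems.append(f"aud {claims.get('aud')!r} is not this API")
    # OBO needs a delegated (user) token, which carries scp; app-only tokens carry roles.
    scopes = claims.get("scp", "").split()
    if not scopes:
        problems.append("no scp claim: app-only token, OBO requires a delegated user token")
    elif required_scope not in scopes:
        problems.append(f"scp lacks required scope {required_scope!r}")
    # Calling client app: azp on v2.0 tokens, appid on v1.0 tokens.
    caller = claims.get("azp") or claims.get("appid")
    if caller not in known_clients:
        problems.append(f"caller {caller!r} is not a known client application")
    return problems


# Constructed sample tokens: a good delegated v2.0 token and an app-only v1.0 token.
GOOD_TOKEN = make_constructed_token({
    "aud": API_CLIENT_ID, "tid": TENANT_ID, "ver": "2.0", "azp": CLIENT_APP_ID,
    "scp": REQUIRED_SCOPE, "oid": "user-object-id", "exp": NOW + 3600,
})
APP_ONLY_TOKEN = make_constructed_token({
    "aud": API_APP_ID_URI, "tid": TENANT_ID, "ver": "1.0", "appid": CLIENT_APP_ID,
    "roles": ["Example.Read.All"], "exp": NOW + 3600,  # constructed app role name
})


def run_checks():
    """Run the preconditions against both constructed tokens."""
    return {
        name: check_obo_preconditions(decode_claims(tok), API_CLIENT_ID, API_APP_ID_URI,
                                      REQUIRED_SCOPE, {CLIENT_APP_ID}, now=NOW)
        for name, tok in (("delegated", GOOD_TOKEN), ("app_only", APP_ONLY_TOKEN))
    }


if __name__ == "__main__":
    for name, problems in run_checks().items():
        print(name, "OK" if not problems else problems)
```

To use it against a real request, paste the bearer token the JS client sends to the Web API into `decode_claims` and pass the API's own client ID, App ID URI, required scope and the `knownClientApplications` list from its manifest; a token that passes these checks but still produces AADSTS65001 narrows the problem to consent on the Graph side rather than to the incoming assertion.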
Thanks! We'll be in touch soon.