User not asked for consent when new delegated permissions are required


Problem description

I've got an ASP.NET application which is using the OWIN middleware to authenticate against my Azure Active Directory instance.

In the Azure portal, I've created the app registration for my ASP.NET app, and authentication works great.

Users have been logging in, I get their claims, everything's good.

Now, I'm adding a new feature to my application, where after login, I want to query the Graph API to get some more information about the user (group names, e-mail address, whatever). Now, accessing the graph API to get this information requires new permissions, so I've gone into the Azure portal, and checked off the appropriate delegated permissions for my ASP.NET application.

For users who never logged into the application, everything works fine. However, users who had previously logged into the application are not prompted for consent to the newly required permissions, so my calls to the Graph API are failing.

How can I make it so that users are asked for consent when my app starts requiring new permissions?

Recommended answer

After we change the permissions of the app in the developer's tenant, the users who have already given consent need to update their consent to get the updated permissions.

To start a consent grant for those users who have already granted before, we need to specify the prompt parameter with the value `consent` (refer here for more on the parameters used in the OAuth 2.0 code grant flow).

And if you are using the Azure AD v2.0 endpoint, we need to put the new scopes in the request instead of configuring them in the portal. (Refer here for the v2.0 endpoint.)
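The two points in the answer, sending `prompt=consent` and declaring the new scopes in the request, can be wired into an ASP.NET OWIN OpenID Connect setup like the asker's. The following is an added example, not code from the answer or from any Microsoft sample; it assumes the `Microsoft.Owin.Security.OpenIdConnect` 4.x package (whose request-type enum value is `OpenIdConnectRequestType.Authentication`; the 3.x package names it `AuthenticationRequest`), and the client id, authority, redirect URI and `User.Read` scope are placeholder values. The `ReconsentAndSignIn` action and the `"prompt"` dictionary key are hypothetical names chosen here so that the consent screen is forced only for the one sign-in where it is needed, rather than on every login.

```csharp
// Added example: OWIN OpenID Connect configuration that re-prompts for consent
// when the application starts requiring new delegated permissions.
using System.Threading.Tasks;
using System.Web;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public partial class Startup
{
    // Placeholder values: replace with the app registration's own settings.
    private const string ClientId = "<client-id>";
    private const string Authority = "https://login.microsoftonline.com/<tenant-id>/v2.0";
    private const string RedirectUri = "https://localhost:44300/";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            ClientId = ClientId,
            Authority = Authority,
            RedirectUri = RedirectUri,
            // v2.0 endpoint: scopes are declared in the request, not only in the portal.
            // The Graph scope below (User.Read) is a placeholder for whatever the new
            // feature actually needs.
            Scope = "openid profile email offline_access https://graph.microsoft.com/User.Read",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = ctx =>
                {
                    // Only modify sign-in requests, never the sign-out redirect.
                    if (ctx.ProtocolMessage.RequestType == OpenIdConnectRequestType.Authentication)
                    {
                        // Forward prompt=consent only when the challenge asked for it, so
                        // returning users who already consented are not re-prompted every time.
                        var challenge = ctx.OwinContext.Authentication.AuthenticationResponseChallenge;
                        string prompt;
                        if (challenge != null &&
                            challenge.Properties.Dictionary.TryGetValue("prompt", out prompt))
                        {
                            ctx.ProtocolMessage.Prompt = prompt; // "consent"
                        }
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}

public class AccountController : System.Web.Mvc.Controller
{
    // Normal sign-in: no prompt parameter, so previously consented users sign in silently.
    public void SignIn()
    {
        HttpContext.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = "/" },
            OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }

    // Hypothetical action to call after a Graph request fails for lack of consent:
    // the "prompt" entry is picked up by RedirectToIdentityProvider above and
    // becomes prompt=consent on the authorization request.
    public void ReconsentAndSignIn()
    {
        var props = new AuthenticationProperties { RedirectUri = "/" };
        props.Dictionary["prompt"] = "consent";
        HttpContext.GetOwinContext().Authentication.Challenge(
            props, OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }
}
```

Sending `prompt=consent` unconditionally in `RedirectToIdentityProvider` also works, but it puts the consent screen in front of every user on every login; routing it through the challenge properties keeps the extra prompt limited to the sign-in that actually follows a consent failure.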
