AADSTS65001:用户或管理员未同意使用 ID 为“<应用程序 ID>"的应用程序. [英] AADSTS65001: The user or administrator has not consented to use the application with ID &#39;&lt;application ID&gt;

问题描述

我们遵循 Microsoft 代码授权流程的 OAuth2 的 v2，如下所述，

解决方案

我无法重现您的问题.以下是我的步骤供您参考.

1. 创建一个具有 User.Read 和 profile 权限的应用程序.

2.由于我添加的权限不需要管理员同意，所以我第一次登录就同意了.

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id=59437d85-46f8-409c-8211-b3db91a8b0e5&response_type=代码&redirect_uri=http://localhost&response_mode=查询&scope=https://graph.microsoft.com/User.Read&state=12345

3.使用我在step2得到的code获取token

要定位您的问题，请提供类似步骤 2(应用注册->您的应用程序->API 权限)的屏幕截图.以及您用来获取代码/令牌的范围的价值.

We following the v2 of the OAuth2 of Microsoft Code grant flow as documented in the following,

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

After we created an application in App Register under Microsoft Azure, and try to get the code from the following url

https://login.microsoftonline.com/concept4.net/oauth2/v2.0/authorize?client_id=&response_type=code&redirect_uri=https://postman-echo.com/get&response_mode=query&scope=profile%20openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&state=skip_get_token2&prompt=consent

Then we got the following error

{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '' named 'c4app2019'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 46424a2f-a3a2-45da-8902-888f5ca61c00\r\nCorrelation ID: 49d0a6ad-e158-4bc9-97b8-a6391c6470bb\r\nTimestamp: 2019-12-11 07:51:31Z","error_codes":[65001],"timestamp":"2019-12-11 07:51:31Z","trace_id":"46424a2f-a3a2-45da-8902-888f5ca61c00","correlation_id":"49d0a6ad-e158-4bc9-97b8-a6391c6470bb","suberror":"consent_required"}

Any idea what permission we need to grant to our application?

解决方案

I can not reproduce your issue on my side. Here are my steps for your reference.

1.Create an application with User.Read and profile permissions.

2.Since the permissions I added don't need admin consent, so I can consent by the first time I login.

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=59437d85-46f8-409c-8211-b3db91a8b0e5
&response_type=code
&redirect_uri=http://localhost
&response_mode=query
&scope=https://graph.microsoft.com/User.Read
&state=12345

3.Get the token by using the code I got from step2

To locate your issue, please provide the screenshot like step2(App registrations->your application->API permissions). And the value of scope you used to get code/token.

这篇关于AADSTS65001:用户或管理员未同意使用 ID 为“<应用程序 ID>"的应用程序.的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！