AADSTS65001:用户或管理员未同意使用 ID 为“<应用程序 ID>"的应用程序. [英] AADSTS65001: The user or administrator has not consented to use the application with ID '<application ID>
问题描述
我们遵循 Microsoft 代码授权流程的 OAuth2 的 v2,如下所述,
我无法重现您的问题.以下是我的步骤供您参考.
1. 创建一个具有 User.Read
和 profile
权限的应用程序.
2.由于我添加的权限不需要管理员同意,所以我第一次登录就同意了.
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id=59437d85-46f8-409c-8211-b3db91a8b0e5&response_type=代码&redirect_uri=http://localhost&response_mode=查询&scope=https://graph.microsoft.com/User.Read&state=12345
3.使用我在step2得到的code获取token
要定位您的问题,请提供类似步骤 2(应用注册->您的应用程序->API 权限)的屏幕截图.以及您用来获取代码/令牌的范围的价值.
We following the v2 of the OAuth2 of Microsoft Code grant flow as documented in the following,
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
After we created an application in App Register under Microsoft Azure, and try to get the code from the following url
https://login.microsoftonline.com/concept4.net/oauth2/v2.0/authorize?client_id=&response_type=code&redirect_uri=https://postman-echo.com/get&response_mode=query&scope=profile%20openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fuser.read&state=skip_get_token2&prompt=consent
Then we got the following error
{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '' named 'c4app2019'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 46424a2f-a3a2-45da-8902-888f5ca61c00\r\nCorrelation ID: 49d0a6ad-e158-4bc9-97b8-a6391c6470bb\r\nTimestamp: 2019-12-11 07:51:31Z","error_codes":[65001],"timestamp":"2019-12-11 07:51:31Z","trace_id":"46424a2f-a3a2-45da-8902-888f5ca61c00","correlation_id":"49d0a6ad-e158-4bc9-97b8-a6391c6470bb","suberror":"consent_required"}
Any idea what permission we need to grant to our application?
I can not reproduce your issue on my side. Here are my steps for your reference.
1.Create an application with User.Read
and profile
permissions.
2.Since the permissions I added don't need admin consent, so I can consent by the first time I login.
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=59437d85-46f8-409c-8211-b3db91a8b0e5
&response_type=code
&redirect_uri=http://localhost
&response_mode=query
&scope=https://graph.microsoft.com/User.Read
&state=12345
3.Get the token by using the code I got from step2
To locate your issue, please provide the screenshot like step2(App registrations->your application->API permissions). And the value of scope you used to get code/token.
这篇关于AADSTS65001:用户或管理员未同意使用 ID 为“<应用程序 ID>"的应用程序.的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!