[英]Azure Active Directory Login: Web App Permissions, User Consent not triggered
I have currently set up a AAD instance and I am authenticating my users against it via my web app, and it's working great. 目前,我已经建立了一个AAD实例,并且正在通过我的Web应用对其用户进行身份验证,并且该实例运行良好。
When I added and configured the application on AAD, I added the required Application and Delegated Permissions to access the Office365 Calendar API. 在AAD上添加和配置应用程序后,我添加了访问Office365 Calendar API所需的应用程序和委派权限。 However, the only thing that is missing is that during the login flow users aren't being prompted to grant consent for the permissions, as it should happen from what I've read in your docs: https://msdn.microsoft.com/en-us/library/azure/dn132599.aspx#BKMK_Consent
但是,唯一缺少的是,在登录流程期间,系统不会提示用户授予权限许可,因为这应该是我在您的文档中看到的: https : //msdn.microsoft.com /zh-CN/library/azure/dn132599.aspx#BKMK_Consent
I'm not sure what I'm missing. 我不确定我缺少什么。 Apparently, from the docs,
显然,从文档中
After the user has signed in, Azure AD will determine if the user needs to be shown a consent page.
用户登录后,Azure AD将确定是否需要向用户显示同意页面。 This determination is based on whether the user (or their organization's administrator) has already granted the application consent.
该确定基于用户(或其组织的管理员)是否已授予应用程序同意。 If consent has not already been granted, Azure AD will prompt the user for consent and will display the required permissions it needs to function.
如果尚未授予同意,Azure AD将提示用户同意并显示其运行所需的权限。 The set of permissions that is displayed in the consent dialog are the same as what was selected in the Permissions to other applications control in the Azure Management Portal.
同意对话框中显示的权限集与在Azure管理门户中的“其他应用程序的权限”控件中选择的权限集相同。
So maybe somehow I have already probably implicitly granted admin consent for those permissions, but I don't know how that happened. 因此,也许我已经以某种方式暗中授予了这些权限的管理员同意,但是我不知道那是怎么发生的。
I've attached the permissions I configured on the AAD App. 我已附加在AAD应用程序上配置的权限。
Any help would be appreciated. 任何帮助,将不胜感激。
If an admin creates an application in their tenant using the AUX portal (manage.windowsazure.com), and requests permissions to other applications, then users in that same tenant are pre-consented for that application. 如果管理员使用AUX门户(manage.windowsazure.com)在其租户中创建一个应用程序,并请求对其他应用程序的权限,则该租户中已预先同意了该租户中的用户。 Note this behavior is NOT true for our other App Registration Portals (portal.azure.com or identity.microsoft.com)
请注意,对于我们的其他应用程序注册门户(portal.azure.com或identity.microsoft.com),此行为不正确
I believe this is why you are not seeing the consent dialogue when user's in your tenant are signing into your application. 我相信这就是为什么当您的租户中的用户登录到您的应用程序时,您不会看到同意对话框的原因。 If you would like to push the consent dialogue experience, there are a few different things you can do:
如果您想推动同意对话的经验,可以做一些不同的事情:
I hope this helps! 我希望这有帮助!
Shawn Tabrizi 肖恩·塔布里兹(Shawn Tabrizi)
Try this: 尝试这个:
What is the Resource parameter in Windows Azure AD tenant application oAuth 2.0 specification Windows Azure AD租户应用程序oAuth 2.0规范中的Resource参数是什么
Changing the resource parameter to https://graph.windows.net did the trick for me. 将资源参数更改为https://graph.windows.net对我有用。
Furthermore, Microsoft support suggests disabling all permissions except "Enable sign-on and read users' profiles", apparently to avoid permission related problems. 此外,Microsoft支持建议禁用除“启用登录并读取用户的配置文件”之外的所有权限,这显然是为了避免与权限相关的问题。 I understand that this is not a solution in your case, but at least it gives you a test case.
我了解这不是您的解决方案,但至少可以为您提供一个测试案例。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.