Azure Active Directory登录:Web应用程序权限,未触发用户同意
[英]Azure Active Directory Login: Web App Permissions, User Consent not triggered
问题描述
I have currently set up a AAD instance and I am authenticating my users against it via my web app, and it's working great. 
目前,我已经建立了一个AAD实例,并且正在通过我的Web应用对其用户进行身份验证,并且该实例运行良好。
When I added and configured the application on AAD, I added the required Application and Delegated Permissions to access the Office365 Calendar API. 在AAD上添加和配置应用程序后,我添加了访问Office365 Calendar API所需的应用程序和委派权限。 However, the only thing that is missing is that during the login flow users aren't being prompted to grant consent for the permissions, as it should happen from what I've read in your docs: https://msdn.microsoft.com/en-us/library/azure/dn132599.aspx#BKMK_Consent 但是,唯一缺少的是,在登录流程期间,系统不会提示用户授予权限许可,因为这应该是我在您的文档中看到的: https : //msdn.microsoft.com /zh-CN/library/azure/dn132599.aspx#BKMK_Consent
I'm not sure what I'm missing. 我不确定我缺少什么。 Apparently, from the docs, 显然,从文档中
After the user has signed in, Azure AD will determine if the user needs to be shown a consent page.
So maybe somehow I have already probably implicitly granted admin consent for those permissions, but I don't know how that happened. 因此,也许我已经以某种方式暗中授予了这些权限的管理员同意,但是我不知道那是怎么发生的。
I've attached the permissions I configured on the AAD App. 我已附加在AAD应用程序上配置的权限。
Any help would be appreciated. 任何帮助,将不胜感激。
2 个解决方案
解决方案1
7 已采纳 2015-06-11 17:58:57
If an admin creates an application in their tenant using the AUX portal (manage.windowsazure.com), and requests permissions to other applications, then users in that same tenant are pre-consented for that application. 如果管理员使用AUX门户(manage.windowsazure.com)在其租户中创建一个应用程序,并请求对其他应用程序的权限,则该租户中已预先同意了该租户中的用户。 Note this behavior is NOT true for our other App Registration Portals (portal.azure.com or identity.microsoft.com) 请注意,对于我们的其他应用程序注册门户(portal.azure.com或identity.microsoft.com),此行为不正确
I believe this is why you are not seeing the consent dialogue when user's in your tenant are signing into your application. 我相信这就是为什么当您的租户中的用户登录到您的应用程序时,您不会看到同意对话框的原因。 If you would like to push the consent dialogue experience, there are a few different things you can do: 如果您想推动同意对话的经验,可以做一些不同的事情:
- You can use query strings to prompt "consent" or "admin_consent" during login. 您可以使用查询字符串在登录过程中提示“同意”或“ admin_consent”。 Check here: https://msdn.microsoft.com/en-us/library/azure/dn645542.aspx 在这里检查: https : //msdn.microsoft.com/en-us/library/azure/dn645542.aspx
- You can delete the service principal for your application from your tenant using AAD PowerShell. 您可以使用AAD PowerShell从租户中删除应用程序的服务主体。 You can learn how to do that here: https://msdn.microsoft.com/en-us/library/azure/dn194113.aspx 您可以在此处了解如何执行此操作: https : //msdn.microsoft.com/zh-cn/library/azure/dn194113.aspx
- You can have a user from another tenant try to login to your multi-tenant application. 您可以让另一个租户的用户尝试登录到多租户应用程序。
- You can create your application under a non-admin account. 您可以使用非管理员帐户创建应用程序。
I hope this helps! 我希望这有帮助!
Shawn Tabrizi 肖恩·塔布里兹(Shawn Tabrizi)
解决方案2
1 2015-06-11 08:27:42
Try this: 尝试这个:
What is the Resource parameter in Windows Azure AD tenant application oAuth 2.0 specification Windows Azure AD租户应用程序oAuth 2.0规范中的Resource参数是什么
Changing the resource parameter to https://graph.windows.net did the trick for me. 将资源参数更改为https://graph.windows.net对我有用。
Furthermore, Microsoft support suggests disabling all permissions except "Enable sign-on and read users' profiles", apparently to avoid permission related problems. 此外,Microsoft支持建议禁用除“启用登录并读取用户的配置文件”之外的所有权限,这显然是为了避免与权限相关的问题。 I understand that this is not a solution in your case, but at least it gives you a test case. 我了解这不是您的解决方案,但至少可以为您提供一个测试案例。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.