[英]Error AADSTS90093 on Microsoft “converged” OAuth authorize for organizational O365 account
I'm developing an application that I registered with Microsoft at apps.dev.microsoft.com to use their new "converged" OAuth2 flow documented at https://azure.microsoft.com/en-us/documentation/articles/active-directory-v2-protocols-oauth-code/ . 我正在开发一个我在apps.dev.microsoft.com上向Microsoft注册的应用程序,以使用他们在https://azure.microsoft.com/en-us/documentation/articles/active-上记录的新“融合”OAuth2流程。 directory-v2-protocols-oauth-code / 。
I am requesting authorization for scope user.read
. 我正在请求范围user.read
授权。 Specifically, this is the authorize URL: 具体来说,这是授权URL:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=77ebf38a-23aa-4006-b947-aae863964ba7&redirect_uri=https%3A%2F%2Flocalhost%3A44302%2Fazure_connection%2Fcallback&response_type=code&scope=user.read
I expect this to work 100% of the time as I'm only asking for the user.read
scope, which is documented at https://graph.microsoft.io/en-us/docs/authorization/permission_scopes as not requiring delegation. 我希望这可以100%的时间工作,因为我只要求user.read
范围,在https://graph.microsoft.io/en-us/docs/authorization/permission_scopes中记录为不需要委托。 However, for my corporate (aka organizational) account, when I login to the authorize URL I get the error AADSTS90093: Does not have access to consent.
但是,对于我的公司(也称为组织)帐户,当我登录授权URL时,我收到错误AADSTS90093: Does not have access to consent.
My corp organizational account is a regular user role in our AAD. 我的公司组织帐户是我们AAD中的常规用户角色。
Every other authorize request works as expected. 每个其他授权请求都按预期工作。 I've tested this with other organizational accounts who are admins, contributors, and regular users in other Azure accounts I have. 我已经使用其他组织帐户对其进行了测试,这些帐户是我拥有的其他Azure帐户中的管理员,贡献者和常规用户。 I've tested this with "MSA" accounts (outlook.com, hotmail.com, other Live-registered accounts) too. 我用“MSA”帐户(outlook.com,hotmail.com,其他实时注册帐户)对此进行了测试。
The only differences in accounts that I can think of: 我能想到的唯一的帐户差异:
The account that fails is an Office 365 account. 失败的帐户是Office 365帐户。 (Every other test I've done with an organizational account has been me manually entering the account in AAD in "the old portal".) (我使用组织帐户完成的所有其他测试都是我在“旧门户”中手动输入AAD中的帐户。)
The account that fails is the account under which I registered the app on apps.dev.microsoft.com (Oh the irony!) 失败的帐户是我在apps.dev.microsoft.com上注册应用程序的帐户(讽刺的是哦!)
Anyone encountering this? 有没有人遇到这个? Do you see anything wrong with the authorize URL or the authorization scope? 您是否发现授权URL或授权范围有问题? Is there some setting in AAD or in Office 365 that could prevent third-party OAuth access to "myself"? AAD或Office 365中是否存在可能阻止第三方OAuth访问“我自己”的设置?
This is because the global administrator in your organization has blocked users from giving consent to applications. 这是因为组织中的全局管理员阻止用户同意应用程序。
You need to work with your global administrator(s) to have them allow users to provide consent to applications. 您需要与全局管理员合作,让他们允许用户同意应用程序。 This setting can be found in the classic Azure Management portal, in Active Directory -> Configure -> Integrated Applications: "USERS MAY GIVE APPLICATIONS PERMISSION TO ACCESS THEIR DATA" 此设置可在经典Azure管理门户中找到,在Active Directory中 - >配置 - >集成应用程序:“用户可以提供应用程序允许访问其数据”
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.