[英]Is Azure Active Directory Consent Cached?
We're building a native application that makes use of Azure AD. 我们正在构建一个使用Azure AD的本机应用程序。 The application requires some permissions (like read user profile, execute Azure Service Management API etc.). 该应用程序需要一些权限(如读取用户配置文件,执行Azure Service Management API等)。
When a user uses our application the very first time, they are asked to sign in and once they sign in, they are presented with the consent screen (they grant consent to our application). 当用户首次使用我们的应用程序时,系统会要求他们登录,一旦登录,他们就会看到同意屏幕(他们同意我们的应用程序)。 Once the user grants the consent, they can see our app in their Azure AD (under "Applications" tab). 用户授予同意后,他们可以在其Azure AD中(在“应用程序”选项卡下)看到我们的应用程序。 So far so good. 到现在为止还挺好。
Now what this user does is removes our application manually from their Azure AD (again by going under "Applications" tab). 现在,该用户要做的是从其Azure AD中手动删除我们的应用程序(同样,请转到“应用程序”选项卡下)。 Based on our understanding of the consent model, what this means is that the user has removed the consent to our application. 根据我们对同意模型的理解,这意味着用户已删除对我们应用程序的同意。
Now when this user signs in into our application, what we are expecting is that the user is presented with a consent screen again (like the 1st time). 现在,当该用户登录到我们的应用程序时,我们期望的是再次向用户显示一个同意屏幕(如第一次)。 However the actual behavior is that the user is not presented with such screen and user is simply signed in into our application. 但是,实际的行为是不会向用户显示该屏幕,而只是将用户登录到我们的应用程序中。 Furthermore, when the user goes back into their Azure AD, they don't see our application in the list of consented apps. 此外,当用户返回其Azure AD时,他们不会在允许的应用程序列表中看到我们的应用程序。
So my questions are: 所以我的问题是:
Any insights into why is this happening would be highly appreciated. 对于为什么会发生这种情况的任何见解都将受到高度赞赏。
In Azure Active Directory, user consent is registered as a link between a User Object and a Service Principal Object representing the client application. 在Azure Active Directory中,用户同意被注册为用户对象和代表客户端应用程序的服务主体对象之间的链接。
This link is represented in the AAD Graph API as an OAuth2PermissionGrant 此链接在AAD Graph API中表示为OAuth2PermissionGrant
You said this: 你这样说:
Now what this user does is removes our application manually from their Azure AD (again by going under "Applications" tab). 现在,该用户要做的是从其Azure AD中手动删除我们的应用程序(同样,请转到“应用程序”选项卡下)。 Based on our understanding of the consent model, what this means is that the user has removed the consent to our application. 根据我们对同意模型的理解,这意味着用户已删除对我们应用程序的同意。
I want to clarify. 我想澄清一下。 As you might know, when you create a new AAD Application, you need to keep in mind the difference between an Application Object and a Service Principal . 如您所知,在创建新的AAD应用程序时,需要记住Application Object和Service Principal之间的区别。
Very specifically, if you delete the Service Principal representing the client application, all of the consent links connected to that Service Principal will be destroyed, thus effectively removing consent. 特别是,如果您删除代表客户端应用程序的服务主体,则与该服务主体相关的所有同意链接都将被销毁,从而有效地删除了同意。 The same cannot be said if you only remove the Application Object, which is likely where you are running into issues. 如果仅删除“应用程序对象”(可能是在您遇到问题的地方),则不能说相同的话。
I explain here the easiest steps required to revoke consent for an Azure Active Directory Application. 我在这里解释撤销对Azure Active Directory应用程序的同意所需的最简单步骤。 Let me know if this helps. 让我知道是否有帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.