Is Azure Active Directory Consent Cached?

We're building a native application that makes use of Azure AD. The application requires some permissions (like read user profile, execute Azure Service Management API etc.).

When a user uses our application the very first time, they are asked to sign in and once they sign in, they are presented with the consent screen (they grant consent to our application). Once the user grants the consent, they can see our app in their Azure AD (under "Applications" tab). So far so good.

Now what this user does is removes our application manually from their Azure AD (again by going under "Applications" tab). Based on our understanding of the consent model, what this means is that the user has removed the consent to our application.

Now when this user signs into our application, what we are expecting is that the user is presented with a consent screen again (like the 1st time). However, the actual behavior is that the user is not presented with such a screen and is simply signed into our application. Furthermore, when the user goes back into their Azure AD, they don't see our application in the list of consented apps.

So my questions are:

  1. Does Azure AD somehow cache the consent?
  2. If the consent is cached, for how long is this consent cached?
  3. If the consent is cached, is there a way for us to clear this consent programmatically or otherwise?

Any insights into why this is happening would be highly appreciated.

In Azure Active Directory, user consent is registered as a link between a User Object and a Service Principal Object representing the client application.

This link is represented in the AAD Graph API as an OAuth2PermissionGrant.

You said this:

Now what this user does is removes our application manually from their Azure AD (again by going under "Applications" tab). Based on our understanding of the consent model, what this means is that the user has removed the consent to our application.

I want to clarify. As you might know, when you create a new AAD Application, you need to keep in mind the difference between an Application Object and a Service Principal.

Very specifically, if you delete the Service Principal representing the client application, all of the consent links connected to that Service Principal will be destroyed, thus effectively removing consent. The same cannot be said if you only remove the Application Object, which is likely where you are running into issues.

I explain here the easiest steps required to revoke consent for an Azure Active Directory Application. Let me know if this helps.
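The answer above describes consent as an OAuth2PermissionGrant link between a user and the client's service principal. The following added example (not part of the original question or answer) shows what revoking that link looks like in code: it takes the grant list returned for a client service principal, separates the per-user grants (`consentType: Principal`) that should be deleted from tenant-wide admin grants (`consentType: AllPrincipals`) that deserve a second look before removal, and builds the DELETE requests. It uses the current Microsoft Graph `oauth2PermissionGrants` endpoint rather than the legacy AAD Graph endpoint the answer mentions; the service principal ids, user ids, grant ids and the bearer token are constructed placeholders, and the sample response is hand-written rather than captured from a tenant.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample of what
#   GET /oauth2PermissionGrants?$filter=clientId eq '<client-sp-id>'
# might return. Ids are placeholders, not values from any real tenant.
SAMPLE_GRANTS = {
    "value": [
        {"id": "grant-1", "clientId": "sp-client-1111", "consentType": "Principal",
         "principalId": "user-aaaa", "resourceId": "sp-graph", "scope": "User.Read"},
        {"id": "grant-2", "clientId": "sp-client-1111", "consentType": "AllPrincipals",
         "principalId": None, "resourceId": "sp-graph",
         "scope": "User.Read Directory.Read.All"},
        {"id": "grant-3", "clientId": "sp-other-2222", "consentType": "Principal",
         "principalId": "user-aaaa", "resourceId": "sp-graph", "scope": "User.Read"},
        {"id": "grant-4", "clientId": "sp-client-1111", "consentType": "Principal",
         "principalId": "user-bbbb", "resourceId": "sp-arm",
         "scope": "user_impersonation"},
    ]
}


def select_grants(grants, client_sp_id, user_id=None):
    """Split the grants attached to one client service principal.

    Returns {"delete": [...], "admin_consent": [...]}:
      - delete: per-user grants to remove (all users, or only user_id if given)
      - admin_consent: tenant-wide grants; deleting these revokes consent for
        every user in the tenant, so they are reported rather than auto-deleted
    """
    plan = {"delete": [], "admin_consent": []}
    for g in grants:
        if g["clientId"] != client_sp_id:
            continue  # belongs to a different application
        if g["consentType"] == "AllPrincipals":
            plan["admin_consent"].append(g["id"])
        elif user_id is None or g["principalId"] == user_id:
            plan["delete"].append(g["id"])
    return plan


def build_delete_requests(grant_ids, token):
    """One DELETE /oauth2PermissionGrants/{id} request per grant id."""
    return [
        urllib.request.Request(
            f"{GRAPH}/oauth2PermissionGrants/{gid}",
            method="DELETE",
            headers={"Authorization": f"Bearer {token}"},
        )
        for gid in grant_ids
    ]


def revoke(grant_ids, token, dry_run=True):
    """Send the DELETE requests. With dry_run=True (default) nothing leaves the
    machine; the method and URL of each planned call are returned instead."""
    planned = []
    for req in build_delete_requests(grant_ids, token):
        planned.append((req.get_method(), req.full_url))
        if not dry_run:
            # A 204 response means the grant (and with it the consent) is gone.
            with urllib.request.urlopen(req) as resp:
                assert resp.status == 204, f"unexpected status {resp.status}"
    return planned


if __name__ == "__main__":
    grants = json.loads(json.dumps(SAMPLE_GRANTS))["value"]
    plan = select_grants(grants, "sp-client-1111", user_id="user-aaaa")
    print("grants to delete for user-aaaa:", plan["delete"])
    print("tenant-wide grants needing review:", plan["admin_consent"])
    for method, url in revoke(plan["delete"], "PLACEHOLDER_TOKEN"):
        print(method, url)
```

Once the per-user grant is deleted, the next sign-in for that user goes through the consent prompt again, which is the behaviour the question expected. Deleting only the Application Object in the portal does not touch these grant objects, which is why the consent appeared to persist.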
