
I am getting a consent error when trying to obtain a token. Because of our application, we can't show an interactive dialog to give consent.

"AADSTS65001: The user or administrator has not consented to use the application with ID <'my native client app id'>. Send an interactive authorization request for this user and resource."

using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL .NET

// Authority for the tenant; this overload (username/password) is only valid for a native (public) client.
AuthenticationContext ctx = new AuthenticationContext(
    string.Format("https://login.microsoftonline.com/{0}", "mytenant.onmicrosoft.com"));
UserPasswordCredential cred = new UserPasswordCredential("[email protected]", "Password");
// AcquireTokenAsync returns a Task<AuthenticationResult>; it must be awaited (inside an async method) to get the result or the AdalServiceException.
AuthenticationResult result = await ctx.AcquireTokenAsync("my api uri", "my native client id", cred);

We are using the grant_type=password and client_id is a Native app id, and resource is the Web API app URI.

Permissions-wise, from the client app, a delegated permission has been given to access the API app, and we have also tried setting oauth2AllowImplicitFlow : true in the manifest.

All applications have been created in the new preview Azure AD section of the new portal (portal.azure.com)


1 Answer


Unfortunately, if your application needs access to certain resources, like the Graph API, you will need to prompt for consent at least once.

Even if your app doesn't have an interactive login experience, you should be able to prompt this once to unblock your scenario in your tenant.

Use the following URL:

https://login.microsoftonline.com/<TenantID>/oauth2/authorize?client_id=<AppID>&response_type=code&redirect_uri=<RedirectURI>&resource=<ResourceURI>&prompt=admin_consent

You can see here we have simply generated the login URL that would be generated as part of an interactive login experience. You will need to fill in your own specific data like Reply URL, App ID, Resource URI, etc.

Note that we added a final query string at the end where we are forcing a "consent" prompt. This should be done by an Administrator, who would be able to consent on behalf of the whole tenant. Once you have done that, the username/password flow should start working for you.

Also, as an additional note, implicit grant flow has nothing to do with consent. Please read this section in the OAuth 2 spec: https://tools.ietf.org/html/rfc6749#section-1.3.2

You should only use this setting if you are creating a single-page application with something like JavaScript; otherwise, there are significant security concerns with this setting on applications that should not have it.
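As an added example (not code from the original question or answer, and not ADAL's own code), the following Python builds the admin-consent URL from the answer with proper query-string encoding, builds the matching grant_type=password request the question's ADAL call sends under the hood, and maps an AADSTS65001 error body back to the consent URL an administrator has to open once. The tenant, client id, reply URL, resource URI and user name are placeholders, the sample error body is constructed, and nothing is sent over the network.

```python
"""Admin consent URL and ROPC (grant_type=password) request for the Azure AD v1 endpoints.

Added example; all identifiers below are placeholders, not values from the original post.
"""
from urllib.parse import urlencode

LOGIN = "https://login.microsoftonline.com"


def admin_consent_url(tenant, client_id, redirect_uri, resource):
    """Authorization-endpoint URL with prompt=admin_consent.

    A tenant administrator visiting this URL consents on behalf of the whole
    tenant; after that the non-interactive password grant stops failing with
    AADSTS65001. urlencode() percent-encodes the redirect URI and resource URI,
    which contain ':' and '/' that must not appear raw inside a query string.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": resource,
        "prompt": "admin_consent",
    }
    return f"{LOGIN}/{tenant}/oauth2/authorize?{urlencode(params)}"


def ropc_token_request(tenant, client_id, resource, username, password):
    """Token endpoint and form body for grant_type=password (what ADAL posts for UserPasswordCredential).

    A native (public) client sends no client_secret. The user's password travels
    in the POST body, so this grant is only acceptable over TLS and does not work
    for accounts that require MFA or federated (non-password) sign-in.
    """
    body = {
        "grant_type": "password",
        "client_id": client_id,
        "resource": resource,
        "username": username,
        "password": password,
    }
    return f"{LOGIN}/{tenant}/oauth2/token", urlencode(body)


def consent_url_for_error(error_json, tenant, client_id, redirect_uri, resource):
    """Return the admin-consent URL if the token endpoint's error is the consent error, else None.

    Azure AD puts the AADSTS code at the front of error_description while the
    'error' field is the generic 'invalid_grant', so match on the code itself.
    """
    desc = error_json.get("error_description", "")
    if desc.startswith("AADSTS65001"):
        return admin_consent_url(tenant, client_id, redirect_uri, resource)
    return None


# Constructed sample error, shaped like the token endpoint's JSON error body.
SAMPLE_ERROR = {
    "error": "invalid_grant",
    "error_description": (
        "AADSTS65001: The user or administrator has not consented to use the "
        "application with ID '11111111-2222-3333-4444-555555555555'. "
        "Send an interactive authorization request for this user and resource."
    ),
}

if __name__ == "__main__":
    tenant = "mytenant.onmicrosoft.com"                   # placeholder tenant
    client_id = "11111111-2222-3333-4444-555555555555"    # placeholder native app id
    redirect_uri = "urn:ietf:wg:oauth:2.0:oob"            # placeholder reply URL of the native app
    resource = "https://mytenant.onmicrosoft.com/my-api"  # placeholder Web API App ID URI

    url = consent_url_for_error(SAMPLE_ERROR, tenant, client_id, redirect_uri, resource)
    print("Have a tenant administrator open:", url)

    endpoint, body = ropc_token_request(
        tenant, client_id, resource, "user@mytenant.onmicrosoft.com", "Password"
    )
    print("Then POST to", endpoint, "with body:", body)
```

The resource in the consent URL must be the same Web API App ID URI the password grant later asks for; consenting to a different resource (for example the Graph API) does not unblock the call in the question.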