1
votes

I got the error when I was trying to get an access key for one of our APIs: "AADSTS65001: The user or administrator has not consented to use the application with ID '{GUID}'"

First off, I tried using prompt=consent during login, thinking that there were new consents that weren't being prompted for during login. Then I got the following error: "AADSTS65005: The application '{GUID}' asked for permissions to access a resource that has been removed or is no longer available. Contact the app vendor." I removed prompt=consent and started fiddling with the permissions in Azure, and now I am stuck on the same error.

I changed everything back to how it was, but I am still getting the error; however, this only happens for my user. Everyone else can still log in without problems.

So my problem is actually in two parts:

  1. The first error, when trying to get an access token for the API. Somehow I need to prompt the user for consent, but I am using adal.js, which retrieves the keys silently using an invisible iframe. I would like the consent to happen when the user logs into the web app. Is this possible?

  2. My user can't log in to our web app anymore. Everyone else can; has anyone encountered this before?

The product is a SPA web app written in React, and we use adal.js (adal-vanilla) as the library for authentication against Azure AD.

Update: Finally got some stuff working. Not all the way, but at least it's a start.

  1. The problem here is that users registered in other tenants (this is a multi-tenant app) don't get the consent prompt to use the API. These users get the error. However, I registered a user in the same tenant and everything worked as intended.
  2. Problem two got solved by removing all the permissions and adding them back one by one, testing in between. Somehow this worked after two or three tries.

The problem now is that users from other tenants don't get a consent prompt to access the API.

2
juunas: Have you tried prompt=admin_consent?
Fralle: Yes, I have tried both prompt=admin_consent and prompt=consent. Sadly neither fixes any of the errors.

2 Answers

1
votes

Somehow the issue got fixed. I'm not 100% sure how or why, but here are the steps I performed to fix it, in case someone finds themselves in a similar situation:

  1. Ensure that all permissions are correct (the APIs are added as delegated permissions to the client).
  2. All services (web app & APIs) are multi-tenant.
  3. Update the manifest with:

     "availableToOtherTenants": true,
     "knownClientApplications": [
       "{client app application id}"
     ],

     (availableToOtherTenants was false for the API even though it was marked as multi-tenant in the settings)

0
votes

The consent might be possible to fix with prompt=admin_consent.

As for the second problem, you can add your web app as a known client application of the API. This will allow simultaneous consent when the user authenticates to the web app.

To do that, find the API app registration in Azure Portal's Azure AD blade. Then open its manifest (there is a Manifest button on the app blade). In there should be a "knownClientApplications" property. Add the client id of the web app in the array and save the manifest.

E.g.:

"knownClientApplications": [
  "bda6ffff-ffff-ffff-ffff-ffff8bf8c57f"
],
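As an added example (not code from either answer, nor from Microsoft or adal.js), a small Python check of the two manifest settings both answers name: it reports whether an API app registration manifest has availableToOtherTenants set and the web app's client id listed in knownClientApplications, and produces the corrected manifest without duplicating entries. The manifest and GUIDs are constructed placeholders; only the property names come from the answers above.

```python
import uuid

# Constructed sample of an API app registration manifest, shaped like the
# fragment the answers quote. The GUIDs are placeholders, not real app ids.
API_MANIFEST = {
    "appId": "11111111-2222-3333-4444-555555555555",
    "availableToOtherTenants": False,
    "knownClientApplications": [],
}
WEB_APP_CLIENT_ID = "bda6ffff-ffff-ffff-ffff-ffff8bf8c57f"  # placeholder client id

def is_guid(value):
    """True if value parses as a GUID (any version, case-insensitive)."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False

def check_api_manifest(manifest, client_app_id):
    """Problems that keep other-tenant users from being offered consent for the API."""
    problems = []
    if manifest.get("availableToOtherTenants") is not True:
        problems.append("availableToOtherTenants is not true")
    known = manifest.get("knownClientApplications")
    if not isinstance(known, list):
        problems.append("knownClientApplications is missing or not a list")
        known = []
    bad = [k for k in known if not is_guid(k)]
    if bad:
        problems.append(f"knownClientApplications has non-GUID entries: {bad}")
    if client_app_id.lower() not in {str(k).lower() for k in known}:
        problems.append(f"client app {client_app_id} is not a known client application")
    return problems

def add_known_client(manifest, client_app_id):
    """Copy of the manifest with the client app registered as a known client and
    availableToOtherTenants set; idempotent (GUIDs compared case-insensitively)."""
    if not is_guid(client_app_id):
        raise ValueError(f"not a GUID: {client_app_id!r}")
    fixed = dict(manifest)  # shallow copy; the list below is rebuilt, not shared
    fixed["availableToOtherTenants"] = True
    known = [str(k) for k in (manifest.get("knownClientApplications") or [])]
    if client_app_id.lower() not in {k.lower() for k in known}:
        known.append(client_app_id)
    fixed["knownClientApplications"] = known
    return fixed

if __name__ == "__main__":
    print(check_api_manifest(add_known_client(API_MANIFEST, WEB_APP_CLIENT_ID), WEB_APP_CLIENT_ID))  # []
```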