7
votes

I have a web app on Azure App Service that requires Azure Active Directory authentication. I can receive an access token for the secured app from within other apps using either the OAuth 2.0 flow for service-to-service communication or Managed Service Identity (MSI).

For MSI, Microsoft provides a library, Microsoft.Azure.Services.AppAuthentication, for authentication that also supports using the credentials from the azure-cli tool.

However, the library is currently in preview and it does not work on my system, but I managed to find its source code on GitHub.

The relevant part seems to call

$ az account get-access-token --resource <resource>

However, when I try it with the resource name of the app I am trying to access I get the following error:

Get Token request returned http error: 400 and server response: {"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID <application id> named <application name>.

For the resource name I tried both the App ID URI and Client ID.

Has anyone managed to use azure-cli to get an access token in a similar scenario?


1 Answer

0
votes

That error indicates that you need to consent to that application (the CLI) accessing that API (the scope/resource).

The fastest way to do this would be to build a consent URL for the CLI that lets you consent to the CLI accessing your application. The CLI app ID is 04b07795-8ddb-461a-bbee-02f9e1bf7b46.

Something like this.

https://login.microsoftonline.com/<your-tenant-name-or-id>/oauth2/v2.0/authorize?response_type=code&client_id=04b07795-8ddb-461a-bbee-02f9e1bf7b46&scope=<the scope of the target app/api>
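As an added example (not code from the question or the answer), a small Python helper that recognizes the AADSTS65001 failure in the CLI's output and builds the consent URL shown above with properly URL-encoded parameters; the tenant, scope, application ID and name used in the sample are constructed placeholders, and the optional redirect_uri/state parameters are assumptions beyond what the answer shows.

```python
import json
import re
from urllib.parse import urlencode

# Application ID of the Azure CLI itself, as quoted in the answer above.
AZURE_CLI_CLIENT_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"


def build_consent_url(tenant, scope, client_id=AZURE_CLI_CLIENT_ID,
                      redirect_uri=None, state=None):
    """v2.0 authorize URL asking the signed-in user to let `client_id` (the CLI by
    default) call the API identified by `scope`; urlencode keeps the App ID URI intact."""
    params = {"response_type": "code", "client_id": client_id, "scope": scope}
    if redirect_uri:  # optional parameters, assumed here, not part of the answer's URL
        params["redirect_uri"] = redirect_uri
    if state:
        params["state"] = state
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?" + urlencode(params)


_AADSTS_CODE = re.compile(r"\bAADSTS\d+\b")
_RESPONSE_MARKER = "server response: "


def parse_token_error(cli_output):
    """Pull the AADSTS code out of the CLI's 'Get Token request returned http error'
    line; returns None when the text carries no parseable JSON error body."""
    idx = cli_output.find(_RESPONSE_MARKER)
    if idx < 0:
        return None
    try:
        body = json.loads(cli_output[idx + len(_RESPONSE_MARKER):])
    except json.JSONDecodeError:
        return None
    description = body.get("error_description", "")
    match = _AADSTS_CODE.search(description)
    return {"error": body.get("error"), "code": match.group(0) if match else None,
            "description": description}


def consent_url_if_needed(cli_output, tenant, scope):
    """Return a consent URL only when the failure is AADSTS65001 (missing consent)."""
    parsed = parse_token_error(cli_output)
    if parsed and parsed["code"] == "AADSTS65001":
        return build_consent_url(tenant, scope)
    return None


# Constructed sample shaped like the error in the question; the ID and name are placeholders.
SAMPLE_ERROR = (
    'Get Token request returned http error: 400 and server response: '
    '{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator '
    'has not consented to use the application with ID \'00000000-0000-0000-0000-000000000000\' '
    'named \'example-api\'. Send an interactive authorization request for this user and resource."}'
)
```

Calling consent_url_if_needed(SAMPLE_ERROR, "<tenant>", "<scope>") yields the authorize URL to open in a browser; any other AADSTS code returns None so the script does not send users to a consent prompt that would not fix their problem.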