I've setup a .NET Core 2.0 webapp with Azure AD using OpenIdConnect (like this one: https://github.com/Azure-Samples/active-directory-dotnet-webapp-openidconnect-aspnetcore, all the OpenIDConnect configuration is located here).
I have the following scenario:
- call of http://localhost/my-api-function
- redirection to microsoftonline.com
- choose a Microsoft account I haven't already logged in to this app
- enter password
- accept the requested authorizations (the API app registration grants Graph API access to user profile). See the attached screenshot.
I get redirected to http://localhost/signin-oidc with the following error:
OpenIdConnectProtocolException: Message contains error: 'invalid_request', error_description: 'AADSTS90008: The user or administrator has not consented to use the application with ID 'xxxxx'. This happened because application is misconfigured: it must require access to Windows Azure Active Directory by specifying at least 'Sign in and read user profile' permission.
I think I may have an incorrect redirection after login. I expect to be redirected to http://localhost/my-api-function rather than http://localhost/signin-oidc
I have another working scenario:
- call of http://localhost/my-api-function
- redirection to microsoftonline.com
- choose a Microsoft account I have already logged in to this app then logged out
- enter password
- not prompted again to accept the requested authorizations (the API app registration grants Graph API access to user profile).
- I get redirected to http://localhost/my-api-function as expected and get my protected data.
In Azure AD, I've configured the following reply-url: http://localhost/signin-oidc and granted both "Windows Azure Active Directory" and "Microsoft Graph" APIs to "sign in and read user profile".
Thanks for any pointers.
Edit of 08/22: I understood that redirection seems to redirect to previous url in authentication flow so posted to MS Forums with this more specific indication to look for a solution.