Consent prompt does not ask for all permissions which are set in AD App after moving to v2.0 authority

0
votes

We have a multi-tenant AD App that we use for signing in users to our App using OpenID Connect. We recently moved to v2.0 authority endpoint, post which we are facing an issue wherein the consent prompt which is shown during the login process does not show all the permissions which have been configured in the 'Permissions' section of the App. This is unlike the behavior of v1.0 authority endpoint which used to show prompt for all the set permissions. Below is the relevant code snippet from our Startup.cs -

.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
            {
                options.CallbackPath = new PathString("/callback/");
                options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.SaveTokens = true;
                options.ClientId = <clientId>;
                options.Authority = "https://login.microsoftonline.com/common/v2.0/";
                options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = <valid-issuer>,
                    IssuerValidator = MultiTenantIssuerValidator.Validate,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    ValidAudience = <client-id>,
                    NameClaimType = "preferred_username"
                };

Redirect Uri with v2.0 endpoint - https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=&redirect_uri=&response_type=code id_token&scope=openid profile&response_mode=form_post

Redirect Uri with v1.0 endpoint - https://login.microsoftonline.com/common/oauth2/authorize?client_id=&redirect_uri=&response_type=code id_token&scope=openid profile&response_mode=form_post

I tried to go through the documentation for v2 endpoint and did not find any section which explains this behavior change.

Are we explicitly supposed to set all required scopes in OpenIdConnectOptions?

2
oauth-2.0azure-active-directoryopenid-connect
If my answer is helpful for you, you can accept it as answer( click on the check mark beside the answer to toggle it from greyed out to filled in.). See meta.stackexchange.com/questions/5234/…. This can be beneficial to other community members. Thank you.Allen Wu

2 Answers

2
votes

Yes. The behaviors are different between v1.0 and v2.0.

For v2.0 endpoint, you should include the resource in the scope.

For example, if your permission is Microsoft Graph, you should generate the request uri like this:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=&redirect_uri=&response_type=code id_token&scope=openid profile https//graph.microsoft.com/.default&response_mode=form_post

If your permission is for your custom web API, you just need to replace https//graph.microsoft.com/.default with api://*****/.default.

Then it will ask you to consent for all the permissions.

See the v2.0 sample Request an authorization code for details.

0
votes

In Azure AD V2.0, the permissions (scopes) have to be explicitly requested. It has a scope parameter that a developer should be using to request scopes. This also means that an app does not need to declare permissions in the App registration.

if you want the AAD v1 behavior.

  1. Declare the permissions that you app needs in the Api permissions blade.
  2. Use the './default' keyword as scope.

More detailed information is provided here