
Context:

  • Azure AD B2C for a Tenant
  • External Identity Provider configured
  • B2C login flow (sign-in sign-up) configured
  • API backend defined as Application with 2 scopes in AAD B2C of this Tenant
    • "Admins and users" can consent
  • External client/Third Party app (confidential) defined as Application in AAD B2C of this Tenant
  • External client/Third Party app has permissions on the 2 scopes
    • Status is "nothing", I did not grant admin consent, I want the users to give consent themselves
  • In Enterprise applications | User settings
    • Users can consent to apps accessing company data on their behalf: YES
  • In Consent and permissions | User consent settings => Allow user consent for apps - All users can consent for any app to access the organization's data.

Authorize URL:

https://xxx.b2clogin.com/xxx.onmicrosoft.com/oauth2/v2.0/authorize
?p=B2C_1_signup_login
&client_id=xxx
&nonce=defaultNonce
&redirect_uri=xxx
&scope=offline_access%20openid%20profile%20email%20https%3A%2F%2Fxxx.onmicrosoft.com%2F6D6E9DF9-4546-47D8-8EDB-D65EC89A0E90%2Fproduct_scope_2
&response_type=code
&code_challenge=ThisIsntRandomButItNeedsToBe43CharactersLong
&code_challenge_method=plain

User is redirected to the external IDP, logs in. User is not asked for consent. Callback URL is called with a code, which can be exchanged for an id_token. Audience (aud) is the client_id of the Client Application, not the API.

If I grant admin consent, the code can be exchanged for an access_token and id_token, and the audience is OK (API's client_id).

What must I configure to have the users asked to give consent, for the Client Application + the scopes? I haven't been able to find any article about this: user consent AND external identity provider.


1 Answer


You must do an Admin Consent in AAD B2C. It does not have an OAuth 2.0 consent prompt for users. Instead it's modelled with a terms of use. You never do an OAuth consent unless you share your data with a third party.

https://github.com/azure-ad-b2c/samples/blob/master/policies/terms-of-service

In Consent and permissions | User consent settings => Allow user consent for apps - All users can consent for any app to access the organization's data.

Irrelevant to AAD B2C apps.

If you still want some consent UX: https://github.com/azure-ad-b2c/samples/tree/master/policies/service-consent