Context:
- Azure AD B2C for a Tenant
- External Identity Provider configured
- B2C login flow (sign-in sign-up) configured
- API backend defined as Application with 2 scopes in AAD B2C of this Tenant
- "Admins and users" can consent
- External client/Third Party app (confidential) defined as Application in AAD B2C of this Tenant
- External client/Third Party app has permissions on the 2 scopes
- Status is "nothing": I did not grant admin consent, because I want the users to give consent themselves
- In Enterprise applications | User settings
- Users can consent to apps accessing company data on their behalf: YES
- In Consent and permissions | User consent settings => Allow user consent for apps - All users can consent for any app to access the organization's data.
Authorize URL:
https://xxx.b2clogin.com/xxx.onmicrosoft.com/oauth2/v2.0/authorize
?p=B2C_1_signup_login
&client_id=xxx
&nonce=defaultNonce
&redirect_uri=xxx
&scope=offline_access%20openid%20profile%20email%20https%3A%2F%xxx.onmicrosoft.com%2F6D6E9DF9-4546-47D8-8EDB-D65EC89A0E90%2Fproduct_scope_2
&response_type=code
&code_challenge=ThisIsntRandomButItNeedsToBe43CharactersLong
&code_challenge_method=plain
The user is redirected to the external IdP and logs in. The user is not asked for consent. The callback URL is called with a `code`, which can be exchanged for an `id_token`. The audience (`aud`) is the `client_id` of the Client Application, not the API.

If I grant admin consent, the `code` can be exchanged for an `access_token` and an `id_token`, and the audience is OK (the API's `client_id`).
What must I configure to have the users asked to give consent, for the Client Application + the scopes? I haven't been able to find any article about this: user consent AND external identity provider.
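Added example (not code from the question or from Microsoft): a small Python helper that builds the same authorize request as above but with an S256 PKCE challenge instead of `plain`, and that inspects a returned token to tell whether its `aud` is the Client Application or the API, which is the distinction the question hinges on. The tenant name, client id and redirect URI are assumed placeholders; the API app id and scope name are taken from the question's scope URI. The sample tokens are constructed, unsigned fixtures for offline use.

```python
"""Authorization-code + PKCE request for Azure AD B2C, and token audience
inspection. Added example; not from the original question."""
from __future__ import annotations

import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Constructed placeholder values (assumptions, not from the question).
TENANT = "contoso"                                   # assumed tenant name
POLICY = "B2C_1_signup_login"                        # user flow named in the question
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # assumed client app id
API_APP_ID = "6D6E9DF9-4546-47D8-8EDB-D65EC89A0E90"  # API app id from the question's scope URI
REDIRECT_URI = "https://localhost/callback"          # assumed redirect URI
API_SCOPE = f"https://{TENANT}.onmicrosoft.com/{API_APP_ID}/product_scope_2"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used by PKCE and by JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pkce_challenge(verifier: str) -> str:
    """S256 challenge = base64url(SHA-256(verifier)), per RFC 7636."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_pkce_pair() -> tuple[str, str]:
    """Random 43-character verifier (32 random bytes) and its S256 challenge.
    The verifier stays with the client and is sent only at the token request."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier)


def build_authorize_url(code_challenge: str, state: str, nonce: str,
                        tenant: str = TENANT, policy: str = POLICY,
                        client_id: str = CLIENT_ID, redirect_uri: str = REDIRECT_URI,
                        scopes: tuple[str, ...] = ("openid", "offline_access", API_SCOPE)) -> str:
    """Same shape as the question's authorize URL, with S256 instead of plain."""
    params = {
        "p": policy,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,                  # anti-CSRF value, checked on the callback
        "nonce": nonce,                  # bound into the id_token, checked after exchange
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    base = f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize"
    return base + "?" + urlencode(params)


def jwt_claims(token: str) -> dict:
    """Payload claims of a compact JWT. Inspection only: the signature is NOT
    verified here, so use it for diagnostics, never for authorization decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def issued_for(token: str) -> str:
    """Classify a token's audience as 'client', 'api' or 'other'.
    An id_token carries the client app's id; an access_token for the API carries the API's."""
    aud = jwt_claims(token).get("aud")
    if isinstance(aud, list) and len(aud) == 1:
        aud = aud[0]
    if not isinstance(aud, str):
        return "other"
    if aud.lower() == CLIENT_ID.lower():
        return "client"
    if aud.lower() == API_APP_ID.lower():
        return "api"
    return "other"


def unsigned_fixture_token(claims: dict) -> str:
    """Build an UNSIGNED token for offline fixtures only (constructed sample data)."""
    header = _b64url(b'{"alg":"none","typ":"JWT"}')
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


# Constructed samples mirroring what the question describes.
SAMPLE_ID_TOKEN = unsigned_fixture_token({"aud": CLIENT_ID, "sub": "user-1"})
SAMPLE_API_ACCESS_TOKEN = unsigned_fixture_token({"aud": API_APP_ID, "scp": "product_scope_2"})

if __name__ == "__main__":
    verifier, challenge = new_pkce_pair()
    print(build_authorize_url(challenge, state=secrets.token_urlsafe(16), nonce=secrets.token_urlsafe(16)))
    print("id_token audience:", issued_for(SAMPLE_ID_TOKEN))
    print("access_token audience:", issued_for(SAMPLE_API_ACCESS_TOKEN))
```

Two points worth keeping from this: with `code_challenge_method=plain` and a fixed challenge, PKCE adds nothing, because anyone who captures the authorization code also knows the verifier; S256 with a fresh random verifier per request is what the parameter is for. And checking `aud` on whatever token the exchange returns is the quickest way to confirm whether you received an access token for the API or only an id_token for the client app, which is exactly the difference the question observes before and after admin consent.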