0
votes

I'm currently developing an application which consists of a frontend SPA that makes requests to a Node backend. The Node backend makes requests to MS Graph. For this use case I set up the OBO flow, which works fine.

The SPA uses MSAL.js to request a token for the middle-tier API with the /.default scope. The middle-tier API knows the client as a 'knownclient' in its manifest. On the very first login the application asks the user to consent to the combined scopes of the client and the middle tier (if the user has never used the app before).

The problem now is the following: as development progresses, new scopes for MS Graph are added to the middle-tier API. However, the client doesn't show the user a consent prompt for the new backend scope, even though the client uses the /.default scope.

The first approach I tried was setting prompt='consent' in the MSAL configuration in the frontend. This approach works, but it results in asking the user for consent every time they log in.

The intended behaviour would be to ask for consent only if the middle-tier API changes its scopes.

How do I have to set up my applications to get this result?

If you add new permissions, why don't you just grant the administrator consent directly in the Azure portal? – Carl Zhao
I read about that. I just don't know if users are prompted to give consent after admin consent has been given. If that's the case, that's probably my way to go. – JellyBox
If the administrator has consented, the user will not be prompted to consent again. – Carl Zhao
Okay, I see. Many thanks for your answer!! That's the way to go if I don't want to use prompt='consent', I guess, or are there any other approaches? – JellyBox
As I said earlier, if you add new permissions, you only need to grant the administrator consent directly in the Azure portal. Or, use the administrator consent URL: https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}. – Carl Zhao

1 Answer

0
votes

As I said in the comments, if you just add new permissions, don't use prompt='consent', because this will cause the administrator consent page to be triggered every time you log in as a user.

When you add a new permission, you only need to grant the administrator's consent, and there is no need to request the user's consent again. So, you only need to grant the administrator consent in the Azure portal. Or, use the administrator consent URL: https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}.
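The pieces discussed in the question and the answer, as an added example that is not part of the original post or the asker's code: the MSAL.js request for the middle-tier API's /.default scope with and without the prompt='consent' setting the question tried, a silent-then-interactive acquisition that only shows UI when the service reports that interaction is required, and a builder plus a return-URL parser for the admin consent URL given in the answer. The client ID, tenant ID and redirect URI are placeholders, and the MSAL `PublicClientApplication` is passed in as a parameter (named `msalInstance`) rather than imported, so the file runs without `@azure/msal-browser` installed; those are assumptions of this example.

```javascript
// Added example; not from the original post. Uses only globals (URL) so it runs
// stand-alone; the real @azure/msal-browser instance is injected as msalInstance.

const API_CLIENT_ID = "11111111-2222-3333-4444-555555555555"; // placeholder (assumption)
const TENANT_ID = "66666666-7777-8888-9999-000000000000";     // placeholder (assumption)

// /.default asks for every permission the SPA's app registration has on the
// middle-tier API, so the SPA's scope list does not change when the API grows.
function apiDefaultScope(apiClientId) {
  return `api://${apiClientId}/.default`;
}

// Builds the MSAL request. forceConsent=true reproduces the approach from the
// question (prompt: "consent"), which re-prompts the user at every login;
// leaving it off lets the service show the consent screen only when needed.
function buildTokenRequest(apiClientId, account, { forceConsent = false } = {}) {
  const request = { scopes: [apiDefaultScope(apiClientId)], account };
  if (forceConsent) request.prompt = "consent";
  return request;
}

// msal-browser throws InteractionRequiredAuthError when a token cannot be
// obtained silently (missing consent, expired session, conditional access).
function isInteractionRequired(err) {
  return Boolean(err) && err.name === "InteractionRequiredAuthError";
}

// Silent first; interactive only on an interaction-required error. Any other
// error (network, configuration) is rethrown so it is not masked by a popup.
async function acquireApiToken(msalInstance, apiClientId, account) {
  const request = buildTokenRequest(apiClientId, account);
  try {
    const result = await msalInstance.acquireTokenSilent(request);
    return result.accessToken;
  } catch (err) {
    if (!isInteractionRequired(err)) throw err;
    const result = await msalInstance.acquireTokenPopup(request);
    return result.accessToken;
  }
}

// Tenant-wide admin consent URL from the answer, with the optional redirect_uri
// and state parameters the adminconsent endpoint accepts. state lets the app
// tie the redirect back to the session that started it.
function buildAdminConsentUrl(tenantId, clientId, { redirectUri, state } = {}) {
  const url = new URL(`https://login.microsoftonline.com/${tenantId}/adminconsent`);
  url.searchParams.set("client_id", clientId);
  if (redirectUri) url.searchParams.set("redirect_uri", redirectUri);
  if (state) url.searchParams.set("state", state);
  return url.toString();
}

// Parses the query string the endpoint sends back to redirect_uri:
// admin_consent=True&tenant=...&state=... on success, error=... on failure.
// Consent is only treated as granted when the returned state matches.
function parseAdminConsentResponse(returnUrl, expectedState) {
  const params = new URL(returnUrl).searchParams;
  const stateValid = expectedState === undefined || params.get("state") === expectedState;
  return {
    granted: stateValid && params.get("admin_consent") === "True",
    tenant: params.get("tenant"),
    stateValid,
    error: params.get("error"),
    errorDescription: params.get("error_description"),
  };
}
```

In the SPA, `acquireApiToken(msalInstance, API_CLIENT_ID, account)` replaces a bare `acquireTokenSilent` call, and `buildAdminConsentUrl(TENANT_ID, API_CLIENT_ID, { redirectUri, state })` is what an admin-only "grant consent" link should point at once the middle tier's Graph permissions change.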