Consent is not showing in Microsoft Identity auth with api://{BackendClientId}/.default scope
I am trying to configure WASM Blazor client with WebAPI server to use Microsoft identity authentication. I dug deep, followed many advice from StackOverflow (thanks for them) and these are the steps I have used for configuration:
Configured a pair of app registrations in Azure:
Configured delegated permissions in the backend registration:
Configured and exposed API scope:
Configured knownClientApplications to point to frontend registration:
Configured permissions in the frontend registration:
I am using Blazor WASM as the client - The configuration of the authentication client is as follows:
When I run the authentication, the proper token is issued (I have checked the content). The problem is, that the consent screen (with backend consents) is not presented to the user. Consents are not there (OBO flow fails with the backend not having consent) - I have also checked in the portal - no consents are there.
Does anyhow have any idea, why the consent screen is not showing? Is there something more I have to do?
Thank you very much.
- I have tried different scopes - ".default" - proper consent screen is presented, the token is issued for incorrect scopes (MS Graph ones)
- The auth itself is configured properly - when the consent is there, everything works correctly.
Note that: The on behalf of (OBO) flow defines the situation where a web API calls another web API using an identity other than its own.
Based on your configuration, the frontend application calls the backend Api and using the access token generated it calls the Microsoft Graph API using OBO flow.
I created an Azure AD Backend Application and added API permissions:
Now, I created Azure AD Frontend Application and added permissions:
To authorize users, I used below endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=api://BackendAppID/.default
&state=12345
Frontend consent:
Backend Consent:
Auth-code got generated successfully:
By using the Frontend Application, I tried to call backend web Api via Postman:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:FrontendAppID
scope:api://BackendAppID/.default
code:code
redirect_uri:https://jwt.ms
grant_type:authorization_code
client_secret:ClientSecret
When I decoded the token aud is web Api:
Now by passing the above generated access token, I called Microsoft Graph API using OBO flow:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:urn:ietf:params:oauth:grant-type:jwt-bearer
assertion:access_token
requested_token_use:on_behalf_of
When I decoded the token, aud is Microsoft Graph:
By using the above token, you can call Microsoft Graph API.
- If you want to call only the web Api (
api://ClientID/.default) then you can implement Authorization code flow instead of OBO flow. - Refer this blog to know more about the consents by John Patrick Dandison.
- The Backend API doesn't ask consent for API as the web Api is not added in the API permissions.
References:
Microsoft identity platform and OAuth2.0 On-Behalf-Of flow - Microsoft Entra
- How can I define compile time constants in bicep configuration language?
- Outlook calendar don't render with FullCalendar
- Azure functions decoding error for IotHub device connection state message schema
- How do I set scope in Azure API Manager (APIM) when using D_application_id
- How to mount multiple disks in a loop using ansible
- How can I get sub value in nested json via KQL?
- Azure .NET SDK: Scale Azure SQL databases through SDK
- How can I invoke Azure Trusted Signing from a Linux OS?
- How to transfer "Set Variable" activity output into Json file using "Copy Data" activity or any other options?
- Verify Microsoft Access token on my ASP.NET Core Web API
- I'm trying to install the package from a private Azure DevOps repository using the pip install command, but I'm encountering an error
- Unable to define the sites for an App Registration for SahrePoint with Site.Selected
- Check if the resource exists before using data
- Not able to see azure 'LifecyclePolicyCompleted event' log
- Direct Web Push gives Error when used from Notification Hub
- Azure Remove User Consent to API
- Flutter-Azure Deviops pipelineThe discrepancy between the number of tests reported as passed or failed in the pipeline output and the test report
- App_location on deployment of a static webapp
- MSINotEnabled - Can't use KeyVault Reference in Azure Function
- Reading values from a key value based file and passing these values to azure devops template
- Deleting an Azure Loadbalancer Frontend IP configuration from python?
- How to retrieve the front door id from a Microsoft CDN (classic)
- What is HEAD operation in CosmosDB reported in Azure Monitoring
- Deploying a Python App to Azure App Service with Github Actions
- How to Query User Access Logs for Azure Front Door
- How can I add email recipients to a Graph API request programmatically?
- How to create Azure Devops Service Connection Docker Registry Type Other
- Problem with CORS policy in React front end with FastAPI on the back trying to use Microsoft Single Sign-on
- Azure Document Intelligence Custom Classification Python API
- Azure Function App unaccounted for time in Application Insights Timeline