The app is asking for consent twice in "app calls api" scenario
I'm using two app registrations and implement the "expose an api" scenario. My CLIENT_APP is an angular application using msal-angular library. My SERVER_APP is a .NET server that's using "Expose an API" feature and defines a scope. It also lists CLIENT_APP as a trusted client application.
CLIENT_APP is actually doing most of the heavy lifting in the system and it accesses Azure AD directly using a directory.read.all. The SERVER_APP provides settings API and is only interested in knowing the users identity.
My problem is that while doing the initial sign up the users are asked for consent for the CLIENT_APP to "View profile" and "Maintain access". That's ok, but immediately after I make a server API call to get settings I'm getting another consent window asking again asking for permissions for CLIENT_APP - "View profile" and "Maintain access". However, there's a paragraph in the window: "If you accept, SERVER_APP will also have access to your user profile information."
Is there a way to do this consent thing in one step? It feels like a very confusing user experience (especially when signing in for the first time)
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Client App and added API permissions:
I created an Azure AD Server App and Exposed an API like below:
Note that: It is inappropriate to get consent screen twice. The user must get the consent screen only once.
For sample, I tried to authorize users by using below endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=api://AppID/test.read Directory.Read.All
&state=12345
When I tried to sign-in with the user account, I got the consent once as below:
After consenting, user successfully got redirected to the redirect page like below:
If still the issue persists, try the below:
- Configure same API permissions for the Client App and the Server App and try.
- Another approach is you can generate access token for Microsoft Graph and fetch the user profile by using the access token like below:
https://graph.microsoft.com/v1.0/users/UserID
- It is not possible to call two APIs at a time.
- Try using the one Azure AD App for authorizing users.
- You can also make use of On-Behalf Flow to resolve the issue.
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?