active-directory-dotnet-native-aspnetcore-v2
Experience overly complex - why not ask for consent upfront?
Please provide us with the following information:
This issue is for a: (mark with an x)
- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)
Existing experience when trying to add an item, after user login:
- User logs in to client app by asking for a token for api://guid/access_as_user (consent is asked)
- client app calls web api with this token
- web api tries to exchange token for a token with scope "User.Read" via OBO
- this fails because of consent
- web api replies with 401 + WWWAuthenticate header
- client app decodes WWWAuthenticate header and understands that consent is missing
- client app opens a system browser and navigates to authorize endpoint to ask for consent
Expected: todo item to be added; scenario to be achieved fast
Actual: todo item was not added; consent roundtrip adds a lot of complexity and time
Proposed solution:
Upon login to the client app, just ask for consent for User.Read:
```csharp
// AcquireTokenInteractive takes the scope list (IEnumerable<string>), not a single string.
// The token is issued for the web API scope; User.Read is only pre-consented so that the
// web API's later OBO exchange for it does not fail with a consent error.
await _app.AcquireTokenInteractive(new[] { "api://guid/access_as_user" })
    .WithAccount(accounts.FirstOrDefault())
    .WithExtraScopesToConsent(new[] { "User.Read" })
    .WithPrompt(Prompt.SelectAccount)
    .ExecuteAsync()
    .ConfigureAwait(false);
```
This will eliminate steps 4-7.
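The following is an added example (not code from the sample or from the issue author) showing how the proposed approach fits into a client sign-in routine: try the token cache first, and only when MSAL reports that UI is required, prompt once for the API scope while pre-consenting the downstream scope. The client ID, authority, redirect URI and the `api://guid/access_as_user` scope are placeholders; `TryOboAsync` illustrates, on the web API side, where the consent failure of steps 4-5 surfaces when the extra scope was not pre-consented.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class ConsentUpfront
{
    // Placeholders: replace with the registration values of your own client app.
    private const string ClientId = "<client-id-placeholder>";
    private const string Authority = "https://login.microsoftonline.com/common";

    // Scope exposed by the web API (placeholder GUID, as written in the issue).
    private static readonly string[] ApiScopes = { "api://guid/access_as_user" };

    // Scope the web API will request downstream via OBO. Consenting to it at sign-in
    // removes the 401 + WWW-Authenticate consent round trip described above.
    private static readonly string[] DownstreamScopes = { "User.Read" };

    public static IPublicClientApplication BuildApp() =>
        PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(Authority)
            .WithRedirectUri("http://localhost")
            .Build();

    // Client side: silent first, interactive (with extra consent) only when needed.
    public static async Task<AuthenticationResult> SignInAsync(IPublicClientApplication app)
    {
        var account = (await app.GetAccountsAsync().ConfigureAwait(false)).FirstOrDefault();
        try
        {
            // After the first consent the cached/refreshed token is enough; no UI.
            return await app.AcquireTokenSilent(ApiScopes, account)
                .ExecuteAsync()
                .ConfigureAwait(false);
        }
        catch (MsalUiRequiredException)
        {
            // The returned token is for the API scope only; User.Read is recorded as
            // consented so the API can obtain it on the user's behalf later.
            return await app.AcquireTokenInteractive(ApiScopes)
                .WithAccount(account)
                .WithExtraScopesToConsent(DownstreamScopes)
                .WithPrompt(Prompt.SelectAccount)
                .ExecuteAsync()
                .ConfigureAwait(false);
        }
    }

    // Web API side: the OBO exchange for User.Read. Without upfront consent this is the
    // call that fails; the sample then answers 401 with a WWW-Authenticate header.
    public static async Task<(bool Ok, string Reason)> TryOboAsync(
        IConfidentialClientApplication api, string incomingAccessToken)
    {
        try
        {
            var result = await api.AcquireTokenOnBehalfOf(
                    DownstreamScopes, new UserAssertion(incomingAccessToken))
                .ExecuteAsync()
                .ConfigureAwait(false);
            return (result.AccessToken != null, "ok");
        }
        catch (MsalUiRequiredException ex)
            when (ex.Classification == UiRequiredExceptionClassification.ConsentRequired)
        {
            // This is the consent failure of steps 4-5; pre-consenting avoids it.
            return (false, "consent_required: " + ex.Message);
        }
    }
}
```

Pre-consenting does not change what the web API must be trusted with: the user still consents to the API scope and to User.Read, only in a single prompt. In a multi-tenant setup where a tenant admin must approve the API, this single prompt still depends on that admin consent having been granted.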
@bgavrilMS: which chapter of the sample is it? The problem is that in multi-tenant applications, the web API needs to be approved by a tenant admin.
Let's discuss if I miss something.
This is chapter 2
When I tried to use the approach above (WithExtraScopesToConsent), this worked for me for both MSA (there is no tenant admin?) and AAD user. The consent screen asked me about the "api://guid/access_as_user" scope.
Is this still an issue?