
Experience overly complex - why not ask for consent upfront?

Open bgavrilMS opened this issue 2 years ago • 4 comments

Please provide us with the following information:

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Existing experience when trying to add an item, after user login:

  1. User logs in to client app by asking for a token for api://guid/access_as_user (consent is asked)
  2. client app calls web api with this token
  3. web api tries to exchange token for a token with scope "User.Read" via OBO
  4. this fails because of consent
  5. web api replies with 401 + WWWAuthenticate header
  6. client app decodes the WWWAuthenticate header and understands that consent is missing
  7. client app opens a system browser and navigates to the authorize endpoint to ask for consent

Expected: todo item to be added; scenario to be achieved fast

Actual: todo item was not added; consent roundtrip adds a lot of complexity and time

Proposed solution:

Upon login to the client app, just ask for consent for User.Read:

    await _app.AcquireTokenInteractive("api://guid/access_as_user")
        .WithAccount(accounts.FirstOrDefault())
        .WithExtraScopesToConsent(new[] { "User.Read" })
        .WithPrompt(Prompt.SelectAccount)
        .ExecuteAsync()
        .ConfigureAwait(false);

This will eliminate steps 4-7.

bgavrilMS avatar Jul 28 '21 09:07 bgavrilMS
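The proposed flow written out end to end, as an added C# example that is not code from the sample or from the issue author: silent acquisition first, and on the first interactive sign-in a single prompt that covers both the API scope and the downstream scope the API will request via OBO. The helper name and the `api://guid/access_as_user` app id URI are placeholders.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Hypothetical client-side helper (placeholder name). It returns the token for
// the web API and, when UI is needed anyway, collects consent for the scope the
// API will later exchange on-behalf-of the user, removing the 401 round trip.
public static class TokenAcquirer
{
    // Scope the client app itself needs (placeholder app id URI from the issue).
    private static readonly string[] ApiScopes = { "api://guid/access_as_user" };

    // Scope the web API requests via OBO; consent is collected up front here.
    private static readonly string[] DownstreamScopes = { "User.Read" };

    public static async Task<string> GetApiTokenAsync(IPublicClientApplication app)
    {
        var accounts = await app.GetAccountsAsync().ConfigureAwait(false);
        var account = accounts.FirstOrDefault();

        try
        {
            // Normal path: cached access token or refresh token, no UI shown.
            AuthenticationResult silent = await app
                .AcquireTokenSilent(ApiScopes, account)
                .ExecuteAsync()
                .ConfigureAwait(false);
            return silent.AccessToken;
        }
        catch (MsalUiRequiredException)
        {
            // First sign-in or missing consent: one interactive prompt that
            // asks for the API scope and, as an extra scope to consent, the
            // scope the API needs downstream. In a multi-tenant setup the
            // tenant admin may still have to approve the web API itself.
            AuthenticationResult interactive = await app
                .AcquireTokenInteractive(ApiScopes)
                .WithAccount(account)
                .WithExtraScopesToConsent(DownstreamScopes)
                .WithPrompt(Prompt.SelectAccount)
                .ExecuteAsync()
                .ConfigureAwait(false);
            return interactive.AccessToken;
        }
    }
}
```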

@bgavrilMS: Which chapter of the sample is it? The problem is that in multi-tenant applications, the web API needs to be approved by a tenant admin.

Let's discuss if I miss something.

jmprieur avatar Sep 07 '21 02:09 jmprieur

This is chapter 2

bgavrilMS avatar Sep 07 '21 09:09 bgavrilMS

When I tried to use the approach above (WithExtraScopesToConsent), this worked for me for both MSA (there is no tenant admin?) and AAD user. The consent screen asked me about the "api://guid/access_as_user" scope.

bgavrilMS avatar Sep 07 '21 09:09 bgavrilMS

Is this still an issue?

jennyf19 avatar Oct 05 '21 20:10 jennyf19