Forum Discussion

yoioreloaded's avatar
yoioreloaded
Copper Contributor
Aug 31, 2019
Solved

AADSTS65001: The user or administrator has not consented ... when using v2.0 endpoints

Hi all,   while developing an application that relies on Azure AD for authentication, I found out what seems to be an issue with v2.0 endpoints.   TL;DR: When requesting a Bearer Token using an au...
Azure Active Directory (AAD)
microsoft 365
  • Rishabh Srivastava's avatar
    Rishabh Srivastava
    Aug 31, 2019

    As per the details that you have mentioned, 

    Grant_type is the parameter used for V1.0 Endpoints, 
    https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code


    For v2.0, add scope in the initial request of requesting code, 

     

    GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
    client_id=6731de76-14a6-49ae-97bc-6eba6914391e
    &response_type=code
    &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
    &response_mode=query
    &scope=
    https%3A%2F%2Fgraph.microsoft.com%2Fcalendars.read%20
    https%3A%2F%2Fgraph.microsoft.com%2Fmail.send
    &state=12345

     

    Let me know, if still it doesn't work.

     

    Thanks !!

     

     

Rishabh Srivastava's avatar
Rishabh Srivastava
Iron Contributor
Aug 31, 2019

As per the details that you have mentioned, 

Grant_type is the parameter used for V1.0 Endpoints, 
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code


For v2.0, add scope in the initial request of requesting code, 

 

GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=
https%3A%2F%2Fgraph.microsoft.com%2Fcalendars.read%20
https%3A%2F%2Fgraph.microsoft.com%2Fmail.send
&state=12345

 

Let me know, if still it doesn't work.

 

Thanks !!

 

 

yoioreloaded's avatar
yoioreloaded
Copper Contributor
Sep 01, 2019

Rishabh Srivastava

Hi Rishabh,

thank you very much for your quick reply, and for pointing me in the right direction.

 

Turns out it was, as expected, a mistake on my part: as I had all scopes set up correctly in the 1st request, but in the 2nd, the one that exchanges the code for the token, I was attempting to pass the scopes as comma separeted values instead of encoding them properly as URL encoded space separated values.
I speculate this let the auth server think I was requesting scopes that didn't actually exist, and therefore, for which no user or admin ever gave permission to use.
This should also explain why the v1.0 endpoint works, as the documentation says "For v1 Azure AD apps, scopes must be statically configured in the Azure Portal under the applications Settings, Required Permissions." and this parameter was in fact being ignored.

 

Now everything seems to be working as expected.

Thank you again for your time and interest, your contribution was of great help.

Best regards

Resources