SOLVED
Home

AADSTS65001: The user or administrator has not consented ... when using v2.0 endpoints

%3CLINGO-SUB%20id%3D%22lingo-sub-832187%22%20slang%3D%22en-US%22%3EAADSTS65001%3A%20The%20user%20or%20administrator%20has%20not%20consented%20...%20when%20using%20v2.0%20endpoints%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-832187%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20all%2C%3CBR%20%2F%3E%26nbsp%3B%20while%20developing%20an%20application%20that%20relies%20on%20Azure%20AD%20for%20authentication%2C%20I%20found%20out%20what%20seems%20to%20be%20an%20issue%20with%20v2.0%20endpoints.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ETL%3BDR%3A%3C%2FSTRONG%3EWhen%20requesting%20a%20Bearer%20Token%20using%20an%20authorization%20code%20v1.0%20endpoints%20work%20fine%2C%20but%20v2.0%20endpoints%20keep%20saying%20that%20%22the%20user%20or%20administrator%20has%20not%20consented%20to%20use%20the%20application%20ID%20...%22%20even%20if%20the%20consent%20happened%20in%20the%20very%20same%20session.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EIn%20more%20details%3A%20i%3C%2FSTRONG%3En%20my%20application%2C%20an%20nw.js%20app%20leveraging%20the%20chrome.identity%20API%2C%20I%20call%20Azure%20AD%20oauth2%20authorization%20and%20token%20endpoint%20directly%20via%20HTTP%20requests.%3C%2FP%3E%3CP%3EInitalliy%20I%20make%20a%20GET%20request%20an%20authorization%20code%20to%20the%20endpoint%20%3CA%20target%3D%22_blank%22%20rel%3D%22noopener%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2F%3CTENANT-ID%3E%2Foauth2%2Fv2.0%2Fauthorize%3Fresponse_type%3Dcode%26amp%3B%3C%2FTENANT-ID%3E%3C%2FA%3E...%20and%20the%20code%20is%20returned%20correctly.%3CBR%20%2F%3EAfter%20this%20first%20step%20I%20try%20to%20use%20this%20code%20to%20retrieve%20a%20Bearer%20token%20sending%20a%20POST%20request%20to%20the%20endpoint%20%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%2F%2Foauth2%2Fv2.0%2Ftoken%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2F%3CTENANT-ID%3E%2Foauth2%2Fv2.0%2Ftoken%3C%2FTENANT-ID%3E%3C%2FA%3Ewith%20grant_type%3Dcode%26amp%3B...%20and%20all%20the%20needed%20parameters%20in%20the%20request%20body.%3CBR%20%2F%3EHere%20is%20where%20I%20can%20see%20that%20by%20using%20the%20v1.0%20token%20endpoint%20I%20recieve%20back%20a%20valid%20Bearer%20Token%2C%20while%20pointing%20to%20the%20v2.0%20token%20endpoint%20I%20always%20recieve%20the%20AADSTS65001%2C%20suberror%3A%20%3CSPAN%3E%22consent_required%22%3C%2FSPAN%3E.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20tried%20many%20solution%20to%20get%20the%20token%20from%20the%20v2.0%20including%3A%3CBR%20%2F%3E-%20granting%20consent%20via%20App%20registration%20panel%2C%20in%20azure%20portal%3C%2FP%3E%3CP%3E-%20using%20the%20adminconsent%20endpoint%20to%20grant%20permission%3C%2FP%3E%3CP%3E-%20using%20the%20%22prompt%3Dconsent%22%20request%20parameter%20to%20explicitly%20ask%20the%20user%20(me)%20consent%20everytime%2C%20both%20ticking%20and%20leaving%20unticked%20the%20%22Consent%20on%20behalf%20of%20the%20organization%22%20option%3C%2FP%3E%3CP%3Eto%20no%20avail...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EEverytime%20the%20authentication%20flow%20seems%20to%20be%20completing%20correctly%20but%20it%20always%20replies%20I%20need%20to%20give%20consent%2C%20even%20when%20I%20just%20did.%3C%2FP%3E%3CP%3EBefore%20giving%20up%20I%20tried%20using%20the%20v1.0%20endpoint%2C%20and%20that's%20how%20I%20noticed%20this%20issue.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20actually%20didn't%20happen%20in%20a%20previous%20test%20I%20did%20using%20this%20method%3A%20in%20that%20test%20I%20was%20using%20an%20Azure%20subscription%20registered%20with%20a%20Microsoft%20Live%20account%2C%20and%20that%20didn't%20give%20any%20problem.%20Now%20that%20I%20switched%20to%20use%20the%20Azure%20subscription%20that%20pertains%20to%20the%20organization%20Azure%20AD%20(the%20one%20used%20to%20manage%20Office%20365%20accounts)%2C%20this%20problem%20happend.%20Even%20though%20I%20am%20global%20administrator%20in%20both%20situation.%3CBR%20%2F%3E%3CBR%20%2F%3EKnow%20I%20don't%20know%20if%20it's%20the%20v1.0%20endpoint%20that's%20operating%20properly%20or%20the%20other%20way%20around%2C%20either%20way%20I%20found%20this%20inconsistent%20behavior%20between%20the%20two%20version%20and%20though%20it%20was%20useful%20to%20point%20out.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20am%20available%20to%20give%20more%20details%2C%20or%20to%20discuss%20this%20further%20if%20it%20may%20help.%3CBR%20%2F%3EIf%20you%20feel%20there%20is%20a%20more%20suitable%20place%20to%20post%20this%20type%20of%20questions%2C%20please%20do%20point%20out.%3CBR%20%2F%3E%3CBR%20%2F%3EBest%20regards%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-832187%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-832447%22%20slang%3D%22en-US%22%3ERe%3A%20AADSTS65001%3A%20The%20user%20or%20administrator%20has%20not%20consented%20...%20when%20using%20v2.0%20endpoints%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-832447%22%20slang%3D%22en-US%22%3E%3CP%3EAs%20per%20the%20details%20that%20you%20have%20mentioned%2C%26nbsp%3B%3C%2FP%3E%3CP%3EGrant_type%20is%20the%20parameter%20used%20for%20V1.0%20Endpoints%2C%26nbsp%3B%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Fv1-protocols-oauth-code%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevelop%2Fv1-protocols-oauth-code%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EFor%20v2.0%2C%20add%20scope%20in%20the%20initial%20request%20of%20requesting%20code%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGET%20%3CA%20href%3D%22https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fv2.0%2Fauthorize%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fv2.0%2Fauthorize%3C%2FA%3E%3F%3CBR%20%2F%3Eclient_id%3D6731de76-14a6-49ae-97bc-6eba6914391e%3CBR%20%2F%3E%26amp%3Bresponse_type%3Dcode%3CBR%20%2F%3E%26amp%3Bredirect_uri%3Dhttp%253A%252F%252Flocalhost%252Fmyapp%252F%3CBR%20%2F%3E%26amp%3Bresponse_mode%3Dquery%3CBR%20%2F%3E%26amp%3Bscope%3D%3CBR%20%2F%3Ehttps%253A%252F%252Fgraph.microsoft.com%252Fcalendars.read%2520%3CBR%20%2F%3Ehttps%253A%252F%252Fgraph.microsoft.com%252Fmail.send%3CBR%20%2F%3E%26amp%3Bstate%3D12345%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ELet%20me%20know%2C%20if%20still%20it%20doesn't%20work.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20!!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-832727%22%20slang%3D%22en-US%22%3ERe%3A%20AADSTS65001%3A%20The%20user%20or%20administrator%20has%20not%20consented%20...%20when%20using%20v2.0%20endpoints%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-832727%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F145219%22%20target%3D%22_blank%22%3E%40Rishabh%20Srivastava%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EHi%20Rishabh%2C%3C%2FP%3E%3CP%3Ethank%20you%20very%20much%20for%20your%20quick%20reply%2C%20and%20for%20pointing%20me%20in%20the%20right%20direction.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETurns%20out%20it%20was%2C%20as%20expected%2C%20a%20mistake%20on%20my%20part%3A%20as%20I%20had%20all%20scopes%20set%20up%20correctly%20in%20the%201st%20request%2C%20but%20in%20the%202nd%2C%20the%20one%20that%20exchanges%20the%20code%20for%20the%20token%2C%20I%20was%20attempting%20to%20pass%20the%20scopes%20as%20comma%20separeted%20values%20instead%20of%20encoding%20them%20properly%20as%20URL%20encoded%20space%20separated%20values.%3CBR%20%2F%3EI%20speculate%20this%20let%20the%20auth%20server%20think%20I%20was%20requesting%20scopes%20that%20didn't%20actually%20exist%2C%20and%20therefore%2C%20for%20which%20no%20user%20or%20admin%20ever%20gave%20permission%20to%20use.%3CBR%20%2F%3EThis%20should%20also%20explain%20why%20the%20v1.0%20endpoint%20works%2C%20as%20the%20documentation%20says%20%22For%20v1%20Azure%20AD%20apps%2C%20scopes%20must%20be%20statically%20configured%20in%20the%20Azure%20Portal%20under%20the%20applications%20%3CSTRONG%3ESettings%3C%2FSTRONG%3E%2C%20%3CSTRONG%3ERequired%20Permissions%3C%2FSTRONG%3E.%22%20and%20this%20parameter%20was%20in%20fact%20being%20ignored.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%20everything%20seems%20to%20be%20working%20as%20expected.%3C%2FP%3E%3CP%3EThank%20you%20again%20for%20your%20time%20and%20interest%2C%20your%20contribution%20was%20of%20great%20help.%3CBR%20%2F%3E%3CBR%20%2F%3EBest%20regards%3C%2FP%3E%3C%2FLINGO-BODY%3E
yoioreloaded
New Contributor

Hi all,
  while developing an application that relies on Azure AD for authentication, I found out what seems to be an issue with v2.0 endpoints.

 

TL;DR: When requesting a Bearer Token using an authorization code v1.0 endpoints work fine, but v2.0 endpoints keep saying that "the user or administrator has not consented to use the application ID ..." even if the consent happened in the very same session.

 

In more details: in my application, an nw.js app leveraging the chrome.identity API, I call Azure AD oauth2 authorization and token endpoint directly via HTTP requests.

Initalliy I make a GET request an authorization code to the endpoint https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?response_type=code&... and the code is returned correctly.
After this first step I try to use this code to retrieve a Bearer token sending a POST request to the endpoint https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token with grant_type=code&... and all the needed parameters in the request body.
Here is where I can see that by using the v1.0 token endpoint I recieve back a valid Bearer Token, while pointing to the v2.0 token endpoint I always recieve the AADSTS65001, suberror: "consent_required".

I tried many solution to get the token from the v2.0 including:
- granting consent via App registration panel, in azure portal

- using the adminconsent endpoint to grant permission

- using the "prompt=consent" request parameter to explicitly ask the user (me) consent everytime, both ticking and leaving unticked the "Consent on behalf of the organization" option

to no avail...

 

Everytime the authentication flow seems to be completing correctly but it always replies I need to give consent, even when I just did.

Before giving up I tried using the v1.0 endpoint, and that's how I noticed this issue.

 

This actually didn't happen in a previous test I did using this method: in that test I was using an Azure subscription registered with a Microsoft Live account, and that didn't give any problem. Now that I switched to use the Azure subscription that pertains to the organization Azure AD (the one used to manage Office 365 accounts), this problem happend. Even though I am global administrator in both situation.

Know I don't know if it's the v1.0 endpoint that's operating properly or the other way around, either way I found this inconsistent behavior between the two version and though it was useful to point out.

I am available to give more details, or to discuss this further if it may help.
If you feel there is a more suitable place to post this type of questions, please do point out.

Best regards

 

2 Replies
Solution

As per the details that you have mentioned, 

Grant_type is the parameter used for V1.0 Endpoints, 
https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code


For v2.0, add scope in the initial request of requesting code, 

 

GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=
https%3A%2F%2Fgraph.microsoft.com%2Fcalendars.read%20
https%3A%2F%2Fgraph.microsoft.com%2Fmail.send
&state=12345

 

Let me know, if still it doesn't work.

 

Thanks !!

 

 

@Rishabh Srivastava

Hi Rishabh,

thank you very much for your quick reply, and for pointing me in the right direction.

 

Turns out it was, as expected, a mistake on my part: as I had all scopes set up correctly in the 1st request, but in the 2nd, the one that exchanges the code for the token, I was attempting to pass the scopes as comma separeted values instead of encoding them properly as URL encoded space separated values.
I speculate this let the auth server think I was requesting scopes that didn't actually exist, and therefore, for which no user or admin ever gave permission to use.
This should also explain why the v1.0 endpoint works, as the documentation says "For v1 Azure AD apps, scopes must be statically configured in the Azure Portal under the applications Settings, Required Permissions." and this parameter was in fact being ignored.

 

Now everything seems to be working as expected.

Thank you again for your time and interest, your contribution was of great help.

Best regards

Related Conversations
Stable version of Edge insider browser
HotCakeX in Discussions on
35 Replies
Tabs and Dark Mode
cjc2112 in Discussions on
30 Replies
flashing a white screen while open new tab
Deleted in Discussions on
14 Replies
How to Prevent Teams from Auto-Launch
chenrylee in Microsoft Teams on
29 Replies