Reputation: 121
I'm trying to generate access and refresh tokens to be able to sign in to Azure Data Lake Storage Gen2 using an external application which allows OAuth.
What was done:
1. Created a Storage account using https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-quickstart-create-account
2. Created an Azure AD application using https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
3. Granted admin consent to the application from the 2nd step - https://i.sstatic.net/8LtSb.png
4. Also granted admin consent to the enterprise app with the same name as the app from step 2 - https://i.sstatic.net/u8LkW.png
Steps 3 and 4 were done as described here - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent#grant-admin-consent-when-registering-an-app-in-the-azure-portal
Then I generated an authorization code:
https://login.microsoftonline.com/<TENANT ID>/oauth2/v2.0/authorize?client_id=<CLIENT ID>&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query&scope=offline_access%20user.read%20mail.read&state=12345
After that I tried to get the token:
```
curl -X POST https://login.microsoftonline.com/<TENANT ID>/oauth2/token \
-F redirect_uri=https://localhost/myapp/ \
-F grant_type=authorization_code \
-F resource=https://management.core.windows.net/ \
-F client_id=<CLIENT ID> \
-F client_secret=<CLIENT SECRET> \
-F code=OAQABAAIAAAAP0wLlqdLVToOpA4kwzSnxLhHJrARX8557... (Authorization code)
```
As a result I received the error below:
```
"error":"invalid_grant","error_description":"AADSTS65001:
The user or administrator has not consented to use the application with ID
'<CLIENT ID>' named '<APP NAME>'. Send an interactive authorization request
for this user and resource.\r\nTrace ID: <TRACE ID>\r\nCorrelation ID:
<CORRELATION ID>\r\nTimestamp: 2019-09-03 13:31:50Z","error_codes":[65001],
"timestamp":"2019-09-03 13:31:50Z","trace_id":"<TRACE ID>",
"correlation_id":"<CORRELATION ID>","suberror":"consent_required"
```
Upvotes: 0
Views: 1356
Reputation: 15609
You got the authorization code by using V2.0 endpoint, but you used v1.0 when you got the token. And the value of resource is not correct.
Try with the below.
Get the authorization code:
https://login.microsoftonline.com/<TENANT ID>/oauth2/authorize?client_id=<CLIENT ID>&response_type=code&redirect_uri=https%3A%2F%2Flocalhost%2Fmyapp%2F&response_mode=query&resource=https://datalake.azure.net/&state=12345
Get the token:
```
curl -X POST https://login.microsoftonline.com/<TENANT ID>/oauth2/token \
-F redirect_uri=https://localhost/myapp/ \
-F grant_type=authorization_code \
-F resource=https://datalake.azure.net \
-F client_id=<CLIENT ID> \
-F client_secret=<CLIENT SECRET> \
-F code=OAQABAAIAAAAP0wLlqdLVToOpA4kwzSnxLhHJrARX8557... (Authorization code)
```
Upvotes: 2
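The answer's point is that the authorize and token requests must use the same endpoint version and name the same `resource`. The following is an added example, not code from the question or the answer: it builds the v1.0 requests the answer recommends for ADLS Gen2 and checks a flow for the two defects the answer identifies (endpoint-version mismatch and a token `resource` that was never authorized). Tenant ID, client ID, secret and code are placeholders; `LOGIN`, `REDIRECT_URI` and the helper names are this example's own.

```python
from urllib.parse import urlencode, urlparse, parse_qs

LOGIN = "https://login.microsoftonline.com"
ADLS_RESOURCE = "https://datalake.azure.net/"   # resource named in the answer
REDIRECT_URI = "https://localhost/myapp/"       # redirect URI from the question


def authorize_url(tenant, client_id, state, resource=ADLS_RESOURCE):
    """v1.0 authorize request: the API is named with 'resource', not 'scope'."""
    q = {"client_id": client_id, "response_type": "code",
         "redirect_uri": REDIRECT_URI, "response_mode": "query",
         "resource": resource, "state": state}
    return f"{LOGIN}/{tenant}/oauth2/authorize?{urlencode(q)}"


def token_request(tenant, client_id, client_secret, code, resource=ADLS_RESOURCE):
    """v1.0 token request; returns (url, form body) for the POST."""
    body = {"grant_type": "authorization_code", "redirect_uri": REDIRECT_URI,
            "resource": resource, "client_id": client_id,
            "client_secret": client_secret, "code": code}
    return f"{LOGIN}/{tenant}/oauth2/token", body


def endpoint_version(url):
    """'/oauth2/v2.0/...' is the v2.0 endpoint; plain '/oauth2/...' is v1.0."""
    return "v2.0" if "/oauth2/v2.0/" in urlparse(url).path else "v1.0"


def check_flow(auth_url, token_url, token_body):
    """Return the problems found; an empty list means the two requests agree."""
    problems = []
    av, tv = endpoint_version(auth_url), endpoint_version(token_url)
    if av != tv:
        problems.append(f"authorize uses {av} but token request uses {tv}")
    if tv == "v1.0":
        authorized = parse_qs(urlparse(auth_url).query).get("resource", [None])[0]
        requested = token_body.get("resource")
        if authorized is None:
            problems.append("no 'resource' was authorized, but the v1.0 token request needs one")
        # trailing slash is ignored only for this comparison (the answer uses both forms)
        elif requested is None or requested.rstrip("/") != authorized.rstrip("/"):
            problems.append(f"token resource {requested!r} was not authorized ({authorized!r})")
    return problems
```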