Francois

Reputation: 10968

AAD B2C - User consent not asked

Context:

Authorize URL:

https://xxx.b2clogin.com/xxx.onmicrosoft.com/oauth2/v2.0/authorize
?p=B2C_1_signup_login
&client_id=xxx
&nonce=defaultNonce
&redirect_uri=xxx
&scope=offline_access%20openid%20profile%20email%20https%3A%2F%2Fxxx.onmicrosoft.com%2F6D6E9DF9-4546-47D8-8EDB-D65EC89A0E90%2Fproduct_scope_2
&response_type=code
&code_challenge=ThisIsntRandomButItNeedsToBe43CharactersLong
&code_challenge_method=plain

The user is redirected to the external IDP, logs in, and is not asked for consent. The callback URL is called with a code, which can be exchanged for an id_token. The audience (aud) is the client_id of the Client Application, not the API.

If I grant admin consent, the code can be exchanged for an access_token and an id_token, and the audience is OK (the API's client_id).

What must I configure so that users are asked to give consent for the Client Application and the scopes? I haven't been able to find any article about this: user consent AND an external identity provider.

Upvotes: 1

Views: 1191

Answers (1)

Jas Suri - MSFT

Reputation: 11315

You must do an Admin Consent in AAD B2C. It does not have an OAuth 2.0 consent prompt for users. Instead it's modelled with a terms of use. You never do an OAuth consent unless you share your data with a third party.

https://github.com/azure-ad-b2c/samples/blob/master/policies/terms-of-service

In Consent and permissions | User consent settings => Allow user consent for apps - All users can consent for any app to access the organization's data.

Irrelevant to AAD B2C apps.

If you still want some consent UX: https://github.com/azure-ad-b2c/samples/tree/master/policies/service-consent

Upvotes: 3
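Two checks worth running against the setup in the question, as an added example that is not part of the question or the answer. First, the posted authorize URL uses code_challenge_method=plain with a fixed, non-random challenge, so the PKCE step protects nothing; the snippet below generates a proper S256 pair and rebuilds the same authorize request with it, plus a per-request nonce and state instead of the fixed defaultNonce. Second, decoding the aud and scp claims of whatever the /token endpoint returns shows directly whether an access token for the API was issued, which is how you tell the "before admin consent" and "after admin consent" cases apart without guessing. The tenant name, client_id and redirect_uri are placeholders (the question redacts them), the two token responses are constructed to model the two cases described, and only the API app id and scope name are taken from the posted URL. jwt_claims decodes the payload without checking the signature and is for inspection only.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Placeholders standing in for the redacted "xxx" values in the question.
# API_APP_ID and the scope name are the ones visible in the posted URL.
TENANT = "xxx"
POLICY = "B2C_1_signup_login"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"   # assumed client app id
API_APP_ID = "6D6E9DF9-4546-47D8-8EDB-D65EC89A0E90"
API_SCOPE = f"https://{TENANT}.onmicrosoft.com/{API_APP_ID}/product_scope_2"
REDIRECT_URI = "https://localhost:5001/signin-oidc"  # assumed


def b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 and JWT require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_pkce_pair() -> tuple[str, str]:
    """(code_verifier, code_challenge) for code_challenge_method=S256.
    32 random bytes give a 43-char verifier (the RFC 7636 minimum); the
    challenge is its SHA-256, so the verifier never appears in the URL."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs when the code is redeemed."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest()) == challenge


def build_authorize_url(challenge: str, nonce: str, state: str) -> str:
    """Same parameters as the question's URL, but S256 and fresh nonce/state."""
    params = {
        "p": POLICY,
        "client_id": CLIENT_ID,
        "nonce": nonce,
        "state": state,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(["offline_access", "openid", "profile", "email", API_SCOPE]),
        "response_type": "code",
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    base = f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/oauth2/v2.0/authorize"
    return f"{base}?{urlencode(params)}"


def jwt_claims(token: str) -> dict:
    """Decode the payload only. No signature check: inspection, never authorization."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_response(resp: dict) -> dict:
    """Report what the /token response contains and which app each token is for."""
    out = {
        "id_token_for_client": False,
        "access_token_present": False,
        "access_token_for_api": False,
        "api_scope_granted": False,
    }
    if "id_token" in resp:
        out["id_token_for_client"] = jwt_claims(resp["id_token"]).get("aud") == CLIENT_ID
    if "access_token" in resp:
        out["access_token_present"] = True
        claims = jwt_claims(resp["access_token"])
        out["access_token_for_api"] = claims.get("aud") == API_APP_ID
        out["api_scope_granted"] = "product_scope_2" in claims.get("scp", "").split()
    return out


def fake_jwt(claims: dict) -> str:
    """Constructed, unsigned token for the offline demo (dummy signature part)."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.x"


# Constructed token responses modelling the two cases described in the question.
BEFORE_ADMIN_CONSENT = {
    "id_token": fake_jwt({"aud": CLIENT_ID, "sub": "user-1"}),
    "token_type": "Bearer",
}
AFTER_ADMIN_CONSENT = {
    "id_token": fake_jwt({"aud": CLIENT_ID, "sub": "user-1"}),
    "access_token": fake_jwt({"aud": API_APP_ID, "scp": "product_scope_2", "sub": "user-1"}),
    "token_type": "Bearer",
}

if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url(challenge, secrets.token_urlsafe(16), secrets.token_urlsafe(16)))
    print("before admin consent:", check_token_response(BEFORE_ADMIN_CONSENT))
    print("after admin consent: ", check_token_response(AFTER_ADMIN_CONSENT))
```

Keep the verifier server-side (session or cookie) and send it as code_verifier on the /token call; verify_pkce is the same comparison B2C makes there. Once admin consent has been granted, the access token's aud becomes the API app id and scp carries product_scope_2, matching what the question reports for the consented case.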
