abcd

Reputation: 51

AADSTS65001 in Blazor WASM PWA with Azure AD MSAL authentication

I've been trying to fix this issue for multiple days now, without any success. I have a Blazor WebAssembly app, with an app registration in my Azure AD. I am able to log in and get the user info and stuff, but when I try to access an API (ASP.NET Core, also has an app registration in Azure AD) I get an HTTP status code 400 from https://login.microsoftonline.com/{Tenant-ID}/oauth2/v2.0/token, when the Blazor app tries to get the authentication token for the API. The error description says

"AADSTS65001: The user or administrator has not consented to use the application with ID [...]"

I did grant admin consent to both app registrations in the Azure Portal. I went through the steps described in the Microsoft documentation multiple times, trying to find anything that might cause this. When I tried googling the error code, all I was able to find were instructions like giving admin consent and stuff, which I already did.

Both the API and the Blazor app use .NET 6.

I'm new to MSAL authentication and AzureAD App Registrations and only used them once a few months ago, where I didn't have any issues like that.

Currently my last hope is that someone has had this issue before and can tell me a solution or that someone can point me in any direction that might help me.

Upvotes: 0

Views: 578

Answers (1)

kavya Saraboju

Reputation: 10831

Please check if you have exposed the API, added a scope with API permissions, and granted consent in the portal. After that, please make sure the scopes present in the app registration portal are given in the application configuration in scope.

To get the token from the v2.0 endpoint, try:

  • Granting consent through the app registration as said above.
  • Using the adminconsent endpoint to grant permission.
  • Checking if the authorization request has the appId configured correctly (the appId of the app, not the appId of the API).

Note that grant_type is the parameter used for v1.0 endpoints. For the v2.0 endpoint, we need to add the scope, URL-encoded, in the initial request for the authorization code (example: to call the Graph API):

https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=
https%3A%2F%2Fgraph.microsoft.com%2Fcalendars.read%20
https%3A%2F%2Fgraph.microsoft.com%2Fmail.send
&state=12345

Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft identity platform | Microsoft Docs

Upvotes: 1
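As an added illustration of the answer's point (not code from the answerer or from the question), this is a hypothetical Blazor WebAssembly Program.cs that wires the MSAL client to request the scope exposed by the API registration. The client id in the "AzureAd" configuration section is the Blazor app's own registration; the API's registration id appears only inside the scope URI, and the API app id, scope name and API URL are placeholders.

```csharp
// Program.cs of the Blazor WebAssembly client (hypothetical, added example).
// Assumes the packages Microsoft.Authentication.WebAssembly.Msal and
// Microsoft.AspNetCore.Components.WebAssembly.Authentication are referenced,
// that the root component App lives in the (assumed) namespace BlazorClient,
// and that wwwroot/appsettings.json has an "AzureAd" section holding the
// Authority and the ClientId of the Blazor app registration (not the API's).
using System;
using System.Net.Http;
using BlazorClient;
using Microsoft.AspNetCore.Components.Web;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
using Microsoft.Extensions.DependencyInjection;

var builder = WebAssemblyHostBuilder.CreateDefault(args);
builder.RootComponents.Add<App>("#app");
builder.RootComponents.Add<HeadOutlet>("head::after");

// Placeholders: replace with the values from your own tenant and registrations.
const string ApiAppId = "<API-app-registration-client-id>"; // API registration, used only in the scope URI
const string ApiScope = "access_as_user";                  // scope name defined under "Expose an API"

// The requested scope must be exactly the one the API registration exposes and
// the one the Blazor app registration has been granted (API permissions plus
// consent). Requesting a scope the client app has not been consented for is
// what the token endpoint reports as AADSTS65001.
string apiScopeUri = $"api://{ApiAppId}/{ApiScope}";

builder.Services.AddMsalAuthentication(options =>
{
    // Binds Authority, ClientId (of the Blazor app) and ValidateAuthority.
    builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);

    // Request the API scope at sign-in, so the consent already granted in the
    // portal covers it before the first access-token request for the API.
    options.ProviderOptions.DefaultAccessTokenScopes.Add(apiScopeUri);
});

// Named HttpClient for the API; the handler attaches the access token obtained
// for DefaultAccessTokenScopes to requests sent to this base address.
builder.Services.AddHttpClient("ServerAPI",
        client => client.BaseAddress = new Uri("https://localhost:7001/")) // placeholder API URL
    .AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();

builder.Services.AddScoped(sp =>
    sp.GetRequiredService<IHttpClientFactory>().CreateClient("ServerAPI"));

await builder.Build().RunAsync();
```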
