Reputation: 101
Context: I'm building a web app that intends to provide insights and analysis on users' SharePoint and OneDrive data. Users should be able to come to my web app, connect their SharePoint and OneDrive data by going through an OAuth flow and agreeing to the 'read' scopes we want on their workspace data, and then we should be able to generate an access and refresh token on their behalf for use in our app according to the scopes they agreed to. For example, we want to be able to search over a user's SharePoint data given some input query.
Problem: I continue to face this error trying to generate an access token:
400 Bad Request: "{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'fa30181d-73e3-4ac8-bc74-cdb9323c19f6' named 'appTesting'. Send an interactive authorization request for this user and resource. Trace ID: 24846f12-6d9e-4a04-b3bf-abb970710e00 Correlation ID: c0886b13-403b-4843-8fbe-34525d564452 Timestamp: 2024-04-30 02:15:00Z","error_codes":[65001],"timestamp":"2024-04-30 02:15:00Z","trace_id":"24846f12-6d9e-4a04-b3bf-abb970710e00","correlation_id":"c0886b13-403b-4843-8fbe-34525d564452","suberror":"consent_required"}"
It seems to me like I'm following the guide precisely, and there's some issue in my Azure UI configuration somewhere that I don't know about and that isn't included in the guide. Any advice for resolving this issue would be much appreciated!
TL;DR and main question: what is this error caused by when trying to generate an access token?
400 Bad Request: "{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'fa30181d-73e3-4ac8-bc74-cdb9323c19f6' named 'appTesting'. Send an interactive authorization request for this user and resource. Trace ID: 24846f12-6d9e-4a04-b3bf-abb970710e00 Correlation ID: c0886b13-403b-4843-8fbe-34525d564452 Timestamp: 2024-04-30 02:15:00Z","error_codes":[65001],"timestamp":"2024-04-30 02:15:00Z","trace_id":"24846f12-6d9e-4a04-b3bf-abb970710e00","correlation_id":"c0886b13-403b-4843-8fbe-34525d564452","suberror":"consent_required"}"
As described in problem detail.
Upvotes: 0
Views: 306
Reputation: 16109
The error "AADSTS65001: The user or administrator has not consented to use the application with ID 'xxx' named 'xxx'. Send an interactive authorization request for this user and resource" usually occurs if the application has not been granted the required API permissions and admin consent for those permissions.
Hence, if you want to access the user's SharePoint and OneDrive, check the below:
Create a Microsoft Entra ID application and grant the Files.Read.All delegated API permission:
To authorize the user, make use of the below endpoint:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=https://jwt.ms
&response_mode=query
&scope=offline_access User.Read Files.Read.All
&state=12345
Generate the access token by using the below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
grant_type:authorization_code
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret
scope:offline_access User.Read Files.Read.All
For example, by using the above access token, I am able to access the OneDrive and SharePoint site:
https://graph.microsoft.com/v1.0/sites/SiteID/drives/DriveID
https://graph.microsoft.com/v1.0/drives/DriveID/root
If the issue still persists, check the below:
The Files.Read API permission allows the application to access the signed-in user's information only, hence try granting the Files.Read.All delegated API permission. Grant the Sites.Read.All delegated API permission too if you still face the error.
Upvotes: 0
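The two-step flow the answer lays out (authorize endpoint, then token endpoint with the returned code), written out as an added example; this is not code from the question or the answer. It builds the authorize URL with the same scopes the answer uses, validates the `state` on the callback, builds the token request, and classifies the token endpoint's error body so that an `AADSTS65001` / `consent_required` reply (the asker's exact body is embedded below as the sample input) sends the user back through an interactive authorization with `prompt=consent` instead of retrying the same request. It goes slightly beyond the answer by adding PKCE (`code_challenge` / `code_verifier`, S256), which the v2.0 endpoint supports alongside a client secret. `TENANT_ID`, `CLIENT_ID` and `REDIRECT_URI` are placeholders for the app registration's own values; the answer's `https://jwt.ms` redirect is a debugging aid, and a real app registers its own callback URL.

```python
"""
Added example (not from the question or the answer): the Microsoft identity
platform v2.0 authorization-code flow the answer describes, plus handling of
the AADSTS65001 / consent_required token error. Standard library only.
TENANT_ID, CLIENT_ID and REDIRECT_URI are placeholders (assumed values).
"""
import base64
import hashlib
import json
import secrets
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

TENANT_ID = "TENANT_ID_PLACEHOLDER"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://localhost:8443/callback"   # placeholder; must match the app registration
SCOPES = ["offline_access", "User.Read", "Files.Read.All"]  # offline_access yields a refresh token
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"

# Token endpoint error body copied from the question (app id and trace ids are the asker's).
SAMPLE_ERROR = ('{"error":"invalid_grant","error_description":"AADSTS65001: The user or '
                "administrator has not consented to use the application with ID "
                "'fa30181d-73e3-4ac8-bc74-cdb9323c19f6' named 'appTesting'. Send an "
                'interactive authorization request for this user and resource. Trace ID: '
                "24846f12-6d9e-4a04-b3bf-abb970710e00 Correlation ID: "
                'c0886b13-403b-4843-8fbe-34525d564452 Timestamp: 2024-04-30 02:15:00Z",'
                '"error_codes":[65001],"timestamp":"2024-04-30 02:15:00Z",'
                '"trace_id":"24846f12-6d9e-4a04-b3bf-abb970710e00",'
                '"correlation_id":"c0886b13-403b-4843-8fbe-34525d564452",'
                '"suberror":"consent_required"}')


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for PKCE with the S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def authorize_params(state, code_challenge, force_consent=False):
    """Query parameters for /oauth2/v2.0/authorize (the answer's first step).
    prompt=consent forces the consent screen, which is what AADSTS65001 asks for."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "response_mode": "query",
        "scope": " ".join(SCOPES),
        "state": state,                      # random per login; checked on the callback
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if force_consent:
        params["prompt"] = "consent"
    return params


def build_authorize_url(state, code_challenge, force_consent=False):
    return f"{AUTHORITY}/oauth2/v2.0/authorize?" + urlencode(
        authorize_params(state, code_challenge, force_consent))


def parse_redirect(redirect_url, expected_state):
    """Extract the authorization code from the callback, rejecting a wrong state."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: rejecting the callback")
    if "error" in q:
        raise ValueError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    return q["code"][0]


def token_request(code, code_verifier, client_secret):
    """URL and form body for /oauth2/v2.0/token (the answer's second step)."""
    body = {
        "client_id": CLIENT_ID,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,        # must equal the one used in the authorize step
        "client_secret": client_secret,
        "scope": " ".join(SCOPES),
        "code_verifier": code_verifier,
    }
    return f"{AUTHORITY}/oauth2/v2.0/token", body


def classify_token_error(body_text):
    """Map a token endpoint error body to the action the app should take."""
    try:
        err = json.loads(body_text)
    except ValueError:
        return "other"
    if err.get("suberror") == "consent_required" or 65001 in err.get("error_codes", []):
        return "consent_required"   # restart with build_authorize_url(..., force_consent=True)
    if err.get("error") == "invalid_grant":
        return "reauthorize"        # e.g. an expired or already-redeemed code
    return "other"


def exchange_code(code, code_verifier, client_secret):
    """POST the code to the token endpoint (network call; not used by the tests)."""
    url, body = token_request(code, code_verifier, client_secret)
    req = Request(url, data=urlencode(body).encode("ascii"),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urlopen(req) as resp:
            return json.load(resp)
    except HTTPError as exc:
        text = exc.read().decode("utf-8", "replace")
        raise RuntimeError(f"token request failed [{classify_token_error(text)}]: {text}") from exc


if __name__ == "__main__":
    login_state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url(login_state, challenge))
    print("sample error ->", classify_token_error(SAMPLE_ERROR))
```

The practical point for the asker's situation: a `consent_required` body from the token endpoint cannot be fixed by resending the token request; the user (or an admin, for permissions that need admin consent) has to go through the authorize endpoint again, which is what the `force_consent=True` branch produces.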