Azure-Samples / ms-identity-javascript-angular-tutorial

A chapterwise tutorial that will take you through the fundamentals of modern authentication with Microsoft identity platform in Angular using MSAL Angular v2
MIT License

Question - multiple consents needed #6

Closed jeromechrist closed 3 years ago

jeromechrist commented 3 years ago

Issue

Please provide us with the following information:

This issue is for the sample

    - [ ] 1-1) Sign-in with Azure AD
    - [ ] 1-2) Sign-in with Azure AD B2C
    - [ ] 2-1) Acquire a Token and call Microsoft Graph
    - [x] 3-1) Protect and call a web API on Azure AD
    - [ ] 3-2) Protect and call a web API on Azure AD B2C
    - [ ]   4) Deploy to Azure Storage and App Service
    - [ ] 5-1) Call a web API using App Roles
    - [ ] 5-2) Call a web API using Security Groups
    - [ ] 6-1) Call a multi-tenant web API
    - [ ] 7-1) Call Microsoft Graph using on-behalf-of flow
    - [ ] 7-2) Call a web API using Proof of Possession tokens

This issue is for a

    - [ ] bug report -> please search issues before submitting
    - [x] question
    - [ ] feature request
    - [ ] documentation issue or request

Minimal steps to reproduce

Follow the documentation for the scenario.

Hello,

I went through the scenario 3-1 and I was wondering why do I have to consent 2 times?

I had one popup after the Login

(screenshot: 010-consent)

And one when I first clicked the TodoList button

(screenshot: 012-todolist)

I was expecting to get only one consent.

derisen commented 3 years ago

@jeromechrist this is expected. What happens here is called dynamic consent, i.e. the app presents you with a consent screen only when the permission is actually needed. The first permission screen is for scopes that are requested during sign-in: openid, profile and offline_access (these are default OIDC scopes). The second screen is for the scope required for calling your web API (access_as_user in the sample). You get this screen later in the app when you are actually trying to call the web API.

jeromechrist commented 3 years ago

Ah ok, I get it.

All of this scope check dance is made by the MSAL library only on the client side? Or with the combination of Identity.Web in the API?

derisen commented 3 years ago

@jeromechrist that's right, this is carried out by MSAL Angular on the client side. Basically the user consents to the client app to access the web API on her behalf. The web API has no user interaction capability here, but if it was a user-facing app, Identity.Web would have handled it (Identity.Web is a wrapper around MSAL .NET).
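
The two answers above describe dynamic consent driven entirely on the client. The snippet below is an added illustration, not code from the tutorial or from MSAL itself: it models how MSAL Angular's interceptor maps an outgoing request URL to the scopes it must hold before attaching a token, which is why the `access_as_user` consent only appears when the TodoList call is first made. The resource URL, the App ID URI placeholder and the simplified first-prefix matching are assumptions (real MSAL Angular v2 also supports wildcards in `protectedResourceMap`).

```typescript
// Added example (not the sample's own code). Models the client-side scope
// selection that produces the two separate consent screens in scenario 3-1.

// Scopes requested at sign-in: default OIDC scopes -> first consent screen.
export const loginScopes: string[] = ["openid", "profile", "offline_access"];

// Constructed placeholder: replace with the App ID URI of your own web API.
export const API_SCOPE = "api://<your-api-client-id>/access_as_user";

// Ordered (URL prefix -> scopes) list standing in for MSAL's protectedResourceMap.
// `null` means "call this URL without a token". Order matters: first match wins.
export const protectedResourceMap: [string, string[] | null][] = [
  ["https://localhost:44351/api/todolist", [API_SCOPE]], // constructed API URL
  ["https://graph.microsoft.com/v1.0/me", ["User.Read"]],
];

// Scopes the interceptor would require before calling `url`, or null when the
// URL is not a protected resource (no Authorization header is attached).
export function scopesFor(
  url: string,
  map: [string, string[] | null][] = protectedResourceMap
): string[] | null {
  for (const [resource, scopes] of map) {
    if (url.startsWith(resource)) return scopes;
  }
  return null;
}

// True when calling `url` needs a scope the user has not yet consented to,
// i.e. MSAL would fall back to interactive acquisition (the second popup).
export function needsNewConsent(url: string, granted: Set<string>): boolean {
  const scopes = scopesFor(url);
  return scopes !== null && scopes.some((s) => !granted.has(s));
}

// Defender check: entries that would hand an access token to a cleartext
// endpoint. Returns the offending prefixes so a config review can flag them.
export function insecureEntries(
  map: [string, string[] | null][] = protectedResourceMap
): string[] {
  return map
    .filter(([resource, scopes]) => scopes !== null && resource.startsWith("http://"))
    .map(([resource]) => resource);
}
```

After sign-in the user holds only `loginScopes`, so the first TodoList request reports a missing `access_as_user` grant; once that consent is recorded, subsequent calls are silent.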

jeromechrist commented 3 years ago

Thank you :)

Great samples by the way, I really like that you covered a lot of useful scenarios.