microsoft / azure-spring-boot

Spring Boot Starters for Azure services
MIT License

AADSTS65001 Error in multi-tenant app registration #483

Closed TimSin closed 5 years ago

TimSin commented 5 years ago

Environment

Summary

Accessing an application from another tenant results in an 'AADSTS65001: The user or administrator has not consented to use the application with ID' error, even though the service principal has been granted access from the Azure portal.

Reproduce steps

1) Create a bare-bones Spring Boot AAD app.
2) Register this in AAD, following the steps outlined at https://docs.microsoft.com/en-us/java/azure/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory?view=azure-java-stable
3) Verify a successful login in the original tenant.
4) Add the application to another tenant, and grant admin access to the service principal via the Azure console.
5) Observe the error 'AADSTS65001: The user or administrator has not consented to use the application with ID' when trying to log in with a user from a tenant other than the one the application is registered in.

Expected Results

I expect to be able to log in with a user from a different tenant.

Incarnation-p-lee commented 5 years ago

@TimSin Could you please provide some version information about your sample, like the Spring Boot version and AAD starter version? Thanks in advance!

Incarnation-p-lee commented 5 years ago

@TimSin Or you can double-check that the login user name is contained in your tenant.

TimSin commented 5 years ago

@Incarnation-p-lee Spring Boot is version 2.0.6, the Azure AD starter is 2.0.7. The user name definitely exists in the tenant that I am trying to log in from.

Incarnation-p-lee commented 5 years ago

@TimSin Can you reproduce that from chrome incognito mode ?

TimSin commented 5 years ago

@Incarnation-p-lee Yes, the error occurs in private/incognito mode in Chrome and Firefox.

TimSin commented 5 years ago

Looks like this was down to the tenant ID value being incorrect. Evidently this needs to be set to 'common' for multi-tenant apps. Altering this has corrected the issue. For example:

```yaml
azure:
  activedirectory:
    tenant-id: common
```

Could this be added to the documentation on the intro page?

Incarnation-p-lee commented 5 years ago

@TimSin Thanks for your information. These tips are in our sample README; you can find the information in the FAQ section here: https://github.com/Microsoft/azure-spring-boot/tree/master/azure-spring-boot-samples/azure-active-directory-spring-boot-backend-sample
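A caveat a practitioner will want alongside the `tenant-id: common` fix above: `common` tells the starter to accept sign-ins from any Azure AD tenant, and with the common endpoint the `iss` claim in each token is still per tenant (`https://sts.windows.net/{tid}/` for v1 tokens, `https://login.microsoftonline.com/{tid}/v2.0` for v2), so a single fixed issuer string can no longer be compared against. An application that should only serve a known set of tenants therefore has to check the `tid` claim itself, and tie the issuer to that `tid`, after the library has verified the signature. The following is an added illustration of that check, not code from the azure-spring-boot project or from this thread; the tenant IDs, client ID and tokens are constructed placeholders, the tokens carry no real signature, and signature verification against the tenant's signing keys is assumed to have already happened before these checks run.

```python
import base64
import json

# Azure AD issuer formats. With tenant-id "common" the issuer in each token is
# still per tenant, so validation has to be derived from the token's own tid.
V1_ISSUER = "https://sts.windows.net/{tid}/"
V2_ISSUER = "https://login.microsoftonline.com/{tid}/v2.0"

# Constructed placeholder identifiers for this example (not real tenants or apps).
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
PARTNER_TENANT = "22222222-2222-2222-2222-222222222222"
FOREIGN_TENANT = "33333333-3333-3333-3333-333333333333"
APP_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
ALLOWED_TENANTS = frozenset({HOME_TENANT, PARTNER_TENANT})


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(claims: dict) -> str:
    """Build a compact JWS with a placeholder signature, for this example only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS.

    This does NOT verify the signature; the assumption is that the OAuth/OIDC
    library has already done so against the tenant's JWKS before this runs.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_tenant(claims: dict, allowed_tenants=ALLOWED_TENANTS,
                 client_id: str = APP_CLIENT_ID):
    """Decide whether an already signature-verified token may sign a user in.

    Returns (ok, reason). Rejects tokens from tenants outside the allow list,
    tokens whose issuer does not belong to the tenant named in `tid` (a token
    from tenant X claiming tid Y), and tokens issued for another application.
    """
    tid = claims.get("tid")
    if not tid:
        return False, "missing tid claim"
    if tid not in allowed_tenants:
        return False, f"tenant {tid} is not allowed"
    iss = claims.get("iss")
    if iss not in (V1_ISSUER.format(tid=tid), V2_ISSUER.format(tid=tid)):
        return False, f"issuer {iss} does not belong to tenant {tid}"
    if claims.get("aud") != client_id:
        return False, "token was not issued for this application"
    return True, "ok"


def authorize(token: str):
    """Convenience wrapper: claims extraction plus the tenant checks."""
    return check_tenant(jwt_claims(token))


if __name__ == "__main__":
    samples = {
        "home tenant, v2 issuer": {"tid": HOME_TENANT, "iss": V2_ISSUER.format(tid=HOME_TENANT), "aud": APP_CLIENT_ID},
        "partner tenant, v1 issuer": {"tid": PARTNER_TENANT, "iss": V1_ISSUER.format(tid=PARTNER_TENANT), "aud": APP_CLIENT_ID},
        "foreign tenant": {"tid": FOREIGN_TENANT, "iss": V2_ISSUER.format(tid=FOREIGN_TENANT), "aud": APP_CLIENT_ID},
        "allowed tid but foreign issuer": {"tid": HOME_TENANT, "iss": V2_ISSUER.format(tid=FOREIGN_TENANT), "aud": APP_CLIENT_ID},
    }
    for name, claims in samples.items():
        print(f"{name}: {authorize(make_demo_token(claims))}")
```

The same logic belongs wherever the application inspects the authenticated principal's claims; the point is that `tenant-id: common` moves the tenant decision from the starter's configuration into the application, and leaving it out means any Azure AD user from any tenant who consents to the app can sign in.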