Closed TimSin closed 5 years ago
@TimSin Could you please provide some version information about your sample, like the Spring Boot version and AAD starter version? Thanks in advance!
@TimSin Or you can double-check that the login user name is contained in your tenant.
@Incarnation-p-lee Spring is version 2.0.6, Azure AD starter is 2.0.7. The user name definitely exists in the tenant that I am trying to log in from.
@TimSin Can you reproduce that from Chrome incognito mode?
@Incarnation-p-lee Yes, the error occurs in private/incognito mode in Chrome and Firefox.
Looks like this was down to the tenant ID value being incorrect. Evidently this needs to be set to 'common' for multi tenant apps. Altering this has corrected the issue. For example:
```yaml
azure:
  activedirectory:
    tenant-id: common
```
Could this be added to the documentation on the intro page?
@TimSin Thanks for your information. These tips are in our sample README; you can find the information in the FAQ section here: https://github.com/Microsoft/azure-spring-boot/tree/master/azure-spring-boot-samples/azure-active-directory-spring-boot-backend-sample
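Setting `tenant-id: common` as described above changes which accounts Azure AD will sign in: a tenant GUID restricts sign-in to that one tenant, while `common` lets Azure AD issue tokens for accounts from any tenant, so the application itself has to decide which tenants it trusts. The plain-Java example below (added here, not code from the azure-spring-boot project or this thread) builds the authority for a configured `tenant-id` and checks the `iss` and `tid` claims of an already signature-validated ID token against an allow-list of tenants. The claims map and tenant GUIDs are constructed sample values, and the `authorityFor`/`tenantAccepted` method names are the example's own.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TenantPolicy {

    // Authority the application signs in against. A tenant GUID limits sign-in to that
    // tenant; "common" accepts accounts from any Azure AD tenant.
    static String authorityFor(String tenantId) {
        if (tenantId == null || tenantId.isBlank()) {
            throw new IllegalArgumentException("tenant-id must be a tenant GUID or 'common'");
        }
        return "https://login.microsoftonline.com/" + tenantId + "/";
    }

    // Tenant GUID embedded in an Azure AD issuer: https://sts.windows.net/{tid}/ for v1
    // tokens, https://login.microsoftonline.com/{tid}/v2.0 for v2 tokens.
    private static final Pattern ISSUER_TENANT = Pattern.compile(
        "^https://(?:sts\\.windows\\.net|login\\.microsoftonline\\.com)/([0-9a-fA-F-]{36})/(?:v2\\.0)?$");

    // With tenant-id "common" Azure AD no longer filters sign-ins by tenant, so the app
    // must: the issuer has to name a tenant, that tenant has to match the tid claim, and
    // the tenant has to be one the application has chosen to accept.
    static boolean tenantAccepted(Map<String, String> claims, Set<String> allowedTenants) {
        String iss = claims.get("iss");
        String tid = claims.get("tid");
        if (iss == null || tid == null) {
            return false;
        }
        Matcher m = ISSUER_TENANT.matcher(iss);
        if (!m.matches()) {
            return false;
        }
        String issuerTenant = m.group(1);
        return issuerTenant.equalsIgnoreCase(tid) && allowedTenants.contains(tid.toLowerCase());
    }

    public static void main(String[] args) {
        // Constructed sample claims; these are not real tenants or tokens.
        Set<String> allowed = Set.of("11111111-1111-1111-1111-111111111111");
        Map<String, String> fromAllowedTenant = Map.of(
            "iss", "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
            "tid", "11111111-1111-1111-1111-111111111111");
        Map<String, String> fromOtherTenant = Map.of(
            "iss", "https://sts.windows.net/22222222-2222-2222-2222-222222222222/",
            "tid", "22222222-2222-2222-2222-222222222222");
        Map<String, String> mismatched = Map.of(
            "iss", "https://sts.windows.net/11111111-1111-1111-1111-111111111111/",
            "tid", "22222222-2222-2222-2222-222222222222");

        System.out.println(authorityFor("common"));
        System.out.println(tenantAccepted(fromAllowedTenant, allowed));
        System.out.println(tenantAccepted(fromOtherTenant, allowed));
        System.out.println(tenantAccepted(mismatched, allowed));
    }
}
```

The check assumes the token's signature and expiry were already verified by the OIDC library; it only adds the tenant decision that `common` delegates to the application. If every tenant should be accepted, the allow-list check can be dropped, but the issuer/`tid` agreement check is still worth keeping.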
Environment
Spring boot starter:
OS Type: MacOS
Java version:
Summary
Accessing an application from another tenant results in an 'AADSTS65001: The user or administrator has not consented to use the application with ID' error, even though the service principal has been granted access from the Azure portal.
Reproduce steps
1) Create a bare-bones Spring Boot AAD app.
2) Register this in AAD, following the steps outlined at https://docs.microsoft.com/en-us/java/azure/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory?view=azure-java-stable
3) Verify a successful login in the original tenant.
4) Add the application to another tenant, and grant admin access to the service principal via the Azure console.
5) Observe the error 'AADSTS65001: The user or administrator has not consented to use the application with ID' when trying to log in with a user from a tenant other than the one the application is registered in.
Expected Results
I expect to be able to log in with a user from a different tenant.