Sp-dev-docs: AADSTS65001: The user or administrator has not consented to use the application with ID 'c628c6f3-59aa-444d-93f0-e36d72996461' named 'SharePoint Online Client Extensibility Web Application Principal'. Send an interactive authorization request for this user and resource.

Created on 12 Dec 2018 · 12 Comments · Source: SharePoint/sp-dev-docs

I am attempting to get an access token in my SPFx web part. Can you offer any insight on what I'm missing from this document?

I am hitting this error.

Uncaught (in promise) Error: AADSTS65001: The user or administrator has not consented to use the application with ID 'c628c6f3-59aa-444d-93f0-e36d72996461' named 'SharePoint Online Client Extensibility Web Application Principal'. Send an interactive authorization request for this user and resource.


```typescript
import { AadTokenProvider } from '@microsoft/sp-http';

// Inside the web part class:
this.context.aadTokenProviderFactory
  .getTokenProvider()
  .then((tokenProvider: AadTokenProvider): Promise<string> => {
    // retrieve access token for the enterprise API secured with Azure AD
    return tokenProvider.getToken('2e887b5a-f782-4dcf-9ba2-6091805ad0cc');
  })
  .then((accessToken: string): void => {
    console.log("GOT ACCESS TOKEN", accessToken);
  });
```

My package-solution.json file has requested permissions:

```json
"webApiPermissionRequests": [
  {
    "resource": "Windows Azure Active Directory",
    "scope": "User.Read"
  },
  {
    "resource": "Microsoft Graph",
    "scope": "User.Read.All"
  },
  {
    "resource": "Microsoft Graph",
    "scope": "User.ReadBasic.All"
  },
  {
    "resource": "Microsoft Graph",
    "scope": "profile"
  }
]
```

I have approved all requested permissions:


I have also for good measure manually added and approved User.Read permission on Azure Active Directory.




All 12 comments

I want to say that the resource name "Windows Azure Active Directory" looks wrong - what are you wanting to access with it? Can you tell which resource request is failing?

I was following the thread here which references adding that resource scope: https://github.com/SharePoint/sp-dev-docs/issues/2473#issuecomment-419327768

I would like to see if this authentication method allows for silent SSO in the native mobile SharePoint application.

Right now when using adal-angular in the native mobile application you're redirected to sign in (since it seems the native mobile application does not share the authentication context?)

In your code, you're requesting an access token to an API that isn't among the permissions you requested. Could it be that you're missing an API permission grant to your enterprise API?

@butchmarshall
try to call method _getToken_ with 'https://graph.windows.net' to get the JWT token

```typescript
return tokenProvider.getToken('https://graph.windows.net');
```

Just getting back to this task. @cebud ... that seems to work!

Kind of. I get the access token, but curling with it gives...

```
curl -v --header "Accept: application/json" --header "Authorization: Bearer [...]" https://graph.microsoft.com/v1.0/me
```

```json
{
  "error": {
    "code": "InvalidAuthenticationToken",
    "message": "Access token validation failure.",
    "innerError": {
      "request-id": "1715a345-65fb-4883-8509-c4e2578579b5",
      "date": "2019-01-25T19:34:53"
    }
  }
}
```

But they have been approved.


Update:

I just needed https://graph.microsoft.com! It works!

One more question.

Where do we get the public key to verify this token? None of the keys at https://login.microsoftonline.com/common/discovery/keys work
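An added example, not part of the original thread or of SPFx: a diagnostic that decodes the `aud` claim of a token returned by `getToken` and compares it with the API the token is about to be sent to, which is the mismatch behind the `InvalidAuthenticationToken` response above (a token requested for `https://graph.windows.net` sent to `https://graph.microsoft.com`). The function names and sample tokens are constructed, and it assumes `aud` carries the resource identifier passed to `getToken`.

```javascript
// Added diagnostic example: names and sample tokens are constructed.
// It decodes the JWT payload WITHOUT verifying the signature, so use it to
// inspect a token you already hold, never to decide whether to trust one.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === 'function'
    ? atob(padded)                                        // browser / SPFx
    : Buffer.from(padded, 'base64').toString('binary');   // older Node.js
}

function decodeClaims(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 segments)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Assumption: "aud" carries the resource identifier passed to getToken().
function checkTokenForApi(token, acceptedAudiences, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeClaims(token);
  const normalize = (v) => String(v).toLowerCase().replace(/\/+$/, '');
  const audience = [].concat(claims.aud || []).map(normalize);
  const accepted = acceptedAudiences.map(normalize);
  const problems = [];
  if (!audience.some((a) => accepted.includes(a))) {
    problems.push(`audience mismatch: token was issued for ${audience.join(', ') || '(none)'}`);
  }
  if (typeof claims.exp === 'number' && claims.exp <= nowSeconds) problems.push('token expired');
  const scopes = String(claims.scp || '').split(' ').filter(Boolean);
  return { ok: problems.length === 0, audience, scopes, problems };
}

// Constructed sample tokens (placeholder signature, not real Azure AD output).
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ typ: 'JWT', alg: 'RS256' })}.${enc(claims)}.constructed-signature`;
}

const MS_GRAPH = ['https://graph.microsoft.com'];
const aadGraphToken = makeSampleToken({ aud: 'https://graph.windows.net', scp: 'User.Read', exp: 2000000000 });
const msGraphToken = makeSampleToken({ aud: 'https://graph.microsoft.com/', scp: 'User.Read User.ReadBasic.All', exp: 2000000000 });

console.log(checkTokenForApi(aadGraphToken, MS_GRAPH)); // ok: false, audience mismatch
console.log(checkTokenForApi(msGraphToken, MS_GRAPH));  // ok: true
```

Logging the `audience` and `scopes` fields before the API call shows which resource and permissions the token actually carries.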

facing the same issue
@VesaJuvonen

@butchmarshall
try to call method _getToken_ with 'https://graph.windows.net' to get the JWT token

```typescript
return tokenProvider.getToken('https://graph.windows.net');
```

I am getting a token through graph.windows.net, but how can I validate it manually in an ASP.NET WCF application?

I actually had a support call with Microsoft around this.

Basically, you can't validate it, apparently by design.

Ooookay! Thank you for your response.
I tried with graph.windows.net because I am getting the error below while trying to get a token for my registered Azure app. I have tried the code below to get a token for my Azure app.

```typescript
this.props.context.aadTokenProviderFactory
  .getTokenProvider()
  .then((tokenProvider: AadTokenProvider): Promise<string> => {
    // '<AppID>' is the poster's placeholder for the registered app's ID
    return tokenProvider.getToken('<AppID>');
  })
  .then((accessToken: string): void => {
    console.log('Token received - ' + accessToken);
  });
```

_Error: AADSTS65001: The user or administrator has not consented to use the application with ID 'bb0e5f77-d3b6-470b-b79b-994ae0da5838' named 'SharePoint Online Client Extensibility Web Application Principal'. Send an interactive authorization request for this user and resource._

I have a WCF web service hosted on our dedicated server, and I have registered the app in Azure AD with the redirect URL set to the web service domain path.
Could you please tell me the cause of, or advise on, why I am getting the AADSTS65001 error when trying to get an access token? And if I somehow manage to get the token, I am planning to pass it in the Authorization header of a web service call from SPFx, and then validate the token in the WCF implementation. Is it possible? We have chosen to host the WCF web service on an on-prem server; please advise if you have any alternative, in that case, to make it work. The final goal is to secure the WCF web service hosted on an on-premises server.

Appears OP's question was answered... there may be another question in this issue but can't tell. If so, please open a new issue.

Issues that have been closed & had no follow-up activity for at least 7 days are automatically locked. Please refer to our wiki for more details, including how to remediate this action if you feel this was done prematurely or in error: Issue List: Our approach to locked issues
