[Documentation]: Suggested update in walkthrough #45
Comments
|
Hi, while authorized clients will skip consenting, it shouldn't be required. Did you remember to check that users can consent as well when creating the scope? |
|
@bkmetzler ? 😊 |
|
Yes, "Admins and users" is selected. |
|
That's odd. Do you have control of the tenant? The only thing I can think of is that there might be a strict policy in place which don't allow users to consent anyway. I don't really know if that's possible though, but we have never encountered this in our tenant. We could add a info box guiding the user to set up authorized client applications for the API, if they don't want the user to need to consent. But I don't think it should be a required step, as hitting the admin consent screen is not the normal behavior when user consent is enabled. |
|
We're unable to reproduce this. Can you share some more information about your setup, @bkmetzler? Do you have |
|
After looking into this, it seems to be a related to the fact I am using an enterprise level tenant with limitations at the tenant level. There is no "prompt=admin" in the redirect URI. |
|
Thank you for getting back to us, @bkmetzler! I'd like to have a note in the docs which just links to this issue, for those who has issues with admin consent being asked for after following the tutorial. Would you like to create a PR, or should I do it? 😊 |
JonasKs
changed the title
JonasKs
added
good first issue
JonasKs
changed the title
- #62: Tutorial on how to use Python to interact with your APIs - #61: Tutorial on how to access user attributes in your APIs - #45: Added a page that explains how to solve admin consent when signing in. Thank you @bkmetzler - #40: Add tutorial on how to set up and use Graph APIs using the On Behalf Flow. Thank you @u-iandono & @h3rmanj - Add graph endpoint example
- #62: Tutorial on how to use Python to interact with your APIs - #61: Tutorial on how to access user attributes in your APIs - #45: Added a page that explains how to solve admin consent when signing in. Thank you @bkmetzler - #40: Add tutorial on how to set up and use Graph APIs using the On Behalf Flow. Thank you @u-iandono & @h3rmanj - Add graph endpoint example
|
Thank you so much @bkmetzler. I've added documentation for this here. |
- Intility#62: Tutorial on how to use Python to interact with your APIs - Intility#61: Tutorial on how to access user attributes in your APIs - Intility#45: Added a page that explains how to solve admin consent when signing in. Thank you @bkmetzler - Intility#40: Add tutorial on how to set up and use Graph APIs using the On Behalf Flow. Thank you @u-iandono & @h3rmanj - Add graph endpoint example
Documentation, closes Intility#40, Intility#45, Intility#61, Intility#62
Describe the issue
(https://intility.github.io/fastapi-azure-auth/single-tenant/azure_setup#step-4---allow-openapi-to-talk-to-the-backend)
There should be one final step on this walk through. Azure has added another section under "Exposing an API" called "Authorized client applications". If you do not link the OpenAPI back to the original application, the end-user will be prompted to request consent from an administrator.
To Reproduce
Manually go through the Single Tenant walkthrough (https://intility.github.io/fastapi-azure-auth/single-tenant/). Once fully complete, any attempt to log into Azure via OpenAPI will send the end-user to a page, as described below:
Fix
This is so the end-user doesn't see this prompt.
1.) Go to "Expose an API" under your Sample application (not the OpenAPI).
2.) Under "Authorized client applications" click "Add a client application"
3.) Copy the Application Id from your 'Sample - OpenAPI' into the 'Client ID' field.
4.) Select the exposed 'api://*' check box
5.) Click "Add Application"
Now when you click "Authorize"/"Login" via SwaggerUI, the end user will no longer require Admin consent.
I hope this helps,
-Brian
The text was updated successfully, but these errors were encountered: