
[docs] How to handle consent and challenge for internal-only applications? #13

Closed
BenjaminAbt opened this issue Oct 8, 2018 · 4 comments
Labels
question Further information is requested

Comments

@BenjaminAbt

BenjaminAbt commented Oct 8, 2018

This issue is for a: (mark with an x)

- [ ] bug report -> please search issues before submitting
- [ ] feature request
- [X] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

Minimal steps to reproduce

Any log messages given by the failure

Expected/desired behavior

OS and Version?

Any

Versions

Any

Mention any other details that might be useful

For me it is absolutely unclear how to implement APIs right now. Right now I would say the documentation is a big pain for me.

Our scenario is an internal single page application. This SPA communicates with different internal ASP.NET Core APIs.
So we only have internal users and we only have internal applications. We don't need any challenge to ask the user for consent.

We already spent over two weeks in the documentation and in samples. We found a lot of obsolete stuff in the docs, references to archived GitHub repos and samples with obsolete NuGet packages.

At the end my question is still: what is the correct configuration of an internal API-based system, without consent? :-)
We don't want to show 17 consents because we have 17 applications to internal users.

I also tried to migrate this sample into an API.
But I always run into the event OnRedirectToIdentityProvider, but I don't know why.

@BenjaminAbt
Author

BenjaminAbt commented Oct 8, 2018

We reverted the change to an OpenID middleware and are now using Jwt against /<tenant>/v2.0, which works so far.
Finally, I am able to call my API with MSAL 2.0 as Admin and I can request GraphSdk.Me.Request().GetAsync()

As user I get:

AADSTS65001: The user or administrator has not consented to use the application with ID '123' named 'MyApp'. Send an interactive authorization request for this user and resource.

To be honest, right now I have no idea how to do that (and no idea how to call user schema extensions).
I got the consent question on the first admin login and on the first user login. For both I have accepted the dialog.

Our target is to have absolutely no consent questions for any user.

I know I have to configure something on the MSAL portal in the pre-auth'ed applications section.
But the documentation here is not clear either.
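An ASP.NET Core JWT bearer configuration for the setup described in this comment (an internal Web API validating v2.0 tokens from /<tenant>/v2.0), as an added example that is not code from the issue or from the sample repositories it links. The tenant and client IDs are placeholders, and the `access_as_user` scope name is an assumption; the point is that the API pins the issuer and audience itself instead of trusting any token the tenant issues.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    // Placeholders: replace with the tenant ID and the API's own application (client) ID.
    private const string TenantId = "00000000-0000-0000-0000-000000000000";
    private const string ApiClientId = "11111111-1111-1111-1111-111111111111";

    public void ConfigureServices(IServiceCollection services)
    {
        string authority = $"https://login.microsoftonline.com/{TenantId}/v2.0";

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Signing keys and metadata are discovered from the v2.0 OpenID configuration.
                options.Authority = authority;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Single-tenant API: only tokens issued by this tenant's v2.0 endpoint are valid.
                    ValidateIssuer = true,
                    ValidIssuer = authority,
                    // Reject tokens minted for a different resource (e.g. Graph) being replayed here.
                    ValidateAudience = true,
                    ValidAudiences = new[] { ApiClientId, $"api://{ApiClientId}" },
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(2)
                };
            });

        // Assumed scope name: require that the token actually carries a delegated scope for
        // this API. The v2.0 "scp" claim is mapped to this URI claim type by the default
        // inbound claim mapping of the JWT handler.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("RequireApiScope", policy =>
                policy.RequireClaim(
                    "http://schemas.microsoft.com/identity/claims/scope",
                    "access_as_user"));
        });
    }
}
```

Apply the policy with `[Authorize(Policy = "RequireApiScope")]` on the API controllers; a token that passes signature validation but lacks the scope or names another audience is then rejected with 403/401 rather than served.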

@BenjaminAbt
Author

Okay, another step further.

You cannot set consents on a Web API platform only.
An admin consent can only be set if a reply URL exists, because a reply URL is required - and this is only the case for a Web App.

So even if you have a Web API you have to add a Web App box to your Azure AD 2.0 App configuration.
This is absolutely missing from every documentation and also makes no sense to me.

@jmprieur
Contributor

Thanks for your feedback @BenjaminAbt.
We are currently working on this documentation and associated samples.

The case of the Web API is handled in another sample: https://github.com/azure-samples/active-directory-dotnet-native-aspnetcore-v2

@jmprieur jmprieur added the question Further information is requested label Nov 27, 2018
@jmprieur
Contributor

jmprieur commented Dec 4, 2018

See also #24 which I just merged.

@jmprieur jmprieur closed this as completed Dec 4, 2018