Crowd Data Center / CWD-4966

Azure Directory throws The user or administrator has not consented to use the application with ID

    • Type: Bug
    • Resolution: Not a bug
    • Priority: Low
    • None
    • 3.0.0
    • Documentation
    • None

      Summary

      When connecting to Microsoft Azure directory, Crowd receives the error:

      2017-08-22 07:34:44,696 http-bio-8095-exec-6 INFO [microsoft.aad.adal4j.AuthenticationAuthority] [Correlation ID: 123456789-abcd-abcd-abcd-123456780ab] Instance discovery was successful
      2017-08-22 07:34:45,595 http-bio-8095-exec-6 INFO [microsoft.aad.adal4j.UserDiscoveryRequest] [Correlation ID: null] Sent (null) Correlation Id is not same as received (null).
      2017-08-22 07:34:45,645 http-bio-8095-exec-6 INFO [microsoft.aad.adal4j.AuthenticationAuthority] [Correlation ID: 123456789-abcd-abcd-abcd-123456780ab] Instance discovery was successful
      2017-08-22 07:34:46,095 http-bio-8095-exec-6 ERROR [microsoft.aad.adal4j.AuthenticationContext] [Correlation ID: 123456789-abcd-abcd-abcd-123456780ab] Request to acquire token failed.
      com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '12345678-1234-abcd-efab-123456789abc'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 12345678-abcd-efab-1234-1234567890abc\r\nCorrelation ID: 12345678-abcd-1234-abcd-1234567890ab\r\nTimestamp: 2017-08-22 07:34:45Z","error":"invalid_grant"}
      

      Environment

      • Microsoft Azure Connector

      Steps to Reproduce

      1. Following the steps in

      Expected Results

      Crowd connects to Azure correctly

      Actual Results

      The below exception is thrown in the atlassian-crowd.log file:

      2017-08-22 07:34:46,095 http-bio-8095-exec-6 ERROR [microsoft.aad.adal4j.AuthenticationContext] [Correlation ID: 12345678-abcd-defa-abcd-123456780ab] Request to acquire token failed.
      com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '12345678-1234-abcd-efab-123456789abc'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 12345678-abcd-efab-1234-1234567890abc\r\nCorrelation ID: 12345678-abcd-1234-abcd-1234567890ab\r\nTimestamp: 2017-08-22 07:34:45Z","error":"invalid_grant"}
      

      Workaround

      After creating the key in Azure as documented in

      • Configuring Azure Active Directory

        Create a key for the web application. Crowd will use this key to authenticate to Azure AD.

        1. Click your web application.
        2. In the API ACCESS section, click Keys.
        3. Choose a name and an expiry date for your key, then save it. Keep in mind that when the key expires and you don't replace it, Crowd will not be able to communicate with Azure AD.
        4. Copy and store the key value. You will not be able to view it after navigating away from the key settings.

        Following Step 1 - part 6 in this document

      • Cleito ODCC Installation Guide
        These permissions must now be validated by an Office 365 / Azure Active Directory administrator. Ask your Office 365 administrator to open a browser to the following address:
        https://login.microsoftonline.com/<DIRECTORY_ID>/adminconsent?client_id=<APPLICATION_ID>&state=12345&redirect_uri=<SIGN_ON_URL>
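
A log-triage sketch for the failure in this report, added here as an example (it is not Crowd's or Atlassian's code): it parses the ADAL4J exception line, confirms the code is AADSTS65001, and fills in the admin-consent URL template from the workaround. The sample line is constructed from the log quoted in this issue; the function names, the directory ID and the redirect URI passed in are assumptions.

```python
import json
import re
import secrets
from urllib.parse import quote, urlencode

EXC_PREFIX = "com.microsoft.aad.adal4j.AuthenticationException:"
APP_ID_RE = re.compile(r"application with ID '([0-9a-fA-F-]{36})'")

# Constructed sample, shortened from the exception line quoted in this issue.
SAMPLE_LINE = (
    'com.microsoft.aad.adal4j.AuthenticationException: {"error_description":'
    '"AADSTS65001: The user or administrator has not consented to use the '
    "application with ID '12345678-1234-abcd-efab-123456789abc'. Send an "
    'interactive authorization request for this user and resource.\\r\\n'
    'Timestamp: 2017-08-22 07:34:45Z","error":"invalid_grant"}'
)

def parse_adal_failure(line):
    """Extract error, AADSTS code and application ID from an ADAL4J exception line."""
    _, found, payload = line.partition(EXC_PREFIX)
    if not found:
        return None
    try:
        body = json.loads(payload.strip())
    except json.JSONDecodeError:
        return None
    if not isinstance(body, dict):
        return None
    desc = body.get("error_description", "")
    code = re.match(r"AADSTS\d+", desc)
    app = APP_ID_RE.search(desc)
    return {
        "error": body.get("error"),
        "code": code.group(0) if code else None,
        "app_id": app.group(1) if app else None,
    }

def admin_consent_url(directory_id, app_id, redirect_uri, state=None):
    """Fill in the admin-consent URL template given in the workaround."""
    # The page's URL uses state=12345; a random value lets the redirect
    # handler check that the response belongs to the request it sent.
    state = state or secrets.token_urlsafe(16)
    query = urlencode({"client_id": app_id, "state": state, "redirect_uri": redirect_uri})
    return f"https://login.microsoftonline.com/{quote(directory_id, safe='')}/adminconsent?{query}"

def consent_url_for(line, directory_id, redirect_uri, state=None):
    """Return the consent URL only if the line is a missing-consent (AADSTS65001) failure."""
    info = parse_adal_failure(line)
    if not info or info["code"] != "AADSTS65001" or not info["app_id"]:
        return None
    return admin_consent_url(directory_id, info["app_id"], redirect_uri, state)
```

Any other AADSTS code, or a line without the exception prefix, yields `None`, so the script only proposes admin consent for the failure this issue describes.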

            Patryk made changes -
            Resolution New: Not a bug [ 12 ]
            Status Original: Needs Verification [ 10004 ] New: Closed [ 6 ]

            Patryk added a comment (edited)

            Hello,

            The issue can either stem from a missing click on "Grant permissions" for either the web or the native application, or the permissions not yet being propagated. The URL posted in the description performs the same action as a click on "Grant permissions" in the configuration UI. Care must be taken however, as Azure AD takes time to propagate the permission updates, so it may take up to a few minutes for the permissions to become effective. I've attached a screenshot, showing the location of the "Grant permissions" button.

            As there's no indication that it's an actual bug with the implementation I'm closing the ticket.

            Best regards,
            Patryk Petrowski

            Patryk made changes -
            Attachment New: Screen Shot 2018-07-24 at 09.25.48.png [ 320133 ]

            M Amine added a comment -

            Facing the same issue too. I'm using Crowd 3.2.2.

             


              Unassigned Unassigned
              jrichards@atlassian.com James Richards