- Bug
- Resolution: Not a bug
- Low
- None
- 3.0.0
- None
- Severity 3 - Minor
Summary
When connecting to a Microsoft Azure directory, Crowd receives the following error (IDs redacted):
2017-08-22 07:34:44,696 http-bio-8095-exec-6 INFO [microsoft.aad.adal4j.AuthenticationAuthority] [Correlation ID: 123456789-abcd-abcd-abcd-123456780ab] Instance discovery was successful
2017-08-22 07:34:45,595 http-bio-8095-exec-6 INFO [microsoft.aad.adal4j.UserDiscoveryRequest] [Correlation ID: null] Sent (null) Correlation Id is not same as received (null).
2017-08-22 07:34:45,645 http-bio-8095-exec-6 INFO [microsoft.aad.adal4j.AuthenticationAuthority] [Correlation ID: 123456789-abcd-abcd-abcd-123456780ab] Instance discovery was successful
2017-08-22 07:34:46,095 http-bio-8095-exec-6 ERROR [microsoft.aad.adal4j.AuthenticationContext] [Correlation ID: 123456789-abcd-abcd-abcd-123456780ab] Request to acquire token failed. com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '12345678-1234-abcd-efab-123456789abc'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 12345678-abcd-efab-1234-1234567890abc\r\nCorrelation ID: 12345678-abcd-1234-abcd-1234567890ab\r\nTimestamp: 2017-08-22 07:34:45Z","error":"invalid_grant"}
Environment
- Microsoft Azure Connector
Steps to Reproduce
- Following the steps in
Expected Results
Crowd connects to Azure correctly
Actual Results
The below exception is thrown in the atlassian-crowd.log file:
2017-08-22 07:34:46,095 http-bio-8095-exec-6 ERROR [microsoft.aad.adal4j.AuthenticationContext] [Correlation ID: 12345678-abcd-defa-abcd-123456780ab] Request to acquire token failed. com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '12345678-1234-abcd-efab-123456789abc'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 12345678-abcd-efab-1234-1234567890abc\r\nCorrelation ID: 12345678-abcd-1234-abcd-1234567890ab\r\nTimestamp: 2017-08-22 07:34:45Z","error":"invalid_grant"}
Workaround
After creating the key in Azure as documented in
- Configuring Azure Active Directory
Create a key for the web application. Crowd will use this key to authenticate to Azure AD.
- Click your web application.
- In the API ACCESS section, click Keys.
- Choose a name and an expiry date for your key, then save it. Keep in mind that when the key expires and you don't replace it, Crowd will not be able to communicate with Azure AD.
- Copy and store the key value. You will not be able to view it after navigating away from the key settings.
Follow Step 1, part 6, of this document:
- Cleito ODCC Installation Guide
The permissions requested by the application must now be consented to by an Office 365 / Azure Active Directory administrator (the equivalent of clicking "Grant permissions" on the application's settings page). Ask your Office 365 administrator to open a browser at the following address, where <DIRECTORY_ID> is the Azure AD tenant (directory) ID, <APPLICATION_ID> is the application (client) ID of the web application, and <SIGN_ON_URL> is the sign-on / reply URL registered for that application:
https://login.microsoftonline.com/<DIRECTORY_ID>/adminconsent?client_id=<APPLICATION_ID>&state=12345&redirect_uri=<SIGN_ON_URL>
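The workaround above is a manual admin-consent flow. The Python script below is an added example, not Crowd's or Atlassian's code: it recognises the AADSTS65001 signature in an adal4j log line, extracts the application ID that still needs consent, builds the adminconsent URL with a random state value instead of the fixed 12345 from the workaround, and validates the redirect Azure AD sends back once the administrator has consented. The log line, directory ID and sign-on URL embedded in it are constructed placeholders, and the callback parameters it checks (admin_consent, tenant, state) are assumed from the Azure AD v1 admin consent endpoint's documented response.

```python
"""Diagnose an adal4j AADSTS65001 failure and drive the admin-consent workaround.

Added example (not Crowd's or Atlassian's code). Assumes the adal4j log format
quoted in the ticket and the Azure AD v1 /adminconsent endpoint behaviour.
"""
import json
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample log line; the GUIDs are placeholders, as in the ticket.
SAMPLE_LOG = (
    "2017-08-22 07:34:46,095 http-bio-8095-exec-6 ERROR "
    "[microsoft.aad.adal4j.AuthenticationContext] "
    "[Correlation ID: 12345678-abcd-defa-abcd-123456780ab] "
    "Request to acquire token failed. "
    "com.microsoft.aad.adal4j.AuthenticationException: "
    '{"error_description":"AADSTS65001: The user or administrator has not '
    "consented to use the application with ID "
    "'12345678-1234-abcd-efab-123456789abc'. Send an interactive "
    "authorization request for this user and resource.\\r\\nTrace ID: "
    "12345678-abcd-efab-1234-1234567890abc\\r\\nCorrelation ID: "
    '12345678-abcd-1234-abcd-1234567890ab\\r\\nTimestamp: 2017-08-22 07:34:45Z",'
    '"error":"invalid_grant"}'
)

ADMIN_CONSENT_BASE = "https://login.microsoftonline.com/{tenant}/adminconsent"


def parse_adal_error(line):
    """Extract the AADSTS code, OAuth error and app ID from an adal4j log line.

    Returns None when the line carries no AuthenticationException payload.
    """
    match = re.search(r"AuthenticationException:\s*(\{.*\})\s*$", line)
    if not match:
        return None
    payload = json.loads(match.group(1))
    desc = payload.get("error_description", "")
    code = re.match(r"(AADSTS\d+):", desc)
    app_id = re.search(r"application with ID '([0-9a-fA-F-]+)'", desc)
    return {
        "error": payload.get("error"),
        "code": code.group(1) if code else None,
        "app_id": app_id.group(1) if app_id else None,
        # AADSTS65001 means the app's permissions were never consented to.
        "needs_admin_consent": bool(code) and code.group(1) == "AADSTS65001",
    }


def build_admin_consent_url(tenant_id, client_id, redirect_uri, state=None):
    """Build the URL an Azure AD administrator opens to consent for client_id.

    A random state lets the redirect handler reject callbacks it did not
    initiate; the ticket's fixed state=12345 gives no such protection.
    Returns (url, state).
    """
    state = state or secrets.token_urlsafe(16)
    query = urlencode(
        {"client_id": client_id, "state": state, "redirect_uri": redirect_uri}
    )
    return f"{ADMIN_CONSENT_BASE.format(tenant=tenant_id)}?{query}", state


def check_consent_callback(callback_url, expected_state, expected_tenant):
    """Validate the redirect Azure AD issues after the admin consent screen.

    Assumed v1 response shape: admin_consent=True&tenant=<id>&state=<state>
    on success, error=...&error_description=... when consent is refused.
    Returns (ok, reason).
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if params.get("error"):
        return False, params.get("error_description", params["error"])
    if not secrets.compare_digest(
        params.get("state", "").encode(), expected_state.encode()
    ):
        return False, "state mismatch: callback was not initiated by us"
    if params.get("tenant", "").lower() != expected_tenant.lower():
        return False, "consent was granted in an unexpected tenant"
    if params.get("admin_consent", "").lower() != "true":
        return False, "admin_consent flag missing from callback"
    return True, "admin consent granted"


if __name__ == "__main__":
    diag = parse_adal_error(SAMPLE_LOG)
    print(diag)
    if diag and diag["needs_admin_consent"]:
        url, state = build_admin_consent_url(
            "00000000-0000-0000-0000-000000000000",  # placeholder directory ID
            diag["app_id"],
            "https://crowd.example.com/crowd/",  # placeholder sign-on URL
        )
        print("Ask an Azure AD administrator to open:", url)
```

Run it against a real atlassian-crowd.log line to get the exact application ID that needs consent; then hand the generated URL to the administrator and verify the redirect with check_consent_callback before trusting that consent was granted. As the closing comment on this ticket notes, Azure AD can take a few minutes to propagate the consent, so a token request made immediately afterwards may still fail.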
[CWD-4966] Azure Directory throws The user or administrator has not consented to use the application with ID
Field | Original | New
Remote Link | This issue links to "KRAK-835 (JIRA Server)" [ 322774 ] | This issue links to "KRAK-835 (JIRA Server (Bulldog))" [ 322774 ]
Remote Link | This issue links to "KRAK-834 (JIRA Server)" [ 322773 ] | This issue links to "KRAK-834 (JIRA Server (Bulldog))" [ 322773 ]
Epic Link | CWD-4704 [ 600140 ] |
Workflow | Simplified Crowd Development Workflow v2 - restricted [ 2427477 ] | JAC Bug Workflow v3 [ 3365869 ]
Symptom Severity | Minor [ 14432 ] | Severity 3 - Minor [ 15832 ]
Resolution | | Not a bug [ 12 ]
Status | Needs Verification [ 10004 ] | Closed [ 6 ]
Attachment | | Screen Shot 2018-07-24 at 09.25.48.png [ 320133 ]
Remote Link | | This issue links to "KRAK-835 (JIRA Server)" [ 322774 ]
Hello,
The issue can stem either from a missing click on "Grant permissions" for either the web or the native application, or from the permissions not yet being propagated. The URL posted in the description performs the same action as a click on "Grant permissions" in the configuration UI. Care must be taken, however, as Azure AD takes time to propagate the permission updates, so it may take up to a few minutes for the permissions to become effective. I've attached a screenshot showing the location of the "Grant permissions" button.
As there's no indication that it's an actual bug with the implementation I'm closing the ticket.
Best regards,
Patryk Petrowski