Error InteractionRequiredAuthError: invalid_grant: AADSTS65001: The user or administrator has not consented to use the application with ID
Core Library
Core Library Version
2.13.1
Wrapper Library
Wrapper Library Version
1.0.0-beta.1
Description
I have a SPA application configured with AAD to authenticate users. I followed the below implementation in my application. https://github.com/Azure-Samples/ms-identity-javascript-react-spa-dotnetcore-webapi-obo
The SPA and WebAPI are working as expected when only I access the application but throws the following error for other users. “Error InteractionRequiredAuthError: invalid_grant: AADSTS65001: The user or administrator has not consented to use the application with ID”
Error Message
Error InteractionRequiredAuthError: invalid_grant: AADSTS65001: The user or administrator has not consented to use the application with ID
Msal Logs
Error InteractionRequiredAuthError: invalid_grant: AADSTS65001: The user or administrator has not consented to use the application with ID ‘<client_id>’ named ‘<app_name>’. Send an interactive authorization request for this user and resource.
Trace ID: 2b359993-5cfc-4db3-9c06-69269a2d5d00
Correlation ID: ff89059d-c127-410c-9a30-6da5f5fd438d
Timestamp: 2021-04-08 02:58:05Z
    at InteractionRequiredAuthError.AuthError [as constructor] (http://localhost:3000/static/js/vendors~main.chunk.js:11407:20)
    at InteractionRequiredAuthError.ServerError [as constructor] (http://localhost:3000/static/js/vendors~main.chunk.js:14295:24)
    at new InteractionRequiredAuthError (http://localhost:3000/static/js/vendors~main.chunk.js:15351:24)
    at ResponseHandler.validateTokenResponse (http://localhost:3000/static/js/vendors~main.chunk.js:15978:15)
    at RefreshTokenClient.<anonymous> (http://localhost:3000/static/js/vendors~main.chunk.js:16950:29)
    at step (http://localhost:3000/static/js/vendors~main.chunk.js:10997:17)
    at Object.next (http://localhost:3000/static/js/vendors~main.chunk.js:10928:14)
    at fulfilled (http://localhost:3000/static/js/vendors~main.chunk.js:10882:24)
MSAL Configuration
{
  auth: {
    clientId: "client_id_azure_portal",
    redirectUri: "http://localhost:3000",
    authority: 'https://login.microsoftonline.com/<tenant_id>',
    navigateToLoginRequestUrl: false,
  },
  cache: {
    cacheLocation: 'localStorage'
  }
}
Relevant Code Snippets
This is an internal application.
Reproduction Steps
This is an internal application
Expected Behavior
I want the application to retrieve tokens for other users as it does for me.
Identity Provider
Azure AD / MSA
Browsers Affected (Select all that apply)
Edge
Regression
No response
Source
External (Customer)
Issue Analytics
- State:
- Created 2 years ago
- Comments: 5 (2 by maintainers)
Top GitHub Comments
@senal
Yes, the authority: ‘…’ part from your configuration, plus /adminconsent?client_id=, plus your application ID.
Thanks @vinusorout,
I think we do have 2 AADs in place. The solution you gave worked fine for one and not the other one. I must reach out to our admins to find out the different behaviour of these 2 ADs.
Thanks for your help.
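The admin-consent URL described in the comment above (the `authority` from the MSAL configuration, plus `/adminconsent?client_id=`, plus the application ID), as an added example that is not part of the original thread or of MSAL itself. The function names, tenant GUIDs and client ID are constructed placeholders; the example goes one step further than the comment and takes a list of authorities, since the reply mentions two AADs.

```javascript
// Added example; tenant GUIDs and client ID are constructed placeholders.
const CONSENT_REQUIRED = "AADSTS65001";

// Extract the AADSTS code from an MSAL error message like the one in the logs.
function aadstsCode(message) {
  const match = /\bAADSTS(\d+)\b/.exec(String(message));
  return match ? `AADSTS${match[1]}` : null;
}

// <authority>/adminconsent?client_id=<application id>, as the comment describes.
function adminConsentUrl(authority, clientId) {
  const base = new URL(authority);
  if (base.protocol !== "https:") throw new Error("authority must use https");
  const tenant = base.pathname.split("/").filter(Boolean)[0];
  // Reject an authority whose tenant is missing or still a <placeholder>.
  if (!tenant || /[<>]/.test(decodeURIComponent(tenant))) {
    throw new Error("authority needs a real tenant segment");
  }
  if (!clientId) throw new Error("clientId is required");
  const url = new URL(`/${tenant}/adminconsent`, base.origin);
  url.searchParams.set("client_id", clientId); // URL-encodes the value
  return url.toString();
}

// Consent is recorded per tenant, so build one URL per directory in use.
function consentPlan(error, authorities, clientId) {
  const code = aadstsCode(error && error.message);
  if (code !== CONSENT_REQUIRED) return { code, urls: [] };
  return { code, urls: authorities.map((a) => adminConsentUrl(a, clientId)) };
}

// Constructed sample input (not values from the issue).
const sampleError = {
  message: "invalid_grant: AADSTS65001: The user or administrator has not " +
    "consented to use the application with ID '<client_id>'",
};
const sampleAuthorities = [
  "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111",
  "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/",
];
const sampleClientId = "00000000-0000-0000-0000-000000000000";

console.log(consentPlan(sampleError, sampleAuthorities, sampleClientId));
```

Each returned URL is meant to be opened by an administrator of that tenant; an authority still containing `<tenant_id>` is rejected instead of producing a broken link.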