How do I trigger the admin_consent flow using IdentityServer 4 for a multi-tenant app?

Submitted by 半腔热情 on 2021-02-20 01:32:36

Question


I'm building a POC multi-tenant app using IdentityServer 4 on asp.net core as the middleman between my client app and Azure Active Directory using openIdConnect. Is there a way to trigger the admin_consent flow when a user logs in from a new AAD tenant which is not yet authorized to use the app?

This Azure sample shows how to perform a manual consent using a controller on the client site which builds the AAD Uri from scratch, but I'm shooting for an experience where a user from a new directory hits my site, gets kicked to AAD common endpoint, logs in, and is presented with a UI to authorize the app in their directory.

Now that I type that, I'm thinking the problem is that AAD may not have a way to be told to skip the 'not registered with your directory' error screen, so an AAD admin from the new tenant would need to execute the admin_consent workflow on their own ahead of time anyway.

I'm still interested to know if IdentityServer can kick off that process (i.e., can the openIdConnect Uri be manipulated), because I'd like to run all identity workflows through IdentityServer, including my admin consent workflow.


Answer 1:


For a multi-tenant application, the initial registration for the application lives in the Azure AD tenant used by the developer. When a user from a different tenant signs in to the application for the first time, Azure AD asks them to consent to the permissions requested by the application.

This consent experience is affected by the permissions requested by the application. Azure AD supports two kinds of permissions, app-only and delegated. App-only permissions always require a tenant administrator's consent. If your application requests an app-only permission and a normal user tries to sign in to the application, your application will get an error message saying the user isn't able to consent, like: "This application requires application permissions to another application. Consent for application permissions can only be performed by an administrator."

If your application uses permissions that require admin consent, you need to have a gesture in your application such as a button or link where the admin can initiate the action. The request your application sends for this action is a usual OAuth2/OpenID Connect authorization request, but one that also includes the prompt=admin_consent query string parameter, e.g.:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=&response_type=code&redirect_uri=&scope=openid&prompt=admin_consent

With this query string, admin consent is needed; if you use a normal user (not an admin), you will get an error like: "This operation can only be performed by an administrator". You could check whether to add the query string according to your requirement. In your scenario, you could click here for a code sample about how to configure IdentityServer4 with Azure AD external login. If you want to force the admin consent flow, you could handle the OnRedirectToIdentityProvider event when configuring the OpenIdConnectOptions, and add the prompt query string parameter by calling the ProtocolMessage.SetParameter method on the supplied RedirectContext:

        // ASP.NET Core 1.x style registration of the OpenID Connect middleware inside an IdentityServer4 host.
        // Namespaces required: System.Threading.Tasks, Microsoft.AspNetCore.Builder,
        // Microsoft.IdentityModel.Protocols.OpenIdConnect, IdentityServer4.
        // schemeName, clientId, tenantId and dataFormat are supplied by the surrounding configuration code.
        app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
        {
            AuthenticationScheme = schemeName,
            DisplayName = "AzureAD",
            // Sign the external Azure AD identity into IdentityServer's external cookie
            SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme,
            ClientId = clientId,
            Authority = $"https://login.microsoftonline.com/{tenantId}",
            ResponseType = OpenIdConnectResponseType.IdToken,
            StateDataFormat = dataFormat,
            Events = new OpenIdConnectEvents
            {
                // Runs just before the browser is redirected to Azure AD: append prompt=admin_consent
                // to the authorization request so a tenant admin is asked to consent for the whole directory.
                OnRedirectToIdentityProvider = context =>
                {
                    context.ProtocolMessage.SetParameter("prompt", "admin_consent");
                    return Task.FromResult(0);
                }
            }
        });
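As an added example (not code from the answer or from the IdentityServer project), the same event can be driven by the explicit admin gesture the answer describes instead of being forced on every login: the admin button issues a challenge carrying a marker property, the redirect event adds prompt=admin_consent only when that marker is present, and, because the multi-tenant "common" authority makes the token issuer vary per tenant, only tenants on an allow-list are accepted rather than switching issuer validation off. It assumes ASP.NET Core 2.x or later with the Microsoft.AspNetCore.Authentication.OpenIdConnect package; the scheme name "aad", the property key, the AllowedIssuers set with its placeholder tenant id, and the controller are hypothetical names chosen for this example.

```csharp
// Added example (not the answer's code). Hypothetical names: "aad", "admin_consent", AllowedIssuers.
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
public static class AadAdminConsent
{
    public const string Scheme = "aad";
    public const string PropertyKey = "admin_consent"; // marker carried on the challenge
    // Tenants whose admins have already consented (constructed placeholder tenant id).
    public static readonly HashSet<string> AllowedIssuers =
        new HashSet<string> { "https://sts.windows.net/00000000-0000-0000-0000-000000000001/" };
    public static void Configure(IServiceCollection services, string clientId)
    {
        services.AddAuthentication().AddOpenIdConnect(Scheme, "AzureAD", options =>
        {
            options.SignInScheme = "idsrv.external"; // IdentityServer4's external cookie scheme
            options.ClientId = clientId;
            options.Authority = "https://login.microsoftonline.com/common"; // any tenant may sign in
            options.ResponseType = "id_token";
            // With "common" the issuer varies per tenant: check it against the allow-list instead of disabling validation.
            options.TokenValidationParameters.IssuerValidator = (issuer, token, parameters) =>
                AllowedIssuers.Contains(issuer) ? issuer
                    : throw new SecurityTokenInvalidIssuerException("Tenant not authorized: " + issuer);
            options.Events = new OpenIdConnectEvents
            {
                OnRedirectToIdentityProvider = context =>
                {
                    // Only the explicit admin gesture requests admin consent; normal logins are unchanged.
                    if (context.Properties.Items.TryGetValue(PropertyKey, out var flag) && flag == "true")
                        context.ProtocolMessage.SetParameter("prompt", "admin_consent");
                    return Task.CompletedTask;
                }
            };
        });
    }
}

public class AdminConsentController : Controller
{
    // Target of the "Grant consent for your organization" button shown to tenant admins.
    public IActionResult AdminConsent(string returnUrl = "/")
    {
        var props = new AuthenticationProperties { RedirectUri = returnUrl, Items = { [AadAdminConsent.PropertyKey] = "true" } };
        return Challenge(props, AadAdminConsent.Scheme);
    }
}
```

Once a new tenant's admin has granted consent, that tenant's issuer still has to be added to AllowedIssuers before its users (or the consenting admin's own callback) pass the issuer check.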


Source: https://stackoverflow.com/questions/42428091/how-do-i-trigger-the-admin-consent-flow-using-identityserver-4-for-a-multi-tenan
