I use a typical OAuth 2 flow and send people for authentication using the template shown in the O365 samples:
https://login.windows.net/common/oauth2/authorize?response_type=code&client_id={0}&resource={1}&redirect_uri={2}&state={3}
Often, when a user follows the link to the site, it asks them to log in, but then, without asking for permission for the application, it redirects them back to our site with:
error: access_denied
error_description: "AADSTS50020: Calling principal cannot consent due to lack of permissions.\r\nTrace ID: fb1d1e6a-d339-4cba-9c99-b53b50e921a5\r\nCorrelation ID: ac7ef3f1-e8eb-4b0a-b413-e186faf2892c\r\nTimestamp: 2014-07-11 22:11:27Z"
Why is this done, and what can I do to fix it?
A Google search for "Caller Principal cannot agree due to lack of permissions" came up with nothing.
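As an added example that is not part of the original post: one way to build the authorize request from the template above and to handle the error redirect, checking `state` before trusting the response and splitting the `error_description` into the AADSTS code, Trace ID, Correlation ID and Timestamp for logging. The function names and the `app.example` and `resource.example` hosts are assumptions made for illustration.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE = "https://login.windows.net/common/oauth2/authorize"  # endpoint from the post
CODE_RE = re.compile(r"^(AADSTS\d+):\s*([^\r\n]*)")
FIELD_RE = re.compile(r"(Trace ID|Correlation ID|Timestamp):\s*([^\r\n]+)")

def build_authorize_url(client_id, resource, redirect_uri):
    """Return (url, state). Every value is URL-encoded; state is random per request."""
    state = secrets.token_urlsafe(32)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "resource": resource, "redirect_uri": redirect_uri,
                       "state": state})
    return f"{AUTHORIZE}?{query}", state

def parse_callback(callback_url, expected_state):
    """Check state, then return the code or the decomposed AADSTS error."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    state = params.get("state", "")
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" not in params:
        return {"ok": True, "code": params.get("code")}
    desc = params.get("error_description", "")
    m = CODE_RE.match(desc)
    result = {"ok": False, "error": params["error"],
              "aad_code": m.group(1) if m else None,
              "message": m.group(2).strip() if m else desc}
    for name, value in FIELD_RE.findall(desc):
        result[name.lower().replace(" ", "_")] = value.strip()  # e.g. correlation_id
    return result

# Constructed sample: error values are those quoted in the post; host is a placeholder.
SAMPLE_DESC = ("AADSTS50020: Calling principal cannot consent due to lack of permissions."
               "\r\nTrace ID: fb1d1e6a-d339-4cba-9c99-b53b50e921a5"
               "\r\nCorrelation ID: ac7ef3f1-e8eb-4b0a-b413-e186faf2892c"
               "\r\nTimestamp: 2014-07-11 22:11:27Z")

def sample_callback(state):
    return "https://app.example/callback?" + urlencode(
        {"error": "access_denied", "error_description": SAMPLE_DESC, "state": state})

if __name__ == "__main__":
    url, state = build_authorize_url("client-id-placeholder",
                                     "https://resource.example/", "https://app.example/callback")
    print(url)
    print(parse_callback(sample_callback(state), state))
```

Logging the Trace ID and Correlation ID as separate fields makes it possible to match a failed sign-in in the application log against the identity provider's own records.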