I'm following documentation at http://msdn.microsoft.com/en-us/library/azure/dn645542.aspx
I'm redirecting the user to
https://login.windows.net/common/oauth2/authorize?response_type=code&resource=https%3A%2F%2Fgraph.windows.net&client_id=fee76137-a1d9-4545-bf6d-7214e14d7017&redirect_uri=REPLY-URL-HERE
and sometimes (say 1 time in 10) the user gets stuck on https://login.windows.net/common/oauth2/authorize?... with an error message
Sign In
Sorry, but we’re having trouble signing you in. We received a bad request.
Additional technical information:
Correlation ID: f05ab15f-cbd7-482d-a68a-05c48390baae
Timestamp: 2014-09-12 13:11:42Z
AADSTS50020: Cannot use user consent.
So, obviously the user consent is the problem.
I can fix the problem by adding "&prompt=consent" to the redirect URL, but in that case I'm losing the Single Sign-On experience for the 9 times out of 10 when it would work without an enforced consent dialog.
I'd expect the user to be redirected to my reply URL, where I could diagnose the problem and allow the user to re-request the consent if needed. However, this does not happen and the user is left on https://login.windows.net/common/oauth2/authorize?... without any hints about what to do next.
Is this a known problem or is there some way to request that any errors should always get redirected to my own reply URL?