Meeco / omniauth-azure_active_directory_b2c

Azure AD B2C Strategy for OmniAuth

'access_token' required #2

Open ipepe opened 5 years ago

ipepe commented 5 years ago

I seem to have a problem running this gem. When coming back from Azure to my callback in Rails I get this exception:

AttrRequired::AttrMissing - 'access_token' required.:
  attr_required (1.0.1) lib/attr_required.rb:59:in `attr_missing!'
  rack-oauth2 (1.9.3) lib/rack/oauth2/access_token.rb:23:in `initialize'
  openid_connect (1.1.6) lib/openid_connect/access_token.rb:7:in `initialize'
  openid_connect (1.1.6) lib/openid_connect/client.rb:33:in `handle_success_response'
  rack-oauth2 (1.9.3) lib/rack/oauth2/client.rb:146:in `handle_response'
  rack-oauth2 (1.9.3) lib/rack/oauth2/client.rb:122:in `access_token!'
  omniauth-azure_active_directory_b2c (0.2.0) lib/omniauth/strategies/azure_active_directory_b2c/authentication_response.rb:85:in `get_access_token!'
  omniauth-azure_active_directory_b2c (0.2.0) lib/omniauth/strategies/azure_active_directory_b2c/authentication_response.rb:22:in `access_token'
  omniauth-azure_active_directory_b2c (0.2.0) lib/omniauth/strategies/azure_active_directory_b2c/authentication_response.rb:90:in `get_id_token!'
  omniauth-azure_active_directory_b2c (0.2.0) lib/omniauth/strategies/azure_active_directory_b2c/authentication_response.rb:26:in `id_token'
  omniauth-azure_active_directory_b2c (0.2.0) lib/omniauth/strategies/azure_active_directory_b2c/authentication_response.rb:116:in `validate_id_token'
  omniauth-azure_active_directory_b2c (0.2.0) lib/omniauth/strategies/azure_active_directory_b2c.rb:128:in `validate_id_token!'
  omniauth-azure_active_directory_b2c (0.2.0) lib/omniauth/strategies/azure_active_directory_b2c.rb:102:in `callback_phase'
  omniauth (1.3.1) lib/omniauth/strategy.rb:227:in `callback_call'
  omniauth (1.3.1) lib/omniauth/strategy.rb:184:in `call!'
  omniauth (1.3.1) lib/omniauth/strategy.rb:164:in `call'
  omniauth (1.3.1) lib/omniauth/strategy.rb:186:in `call!'
  omniauth (1.3.1) lib/omniauth/strategy.rb:164:in `call'
  warden (1.2.6) lib/warden/manager.rb:35:in `block in call'
  warden (1.2.6) lib/warden/manager.rb:34:in `call'
  rack (2.0.6) lib/rack/etag.rb:25:in `call'
  rack (2.0.6) lib/rack/conditional_get.rb:25:in `call'
  rack (2.0.6) lib/rack/head.rb:12:in `call'
  rack (2.0.6) lib/rack/session/abstract/id.rb:232:in `context'
  rack (2.0.6) lib/rack/session/abstract/id.rb:226:in `call'
  actionpack (5.0.7.2) lib/action_dispatch/middleware/cookies.rb:613:in `call'
  activerecord (5.0.7.2) lib/active_record/migration.rb:553:in `call'
  actionpack (5.0.7.2) lib/action_dispatch/middleware/callbacks.rb:38:in `block in call'
  activesupport (5.0.7.2) lib/active_support/callbacks.rb:97:in `__run_callbacks__'
  activesupport (5.0.7.2) lib/active_support/callbacks.rb:750:in `_run_call_callbacks'
  activesupport (5.0.7.2) lib/active_support/callbacks.rb:90:in `run_callbacks'
  actionpack (5.0.7.2) lib/action_dispatch/middleware/callbacks.rb:36:in `call'
  actionpack (5.0.7.2) lib/action_dispatch/middleware/executor.rb:12:in `call'
  actionpack (5.0.7.2) lib/action_dispatch/middleware/remote_ip.rb:79:in `call'
  airbrake (4.3.8) lib/airbrake/rails/middleware.rb:13:in `call'
  better_errors (2.1.1) lib/better_errors/middleware.rb:84:in `protected_app_call'
  better_errors (2.1.1) lib/better_errors/middleware.rb:79:in `better_errors_call'
  better_errors (2.1.1) lib/better_errors/middleware.rb:57:in `call'
  actionpack (5.0.7.2) lib/action_dispatch/middleware/debug_exceptions.rb:49:in `call'
  actionpack (5.0.7.2) lib/action_dispatch/middleware/show_exceptions.rb:31:in `call'
  railties (5.0.7.2) lib/rails/rack/logger.rb:36:in `call_app'
  railties (5.0.7.2) lib/rails/rack/logger.rb:24:in `block in call'
  activesupport (5.0.7.2) lib/active_support/tagged_logging.rb:69:in `block in tagged'
  activesupport (5.0.7.2) lib/active_support/tagged_logging.rb:26:in `tagged'
  activesupport (5.0.7.2) lib/active_support/tagged_logging.rb:69:in `tagged'
  railties (5.0.7.2) lib/rails/rack/logger.rb:24:in `call'
  sprockets-rails (3.2.1) lib/sprockets/rails/quiet_assets.rb:13:in `call'
  actionpack (5.0.7.2) lib/action_dispatch/middleware/request_id.rb:24:in `call'
  rack (2.0.6) lib/rack/method_override.rb:22:in `call'
  rack (2.0.6) lib/rack/runtime.rb:22:in `call'
  activesupport (5.0.7.2) lib/active_support/cache/strategy/local_cache_middleware.rb:28:in `call'
  actionpack (5.0.7.2) lib/action_dispatch/middleware/executor.rb:12:in `call'
  actionpack (5.0.7.2) lib/action_dispatch/middleware/static.rb:136:in `call'
  rack (2.0.6) lib/rack/sendfile.rb:111:in `call'
  airbrake (4.3.8) lib/airbrake/user_informer.rb:16:in `_call'
  airbrake (4.3.8) lib/airbrake/user_informer.rb:12:in `call'
  railties (5.0.7.2) lib/rails/engine.rb:522:in `call'
  puma (3.6.0) lib/puma/configuration.rb:225:in `call'
  puma (3.6.0) lib/puma/server.rb:578:in `handle_request'
  puma (3.6.0) lib/puma/server.rb:415:in `process_client'
  puma (3.6.0) lib/puma/server.rb:275:in `block in run'
  puma (3.6.0) lib/puma/thread_pool.rb:116:in `block in spawn_thread'

Could you help, @br3nt?

ipepe commented 5 years ago

Ahhh. Sorry. I was using the new V2 sign-in and I guess that's not compatible with your implementation.

ipepe commented 5 years ago

Also, the implementation at github.com/xapix-io/omniauth-azure_active_directory_b2c seems more advanced. Maybe pull request it?

br3nt commented 5 years ago

@ipepe, it got to the callback_phase and it got past the checks for error codes and error messages. It seems the access_token is missing from the response, or the returned token hasn't been decoded correctly. Can you post the response you're getting in the callback_phase as well as the keys and what not?

Also, I checked out the fork by xapix-io. The auto-discovery functionality is cool, but it looks like it comes at the expense of being able to use multiple policies which I purposefully included. Additionally, I think it may fetch the well-known config on every request. I'm just not sure without further investigation. Either way, it would have been better if it was implemented as a subclass of policy or as injectable functionality.

ipepe commented 5 years ago

Currently I'm using xapix-io/omniauth-azure_active_directory_b2c with V1 because that's the only version that works for me. Going on holiday tomorrow, so I'm putting this feature on hold in my project for now.

kylegani commented 5 years ago

@br3nt I seem to be getting the same response. However, when I do the process manually, the access_token is indeed not included from Microsoft's side.

br3nt commented 5 years ago

@kylegani What is being returned from Microsoft? I'm assuming there should at least be an error message that's not being picked up by the validate_callback_response! method.

Also, what authorization flow are you using? If you're not using the code flow then that may be the problem.

If you haven't already, I would set up your strategy as per the Advanced Configuration docs. This will enable you to override some of the callback functions in the strategy and use a tool like pry to debug.

You'll then be able to look at the request object and request.params to see what is being returned from Microsoft.

Example:

require 'pry'

module OmniAuth
  module Strategies
    class YourB2CStrategy < AzureActiveDirectoryB2C

      option :name, 'your_b2c_strategy'

      # Break before delegating to the gem; inspect `request` and `request.params` here.
      def request_phase
        binding.pry
        super
      rescue => e
        binding.pry # inspect `e` before re-raising
        raise
      end

      def callback_phase
        binding.pry
        super
      rescue => e
        binding.pry
        raise
      end

      def validate_callback_response!
        binding.pry
        super
      rescue => e
        binding.pry
        raise
      end

    end
  end
end

OmniAuth.config.add_camelization('your_b2c_strategy', 'YourB2C')

use OmniAuth::Builder do
  provider :your_b2c_strategy
end
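As an added example (not code from the gem or from this thread), here is what the inspection br3nt suggests can look like once `request.params` and the token-endpoint body are in hand: it tells a code-flow callback apart from one that returned an `id_token` directly, rejects a `state` mismatch, and reports which of the fields the gem's call chain needs (`access_token`, `id_token`) the token response is missing. Parameter and field names are the standard OAuth2/OIDC ones; the sample inputs are constructed.

```ruby
require 'json'

# Added example: classify what Azure AD B2C sent back to the callback before
# handing it to openid_connect. Sample inputs below are constructed.
module B2cCallbackCheck
  module_function

  # params: the Hash from request.params in callback_phase.
  # expected_state: the state value stored in the session during request_phase.
  def classify_callback(params, expected_state)
    return [:error, "#{params['error']}: #{params['error_description']}"] if params['error']
    return [:error, 'state mismatch (possible CSRF or stale session)'] unless params['state'] == expected_state
    return [:code_flow, params['code']] if params['code']
    return [:implicit_or_hybrid, 'id_token returned directly; no code to exchange'] if params['id_token']
    [:unknown, "no code, id_token or error in params: #{params.keys.sort.join(',')}"]
  end

  # body: JSON string returned by the token endpoint for the code exchange.
  # Reports whether the fields the gem's call chain needs are present.
  def inspect_token_response(body)
    json = JSON.parse(body)
    return [:error, "#{json['error']}: #{json['error_description']}"] if json['error']
    missing = %w[access_token id_token].reject { |k| json.key?(k) }
    return [:ok, json['token_type']] if missing.empty?
    [:missing, missing]
  end
end

# Constructed sample data: a code-flow callback, and a token response that
# carries only an id_token (the shape that triggers the exception in this issue).
SAMPLE_PARAMS = { 'code' => 'constructed-auth-code', 'state' => 'abc123' }.freeze
SAMPLE_TOKEN_BODY = '{"id_token":"header.payload.sig","token_type":"Bearer"}'.freeze

if $PROGRAM_NAME == __FILE__
  p B2cCallbackCheck.classify_callback(SAMPLE_PARAMS, 'abc123')
  p B2cCallbackCheck.inspect_token_response(SAMPLE_TOKEN_BODY)
end
```

Run `inspect_token_response` on the raw body from the `access_token!` call; a `[:missing, ["access_token"]]` result is the condition behind the `AttrMissing` above.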