SocialiteProviders / Providers

A Collection of Providers for Laravel Socialite
https://socialiteproviders.com
MIT License

Microsoft provider generates error for only some users - error AADSTS900144 #1118

Closed thepartnership-suman closed 8 months ago

thepartnership-suman commented 11 months ago

When I try from my Office365 account it works fine, but when some clients try to log in, the system gets the error below. No idea who is getting the error as we don't know the user -

Client error: POST https://login.microsoftonline.com/common/oauth2/v2.0/token resulted in a 400 Bad Request response: {"error":"invalid_request","error_description":"AADSTS900144: The request body must contain the following parameter: 'co (truncated...) {"exception":"[object] (GuzzleHttp\Exception\ClientException(code: 400): Client error: POST https://login.microsoftonline.com/common/oauth2/v2.0/token resulted in a 400 Bad Request response: {\"error\":\"invalid_request\",\"error_description\":\"AADSTS900144: The request body must contain the following parameter: 'co (truncated...) at /home/forge/api.legalito.co.uk/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php:113) [stacktrace]

#0 /home/forge/api.legalito.co.uk/vendor/guzzlehttp/guzzle/src/Middleware.php(72): GuzzleHttp\Exception\RequestException::create()
#1 /home/forge/api.legalito.co.uk/vendor/guzzlehttp/promises/src/Promise.php(209): GuzzleHttp\Middleware::GuzzleHttp\{closure}()
#2 /home/forge/api.legalito.co.uk/vendor/guzzlehttp/promises/src/Promise.php(158): GuzzleHttp\Promise\Promise::callHandler()
#3 /home/forge/api.legalito.co.uk/vendor/guzzlehttp/promises/src/TaskQueue.php(52): GuzzleHttp\Promise\Promise::GuzzleHttp\Promise\{closure}()
#4 /home/forge/api.legalito.co.uk/vendor/guzzlehttp/promises/src/Promise.php(251): GuzzleHttp\Promise\TaskQueue->run()
#5 /home/forge/api.legalito.co.uk/vendor/guzzlehttp/promises/src/Promise.php(227): GuzzleHttp\Promise\Promise->invokeWaitFn()
#6 /home/forge/api.legalito.co.uk/vendor/guzzlehttp/promises/src/Promise.php(272): GuzzleHttp\Promise\Promise->waitIfPending()
.........

Looks like it is missing the code parameter, but how can we fix this?

Many Thanks, Suman

SwithFr commented 11 months ago

Same for me !

ivalkenburg commented 11 months ago

I got the same issue, and I have no clue why this is happening with some users.

I'm at the point where I'm just going to ditch this code and do my own implementation.

atymic commented 11 months ago

Can you log the request query params? I'm using the provider in prod without issues. Is it only happening for some users?

thepartnership-suman commented 11 months ago

@atymic yes, it is only happening for some users. How do I log the query params? I only do Socialite::driver($provider)->redirect();
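One way to do what atymic asks, as an added example that is not code from this thread or from the SocialiteProviders project: hand Socialite a Guzzle client whose handler stack logs every outbound request made during the callback (target URL, query keys, form keys), with client_secret and the authorization code redacted, and capture the full, untruncated error body when the token endpoint rejects the exchange. It assumes Laravel with laravel/socialite and socialiteproviders/microsoft; the controller name and the redaction helper are hypothetical.

```php
<?php
// Added example, not from the issue thread or the project.
// Assumes Laravel + laravel/socialite + socialiteproviders/microsoft.

namespace App\Http\Controllers;

use GuzzleHttp\Client;
use GuzzleHttp\Exception\ClientException;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Middleware;
use Illuminate\Support\Facades\Log;
use Laravel\Socialite\Facades\Socialite;
use Psr\Http\Message\RequestInterface;

class AuthController extends Controller // hypothetical controller
{
    /** Values that must never reach the log, even at debug level. */
    private const REDACT = ['client_secret', 'code', 'access_token', 'refresh_token'];

    public function callback()
    {
        $stack = HandlerStack::create();

        // mapRequest sees every request Socialite sends (token exchange and the
        // later user-info call), so the log shows exactly which endpoint was
        // hit and whether a "code" field was actually present in the form body.
        $stack->push(Middleware::mapRequest(function (RequestInterface $request) {
            parse_str($request->getUri()->getQuery(), $query);

            $body = $request->getBody();
            parse_str((string) $body, $form); // form-encoded POST body
            if ($body->isSeekable()) {
                $body->rewind(); // leave the stream readable for the real send
            }

            Log::debug('socialite outbound request', [
                'method'   => $request->getMethod(),
                'uri'      => (string) $request->getUri()->withQuery(''),
                'query'    => self::redact($query),
                'form'     => self::redact($form),
                'has_code' => array_key_exists('code', $form),
            ]);

            return $request;
        }));

        try {
            $user = Socialite::driver('microsoft')
                ->setHttpClient(new Client(['handler' => $stack]))
                ->user();
        } catch (ClientException $e) {
            // Guzzle truncates the message; the response body holds the full
            // AADSTS error, trace ID and correlation ID needed for support.
            Log::error('microsoft token exchange rejected', [
                'status' => $e->getResponse()->getStatusCode(),
                'body'   => (string) $e->getResponse()->getBody(),
            ]);
            throw $e;
        }

        // ... log $user in as usual ...
    }

    /** Replace secret-bearing fields with a marker before logging. */
    private static function redact(array $fields): array
    {
        foreach (self::REDACT as $key) {
            if (array_key_exists($key, $fields)) {
                $fields[$key] = '[redacted]';
            }
        }
        return $fields;
    }
}
```

The redaction matters because the authorization code is a one-time credential and client_secret is a long-lived one; a debug log that captures either becomes a secret store. The logged URI also makes the tenant in use visible at a glance (a `/common/` path means the provider fell back to the multi-tenant endpoint).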

ivalkenburg commented 11 months ago

{"error":"invalid_request","error_description":"AADSTS900144: The request body must contain the following parameter: 'code'. Trace ID: 2a44b1bc-f60b-405a-aa21-1397c4bbc200 Correlation ID: a585739a-1c4f-4cca-b318-08ffc71b95fd Timestamp: 2023-11-23 14:13:09Z","error_codes":[900144],"timestamp":"2023-11-23 14:13:09Z","trace_id":"2a44b1bc-f60b-405a-aa21-1397c4bbc200","correlation_id":"a585739a-1c4f-4cca-b318-08ffc71b95fd","error_uri":"https://login.microsoftonline.com/error?code=900144"}

is the full untruncated response I get back. This happens even though everything necessary is entered. This happens to some users, even using the same credentials.

dallyger commented 10 months ago

Same issue here. It was working yesterday, then it stopped working.

@atymic if I run dd($request->getUri()), I receive the following dump:

GuzzleHttp\Psr7\Uri {#309 // app/Http/Controllers/AuthController.php:28
  -scheme: "https"
  -userInfo: ""
  -host: "login.microsoftonline.com"
  -port: null
  -path: "/common/oauth2/v2.0/token"
  -query: ""
  -fragment: ""
  -composedComponents: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
}

It seems like there is no query attached at all.

dallyger commented 10 months ago

Exception is raised by the ->user() method.

Dump of the full request:

GuzzleHttp\Psr7\Request {#313 // app/Http/Controllers/AuthController.php:29
  -method: "POST"
  -requestTarget: null
  -uri: GuzzleHttp\Psr7\Uri {#309
    -scheme: "https"
    -userInfo: ""
    -host: "login.microsoftonline.com"
    -port: null
    -path: "/common/oauth2/v2.0/token"
    -query: ""
    -fragment: ""
    -composedComponents: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
  }
  -headers: array:4 [
    "User-Agent" => array:1 [
      0 => "GuzzleHttp/7"
    ]
    "Content-Type" => array:1 [
      0 => "application/x-www-form-urlencoded"
    ]
    "Host" => array:1 [
      0 => "login.microsoftonline.com"
    ]
    "Accept" => array:1 [
      0 => "application/json"
    ]
  ]
  -headerNames: array:4 [
    "user-agent" => "User-Agent"
    "content-type" => "Content-Type"
    "host" => "Host"
    "accept" => "Accept"
  ]
  -protocol: "1.1"
  -stream: GuzzleHttp\Psr7\Stream {#311
    -stream: stream resource @8
      wrapper_type: "PHP"
      stream_type: "TEMP"
      mode: "w+b"
      unread_bytes: 0
      seekable: true
      uri: "php://temp"
      options: []
    }
    -size: 219
    -seekable: true
    -readable: true
    -writable: true
    -uri: "php://temp"
    -customMetadata: []
  }
}

Request body dump (truncated):

"grant_type=authorization_code&client_id=...&client_secret=...&redirect_uri=...&scope=User.Read" // app/Http/Controllers/AuthController.php:29

dallyger commented 10 months ago

Found a fix for my issue, based on this: https://stackoverflow.com/a/38754821/9337116

I've renamed the config option services.microsoft.tenant to services.microsoft.tenant_id in config/services.php for another service and forgot that it is used for this provider too. Therefore it used the fallback common instead of the real tenant id.

Reverting that back to the original name fixed it in my case. So probably it is just a missing (but documented as optional) tenant id.
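The misconfiguration dallyger describes is easy to catch at boot rather than at the first failed login. The following is an added example, not code from the thread or from the SocialiteProviders project: a service-provider check that fails fast when `services.microsoft.tenant` is empty but a look-alike `tenant_id` key is set (the rename that caused this issue), and that refuses to start a single-tenant app whose provider would silently fall back to the multi-tenant `common` endpoint. The config key name `tenant` and the `common` fallback are as stated in the thread; the env variable names and the `SINGLE_TENANT` switch are hypothetical.

```php
<?php
// app/Providers/AppServiceProvider.php -- added example, not from the issue
// thread or the project. The Microsoft provider reads config/services.php
// like this (env names are hypothetical):
//
//   'microsoft' => [
//       'client_id'     => env('MICROSOFT_CLIENT_ID'),
//       'client_secret' => env('MICROSOFT_CLIENT_SECRET'),
//       'redirect'      => env('MICROSOFT_REDIRECT_URI'),
//       'tenant'        => env('MICROSOFT_TENANT_ID'),   // NOT 'tenant_id'
//   ],
//
// An unset 'tenant' makes the provider use "common", i.e. the endpoint that
// serves accounts from any Microsoft tenant, not just your own directory.

namespace App\Providers;

use Illuminate\Support\Facades\Log;
use Illuminate\Support\ServiceProvider;
use RuntimeException;

class AppServiceProvider extends ServiceProvider
{
    /** Hypothetical switch: false only if logins from any tenant are intended. */
    private const SINGLE_TENANT = true;

    public function boot(): void
    {
        self::assertMicrosoftTenantConfigured(config('services.microsoft', []));
    }

    /**
     * Validate the services.microsoft block before any login is attempted.
     *
     * @param array<string,mixed> $microsoft contents of config('services.microsoft')
     */
    public static function assertMicrosoftTenantConfigured(array $microsoft): void
    {
        $tenant = $microsoft['tenant'] ?? null;

        // The exact mistake from this issue: a renamed key the provider never reads.
        if (empty($tenant) && !empty($microsoft['tenant_id'] ?? null)) {
            throw new RuntimeException(
                'services.microsoft.tenant_id is set, but the Microsoft provider reads '
                . 'services.microsoft.tenant; rename the key in config/services.php.'
            );
        }

        if (empty($tenant)) {
            if (self::SINGLE_TENANT) {
                throw new RuntimeException(
                    'services.microsoft.tenant is empty; the provider would fall back to '
                    . 'the multi-tenant "common" endpoint. Set MICROSOFT_TENANT_ID.'
                );
            }
            // Multi-tenant is a deliberate choice here; make it visible in the logs.
            Log::warning('Microsoft login is using the multi-tenant "common" endpoint.');
        }
    }
}
```

Treating the tenant as required for a single-tenant app turns a silent fallback into a deployment-time error, which is cheaper to diagnose than an AADSTS error surfacing only for the subset of users whose accounts differ from the developer's.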

atymic commented 8 months ago

@dallyger could you PR a fix to the docs? Thanks!

dallyger commented 8 months ago

@atymic this is a fix for my specific use-case (just login, single tenant, no other features used). I do not really understand what is going on here, just that it works in my case. That is probably not enough to submit a PR. However, I've tried to look into it and stumbled upon this comment (https://github.com/SocialiteProviders/Providers/issues/1029#issuecomment-1740089387) in another issue. It seems like that one commit from it (https://github.com/SocialiteProviders/Microsoft/commit/ed3fd7fb306ef3c02df6426b5d05fe2f203f749e) is exactly the change you'd want. But I cannot really confirm due to a lack of knowledge. Maybe you can cherry-pick that?

atymic commented 3 months ago

@dallyger I have PR'd those changes here: https://github.com/SocialiteProviders/Providers/pull/1226