TheNetworg / oauth2-azure

Azure AD provider for the OAuth 2.0 Client.
https://packagist.org/packages/thenetworg/oauth2-azure
MIT License
230 stars, 108 forks

Remove app id validation #109

Closed sadika9 closed 4 years ago

sadika9 commented 4 years ago

Use correct claim based on token version to validate application ID.

Doc: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens#claims-in-access-tokens

hajekj commented 4 years ago

Hey! Thanks for the pull request!

Actually, from looking at the docs, I think the validation of appid and azp should be removed completely, because this way, it probably breaks the on_behalf_of flow since the value will always be different from the current client_id if I understood the docs correctly.

What are your thoughts about this? Eventually, do you think you could modify the PR to remove the validation of appid and azp completely? Thanks a lot!
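
As an added example, not code from thenetworg/oauth2-azure, the PHP below shows the version-dependent claim selection the PR's first revision proposed (`appid` in v1.0 access tokens, `azp` in v2.0, per the Microsoft docs linked above) and why comparing that claim against the app's own client_id fails for a token that enters an on-behalf-of exchange. The claim arrays and the two GUIDs are constructed placeholders.

```php
<?php
// Added example; not code from thenetworg/oauth2-azure.
// Selects the caller-application-ID claim by token version as the Microsoft
// docs describe: v1.0 access tokens carry it in `appid`, v2.0 in `azp`.
// Returns null when the claim is absent rather than throwing.
function callerAppId(array $claims): ?string
{
    $claim = (($claims['ver'] ?? '1.0') === '2.0') ? 'azp' : 'appid';
    return $claims[$claim] ?? null;
}

// The check the PR removes: caller application ID equal to this app's own
// client_id. Strict comparison avoids PHP's loose type juggling.
function callerIsOwnClient(array $claims, string $ownClientId): bool
{
    return callerAppId($claims) === $ownClientId;
}

// Constructed identifiers and claim sets (placeholders, no real tenants or apps).
$ownClientId = '00000000-0000-0000-0000-00000000000a'; // this API's app registration
$frontEndId  = '00000000-0000-0000-0000-00000000000b'; // a client that calls this API

// Token this app acquired for itself (e.g. client credentials): appid is its own ID.
$selfIssuedV1 = ['ver' => '1.0', 'aud' => 'api://' . $ownClientId, 'appid' => $ownClientId];

// Token a front-end client obtained for this API and sends in, i.e. the input to
// an on-behalf-of exchange: `aud` names this app, but `azp` names the front end.
$oboInputV2 = ['ver' => '2.0', 'aud' => $ownClientId, 'azp' => $frontEndId];

var_dump(callerIsOwnClient($selfIssuedV1, $ownClientId));
var_dump(callerIsOwnClient($oboInputV2, $ownClientId));
```

Run with `php example.php`: the first call returns true, the second false, although the second token is valid for this API. That is the mismatch described above: the caller claim identifies whichever client requested the token, and only `aud` identifies the receiving app, so a library that expects the caller claim to equal its own client_id rejects every on-behalf-of input token.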

sadika9 commented 4 years ago

@hajekj I've removed app id validation. I also changed the PR title accordingly.

hajekj commented 4 years ago

Awesome! Thanks for the contribution!