TheNetworg / oauth2-azure

Azure AD provider for the OAuth 2.0 Client.
https://packagist.org/packages/thenetworg/oauth2-azure
MIT License

Unable to make POST request? #121

Open ZeroByter opened 3 years ago

ZeroByter commented 3 years ago

Hey!

I am trying to get all the groups the logged-in user is a member of, but when I make the request the script hangs and doesn't execute beyond the API call without any error. I must be missing something.

<?php
require 'vendor/autoload.php'; // Composer autoloader; the provider class comes from here
session_start();               // the 'oauth2state' check below depends on the session

$provider = new TheNetworg\OAuth2\Client\Provider\Azure([
    'clientId'          => 'myclientid',
    'clientSecret'      => 'myclientsecret',
    'redirectUri'       => 'myredirecturl'
]);

if (!isset($_GET['code'])) {
    // If we don't have an authorization code then get one
    $authUrl = $provider->getAuthorizationUrl();
    $_SESSION['oauth2state'] = $provider->getState();
    header('Location: '.$authUrl);
    exit;

// Check given state against previously stored one to mitigate CSRF attack
} elseif (empty($_GET['state']) || ($_GET['state'] !== $_SESSION['oauth2state'])) {

    unset($_SESSION['oauth2state']);
    exit('Invalid state');

} else {
    // Try to get an access token (using the authorization code grant)
    $token = $provider->getAccessToken('authorization_code', [
        'code'     => $_GET['code'],
        'resource' => 'https://graph.windows.net', // V1 endpoint: Azure AD Graph as the resource
    ]);

    echo "getMemberGroups:<br>";
    // POST to the Graph action me/getMemberGroups with the JSON body it expects
    $groupMember = $provider->post("me/getMemberGroups", ["securityEnabledOnly" => false], $token);
    var_dump($groupMember);
}

What's wrong?

decomplexity commented 3 years ago

Worth checking that the authorization and access token endpoints you are using are consistent with the resource API. The current (V2) endpoints are:

https://login.microsoftonline.com/common/oauth2/v2.0/authorize
https://login.microsoftonline.com/common/oauth2/v2.0/token

set in oauth2-azure => Azure.php using ENDPOINT_VERSION_1_0 or ENDPOINT_VERSION_2_0.

The corresponding Graph API is https://graph.microsoft.com/ at version 1.0.

I am assuming you are trying to use the V1 endpoints, as getAccessToken against V2 does not support the 'resource' property.
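To make the point about consistency concrete, here is an added example (it is not code from this thread or from the oauth2-azure project) that pins each login-endpoint version to its matching Graph API and token parameter, so that V1 paths are never mixed with graph.microsoft.com or V2 paths with a 'resource' parameter. It assumes the public properties ZeroByter lists from Azure.php further down this thread (pathAuthorize, pathToken, urlAPI, API_VERSION, authWithResource, scope) take effect when set on the provider instance; the V2 scope list is an assumption to be checked against Graph's permission reference for getMemberGroups, and the credentials are placeholders.

```php
<?php
// Added example, not from the thread or the library. Assumes the public
// properties from the Azure.php dump in this thread are honoured when set on
// the instance; clientId/clientSecret/redirectUri are placeholders.
require 'vendor/autoload.php';

use TheNetworg\OAuth2\Client\Provider\Azure;

// Two self-consistent pairings. Taking a row from each (V1 paths with
// graph.microsoft.com, or V2 paths plus a 'resource' token parameter) is the
// mismatch decomplexity warns about.
const ENDPOINT_PROFILES = [
    'v1' => [
        'pathAuthorize'    => '/oauth2/authorize',
        'pathToken'        => '/oauth2/token',
        'urlAPI'           => 'https://graph.windows.net/',   // Azure AD Graph
        'API_VERSION'      => '1.6',
        'authWithResource' => true,                           // V1 identifies the API by 'resource'
        'scope'            => [],
    ],
    'v2' => [
        'pathAuthorize'    => '/oauth2/v2.0/authorize',
        'pathToken'        => '/oauth2/v2.0/token',
        'urlAPI'           => 'https://graph.microsoft.com/', // Microsoft Graph
        'API_VERSION'      => '1.0',
        'authWithResource' => false,                          // V2 identifies the API by 'scope'
        // Assumed scope set; verify against the Graph permission reference
        // for getMemberGroups. GroupMember.Read.All needs admin consent.
        'scope'            => [
            'openid',
            'https://graph.microsoft.com/User.Read',
            'https://graph.microsoft.com/GroupMember.Read.All',
        ],
    ],
];

/** Build a provider whose login paths, Graph base URL and auth style all match. */
function makeProvider(string $version, array $credentials): Azure
{
    if (!isset(ENDPOINT_PROFILES[$version])) {
        throw new InvalidArgumentException("unknown endpoint version: $version");
    }
    $provider = new Azure($credentials);
    foreach (ENDPOINT_PROFILES[$version] as $property => $value) {
        $provider->$property = $value;
    }
    return $provider;
}

/** Extra token-request parameters for the chosen version. */
function tokenParams(string $version, string $code): array
{
    $params = ['code' => $code];
    if ($version === 'v1') {
        // Only the V1 token endpoint accepts 'resource'; V2 rejects it.
        $params['resource'] = ENDPOINT_PROFILES['v1']['urlAPI'];
    }
    return $params;
}

// Usage, once the authorization-code redirect has come back with $_GET['code']:
// $provider = makeProvider('v2', ['clientId' => 'myclientid',
//                                  'clientSecret' => 'myclientsecret',
//                                  'redirectUri' => 'myredirecturl']);
// $token  = $provider->getAccessToken('authorization_code', tokenParams('v2', $_GET['code']));
// $groups = $provider->post('me/getMemberGroups', ['securityEnabledOnly' => false], $token);
```

The two profiles are kept as one table on purpose: the only way to use a mismatched combination is to edit the table, which makes the mistake visible in review rather than showing up as a silent failure at run time.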

hajekj commented 3 years ago

Also, what version of the library are you using?

ZeroByter commented 3 years ago

> Worth checking that the authorization and access token endpoints you are using are consistent with the resource API. The current (V2) endpoints are:
>
> https://login.microsoftonline.com/common/oauth2/v2.0/authorize
> https://login.microsoftonline.com/common/oauth2/v2.0/token
>
> set in oauth2-azure => Azure.php using ENDPOINT_VERSION_1_0 or ENDPOINT_VERSION_2_0;
>
> The corresponding Graph API is https://graph.microsoft.com/ at version 1.0
>
> I am assuming you are trying to use the V1 endpoints as a getAccessToken to V2 does not support the 'resource' property

These are the variables in my Azure.php file; they look okay:

public $urlLogin = 'https://login.microsoftonline.com/';
public $pathAuthorize = '/oauth2/authorize';
public $pathToken = '/oauth2/token';
public $scope = [];
public $scopeSeparator = ' ';
public $tenant = 'common';
public $urlAPI = 'https://graph.windows.net/';
public $resource = '';
public $API_VERSION = '1.6';
public $authWithResource = true;

> Also, what version of the library are you using?

Not sure where to check the version. I believe I am using the latest version because I downloaded the library just yesterday.

Calling the me API works fine for me, so I'm not sure that's the problem.

Some more details: this is a multi-tenant situation. The tenant my users are authenticating from is not the same one as the one the app is registered in (again, shouldn't be an issue, but just FYI).

decomplexity commented 3 years ago

In AAD, is 'Supported account types' set to "Accounts in any organizational directory"? The default is single tenant.

ZeroByter commented 3 years ago

> In AAD, is 'Supported account types' set to "Accounts in any organizational directory"? The default is single tenant.

Yep, already took care of that when I registered the app. Perhaps this may have something to do with the fact that getMemberGroups requires admin consent? I did give admin consent, but like I said earlier, I'm probably missing something here.

I really wish we could get an error code to debug what's wrong.
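A silent hang is usually a request that never returns rather than one that errors, and the error that does exist is often swallowed. Here is an added example (not code from this thread or from the library) that makes the same getMemberGroups call fail loudly: a Guzzle client with hard timeouts is handed to the provider as the httpClient collaborator (an option of the league/oauth2-client base class this provider builds on), and IdentityProviderException is caught so the error JSON that Azure AD or Graph returned is logged. The credentials are placeholders and the provider configuration is assumed to be the one from the first post.

```php
<?php
// Added example, not from the thread or the library. Assumes the provider
// accepts the league/oauth2-client 'httpClient' collaborator and that its
// post() returns the decoded JSON response; credentials are placeholders.
require 'vendor/autoload.php';

use GuzzleHttp\Client as HttpClient;
use GuzzleHttp\Exception\TransferException;
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
use League\OAuth2\Client\Token\AccessToken;
use TheNetworg\OAuth2\Client\Provider\Azure;

error_reporting(E_ALL);
ini_set('display_errors', '1'); // development only; log to a file in production

$provider = new Azure(
    [
        'clientId'     => 'myclientid',
        'clientSecret' => 'myclientsecret',
        'redirectUri'  => 'myredirecturl',
    ],
    [
        // Fail fast instead of waiting forever on a stalled or blocked connection.
        'httpClient' => new HttpClient(['connect_timeout' => 5, 'timeout' => 15]),
    ]
);

/**
 * Call me/getMemberGroups and turn every failure into a logged, rethrown
 * exception with the service's own error body attached.
 */
function memberGroups(Azure $provider, AccessToken $token)
{
    try {
        return $provider->post('me/getMemberGroups', ['securityEnabledOnly' => false], $token);
    } catch (IdentityProviderException $e) {
        // The AADSTS code or Graph error (e.g. Authorization_RequestDenied
        // when consent is missing) is in the response body, not the message.
        $body = $e->getResponseBody();
        error_log('Graph call failed: ' . $e->getMessage() . ' body=' .
                  (is_array($body) ? json_encode($body) : (string) $body));
        throw $e;
    } catch (TransferException $e) {
        // Timeouts, DNS failures, TLS errors: the request never got an answer.
        error_log('HTTP transport failure: ' . $e->getMessage());
        throw $e;
    }
}

// Usage, after the authorization-code exchange has produced $token:
// var_dump(memberGroups($provider, $token));
```

With the timeout in place a blocked outbound connection surfaces as a TransferException after 5 seconds instead of an indefinite hang, and a consent or permission problem surfaces as an IdentityProviderException whose body carries the code to search for.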

ZeroByter commented 3 years ago

Alright, so I am not entirely sure, but I suspect this issue (and another issue we have been experiencing) is due to the fact that the tenant from which our users come and sign in did not give admin consent to getMemberGroups, and that's why there are problems, despite the fact that we gave admin consent for everything in our tenant.

Curiously, when users try to sign in they are prompted to provide justification for using the application along with its required permissions, and upon clicking 'submit' they get error AADSTS90097, which gives the simple, vague message: "An error has occurred during admin consent processing."

Error code AADSTS90097 isn't even listed on Microsoft's list of error codes, weird.

hajekj commented 3 years ago

So the application is multi-tenant. Can you please share the admin consent address? I can try to approve it in my own tenant to see.

ZeroByter commented 3 years ago

Where can I find the admin consent address?

hajekj commented 3 years ago

You have to build it or generate it, more here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent

Sample implementation, against an older version of this library is here: https://github.com/TheNetworg/DreamSpark-SSO/search?q=consent
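Here is an added example (not code from this thread, from the library, or from the DreamSpark-SSO sample linked above) of how such an admin consent URL is built for a multi-tenant app and, just as important, how the callback is validated before the consenting tenant is trusted. It uses the /adminconsent endpoint shape described in the linked Microsoft doc and the V1 authorize endpoint with prompt=admin_consent; CLIENT_ID, REDIRECT_URI and the tenant allowlist are placeholders.

```php
<?php
// Added example, not from the thread or the library. CLIENT_ID, REDIRECT_URI
// and the allowed-tenant list are placeholders.
session_start();

const CLIENT_ID    = '00000000-0000-0000-0000-000000000000';         // placeholder
const REDIRECT_URI = 'https://example.com/admin-consent/callback';   // placeholder, must be registered on the app

/** Build the URL a tenant admin opens to consent on behalf of their whole tenant. */
function adminConsentUrl(string $endpointVersion, string $tenant = 'common'): string
{
    // The state is bound to this browser session and checked on return, so a
    // forged callback cannot be used to attach an attacker's tenant to a user.
    $state = bin2hex(random_bytes(16));
    $_SESSION['admin_consent_state'] = $state;

    if ($endpointVersion === '2.0') {
        // Tenant-wide consent endpoint; permissions are the static ones on the app registration.
        return 'https://login.microsoftonline.com/' . rawurlencode($tenant) . '/adminconsent?' .
            http_build_query([
                'client_id'    => CLIENT_ID,
                'state'        => $state,
                'redirect_uri' => REDIRECT_URI,
            ]);
    }
    // V1: the ordinary authorize endpoint with prompt=admin_consent.
    return 'https://login.microsoftonline.com/' . rawurlencode($tenant) . '/oauth2/authorize?' .
        http_build_query([
            'client_id'     => CLIENT_ID,
            'response_type' => 'code',
            'redirect_uri'  => REDIRECT_URI,
            'prompt'        => 'admin_consent',
            'state'         => $state,
        ]);
}

/**
 * Validate the /adminconsent callback (?admin_consent=True&tenant=...&state=...)
 * and return the tenant id that consented.
 */
function handleAdminConsentCallback(array $query, array $allowedTenants): string
{
    $expected = $_SESSION['admin_consent_state'] ?? null;
    unset($_SESSION['admin_consent_state']); // single use

    $state = (string) ($query['state'] ?? '');
    if ($expected === null || $state === '' || !hash_equals($expected, $state)) {
        throw new RuntimeException('admin consent callback: state mismatch');
    }
    if (!empty($query['error'])) {
        // An AADSTS code, when there is one, arrives in error_description.
        throw new RuntimeException('admin consent refused: ' . ($query['error_description'] ?? $query['error']));
    }
    if (($query['admin_consent'] ?? '') !== 'True' || empty($query['tenant'])) {
        throw new RuntimeException('admin consent callback: incomplete response');
    }
    // Only accept tenants you expect; otherwise any admin anywhere can onboard
    // their directory into your app simply by consenting.
    if (!in_array($query['tenant'], $allowedTenants, true)) {
        throw new RuntimeException('admin consent from unexpected tenant ' . $query['tenant']);
    }
    return $query['tenant'];
}

// Usage:
// header('Location: ' . adminConsentUrl('2.0'));                    // send the admin off to consent
// $tenant = handleAdminConsentCallback($_GET, ['<expected tenant id>']); // on REDIRECT_URI
```

The state check and the tenant allowlist are the two checks worth keeping even in a throwaway test: without them, the callback proves only that someone, somewhere, clicked "Accept".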

ZeroByter commented 3 years ago

Sorry, but I can't share the admin consent address. I would if I could. Although I plan to perform your test myself and I'll post what I find, I am still pretty confident what I said earlier is the problem (the tenant hosting the users did not give admin consent).

Also, I'll take a look at that sample implementation.

Thanks for all the help so far 👍