TheNetworg / oauth2-azure

Azure AD provider for the OAuth 2.0 Client.
https://packagist.org/packages/thenetworg/oauth2-azure
MIT License
230 stars, 108 forks

Uncaught exception with message 'invalid_grant' after authenticating user #123

Open selimirez opened 3 years ago

selimirez commented 3 years ago

After the user gets authenticated and the necessary information is gathered from AAD, I get the following error:

Uncaught exception 'League\OAuth2\Client\Provider\Exception\IdentityProviderException' with message 'invalid_grant' in /var/www/myAapp/vendor/thenetworg/oauth2-azure/src/Provider/Azure.php:315

I have 2 separate files that complete the flow (not sure if this info is relevant), one file gets the code and the other completes the token generation to get the user data.

Despite getting the necessary user information and logging them in, it seems to proceed further and cause this exception.

I would appreciate any help.

Stack trace is as below:

#0 /var/www/myAapp/vendor/league/oauth2-client/src/Provider/AbstractProvider.php(628): TheNetworg\OAuth2\Client\Provider\Azure->checkResponse(Object(GuzzleHttp\Psr7\Response), Array)
#1 /var/www/myAapp/vendor/league/oauth2-client/src/Provider/AbstractProvider.php(537): League\OAuth2\Client\Provider\AbstractProvider->getParsedResponse(Object(GuzzleHttp\Psr7\Request))
#2 /var/www/myAapp/vendor/thenetworg/oauth2-azure/src/Provider/Azure.php(59): League\OAuth2\Client\Provider\AbstractProvider->getAccessToken('authorization_c...', Array)
#3 /var/www/myAapp/controllers/application.php(253): TheNetworg\OAuth2\Client\Provider\Azure->getAccessToken('authorization_c...', Array)
#4 /var/www/myAapp/controllers/application.php(304): azureSso(Object(Request))
#5 /var/www/framework/controllers/framework.php(186): include('/var/www/myApp/co..

decomplexity commented 3 years ago

When I have seen this message it has usually been because the token presented to the token endpoint is the wrong type of token. If you acquire a refresh token and then - in a later run - use it to acquire a new access token (this is the way e.g. PHPMailer works), it is all too easy to accidentally offer the wrong token for that grant. Have you checked the token in jwt.ms? Access tokens should display formatted (leave out the initial email address and 'bearer'); refresh tokens and authorization codes are impenetrable with or without decode 64'ing.
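The check described in the comment above, as an added example in PHP that is not part of this thread and not code from thenetworg/oauth2-azure or league/oauth2-client. It does offline what jwt.ms does in the browser (an access or ID token is a three-segment JWT that decodes to JSON; an authorization code or refresh token is opaque), refuses to send a JWT to a grant that expects a code or refresh token, and catches IdentityProviderException so the token endpoint's error body is logged instead of escaping as an uncaught exception. The client id, secret, tenant and redirect URI are placeholders; describeToken() and redeem() are names chosen here.

```php
<?php
// Added example; not code from the issue thread or the library. Assumes a Composer
// autoloader with league/oauth2-client and thenetworg/oauth2-azure installed.
require __DIR__ . '/vendor/autoload.php';

use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
use TheNetworg\OAuth2\Client\Provider\Azure;

/**
 * Offline version of the jwt.ms check: a JWT has three base64url segments whose
 * header and payload decode to JSON. Refresh tokens and authorization codes do not.
 * Returns a small summary so logs show *what kind* of string was about to be sent.
 */
function describeToken(string $value): array
{
    $parts = explode('.', trim($value));
    if (count($parts) !== 3) {
        return ['kind' => 'opaque', 'reason' => 'not three dot-separated segments'];
    }
    $decode = static function (string $segment) {
        $padded = strtr($segment, '-_', '+/') . str_repeat('=', (4 - strlen($segment) % 4) % 4);
        $raw = base64_decode($padded, true);
        return $raw === false ? null : json_decode($raw, true);
    };
    $header  = $decode($parts[0]);
    $payload = $decode($parts[1]);
    if (!is_array($header) || !is_array($payload)) {
        return ['kind' => 'opaque', 'reason' => 'segments are not base64url-encoded JSON'];
    }
    return [
        'kind'    => 'jwt',
        'alg'     => $header['alg'] ?? null,
        'aud'     => $payload['aud'] ?? null,
        'expires' => isset($payload['exp']) ? date(DATE_ATOM, (int) $payload['exp']) : null,
    ];
}

/**
 * Redeem a code or refresh token for an access token, guarding against the
 * mix-up the comment describes: an access/ID token offered where the token
 * endpoint expects a code or refresh token comes back as invalid_grant.
 */
function redeem(Azure $provider, string $grant, string $value): array
{
    $paramFor = ['authorization_code' => 'code', 'refresh_token' => 'refresh_token'];
    if (!isset($paramFor[$grant])) {
        throw new InvalidArgumentException("unsupported grant: $grant");
    }
    $shape = describeToken($value);
    if ($shape['kind'] === 'jwt') {
        // Wrong token type for this grant; do not even call the endpoint.
        return ['ok' => false, 'error' => "a JWT was passed as the $grant value", 'token' => $shape];
    }
    try {
        $token = $provider->getAccessToken($grant, [$paramFor[$grant] => $value]);
        return [
            'ok'                => true,
            'access_token'      => describeToken($token->getToken()),   // expect 'jwt'
            'has_refresh_token' => $token->getRefreshToken() !== null,  // opaque; store it as-is
            'expires'           => $token->getExpires(),
        ];
    } catch (IdentityProviderException $e) {
        // Surface the endpoint's error body (e.g. invalid_grant details) instead of
        // letting the exception escape uncaught as in the report above.
        return ['ok' => false, 'error' => $e->getMessage(), 'body' => $e->getResponseBody()];
    }
}

$provider = new Azure([
    'clientId'     => 'CLIENT_ID_PLACEHOLDER',
    'clientSecret' => 'CLIENT_SECRET_PLACEHOLDER',
    'redirectUri'  => 'https://example.test/callback',
    'tenant'       => 'TENANT_ID_PLACEHOLDER',
]);

// Callback request: exchange the authorization code (once) for tokens.
$result = redeem($provider, 'authorization_code', $_GET['code'] ?? '');
// Later run: use the stored (opaque) refresh token, never the old access token.
// $result = redeem($provider, 'refresh_token', $storedRefreshToken);
error_log(json_encode($result));
```

In the two-file layout from the report, the first file only needs to keep the authorization code or the stored refresh token; the second file then calls redeem() with the grant that matches what it actually holds, and the log line shows which kind of string reached the endpoint when the call fails.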