TheNetworg / oauth2-azure

Azure AD provider for the OAuth 2.0 Client.
https://packagist.org/packages/thenetworg/oauth2-azure
MIT License

V1 Access tokens created but V2 endpoints specified #124

Closed decomplexity closed 3 years ago

decomplexity commented 3 years ago

I’m still trying to get Oauth2 working against MSFT’s V2 authorization and token endpoints and Graph V1 using the thephpleague oauth2-client in PHPMailer and both the (outdated) stevenmaguire/oauth2-microsoft provider and your current one.

The problem is always ‘535 5.7.3 Authentication unsuccessful’.

When I de-JWT the access token just before it is used by PHPMailer, it is clearly a V1 token (has an acr, an amr, an Appid (but no azp), an Appidacr (but no azpacr) and … ver: "1.0").

To check further back, I ran a simple Authorization Code Flow job (per Readme.md) with the following added:

    $provider->defaultEndPointVersion = TheNetworg\OAuth2\Client\Provider\Azure::ENDPOINT_VERSION_2_0;

and the following appended:

    $token = $provider->getAccessToken('authorization_code', [
        'code'  => $_GET['code'],
        'scope' => $provider->scope,
    ]);
    echo ("Access token is " . $token);

The access token thus displayed is also V1. Since this is trivial to replicate and check, perhaps you could be so kind to do so – and tell me I’m talking nonsense!

Versions: PHP 7.4, PHPMailer 6.1, your TheNetworg/oauth2-azure at 2.0.0 with the source taken from the latest release to pre-empt my getting the V2.0.0 development branch by accident.
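A small diagnostic for the check described in this comment (decoding the token's claims to see whether it is a v1 or v2 token), added here as an example and not part of oauth2-azure or the original comments. The sample token and its claim values are constructed, and the signature is deliberately not verified because this only inspects claims for troubleshooting; it must never be used to trust a token.

```php
<?php
// Added example: report whether an Azure AD access token is v1.0 or v2.0
// using the claim differences noted in the issue: v1 carries appid/appidacr
// and ver "1.0"; v2 carries azp/azpacr and ver "2.0". Signature is NOT checked.

function base64UrlDecode(string $data): string
{
    $padded = strtr($data, '-_', '+/');
    $padded .= str_repeat('=', (4 - strlen($padded) % 4) % 4);
    $decoded = base64_decode($padded, true);
    if ($decoded === false) {
        throw new InvalidArgumentException('Invalid base64url segment');
    }
    return $decoded;
}

function describeTokenVersion(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Not a compact JWS (expected 3 segments)');
    }
    $claims = json_decode(base64UrlDecode($parts[1]), true);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('Payload is not a JSON object');
    }
    $ver = $claims['ver'] ?? 'missing';
    return [
        'ver'          => $ver,
        'is_v1'        => $ver === '1.0' || isset($claims['appid']),
        'has_appid'    => isset($claims['appid']),    // v1 client id claim
        'has_azp'      => isset($claims['azp']),      // v2 client id claim
        'has_appidacr' => isset($claims['appidacr']), // v1 client auth level
        'has_azpacr'   => isset($claims['azpacr']),   // v2 client auth level
        'aud'          => $claims['aud'] ?? null,     // resource the token is for
    ];
}

// Constructed sample: a v1-style payload for Graph with a placeholder signature.
$b64url  = fn(array $obj) => rtrim(strtr(base64_encode(json_encode($obj)), '+/', '-_'), '=');
$header  = $b64url(['alg' => 'RS256', 'typ' => 'JWT']);
$payload = $b64url([
    'aud'   => 'https://graph.microsoft.com', 'ver' => '1.0',
    'appid' => '00000000-0000-0000-0000-000000000000', 'appidacr' => '1',
    'acr'   => '1', 'amr' => ['pwd'],
]);
$sample = "$header.$payload.placeholder-signature";

print_r(describeTokenVersion($sample)); // reports ver 1.0, is_v1 true, appid present, azp absent
```

Run it against a real token captured just before PHPMailer uses it; a Graph-scoped token will show `ver` "1.0" and `appid` regardless of which authorization endpoint version was configured.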

decomplexity commented 3 years ago

After trawling MSFT documentation, it appears that this is expected behaviour! Graph currently supports V1 tokens only (!). Since both the V1 and V2 token endpoints issue access tokens that are compatible with the API of the resource (V1) or scopes (V2) specified and not necessarily by version of the AUTHZ endpoint called, any Graph resource (V1) or scope (V2) specified will force the access token to be V1.

hajekj commented 3 years ago

Hi, I think this behavior was covered in one of the recent 425Show episodes, but I can't find it...

decomplexity commented 3 years ago

Tnx. It seems bizarre that MSFT would push developers to the V2 identity platform (with MSAL use preferred) while at the same time ‘super-strategic’ Graph only accepts tokens compatible with those issued from the deprecated V1 AAD developers platform (with ADAL). In addition, I could presumably get a V1 access token and a V2 ID token from the same V2 endpoint!