TheNetworg / oauth2-azure

Azure AD provider for the OAuth 2.0 Client.
https://packagist.org/packages/thenetworg/oauth2-azure
MIT License

Issue getting identity with Owner Resource Credentials Grant #126

Open devzzm opened 3 years ago

devzzm commented 3 years ago

When using a user/pass login, I am unable to get the claims back.

For example:

$this->azureProvider->defaultEndPointVersion = \TheNetworg\OAuth2\Client\Provider\Azure::ENDPOINT_VERSION_1_0;
$this->azureProvider->authWithResource = true;
$token = $this->azureProvider->getAccessToken('password', [
    'username' => $email,
    'password' => $this->getCredential()
]);

Calling this:

$resourceOwner = $this->azureProvider->getResourceOwner($token);
$verifiedEmail = $resourceOwner->claim('email');

will result in: Argument 1 passed to TheNetworg\OAuth2\Client\Provider\Azure::createResourceOwner() must be of the type array, null given

In the old version (1.0) of the lib, I was able to do this:

$validTokens = $this->azureProvider->validateAccessToken($token);
$verifiedEmail = $validTokens['upn'];

This will still work for the 2.0 version of the client library if I comment out:

if ($this->getClientId() != $tokenClaims['aud']) {
    throw new \RuntimeException('The client_id / audience is invalid!');
}

In this situation, aud will be something like "https://graph.windows.net/", while the client id will be in the form X-X-X-X-X, where X is a variable number of characters.
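Why the quoted check fires: an access token requested with authWithResource carries the resource URI as its aud, while the check assumes an id_token, whose aud is the client id. The following is an added example, not code from the library, that puts the two audience rules side by side; the client id, token body and signature are constructed placeholders, and signature verification is left to the library.

```php
<?php
// Added example, not code from thenetworg/oauth2-azure. Decodes a JWT
// payload and applies an audience check that knows whether the token is
// an id_token (aud = client_id) or an access token requested with
// authWithResource (aud = the resource URI, e.g. https://graph.windows.net/).
// Signature verification is out of scope here; the library does that itself.

function b64url(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function jwtPayload(string $jwt): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new \RuntimeException('Not a compact-serialized JWT');
    }
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 = str_pad($b64, strlen($b64) + (4 - strlen($b64) % 4) % 4, '=');
    $json = base64_decode($b64, true);
    $claims = $json === false ? null : json_decode($json, true);
    if (!is_array($claims)) {
        throw new \RuntimeException('Malformed JWT payload');
    }
    return $claims;
}

// $resource is null for an id_token and the resource URI for an access token.
function checkAudience(array $claims, string $clientId, ?string $resource): string {
    $expected = $resource ?? $clientId;
    $aud = $claims['aud'] ?? null;
    if ($aud !== $expected) {
        throw new \RuntimeException("The client_id / audience is invalid! expected {$expected}");
    }
    return $aud;
}

// Constructed sample: placeholder client id, unsigned token with a dummy signature part.
$clientId = '00000000-0000-0000-0000-000000000000';
$header = b64url(json_encode(['typ' => 'JWT', 'alg' => 'RS256']));
$body = b64url(json_encode([
    'aud' => 'https://graph.windows.net/', 'upn' => 'user@example.com', 'ver' => '1.0',
]));
$accessToken = $header . '.' . $body . '.placeholder-signature';

$claims = jwtPayload($accessToken);
try {
    checkAudience($claims, $clientId, null);   // id_token rule: throws, as in the issue
} catch (\RuntimeException $e) {
    echo 'id_token rule: ' . $e->getMessage() . PHP_EOL;
}
echo 'access-token rule: ' . checkAudience($claims, $clientId, 'https://graph.windows.net/') . PHP_EOL;
```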

hajekj commented 3 years ago

Can you check if you receive the id_token back?

devzzm commented 3 years ago

What am I looking for and where? I do see a tid returned.

hajekj commented 3 years ago

Can you print out the $token value and pass the claims from https://jwt.io?

devzzm commented 3 years ago

Here is what my token looks like: TheNetworg\OAuth2\Client\Token\AccessToken Object ( [idToken:protected] => [idTokenClaims:protected] => [accessToken:protected] => eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImtnMkxZczJUMENUaklmajRydDZKSXluZW4zOCIsImtpZCI6ImtnMkxZczJUMENUaklmajRydDZKSXluZW4zOCJ9.... redacted [expires:protected] => 1602706722 [refreshToken:protected] => redacted [resourceOwnerId:protected] => [values:protected] => Array ( [token_type] => Bearer [scope] => email offline_access openid profile User.Read [ext_expires_in] => 3599 [expires_on] => 1602706722 [not_before] => 1602702822 [resource] => https://graph.windows.net/ )

)

devzzm commented 3 years ago

My claims:

Array ( [aud] => https://graph.windows.net/ [iss] => https://sts.windows.net/c8f302ba-b2fe-4389-b720-e285f4fe1b2a/ [iat] => 1602702906 [nbf] => 1602702906 [exp] => 1602706806 [acr] => 1 [aio] => E2RgYMg6tGjxI0ZL06YsQYd7r35YcLok3Zu+Ul5gyrkmKfvYqhcA [amr] => Array ( [0] => pwd )

[appid] => REDACTED [appidacr] => 1 [family_name] => Long [given_name] => Michael [ipaddr] => REDACTED [name] => Michael Long [oid] => 451c6b40-c195-48ae-b9ff-81eabcd5bbca [onprem_sid] => S-1-5-21-2112056041-248520695-654838779-21242 [puid] => 1003BFFD9073AF27 [rh] => 0.AAAAugLzyP6yiUO3IOKF9P4bKvXJNdz8GMFJkKcF5fwr9F4SAM8. [scp] => email offline_access openid profile User.Read [sub] => Y8MyBDATGMaFwqvbDLeXejDG_bz_sbr_3l1g5MEgYtU [tenant_region_scope] => NA [tid] => c8f302ba-b2fe-4389-b720-e285f4fe1b2a [unique_name] => mlong@EXAMPLE.COM [upn] => mlong@EXAMPLE.COM [uti] => CHgefjfNH0SnuQyFHEwdAA [ver] => 1.0 )

hajekj commented 3 years ago

For some reason id_token is not returned, I will need to check on it and I will get back to you.

I have modified your post to hide out the refresh token and access token signature, since those are super sensitive.

hajekj commented 3 years ago

Also, because you posted the refresh token, can you, just for security's sake, hit the "initiate sign-out" button in your Office 365 Admin Center if this is a production account?

devzzm commented 3 years ago

OK, I have done that.

stajnert commented 3 years ago

Hello, any update about this? I have exactly the same, my "aud": "https://graph.windows.net/"

hajekj commented 3 years ago

I think this has to do with the id_token not being passed in correctly. Does it happen even on the initial request? Or just when the token is refreshed?

/cc: @stajnert, @phareous

gabrovex commented 3 years ago

Hi, exactly the same problem for me too. Any update?