TheNetworg / oauth2-azure

Azure AD provider for the OAuth 2.0 Client.
https://packagist.org/packages/thenetworg/oauth2-azure
MIT License

General flow of authentication - Wrong authentication? #171

Closed nedvice-sv closed 6 months ago

nedvice-sv commented 1 year ago

Hi all,

Currently I'm trying to implement the TheNetworg/oauth2-azure client in my application. I'm using an SPA which uses Symfony as a backend (and thus also for authentication through Azure, hence this package!)

At the moment I'm stuck on 2 sections:

  1. The following piece of code can't verify the access token since it's an "Invalid Signature":

I'm generating the access_token / bearer token this way, and then return the string so I can use this in future requests to actually authenticate the user with this token.

use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;

// Exchange the authorization code for an access token and keep the raw JWT
// string so it can be handed to the SPA for later requests.
$accessToken = $microsoftProvider->get()->getAccessToken('authorization_code', [
    'scope' => $microsoftProvider->get()->scope,
    'code' => $request->getCode(),
]);
$apiToken = $accessToken->getToken();

// On later requests: verify the bearer token the SPA sends back.
try {
    $claims = $this->microsoftProvider->get()->validateAccessToken($apiToken);
} catch (Exception $exception) {
    throw new CustomUserMessageAuthenticationException($exception->getMessage(), $exception->getTrace(), $exception->getCode(), $exception);
}

The $this->microsoftProvider->get() returns an instance of TheNetworg\OAuth2\Client\Provider\Azure; this is just a wrapper for setting credentials, scopes etc.

When I also try to verify the JWT (bearer) token on https://jwt.io/, it says the token that was generated was 'invalid', while I can see literally everything in the data section.

On this matter, what am I doing wrong?

  2. Second question: is it also possible to get an actual AccessToken object from just the JWT (bearer) token?

My current working flow with the SPA is as follows:

  1. User clicks on "Login with Azure"; in the back-end we get a login URL and return this to the front-end. The front-end then redirects the user to this URL (Microsoft URL).
  2. The user authenticates with the Azure account and is redirected back to the front-end with the state and code.
  3. The front-end recognizes that a code and state have been given and calls the back-end again to get an `access_token / bearer token / jwt token`; something that you should at least send when you want to authenticate.
  4. When the token is given we can authenticate every other call on the back-end with this token (which is currently still stored as session data).

If anyone has a better solution to that, I'd also like to know.

Thanks for reading and in advance for answering my questions,

Regards, Sanne
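The back-end side of the four-step flow in the post, written out as an added example (not code from the issue, and not the library's own sample code). It assumes the Azure provider is constructed directly with placeholder credentials, that a PHP session is already started, and that validateAccessToken() is used on tokens issued for your own application ID, which is what the library's signature/audience check expects.

```php
<?php
// Added example; placeholder credentials, assumes session_start() ran already.
require 'vendor/autoload.php';

use TheNetworg\OAuth2\Client\Provider\Azure;

function makeProvider(): Azure
{
    return new Azure([
        'clientId'               => 'YOUR-CLIENT-ID',     // placeholder
        'clientSecret'           => 'YOUR-CLIENT-SECRET', // placeholder
        'redirectUri'            => 'https://spa.example/auth/callback',
        'tenant'                 => 'YOUR-TENANT-ID',     // placeholder
        'defaultEndPointVersion' => Azure::ENDPOINT_VERSION_2_0,
    ]);
}

// Step 1: build the login URL and keep the state server-side so the callback
// can be tied to the browser that started the login (CSRF protection).
function loginUrl(Azure $provider): string
{
    $url = $provider->getAuthorizationUrl(['scope' => $provider->scope]);
    $_SESSION['oauth2state'] = $provider->getState();
    return $url;
}

// Step 3: the SPA sends back code + state; refuse the exchange unless the
// state matches what was stored, then swap the code for a token.
function exchangeCode(Azure $provider, string $code, string $state): string
{
    $expected = $_SESSION['oauth2state'] ?? '';
    unset($_SESSION['oauth2state']); // single use
    if ($expected === '' || !hash_equals($expected, $state)) {
        throw new RuntimeException('OAuth2 state mismatch');
    }
    $token = $provider->getAccessToken('authorization_code', [
        'code'  => $code,
        'scope' => $provider->scope,
    ]);
    return $token->getToken(); // raw JWT string handed to the SPA
}

// Step 4: check a bearer token presented on later requests. The library
// verifies the signature against the tenant's published keys and checks the
// audience, so (assumption) only tokens issued for this app ID pass.
function claimsFromBearer(Azure $provider, string $bearer): array
{
    try {
        return $provider->validateAccessToken($bearer);
    } catch (Throwable $e) {
        throw new RuntimeException('Token rejected: ' . $e->getMessage(), 0, $e);
    }
}
```

Return the string from exchangeCode() to the SPA instead of keeping it in session state, and let claimsFromBearer() decide each later request; a rejected signature then surfaces as the RuntimeException rather than as an authenticated user.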