TheNetworg / oauth2-azure

Azure AD provider for the OAuth 2.0 Client.
https://packagist.org/packages/thenetworg/oauth2-azure
MIT License

The Code_Verifier does not match the code_challenge supplied in the authorization request #175

Open khalifaelbanan opened 1 year ago

khalifaelbanan commented 1 year ago

Greetings, I'm new to Azure and I need to implement a login flow using Azure AD for an application where the frontend retrieves the code and the backend has to generate the access token from the code already generated. On the FE side I'm using React with @azure/msal-browser and my source code looks like:

import { PublicClientApplication } from '@azure/msal-browser';

// Public client (SPA): msal-browser adds a PKCE code_challenge to the
// authorization request on its own.
const publicClientApp = new PublicClientApplication({
  auth: {
    clientId: azureConfig.clientId,
    authority: azureConfig.authority,
    redirectUri: azureConfig.redirectUrl,
  },
  cache: {
    cacheLocation: 'sessionStorage',
    storeAuthStateInCookie: false,
  },
});

// Redirects to the Azure AD sign-in page; the code comes back on redirectUri.
await publicClientApp.loginRedirect({
  scopes: azureConfig.scopes,
  prompt: 'select_account',
});

Then I receive a code: code=0.AU4AxXIC70Ma9ESVBt5raWVI_yqY9ha1CQhMgMGmdTdc8tODAAA...

On the BE side I receive this code and I need to generate the access token and get user claims. To do this I have my Symfony project with the thenetworg/oauth2-azure package installed, so my code looks like:

use TheNetworg\OAuth2\Client\Provider\Azure;

// Confidential client on the backend: exchanges the code the SPA obtained.
$this->provider = new Azure([
    'clientId'          => $this->parameterBag->get('azure_client_id'),
    'clientSecret'      => $this->parameterBag->get('azure_client_secret'),
    'redirectUri'       => $this->parameterBag->get('azure_redirect_uri'),
    'scopes'            => ['openid'],
    'defaultEndPointVersion' => Azure::ENDPOINT_VERSION_2_0,
]);

// Token request to the v2.0 endpoint; only 'scope' and 'code' are sent,
// no code_verifier, so the exchange fails when the SPA used PKCE.
$token = $this->provider->getAccessToken('authorization_code', [
    'scope' => $this->provider->scope,
    'code' => $code,
]);

But I receive this error: invalid_grant AADSTS501481: The Code_Verifier does not match the code_challenge supplied in the authorization request.\r\nTrace ID: 254744d9-ab7b-4c31-9dbe-0485bfd50501\r\nCorrelation ID: bb4a3ddf-6527-4b2c-98af-a124b66527d6\r\nTimestamp: 2022-11-22 15:08:41Z

Any hint to get this done?

decomplexity commented 1 year ago

React with @azure/msal-browser (i.e. V2) will force a PKCE code challenge with a (default) code challenge method of S256 for an SPA with authorization_code flow. From memory, I don’t believe that thenetworg/oauth2-azure, greew/oauth2-azure-provider or stevenmaguire/oauth2-microsoft providers offer PKCE themselves, but thephpleague oauth2-microsoft generic provider does so – you need the getPkceCode() and setPkceCode methods (see https://oauth2-client.thephpleague.com/usage/)

And note that for PHPMailer to work, your scope permissions should be "offline_access https://outlook.office.com/SMTP.Send"

khalifaelbanan commented 1 year ago

Thanks @decomplexity for your response. I'm trying to find a package for React to replace msal-browser that allows me to pass my custom code_challenge and code_challenge_method

limogin commented 1 year ago

But I understand that the implementation of getting the PKCE code is delegated to the inheriting class. In the GenericProvider class there is no way to get this code in the case of Azure AD.