TheNetworg / oauth2-azure

Azure AD provider for the OAuth 2.0 Client.
https://packagist.org/packages/thenetworg/oauth2-azure
MIT License

The resource option in getAccessToken is ignored #66

Open mcetkovsky opened 5 years ago

mcetkovsky commented 5 years ago

The sample code in readme contains the following snippet.

    $token = $provider->getAccessToken('authorization_code', [
        'code' => $_GET['code'],
        'resource' => 'https://graph.windows.net',
    ]);

The resource field is never applied, as it is overwritten in the getAccessToken method:

    if($this->authWithResource) {
        $options['resource'] = $this->resource ? $this->resource : $this->urlAPI;
    }

I am not sure whether this behaviour is intended. However, it feels strange to use an ignored option in the official sample.

arueckauer commented 5 years ago

The paragraph Advanced flow following the code sample should clarify that.

The Authorization Code Grant Flow is a little bit different for Azure Active Directory. Instead of scopes, you specify the resource which you would like to access - there is a param $provider->authWithResource which will automatically populate the resource param of request with the value of either $provider->resource or $provider->urlAPI. This feature is mostly intended for v2.0 endpoint of Azure AD (see more here).
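
The override discussed in this thread, reproduced as an added example (not code from the project or from either commenter). `ResourceOverrideDemo` is a hypothetical stand-in that models only `authWithResource`, `resource` and `urlAPI` as quoted above, with a constructed `urlAPI` value; it shows the per-call `resource` being replaced, and a guard that rejects the mismatch so a token is not requested for a resource other than the one the caller asked for.

```php
<?php
declare(strict_types=1);

// Stand-in for the provider: only the three properties and the override
// quoted in this issue are modelled; everything else is hypothetical.
final class ResourceOverrideDemo
{
    public bool $authWithResource = true;
    public string $resource = '';
    public string $urlAPI = 'https://api.example.invalid/'; // constructed placeholder value

    /** Returns the options as they would be sent in the token request. */
    public function effectiveOptions(array $options): array
    {
        if ($this->authWithResource) {
            // Same expression as the snippet quoted in the issue.
            $options['resource'] = $this->resource ? $this->resource : $this->urlAPI;
        }
        return $options;
    }

    /** Fails loudly when a caller-supplied resource would be replaced. */
    public function assertResourceHonoured(array $options): array
    {
        $effective = $this->effectiveOptions($options);
        if (isset($options['resource']) && $options['resource'] !== $effective['resource']) {
            throw new DomainException(sprintf(
                'resource "%s" would be replaced by "%s"',
                $options['resource'],
                $effective['resource']
            ));
        }
        return $effective;
    }
}

// Constructed sample input mirroring the README call.
$requested = ['code' => 'constructed-code', 'resource' => 'https://graph.windows.net'];
$provider = new ResourceOverrideDemo();

// Case 1: resource passed per call, as in the README sample; it is replaced.
try {
    $provider->assertResourceHonoured($requested);
} catch (DomainException $e) {
    echo 'mismatch: ', $e->getMessage(), PHP_EOL;
}

// Case 2: resource set on the provider; the request carries the intended value.
$provider->resource = 'https://graph.windows.net';
echo 'sent: ', $provider->assertResourceHonoured($requested)['resource'], PHP_EOL;
```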