aspnet / Security

[Archived] Middleware for security and authorization of web apps. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

Oauth MicrosoftAccount Token Request Issue #1900

Closed Fosol closed 5 years ago

Fosol commented 5 years ago

I'm trying to figure out how to configure oauth with a MicrosoftAccount.

Within the Microsoft.AspNetCore.Authentication.OAuth project, in the OAuthHandler.ExchangeCodeAsync(...) function it creates a tokenRequestParameters Dictionary.

protected virtual async Task<OAuthTokenResponse> ExchangeCodeAsync(string code, string redirectUri)
{
    // Fixed set of form parameters sent to the token endpoint; there is no hook to add more.
    var tokenRequestParameters = new Dictionary<string, string>()
    {
        { "client_id", Options.ClientId },
        { "redirect_uri", redirectUri },
        { "client_secret", Options.ClientSecret },
        { "code", code },
        { "grant_type", "authorization_code" }
    };

    var requestContent = new FormUrlEncodedContent(tokenRequestParameters);

    var requestMessage = new HttpRequestMessage(HttpMethod.Post, Options.TokenEndpoint);
    requestMessage.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
    requestMessage.Content = requestContent;
    // Backchannel is the handler's HttpClient for server-to-server calls.
    var response = await Backchannel.SendAsync(requestMessage, Context.RequestAborted);
    if (response.IsSuccessStatusCode)
    {
        var payload = JObject.Parse(await response.Content.ReadAsStringAsync());
        return OAuthTokenResponse.Success(payload);
    }
    else
    {
        var error = "OAuth token endpoint failure: " + await Display(response);
        return OAuthTokenResponse.Failed(new Exception(error));
    }
}

My application on Azure requires that I include a resource parameter with my application Id. It would appear that your code doesn't allow modifying these parameters.

Unless there is some secret sauce I'm unaware of, can you confirm either a) that this is a design issue or b) how to include the resource parameter in a token request?

Fosol commented 5 years ago

I was able to configure the app on Azure to bypass this issue. Microsoft is no longer requesting the resource parameter.

While I no longer require the ability to do this at this time, I do see an issue with the implemented design if there is no way to include Oauth parameters when making token requests.
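Because ExchangeCodeAsync is protected virtual, the token request can be extended without patching the framework. The following is an added example, not code from the aspnet/Security project or from the people in this thread: it derives a handler from OAuthHandler, copies the exchange shown above and adds a single form parameter. The names AzureV1OAuthOptions, AzureV1OAuthHandler and the Resource property are hypothetical; the base constructor signature and the AddOAuth<TOptions, THandler> registration are assumed to match the 2.x OAuth handler. The resource value names the audience the v1 endpoint issues the access token for, so it should be the exact application ID URI the API expects, not a broad one.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OAuth;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Newtonsoft.Json.Linq;

// Hypothetical options type: the stock OAuthOptions plus the v1 'resource'
// value (the audience the token is issued for).
public class AzureV1OAuthOptions : OAuthOptions
{
    public string Resource { get; set; }
}

// Hypothetical handler: same exchange as OAuthHandler.ExchangeCodeAsync, with
// one extra parameter. Constructor signature assumed to match the 2.x base class.
public class AzureV1OAuthHandler : OAuthHandler<AzureV1OAuthOptions>
{
    public AzureV1OAuthHandler(IOptionsMonitor<AzureV1OAuthOptions> options, ILoggerFactory logger,
        UrlEncoder encoder, ISystemClock clock)
        : base(options, logger, encoder, clock) { }

    protected override async Task<OAuthTokenResponse> ExchangeCodeAsync(string code, string redirectUri)
    {
        var tokenRequestParameters = new Dictionary<string, string>
        {
            { "client_id", Options.ClientId },
            { "redirect_uri", redirectUri },
            { "client_secret", Options.ClientSecret },
            { "code", code },
            { "grant_type", "authorization_code" },
        };

        // The only change from the stock handler: the v1 endpoint takes the
        // audience as 'resource'. Omit it when not configured so the same
        // handler works against endpoints that do not accept it.
        if (!string.IsNullOrEmpty(Options.Resource))
        {
            tokenRequestParameters["resource"] = Options.Resource;
        }

        var requestMessage = new HttpRequestMessage(HttpMethod.Post, Options.TokenEndpoint)
        {
            Content = new FormUrlEncodedContent(tokenRequestParameters),
        };
        requestMessage.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

        var response = await Backchannel.SendAsync(requestMessage, Context.RequestAborted);
        if (!response.IsSuccessStatusCode)
        {
            // Keep the raw error body out of anything user-facing; it can describe
            // the app registration. Log the status and fail the exchange.
            Logger.LogError("Token endpoint returned HTTP {StatusCode}", (int)response.StatusCode);
            return OAuthTokenResponse.Failed(new Exception("OAuth token endpoint failure."));
        }

        var payload = JObject.Parse(await response.Content.ReadAsStringAsync());
        return OAuthTokenResponse.Success(payload);
    }
}

// Registration in Startup.ConfigureServices (values are placeholders).
public static class AzureV1OAuthRegistration
{
    public static void Register(IServiceCollection services)
    {
        services.AddAuthentication()
            .AddOAuth<AzureV1OAuthOptions, AzureV1OAuthHandler>("AzureV1", options =>
            {
                options.ClientId = "<client-id>";
                options.ClientSecret = "<client-secret>";   // load from configuration, never source
                options.CallbackPath = "/signin-azurev1";
                options.AuthorizationEndpoint = "https://login.microsoftonline.com/<tenant-guid>/oauth2/authorize";
                options.TokenEndpoint = "https://login.microsoftonline.com/<tenant-guid>/oauth2/token";
                options.Resource = "<application-id-uri>";
            });
    }
}
```

The v2 endpoints referenced later in this thread express the audience through scope values rather than a resource parameter, which is why the pre-built MicrosoftAccount package, already on v2, needs no such override.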

Fosol commented 5 years ago

It appears to be related to which authorization and token endpoints are used. There are two available.

options.AuthorizationEndpoint = "https://login.microsoftonline.com/[guid]/oauth2/v2.0/authorize";
options.TokenEndpoint = "https://login.microsoftonline.com/[guid]/oauth2/v2.0/token";

The endpoints below require a resource parameter:

options.AuthorizationEndpoint = "https://login.microsoftonline.com/[guid]/oauth2/authorize";
options.TokenEndpoint = "https://login.microsoftonline.com/[guid]/oauth2/token";

Tratcher commented 5 years ago

We switched to the v2 endpoints a long time ago. Why are you using the v1 endpoints? https://github.com/aspnet/Security/blob/32177cad1eb1eb6be8ad89a7dba1a1637c0d0786/src/Microsoft.AspNetCore.Authentication.MicrosoftAccount/MicrosoftAccountDefaults.cs#L13-L15

Fosol commented 5 years ago

First time hooking the Oauth up to Microsoft. Just copied the values from the Azure Portal. They have both there.

Tratcher commented 5 years ago

Are you not using the pre-built Microsoft.AspNetCore.Authentication.MicrosoftAccount package? It handles these things for you.

Fosol commented 5 years ago

I was not using it originally, no. When I did, it was not working for me (for other reasons), so I was manually setting things up. I had copied the endpoints from the Azure Portal and got to the resource issue, which I was able to resolve by setting the parameter manually. I do have the pre-built one working now though.

Might be useful to highlight that the old endpoints don't work. While it might be intuitive for those in the know, it's not so intuitive to someone going through it for the first time.