Open christophvw opened 9 months ago
When I extract the email address (email = username here) from the token and remove the call to the userinfo endpoint, I can log in successfully:

```php
// JWT segments are base64url; map '-_' to '+/' before decoding, since base64_decode()
// silently drops those characters in non-strict mode
$acc_token = json_decode(base64_decode(strtr(explode('.', $result->access_token)[1], '-_', '+/')));
$providerUserId = $acc_token->email;
```
My config:
apache2:

```apache
RewriteEngine On
RewriteRule ^/oidc/callback /index.php?module=LoginOIDC&action=callback&provider=oidc [QSA,NE,R,L]
```

Authorize URL: https://adfs-serverfqdn/adfs/oauth2/authorize
Token URL: https://adfs-serverfqdn/adfs/oauth2/token
Userinfo URL: https://adfs-serverfqdn/adfs/userinfo
Redirect URL: https://matomo-serverfqdn/oidc/callback
Maybe it would be useful to be able to leave the userinfo URL empty in this case, and when it is empty, try to extract the claim from the token.

AD FS returns only the subject claim on /userinfo, and userinfo works only when you pass "resource" => "urn:microsoft:userinfo" on /authorize.

So we have to extract the claims from the access_token and not call the userinfo URL at all in this case.
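If the plugin takes the user identity from the token body instead of /userinfo, the token should be validated before any claim is trusted: the signature checked against the provider's signing key, the algorithm pinned, and the iss, aud, exp and nbf claims checked. The following is an added example, not code from the LoginOIDC plugin or from the reporter; it assumes the caller supplies the AD FS token-signing public key as PEM (for example exported from the signing certificate the server publishes), the expected issuer string from the provider's discovery document, and the relying party identifier used as audience. The function names and parameters are hypothetical.

```php
<?php
// Added example: extract claims from an RS256 access token without calling /userinfo,
// but only after verifying signature, issuer, audience and time claims.

function base64UrlDecode(string $data): string
{
    // JWT segments are base64url (RFC 4648 section 5) without padding. Plain base64_decode()
    // drops '-' and '_' in non-strict mode, so convert the alphabet and re-pad first.
    $padded = strtr($data, '-_', '+/');
    $padded .= str_repeat('=', (4 - strlen($padded) % 4) % 4);
    $decoded = base64_decode($padded, true);
    if ($decoded === false) {
        throw new InvalidArgumentException('Invalid base64url segment');
    }
    return $decoded;
}

/**
 * Verify an RS256 JWT and return its claims as an array.
 *
 * @param string $jwt          Compact-serialized access token from the token endpoint.
 * @param string $publicKeyPem PEM public key of the AD FS token-signing certificate (assumed supplied by the caller).
 * @param string $issuer       Expected "iss" value, taken from the provider's discovery document (assumption).
 * @param string $audience     Expected "aud" value, the relying party identifier / client id (assumption).
 * @param int    $now          Current Unix time, passed in so the check is testable.
 */
function verifiedClaims(string $jwt, string $publicKeyPem, string $issuer, string $audience, int $now): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new RuntimeException('Token is not a compact JWS');
    }
    [$headerB64, $payloadB64, $signatureB64] = $parts;

    $header = json_decode(base64UrlDecode($headerB64), true);
    // Pin the algorithm: the token must not choose it (rejects "none" and HMAC/RSA confusion).
    if (!is_array($header) || ($header['alg'] ?? null) !== 'RS256') {
        throw new RuntimeException('Unexpected or missing alg');
    }

    // The signature covers the raw base64url header and payload joined by '.'.
    $signedData = $headerB64 . '.' . $payloadB64;
    $signature = base64UrlDecode($signatureB64);
    $key = openssl_pkey_get_public($publicKeyPem);
    if ($key === false || openssl_verify($signedData, $signature, $key, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('Signature verification failed');
    }

    $claims = json_decode(base64UrlDecode($payloadB64), true);
    if (!is_array($claims)) {
        throw new RuntimeException('Payload is not a JSON object');
    }
    if (($claims['iss'] ?? null) !== $issuer) {
        throw new RuntimeException('Unexpected issuer');
    }
    // "aud" may be a single string or an array of strings.
    $aud = (array) ($claims['aud'] ?? []);
    if (!in_array($audience, $aud, true)) {
        throw new RuntimeException('Token not intended for this audience');
    }
    if (!isset($claims['exp']) || $now >= (int) $claims['exp']) {
        throw new RuntimeException('Token expired');
    }
    if (isset($claims['nbf']) && $now < (int) $claims['nbf']) {
        throw new RuntimeException('Token not yet valid');
    }
    return $claims;
}

// Usage sketch; the token, key, issuer and client id come from the real AD FS setup (placeholders here):
// $claims = verifiedClaims($result->access_token, $adfsSigningKeyPem, $issuer, $clientId, time());
// if (!isset($claims['email'])) {
//     throw new RuntimeException('email claim missing from access token');
// }
// $providerUserId = $claims['email'];
```

Because the access token is received directly from the token endpoint over TLS, the signature check mainly guards against a misconfigured or spoofed token endpoint and against later reuse of the same code path for tokens that arrive by other routes; the issuer, audience and expiry checks are what stop a token issued for a different relying party from logging someone in.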