dominik-th / matomo-plugin-LoginOIDC

external authentication services for matomo
https://plugins.matomo.org/LoginOIDC/
GNU General Public License v3.0

AD FS 2019 issues #106

Open christophvw opened 9 months ago

christophvw commented 9 months ago

AD FS returns only the subject claim on /userinfo, and userinfo works only when you pass "resource" => "urn:microsoft:userinfo" on /authorize.

So we have to extract the claims from the access_token and not call the userinfo URL at all in this case.

christophvw commented 9 months ago

When I extract the email address (email = username here) from the token and remove the call to the userinfo endpoint, I can log in successfully:

```php
// Decode the JWT payload (second dot-separated segment). JWT segments are
// base64url, so map '-' and '_' back to '+' and '/' before base64_decode().
$payload = explode('.', $result->access_token)[1];
$acc_token = json_decode(base64_decode(strtr($payload, '-_', '+/')));
$providerUserId = $acc_token->email;
```

christophvw commented 9 months ago

My config:

apache2:

RewriteEngine On
RewriteRule ^/oidc/callback /index.php?module=LoginOIDC&action=callback&provider=oidc [QSA,NE,R,L]

Authorize URL: https://adfs-serverfqdn/adfs/oauth2/authorize
Token URL: https://adfs-serverfqdn/adfs/oauth2/token
Userinfo URL: https://adfs-serverfqdn/adfs/userinfo
Redirect URL: https://matomo-serverfqdn/oidc/callback

Maybe it would be useful to be able to leave the userinfo URL empty in this case, and when it is empty, try to extract the claim from the token.
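The workaround described in the thread (read the identifying claim out of the access_token instead of calling /userinfo, and send resource=urn:microsoft:userinfo on /authorize), written out as an added example. This is not code from the LoginOIDC plugin or from the reporter; the function names, the `openid email` scope, the sample claims and the hostnames are assumptions made for illustration. It goes a little beyond the posted snippet: JWT segments are base64url (RFC 7515), so plain base64_decode() can fail on a real token, and even a token the application fetched itself should be checked for issuer and expiry before a claim from it is used as the login name.

```php
<?php
declare(strict_types=1);

// Added example, not code from the LoginOIDC plugin. Function names, the
// sample claims, the scope and the hostnames are assumptions.

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): ?string
{
    $b64 = strtr($data, '-_', '+/');
    $rem = strlen($b64) % 4;
    if ($rem !== 0) {
        $b64 .= str_repeat('=', 4 - $rem);   // restore the padding JWTs strip
    }
    $out = base64_decode($b64, true);        // strict mode rejects stray characters
    return $out === false ? null : $out;
}

/**
 * Return the claims of a compact JWS without checking its signature.
 * Only acceptable for a token the application itself just received from the
 * token endpoint over TLS; a token that arrived via the browser must be
 * verified against the issuer's JWKS before any claim in it is trusted.
 */
function jwt_payload(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new UnexpectedValueException('access_token is not a compact JWS');
    }
    $json = base64url_decode($parts[1]);
    if ($json === null) {
        throw new UnexpectedValueException('payload is not valid base64url');
    }
    $claims = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($claims)) {
        throw new UnexpectedValueException('payload is not a JSON object');
    }
    return $claims;
}

/**
 * Pick the claim that identifies the user (email in the report above), with the
 * checks a relying party should still do on a token it decoded itself.
 */
function user_id_from_access_token(string $jwt, string $claim, string $issuer, int $now): string
{
    $claims = jwt_payload($jwt);
    if (($claims['iss'] ?? null) !== $issuer) {
        throw new UnexpectedValueException('unexpected issuer');
    }
    if (isset($claims['exp']) && (int) $claims['exp'] <= $now) {
        throw new UnexpectedValueException('token expired');
    }
    $value = $claims[$claim] ?? null;
    if (!is_string($value) || $value === '') {
        throw new UnexpectedValueException("claim '$claim' missing from access_token");
    }
    return $value;
}

// Authorize URL carrying the extra parameter the report says AD FS needs
// before /userinfo returns anything beyond "sub".
function adfs_authorize_url(string $base, string $clientId, string $redirect, string $state, string $nonce): string
{
    return $base . '?' . http_build_query([
        'response_type' => 'code',
        'client_id'     => $clientId,
        'redirect_uri'  => $redirect,
        'scope'         => 'openid email',          // assumed scope
        'state'         => $state,
        'nonce'         => $nonce,
        'resource'      => 'urn:microsoft:userinfo',
    ]);
}

// Constructed sample: an unsigned token shaped like an AD FS access token.
$issuer  = 'https://adfs-serverfqdn/adfs';
$payload = ['iss' => $issuer, 'exp' => 2000000000, 'sub' => 'abc123', 'email' => 'user@example.org'];
$token   = implode('.', [
    base64url_encode(json_encode(['alg' => 'RS256', 'typ' => 'JWT'])),
    base64url_encode(json_encode($payload)),
    base64url_encode('signature-placeholder'),
]);

echo user_id_from_access_token($token, 'email', $issuer, time()), PHP_EOL;
echo adfs_authorize_url('https://adfs-serverfqdn/adfs/oauth2/authorize', 'matomo',
    'https://matomo-serverfqdn/oidc/callback', 'st4te', 'n0nce'), PHP_EOL;
```

The decode deliberately does no signature check: that is safe only because the token came straight from the token endpoint over TLS in the same request that exchanged the code, which is the situation in the report. If the same helper were ever applied to a token supplied by the user agent, the signature would have to be verified first, otherwise anyone could mint a payload naming another user's email.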

christophvw commented 4 months ago

https://github.com/dominik-th/matomo-plugin-LoginOIDC/pull/110