goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Microsoft Auth scope not working & How to get Social Logins Tokens #3747

Closed tieb62 closed 2 years ago

tieb62 commented 2 years ago

Describe your question: I want to configure Authentik so that whenever a user wants to sign up he MUST link his Microsoft Account AND Discord Account.

The first problem occurred: when I added Azure OAuth for social login, I cannot add the XboxLive.signin scope, because if I do, then whenever I try to link my Microsoft account it redirects me to the login page and in the logs it says `{"auth_via": "session", "event": "Unable to fetch access token", "exc": "HTTPError('400 Client Error: Bad Request for url: https://login.microsoftonline.com/consumers/oauth2/v2.0/token')", "level": "warning", "logger": "authentik.sources.oauth.clients.oauth2"}` (I stripped host, request id, pid and timestamp). With all my other scopes it works fine (profile email offline_access), but when I add XboxLive.signin it fails.

And finally, the final "thing" (if it needs another issue no problem, just tell me): for my final app (protected by Authentik) I need to get the Microsoft token and the Discord token. I think it will have to do with property mappings, but I haven't figured out how these work.

Relevant info: Authentik 2022.9.0 on docker compose behind HAProxy behind Cloudflare

If you need any other details ask, I'm new to SSO and authentik

BeryJu commented 2 years ago

With the latest beta build you'll see more feedback in the web interface, but from what I found you need some special setup on the Microsoft side for that scope?

tieb62 commented 2 years ago

Yes, I found the problem: the Microsoft Graph scopes and the XboxLive.signin scope are incompatible with each other (due to the audience of the generated token), but I have no way to remove the Microsoft Graph User.Read scope because Authentik adds it itself.

tieb62 commented 2 years ago

Bumping this

tieb62 commented 2 years ago

Re-Bump

tieb62 commented 1 year ago

But I still can't prevent Authentik from trying to get user information, because the user info field cannot be blank, and it results in a failed account linking (return to login page).

BeryJu commented 1 year ago

Do you have some more documentation for the XboxLive.signin scope? I assume all the information required is encoded in the id_token that is returned?

tieb62 commented 1 year ago

The XboxLive.signin scope gives a token which can then be used to authenticate against Xbox Live; then with the Xbox Live token we can authenticate against XSTS, and finally we can use the XSTS token with the userhash from Xbox Live or XSTS (returned by both) to obtain a Minecraft Access Token (it's what I need).

That's all I know (More information HERE)

tieb62 commented 1 year ago

AFAIK there is no other use of the token given by the XboxLive.signin scope except for Xbox Live auth (there is no "user info" endpoint).
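The token chain tieb62 describes (Microsoft access token with the XboxLive.signin scope, then Xbox Live user token, then XSTS token, then Minecraft access token built from the XSTS token plus the user hash) as an added example that is not code from the issue thread or from the authentik project. The endpoint URLs, JSON shapes and the two XSTS `XErr` codes are taken from the publicly documented flow and are assumptions of this example; the HTTP transport is injected as a `post` callable so the chain can be exercised offline against constructed responses, and the example also shows why there is no "user info" step anywhere in the chain: each hop only returns a token and the user hash.

```python
"""Xbox Live -> XSTS -> Minecraft token chain driven by a Microsoft OAuth
access token obtained with the XboxLive.signin scope.

Endpoint URLs, request shapes and XErr codes follow the publicly documented
flow and are assumptions of this example, not values from the issue thread.
"""
from typing import Any, Callable, Dict, Tuple

XBL_AUTH_URL = "https://user.auth.xboxlive.com/user/authenticate"
XSTS_AUTH_URL = "https://xsts.auth.xboxlive.com/xsts/authorize"
MC_LOGIN_URL = "https://api.minecraftservices.com/authentication/login_with_xbox"

# XSTS refusal codes worth handling explicitly (assumed from public docs).
XSTS_ERRORS = {
    2148916233: "Microsoft account has no Xbox Live profile",
    2148916238: "account is a child account and needs a family membership",
}

# post(url, json_body) -> parsed JSON response; injected so tests run offline.
PostFn = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def build_xbl_request(ms_access_token: str) -> Dict[str, Any]:
    """Step 1: exchange the Microsoft access token for an Xbox Live user token."""
    return {
        "Properties": {
            "AuthMethod": "RPS",
            "SiteName": "user.auth.xboxlive.com",
            # The OAuth access token travels as an RPS ticket prefixed with "d=".
            "RpsTicket": f"d={ms_access_token}",
        },
        "RelyingParty": "http://auth.xboxlive.com",
        "TokenType": "JWT",
    }


def build_xsts_request(xbl_token: str) -> Dict[str, Any]:
    """Step 2: ask XSTS for a token scoped to the Minecraft services relying party."""
    return {
        "Properties": {"SandboxId": "RETAIL", "UserTokens": [xbl_token]},
        "RelyingParty": "rp://api.minecraftservices.com/",
        "TokenType": "JWT",
    }


def parse_xbox_token_response(body: Dict[str, Any]) -> Tuple[str, str]:
    """Extract (token, user hash) from an XBL or XSTS response.

    Both services answer with the same shape; XSTS signals refusal with XErr
    instead of a token, which is surfaced as a ValueError with the reason."""
    if "XErr" in body:
        code = body["XErr"]
        reason = XSTS_ERRORS.get(code, body.get("Message", "unknown"))
        raise ValueError(f"XSTS error {code}: {reason}")
    token = body["Token"]
    uhs = body["DisplayClaims"]["xui"][0]["uhs"]
    return token, uhs


def build_minecraft_login(uhs: str, xsts_token: str) -> Dict[str, Any]:
    """Step 3: the Minecraft identity token is the user hash plus the XSTS token."""
    return {"identityToken": f"XBL3.0 x={uhs};{xsts_token}"}


def run_chain(ms_access_token: str, post: PostFn) -> str:
    """Run all three hops and return the Minecraft access token."""
    xbl_token, uhs = parse_xbox_token_response(
        post(XBL_AUTH_URL, build_xbl_request(ms_access_token)))
    xsts_token, xsts_uhs = parse_xbox_token_response(
        post(XSTS_AUTH_URL, build_xsts_request(xbl_token)))
    # Both hops return the user hash; a mismatch means the tokens do not belong together.
    if xsts_uhs != uhs:
        raise ValueError("user hash mismatch between XBL and XSTS responses")
    mc = post(MC_LOGIN_URL, build_minecraft_login(uhs, xsts_token))
    return mc["access_token"]


def fake_post(url: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed stand-in for the three services, used to run the chain offline."""
    if url == XBL_AUTH_URL:
        assert body["Properties"]["RpsTicket"].startswith("d=")
        return {"Token": "xbl-token", "DisplayClaims": {"xui": [{"uhs": "1234"}]}}
    if url == XSTS_AUTH_URL:
        assert body["Properties"]["UserTokens"] == ["xbl-token"]
        return {"Token": "xsts-token", "DisplayClaims": {"xui": [{"uhs": "1234"}]}}
    if url == MC_LOGIN_URL:
        assert body["identityToken"] == "XBL3.0 x=1234;xsts-token"
        return {"access_token": "mc-token", "expires_in": 86400}
    raise AssertionError(f"unexpected url {url}")


if __name__ == "__main__":
    print(run_chain("ms-access-token", fake_post))
```

Against the real services the transport would be something like `lambda url, body: requests.post(url, json=body, headers={"Accept": "application/json"}).json()`; the chain itself does not change. Note that the Microsoft access token is only ever consumed by the first hop, which is why a source that wants to use this scope has nothing to fetch from a user info endpoint.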

BeryJu commented 1 year ago

I feel like for this it would be better to have an Xbox OAuth Source which does all these steps internally

tieb62 commented 1 year ago

Will it be implemented?

tieb62 commented 1 year ago

Bump

tieb62 commented 1 year ago

Can I help for it to be implemented?

tieb62 commented 1 year ago

Bump

tieb62 commented 1 year ago

> I feel like for this it would be better to have an Xbox OAuth Source which does all these steps internally

@BeryJu sorry to insist, but I really need this feature; if I can help for it to be implemented just tell me (if you need details on what requests to make, where, etc...).

tieb62 commented 1 year ago

Bump

aabdolla commented 1 year ago

Any updates?

tieb62 commented 1 year ago

Idk, I think there won't be because @BeryJu closed the issue