pennersr / django-allauth

Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.
https://allauth.org
MIT License
9.37k stars 3.01k forks

Azure AD Provider not working when sending token request without code_verifier. #2920

Closed mateokurti closed 1 year ago

mateokurti commented 3 years ago

When redeeming a code for an access token using a client_secret, according to the Microsoft Documentation it is recommended to send the code_verifier as a parameter. However, when using a code_challenge with SHA256 as code_challenge_method, it seems to be necessary to also send the code_verifier.

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#redeem-a-code-for-an-access-token

I tried to send the token request using the default configuration of OAuth2 Provider, but Microsoft responded with the following errors:

CODE: AADSTS70000
DESCRIPTION: The provided 'code_verifier' input value does not match the original 'code_challenge'.
URL: https://login.microsoftonline.com/error?code=70000

or

CODE: AADSTS50148
DESCRIPTION: The code_verifier does not match the code_challenge supplied in the authorization request for PKCE.
URL: https://login.microsoftonline.com/error?code=50148

It was this blog post which made me realise the problem. It is in Japanese, but I think it can be easily translated.

I modified the get_access_token method under allauth.socialaccount.provider.oauth2.client.py and after client_secret also added the "code_verifier": self.consumer_secret on the data that were sent, and this seemed to fix the issue.

I think this is a necessary change for Azure AD, but I am not sure if this might conflict with other providers.
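For reference, here is what a correct PKCE pair and the matching token request look like for this flow (added example, not allauth or Microsoft code). It follows RFC 7636 S256: the code_verifier sent to the token endpoint must be the exact string whose SHA-256 produced the code_challenge sent in the authorize request, which is the check the AADSTS70000 / AADSTS50148 errors above report as failing. The client_id, client_secret, redirect_uri and code values are placeholders.

```python
import base64
import hashlib
import secrets

# Added example (not allauth code): RFC 7636 PKCE as used by the Azure AD v2
# authorization code flow. Placeholder identifiers are marked as such.


def _b64url(raw: bytes) -> str:
    """BASE64URL encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy code_verifier; 32 random bytes give a 43-char string (allowed: 43..128)."""
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(code_verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def challenge_matches(code_verifier: str, code_challenge: str) -> bool:
    """The comparison the token endpoint performs before redeeming the code."""
    return secrets.compare_digest(make_code_challenge(code_verifier), code_challenge)


def authorize_params(client_id: str, redirect_uri: str, scope: str,
                     state: str, code_challenge: str) -> dict:
    """Query parameters for GET .../oauth2/v2.0/authorize (challenge only, never the verifier)."""
    return {"client_id": client_id, "response_type": "code", "redirect_uri": redirect_uri,
            "scope": scope, "state": state, "code_challenge": code_challenge,
            "code_challenge_method": "S256"}


def token_request_data(client_id: str, client_secret: str, code: str,
                       redirect_uri: str, code_verifier: str) -> dict:
    """Form body for POST .../oauth2/v2.0/token; code_verifier is the stored verifier,
    not the client secret, and is sent alongside client_secret for confidential clients."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code, "redirect_uri": redirect_uri,
            "code_verifier": code_verifier}


if __name__ == "__main__":
    # Placeholder values; the verifier must be stored in the session between the two requests.
    verifier = make_code_verifier()
    print(authorize_params("CLIENT_ID_PLACEHOLDER", "https://app.example/callback",
                           "openid profile email", "STATE_PLACEHOLDER", make_code_challenge(verifier)))
    print(token_request_data("CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER",
                             "CODE_PLACEHOLDER", "https://app.example/callback", verifier))
```

Storing the verifier server-side (e.g. in the Django session) between the authorize redirect and the token request is what makes the challenge check pass; sending anything else as code_verifier triggers the mismatch errors quoted above.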

simkimsia commented 3 years ago

I came here because I'm using allauth to help a customer set up an MS OAuth login and I encountered a PKCE error.

The exact error code is

AADSTS9002325: Proof Key for Code Exchange is required for for cross-origin authorization code redemption.

Is this the same issue as yours, @mateokurti ?

simkimsia commented 3 years ago

I also note that the standard Azure Python library has a method to help generate the PKCE identifier: https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/e94dda5f8140673e55e2cd825174ee98d886857e/msal/oauth2cli/oauth2.py#L475

and I think Azure moved to what they call the auth code flow, away from the previous implicit grant flow, because going forward third-party browser cookies will be impacted. See https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow#prefer-the-auth-code-flow

and I quote

With the plans for third party cookies to be removed from browsers, the implicit grant flow is no longer a suitable authentication method. The silent SSO features of the implicit flow do not work without third party cookies, causing applications to break when they attempt to get a new token. We strongly recommend that all new applications use the authorization code flow that now supports single page apps in place of the implicit flow, and that existing single page apps begin migrating to the authorization code flow as well.

And this auth code flow will definitely require a PKCE identifier to support use without third-party cookies for OAuth login.

Other providers

I also note that other providers also need the same PKCE setup, but they made it optional. E.g. AWS Cognito also uses the code_challenge and code_challenge_method query params for PKCE, but they made them optional: https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/

pennersr commented 1 year ago

Added via c1b8fe5e