stevenmaguire / oauth2-microsoft

Microsoft OAuth 2.0 support for the PHP League's OAuth 2.0 Client
MIT License
68 stars 41 forks source link

"Invalid response received from Authorization Server. Expected JSON." #20

Open eightfivelabs opened 4 years ago

eightfivelabs commented 4 years ago

Using the sample code on the readme, but with my application ID and secret - receiving the above error.

  #message: "Invalid response received from Authorization Server. Expected JSON."
  #code: 0
miles-dev33 commented 4 years ago

I'm getting the same thing, trying to figure it out, however, this is my error message:

Oh dear... Failed to get user details - Exception message: UnexpectedValueException: Invalid response received from Authorization Server. Expected JSON. in /var/www/html/vendor/league/oauth2-client/src/Provider/AbstractProvider.php:787 Stack trace: #0 /var/www/html/vendor/league/oauth2-client/src/Provider/AbstractProvider.php(767): League\OAuth2\Client\Provider\AbstractProvider->fetchResourceOwnerDetails(Object(League\OAuth2\Client\Token\AccessToken)) #1 /var/www/html/SSO.php(45): League\OAuth2\Client\Provider\AbstractProvider->getResourceOwner(Object(League\OAuth2\Client\Token\AccessToken)) #2 {main}

I did update the following line(s), protected $urlAuthorize = 'https://login.live.com/oauth20_authorize.srf'; To: protected $urlAuthorize = 'https://login.microsoftonline.com/common/oauth2/authorize';

and changed the following: protected $urlAccessToken = 'https://login.live.com/oauth20_token.srf'; To: protected $urlAccessToken = 'https://login.microsoftonline.com/common/oauth2/token';

In order to get professional accounts authenticated.

Also, updated the exit('Oh dear') To: exit("Oh dear... Failed to get user details - Exception message:\n {$e}");

also, added these includes (and session start to get around the Invalid state error since sample code had it missing): session_start(); ini_set('display_errors', 1); ini_set('display_startup_errors', 1); error_reporting(E_ALL);

Still attempting to figure out why this is happening, will update you once I get it

decomplexity commented 4 years ago

The ‘authorize’ and ‘token’ API URLs to which Miles McCloskey (above) updated would appear to be for V1.0. The latest V2 ones have a V2.0 inserted: …. /common/oauth2/v2.0/authorize and …/common/oauth2/v2.0/token

MSFT announced SMTP AUTH for the V2.0 endpoint (and made no mention of V1) , so if one has an SMTP AUTH scope in stevenmaguire/oauth2-microsoft/src/Microsoft.php, the resulting authorization would, I guess, be expected to fail, even if SMTP AUTH was included in the corresponding AAD scopes.

bilkusg commented 4 years ago

I too am having trouble getting this to work. The library appears to be non-functional at the moment. I got something to work only by hacking the source code to

I'm now going to see if someone has already forked this and fixed these problems....

decomplexity commented 4 years ago

As you may have gathered (or seen on Stackoverflow) , I too have had big problems in trying to get Steve Maguire’s Microsoft extension to Oauth2 to work.

Steve’s code appears to be pre-v1 of the authorisation and token endpoints. My attempts to use his code unaltered except for scopes and endpoints enabled me with V1 endpoints to obtain an initial refresh token, but subsequent authentication failed. Using V2 endpoints came up with JSON’ish errors in the return URL when merely asking for the initial refresh token.

I tried various scope separators – including spaces – and come to the same conclusion as you did. The only four relevant ones appear to be openid, SMTP.Send and (possibly) Mail.Send and offline_access, and I have tried these in various combinations.

I also tried various versions of the scope prefixes, eg: https://outlook.office.com/SMTP.Send (MSFT’s specification)
https://outlook.office365.com/SMTP.Send https://microsoft.graph.com/SMTP.Send (the prefix that should be the default in V2

and it is very unobvious to me what the corresponding AAD permission prefixes should be (Microsoft Graph; Exchange;…)

I should be grateful if you could email me the class addition you used for BearerTrait and any changes you made to stevenmaguire/oauth2-microsoft (or to OAuth2) and I will report back here how I get on. I see you have opened a fork which is as yet unpopulated.

Intempestif commented 2 years ago

I too am having trouble getting this to work. The library appears to be non-functional at the moment. I got something to work only by hacking the source code to

  • change the scopeSeparater to a space
  • changing the default scope to openid
  • changing all the endpoints as per microsofts latest documentation
  • adding the bearerTrait into the class definition

I'm now going to see if someone has already forked this and fixed these problems....

Can you contact me or reply here with more details about the changes you made to the package in terms of code please ?

decomplexity commented 2 years ago

I moved to Jan Hajek's TheNetworg/oauth2-azure instead - which works fine. I suggest also that you check the MSFT OAuth2 quirks.md doc in decomplexity/SendOauth2: even though MSFT eventually added an SMTP.Send permission to Graph, the target resource API should be https://_outlook.office.com_ - which is fine when using authorization_code grant type because you can push permissions from your code, but problematical when using a client_credentials grant because there is no way to push permissions. Client_credentials assumes that the permissions set up in AAD are the ones to use but there is no way to add them for the https://_outlook.office.com API !