thephpleague / oauth2-client

Easy integration with OAuth 2.0 service providers.
http://oauth2-client.thephpleague.com
MIT License

Issue with generating and validating the same token. #974

Open nedvice-sv opened 1 year ago

nedvice-sv commented 1 year ago

Hi all,

Currently I'm trying to implement the TheNetworg/oauth2-azure client in my application. I'm using an SPA which uses Symfony as a backend (and thus also for authentication through Azure, hence this package!).

The following piece of code can't verify the access token since it's an "Invalid Signature":

First I'm getting the access_token via the provided code from Microsoft Azure.

```php
// Exchange the authorization code returned by Microsoft Azure for an access token
$accessToken = $microsoftProvider->get()->getAccessToken('authorization_code', [
    'scope' => $microsoftProvider->get()->scope,
    'code' => $request->getCode(),
]);

// Return only the raw token string to the front-end
return $accessToken->getToken();
```

Second, on a separate call I'm validating this token (this happens when authenticating; this is where the accessToken is a string!):

```php
use Exception;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;

try {
    // $accessToken is the raw JWT string sent by the front-end, not an AccessToken object
    $claims = $this->microsoftProvider->get()->validateAccessToken($accessToken);
} catch (Exception $exception) {
    throw new CustomUserMessageAuthenticationException($exception->getMessage(), $exception->getTrace(), $exception->getCode(), $exception);
}
```

The `$this->microsoftProvider->get()` returns an instance of `TheNetworg\OAuth2\Client\Provider\Azure`; this is just a wrapper for setting credentials, scopes etc.

When I also try to verify the JWT (bearer) token on https://jwt.io/ it says the token that was generated is 'invalid', while I can see literally everything in the payload section.

What am I doing wrong?

And for a second question: is it possible to get an AccessToken object just from the accessToken that has been sent through the requests?

To explain a little bit of the situation:

My current working flow with the SPA is as follows:

  1. User clicks on "Login with Azure"; in the back-end we'll get a login URL and return this to the front-end. The front-end then redirects the user to this URL (Microsoft URL).
  2. The user authenticates with the Azure account and is redirected back to the front-end with the state and code.
  3. The front-end recognizes that a code and state have been given and calls the back-end again to get an access token (access_token / bearer token / JWT token), something that you should at least send when you want to authenticate.
  4. When the token is given we can authenticate every other call on the back-end with this token (which is currently still stored as session data). If anyone has a better solution for that I'd also like to know.

Thanks for reading and in advance for answering my questions,

Regards, Sanne
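An added example, not code from this issue, from thephpleague/oauth2-client or from TheNetworg/oauth2-azure, showing what the back-end's validation step in step 4 above has to do with the bearer string it receives: split the JWT, verify the RS256 signature against the issuer's public key, then check `iss`, `aud` and `exp`. It assumes `ext-openssl`, a Composer `vendor/autoload.php` that provides `League\OAuth2\Client\Token\AccessToken`, and placeholder issuer/audience strings; `validateJwt` and the `base64url_*` helpers are names chosen for this example. The key pair and the token are generated at run time so the script runs offline; in production the public key is fetched from the issuer's JWKS endpoint and selected by the token header's `kid`. It goes slightly beyond the issue: it also shows the tampered-token case that produces the "Invalid signature" failure, and the `aud` check, which is what tells a back-end that a token was issued for some other API rather than for itself.

```php
<?php
// Added example; not part of the issue or of the oauth2-client / oauth2-azure projects.
require_once __DIR__ . '/vendor/autoload.php'; // assumption: Composer install with league/oauth2-client

use League\OAuth2\Client\Token\AccessToken;

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string
{
    $pad = strlen($data) % 4;
    if ($pad > 0) {
        $data .= str_repeat('=', 4 - $pad);
    }
    $decoded = base64_decode(strtr($data, '-_', '+/'), true);
    return $decoded === false ? '' : $decoded;
}

/**
 * Verify an RS256 JWT against a PEM public key and check its core claims.
 * Returns the claims on success, throws RuntimeException on any failure.
 */
function validateJwt(string $jwt, string $publicKeyPem, string $expectedIssuer, string $expectedAudience): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new RuntimeException('Token is not a compact JWS (expected 3 segments)');
    }
    [$headerB64, $payloadB64, $signatureB64] = $parts;

    // Pin the algorithm: never let the token header choose "none" or an HMAC variant.
    $header = json_decode(base64url_decode($headerB64), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'RS256') {
        throw new RuntimeException('Unsupported or missing alg; only RS256 is accepted here');
    }

    // The signature covers the header and payload segments exactly as received.
    $ok = openssl_verify($headerB64 . '.' . $payloadB64, base64url_decode($signatureB64), $publicKeyPem, OPENSSL_ALGO_SHA256);
    if ($ok !== 1) {
        throw new RuntimeException('Invalid signature');
    }

    $claims = json_decode(base64url_decode($payloadB64), true);
    if (!is_array($claims)) {
        throw new RuntimeException('Payload is not a JSON object');
    }
    $now = time();
    if (($claims['iss'] ?? null) !== $expectedIssuer) {
        throw new RuntimeException('Unexpected issuer');
    }
    if (!in_array($expectedAudience, (array) ($claims['aud'] ?? []), true)) {
        throw new RuntimeException('Token was not issued for this API (aud mismatch)');
    }
    if (!isset($claims['exp']) || $now >= (int) $claims['exp']) {
        throw new RuntimeException('Token expired');
    }
    if (isset($claims['nbf']) && $now < (int) $claims['nbf']) {
        throw new RuntimeException('Token not yet valid');
    }
    return $claims;
}

// --- Constructed fixture: a throwaway RSA key pair and a token signed with it ---
$keyPair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($keyPair === false) {
    throw new RuntimeException('openssl key generation failed');
}
$publicKeyPem = openssl_pkey_get_details($keyPair)['key'];

$issuer   = 'https://issuer.example/TENANT-ID-PLACEHOLDER/v2.0'; // placeholder, not a real tenant
$audience = 'api://BACKEND-APP-ID-URI-PLACEHOLDER';              // placeholder for the back-end's own audience

$segments = [
    base64url_encode(json_encode(['alg' => 'RS256', 'typ' => 'JWT', 'kid' => 'demo-key'])),
    base64url_encode(json_encode(['iss' => $issuer, 'aud' => $audience, 'sub' => 'user-1', 'exp' => time() + 300])),
];
openssl_sign(implode('.', $segments), $sig, $keyPair, OPENSSL_ALGO_SHA256);
$jwt = implode('.', $segments) . '.' . base64url_encode($sig);

// 1. A genuine token for this audience validates.
$claims = validateJwt($jwt, $publicKeyPem, $issuer, $audience);
echo "valid for subject {$claims['sub']}\n";

// 2. Change one claim in the payload: the signature no longer matches, so the
//    validator rejects it with "Invalid signature" (the failure seen in the issue).
[$h, $p, $s] = explode('.', $jwt);
$tampered = $h . '.' . base64url_encode(str_replace('user-1', 'user-2', base64url_decode($p))) . '.' . $s;
try {
    validateJwt($tampered, $publicKeyPem, $issuer, $audience);
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// 3. A token issued for a different API fails the aud check even though its signature is fine.
try {
    validateJwt($jwt, $publicKeyPem, $issuer, 'api://SOME-OTHER-API-PLACEHOLDER');
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// 4. Second question from the issue: a League AccessToken object can be rebuilt from the
//    bare string the front-end sends back; only the 'access_token' key is required.
$accessToken = new AccessToken(['access_token' => $jwt, 'expires' => $claims['exp']]);
echo $accessToken->getToken() === $jwt ? "AccessToken reconstructed\n" : "mismatch\n";
```

Run it as a plain script (`php validate_token.php`) after `composer require league/oauth2-client`. The design point for the back-end is case 3: signature verification alone only proves who minted the token, and the `aud` claim is what proves it was minted for your API, so both checks belong in the authenticator before any session state is trusted.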