Access Token Validation Failure switching resource [v2.0.0] #54

Closed
PatchworkBoy opened this issue Jul 23, 2018 · 1 comment
PatchworkBoy commented Jul 23, 2018

Hi Jan - I'm coming across an issue that I'm struggling to resolve. The code below has functioned perfectly for 2 years using v1.x of oauth2-azure alongside v1.4.1 of league/oauth2-client with PHP 5.6.

I've now upped to PHP 7.1 - this causes a pile of deprecation warnings due to league/oauth2-client's use of ircmaxell/random-lib, so I upgraded league/oauth2-client to v2.0.0 (which uses paragonie, thus resolving the deprecation warnings), and then upgraded thenetworg/oauth2-azure to v2.0.0.

Now the code below fails with 'Access Token Validation Failure' thrown at line 63 - `$provider->get($provider->urlAPI . '/beta/me', $_SESSION["MyApp"]['refresh_token'])`

If I immediately switch back to v1.x of both, all works.

```php
$provider = new TheNetworg\OAuth2\Client\Provider\Azure(
    [
        'clientId'          => $app->clientId,
        'clientSecret'      => $app->clientSecret,
        'redirectUri'       => $app->redirectUri
    ]
);
if (!isset($_GET['code']) && !isset($_SESSION["MyApp"]['refresh_token'])) {
    // We're not auth'd. Let's auth.
    unset($_SESSION["MyApp"]['my']);

    $authUrl = $provider->getAuthorizationUrl();
    $_SESSION["MyApp"]['oauth2state'] = $provider->getState();
    header('Location: '.$authUrl);
    exit;
} elseif (!isset($_SESSION["MyApp"]['refresh_token']) && (empty($_GET['state']))) {
    // We've hit an invalid / inconsistent state - CSRF? Either way, reauth.
    unset($_SESSION["MyApp"]['oauth2state']);

    $authUrl = $provider->getAuthorizationUrl();
    header('Location: '.$authUrl);
    exit;
} else {

    $invalid = 0;

    // We authenticated... get a token.
    if (!isset($_SESSION["MyApp"]["refresh_token"])) {

        $token = $provider->getAccessToken(
            'authorization_code', [
                'code' => $_GET['code'],
                'resource' => 'https://graph.windows.net/',
            ]);

        // Get a refreshToken for the Graph API
        $_SESSION["MyApp"]["refresh_token"] = $provider->getAccessToken(
            'refresh_token', [
                'refresh_token' => $token->getRefreshToken(),
                'resource' => 'https://graph.microsoft.com/'
            ]);
    } else {
        $token = $_SESSION["MyApp"]["refresh_token"];
        $time = time();
        if (($token->getExpires()) - $time < 600) {
            $invalid = 1;
        }
    }

    try {
        if ($invalid == 1) {
            $_SESSION["MyApp"]['refresh_token'] = $provider->getAccessToken(
                'refresh_token', [
                    'refresh_token' => $token->getRefreshToken(),
                    'resource' => 'https://graph.microsoft.com'
                ]
            );
        }

        $provider->urlAPI = 'https://graph.microsoft.com';

        // Get user characteristics from Azure AD...
        $my = (!isset($_SESSION["MyApp"]['my'])) ? $provider->get($provider->urlAPI . '/beta/me', $_SESSION["MyApp"]['refresh_token']) : $_SESSION["MyApp"]['my'];  // <-- being line 63 of auth.php mentioned below
    } catch (\Exception $e) {
        // Handler not included in the excerpt; rethrown so the failure surfaces as in the trace below.
        throw $e;
    }
}
```

Stack Trace:

```text
Error: Access token validation failure.
File: /home/myapp/public_html/vendor/thenetworg/oauth2-azure/src/Provider/Azure.php
Line: 107
Trace: League\OAuth2\Client\Provider\Exception\IdentityProviderException: Access token validation failure.
   at TheNetworg.OAuth2.Client.Provider.Azure.checkResponse(Azure.php:107)
   at League.OAuth2.Client.Provider.AbstractProvider.getResponse(AbstractProvider.php:644)
   at TheNetworg.OAuth2.Client.Provider.Azure.request(Azure.php:233)
   at TheNetworg.OAuth2.Client.Provider.Azure.get(Azure.php:177)
   at (main)(auth.php:63)
```

I have already checked instructions at https://github.com/TheNetworg/oauth2-azure/tree/v2.0.0#microsoft-graph and tried amending code to...

```php
$provider->urlAPI = 'https://graph.microsoft.com/';
$provider->resource = "https://graph.microsoft.com/";
$my = (!isset($_SESSION["MyApp"]['my'])) ? $provider->get('beta/me', $_SESSION["MyApp"]['refresh_token']) : $_SESSION["MyApp"]['my'];
```

...but this then throws `League\OAuth2\Client\Provider\Exception\IdentityProviderException: Invalid domain name in the request url.`

Any suggestions on what I'm missing to move up to v2.0.0 successfully?

PatchworkBoy (Author) commented

Never mind - fixed thanks to #43 ... sorry!

```php
$token = $provider->getAccessToken(
    'authorization_code', [
        'code' => $_GET['code'],
        'resource' => 'https://graph.windows.net/',
    ]);

// THE FIX:
$provider->resource = 'https://graph.microsoft.com/';

// Get a refreshToken for the Graph API
$_SESSION["MyApp"]["refresh_token"] = $provider->getAccessToken(
    'refresh_token', [
        'refresh_token' => $token->getRefreshToken(),
        'resource' => 'https://graph.microsoft.com/'
    ]);
```
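The fix above keeps the provider's `resource` aligned with the API the token is then sent to. As an added example (not code from this issue or from thenetworg/oauth2-azure), the helper below decodes a token's payload and checks its `aud` claim against the intended resource before the call, so a token minted for `https://graph.windows.net/` but sent to `https://graph.microsoft.com` is reported locally with a clear reason rather than as an opaque error from the API; the `fakeJwt` helper and the two constructed tokens are assumptions made for the demo.

```php
<?php
// Added example, not code from the issue or from thenetworg/oauth2-azure: decodes an
// Azure AD (v1 endpoint) access token payload WITHOUT verifying the signature. The
// client is not the audience, so this is a pre-flight sanity check, not authorization.
function jwtPayload(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Expected a compact JWS with 3 segments');
    }
    $b64 = strtr($parts[1], '-_', '+/');                  // base64url -> base64
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);  // restore padding
    $payload = json_decode((string) base64_decode($b64, true), true);
    if (!is_array($payload)) {
        throw new InvalidArgumentException('JWT payload is not a JSON object');
    }
    return $payload;
}

// Null when the token is usable against $resource, otherwise the reason. Trailing
// slashes are ignored: v1 resource URIs often differ only in that (the issue mixes
// https://graph.microsoft.com and https://graph.microsoft.com/).
function checkTokenForResource(string $jwt, string $resource, ?int $now = null): ?string
{
    $p     = jwtPayload($jwt);
    $want  = rtrim($resource, '/');
    $match = false;
    foreach (isset($p['aud']) ? (array) $p['aud'] : [] as $a) {
        if (is_string($a) && rtrim($a, '/') === $want) { $match = true; }
    }
    if (!$match) {
        return sprintf('aud %s does not cover %s', json_encode($p['aud'] ?? null), $resource);
    }
    if (isset($p['exp']) && (int) $p['exp'] <= ($now ?? time())) {
        return 'token expired at ' . date(DATE_ATOM, (int) $p['exp']);
    }
    return null;
}

// Constructed, unsigned token for the demo; real tokens come from the provider.
function fakeJwt(array $claims): string
{
    $enc = function (array $s) { return rtrim(strtr(base64_encode(json_encode($s)), '+/', '-_'), '='); };
    return $enc(['alg' => 'none', 'typ' => 'JWT']) . '.' . $enc($claims) . '.';
}

$forAadGraph = fakeJwt(['aud' => 'https://graph.windows.net/',   'exp' => PHP_INT_MAX]);
$forMsGraph  = fakeJwt(['aud' => 'https://graph.microsoft.com/', 'exp' => PHP_INT_MAX]);
var_dump(checkTokenForResource($forAadGraph, 'https://graph.microsoft.com')); // issued for another resource
var_dump(checkTokenForResource($forMsGraph,  'https://graph.microsoft.com')); // audience matches the API
```

Run the check on the token stored in the session before each `$provider->get()` call; a non-null result means the refresh step was done with the wrong `resource`, which is the situation this issue describes.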
