TheNetworg/oauth2-azure

Issue getting identity with Owner Resource Credentials Grant

devzzm opened this issue · 11 comments

When using a user/pass login, I am unable to get the claims back.

For example:

$this->azureProvider->defaultEndPointVersion = \TheNetworg\OAuth2\Client\Provider\Azure::ENDPOINT_VERSION_1_0;
$this->azureProvider->authWithResource = true;
$token = $this->azureProvider->getAccessToken('password', [
    'username' => $email,
    'password' => $this->getCredential()
]);

Calling this:

$resourceOwner = $this->azureProvider->getResourceOwner($token);
$verifiedEmail = $resourceOwner->claim('email');

will result in:
Argument 1 passed to TheNetworg\OAuth2\Client\Provider\Azure::createResourceOwner() must be of the type array, null given

In the old version (1.0) of the lib, I was able to do this:

$validTokens = $this->azureProvider->validateAccessToken($token);
$verifiedEmail = $validTokens['upn'];

This will still work for the 2.0 version of the client library IF I comment out:

if ($this->getClientId() != $tokenClaims['aud']) {
    throw new \RuntimeException('The client_id / audience is invalid!');
}

In this situation, aud will be something like "https://graph.windows.net/", while client_id will be in the form X-X-X-X-X, where X is variable chars and length.

Can you check if you receive the id_token back?

What am I looking for and where? I do see a tid returned

Can you print out the $token value and pass the claims from https://jwt.io?

Here is what my token looks like:
TheNetworg\OAuth2\Client\Token\AccessToken Object
(
    [idToken:protected] =>
    [idTokenClaims:protected] =>
    [accessToken:protected] => eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImtnMkxZczJUMENUaklmajRydDZKSXluZW4zOCIsImtpZCI6ImtnMkxZczJUMENUaklmajRydDZKSXluZW4zOCJ9.[...] redacted
    [expires:protected] => 1602706722
    [refreshToken:protected] => redacted
    [resourceOwnerId:protected] =>
    [values:protected] => Array
        (
            [token_type] => Bearer
            [scope] => email offline_access openid profile User.Read
            [ext_expires_in] => 3599
            [expires_on] => 1602706722
            [not_before] => 1602702822
            [resource] => https://graph.windows.net/
        )

)

My claims:

Array
(
    [aud] => https://graph.windows.net/
    [iss] => https://sts.windows.net/c8f302ba-b2fe-4389-b720-e285f4fe1b2a/
    [iat] => 1602702906
    [nbf] => 1602702906
    [exp] => 1602706806
    [acr] => 1
    [aio] => E2RgYMg6tGjxI0ZL06YsQYd7r35YcLok3Zu+Ul5gyrkmKfvYqhcA
    [amr] => Array
        (
            [0] => pwd
        )

    [appid] => REDACTED
    [appidacr] => 1
    [family_name] => Long
    [given_name] => Michael
    [ipaddr] => REDACTED
    [name] => Michael Long
    [oid] => 451c6b40-c195-48ae-b9ff-81eabcd5bbca
    [onprem_sid] => S-1-5-21-2112056041-248520695-654838779-21242
    [puid] => 1003BFFD9073AF27
    [rh] => 0.AAAAugLzyP6yiUO3IOKF9P4bKvXJNdz8GMFJkKcF5fwr9F4SAM8.
    [scp] => email offline_access openid profile User.Read
    [sub] => Y8MyBDATGMaFwqvbDLeXejDG_bz_sbr_3l1g5MEgYtU
    [tenant_region_scope] => NA
    [tid] => c8f302ba-b2fe-4389-b720-e285f4fe1b2a
    [unique_name] => mlong@EXAMPLE.COM
    [upn] => mlong@EXAMPLE.COM
    [uti] => CHgefjfNH0SnuQyFHEwdAA
    [ver] => 1.0
)
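The audience check quoted in the issue rejects this token for a reason: an access token requested with a `resource` carries that resource's URI as `aud` (here `https://graph.windows.net/`), so it is a bearer token for Graph, not proof of who signed in; only a token whose `aud` is the app's own client id (the id_token) should be read for identity. Added illustration of that distinction, written in Python rather than the library's PHP and not part of this project: a claims validator that classifies a verified token by audience. Tenant id, issuer and timestamps come from the claims posted above; the client id and the id_token claims are constructed placeholders.

```python
import time

# Tenant id and issuer are taken from the claims posted in this thread; the client id
# and the id_token claims are constructed placeholders for this example.
TENANT_ID = "c8f302ba-b2fe-4389-b720-e285f4fe1b2a"
CLIENT_ID = "00000000-1111-2222-3333-444444444444"   # constructed placeholder
GRAPH_RESOURCE = "https://graph.windows.net/"

# Subset of what the posted v1.0 access token decodes to. Signature verification is
# assumed to have happened already; this only reasons about the claims.
POSTED_ACCESS_TOKEN_CLAIMS = {
    "aud": GRAPH_RESOURCE, "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "nbf": 1602702906, "exp": 1602706806, "tid": TENANT_ID,
    "upn": "mlong@EXAMPLE.COM", "ver": "1.0",
}
# An id_token for the same sign-in would name the app's client id as audience (constructed).
CONSTRUCTED_ID_TOKEN_CLAIMS = dict(POSTED_ACCESS_TOKEN_CLAIMS, aud=CLIENT_ID)

class TokenError(ValueError):
    pass

def expected_issuer(tenant_id, ver):
    """v1.0 tokens name the tenant's sts.windows.net STS, v2.0 tokens login.microsoftonline.com."""
    if ver == "1.0":
        return f"https://sts.windows.net/{tenant_id}/"
    if ver == "2.0":
        return f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    raise TokenError(f"unknown token version {ver!r}")

def validate_claims(claims, client_id, tenant_id, resource=None, now=None):
    """Classify a verified token by audience, or raise TokenError.
    'id_token'     : aud is our client id, so upn/oid describe our sign-in.
    'access_token' : aud is the resource we requested; use it only against that API."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != expected_issuer(tenant_id, claims.get("ver")):
        raise TokenError(f"unexpected issuer {claims.get('iss')!r}")
    if claims.get("tid") != tenant_id:
        raise TokenError("token was issued by a different tenant")
    if not claims.get("nbf", 0) <= now < claims.get("exp", 0):
        raise TokenError("token is not yet valid or has expired")
    aud = claims.get("aud")
    if aud == client_id:
        return "id_token"
    if resource is not None and isinstance(aud, str) and aud.rstrip("/") == resource.rstrip("/"):
        return "access_token"
    raise TokenError(f"audience {aud!r} is neither the client id nor the requested resource")

def signed_in_user(claims, client_id, tenant_id, now=None):
    """Return the upn from an id_token only; an access token for another resource is rejected."""
    if validate_claims(claims, client_id, tenant_id, now=now) != "id_token":
        raise TokenError("identity must come from the id_token, not the access token")
    return claims["upn"]
```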

For some reason id_token is not returned, I will need to check on it and I will get back to you.

I have modified your post to hide out the refresh token and access token signature, since those are super sensitive.

Also, because you posted the refresh token, can you just for security sake hit the initiate sign-out button in your Office 365 Admin Center if this is a production account?

OK, I have done that.

Hello, any update about this? I have exactly the same, my "aud": "https://graph.windows.net/"

I think this has to do with the id_token not being passed in correctly. Does it happen even on the initial request? Or just when the token is refreshed?

/cc: @stajnert, @phareous

Hi, exactly the same problem for me too. Any update?