Use of the Graph PHP API (authentication and valid token recovery problems)

[Xavlight]

Describe the bug

Hi,
I've been going round in circles for several days and I can't find a way out. I'm not sure I've got the right direction yet.
I've come to ask you for advice and to help me with my code if that's what I'm looking for.
I develop in PHP using the msgraph-sdk-php SDK.
I'm developing a web application and I'd like to send tasks to To Do.
I'm working on the principle that the user will have to validate their consent the 1st time, and then the aim would be to stop asking them.
I would have recovered information such as token and token_refresh to redo actions the next time (stored in the database), at least that's what I think.

To create a task in To Do, I need to perform 2 actions for the user who has validated their consent:

• Read the task lists, and retrieve the task Id[0].
• Send the task and the information to this task[0]->id

I therefore turned to the ‘OnBehalfOfContext’ method with the idea of making several requests with tokens in the database for the user.

Expected behavior

Is it normal for my token not to be JWT?
Why doesn't it work?

$oboContext = new OnBehalfOfContext(
	$tenantId,
	$clientId,
	$clientSecret,
	$tokenAccess,
);
$graphClient = new GraphServiceClient($oboContext, $scopes);

How to reproduce

Test code extract (all in one)
test-event.php

	use League\OAuth2\Client\Provider\GenericProvider;
	use Microsoft\Kiota\Authentication\Oauth\OnBehalfOfContext;
	use Microsoft\Kiota\Abstractions\ApiException;
	use Microsoft\Graph\GraphServiceClient;
	use Microsoft\Graph\Generated\Models\TodoTask;
	use Microsoft\Graph\Generated\Models\DateTimeTimeZone;
	use Microsoft\Graph\Generated\Models\Importance;
	use Microsoft\Graph\Generated\Models\ItemBody;
	use Microsoft\Graph\Generated\Models\BodyType;

	session_start();
	session_regenerate_id();

	$tenantId = 'common';
	$clientId = '{clientId}';
	$clientSecret = '{clientSecretId}';
	$redirectUri = 'http://localhost/MS-Graph/test-event.php';
	$scopes = ['Tasks.ReadWrite', 'User.Read', 'offline_access'];
	$oauthClient = new GenericProvider([
		'clientId'                => $clientId,
		'clientSecret'            => $clientSecret,
		'redirectUri'             => $redirectUri,
		'urlAuthorize'            => "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/authorize",
		'urlAccessToken'          => "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token",
		'urlResourceOwnerDetails' => '',
		'scopes'                  => $scopes,
	]);
	if (!isset($_GET['code'])) {
		$authorizationUrl = $oauthClient->getAuthorizationUrl();
		header('Location: ' . $authorizationUrl);
		exit;
	}
	echo "<pre>";
	$authCode = $_GET['code'];
	$accessToken = $oauthClient->getAccessToken('authorization_code', [
		'code' => $authCode
	]);
	$tokenAccess = $accessToken->getToken();
	echo 'Access Token : ' . $tokenAccess . "<br>";
	echo 'Refresh Token : ' . $accessToken->getRefreshToken() . "<br>";
	echo 'Date d\'expiration : ' . date('d/m/Y H:i:s', $accessToken->getExpires()) . "<br>";
	echo 'Déjà expiré ? ' . ($accessToken->hasExpired() ? 'Oui' : 'Non') . "<br>";
	$oboContext = new OnBehalfOfContext(
		$tenantId,
		$clientId,
		$clientSecret,
		$tokenAccess,
	);
	$graphClient = new GraphServiceClient($oboContext, $scopes);
	try {
		$taskLists = $graphClient->me()->todo()->lists()->get()->wait()->getValue();
		foreach ($taskLists as $taskList) {
			echo 'Task List ID: ' . $taskList->getId() . ' - Title: ' . $taskList->getDisplayName() . PHP_EOL;
		}
		$task = new TodoTask();
		$task->setTitle("Nouvelle tâche OnBehalfOf");
        $dueDateTime = new DateTimeTimeZone();
        $dueDateTime->setDateTime('2024-10-25Z');
        $dueDateTime->setTimeZone('Europe/Paris');
        $task->setDueDateTime($dueDateTime);
        $task->setImportance(new Importance('normal'));
        $task->setIsReminderOn(true);
        $reminderDateTime = new DateTimeTimeZone();
        $reminderDateTime->setDateTime('2024-10-25T13:00:00Z');
        $reminderDateTime->setTimeZone('Europe/Paris');
        $task->setReminderDateTime($reminderDateTime);
		$body = new ItemBody();
        $body->setContent('Ceci est une tâche créée avec le flux OnBehalfOf');
        $body->setContentType(new BodyType('text'));
		$task->setBody($body);
		$graphClient->me()->todo()->lists()->byTodoTaskListId($taskLists[0]->getId())->tasks()->post($task)->wait();
		echo "Tâche créée avec succès.";
	} catch (ApiException $e) {
		echo "Echec de la création de la tâche : ".$ex->getError()->getMessage();
	}

SDK Version

2.17.0

Latest version known to work for scenario above?

No response

Known Workarounds

No response

Debug output

Click to expand log

```

</details>


### Configuration

PHP 8.3

### Other information

_No response_

[Xavlight]

Hi,

Further information on configuring App registrations.

App registrations Overview

Authentication

I tried with or without the tick

Certificates & secrets : Ok 1 key not expires

Token configuration : empty

API Permissions (Use of delegate mode and not application mode (I hope I didn't make a mistake) )

All other options are empty.

If you need any further information, don't hesitate to contact us.

I've already done this with the Google API, ToDoIst, Trello, and I haven't encountered as many difficulties.

Thank you for your help.

Xav

[Ndiritu]

Hi @Xavlight
Apologies for the poor experience. I'm now looking into the authentication issues on this package.

Thank you for the detailed issue.

What error are you getting when using the SDK?

[Xavlight]

Hi,

I have continued my investigations, and I have just understood something.

When I choose a user account for the consent that is part of my domain, it works, I have a valid token (JWT).
When I choose a personal or external MS account, I get an invalid token.

I've seen this message on the configuration screen in the Entra admin of my application on properties.

I am currently on a PHP local test development, to have access to external or personal accounts, do I have to have my MS Entra application validated?
Could this be the problem?

How can I do this, as these are just tests?
Can't I authorize specific e-mails to be added for testing purposes, before having to validate the application? This is done on the Google API side.

I'm waiting for your feedback, if it would help me make a little progress on the subject.
Thanks

Xav