
MicrosoftResourceProvider and urlResourceOwnerDetails - no field "email" in response #23

Closed
secured opened this issue Apr 12, 2024 · 7 comments

@secured

secured commented Apr 12, 2024

Hey,

I have tried to connect a TYPO3 12 test instance to Microsoft Azure AD.

I am not sure what to enter in the field "urlResourceOwnerDetails".

With the value `https://login.microsoftonline.com/common/openid/userinfo` I get a valid answer, but the field "email" which is required by the MicrosoftResourceProvider is missing:

```php
$remoteUser['email']
```

Unfortunately, the query fails with the value `https://graph.microsoft.com/oidc/userinfo`:

> The token needs to be in JWS or JWE Compact Serialization Format

I have also checked in advance that the API endpoint in Azure has the rights to read the scope 'email' and 'profile'.

Am I making a mistake here?

@maikschneider (Member)

Hey @secured!
When connecting to Azure, I always use `https://graph.microsoft.com/oidc/userinfo` for `urlResourceOwnerDetails`.

It sounds like you have general problems establishing an OAuth2 connection with your TYPO3 installation: in this case this is more of an issue for waldhacker/ext-oauth2-client. This repo builds on top of the working connection.

  • Try to connect an existing backend account (no on-the-fly creation via this repo)
  • Make sure you have openid in the scopes

@secured (Author)

secured commented Apr 16, 2024

Thanks for the quick feedback @maikschneider.

If I try to connect with an existing account everything works fine. The problem only exists when a new user is created.
I checked the scopes and `openid` is present.

I use your fork of waldhacker/typo3-oauth2-client for TYPO3 12 compatibility.
The problem seems to be in the `Oauth2Service`. I'll try to debug it further.

```text
[WARNING] request="xxx" component="Waldhacker.Oauth2Client.Service.Oauth2Service": array (
  'code' => 'InvalidAuthenticationToken',
  'message' => 'IDX14100: JWT is not well formed, there are no dots (.).
The token needs to be in JWS or JWE Compact Serialization Format. (JWS): \'EncodedHeader.EndcodedPayload.EncodedSignature\'. (JWE): \'EncodedProtectedHeader.EncodedEncryptedKey.EncodedInitializationVector.EncodedCiphertext.EncodedAuthenticationTag\'.',
  'innerError' => 
  array (
    'date' => 'xxx',
    'request-id' => 'xxx',
    'client-request-id' => 'xxx,
  ),
) 
```
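The Graph error quoted above says the value sent as a bearer token was not in JWS Compact Serialization (three base64url segments separated by dots). The following diagnostic is an added example, not code from ext-oauth2-client or xima_oauth2_extended: it checks the token shape before a userinfo call and decodes the unverified header and payload so the `aud` (audience) and `scp` (scope) claims can be read while debugging. Decoding is for inspection only; the client never verifies the signature, that is the resource server's job. The sample token is constructed inline and its signature segment is a placeholder.

```php
<?php
// Added diagnostic for debugging the Oauth2Service step; not part of the extension.
declare(strict_types=1);

/** Decodes one base64url segment; returns false on malformed input. */
function base64UrlDecode(string $segment): string|false
{
    $standard = strtr($segment, '-_', '+/');
    $padded = str_pad($standard, (int) (ceil(strlen($standard) / 4) * 4), '=');
    return base64_decode($padded, true);
}

/**
 * Returns null when $token is not a well-formed JWS Compact Serialization,
 * otherwise the decoded (but NOT verified) 'header' and 'payload' arrays.
 */
function inspectCompactJws(string $token): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        // The situation behind "IDX14100: JWT is not well formed, there are no dots":
        // an opaque token (or something else entirely) was sent where a JWT is required.
        return null;
    }
    [$header, $payload] = $parts;
    $headerJson = base64UrlDecode($header);
    $payloadJson = base64UrlDecode($payload);
    if ($headerJson === false || $payloadJson === false) {
        return null;
    }
    $decodedHeader = json_decode($headerJson, true);
    $decodedPayload = json_decode($payloadJson, true);
    if (!is_array($decodedHeader) || !is_array($decodedPayload)) {
        return null;
    }
    return ['header' => $decodedHeader, 'payload' => $decodedPayload];
}

function base64UrlEncode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Constructed sample token (assumption: placeholder signature, not issued by Azure).
$sampleToken = base64UrlEncode('{"alg":"RS256","typ":"JWT"}')
    . '.' . base64UrlEncode('{"aud":"https://graph.microsoft.com","scp":"openid email profile"}')
    . '.placeholder-signature';

$info = inspectCompactJws($sampleToken);
if ($info === null) {
    echo "Access token is not a compact JWS; a Graph userinfo call will be rejected.\n";
} else {
    // aud shows which resource the token was issued for; scp the granted scopes.
    printf("aud=%s scp=%s\n", $info['payload']['aud'] ?? '(none)', $info['payload']['scp'] ?? '(none)');
}

// An opaque token without dots is exactly what the quoted error complains about.
echo inspectCompactJws('opaque-token-without-dots') === null ? "opaque: not a JWS\n" : "unexpected\n";
```

If `inspectCompactJws()` returns null for the token the Oauth2Service obtained, the problem is upstream of the resource-owner request: the token endpoint did not issue a JWT for the resource being called. If it decodes but `aud` is not the Graph resource, the token was issued for a different audience.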

@maikschneider (Member)

I'm not that sure where in the chain this error occurs. Which ResourceProvider do you use (`oauth2_client => providers => xxx => implementationClassName`)?
Have you tried `Xima\XimaOauth2Extended\ResourceProvider\MicrosoftResourceProvider`?

@secured (Author)

secured commented Apr 17, 2024

Correct. Here is the full config that is used.

```php
'oauth2_client' => [
    'providers' => [
        'azure' => [
            'label' => 'Azure',
            'scopes' => [
                \Waldhacker\Oauth2Client\Service\Oauth2ProviderManager::SCOPE_BACKEND,
                \Waldhacker\Oauth2Client\Service\Oauth2ProviderManager::SCOPE_FRONTEND,
            ],
            'options' => [
                'clientId' => 'xxx',
                'clientSecret' => 'xxx',
                'urlAuthorize' => 'https://login.microsoftonline.com/common/oauth2/authorize',
                'urlAccessToken' => 'https://login.microsoftonline.com/common/oauth2/token',
                'urlResourceOwnerDetails' => 'https://login.microsoftonline.com/common/openid/userinfo',
                'scopes' => ['openid', 'read_user', 'email', 'profile'],
                'scopeSeparator' => ' ',
            ],
            'implementationClassName' => 'Xima\XimaOauth2Extended\ResourceProvider\MicrosoftResourceProvider',
        ],
    ],
],
'xima_oauth2_extended' => [
    'oauth2_client_providers' => [
        // provider of waldhacker/ext-oauth2-client you want to extend
        'azure' => [
            'resolverClassName' => \Xima\XimaOauth2Extended\ResourceResolver\MicrosoftResourceResolver::class,
            'createBackendUser' => true,
            'createFrontendUser' => false,
            'defaultBackendUsergroup' => '1',
            'defaultFrontendUsergroup' => '',
            'imageStorageBackendIdentifier' => '1:/user_upload/oauth',
        ],
    ],
],
```

In `MicrosoftResourceResolver.php` I changed `email` to `upn` to make it work locally:

```php
if (!$beUser['username'] && $remoteUser['upn']) {
    $beUser['username'] = strtolower($remoteUser['upn']);
}

if ($remoteUser['upn']) {
    $beUser['email'] = strtolower($remoteUser['upn']);
}
```
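The local patch above swaps one claim for another and lowercases whatever it finds. The following is an added example, not the MicrosoftResourceResolver from xima_oauth2_extended, of mapping resource-owner claims onto a backend user without silently accepting whichever claim happens to be present: the identifier claim is taken from an explicit, configured list, must be a syntactically valid e-mail address, and if nothing qualifies the resolver refuses rather than creating an account. The `$claimOrder` parameter and the exception class are assumptions of this example; the sample claim arrays are constructed, not real Azure responses.

```php
<?php
// Added example; not the extension's resolver. Assumes $remoteUser is the array
// returned for urlResourceOwnerDetails and $beUser the backend user row being built.
declare(strict_types=1);

final class MissingIdentityClaimException extends RuntimeException {}

/**
 * @param array<string,mixed> $remoteUser claims from the resource owner endpoint
 * @param array<string,mixed> $beUser     backend user row being created or updated
 * @param string[]            $claimOrder claims to try, in order (hypothetical per-provider setting)
 * @return array<string,mixed> the updated $beUser
 */
function mapIdentityClaims(array $remoteUser, array $beUser, array $claimOrder = ['email']): array
{
    foreach ($claimOrder as $claim) {
        $value = $remoteUser[$claim] ?? null;
        if (!is_string($value) || $value === '') {
            continue;
        }
        // Only a syntactically valid address may become the username or e-mail;
        // arbitrary claim content is never copied into the user record.
        if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            continue;
        }
        $normalized = strtolower($value);
        if (empty($beUser['username'])) {
            $beUser['username'] = $normalized;
        }
        $beUser['email'] = $normalized;
        return $beUser;
    }
    throw new MissingIdentityClaimException(
        'No usable identity claim (' . implode(', ', $claimOrder) . ') in resource owner details; refusing to create a backend user'
    );
}

// Constructed sample responses (assumption: shaped like userinfo output, not real data).
$withEmail = ['sub' => 'abc', 'email' => 'Jane.Doe@example.org', 'name' => 'Jane Doe'];
$withUpnOnly = ['sub' => 'abc', 'upn' => 'jane.doe@example.org'];

print_r(mapIdentityClaims($withEmail, []));                     // username/email set from 'email'
print_r(mapIdentityClaims($withUpnOnly, [], ['email', 'upn'])); // 'upn' used only because it was listed

try {
    mapIdentityClaims($withUpnOnly, []); // default order has no 'upn': refuses instead of guessing
} catch (MissingIdentityClaimException $e) {
    echo $e->getMessage(), "\n";
}
```

Listing `upn` as a fallback is then a deliberate configuration decision per provider rather than a code change, and the failure case surfaces as an error instead of a backend user created from an empty or unexpected value.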

@maikschneider (Member)

Hey @secured,

I've never seen `upn`, no idea where this comes from.
One thing I noticed: I use slightly different endpoints for `urlAccessToken` and `urlAuthorize`:

```php
'urlAccessToken' => 'https://login.microsoftonline.com/xxxxxx-xxxx-xxxxx-xxxxxx/oauth2/v2.0/token',
'urlAuthorize' => 'https://login.microsoftonline.com/xxxxxx-xxxx-xxxxx-xxxxxx/oauth2/v2.0/authorize',
```

The xxx-combination is the Microsoft tenant ID.

@secured (Author)

secured commented Apr 29, 2024

@maikschneider got it working :)

I'm using these scopes and your endpoints:

```php
'scopes' => ['openid', 'email', 'profile'],
```

I had not set an API authorization for office365 correctly.

@secured secured closed this as completed Apr 29, 2024
@abvdveen

Wanted to add my two cents, for people using the above config, as I did myself. Using `'urlResourceOwnerDetails' => 'https://login.microsoftonline.com/common/openid/userinfo'` gave the Azure error `AADSTS9001014: This token was not issued for the UserInfo endpoint.` in function `fetchResourceOwnerDetails` in `vendor/league/oauth2-client/src/Provider/AbstractProvider.php`.

Using `https://graph.microsoft.com/oidc/userinfo` as @maikschneider remarked, gives the correct response in my case.
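Putting the thread's findings together, here is the provider configuration in the shape the opening config uses, with the settings that caused the two errors shown commented out beside the ones that worked. This is an added example, not configuration shipped by either extension: the tenant ID, client ID and secret are placeholders, and the surrounding `$GLOBALS['TYPO3_CONF_VARS']['EXTENSIONS']` location is an assumption about where the poster's array lives.

```php
<?php
// Added example (assumption: the provider array lives under TYPO3_CONF_VARS EXTENSIONS,
// matching the shape of the config posted above). Placeholders must be replaced.
declare(strict_types=1);

$GLOBALS['TYPO3_CONF_VARS']['EXTENSIONS']['oauth2_client']['providers']['azure'] = [
    'label' => 'Azure',
    'scopes' => [
        \Waldhacker\Oauth2Client\Service\Oauth2ProviderManager::SCOPE_BACKEND,
        \Waldhacker\Oauth2Client\Service\Oauth2ProviderManager::SCOPE_FRONTEND,
    ],
    'options' => [
        'clientId' => 'PLACEHOLDER_CLIENT_ID',
        'clientSecret' => 'PLACEHOLDER_CLIENT_SECRET',

        // Tenant-scoped v2.0 endpoints as used by the maintainer. Replacing the
        // "common" authority with a tenant ID also limits sign-in to that tenant's accounts.
        // 'urlAuthorize'   => 'https://login.microsoftonline.com/common/oauth2/authorize',   // original, v1
        // 'urlAccessToken' => 'https://login.microsoftonline.com/common/oauth2/token',       // original, v1
        'urlAuthorize' => 'https://login.microsoftonline.com/PLACEHOLDER_TENANT_ID/oauth2/v2.0/authorize',
        'urlAccessToken' => 'https://login.microsoftonline.com/PLACEHOLDER_TENANT_ID/oauth2/v2.0/token',

        // The OpenID userinfo endpoint: the "common/openid/userinfo" URL produced
        // AADSTS9001014 ("not issued for the UserInfo endpoint") for @abvdveen.
        // 'urlResourceOwnerDetails' => 'https://login.microsoftonline.com/common/openid/userinfo',
        'urlResourceOwnerDetails' => 'https://graph.microsoft.com/oidc/userinfo',

        // Scopes that worked in the end; 'read_user' from the original config is dropped.
        // 'scopes' => ['openid', 'read_user', 'email', 'profile'],
        'scopes' => ['openid', 'email', 'profile'],
        'scopeSeparator' => ' ',
    ],
    'implementationClassName' => \Xima\XimaOauth2Extended\ResourceProvider\MicrosoftResourceProvider::class,
];

$GLOBALS['TYPO3_CONF_VARS']['EXTENSIONS']['xima_oauth2_extended']['oauth2_client_providers']['azure'] = [
    'resolverClassName' => \Xima\XimaOauth2Extended\ResourceResolver\MicrosoftResourceResolver::class,
    'createBackendUser' => true,
    'createFrontendUser' => false,
    'defaultBackendUsergroup' => '1',
    'defaultFrontendUsergroup' => '',
    'imageStorageBackendIdentifier' => '1:/user_upload/oauth',
];
```

The endpoint and scope changes are only half of the fix reported in the thread; the other half was granting the app registration the API permission in Azure, which no TYPO3-side setting can substitute for.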
