This lib currently caches access tokens in memory. Building on the work in #18 which abstracts the token caching layer while defaulting to an in-memory cache, a potential bug was identified.

PHP largely uses a single-process per request but using asynchronous programming frameworks like Swoole could present cases where two threads handling different user's requests could read the same cached token leading to an identity swap. This is if the same authentication provider is injected

Discussed solution is to cache tokens in a way that retrieval is unique to a user for delegated auth scenarios and unique to a tenant and client for application permission scenarios. Cached tokens to be stored/retrieved in/from a map with the following keys:

• tenantId-clientId-userId - delegated permissions
• tenantId-clientId - application permissions

ToDo

• OnBehalfOfContext to derive userId from the oid (object ID) claim of the assertion passed
• Investigate how the AuthorizationCodeContext should distinguish between users. Require nonce?

reflection of microsoft/kiota-authentication-azure-go#102

Hello,

I am trying to upgrade my application to use msgraph-sdk-php v2 and found this issue in this package.

$tokenRequestContext = new AuthorizationCodeContext(
    'tenantId', 'clientId', 'clientSecret', 'authCode', 'redirectUri');

$scopes = ['User.Read'];
$authProvider = new GraphPhpLeagueAuthenticationProvider($tokenRequestContext, $scopes);
$redirectUrl = $authProvider->getAccessTokenProvider()
    ->getOauthProvider()->getAuthorizationUrl();

The authorization url is not correct because of:

1. AADSTS900144: The request body must contain the following parameter: 'client_id'.
2. AADSTS900144: The request body must contain the following parameter: 'scope'.
3. Also the redirectUri is missing, there is no specific error for this, but it is necessary.

The clientId and redirectId issues could be fixed in the ProviderFactory class when creating the GenericProvider.
The scopes issue could be fixed in the PhpLeagueAccessTokenProvider constructor and pass them to the ProviderFactory::create, and then to the GenericProvider.

The goal is to have the League\OAuth2\Client\Provider\GenericProvider class fully equipped, which might also require passing the clientSecret to it, but it is not necessary for getAuthorizationUrl().

I can imagine that this fix might not be as simple as I described, but if you could look into it, it would be greatly appreciated.

Thanks!

Azure Identity libraries in other languages support configuring a proxy in their credential classes. The PHP Graph SDK supports using a proxy, but these auth classes do not.

The PHP League provider supports a proxy: https://oauth2-client.thephpleague.com/usage/#using-a-proxy, so we should be able to support this.

Initial PHP auth provider PR microsoft/kiota#1201 adds basic support for client_credentials & auth code flows

Consider adding support for:.

• Device Code flow
• OIDC capabilities (sign out, token validation, token introspection ...)

Pull requests from forks don't have access to secrets causing failures e.g. #18

Need to check for secret before executing SonarCloud step

ClientId, ClientSecret and additional parameters are not persisted in oauth provider https://github.com/microsoft/kiota-authentication-phpleague-php/blob/dev/src/Oauth/ProviderFactory.php#L32

Consider the following example

$tenantId = '';
$clientId = '';
$clientSecret = '';

$clientCredentials = new ClientCredentialContext($tenantId, $clientId, $clientSecret);

$accessTokenProvider = new PhpLeagueAccessTokenProvider($clientCredentials);
$accessTokenProvider->getOauthProvider()->authorize(); 

Result: The request body must contain the following parameter: 'client_id'.

https://login.microsoftonline.com/{$tenantId}/oauth2/v2.0/authorize?state=randomstring&response_type=code&approval_prompt=auto