Improve security for the token flow and add Web API protection about oauth2-azure HOT 5 CLOSED

This also requires the ability to turn off the validation and use a custom one when multitenant (/common/ endpoint) application scenario is used

Looks like this isn't the case and it is causing v2.0 usage to break for me with my implementation.

It is throwing an invalid issuer error since https://sts.windows.net/9188040d-6c67-4c5b-b112-36a304b66dad/ does not match https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0 which I assume is caused by the usage of the common endpoints? I don't see a way to disable this check aswell

from oauth2-azure.

I will have to check this and get back to you. So you are using regular AAD created app with v2.0 endpoints, right?

from oauth2-azure.

Yeah so I basically use the options described in the readme

$provider->pathAuthorize = "/oauth2/v2.0/authorize";
$provider->pathToken = "/oauth2/v2.0/token";
$provider->scope = ["openid"];

from oauth2-azure.

Ah I think I found it, there is an API call to 'https://login.windows.net/' . $tenant . '/.well-known/openid-configuration' to get the issuer. But if I check my endpoints in my azure portal it shows

https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration

So that might be the reason why?

EDIT: Yup just modified the files locally to use v2.0 and that has fixed the issue for me. So adding an option to modify the openid-configuration endpoint for example could fix this?

from oauth2-azure.

Almost forgot, I also modified the https://login.windows.net/common/discovery/keys url to use the v2.0 keys since Firebase JWT was giving me an error for a missing KID value.

from oauth2-azure.