Issue with generating and validating the same token. #974

Open
nedvice-sv opened this issue Oct 17, 2022 · 0 comments
nedvice-sv commented Oct 17, 2022

Hi all,

Currently I'm trying to implement the TheNetworg/oauth2-azure client in my application. I'm using an SPA which uses Symfony as a backend (and thus also for authentication through Azure, hence this package!)

The following piece of code can't verify the access token since it's an "Invalid Signature":

First I'm getting the access_token via the provided code from Microsoft Azure.

// Exchange the authorization code received by the front-end for an access token.
$accessToken = $microsoftProvider->get()->getAccessToken('authorization_code', [
    'scope' => $microsoftProvider->get()->scope,
    'code'  => $request->getCode(),
]);

// Only the raw JWT string is handed back to the SPA.
return $accessToken->getToken();

Second, on a separate call I'm validating this token (this happens when authenticating; this is where the accessToken is a string!):

try {
    // $accessToken is the raw JWT string sent by the SPA as a bearer token.
    $claims = $this->microsoftProvider->get()->validateAccessToken($accessToken);
} catch (\Exception $exception) {
    // Fully qualified so the catch also matches inside a namespaced class without a `use Exception;` import.
    // Note: the second constructor argument is the message's translation parameters, not a trace.
    throw new CustomUserMessageAuthenticationException($exception->getMessage(), $exception->getTrace(), $exception->getCode(), $exception);
}

The $this->microsoftProvider->get() returns an instance of TheNetworg\OAuth2\Client\Provider\Azure; this is just a wrapper for setting credentials, scopes, etc.

When I also try to verify the JWT (bearer) token on https://jwt.io/, it says the token that was generated was 'invalid', while I can see literally everything in the payload section.

What am I doing wrong?

And for a second question: Is it possible to get an AccessToken object just from the accessToken that has been sent through the requests?


To explain a little bit of the situation:

My current working flow with the SPA is as follows:

  1. User clicks on "Login with Azure". In the back-end we get a login URL and return this to the front-end. The front-end then redirects the user to this URL (Microsoft URL).
  2. The user authenticates with the Azure account and is redirected back to the front-end with the state and code.
  3. The front-end recognizes that a code and state have been given and calls the back-end again to get an access_token (bearer token / JWT token), something that you should send at least when you want to authenticate.
  4. When the token is given we can authenticate every other call on the back-end with this token (which is now still stored as session data).
     If anyone has a better solution to that, I'd also like to know.

Thanks for reading and in advance for answering my questions,

Regards, Sanne
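The two-step flow described in this issue (exchange the code for a token, then validate the bearer token on later requests) and the second question (rebuilding an AccessToken object from a bare string) as one added example. This is illustrative code written for this page, not code from the issue or from the TheNetworg/oauth2-azure project; the client id, secret, tenant, redirect URI and scope are placeholders, and the `tid` pin is an extra check layered on top of whatever `validateAccessToken` itself verifies. The scope is assumed to be one exposed by your own app registration, because an API should only validate tokens whose audience is itself.

```php
<?php
// Added example, not from the issue or the TheNetworg/oauth2-azure project.
// Assumes a Composer autoloader and placeholder app-registration values.
require __DIR__ . '/vendor/autoload.php';

use League\OAuth2\Client\Token\AccessToken;
use TheNetworg\OAuth2\Client\Provider\Azure;

// Placeholder values: replace with your own registration.
$provider = new Azure([
    'clientId'     => 'YOUR-CLIENT-ID',
    'clientSecret' => 'YOUR-CLIENT-SECRET',
    'redirectUri'  => 'https://app.example/oauth/callback',
    'tenant'       => 'YOUR-TENANT-ID',
]);
// Request a token for your own API so that its audience is the API that will validate it.
$provider->scope = ['api://YOUR-CLIENT-ID/.default'];

/**
 * Step 3 of the flow: exchange the code the SPA received for a token and return
 * only the raw JWT string, which the SPA sends back as a bearer token later on.
 */
function exchangeCode(Azure $provider, string $code): string
{
    $accessToken = $provider->getAccessToken('authorization_code', [
        'scope' => $provider->scope,
        'code'  => $code,
    ]);

    return $accessToken->getToken();
}

/**
 * Second question: an AccessToken object can be rebuilt from the bare string.
 * Only 'access_token' is required; expiry is unknown unless 'expires' is also
 * supplied (for example from the 'exp' claim once the token has been validated).
 */
function tokenFromString(string $jwt): AccessToken
{
    return new AccessToken(['access_token' => $jwt]);
}

/**
 * Step 4 of the flow: pull the bearer token from the Authorization header and
 * validate it. Any failure throws, and the caller maps that to a 401 response.
 */
function authenticateRequest(Azure $provider, array $headers, string $expectedTenant): array
{
    $header = $headers['Authorization'] ?? '';
    if (!preg_match('/^Bearer\s+(\S+)$/i', $header, $m)) {
        throw new \RuntimeException('Missing bearer token');
    }

    // Signature and standard claim checks are done by the library.
    $claims = $provider->validateAccessToken($m[1]);

    // Added defence in depth: refuse tokens issued by another tenant.
    if (($claims['tid'] ?? null) !== $expectedTenant) {
        throw new \RuntimeException('Token issued for another tenant');
    }

    return $claims;
}

// Constructed sample call as it would run inside a request handler:
// $claims = authenticateRequest($provider, getallheaders(), 'YOUR-TENANT-ID');
```

When wiring this into a Symfony authenticator, map the exception to `CustomUserMessageAuthenticationException` with a fixed message such as "Invalid token" rather than `$exception->getMessage()`, so the client is not told which validation step failed; keep the original exception as the `$previous` argument for server-side logging.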
