oauth2-azure
The Code_Verifier does not match the code_challenge supplied in the authorization request
Greetings, I'm new to Azure and I need to implement a login flow using Azure AD for an application where the frontend retrieves the code and the backend has to generate the access token from the code already generated. On the FE side I'm using React with @azure/msal-browser and my source code looks like:
publicClientApp = new PublicClientApplication({
    auth: {
        clientId: azureConfig.clientId,
        authority: azureConfig.authority,
        redirectUri: azureConfig.redirectUrl,
    },
    cache: {
        cacheLocation: 'sessionStorage',
        storeAuthStateInCookie: false,
    },
});
await publicClientApp.loginRedirect({
    scopes: azureConfig.scopes,
    prompt: 'select_account',
});
Then I receive a code:
code=0.AU4AxXIC70Ma9ESVBt5raWVI_yqY9ha1CQhMgMGmdTdc8tODAAA...
On the BE side I receive this code and I need to generate the access token and get user claims. To do this I have my Symfony project with the thenetworg/oauth2-azure package installed, so my code looks like:
$this->provider = new Azure([
    'clientId' => $this->parameterBag->get('azure_client_id'),
    'clientSecret' => $this->parameterBag->get('azure_client_secret'),
    'redirectUri' => $this->parameterBag->get('azure_redirect_uri'),
    'scopes' => ['openid'],
    'defaultEndPointVersion' => Azure::ENDPOINT_VERSION_2_0,
]);
$token = $this->provider->getAccessToken('authorization_code', [
    'scope' => $this->provider->scope,
    'code' => $code,
]);
But I receive this error:
invalid_grant AADSTS501481: The Code_Verifier does not match the code_challenge supplied in the authorization request.\r\nTrace ID: 254744d9-ab7b-4c31-9dbe-0485bfd50501\r\nCorrelation ID: bb4a3ddf-6527-4b2c-98af-a124b66527d6\r\nTimestamp: 2022-11-22 15:08:41Z
Any hint to get this done?
React with @azure/msal-browser (i.e. V2) will force a PKCE code challenge with a (default) code challenge method of S256 for an SPA with authorization_code flow. From memory, I don’t believe that thenetworg/oauth2-azure, greew/oauth2-azure-provider or stevenmaguire/oauth2-microsoft providers offer PKCE themselves, but thephpleague oauth2-microsoft generic provider does so – you need the getPkceCode() and setPkceCode methods (see https://oauth2-client.thephpleague.com/usage/)
And note that for PHPMailer to work, your scope permissions should be “offline_access https://outlook.office.com/SMTP.Send”
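To make the answer above concrete, here is an added example (not code from the thread or from the thenetworg/oauth2-azure project) of a backend-owned PKCE flow with league/oauth2-client's GenericProvider. The party that builds the authorize URL is the only one holding the code_verifier, so here the PHP backend builds it, stores the verifier in the session, and restores it with setPkceCode() before redeeming the code; tenant, client credentials, redirect URI and the userinfo endpoint are assumptions.

```php
<?php
// Added example: backend builds the authorize URL and owns the PKCE verifier.
require 'vendor/autoload.php';

use League\OAuth2\Client\Provider\AbstractProvider;
use League\OAuth2\Client\Provider\GenericProvider;

session_start();

$tenant = getenv('AZURE_TENANT_ID'); // assumption: settings come from the environment
$provider = new GenericProvider([
    'clientId'                => getenv('AZURE_CLIENT_ID'),
    'clientSecret'            => getenv('AZURE_CLIENT_SECRET'),
    'redirectUri'             => 'https://app.example/auth/callback', // placeholder
    'urlAuthorize'            => "https://login.microsoftonline.com/$tenant/oauth2/v2.0/authorize",
    'urlAccessToken'          => "https://login.microsoftonline.com/$tenant/oauth2/v2.0/token",
    'urlResourceOwnerDetails' => 'https://graph.microsoft.com/oidc/userinfo', // assumption
    'scopes'                  => ['openid', 'profile', 'email'],
    'scopeSeparator'          => ' ', // Azure AD v2.0 expects space-separated scopes
    'pkceMethod'              => AbstractProvider::PKCE_METHOD_S256,
]);

if (!isset($_GET['code'])) {
    // Step 1: with pkceMethod set, getAuthorizationUrl() generates a fresh
    // code_verifier and places its S256 code_challenge in the URL.
    $authUrl = $provider->getAuthorizationUrl();
    $_SESSION['oauth2state'] = $provider->getState();
    $_SESSION['oauth2pkce']  = $provider->getPkceCode(); // verifier stays server-side
    header('Location: ' . $authUrl);
    exit;
}

// Reject callbacks that do not belong to a request this session started.
if (empty($_GET['state']) || $_GET['state'] !== ($_SESSION['oauth2state'] ?? null)) {
    unset($_SESSION['oauth2state'], $_SESSION['oauth2pkce']);
    http_response_code(400);
    exit('Invalid state');
}

// Step 2: restore the verifier that matches THIS authorization request before
// redeeming the code; without it the token endpoint answers AADSTS501481.
$provider->setPkceCode($_SESSION['oauth2pkce']);
unset($_SESSION['oauth2state'], $_SESSION['oauth2pkce']);

$token = $provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
$owner = $provider->getResourceOwner($token);
print_r($owner->toArray()); // claims from the userinfo endpoint
```

If the SPA must keep building the authorize URL with msal-browser, the same setPkceCode() call applies, but the backend then has to receive the verifier msal-browser generated together with the code, since it cannot derive it from the code alone.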
Thanks @decomplexity for your response. I'm trying to find a package for React that replaces msal-browser and allows me to pass my custom code_challenge and code_challenge_method.
But I understand that the implementation of getting the PKCE code is delegated to the inheriting class. In the GenericProvider class there is no way to be able to get this code in the case of Azure AD.