Allow OIDC with Azure B2C

There are a couple of places where the client_secret should not be passed to Azure B2C as part
of the authentication requests. B2C is picky about this, and will reject the token grant if passed.
The data bindings also needed to be improved and allowed to suit custom values, as the B2C data bindings
are different to the default bindings in AAD.

Author: Peterburnett

classes/form/application.php

@@ -90,6 +90,11 @@ protected function definition() {
         $mform->disabledIf('clientsecret', 'clientauthmethod', 'neq', AUTH_OIDC_AUTH_METHOD_SECRET);
         $mform->addElement('static', 'clientsecret_help', '', get_string('clientsecret_help', 'auth_oidc'));
 
+        // Auth token secret toggle.
+        $mform->addElement('advcheckbox', 'accesstokenclientsecret', auth_oidc_config_name_in_form('accesstokenclientsecret'), '');
+        $mform->setType('accesstokenclientsecret', PARAM_BOOL);
+        $mform->addElement('static', 'accesstokenclientsecret_help', '', get_string('accesstokenclientsecret_help', 'auth_oidc'));
+
         // Certificate private key.
         $mform->addElement('textarea', 'clientprivatekey', auth_oidc_config_name_in_form('clientprivatekey'),
             ['rows' => 10, 'cols' => 80]);

classes/loginflow/base.php

@@ -257,19 +257,19 @@ public function get_userinfo($username) {
                 if (!isset($userdata['email'])) {
                     $email = $token->claim('email');
                     if (!empty($email)) {
-                        $userdata['mail'] = $email;
+                        $userdata['email'] = $email;
                     } else {
                         if (!empty($upn)) {
                             $aademailvalidateresult = filter_var($upn, FILTER_VALIDATE_EMAIL);
                             if (!empty($aademailvalidateresult)) {
-                                $userdata['mail'] = $aademailvalidateresult;
+                                $userdata['email'] = $aademailvalidateresult;
                             }
                         }
                     }
                 }
             }
 
-            $updateduser = static::apply_configured_fieldmap_from_token($userdata, $eventtype);
+            $updateduser = static::apply_configured_fieldmap_from_token($userdata, $eventtype, $token);
             $userinfo = (array)$updateduser;
         }
 
@@ -281,9 +281,10 @@ public function get_userinfo($username) {
      *
      * @param array $userdata
      * @param string $eventtype
+     * @param jwt $token
      * @return stdClass
      */
-    public static function apply_configured_fieldmap_from_token(array $userdata, string $eventtype) {
+    public static function apply_configured_fieldmap_from_token(array $userdata, string $eventtype, jwt $token) {
         $user = new stdClass();
 
         $fieldmappings = auth_oidc_get_field_mappings();
@@ -299,6 +300,12 @@ public static function apply_configured_fieldmap_from_token(array $userdata, str
 
             if (isset($userdata[$remotefield])) {
                 $user->$localfield = $userdata[$remotefield];
+            } else {
+                // Try a manual token claim on the value provided.
+                $tokenval = $token->claim($remotefield);
+                if (!is_null($tokenval)) {
+                    $user->$localfield = $tokenval;
+                }
             }
         }
 

classes/oidcclient.php

@@ -333,14 +333,15 @@ public function tokenrequest($code) {
             'redirect_uri' => $this->redirecturi,
         ];
 
+        $sendsecret = get_config('auth_oidc', 'accesstokenclientsecret');
         switch (get_config('auth_oidc', 'clientauthmethod')) {
             case AUTH_OIDC_AUTH_METHOD_CERTIFICATE:
                 $params['client_assertion_type'] = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';
                 $params['client_assertion'] = static::generate_client_assertion();
                 $params['tenant'] = 'common';
                 break;
             default:
-                $params['client_secret'] = $this->clientsecret;
+                $params = $sendsecret ? ['client_secret' => $this->clientsecret] : [];
         }
         $returned = $this->httpclient->post($this->endpoints['token'], $params);
         return utils::process_json_response($returned, ['id_token' => null]);
@@ -365,6 +366,7 @@ public function app_access_token_request() {
                 break;
             default:
                 $params['client_secret'] = $this->clientsecret;
+                $params = [];
         }
 
         $tokenendpoint = $this->endpoints['token'];

lang/en/auth_oidc.php

@@ -60,6 +60,8 @@
 $string['idp_type_microsoft'] = 'Microsoft identity platform (v2.0)';
 $string['idp_type_other'] = 'Other';
 $string['cfg_authenticationlink_desc'] = '<a href="{$a}" target="_blank">Link to IdP and authentication configuration</a>';
+$string['accesstokenclientsecret'] = 'Send client secret in access token requests.';
+$string['accesstokenclientsecret_help'] = 'Some IdPs like Azure B2C do not allow the client secret to be sent in token exchange requests. Disable this config to remove the client secret from the request.';
 $string['authendpoint'] = 'Authorization Endpoint';
 $string['authendpoint_help'] = 'The URI of the Authorization endpoint from your IdP to use.<br/>
 Note if the site is to be configured to allow users from other tenants to access, tenant specific authorization endpoint cannot be used.';
@@ -83,6 +85,8 @@
 $string['clientcert_help'] = 'When using <b>certificate</b> authentication method, this is the public key, or certificate, used in to authenticate with IdP.';
 $string['tenantnameorguid'] = 'Tenant name or GUID';
 $string['tenantnameorguid_help'] = 'Don\'t include https:// if use tenant name.';
+$string['cfg_custom_mapping'] = 'Use custom data mappings';
+$string['cfg_custom_mapping_desc'] = 'Allow custom attribute entry for data mappings.';
 $string['cfg_domainhint_key'] = 'Domain Hint';
 $string['cfg_domainhint_desc'] = 'When using the <b>Authorization Code</b> login flow, pass this value as the "domain_hint" parameter. "domain_hint" is used by some OpenID Connect IdP to make the login process easier for users. Check with your provider to see whether they support this parameter.';
 $string['cfg_err_invalidauthendpoint'] = 'Invalid Authorization Endpoint';

manageapplication.php

@@ -55,7 +55,7 @@
 $form = new application(null, ['oidcconfig' => $oidcconfig]);
 
 $formdata = [];
-foreach (['idptype', 'clientid', 'clientauthmethod', 'clientsecret', 'clientprivatekey', 'clientcert', 'tenantnameorguid',
+foreach (['idptype', 'clientid', 'clientauthmethod', 'clientsecret', 'accesstokenclientsecret', 'clientprivatekey', 'clientcert', 'tenantnameorguid',
     'authendpoint', 'tokenendpoint', 'oidcresource', 'oidcscope'] as $field) {
     if (isset($oidcconfig->$field)) {
         $formdata[$field] = $oidcconfig->$field;
@@ -73,7 +73,7 @@
     }
 
     // Prepare config settings to save.
-    $configstosave = ['idptype', 'clientid', 'tenantnameorguid', 'clientauthmethod', 'authendpoint', 'tokenendpoint',
+    $configstosave = ['idptype', 'clientid', 'tenantnameorguid', 'clientauthmethod', 'accesstokenclientsecret', 'authendpoint', 'tokenendpoint',
         'oidcresource', 'oidcscope'];
 
     // Depending on the value of clientauthmethod, save clientsecret or (clientprivatekey and clientcert).
@@ -110,4 +110,3 @@
 $form->display();
 
 echo $OUTPUT->footer();
-

settings.php

@@ -225,12 +225,20 @@
 
     // Other settings page and its settings.
     $fieldmappingspage = new admin_settingpage('auth_oidc_field_mapping', get_string('settings_page_field_mapping', 'auth_oidc'));
+    $fieldmappingspage->add(new admin_setting_configcheckbox('auth_oidc/custom_field_mapping',
+        get_string('cfg_custom_mapping', 'auth_oidc'), get_string('cfg_custom_mapping_desc', 'auth_oidc'), 0));
     $ADMIN->add('oidcfolder', $fieldmappingspage);
 
     // Display locking / mapping of profile fields.
     $authplugin = get_auth_plugin('oidc');
-    auth_oidc_display_auth_lock_options($fieldmappingspage, $authplugin->authtype, $authplugin->userfields,
-        get_string('cfg_field_mapping_desc', 'auth_oidc'), true, false, $authplugin->get_custom_user_profile_fields());
+    if (get_config('auth_oidc', 'custom_field_mapping')) {
+        display_auth_lock_options($fieldmappingspage, $authplugin->authtype, $authplugin->userfields,
+            get_string('cfg_field_mapping_desc', 'auth_oidc'), true, true, $authplugin->get_custom_user_profile_fields());
+    } else {
+        auth_oidc_display_auth_lock_options($fieldmappingspage, $authplugin->authtype, $authplugin->userfields,
+            get_string('cfg_field_mapping_desc', 'auth_oidc'), true, false, $authplugin->get_custom_user_profile_fields());
+    }
+    
 }
 
 $settings = null;