Issue with generating and validating the same token. #974
Description
Hi all,
Currently I'm trying to implement the TheNetworg/oauth2-azure client in my application. I'm using an SPA which uses Symfony as a backend (and thus also for authentication through Azure, hence this package!)
The following piece of code can't verify the access token since it's an "Invalid Signature":
First I'm getting the access_token via the provided code from Microsoft Azure.
```php
// Step 1: exchange the authorization code returned by Microsoft Azure for an access token.
$accessToken = $microsoftProvider->get()->getAccessToken('authorization_code', [
    'scope' => $microsoftProvider->get()->scope,
    'code'  => $request->getCode(),
]);

// The raw JWT string is what gets handed back to the front-end.
return $accessToken->getToken();
```
Second, on a separate call, I'm validating this token (this happens when authenticating; this is where the accessToken is a string!):
```php
try {
    // Step 2: validate the raw token string (signature, issuer, audience, expiry) via the provider.
    $claims = $this->microsoftProvider->get()->validateAccessToken($accessToken);
} catch (\Exception $exception) {
    // Fully qualified so the catch also works inside a namespaced Symfony class.
    throw new CustomUserMessageAuthenticationException($exception->getMessage(), $exception->getTrace(), $exception->getCode(), $exception);
}
```
`$this->microsoftProvider->get()` returns an instance of `TheNetworg\OAuth2\Client\Provider\Azure`; this is just a wrapper for setting credentials, scopes etc.
When I try to verify the JWT (bearer) token also on https://jwt.io/ it says the token that was generated was 'invalid' while I can see literally everything in the payload section.
What am I doing wrong?
And for a second question: Is it possible to get an AccessToken object just from the accessToken that has been sent through the requests?
To explain a little bit of the situation:
My current working flow with the SPA is as follows:
- User clicks on "Login with Azure"; in the back-end we'll get a login URL and return this to the front-end. The front-end then redirects the user to this URL (Microsoft URL).
- The user authenticates with the Azure account and is redirected back with the state and code again to the front-end.
- The front-end recognizes that a code and state have been given and calls the back-end again to get an `access_token` (bearer token / JWT token); something that you should send at least when you want to authenticate.
- When the token is given we can authenticate every other call on the back-end with this token (which is now still stored as session data).
If anyone has a better solution to that, I'd also like to know.
Thanks for reading and in advance for answering my questions,
Regards, Sanne
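Before tracing a signature failure through the library, it helps to see what the token actually carries. The script below is an added example, not code from the issue or from TheNetworg/oauth2-azure: it decodes the header and claims of a compact JWT without verifying the signature and reports the conditions under which local validation cannot succeed (a resource server can only validate tokens issued to it, so `aud` must be its own client id; `iss` must belong to the expected tenant; `alg`/`kid` must point at a key in the tenant's JWKS). The client id, tenant id and sample token are constructed placeholders.

```python
import base64
import json
import time

# Constructed placeholder values (not from the issue): this app's client id and its tenant id.
EXPECTED_AUD = "00000000-0000-0000-0000-00000000aaaa"
TENANT_ID = "00000000-0000-0000-0000-00000000bbbb"


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def inspect_jwt(token: str, expected_aud: str, tenant_id: str, now=None) -> dict:
    """Split a compact JWT and list why local validation would reject it.
    The signature is NOT checked here; this is only a pre-flight diagnostic."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"header": None, "claims": None, "problems": ["not a compact JWS (expected 3 segments)"]}
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    problems = []
    if header.get("alg") != "RS256":
        problems.append(f"unexpected alg {header.get('alg')!r}; Azure AD tokens are RS256-signed")
    if "kid" not in header:
        problems.append("no kid: cannot select a signing key from the tenant JWKS")
    if claims.get("aud") != expected_aud:
        problems.append(f"aud {claims.get('aud')!r} is not this app's client id; token was issued for another resource")
    issuer = claims.get("iss", "")
    if tenant_id not in issuer:
        problems.append(f"iss {issuer!r} is not this tenant")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return {"header": header, "claims": claims, "problems": problems}


def make_sample_token(aud: str, exp: int) -> str:
    """Build a constructed, unsigned sample token for demonstration only."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    claims = {"aud": aud, "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0", "exp": exp, "tid": TENANT_ID}
    segs = [b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)]
    return ".".join(segs + [b64url_encode(b"constructed-signature-bytes")])
```

Run `inspect_jwt` on the string the front-end sends back; an empty `problems` list means signature verification against the tenant keys is the next thing to check, while an `aud` mismatch means the token was never meant for this application.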