Hello!
oauth2-azure v1.x supported URI form of Client ID:
$provider = new Azure(['clientId' => 'api://XXXX-XXXXX']);
In oauth2-azure v.2 src/Provider/Azure/validateAccessToken/getJwtVerificationKeys/getOpenIdConfiguration
we have:
$openIdConfigurationUri = $this->urlLogin . $tenant . $versionInfix . '/.well-known/openid-configuration?appid=' . $this->clientId;
this requires us to put clientID without prefix in Provider init:
$provider = new Azure(['clientId' => 'XXXX-XXXXX']);
Otherwise, with URI form, we get error from Azure:
"invalid_request AADSTS90112: Application identifier is expected to be a GUID"
But then we can't validate access tokens tokens from frontend app cause AUD claim is always in URI form and is
different from ClientId
'api://XXXX-XXXXX' is not equal to 'XXXX-XXXXX'
public function validateTokenClaims($tokenClaims) {
if ($this->getClientId() != $tokenClaims['aud']) {
throw new \RuntimeException('The client_id / audience is invalid!');
}
....
}
it always fails
There should be fallback to URI form of the Client ID
Hello!
oauth2-azure v1.x supported URI form of Client ID:
$provider = new Azure(['clientId' => 'api://XXXX-XXXXX']);In oauth2-azure v.2 src/Provider/Azure/validateAccessToken/getJwtVerificationKeys/getOpenIdConfiguration
we have:
$openIdConfigurationUri = $this->urlLogin . $tenant . $versionInfix . '/.well-known/openid-configuration?appid=' . $this->clientId;this requires us to put clientID without prefix in Provider init:
$provider = new Azure(['clientId' => 'XXXX-XXXXX']);Otherwise, with URI form, we get error from Azure:
"invalid_request AADSTS90112: Application identifier is expected to be a GUID"
But then we can't validate access tokens tokens from frontend app cause AUD claim is always in URI form and is
different from ClientId
'api://XXXX-XXXXX' is not equal to 'XXXX-XXXXX'
it always fails
There should be fallback to URI form of the Client ID