Don`t work for version v2.0 Azure Active Directory B2C

Hi Andrew, could you specify this patch please? What does not work, what does it fix?

I would also like to add that the access_token issued by B2C is not usable to get user data from either Azure Graph or Microsoft Graph API's. The purpose of the B2C access_token is to gain access to a custom API which uses B2C as authorization platform.
So the default "retrieveUserInfo" function will not succeed under any circumstances.
The patch above does get around it by equating access_token to id_token (since it does contain some of the same claims), but this goes against OpenID Connect principle.

Also to get access_token from Azure AD B2C, you must add the "client id" to "scope" request parameter.
I had to override the "OpenIDConnectClientBase::authorize()" function from OpenID Connect module with:
$url_options = [
'query' => [
'client_id' => $this->configuration['client_id'],
'response_type' => 'code',
'scope' => $this->configuration['client_id'].' '.$scope,
'redirect_uri' => $redirect_uri->getGeneratedUrl(),
'state' => StateToken::create(),
],
];

Without that, you will only get the id_token.

More about B2C access_tokens:
https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-direc...
https://saraford.net/2017/11/09/securing-and-calling-a-web-api-using-azu...

The supplied code, will give a notice "Notice: Undefined index: emails".
I suspect that this have not been tested with v2 turned off on a non v2 version so when we come to the line that does the

        // use_v2
        if ($profile_data['emails']) {
          $profile_data['email'] = reset($profile_data['emails']);
        }

should use a check that there is a value or/and also check if v2 is enabled.

The patch of #2 is working perfect for me.

Hello Alex,

Can you plz send me patch file as attachment 'https://www.drupal.org/files/issues/2018-12-20/openid_connect_windows_aa...'.

Thanks

I think I am running into this as well:

Could not retrieve tokens. Details: Client error: `POST https://login.microsoftonline.com/OUR_AZURE_SUB_ID/oauth2/v2.0/token` resulted in a `400 Bad Request` response: {"error":"invalid_request","error_description":"AADSTS901002: The 'resource' request parameter is not supported.

So far the only combination of settings that has worked was to get the "OAuth 2.0 token endpoint (v1)" and "OAuth 2.0 authorization endpoint (v1)" from the "Endpoints" modal in the Azure Portal (while looking at the App Registration) and enable "Azure AD Graph API (v1.6)".

The URLs for v1 look like this:

• https://login.microsoftonline.com/OUR_AZURE_SUB_ID/oauth2/authorize
• https://login.microsoftonline.com/OUR_AZURE_SUB_ID/oauth2/token

It totally fails with the error I posted above -- or with lots of undefined index errors and an error about an improperly-formatted email address -- if we use the "v2 endpoints" from the same Endpoints modal on Azure. It also totally fails if we use the "common" endpoints featured in the screenshot of this module.

@GuyPaddock I think in previous edits on the project page, "B2C" was mentioned as working functionality. However, the module focuses on OpenID Connect. I am not totally sure on what this does or doesn't mean how far we are from fully tested scenario on the B2C functionality. I simply lack some knowledge about this concerning Microsoft. Is this something you can help with? Is B2C heavily related to OpenID Connect? Is this module the right one to have this integration, or would it be better to have some related module handling the B2C integration? I hope to share some thoughts with you or others on this matter, thanks.

Hello, is there any prevision of configuring the bc2login.com V2 endpoints to use Azure B2C in this module?

I could open another issue, but I think here is ok.

Thanks for the great work, regards!

I had similar issues to this but I managed to get it working after I removed some lines from the retrieveTokens function as mentioned in this issue https://www.drupal.org/project/openid_connect_windows_aad/issues/3040473 otherwise they cause the error that was mentioned in #10 above about "'resource' request parameter is not supported."

Once those lines are gone the login works with V2 authorization urls and with the "Windows Graph API (v1.0)" userinfo endpoint configuration, without the need of the patch above.
The App in Azure though needs the permissions explained in the screenshots in the other issue which might need to be added to the module documentation page.

If I use V1 urls I get an "InvalidAuthenticationToken" error no matter what other settings I use.

I also don't really understand how the module would work with the "Alternate or no user endpoint" option set on the "User info endpoint configuration" field, because as far as I can see in code debugging the userinfo in the $context would always be empty so the authentication would not complete - I always get the "The e-mail address is not valid" error because the userinfo is never set that way...

I have another note to add to this thread: One of our Drupal 7 installations was recently upgraded to Drupal 8 using this module. Previously, we were using the vanilla OpenID Connect module for Drupal 7 along with a slew of custom patches, and it was authenticating fine. But on Drupal 8 we kept getting:

Could not retrieve user profile information. Details: Client error: `GET https://graph.windows.net/me?api-version=1.6` resulted in a `403 Forbidden` response: {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete (truncated...)

I was racking my brain because the settings we're using on other Drupal 8 sites are identical (what I shared above in #11) and the app in the Azure AD portal seemed to be identically configured as well. But, after digging into the JWT that was being returned to working Drupal 8 installs vs. this one we just upgraded, I noted that the main difference was that the "scp" claim for working log-ins was "User.Read" but it was "email openid profile" for the one that was failing.

If you run across this, you need to adjust the "API Permissions" configured for the application in the App Registrations section of Azure AD. Revoke all permissions shown there, and then:

1. Click the "Add a permission" button.
2. Click "Delegated permissions".
3. Find and select "User.Read".
4. Click the "Add permission" button.
5. Click the "Grant admin consent for YOURDOMAIN.com".
6. If you receive the question "Other permissions have been granted for this tenant that are not configured. Do you want to keep these other granted permissions?" answer, "No, remove other granted permissions".
7. When asked, "Do you want to grant consent for the requested permissions for all accounts in inveniem.com? This will update any existing admin consent records this application already has to match what is listed below.", click the "Yes" button.

Now authentication should work.

For reference, this is what it looked like when it did not work:

This is what it looked like when it did work:

(Restored issue summary).

Quick view on the patch in #23:

I See this section

elseif ($profile_data['email']) {
    $profile_data['email'] = $profile_data['email'];
}

I got this error

Could not retrieve user profile information. Details: Client error: `GET https://graph.windows.net/me?api-version=1.6` resulted in a `403 Forbidden` response: {"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete (truncated...)

And comment #16 worked for me.

#6 helped me to get access token and in the end I've modified OpenIDConnect.php around 320 line to find the correct email. I've grabbed it
$context['userinfo']['email'] => $context['user_data']['email'];

I don't know if I could override those in a clever way.

Please review the patch.

Please review the patch.

Using the settings here (with https://login.microsoftonline.com/common/oauth2/v2.0/authorize as the endpoint, the 'Alternate or no user endpoint userinfo' option selected and the field left blank), I find that user_data is returned fine, but because userinfo is empty, this causes an error for the OpenID Connect module.

I get the same error as described in #26 about the empty email at line 320. I can stop this happening by implementing hook_openid_connect_userinfo_alter() in a custom module:

function MY_MODULE_openid_connect_userinfo_alter(array &$userinfo, array $context) {
  $mail = $context['user_data']['email'];
  $userinfo['email'] = $mail;
}

That sets the userinfo email field to the same as returned in user_data and it works fine for v2.0 then.

It's possible this may be fixed in 2.x of the OpenID Connect module. See https://www.drupal.org/project/openid_connect/issues/2965594#comment-140... Haven't tried that version yet so not sure.

Thanks @rahul-kr-sh for the patch, it works but it throw warnings.

adapt patch to V2 Azure provides 'email' key for userinfo not mail.

Rerolled patch #30 against latest release.

@geoffreyr

I think a lot of the other information normally required as part of authentication is in the 'profile' scope (see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permi...) . For example, the preferred_username, and 'upn' properties are all in there.

Perhaps we should also add this

  /**
   * {@inheritdoc}
   */
  public function authorize($scope = 'openid email') {
    return parent::authorize('openid email profile');
  }

to the WindowsAad class, as part of this merge request?

An alternative would be to add a new hook in the openid_connect module itself, to alter scopes, but this feels like a very common use-case, so maybe it should be part of this module?

What do people think?

I confirm that the patch proposed in comment #31 works with the new release.
However, it is no longer functional with the recovery of the email in the access token (the response returned by Azure is empty).

I submit a new patch.

These patches are not working on 2.0.x-dev. This patch works for me and verified

Please try version 2.0.0-beta1. It should fix the issue.

I thank everyone for the work done.

I have installed many variants and tried several patches to get a working authentication with Azure AD B2C

At the moment I can confirm that authentication works correctly with:

• openid_connect:8.x-1.2
• https://git.drupalcode.org/issue/openid_connect_windows_aad-3021812/-/tr...

On the contrary at the moment beta versions do not work

• openid_connect:2.0.0-beta3
• openid_connect:beta-2.0.0-beta4

@Uccio - Thanks for your feedback. Which endpoint do you use as userinfo endpoint? Here is a patch for 2.x to make it work with Graph API.

@webflow

For version openid_connect:8.x-1.2 + patch (patch)

I use this configuration:

I gladly try version 2.x

I use these versions: openid_connect:2.0.0-beta3 + openid_connect:beta-2.0.0-beta4 + (patchv2)

Or should I start from the 2.x development branch and apply the patch?

Let me know which of the two ways you prefer.

Thanks. https://graph.microsoft.com/oidc/userinfo follows the OIDC spec. Therefore it is possible to skip the whole logic related to mail vs. email.

@Uccio Please try openid_connect_windows_aad:2.0.0-beta4 + this patch.

@webflo

I installed the beta4 with composer:

After login drupal goes to WSOD.

the crash log is:

TypeError: Drupal\openid_connect_windows_aad\Plugin\OpenIDConnectClient\WindowsAad::retrieveUserInfo(): Argument #1 ($access_token) must be of type string, null given, called in /var/www/html/uccio3021812/web/modules/contrib/openid_connect/src/OpenIDConnect.php on line 235 in Drupal\openid_connect_windows_aad\Plugin\OpenIDConnectClient\WindowsAad->retrieveUserInfo() (line 348 of /var/www/html/uccio3021812/web/modules/contrib/openid_connect_windows_aad/src/Plugin/OpenIDConnectClient/WindowsAad.php) 

the problem is due to the missing access_token.
In the Microsoft response it does not include it if there is openid in the scope.

I think the change of fix_33 should be ported to the 2.x branch

Thanks for the suport

I am pretty sure this is a general error during update from openid_connect_windows_aad 1.x to 2.x. Could you check the settings in the module again? Make sure the client secret is stored in key module properly. Thanks.

@webflo

how I would love it if the problem was just configuration :(

To prevent any "migration" I uninstalled the modules cleaned the caches and after via composer installed everything including patching.

@Uccio Thanks for the configuration. I've build a new Azure B2C Tenant and an v2 Application. I followed the guide on https://learn.microsoft.com/en-us/azure/active-directory-b2c/access-tokens and configured everything via the access token. I hope that's doable in the most setups.

Drupal-Backend Configuration:

• User info endpoint configuration: Alternate or no user endpoint
• Alternate UserInfo endpoint: [empty]

Azure Configuration:

Custom B2C Policy with "Email Addresses" activated as Application Claim.

@webflo

I confirm that patch 45 solves all the problems of beta4 for Azure B2C users.

In summary, those who need to use Azure AD B2C authentication can choose:

Branch 1.x (current stable)

• - openid_connect:8.x-1.2
• - openid_connect_windows_aad:8.x-1.4 + patch-33

Branch 2.x (beta)

• - openid_connect:2.0.0-beta3
• - openid_connect:beta-2.0.0-beta4 + patch-45

IMHO the beta branch could include the 45 ... but I leave the hard decision to the maintainers.

I remain available to test patches (@webflo contact me in PVT when you want)

The patch proposed in comment #33 throws error.

Undefined index: mail

Attaching a new patch updating the index from 'mail' to 'email'.

I have been successfully using the above-mentioned versions and the relevant patch of comment 47 for a few months now.

@frank8199 are you sure you have configured azure correctly?
Are you using V2 of the microsoft integration?
I had the same problem when I didn't put the "openid" privilege.

Using the module I felt like having a full logout also on Azure and not only on Drupal but it didn't work...

In my version of azure( B2C + v2) the logout path is very different from "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_..." and it didn't go.

I enclose a patch for version 8.x-1.4 which allows you to specify a custom logout path.

The patch is based on patch 33

Thank you

I have committed the patch from #45. Please open a new issue for logout / end session handling. OpenID Connect version 2.x has this feature already.

This might be useful for someone, we updated openid_connect to version 3.0@alpha2 and windows_aad to 2.0@beta6.

For some reason the latest release didn't work for us so we have adjusted the patch from #33.

It also includes a fix from:this issue

Re-roll of patch 53 for 2.0.0-beta9