Vitas

Reputation: 50

Problem with Azure AD authentication - Bearer token returns only app information

I have a problem implementing Azure AD SSO for my website.

The Azure AD configuration uses a certificate instead of a secret. Everything looks to be working, but https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token returns a Bearer token which contains only app information and I'm trying to get the user information for the user who has logged in.

Can anyone provide me with some information and tips on how to obtain the user information?

Code for getting Bearer token:

public function getAccessToken(){
    $link = "https://login.microsoftonline.com/{$this->tenantId}/oauth2/v2.0/token";
    // The token endpoint reads a form-encoded body, so the header that matters
    // is Content-Type (the original sent it as Accept).
    $request_headers = array(
        'Content-Type: application/x-www-form-urlencoded'
    );
    $post_data = array(
        "client_id" => $this->clientId,
        // client_credentials is an app-only grant: the token it returns carries
        // the application's identity, never the signed-in user's.
        "grant_type" => "client_credentials",
        "client_assertion_type" => "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion" => $this->jwToken, // JWT signed with the app's certificate
        "scope" => "https://graph.microsoft.com/.default",
        // code and redirect_uri are ignored by the client_credentials grant
        "code" => $this->responseCode,
        "redirect_uri" => $this->redirectUri,
    );
    $curlResponse = $this->sendCURLRequest($link, $request_headers, $post_data);
    var_export($curlResponse);
    return $curlResponse;
}

Upvotes: 0

Views: 716

Answers (1)

Allen Wu

Reputation: 16438

As @juunas suggested, you should use authorization code flow rather than client credentials flow.

Now that you have got the code from Request an authorization code, next you need to Redeem a code for an access token.

POST /{tenant}/oauth2/v2.0/token HTTP/1.1
Host: https://login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded

client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&code=OAAABAAAAiL9Kn2Z27UubvWFPbm0gLWQJVzCTE9UkP3pSx1aXxUjq3n8b2JRLk4OxVXr...
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&grant_type=authorization_code
&code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
&client_secret=JqQX2PNo9bpM0uEihUPzyrh    // NOTE: Only required for web apps. This secret needs to be URL-Encoded.

What you have used is the client credentials flow to get a token, in which you don't need the code.

Upvotes: 2
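To tie the answer's HTTP request back to the asker's PHP, here is an added example (not the asker's code, not Allen Wu's, and not Microsoft's sample) that redeems an authorization code with `grant_type=authorization_code`, keeps the certificate-signed `client_assertion` the asker already uses in place of `client_secret`, and then reads the signed-in user from the resulting `id_token` or from Graph `/me`. The function names, the `$clientAssertion` and `$codeVerifier` parameters, the scope list and the `$_SESSION` keys in the usage comment are assumptions made for this example.

```php
<?php
// Added example, not code from the question or the answer. Assumes the browser has
// already been sent to /authorize and came back to $redirectUri with ?code=...&state=...,
// that a PKCE code_verifier was generated before that redirect, and that $clientAssertion
// is a JWT signed with the app's certificate (what the asker calls $this->jwToken).

function buildAuthCodeTokenRequest(
    string $clientId,
    string $clientAssertion,
    string $code,
    string $redirectUri,
    string $codeVerifier
): array {
    return [
        'client_id'             => $clientId,
        'grant_type'            => 'authorization_code',   // delegated flow, not client_credentials
        'code'                  => $code,
        'redirect_uri'          => $redirectUri,           // must equal the one used in /authorize
        'code_verifier'         => $codeVerifier,          // PKCE: proves this client started the flow
        // openid + profile produce an id_token with the user's identity; User.Read lets the
        // access token call Graph /me. (The exact scope list is an assumption of this example.)
        'scope'                 => 'openid profile https://graph.microsoft.com/User.Read',
        // certificate-based client authentication, replacing client_secret
        'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
        'client_assertion'      => $clientAssertion,
    ];
}

// Minimal cURL helper: POST when a form body is given, GET otherwise; returns decoded JSON.
function httpJson(string $url, array $headers, ?string $formBody = null): array {
    $ch = curl_init($url);
    $opts = [
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
    ];
    if ($formBody !== null) {
        $opts[CURLOPT_POST]       = true;
        $opts[CURLOPT_POSTFIELDS] = $formBody;
    }
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("request to $url failed: $err");
    }
    $decoded = json_decode($body, true);
    return is_array($decoded) ? $decoded : ['raw' => $body];
}

function redeemAuthorizationCode(string $tenantId, array $fields): array {
    $url  = "https://login.microsoftonline.com/{$tenantId}/oauth2/v2.0/token";
    // http_build_query form-encodes and URL-encodes every value, including the assertion
    $resp = httpJson($url, ['Content-Type: application/x-www-form-urlencoded'], http_build_query($fields));
    if (!isset($resp['access_token'])) {
        throw new RuntimeException('token error: ' . ($resp['error_description'] ?? json_encode($resp)));
    }
    return $resp;   // access_token, plus id_token because openid was requested
}

// Decode the id_token payload to see who signed in. This only parses the JWT; before
// trusting the claims, verify the signature against the tenant's JWKS and check
// iss, aud, exp and nonce.
function idTokenClaims(string $idToken): array {
    $parts = explode('.', $idToken);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('id_token is not a compact JWS');
    }
    $b64  = strtr($parts[1], '-_', '+/');                 // base64url -> base64
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);   // restore padding
    $raw  = base64_decode($b64, true);
    $claims = $raw === false ? null : json_decode($raw, true);
    return is_array($claims) ? $claims : [];
}

// Alternatively ask Graph whose token this is. With a delegated token this returns the
// user; with a client_credentials token the call fails because no user is attached.
function graphMe(string $accessToken): array {
    return httpJson('https://graph.microsoft.com/v1.0/me', ['Authorization: Bearer ' . $accessToken]);
}

// Usage, inside the redirect handler, after confirming $_GET['state'] equals the value
// stored in the session when the user was sent to /authorize:
// $fields = buildAuthCodeTokenRequest($clientId, $clientAssertion, $_GET['code'],
//                                     $redirectUri, $_SESSION['pkce_verifier']);
// $tokens = redeemAuthorizationCode($tenantId, $fields);
// $user   = idTokenClaims($tokens['id_token']);   // e.g. $user['preferred_username'], $user['oid']
```

The two changes relative to the asker's request are the grant type and the presence of `code_verifier`; everything about the certificate assertion stays the same, which is why the token endpoint accepted the original call and simply returned an app-only token.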
