
The Code_Verifier does not match the code_challenge supplied in the authorization request #175

Open
khalifaelbanan opened this issue Nov 22, 2022 · 3 comments


@khalifaelbanan

Greetings,
I'm new to Azure and I need to implement a login flow using Azure AD for an application where the frontend retrieves the code and the backend has to generate the access token from the code already generated.
On the FE side I'm using React with @azure/msal-browser and my source code looks like:

import { PublicClientApplication } from '@azure/msal-browser';

// msal-browser (v2) runs the authorization code flow with PKCE: it generates
// the code_verifier itself and keeps it in the configured cache (sessionStorage here).
const publicClientApp = new PublicClientApplication({
  auth: {
    clientId: azureConfig.clientId,
    authority: azureConfig.authority,
    redirectUri: azureConfig.redirectUrl,
  },
  cache: {
    cacheLocation: 'sessionStorage',
    storeAuthStateInCookie: false,
  },
});
// Redirects to Azure AD; the authorization code comes back on redirectUri.
await publicClientApp.loginRedirect({
  scopes: azureConfig.scopes,
  prompt: 'select_account',
});

Then I receive a code:
code=0.AU4AxXIC70Ma9ESVBt5raWVI_yqY9ha1CQhMgMGmdTdc8tODAAA...

On the BE side I receive this code and I need to generate the access token and get user claims. To do this I have my Symfony project with the thenetworg/oauth2-azure package installed, so my code looks like:

use TheNetworg\OAuth2\Client\Provider\Azure;

$this->provider = new Azure([
    'clientId'          => $this->parameterBag->get('azure_client_id'),
    'clientSecret'      => $this->parameterBag->get('azure_client_secret'),
    'redirectUri'       => $this->parameterBag->get('azure_redirect_uri'),
    'scopes'            => ['openid'],
    'defaultEndPointVersion' => Azure::ENDPOINT_VERSION_2_0,
]);

// Redeem the code received from the frontend at the v2.0 token endpoint.
$token = $this->provider->getAccessToken('authorization_code', [
    'scope' => $this->provider->scope,
    'code' => $code,
]);

But I receive this error:
invalid_grant AADSTS501481: The Code_Verifier does not match the code_challenge supplied in the authorization request.
Trace ID: 254744d9-ab7b-4c31-9dbe-0485bfd50501
Correlation ID: bb4a3ddf-6527-4b2c-98af-a124b66527d6
Timestamp: 2022-11-22 15:08:41Z

Any hint to get this done?

@decomplexity

React with @azure/msal-browser (i.e. V2) will force a PKCE code challenge with a (default) code challenge method of S256 for an SPA with authorization_code flow.
From memory, I don’t believe that thenetworg/oauth2-azure, greew/oauth2-azure-provider or stevenmaguire/oauth2-microsoft providers offer PKCE themselves, but thephpleague oauth2-microsoft generic provider does so – you need the getPkceCode() and setPkceCode methods (see https://oauth2-client.thephpleague.com/usage/)

And note that for PHPMailer to work, your scope permissions should be "offline_access https://outlook.office.com/SMTP.Send"

@khalifaelbanan
Author

Thanks @decomplexity for your response. I'm trying to find a package with React to replace msal-browser that allows me to pass my custom code_challenge and code_challenge_method

@limogin

limogin commented Jun 19, 2023

But I understand that the implementation of getting the PKCE code is delegated to the inheriting class. In the GenericProvider class there is no way to be able to get this code in the case of Azure AD.
