Microsoft Auth improvements

src/services/MicrosoftService.php

@@ -14,6 +14,7 @@
 use jamesedmonston\graphqlauthentication\gql\Auth;
 use jamesedmonston\graphqlauthentication\GraphqlAuthentication;
 use TheNetworg\OAuth2\Client\Provider\Azure;
+use Throwable;
 use yii\base\Event;
 
 class MicrosoftService extends Component
@@ -70,7 +71,7 @@ public function registerGqlQueries(RegisterGqlQueriesEvent $event)
                 $sessionService->set('state', $state);
 
                 $url = $provider->getAuthorizationUrl([
-                    'scope' => ['offline_access'],
+                    'scope' => ['offline_access', 'profile', 'user', 'email'],
                     'state' => $state,
                 ]);
 
@@ -181,45 +182,42 @@ protected function _getUserFromToken(string $code, string $state): array
         $settings = GraphqlAuthentication::$settings;
         $errorService = GraphqlAuthentication::$errorService;
 
-        $sessionService = Craft::$app->getSession();
-        $sessionState = $sessionService->get('state');
-
-        if ($state !== $sessionState) {
-            $errorService->throw($settings->invalidOauthToken);
-        }
-
-        $provider = new Azure([
-            'clientId' => GraphqlAuthentication::getInstance()->getSettingsData($settings->microsoftAppId),
-            'clientSecret' => GraphqlAuthentication::getInstance()->getSettingsData($settings->microsoftAppSecret),
-            'redirectUri' => GraphqlAuthentication::getInstance()->getSettingsData($settings->microsoftRedirectUrl),
-        ]);
-
-        $accessToken = $provider->getAccessToken('authorization_code', [
-            'code' => $code,
-        ]);
-
-        $user = $provider->getResourceOwner($accessToken);
-        $email = $user->claim('email');
-
-        if (!$email) {
-            $errorService->throw($settings->emailNotInScope);
-        }
-
-        if ($settings->allowedMicrosoftDomains) {
-            GraphqlAuthentication::$socialService->verifyEmailDomain(
-                $email,
-                $settings->allowedMicrosoftDomains,
-                $settings->microsoftEmailMismatch
+        try {
+            $provider = new Azure([
+                'clientId' => GraphqlAuthentication::getInstance()->getSettingsData($settings->microsoftAppId),
+                'clientSecret' => GraphqlAuthentication::getInstance()->getSettingsData($settings->microsoftAppSecret),
+                'redirectUri' => GraphqlAuthentication::getInstance()->getSettingsData($settings->microsoftRedirectUrl),
+            ]);
+
+            $accessToken = $provider->getAccessToken('authorization_code', [
+                'code' => $code,
+            ]);
+
+            $user = $provider->getResourceOwner($accessToken);
+            $email = $user->claim('email') ?? $user->claim('upn');
+
+            if (!$email) {
+                $errorService->throw($settings->emailNotInScope);
+            }
+
+            if ($settings->allowedMicrosoftDomains) {
+                GraphqlAuthentication::$socialService->verifyEmailDomain(
+                    $email,
+                    $settings->allowedMicrosoftDomains,
+                    $settings->microsoftEmailMismatch
+                );
+            }
+
+            $firstName = $user->claim('given_name') ?? '';
+            $lastName = $user->claim('family_name') ?? '';
+
+            return compact(
+                'email',
+                'firstName',
+                'lastName'
             );
+        } catch (Throwable $e) {
+            $errorService->throw($e->getMessage());
         }
-
-        $fullName = "{$user->getFirstName()} {$user->getLastName()}";
-
-        $sessionService->remove('state');
-
-        return compact(
-            'email',
-            'fullName'
-        );
     }
 }