From 13a9d42e6707b588043ec7c851b865b4bb2d2b58 Mon Sep 17 00:00:00 2001 From: James Edmonston Date: Sat, 7 Jan 2023 16:16:09 +0000 Subject: [PATCH] Microsoft Auth improvements --- src/services/MicrosoftService.php | 76 +++++++++++++++---------------- 1 file changed, 37 insertions(+), 39 deletions(-) diff --git a/src/services/MicrosoftService.php b/src/services/MicrosoftService.php index 40722ca..5874efe 100644 --- a/src/services/MicrosoftService.php +++ b/src/services/MicrosoftService.php @@ -14,6 +14,7 @@ use jamesedmonston\graphqlauthentication\gql\Auth; use jamesedmonston\graphqlauthentication\GraphqlAuthentication; use TheNetworg\OAuth2\Client\Provider\Azure; +use Throwable; use yii\base\Event; class MicrosoftService extends Component @@ -70,7 +71,7 @@ public function registerGqlQueries(RegisterGqlQueriesEvent $event) $sessionService->set('state', $state); $url = $provider->getAuthorizationUrl([ - 'scope' => ['offline_access'], + 'scope' => ['offline_access', 'profile', 'user', 'email'], 'state' => $state, ]); @@ -181,45 +182,42 @@ protected function _getUserFromToken(string $code, string $state): array $settings = GraphqlAuthentication::$settings; $errorService = GraphqlAuthentication::$errorService; - $sessionService = Craft::$app->getSession(); - $sessionState = $sessionService->get('state'); - - if ($state !== $sessionState) { - $errorService->throw($settings->invalidOauthToken); - } - - $provider = new Azure([ - 'clientId' => GraphqlAuthentication::getInstance()->getSettingsData($settings->microsoftAppId), - 'clientSecret' => GraphqlAuthentication::getInstance()->getSettingsData($settings->microsoftAppSecret), - 'redirectUri' => GraphqlAuthentication::getInstance()->getSettingsData($settings->microsoftRedirectUrl), - ]); - - $accessToken = $provider->getAccessToken('authorization_code', [ - 'code' => $code, - ]); - - $user = $provider->getResourceOwner($accessToken); - $email = $user->claim('email'); - - if (!$email) { - $errorService->throw($settings->emailNotInScope); - } - - if ($settings->allowedMicrosoftDomains) { - GraphqlAuthentication::$socialService->verifyEmailDomain( - $email, - $settings->allowedMicrosoftDomains, - $settings->microsoftEmailMismatch + try { + $provider = new Azure([ + 'clientId' => GraphqlAuthentication::getInstance()->getSettingsData($settings->microsoftAppId), + 'clientSecret' => GraphqlAuthentication::getInstance()->getSettingsData($settings->microsoftAppSecret), + 'redirectUri' => GraphqlAuthentication::getInstance()->getSettingsData($settings->microsoftRedirectUrl), + ]); + + $accessToken = $provider->getAccessToken('authorization_code', [ + 'code' => $code, + ]); + + $user = $provider->getResourceOwner($accessToken); + $email = $user->claim('email') ?? $user->claim('upn'); + + if (!$email) { + $errorService->throw($settings->emailNotInScope); + } + + if ($settings->allowedMicrosoftDomains) { + GraphqlAuthentication::$socialService->verifyEmailDomain( + $email, + $settings->allowedMicrosoftDomains, + $settings->microsoftEmailMismatch + ); + } + + $firstName = $user->claim('given_name') ?? ''; + $lastName = $user->claim('family_name') ?? ''; + + return compact( + 'email', + 'firstName', + 'lastName' ); + } catch (Throwable $e) { + $errorService->throw($e->getMessage()); } - - $fullName = "{$user->getFirstName()} {$user->getLastName()}"; - - $sessionService->remove('state'); - - return compact( - 'email', - 'fullName' - ); } }