
    About Azure AD v2 vs v1 and FusionAuth

    devops 0

      Hello, I hope you are doing great. A few weeks ago I started an implementation of social login for Microsoft accounts (Azure AD).

      Obviously I read the FusionAuth documentation as a base to know how to implement this feature, and because I am using a ReactJS application, the package I am using is https://fusionauth.io/docs/v1/tech/client-libraries/node

      As the documentation says, the way to implement this is with OpenID Connect, so I started using this identity provider and the configuration was added. At the beginning this was configured using the OAuth 2.0 v2 endpoints. But I had an issue with PKCE: apparently there is no way to pass the code challenge to the fusionauthClient.identityProviderLogin method to complete the identity provider login flow.

      So I just changed the configuration to the OAuth 2.0 v1 endpoints, and from there the identity provider login works fine with Microsoft accounts. But when I try with Microsoft enterprise accounts the identity provider login fails.

      So, with this context I have two questions:

      1. Is this issue related to the OAuth 2.0 version selected?
      2. If yes, is there a way to pass this challenge code to the FusionAuthClient to complete the identity provider flow? If it is not possible with the FusionAuthClient, is there a way to do it with the FusionAuth API endpoints?

      I think this is it. I really appreciate your help with this. Thanks.

      dan @devops 0

        @devops-0

        Hiya, can you enable debug on the Identity Provider connection and then share your event log? That might shed some light on things.

        Also, the Node client library is deprecated and we recommend using the TypeScript library.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        devops 0 @dan

          @dan Thanks for answering this post. I will proceed to check this tomorrow and I will let you know how this goes after testing it again. I didn't know that the Node client was deprecated, so thanks for the update about this. I am going to replace the package with the TypeScript library.

          devops 0 @dan

            @dan Good evening, I hope you are doing great. I just proceeded to enable debug for the identity provider (that was enabled already).

            I am using the v1 AD endpoints. I reproduced the error, but FusionAuth doesn't show any errors, because I think this doesn't have anything to do with FusionAuth. The error that Azure shows is:

            AADSTS50020: User account 'email@example.com' from identity provider 'https://sts.windows.net/<tenant-id>/' does not exist in tenant 'Directorio predeterminado' and cannot access the application '<app-id>'(<app name>) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
            

            The fact that FusionAuth doesn't detect any error is kind of expected, because at this point we are in the Azure login flow. I am assuming that this is related to the v1 endpoints on Azure AD.

            The first time, I just started using the v2 endpoints, but the problem was FusionAuth, and the error was the challenge, because the JavaScript library method doesn't have any param to pass the challenge values. So my question here is: does the TypeScript client support the PKCE authentication challenge? If the answer is negative, then is it possible to achieve this with the FusionAuth endpoints (passing the challenge codes to the endpoint to complete the flow)?

            devops 0

              Now using the v2 endpoints (passing the code_challenge and the code_challenge_method to retrieve the authorization token: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow). The FusionAuth Microsoft OpenID Connect provider returns the following error:

              Request to the [https://login.microsoftonline.com/<tenant-id>/oauth2/token] endpoint failed. Status code [400].
              
              Error response is 
              {
                "error" : "invalid_grant",
                "error_description" : "AADSTS50148: The code_verifier does not match the code_challenge supplied in the authorization request for PKCE.\r\nTrace ID: c0836075-1551-45ad-9fce-9b7a7716d201\r\nCorrelation ID: 16f33aed-50eb-461a-9740-66299e56fe58\r\nTimestamp: 2022-05-12 15:57:26Z",
                "error_codes" : [ 50148 ],
                "timestamp" : "2022-05-12 15:57:26Z",
                "trace_id" : "c0836075-1551-45ad-9fce-9b7a7716d201",
                "correlation_id" : "16f33aed-50eb-461a-9740-66299e56fe58",
                "error_uri" : "https://login.microsoftonline.com/error?code=50148"
              }
              

              I assume that this is because there is no way to pass this challenge code. Also, I notice that the URL used by FusionAuth to get the token is a v1 endpoint, https://login.microsoftonline.com/<tenant-id>/oauth2/token. So I ask again: is there a way to use the v2 endpoints and code_challenge to complete the login flow for Microsoft OpenID Connect providers?

                dan @devops 0

                @devops-0

                So I want to sum up what you are doing to make sure I understand.

                1. You are trying to add a 'login with microsoft' button.
                2. You are using the OIDC Identity provider.
                3. You are not using the FusionAuth hosted login pages (you want to control the UX yourself) and are using the 'complete' API call documented here: https://fusionauth.io/docs/v1/tech/apis/identity-providers/openid-connect#complete-an-openid-connect-login
                4. You are trying to use v2 for the endpoints.
                5. You are using the typescript client.

                Is that correct? Because if you are using the hosted login pages (more here about that) then you should be able to follow these instructions: https://fusionauth.io/docs/v1/tech/identity-providers/openid-connect/azure-ad

                We have an example react application where you redirect over to the FusionAuth hosted login pages (which you can theme) and then get sent back to react. Here's a blog post about this: https://fusionauth.io/blog/2021/11/11/how-to-authenticate-your-react-app


                  danielg.rodrigues42

                  While I understand this topic has been previously discussed, I believe it's still relevant due to the similarity in my use case.

                  I'm currently integrating Discord login into my application using the OpenID Connect identity provider. My goal is to implement a custom user experience that doesn't rely on FusionAuth's hosted login pages.

                  As mentioned in previous discussions, the current documentation doesn't provide a way to pass the PKCE code_verifier when requesting the "Complete an OpenID Connect Login" endpoint.

                  I'd like to propose two improvements:

                  1. Allow passing code, code_verifier (optional), and redirect_uri in the request payload. This would be more flexible and allow the usage of PKCE;

                  2. Allow passing an access token directly. This would eliminate the need for FusionAuth to process the exchange step, similar to how Facebook's identity provider works (for example). This would probably also require the configuration of an endpoint to fetch the user email or username.

                  As a side note, since the Discord access_token is not a JWT, I believe this cannot be done using the "External JWT" identity provider.

                  Hope you can help me with this.
                  Thanks!
