Bugfixes + extra validation + tenant support on api calls

[TheBabaYaga]

Closes #34 + Added extra validation on client id if you use client_credentials grant

[hajekj]

What does the tenant support on api calls do exactly? Can you please provide a sample where this is used?

The reason why I am asking is because there are different versions of odata spec, in which (MS Graph) returns full URL, where (Azure Graph) returns only the address part without tenant. So I think this could technically break things.

[TheBabaYaga]

If you have an OAuth2 application that does api calls for the user instead of the user itself.

For example if you have an OAuth2 application setup with the client_credentials grant you request oauth tokens like this:

`POST /2337dcc6-3a21-4d95..../oauth2/token HTTP/1.1
Host: login.microsoftonline.com
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="client_id"

------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="scope"

https://graph.windows.net/2337dcc6-3a21-4d95..../.default
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="client_secret"

------WebKitFormBoundary7MA4YWxkTrZu0gW Content-Disposition: form-data; name="grant_type"

client_credentials
------WebKitFormBoundary7MA4YWxkTrZu0gW--`

And you get back:

{ "token_type": "Bearer", "expires_in": "3599", "ext_expires_in": "0", "expires_on": "1512658264", "not_before": "1512654364", "resource": "00000002-<truncated>", "access_token": "eyJ0eXAiOiJK<truncated>" }

If then you want to do an api call to get for example all the users you need to include the tenant in the uri:

https://graph.windows.net/2337dcc6-3a21-4d95..../users?api-version=1.6

If you don't include the tenant information you'll get the following response:

https://graph.windows.net/users?api-version=1.6

{ "odata.error": { "code": "Request_InvalidRequestUrl", "message": { "lang": "en", "value": "Request url was invalid. The request should be like /tenantdomainname/Entity or /$metadata. Tenant domain name can be any of the verified, unverified domain names or context id." } } }

I'll change the commit to remove the 'common' and only add the tenant if it's set as an option if that's ok for you. If you need more info feel free to ask or decline PR.

[TheBabaYaga]

I've updated the file to make sure it stays as it is by default and only add the tenant if it's set as an option on the provider.

[hajekj]

Let's do it a bit different then: Here's a detection whether the nextLink is URL - https://github.com/NoScopie/oauth2-azure/blob/b031aac960bc334debaac8141b5fe03188cb889e/src/Provider/Azure.php#L181 I would defintiely start there. So if the nextLink is not URL, check if it is meant for Azure Graph, then do the magic with tenant. Also, I am not sure if common is going to work with Azure Graph, the common equivalent there is myorganization. Could you please check on that?

[TheBabaYaga]

Hi, sorry for the late reply. Atm I don't have time to look into this further due to a large project I'm working on. I'll try to get back to this asap.

[hajekj]

I am not going to merge this PR, instead I reworked the changes in 3163106 If this is alright with you @NoScopie, I can release this as a new version.