Doesn't work for version v2.0 Azure Active Directory B2C

Created on 20 December 2018, over 5 years ago
Updated 3 November 2023, 8 months ago

This module does not seem to be working for v2.0 of Azure Active Directory B2C.

🐛 Bug report

Status: Fixed

Version: 2.0

Component: Code

Created by: 🇺🇦Ukraine Andrew.Dmytriv


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇮🇹Italy Uccio

    I thank everyone for the work done.

    I have installed many variants and tried several patches to get a working authentication with Azure AD B2C

    At the moment I can confirm that authentication works correctly with:

    On the contrary, at the moment the beta versions do not work:

    • openid_connect:2.0.0-beta3
    • openid_connect:beta-2.0.0-beta4

    Translated with www.DeepL.com/Translator (free version)

  • 🇩🇪Germany webflo

    @Uccio - Thanks for your feedback. Which endpoint do you use as userinfo endpoint? Here is a patch for 2.x to make it work with Graph API.

  • 🇮🇹Italy Uccio

    @webflo

    For version openid_connect:8.x-1.2 + patch ( patch )

    I use this configuration:

    I gladly try version 2.x

    I use these versions: openid_connect:2.0.0-beta3 + openid_connect:beta-2.0.0-beta4 + (patchv2)

    Or should I start from the 2.x development branch and apply the patch?

    Let me know which of the two ways you prefer.

  • Status changed to Needs review over 1 year ago
  • 🇩🇪Germany webflo

    Thanks. https://graph.microsoft.com/oidc/userinfo follows the OIDC spec. Therefore it is possible to skip the whole logic related to mail vs. email.

    @Uccio Please try openid_connect_windows_aad:2.0.0-beta4 + this patch.

  • 🇮🇹Italy Uccio

    @webflo

    I installed the beta4 with composer:

    After login, Drupal goes to WSOD.

    The crash log is:

    TypeError: Drupal\openid_connect_windows_aad\Plugin\OpenIDConnectClient\WindowsAad::retrieveUserInfo(): Argument #1 ($access_token) must be of type string, null given, called in /var/www/html/tp.eutelsat.com/web/modules/contrib/openid_connect/src/OpenIDConnect.php on line 235 in Drupal\openid_connect_windows_aad\Plugin\OpenIDConnectClient\WindowsAad->retrieveUserInfo() (line 348 of /var/www/html/uccio3021812/web/modules/contrib/openid_connect_windows_aad/src/Plugin/OpenIDConnectClient/WindowsAad.php) 
    

    The problem is due to the missing access_token.
    The Microsoft response does not include it if there is openid in the scope.

    I think the change of fix_33 should be ported to the 2.x branch

    Thanks for the support

  • 🇩🇪Germany webflo

    I am pretty sure this is a general error during update from openid_connect_windows_aad 1.x to 2.x. Could you check the settings in the module again? Make sure the client secret is stored in key module properly. Thanks.

  • 🇮🇹Italy Uccio

    @webflo

    How I would love it if the problem was just configuration :(

    To prevent any "migration" I uninstalled the modules, cleaned the caches, and afterwards installed everything via composer, including patching.

  • 🇩🇪Germany webflo

    @Uccio Thanks for the configuration. I've built a new Azure B2C Tenant and a v2 Application. I followed the guide on https://learn.microsoft.com/en-us/azure/active-directory-b2c/access-tokens and configured everything via the access token. I hope that's doable in most setups.

    Drupal-Backend Configuration:

    • User info endpoint configuration: Alternate or no user endpoint
    • Alternate UserInfo endpoint: [empty]


    Azure Configuration:

    Custom B2C Policy with "Email Addresses" activated as Application Claim.
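
The crash reported above (a null `access_token` passed to a string-typed `retrieveUserInfo()`) and the "Alternate or no user endpoint" setting both come down to building the user info from the ID token when no access token is available. The following PHP sketch is an added example, not code from openid_connect, openid_connect_windows_aad or any patch in this issue; the function names, the `$fetch` callable, the sample token and the handling of an `emails` array claim are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: signature, issuer, audience and expiry of the ID token were
// already validated by the OIDC library before these helpers are called.

/** Decode the claims segment of a compact JWT (no verification here). */
function id_token_claims(string $jwt): array {
  $parts = explode('.', $jwt);
  if (count($parts) !== 3) {
    throw new InvalidArgumentException('ID token is not a three-part JWT');
  }
  $b64 = strtr($parts[1], '-_', '+/');
  $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
  $json = base64_decode($b64, true);
  $claims = $json === false ? null : json_decode($json, true);
  if (!is_array($claims)) {
    throw new InvalidArgumentException('ID token payload is not a JSON object');
  }
  return $claims;
}

/** $fetch: hypothetical userinfo-endpoint caller, or null when none is configured. */
function resolve_user_info(array $tokens, ?callable $fetch): array {
  $access = $tokens['access_token'] ?? null;
  if ($fetch !== null && is_string($access) && $access !== '') {
    $info = $fetch($access);
  } else {
    // Missing access token or no endpoint: use ID token claims instead of
    // handing null to a method that requires a string.
    if (!is_string($tokens['id_token'] ?? null)) {
      throw new RuntimeException('Token response has neither access_token nor id_token');
    }
    $info = id_token_claims($tokens['id_token']);
  }
  // Assumption: the B2C "Email Addresses" claim arrives as an `emails` array.
  if (empty($info['email']) && is_array($info['emails'] ?? null)
      && is_string($info['emails'][0] ?? null)) {
    $info['email'] = $info['emails'][0];
  }
  if (empty($info['sub'])) {
    throw new RuntimeException('User info has no sub claim');
  }
  return $info;
}

// Constructed sample: token response without access_token, unsigned test JWT.
$claims = ['sub' => 'constructed-subject-id', 'emails' => ['user@example.com']];
$payload = rtrim(strtr(base64_encode(json_encode($claims)), '+/', '-_'), '=');
$info = resolve_user_info(['id_token' => "e30.$payload.sig", 'access_token' => null], null);
echo $info['sub'], ' ', $info['email'], PHP_EOL;
```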

  • 🇮🇹Italy Uccio

    @webflo

    I confirm that patch 45 solves all the problems of beta4 for Azure B2C users.

    In summary, those who need to use Azure AD B2C authentication can choose:

    Branch 1.x (current stable)

    • openid_connect:8.x-1.2
    • openid_connect_windows_aad:8.x-1.4 + patch-33

    Branch 2.x (beta)

    • openid_connect:2.0.0-beta3
    • openid_connect:beta-2.0.0-beta4 + patch-45

    IMHO the beta branch could include the 45 ... but I leave the hard decision to the maintainers.

    I remain available to test patches (@webflo contact me in PVT when you want)

  • 🇮🇹Italy Uccio

    I have been successfully using the above-mentioned versions and the relevant patch of comment 47 for a few months now.

    @frank8199 are you sure you have configured Azure correctly?
    Are you using V2 of the Microsoft integration?
    I had the same problem when I didn't put the "openid" privilege.

    Using the module I felt like having a full logout also on Azure and not only on Drupal but it didn't work...

    In my version of Azure (B2C + v2) the logout path is very different from "https://login.microsoftonline.com/common/oauth2/v2.0/logout?post_logout_..." and it didn't go.

    I enclose a patch for version 8.x-1.4 which allows you to specify a custom logout path.

    The patch is based on patch 33

    Thank you

    • webflo committed 7e68a187 on 2.0.x
      Issue #3021812 by msmalik, webflo, rahul-kr-sh, clement.ferrier, Uccio,...
  • Status changed to Fixed 12 months ago
  • 🇩🇪Germany webflo

    I have committed the patch from #45. Please open a new issue for logout / end session handling. OpenID Connect version 2.x has this feature already.

  • Automatically closed - issue fixed for 2 weeks with no activity.

  • Status changed to Fixed 8 months ago
  • 🇳🇱Netherlands Arantxio Dordrecht

    This might be useful for someone, we updated openid_connect to version 3.0@alpha2 and windows_aad to 2.0@beta6.

    For some reason the latest release didn't work for us so we have adjusted the patch from #33.

    It also includes a fix from: 🐛 Call to a member function getKeyValue() on null Needs review
