Code changes required to set up as described in the module documentation

Created on 22 December 2020, over 3 years ago

Updated 18 October 2023, 8 months ago

Problem/Motivation

When evaluating this module for use on a project requiring authorisation via Azure AD, I followed the documentation → but had to add additional Drupal configuration and change code in the module to make it work.

I'm not sure if the module is wrong, the documentation is wrong, I've misunderstood how it says to set up Azure AD, or some mixture of it all, but I'm happy to try to patch or improve documentation if someone can clarify what's going on.

Using PHP 7.3, Drupal 9.1.0 minimal install profile, OpenID Connect 8.x-1.0, and OpenID Connect Windows Azure Active Directory.

The first issue was that without setting the Alternate UserInfo endpoint on /admin/config/services/openid-connect, I would always get the error

The e-mail address is not valid:

after clicking the Log in with Windows Azure AD for an AD user that does not exist yet in the Drupal database.

Looking in the debugger, it appears that Drupal\openid_connect_windows_aad\Plugin\OpenIDConnectClient\WindowsAad::retrieveUserInfo() will return an empty array unless the Alternate UserInfo endpoint is set. This in turn causes Drupal\openid_connect\OpenIDConnect::buildContext() to trigger the error visible in the UI, and fail to create the user.

Setting the Alternate UserInfo endpoint is not mentioned in the documentation, but I don't know how user creation from Azure AD could work without it (if you're not using Azure AD Graph API or Windows Graph API (v1.0).

Setting the Alternate UserInfo endpoint to https://graph.microsoft.com/oidc/userinfo (found by Googling!) did return userinfo, but there is some juggling in Drupal\openid_connect_windows_aad\Plugin\OpenIDConnectClient\WindowsAad::retrieveUserInfo() but it's subtly different to the data in the response

      // Azure provides 'mail' for userinfo vs email.
      if (!isset($profile_data['mail'])) {

Azure's response actually has the email address in the $profile_data['email'] field. If the module is patched to look for $profile_data['email'], then user creation and log in/out via SSO and Azure AD works!

So either my set up is wrong or the documentation is wrong, or the code is wrong (or outdated if Azure changed behaviour?) but I'm not sure why. Happy to improve code or documentation if someone can clarify why these steps are necessary.

🐛 Bug report

Status

Needs work

Version

1.0

Component

Code

Created by

🇬🇧United Kingdom Eli-T Manchester

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment 11 months ago →
solideogloria
Status changed to Needs work 11 months ago3:41pm 9 August 2023
Comment 11 months ago →
solideogloria
The latest patch won't work. I tried both the Windows Graph API and the Azure AD Graph API, and I still see it returning mail, not email.

So you should only do $profile_data['mail'] = $profile_data['email']; if $profile_data['mail'] is not set, but $profile_data['email'] is.

Comment 11 months ago →

🇮🇹Italy apaderno Brescia, 🇮🇹

+      // Temporary fix : store email from openid in $profile_data['mail']
+      $profile_data['mail'] = $profile_data['email'];

The patch should provide a definitive fix, not a temporary fix.

Comment 10 months ago →
🇳🇴Norway vegardjo
Patch from #7 works for me too when using the https://graph.microsoft.com/oidc/userinfo endpoint (have not tried other settings)
Comment 8 months ago →
🇫🇮Finland thatguy
Re-rolled #7 for 2.x

contrib.social Blog FAQ Discussions

Production build 0.69.0 2024