
#2226 OpenID MicrosoftGraph tenant setting

Extensions
accepted
None
Extension
Medium
2.6.0
defect
2024-02-07
2024-02-01
No

Hi.
I was trying to set up MicrosoftGraph login for our tenant but there is an error:
AADSTS50194: Application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxx' is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.

The problem is that it is not possible to specify the tenant via the config-itop.php file. Looking at https://github.com/hybridauth/hybridauth/blob/master/src/Provider/MicrosoftGraph.php#L29 it should be possible to specify the 'tenant' parameter to correct this, but the file combodo-hybridauth/vendor/hybridauth/hybridauth/src/Provider/MicrosoftGraph.php is different: the function initialize() is missing. Adding back this function solves the problem.

Discussion

  • Pierre Goiffon

    Pierre Goiffon - 2024-02-01

    Hello,
    Allowing the use of a single tenant in Azure was already asked in [#2107]
    There was some news lately, check the original ticket!

     

    Related

    Tickets: #2107

  • Pierre Goiffon

    Pierre Goiffon - 2024-02-01
    • status: new --> duplicate
    • assigned_to: Pierre Goiffon
     
  • Erik Geletti

    Erik Geletti - 2024-02-02

    This ticket is about combodo-hybridauth, not about Oauth2 with Azure. Here the solution is very simple. Just add this function: https://github.com/hybridauth/hybridauth/blob/master/src/Provider/MicrosoftGraph.php#L74

        protected function initialize()
        {
            parent::initialize();
    
            $tenant = $this->config->get('tenant');
            if (!empty($tenant)) {
                $adjustedEndpoints = [
                    'authorize_url' => str_replace('/common/', '/' . $tenant . '/', $this->authorizeUrl),
                    'access_token_url' => str_replace('/common/', '/' . $tenant . '/', $this->accessTokenUrl),
                ];
    
                $this->setApiEndpoints($adjustedEndpoints);
            }
        }
    

    in these 2 files:
    data/production-modules/combodo-hybridauth/vendor/hybridauth/hybridauth/src/Provider/MicrosoftGraph.php
    env-production/combodo-hybridauth/vendor/hybridauth/hybridauth/src/Provider/MicrosoftGraph.php

    Then it will be possible to specify the tenant ID in config-itop.php
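
The endpoint rewrite performed by the function above, as a stand-alone added example that is not part of the original post and is not Hybridauth or Combodo code. It adds a format check on the tenant value before it is placed in the URL; the function names, the `/common` URLs and the sample tenants are assumptions made for illustration.

```php
<?php
// Added illustration; isValidTenant() and tenantEndpoints() are hypothetical names.

// Assumed "/common" (multi-tenant) endpoints, matching the str_replace() in the posted fix.
const AUTHORIZE_URL    = 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize';
const ACCESS_TOKEN_URL = 'https://login.microsoftonline.com/common/oauth2/v2.0/token';

/**
 * Accept only a tenant GUID or a DNS-style tenant domain, so a mistyped
 * config value cannot add path segments or a query string to the endpoint.
 */
function isValidTenant(string $tenant): bool
{
    $guid   = '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i';
    $domain = '/^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i';
    return preg_match($guid, $tenant) === 1 || preg_match($domain, $tenant) === 1;
}

/** Return the endpoints that would be used for the given tenant setting. */
function tenantEndpoints(?string $tenant): array
{
    $endpoints = ['authorize_url' => AUTHORIZE_URL, 'access_token_url' => ACCESS_TOKEN_URL];
    if ($tenant === null || $tenant === '') {
        // No tenant configured: "/common" stays, which a single-tenant
        // app registration rejects with AADSTS50194.
        return $endpoints;
    }
    if (!isValidTenant($tenant)) {
        throw new InvalidArgumentException('tenant must be a GUID or a domain name');
    }
    foreach ($endpoints as $name => $url) {
        $endpoints[$name] = str_replace('/common/', '/' . $tenant . '/', $url);
    }
    return $endpoints;
}

// Constructed sample values, not taken from the ticket.
$samples = [null, '11111111-2222-3333-4444-555555555555', 'contoso.onmicrosoft.com', 'contoso/extra?x=1'];
foreach ($samples as $sample) {
    try {
        $urls = tenantEndpoints($sample);
        printf("%-40s %s\n", var_export($sample, true), $urls['authorize_url']);
    } catch (InvalidArgumentException $e) {
        printf("%-40s rejected: %s\n", var_export($sample, true), $e->getMessage());
    }
}
```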

     
  • Pierre Goiffon

    Pierre Goiffon - 2024-02-02
    • status: duplicate --> accepted
     
  • Pierre Goiffon

    Pierre Goiffon - 2024-02-02

    Hello,
    Wooops my apologies, and thanks for the clarification and the detailed solution!

    Normally I would have asked to open a pull request on the corresponding code repository, but it is private (I think it is a mistake as the extension is free on iTop Hub, I'll check !)

    I added a ticket in our internal system (reference N°7205) and I'll create a PR in the repository.

    Thanks!

     
  • Pierre Goiffon

    Pierre Goiffon - 2024-02-02

    The repository combodo-hybridauth is now public, it was indeed a mistake on our side.

     
  • Erik Geletti

    Erik Geletti - 2024-02-02

    Thanks. On github my username is @geel97

     
  • Erik Geletti

    Erik Geletti - 2024-02-07

    I noticed that the problem is the old version of hybridauth. Can you update from 3.0-rc10 to 3.11?

     
  • Guillaume Lajarige

    Hello Erik,

    The next version of the module will embed v3.11 of the library, so it should be all good :)
    That being said, we don't have a release date yet, it's currently being tested.

    Guillaume

     
  • Erik Geletti

    Erik Geletti - 2024-02-07

    Perfect! Thanks. I will wait.

     
