Support for EntraID as an Oauth provider?

[SerWax]

Hello

is it possible to use EntraID as an Oauth provider?

[brufdev]

Are you referring to Microsoft Entra ID (formerly Azure AD)?

[SerWax]

Yes :)

[brufdev]

I’ve never used that provider, so I need a little help. Can you tell me which one of these might be the right one for you (if any)? The Microsoft-Azure provider has an extra configuration called AZURE_TENANT_ID.

https://socialiteproviders.com/Microsoft/
https://socialiteproviders.com/Microsoft-Azure/

[SerWax]

https://socialiteproviders.com/Microsoft-Azure/

This one has exactly the options that I have already configured on other services, including TENANT_ID

Azure AD to Entra ID has been a recent branding change, but everything else is identical, and most open source projects still retain the old naming. If it is of any help, I have succesfully used Bookstack with Entra, and it also uses socialite: https://github.com/BookStackApp/BookStack

I'd be happy to test things out for you if you can provide a test container

[brufdev]

Ok cool! I might be able to include it today but I'll let you know when it's done.

[brufdev]

I think it will work just fine, but could you please test it before I release it? I have pushed a dev tag to Docker Hub that includes Microsoft Azure SSO. You just need to change the latest tag to dev in your compose.yaml file and add the following environment variables:

environment:
  - AZURE_CLIENT_ID=CLIENT_ID # change id
  - AZURE_CLIENT_SECRET=CLIENT_SECRET # change secret
  - AZURE_TENANT_ID=TENANT_ID # change id
  - AZURE_PROXY=http://your-proxy-url # change url (optional configuration)

[SerWax]

Works great! Thank you!

[SerWax]

Would it be possible to add the email claim?

[brufdev]

I don't see any reference to email claim in the driver. Can you give me more context? What exactly is email claim, and why do you need it?

[SerWax]

In short, claims are the values ratified in the OIDC/OAuth 2.0 standard used to pass information in the jwt token.
Generally, Oauth 2 implementations read the preferred_username. But additional claims can be collected. Email is one of them, and it would be the optional value for the email of the user, which can be different from the username.

A longer answer can be found here (it's a Microsoft resource but Oauth 2.0 is an open standard and it works about the same with most identity providers):
https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference

[brufdev]

Did Many Notes create an account for you when you first logged in through SSO? Did it use the email from your SSO provider? Where would you like Many Notes to use that other optional email?

[SerWax]

Yes it did, it worked perfectly fine! I used a clean database for testing, so zero users, the first user who logged in with oidc was created as super admin, and the rest as normal editors.

For the username it used the user's name field, and as email it used the preferred_username (which in the Microsoft realm is the upn I.e. [email protected]).

But the email does not necessarily correspond to the upn.
To give you a more specific example, it is especially different for guest users, who get a system generated upn that is like username_externaldomain#[email protected]

And if I may have an additional suggestion, it would be great to have an option to directly login with OIDC without having to click on the login button.

Thank you again so much, you're awesome!

[brufdev]

For the username it used the user's name field, and as email it used the preferred_username (which in the Microsoft realm is the upn I.e. [email protected]).

But the email does not necessarily correspond to the upn. To give you a more specific example, it is especially different for guest users, who get a system generated upn that is like username_externaldomain#[email protected]

After you login, the driver only returns that email as you can see here. So, the responsibility of checking for a possible email claim belongs to the driver. What you're saying makes sense, but since I have no experience with that SSO provider, I have no idea if this would make sense in all cases. So, I'm not sure if they would accept this change because it would affect everyone.

Does the email claim get validated to ensure that the email address is yours?

And if I may have an additional suggestion, it would be great to have an option to directly login with OIDC without having to click on the login button.

You can disable local authentication. Read this.

[SerWax]

OOh, I am so sorry, after searching for a bit, I realise now that the Microsoft Azure provider from Socialite is actually the older one that does not support additional claims. Sorry my information was wrong, the most up to date one was this: https://github.com/SocialiteProviders/Microsoft
Microsoft_Azure also works but it's the older one and exposes a narrower user payload.
With this driver we can include the additional claims such as:

return Socialite::driver('microsoft')
->scopes(['openid','profile','email'])
->redirect();

(though i am not sure it is necessary to specify them)

Yes the email is validated within the IdP.

For local authentication, I did set SETTINGS_LOCAL_AUTH_ENABLED=false and added a logout URL with AZURE_POST_LOGOUT_REDIRECT_URI=https://login.microsoftonline.com/domain.onmicrosoft.com/oauth2/v2.0/logout but the starting page still shows the login form.

[brufdev]

Is it too much work to set up a working test provider? Otherwise, I can only try if you continue testing.

For local authentication, I did set SETTINGS_LOCAL_AUTH_ENABLED=false and added a logout URL with AZURE_POST_LOGOUT_REDIRECT_URI=https://login.microsoftonline.com/domain.onmicrosoft.com/oauth2/v2.0/logout but the starting page still shows the login form.

I forgot to add AZURE_POST_LOGOUT_REDIRECT_URI. It will be fixed in the next release.

[SerWax]

How do you mean set up a working test provider? I'm happy to test

[brufdev]

How do you mean set up a working test provider? I'm happy to test

I meant to configure the Microsoft provider with those cases to debug what data is coming from the provider. The AZURE_POST_LOGOUT_REDIRECT_URI should be working now.

I pushed another version to the dev tag so update the image. Add the following environment variable to see the debug information:

environment:
  - APP_DEBUG=true

Login with a user having email claim and when Microsoft redirects you back to Many Notes, you will see the email and the full data coming from the provider using different settings. Tell me if you can see the email claim somewhere in there and if yes show me where (just change any important data).

[SerWax]

Here you go Bruno - i replaced all private data but it looks like "email" field is carrying the UPN and "mail" is the correct one with the actual e-mail address:

"[email protected]" // app/Livewire/Auth/OAuthLoginCallback.php:25 SocialiteProviders\Azure\Provider {#1510 ▼ // app/Livewire/Auth/OAuthLoginCallback.php:25 #request: Illuminate\Http \ Request {#46 ▼ +attributes: Symfony\Component\HttpFoundation \ ParameterBag {#51 ▶} +request: Symfony\Component\HttpFoundation \ InputBag {#47 ▶} +query: Symfony\Component\HttpFoundation \ InputBag {#54 ▶} +server: Symfony\Component\HttpFoundation \ ServerBag {#49 ▶} +files: Symfony\Component\HttpFoundation \ FileBag {#53 ▶} +cookies: Symfony\Component\HttpFoundation \ InputBag {#52 ▶} +headers: Symfony\Component\HttpFoundation \ HeaderBag {#48 ▶} #content: null #languages: null #charsets: null #encodings: null #acceptableContentTypes: null #pathInfo: "/oauth/azure/callback" #requestUri: "/oauth/azure/callback?code=1.AREATom7hAzpekirKpdBHyIKhvv0txPT8sdPvUuT2wGCmBwXAfcRAA.AgABBAIAAABlMNzVhAPUTrARzfQjWPtKAwDs_wUA9P-o-gp23f30GZlhKnhrwazm0cNRWiagKGVb ▶" #baseUrl: "" #basePath: null #method: "GET" #format: null #session: Illuminate\Session \ SymfonySessionDecorator {#1117 ▶} #locale: null #defaultLocale: "en" -preferredFormat: null -isHostValid: true -isForwardedValid: true -isSafeContentPreferred: ? bool -trustedValuesCache: array:5 [▼ "4\x00manynotes.domain.com\x00\x00" => array:1 [▶] "32\x00\x00\x00" => [] "8\x00https\x00\x00" => array:1 [▶] "16\x00\x00\x00" => [] "2\x00\x0010.66.66.21\x00" => [] ] -isIisRewrite: false #json: null #convertedFiles: null #userResolver: Closure($guard = null) {#1086 ▼ class: " Illuminate\Auth \ AuthServiceProvider " this: Illuminate\Auth \ AuthServiceProvider {#75 …} use: {▶} } #routeResolver: Closure() {#1096 ▼ class: " Illuminate\Routing \ Router " this: Illuminate\Routing \ Router {#44 …} use: {▼ $route: Illuminate\Routing \ Route {#1104 …} } } basePath: "" format: "html" } #httpClient: GuzzleHttp \ Client {#1501 ▼ -config: array:8 [▼ "handler" => GuzzleHttp \ HandlerStack {#1509 ▶} "allow_redirects" => array:5 [▶] "http_errors" => true "decode_content" => true "verify" => true "cookies" => false "idn_conversion" => false "headers" => array:1 [▼ "User-Agent" => "GuzzleHttp/7" ] ] } #clientId: "[my-client-id-replaced]" #clientSecret: "[my-clientsecret-replaced]" #redirectUrl: "https://ManyNotes.domain.com/oauth/azure/callback" #parameters: [] #scopes: array:4 [▼ 0 => "User.Read" 1 => "email" 2 => "openid" 3 => "profile" ] #scopeSeparator: " " #encodingType: 1 #stateless: false #usesPKCE: false #guzzle: [] #user: SocialiteProviders\Azure \ User {#1525 ▼ +id: "[user-id-replaced]" +nickname: null +name: "Name Surname" +email: "[email protected]" +avatar: null +user: array:12 [▼ "@odata.context" => "https://graph.microsoft.com/v1.0/$metadata#users/$entity" "businessPhones" => array:1 [▶] "displayName" => "Name Surname" "givenName" => "Name" "jobTitle" => "IT Specialist" "mail" => "[email protected]" "mobilePhone" => "+39 3426001733" "officeLocation" => null "preferredLanguage" => null "surname" => "Surname" "userPrincipalName" => "[email protected]" "id" => "[user-id-replaced]" ] +attributes: array:7 [▼ "id" => "[user-id-replaced]" "nickname" => null "name" => "Name Surname" "email" => "[email protected]" "principalName" => "[email protected]" "mail" => "[email protected]" "avatar" => null ] +token: "eyJ0eXAiOiJKV1QiLCJub25jZSI6IjNNUGtfLV9ySUQ3U2wzUmNrNFZuOTk3NGxTcy0wamVNS2FCcTRHTG5YWFkiLCJhbGciOiJSUzI1NiIsIng1dCI6IkhTMjNiN0RvN1RjYVUxUm9MSHdwSXEyNFZZZyIsImtp ▶" +refreshToken: null +expiresIn: 4658 +approvedScopes: array:4 [▼ 0 => "email" 1 => "openid" 2 => "profile" 3 => "User.Read" ] +accessTokenResponseBody: array:5 [▼ "token_type" => "Bearer" "scope" => "email openid profile User.Read" "expires_in" => 4658 "ext_expires_in" => 4658 "access_token" => "eyJ0eXAiOiJKV1QiLCJub25jZSI6IjNNUGtfLV9ySUQ3U2wzUmNrNFZuOTk3NGxTcy0wamVNS2FCcTRHTG5YWFkiLCJhbGciOiJSUzI1NiIsIng1dCI6IkhTMjNiN0RvN1RjYVUxUm9MSHdwSXEyNFZZZyIsImtp ▶" ] +principalName: "[email protected]" +mail: "[email protected]" } #credentialsResponseBody: array:5 [▼ "token_type" => "Bearer" "scope" => "email openid profile User.Read" "expires_in" => 4658 "ext_expires_in" => 4658 "access_token" => "eyJ0eXAiOiJKV1QiLCJub25jZSI6IjNNUGtfLV9ySUQ3U2wzUmNrNFZuOTk3NGxTcy0wamVNS2FCcTRHTG5YWFkiLCJhbGciOiJSUzI1NiIsIng1dCI6IkhTMjNiN0RvN1RjYVUxUm9MSHdwSXEyNFZZZyIsImtp ▶" ] #config: array:6 [▼ "client_id" => "[my-client-id-replaced]" "client_secret" => "[my-clientsecret-replaced]" "redirect" => "https://ManyNotes.domain.com/oauth/azure/callback" "tenant" => "84bb894e-e90c-487a-ab2a-97411f220a86" "proxy" => null "guzzle" => [] ] #graphUrl: "https://graph.microsoft.com/v1.0/me" } SocialiteProviders\Azure\Provider {#1510 ▼ // app/Livewire/Auth/OAuthLoginCallback.php:25 #request: Illuminate\Http \ Request {#46 ▼ +attributes: Symfony\Component\HttpFoundation \ ParameterBag {#51 ▶} +request: Symfony\Component\HttpFoundation \ InputBag {#47 ▶} +query: Symfony\Component\HttpFoundation \ InputBag {#54 ▶} +server: Symfony\Component\HttpFoundation \ ServerBag {#49 ▶} +files: Symfony\Component\HttpFoundation \ FileBag {#53 ▶} +cookies: Symfony\Component\HttpFoundation \ InputBag {#52 ▶} +headers: Symfony\Component\HttpFoundation \ HeaderBag {#48 ▶} #content: null #languages: null #charsets: null #encodings: null #acceptableContentTypes: null #pathInfo: "/oauth/azure/callback" #requestUri: "/oauth/azure/callback?code=1.AREATom7hAzpekirKpdBHyIKhvv0txPT8sdPvUuT2wGCmBwXAfcRAA.AgABBAIAAABlMNzVhAPUTrARzfQjWPtKAwDs_wUA9P-o-gp23f30GZlhKnhrwazm0cNRWiagKGVb ▶" #baseUrl: "" #basePath: null #method: "GET" #format: null #session: Illuminate\Session \ SymfonySessionDecorator {#1117 ▼ +store: Illuminate\Session \ Store {#1116 ▶} } #locale: null #defaultLocale: "en" -preferredFormat: null -isHostValid: true -isForwardedValid: true -isSafeContentPreferred: ? bool -trustedValuesCache: array:5 [▼ "4\x00manynotes.domain.com\x00\x00" => array:1 [▼ 0 => "manynotes.domain.com" ] "32\x00\x00\x00" => [] "8\x00https\x00\x00" => array:1 [▼ 0 => "https" ] "16\x00\x00\x00" => [] "2\x00\x0010.66.66.21\x00" => [] ] -isIisRewrite: false #json: null #convertedFiles: null #userResolver: Closure($guard = null) {#1086 ▼ class: " Illuminate\Auth \ AuthServiceProvider " this: Illuminate\Auth \ AuthServiceProvider {#75 …} use: {▼ $app: Illuminate\Foundation \ Application {#5 …} } } #routeResolver: Closure() {#1096 ▼ class: " Illuminate\Routing \ Router " this: Illuminate\Routing \ Router {#44 …} use: {▼ $route: Illuminate\Routing \ Route {#1104 …} } } basePath: "" format: "html" } #httpClient: GuzzleHttp \ Client {#1501 ▶} #clientId: "[my-client-id-replaced]" #clientSecret: "[my-clientsecret-replaced]" #redirectUrl: "https://ManyNotes.domain.com/oauth/azure/callback" #parameters: [] #scopes: array:4 [▼ 0 => "User.Read" 1 => "email" 2 => "openid" 3 => "profile" ] #scopeSeparator: " " #encodingType: 1 #stateless: false #usesPKCE: false #guzzle: [] #user: SocialiteProviders\Azure \ User {#1525 ▼ +id: "[user-id-replaced]" +nickname: null +name: "Name Surname" +email: "[email protected]" +avatar: null +user: array:12 [▶] +attributes: array:7 [▶] +token: "eyJ0eXAiOiJKV1QiLCJub25jZSI6IjNNUGtfLV9ySUQ3U2wzUmNrNFZuOTk3NGxTcy0wamVNS2FCcTRHTG5YWFkiLCJhbGciOiJSUzI1NiIsIng1dCI6IkhTMjNiN0RvN1RjYVUxUm9MSHdwSXEyNFZZZyIsImtp ▶" +refreshToken: null +expiresIn: 4658 +approvedScopes: array:4 [▶] +accessTokenResponseBody: array:5 [▶] +principalName: "[email protected]" +mail: "[email protected]" } #credentialsResponseBody: array:5 [▼ "token_type" => "Bearer" "scope" => "email openid profile User.Read" "expires_in" => 4658 "ext_expires_in" => 4658 "access_token" => "eyJ0eXAiOiJKV1QiLCJub25jZSI6IjNNUGtfLV9ySUQ3U2wzUmNrNFZuOTk3NGxTcy0wamVNS2FCcTRHTG5YWFkiLCJhbGciOiJSUzI1NiIsIng1dCI6IkhTMjNiN0RvN1RjYVUxUm9MSHdwSXEyNFZZZyIsImtp ▶" ] #config: array:6 [▼ "client_id" => "[my-client-id-replaced]" "client_secret" => "[my-clientsecret-replaced]" "redirect" => "https://ManyNotes.domain.com/oauth/azure/callback" "tenant" => "84bb894e-e90c-487a-ab2a-97411f220a86" "proxy" => null "guzzle" => [] ] #graphUrl: "https://graph.microsoft.com/v1.0/me" } SocialiteProviders\Azure\Provider {#1510 ▼ // app/Livewire/Auth/OAuthLoginCallback.php:25 #request: Illuminate\Http \ Request {#46 ▼ +attributes: Symfony\Component\HttpFoundation \ ParameterBag {#51 ▼ #parameters: [] } +request: Symfony\Component\HttpFoundation \ InputBag {#47 ▼ #parameters: [] } +query: Symfony\Component\HttpFoundation \ InputBag {#54 ▼ #parameters: array:3 [▶] } +server: Symfony\Component\HttpFoundation \ ServerBag {#49 ▼ #parameters: array:127 [▶] } +files: Symfony\Component\HttpFoundation \ FileBag {#53 ▼ #parameters: [] } +cookies: Symfony\Component\HttpFoundation \ InputBag {#52 ▼ #parameters: array:6 [▶] } +headers: Symfony\Component\HttpFoundation \ HeaderBag {#48 ▼ #headers: array:24 [▶] #cacheControl: [] } #content: null #languages: null #charsets: null #encodings: null #acceptableContentTypes: null #pathInfo: "/oauth/azure/callback" #requestUri: "/oauth/azure/callback?code=1.AREATom7hAzpekirKpdBHyIKhvv0txPT8sdPvUuT2wGCmBwXAfcRAA.AgABBAIAAABlMNzVhAPUTrARzfQjWPtKAwDs_wUA9P-o-gp23f30GZlhKnhrwazm0cNRWiagKGVb ▶" #baseUrl: "" #basePath: null #method: "GET" #format: null #session: Illuminate\Session \ SymfonySessionDecorator {#1117 ▼ +store: Illuminate\Session \ Store {#1116 ▼ #id: "D7poCY24Ygo61yYweSFqmLuOxZdYbaeSSPJaA9RP" #name: "many_notes_session" #attributes: array:4 [▶] #handler: Illuminate\Session \ DatabaseSessionHandler {#1115 ▼ #connection: Staudenmeir\LaravelCte\Connections \ SQLiteConnection {#776 …23} #table: "sessions" #minutes: "120" #container: Illuminate\Foundation \ Application {#5 …} #exists: true } #serialization: "php" #started: true } } #locale: null #defaultLocale: "en" -preferredFormat: null -isHostValid: true -isForwardedValid: true -isSafeContentPreferred: ? bool -trustedValuesCache: array:5 [▼ "4\x00manynotes.domain.com\x00\x00" => array:1 [▼ 0 => "manynotes.domain.com" ] "32\x00\x00\x00" => [] "8\x00https\x00\x00" => array:1 [▼ 0 => "https" ] "16\x00\x00\x00" => [] "2\x00\x0010.66.66.21\x00" => [] ] -isIisRewrite: false #json: null #convertedFiles: null #userResolver: Closure($guard = null) {#1086 ▼ class: " Illuminate\Auth \ AuthServiceProvider " this: Illuminate\Auth \ AuthServiceProvider {#75 …} use: {▶} } #routeResolver: Closure() {#1096 ▼ class: " Illuminate\Routing \ Router " this: Illuminate\Routing \ Router {#44 …} use: {▶} } basePath: "" format: "html" } #httpClient: GuzzleHttp \ Client {#1501 ▼ -config: array:8 [▼ "handler" => GuzzleHttp \ HandlerStack {#1509 ▼ -handler: Closure(RequestInterface $request, array $options): PromiseInterface {#1520 ▼ returnType: " GuzzleHttp\Promise \ PromiseInterface " class: " GuzzleHttp\Handler \ Proxy " use: {▼ $default: Closure(RequestInterface $request, array $options): PromiseInterface {#1518 …} $streaming: GuzzleHttp\Handler \ StreamHandler {#1519 …} } } -stack: array:4 [▼ 0 => array:2 [▶] 1 => array:2 [▼ 0 => Closure(callable $handler): RedirectMiddleware {#1522 ▼ returnType: " GuzzleHttp \ RedirectMiddleware " class: " GuzzleHttp \ Middleware " } 1 => "allow_redirects" ] 2 => array:2 [▼ 0 => Closure(callable $handler): callable {#1523 ▼ returnType: "callable" class: " GuzzleHttp \ Middleware " } 1 => "cookies" ] 3 => array:2 [▼ 0 => Closure(callable $handler): PrepareBodyMiddleware {#1524 ▼ returnType: " GuzzleHttp \ PrepareBodyMiddleware " class: " GuzzleHttp \ Middleware " } 1 => "prepare_body" ] ] -cached: Closure($request, array $options) {#1532 ▼ class: " GuzzleHttp \ Middleware " use: {▶} } } "allow_redirects" => array:5 [▼ "max" => 5 "protocols" => array:2 [▼ 0 => "http" 1 => "https" ] "strict" => false "referer" => false "track_redirects" => false ] "http_errors" => true "decode_content" => true "verify" => true "cookies" => false "idn_conversion" => false "headers" => array:1 [▼ "User-Agent" => "GuzzleHttp/7" ] ] } #clientId: "[my-client-id-replaced]" #clientSecret: "[my-clientsecret-replaced]" #redirectUrl: "https://ManyNotes.domain.com/oauth/azure/callback" #parameters: [] #scopes: array:4 [▼ 0 => "User.Read" 1 => "email" 2 => "openid" 3 => "profile" ] #scopeSeparator: " " #encodingType: 1 #stateless: false #usesPKCE: false #guzzle: [] #user: SocialiteProviders\Azure \ User {#1525 ▼ +id: "[user-id-replaced]" +nickname: null +name: "Name Surname" +email: "[email protected]" +avatar: null +user: array:12 [▼ "@odata.context" => "https://graph.microsoft.com/v1.0/$metadata#users/$entity" "businessPhones" => array:1 [▶] "displayName" => "Name Surname" "givenName" => "Name" "jobTitle" => "IT Specialist" "mail" => "[email protected]" "mobilePhone" => "+39 3426001733" "officeLocation" => null "preferredLanguage" => null "surname" => "Surname" "userPrincipalName" => "[email protected]" "id" => "[user-id-replaced]" ] +attributes: array:7 [▼ "id" => "[user-id-replaced]" "nickname" => null "name" => "Name Surname" "email" => "[email protected]" "principalName" => "[email protected]" "mail" => "[email protected]" "avatar" => null ] +token: "eyJ0eXAiOiJKV1QiLCJub25jZSI6IjNNUGtfLV9ySUQ3U2wzUmNrNFZuOTk3NGxTcy0wamVNS2FCcTRHTG5YWFkiLCJhbGciOiJSUzI1NiIsIng1dCI6IkhTMjNiN0RvN1RjYVUxUm9MSHdwSXEyNFZZZyIsImtp ▶" +refreshToken: null +expiresIn: 4658 +approvedScopes: array:4 [▼ 0 => "email" 1 => "openid" 2 => "profile" 3 => "User.Read" ] +accessTokenResponseBody: array:5 [▼ "token_type" => "Bearer" "scope" => "email openid profile User.Read" "expires_in" => 4658 "ext_expires_in" => 4658 "access_token" => "eyJ0eXAiOiJKV1QiLCJub25jZSI6IjNNUGtfLV9ySUQ3U2wzUmNrNFZuOTk3NGxTcy0wamVNS2FCcTRHTG5YWFkiLCJhbGciOiJSUzI1NiIsIng1dCI6IkhTMjNiN0RvN1RjYVUxUm9MSHdwSXEyNFZZZyIsImtp ▶" ] +principalName: "[email protected]" +mail: "[email protected]" } #credentialsResponseBody: array:5 [▼ "token_type" => "Bearer" "scope" => "email openid profile User.Read" "expires_in" => 4658 "ext_expires_in" => 4658 "access_token" => "eyJ0eXAiOiJKV1QiLCJub25jZSI6IjNNUGtfLV9ySUQ3U2wzUmNrNFZuOTk3NGxTcy0wamVNS2FCcTRHTG5YWFkiLCJhbGciOiJSUzI1NiIsIng1dCI6IkhTMjNiN0RvN1RjYVUxUm9MSHdwSXEyNFZZZyIsImtp ▶" ] #config: array:6 [▼ "client_id" => "[my-client-id-replaced]" "client_secret" => "[my-clientsecret-replaced]" "redirect" => "https://ManyNotes.domain.com/oauth/azure/callback" "tenant" => "84bb894e-e90c-487a-ab2a-97411f220a86" "proxy" => null "guzzle" => [] ] #graphUrl: "https://graph.microsoft.com/v1.0/me" }

[brufdev]

Thank you. I updated the dev image again. Now it will print only the email and the mail fields, but I need you to test authenticating with one user who has an email claim and another user who doest not have an email claim.

1. Tell me the debugged data for both cases and, in each case, what email you consider the correct one to use.
2. I didn't change the provider, so this Azure provider seems to be the correct one, right?
3. In your opinion, the flow for this provider should be: use the mail field if it exists, use email field otherwise. Try to think beyond your specific use case. Do you believe this flow works for any user of this provider?
4. Could there be a case where someone has a mail field defined, but the correct one to use is the email field?

[SerWax]

Unfortunately I can't, if missing the email field is automatically populated with the UPN in Entra. It is nonly different if the email alias is added.
I did try unexposing the "email" claim, but the result was the same in both instances:

"[email protected]" // app/Livewire/Auth/OAuthLoginCallback.php:25
"[email protected]" // app/Livewire/Auth/OAuthLoginCallback.php:25

[brufdev]

So, the second is always the correct email?

[SerWax]

Yes, the second is always the correct email

[brufdev]

1. I didn't change the provider, so this Azure provider seems to be the correct one, right?
2. The second print is the mail. Try to think beyond your use case: can I safely use the mail for everyone using the Azure provider?

[SerWax]

1. I think both are "correct" and both expose the email, the other one is just more modern and has additional claims (such as group claims).

2. Yes, everyone who uses Azure/Entra will have the same fields: if that field is a different email, then it is used, otherwise it will be the UPN. I have confirmed even with an external/guest user that the second row shows the correct email address.

[brufdev]

I updated the dev image again. Now there are no more debugs, and I've added the other Microsoft provider as well. Test with the Azure first, since it is already configured. After that, you can test with the Microsoft provider using this:

environment:
  - MICROSOFT_CLIENT_ID=CLIENT_ID # change id
  - MICROSOFT_CLIENT_SECRET=CLIENT_SECRET # change secret
  - MICROSOFT_REDIRECT_URI=http://localhost/oauth/microsoft/callback # change domain
  - MICROSOFT_PROXY=http://your-proxy-url # change url (optional configuration)

You can use MICROSOFT_POST_LOGOUT_REDIRECT_URI if you are disabling local authentication. If this provider works well and you think it’s better, I’ll remove the other one.

Let me know if everything is working as expected.

[brufdev]

The only thing that matters is the provider's ability to authenticate users. I don't mind using one provider or the other, as long as it works. The extra stuff is not relevant for authentication.

[SerWax]

Hi Bruno

my apologies I could not find the chance to test the other provider. The other stuff is only relevant to use group permission mapping from the IdP.

The AZURE driver is working perfectly for all kinds of users, so for the current purposes, it is perfectly good.

[brufdev]

No problem. I want to finish something else but I expect to release this in the next few days. I'll let you know when it's done. Thank you.

[brufdev]

This feature is now available in today's release v0.15.0. Make sure to change the dev tag and to remove the APP_DEBUG environment variable.