Signing in to an oidcc/Phoenix app using Entra ID?

[chgeuer]

I'm using erlef/oidcc in a Phoenix project to authenticate with Entra ID (a.k.a. Azure AD), and the library seems to partly do a PKCE flow, but only the 2nd half of it:

In my application.ex file, I have the following child spec:

{Oidcc.ProviderConfiguration.Worker, %{issuer: "https://login.microsoftonline.com/{entra_tenant_id}/v2.0", name: :entra_id_raffley_configuration}}

In the OidccController, I follow the steps outlined in the erlef/oidcc_plug docs.

In order to see the outgoing HTTPS requests done by the oidcc library (which uses Erlang's :httpc client under the hood), I set up a proxy server with HTTPS decryption using Fiddler, and globally configured the proxy in my Elixir project:

# This code replaces all 100+ trusted CA root certs with a single one from Fiddler, 
# so we can MITM ourselves...
Application.ensure_all_started([:inets, :ssl])
:ok = :public_key.cacerts_load("/mnt/c/tmp/fiddler_ca.pem")
:httpc.set_options(proxy: ~c"192.168.1.29", 8888}, []})

This is the browser HTTP request/response against the Phoenix app (line breaks etc. for readability)

GET http://localhost:4000/oidcc/authorize HTTP/1.1

HTTP/1.1 302 Found
location: https://login.microsoftonline.com/{tid}/oauth2/v2.0/authorize
   ?scope=openid
   &nonce={__nonce__}
   &presponse_type=code
   &client_id={client_id}
   &redirect_uri=http://localhost:4000/oidcc/callback

After Entra ID authenticates me, I get redirected to the Phoenix app's callback URL with the authorization code:

GET http://localhost:4000/oidcc/callback
   ?code={__code__}
   &session_state={session_state} 

At this point, the oidcc library sends a POST request to the token endpoint:

POST https://login.microsoftonline.com/{tid}/oauth2/v2.0/token HTTP/1.1
content-type: application/x-www-form-urlencoded

grant_type=authorization_code
client_id={client_id}
client_secret={client_secret}
redirect_uri=http://localhost:4000/oidcc/callback
code={__code__}
code_verifier=...

HTTP/1.1 400 Bad Request
Content-Type: application/json; charset=utf-8

{
  "error":"invalid_grant",
  "error_description":"AADSTS501481: The Code_Verifier does not match the code_challenge supplied in the authorization request.",
  "error_codes":[501481]
}

Out of the blue, it suddenly includes a code_verifier parameter in the token request. Entra ID then essentially complains about AADSTS501481: The Code_Verifier does not match the code_challenge supplied in the authorization request..

Can I somehow turn off all PKCE-related stuff?

Setup: OTP27 / Elixir 1.17.3, oidcc 3.2, oidcc_plug 0.1.2, on Linux (WSL) (with Fiddler on the Windows side)...

[maennchen]

@chgeuer That's curious. Generally, PKCE should only be sent both for authorize & retrieving the token if that is supported by the provider, not just one of them.

What is the value of code_challenge_methods_supported in the openid configuration?

[chgeuer]

The .well-known/openid-configuration is e.g. here (it's the same for all Entra tenants, I think)...

{
    "token_endpoint": "https://login.microsoftonline.com/81c45207-40a0-4d7d-a8f3-feeca7c918fd/oauth2/v2.0/token",
    "token_endpoint_auth_methods_supported": [ "client_secret_post", "private_key_jwt", "client_secret_basic" ],
    "jwks_uri": "https://login.microsoftonline.com/81c45207-40a0-4d7d-a8f3-feeca7c918fd/discovery/v2.0/keys",
    "response_modes_supported": [ "query", "fragment", "form_post" ],
    "subject_types_supported": [ "pairwise" ],
    "id_token_signing_alg_values_supported": [ "RS256" ],
    "response_types_supported": [ "code", "id_token", "code id_token", "id_token token" ],
    "scopes_supported": [ "openid", "profile", "email", "offline_access" ],
    "issuer": "https://login.microsoftonline.com/81c45207-40a0-4d7d-a8f3-feeca7c918fd/v2.0",
    "request_uri_parameter_supported": false,
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "authorization_endpoint": "https://login.microsoftonline.com/81c45207-40a0-4d7d-a8f3-feeca7c918fd/oauth2/v2.0/authorize",
    "device_authorization_endpoint": "https://login.microsoftonline.com/81c45207-40a0-4d7d-a8f3-feeca7c918fd/oauth2/v2.0/devicecode",
    "http_logout_supported": true,
    "frontchannel_logout_supported": true,
    "end_session_endpoint": "https://login.microsoftonline.com/81c45207-40a0-4d7d-a8f3-feeca7c918fd/oauth2/v2.0/logout",
    "claims_supported": [ "sub", "iss", "cloud_instance_name", "cloud_instance_host_name", "cloud_graph_host_name", "msgraph_host", 
                     "aud", "exp", "iat", "auth_time", "acr", "nonce", "preferred_username", "name", "tid", "ver", "at_hash", "c_hash", "email" ],
    "kerberos_endpoint": "https://login.microsoftonline.com/81c45207-40a0-4d7d-a8f3-feeca7c918fd/kerberos",
    "tenant_region_scope": "EU",
    "cloud_instance_name": "microsoftonline.com",
    "cloud_graph_host_name": "graph.windows.net",
    "msgraph_host": "graph.microsoft.com",
    "rbac_url": "https://pas.windows.net"
}

From what I see, there is no code_challenge_methods_supported value.

BTW, when I try the code interactively, there is no PKCE stuff in the

callback_uri = "http://localhost:4000/oidcc/callback"
client_id = Application.fetch_env!(:raffley, Oidcc)[:client_id]
client_secret = Application.fetch_env!(:raffley, Oidcc)[:client_secret]
auth_code = "1.ARoAB1LEgaBAfU2o8..."

{:ok, token} = 
	Oidcc.retrieve_token(auth_code, :entra_id_raffley_configuration, client_id, client_secret, %{redirect_uri: callback_uri})

POST https://login.microsoftonline.com/{entra_tenant_id}/oauth2/v2.0/token HTTP/1.1
content-type: application/x-www-form-urlencoded

client_id=...&client_secret=...&grant_type=authorization_code&code=...&redirect_uri=http%3A%2F%2Flocalhost%3A4000%2Foidcc%2Fcallback

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8

{
	"token_type":"Bearer",
	"scope":"openid profile email",
	"expires_in":4415,
	"ext_expires_in":4415,
	"access_token":"eyJ...",
	"id_token":"..."
}

[maennchen]

I see the issue, there's a missing check when exchanging the token. Preparing a PR.

It's interesting however that Entra does not define code_challenge_methods_supported, but still seem to check the query params for PKCE.

[chgeuer]

Thanks mate, very cool!

[maennchen]

@chgeuer Can you check if PR #399 solves your issue?

(Install with mix using {:oidcc, github: "erlef/oidcc", branch: "token_pkce_check", override: true})

[chgeuer]

Thanks @maennchen, using this branch it works. The authorization_code grant token request only supplies client_id, client_secret, grant_type, code and redirect_uri and properly gets token(s) issued.

[chgeuer]

Thanks, @maennchen very cool seeing the PR merged. Will that update become avail on hex.pm with the next larger release, or directly?