
Support for AuthEvent in OAuth2 Flow #13

Open
rjhankison opened this issue Mar 22, 2021 · 3 comments

Comments

@rjhankison

Hi there -- first off, thank you so much for building this library! Our team loves working with it. :-D

We're running into an issue where our application cannot tell which organization a user authenticates with in the OAuth2 flow. This occurs when a user has multiple connections to our application. We're missing a way to examine the JWT for an AuthEventID. We can use that ID to determine which organization a user authorized in that handshake. However, I don't see a way to examine this event in your library. Here's the response I received from Xero support for context:

So after the user performed an authentication, your app will receive an access token (JWT) which you'll need to decode to get some info.

There is one more value that you'll need to decode, authentication_event_id, which can be used to find out which tenant the user connected.

You can then use it with the GET Connections to grab the tenantId of the organisation.

Example: GET https://api.xero.com/connections?authEventId=d0ddcf81-f942-4f4d-b3c7-f98045204db4

Do you have plans to include a method for this on your Calcinai\OAuth2\Client\Provider\Xero class?

Thanks so much in advance!

@gary-britland

Hi @rjhankison

I had been trying to understand what needs to be done to effect a solution for your question as I too had an issue with this. Today I solved that problem.

$token = $provider->getAccessToken('authorization_code', [
    'code' => $_GET['code']
]);

// Get the JWT version of the Access Token (I am calling this the raw access token)
$raw_token_string = $token->getToken();

// Decode the JWT payload (the second dot-separated segment, base64url encoded) as an array
$payload = explode('.', $raw_token_string)[1];
$token_data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);

// Retrieve the 'authentication_event_id'; this can then be passed to $provider->getTenant()
var_dump($token_data['authentication_event_id']);

This will get you what you want. It is only useful when the first Access Token is retrieved, as the 'authentication_event_id' changes with each refresh, so you must store the Tenant ID somewhere as you would the Access Token.

As far as how this should be implemented, I would assume it would make sense to implement a solution to this upstream in the league/oauth2-client repository, as I believe this would be applicable for all OAuth2 integrations. Someone can correct me if I am wrong.

Thanks
Gary

@rjhankison
Author

rjhankison commented Nov 29, 2021

Thanks Gary! Yes, we found a similar solution:

public static function jwtParsePayload(string $token)
{
    $tokenParts = explode(".", $token);
    // JWT segments are base64url encoded: map '-' and '_' back to '+' and '/' before decoding
    $tokenPayload = base64_decode(strtr($tokenParts[1], '-_', '+/'));

    // The header can be decoded the same way if it is ever needed:
    // $tokenHeader = base64_decode(strtr($tokenParts[0], '-_', '+/'));
    // $jwtHeader = json_decode($tokenHeader);

    return json_decode($tokenPayload);
}

We also noticed the same constraint around the auth_event. We've actually just built out a UI to handle when there are multiple tenants authorized, and none are specified in the auth_event.

Anyway, it makes me feel better knowing that you've come to the same conclusion. :)

Thanks again!
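The decode-and-match flow described in the two comments above, as an added stand-alone example (not code from calcinai/oauth2-xero or from either commenter): it decodes the payload segment with padding restored and strict base64 checking, reads authentication_event_id, and picks the matching tenant from a connection list shaped like the GET /connections?authEventId=... response. The sample token and connection entries are constructed here, and the assumption that each connection entry carries an authEventId field is not something the thread states.

```php
<?php
// Added example, not calcinai/oauth2-xero code. The signature is NOT verified here:
// only decode tokens received directly from Xero's token endpoint over TLS, never
// tokens presented to you by a third party.
function base64UrlDecode(string $data): string
{
    $remainder = strlen($data) % 4;
    if ($remainder !== 0) {
        $data .= str_repeat('=', 4 - $remainder); // restore the padding base64url strips
    }
    $decoded = base64_decode(strtr($data, '-_', '+/'), true); // strict mode rejects stray bytes
    if ($decoded === false) {
        throw new InvalidArgumentException('payload is not valid base64url');
    }
    return $decoded;
}

function jwtPayload(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('expected a compact JWS with three segments');
    }
    return json_decode(base64UrlDecode($parts[1]), true, 512, JSON_THROW_ON_ERROR);
}

// Match the token's authentication_event_id against the entries returned by
// GET /connections?authEventId=...; assumes each entry carries an authEventId field.
function tenantForAuthEvent(string $jwt, array $connections): ?string
{
    $eventId = jwtPayload($jwt)['authentication_event_id'] ?? null;
    if ($eventId === null) {
        return null; // refreshed tokens do not carry the original event id
    }
    foreach ($connections as $connection) {
        if (($connection['authEventId'] ?? null) === $eventId) {
            return $connection['tenantId'];
        }
    }
    return null;
}

// Constructed sample token and connection list; not real Xero data.
$claims = ['authentication_event_id' => 'd0ddcf81-f942-4f4d-b3c7-f98045204db4', 'exp' => 1700000000];
$payload = rtrim(strtr(base64_encode(json_encode($claims)), '+/', '-_'), '=');
$jwt = 'eyJhbGciOiJSUzI1NiJ9.' . $payload . '.signature-omitted';
$connections = [
    ['tenantId' => 'TENANT-A-PLACEHOLDER', 'authEventId' => '00000000-0000-0000-0000-000000000001'],
    ['tenantId' => 'TENANT-B-PLACEHOLDER', 'authEventId' => 'd0ddcf81-f942-4f4d-b3c7-f98045204db4'],
];
echo tenantForAuthEvent($jwt, $connections), PHP_EOL;
```

Persist the tenantId you resolve alongside the access token, since the event id is only useful on the token from the initial code exchange.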

@calcinai
Owner

calcinai commented Dec 9, 2021

Hi all, sorry I completely missed this thread! Would you like a method like that added to the library? I'm happy to take a PR if you've done something to resolve it locally.
