fix microsoft active directory config

server/db/providers/cassandradb/verification_requests.go

@@ -74,7 +74,6 @@ func (p *provider) ListVerificationRequests(ctx context.Context, pagination *mod
 			var verificationRequest models.VerificationRequest
 			err := scanner.Scan(&verificationRequest.ID, &verificationRequest.Token, &verificationRequest.Identifier, &verificationRequest.ExpiresAt, &verificationRequest.Email, &verificationRequest.Nonce, &verificationRequest.RedirectURI, &verificationRequest.CreatedAt, &verificationRequest.UpdatedAt)
 			if err != nil {
-				fmt.Println("=> getting error here...", err)
 				return nil, err
 			}
 			verificationRequests = append(verificationRequests, verificationRequest.AsAPIVerificationRequest())

server/handlers/oauth_callback.go

@@ -32,11 +32,11 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 	return func(ctx *gin.Context) {
 		provider := ctx.Param("oauth_provider")
 		state := ctx.Request.FormValue("state")
-
 		sessionState, err := memorystore.Provider.GetState(state)
 		if sessionState == "" || err != nil {
 			log.Debug("Invalid oauth state: ", state)
 			ctx.JSON(400, gin.H{"error": "invalid oauth state"})
+			return
 		}
 		// contains random token, redirect url, role
 		sessionSplit := strings.Split(state, "___")
@@ -46,32 +46,34 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			ctx.JSON(400, gin.H{"error": "invalid redirect url"})
 			return
 		}
-
 		// remove state from store
 		go memorystore.Provider.RemoveState(state)
-
 		stateValue := sessionSplit[0]
 		redirectURL := sessionSplit[1]
 		inputRoles := strings.Split(sessionSplit[2], ",")
 		scopes := strings.Split(sessionSplit[3], ",")
-
 		var user *models.User
 		oauthCode := ctx.Request.FormValue("code")
+		if oauthCode == "" {
+			log.Debug("Invalid oauth code: ", oauthCode)
+			ctx.JSON(400, gin.H{"error": "invalid oauth code"})
+			return
+		}
 		switch provider {
 		case constants.AuthRecipeMethodGoogle:
-			user, err = processGoogleUserInfo(oauthCode)
+			user, err = processGoogleUserInfo(ctx, oauthCode)
 		case constants.AuthRecipeMethodGithub:
-			user, err = processGithubUserInfo(oauthCode)
+			user, err = processGithubUserInfo(ctx, oauthCode)
 		case constants.AuthRecipeMethodFacebook:
-			user, err = processFacebookUserInfo(oauthCode)
+			user, err = processFacebookUserInfo(ctx, oauthCode)
 		case constants.AuthRecipeMethodLinkedIn:
-			user, err = processLinkedInUserInfo(oauthCode)
+			user, err = processLinkedInUserInfo(ctx, oauthCode)
 		case constants.AuthRecipeMethodApple:
-			user, err = processAppleUserInfo(oauthCode)
+			user, err = processAppleUserInfo(ctx, oauthCode)
 		case constants.AuthRecipeMethodTwitter:
-			user, err = processTwitterUserInfo(oauthCode, sessionState)
+			user, err = processTwitterUserInfo(ctx, oauthCode, sessionState)
 		case constants.AuthRecipeMethodMicrosoft:
-			user, err = processMicrosoftUserInfo(oauthCode)
+			user, err = processMicrosoftUserInfo(ctx, oauthCode)
 		default:
 			log.Info("Invalid oauth provider")
 			err = fmt.Errorf(`invalid oauth provider`)
@@ -281,9 +283,8 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 	}
 }
 
-func processGoogleUserInfo(code string) (*models.User, error) {
+func processGoogleUserInfo(ctx context.Context, code string) (*models.User, error) {
 	var user *models.User
-	ctx := context.Background()
 	oauth2Token, err := oauth.OAuthProviders.GoogleConfig.Exchange(ctx, code)
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
@@ -313,9 +314,9 @@ func processGoogleUserInfo(code string) (*models.User, error) {
 	return user, nil
 }
 
-func processGithubUserInfo(code string) (*models.User, error) {
+func processGithubUserInfo(ctx context.Context, code string) (*models.User, error) {
 	var user *models.User
-	oauth2Token, err := oauth.OAuthProviders.GithubConfig.Exchange(context.TODO(), code)
+	oauth2Token, err := oauth.OAuthProviders.GithubConfig.Exchange(ctx, code)
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
 		return user, fmt.Errorf("invalid github exchange code: %s", err.Error())
@@ -420,9 +421,9 @@ func processGithubUserInfo(code string) (*models.User, error) {
 	return user, nil
 }
 
-func processFacebookUserInfo(code string) (*models.User, error) {
+func processFacebookUserInfo(ctx context.Context, code string) (*models.User, error) {
 	var user *models.User
-	oauth2Token, err := oauth.OAuthProviders.FacebookConfig.Exchange(context.TODO(), code)
+	oauth2Token, err := oauth.OAuthProviders.FacebookConfig.Exchange(ctx, code)
 	if err != nil {
 		log.Debug("Invalid facebook exchange code: ", err)
 		return user, fmt.Errorf("invalid facebook exchange code: %s", err.Error())
@@ -471,9 +472,9 @@ func processFacebookUserInfo(code string) (*models.User, error) {
 	return user, nil
 }
 
-func processLinkedInUserInfo(code string) (*models.User, error) {
+func processLinkedInUserInfo(ctx context.Context, code string) (*models.User, error) {
 	var user *models.User
-	oauth2Token, err := oauth.OAuthProviders.LinkedInConfig.Exchange(context.TODO(), code)
+	oauth2Token, err := oauth.OAuthProviders.LinkedInConfig.Exchange(ctx, code)
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
 		return user, fmt.Errorf("invalid linkedin exchange code: %s", err.Error())
@@ -553,9 +554,9 @@ func processLinkedInUserInfo(code string) (*models.User, error) {
 	return user, nil
 }
 
-func processAppleUserInfo(code string) (*models.User, error) {
+func processAppleUserInfo(ctx context.Context, code string) (*models.User, error) {
 	var user *models.User
-	oauth2Token, err := oauth.OAuthProviders.AppleConfig.Exchange(context.TODO(), code)
+	oauth2Token, err := oauth.OAuthProviders.AppleConfig.Exchange(ctx, code)
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
 		return user, fmt.Errorf("invalid apple exchange code: %s", err.Error())
@@ -606,9 +607,9 @@ func processAppleUserInfo(code string) (*models.User, error) {
 	return user, err
 }
 
-func processTwitterUserInfo(code, verifier string) (*models.User, error) {
+func processTwitterUserInfo(ctx context.Context, code, verifier string) (*models.User, error) {
 	var user *models.User
-	oauth2Token, err := oauth.OAuthProviders.TwitterConfig.Exchange(context.TODO(), code, oauth2.SetAuthURLParam("code_verifier", verifier))
+	oauth2Token, err := oauth.OAuthProviders.TwitterConfig.Exchange(ctx, code, oauth2.SetAuthURLParam("code_verifier", verifier))
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
 		return user, fmt.Errorf("invalid twitter exchange code: %s", err.Error())
@@ -674,24 +675,24 @@ func processTwitterUserInfo(code, verifier string) (*models.User, error) {
 }
 
 // process microsoft user information
-func processMicrosoftUserInfo(code string) (*models.User, error) {
+func processMicrosoftUserInfo(ctx context.Context, code string) (*models.User, error) {
 	var user *models.User
-	ctx := context.Background()
 	oauth2Token, err := oauth.OAuthProviders.MicrosoftConfig.Exchange(ctx, code)
 	if err != nil {
 		log.Debug("Failed to exchange code for token: ", err)
-		return user, fmt.Errorf("invalid google exchange code: %s", err.Error())
+		return user, fmt.Errorf("invalid microsoft exchange code: %s", err.Error())
 	}
-
-	verifier := oauth.OIDCProviders.MicrosoftOIDC.Verifier(&oidc.Config{ClientID: oauth.OAuthProviders.MicrosoftConfig.ClientID})
-
+	// we need to skip issuer check because for common tenant it will return internal issuer which does not match
+	verifier := oauth.OIDCProviders.MicrosoftOIDC.Verifier(&oidc.Config{
+		ClientID:        oauth.OAuthProviders.MicrosoftConfig.ClientID,
+		SkipIssuerCheck: true,
+	})
 	// Extract the ID Token from OAuth2 token.
 	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
 	if !ok {
 		log.Debug("Failed to extract ID Token from OAuth2 token")
 		return user, fmt.Errorf("unable to extract id_token")
 	}
-
 	// Parse and verify ID Token payload.
 	idToken, err := verifier.Verify(ctx, rawIDToken)
 	if err != nil {

server/resolvers/verify_otp.go

@@ -69,7 +69,6 @@ func VerifyOtpResolver(ctx context.Context, params model.VerifyOTPRequest) (*mod
 		user, err = db.Provider.GetUserByPhoneNumber(ctx, refs.StringValue(params.PhoneNumber))
 	}
 	if user == nil || err != nil {
-		fmt.Println("=> failing here....", err)
 		log.Debug("Failed to get user by email or phone number: ", err)
 		return res, err
 	}

server/test/mobile_login_test.go

@@ -1,12 +1,18 @@
 package test
 
 import (
+	"fmt"
+	"strings"
 	"testing"
+	"time"
 
+	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/refs"
 	"github.com/authorizerdev/authorizer/server/resolvers"
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -48,6 +54,17 @@ func mobileLoginTests(t *testing.T, s TestSetup) {
 		smsRequest, err := db.Provider.GetOTPByPhoneNumber(ctx, phoneNumber)
 		assert.NoError(t, err)
 		assert.NotEmpty(t, smsRequest.Otp)
+		// Get user by phone number
+		user, err := db.Provider.GetUserByPhoneNumber(ctx, phoneNumber)
+		assert.NoError(t, err)
+		assert.NotNil(t, user)
+		// Set mfa cookie session
+		mfaSession := uuid.NewString()
+		memorystore.Provider.SetMfaSession(user.ID, mfaSession, time.Now().Add(1*time.Minute).Unix())
+		cookie := fmt.Sprintf("%s=%s;", constants.MfaCookieName+"_session", mfaSession)
+		cookie = strings.TrimSuffix(cookie, ";")
+		req, ctx := createContext(s)
+		req.Header.Set("Cookie", cookie)
 		verifySMSRequest, err := resolvers.VerifyOtpResolver(ctx, model.VerifyOTPRequest{
 			PhoneNumber: &phoneNumber,
 			Otp:         smsRequest.Otp,

server/test/mobile_signup_test.go

@@ -1,7 +1,10 @@
 package test
 
 import (
+	"fmt"
+	"strings"
 	"testing"
+	"time"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/db"
@@ -9,6 +12,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/refs"
 	"github.com/authorizerdev/authorizer/server/resolvers"
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -79,6 +83,17 @@ func mobileSingupTest(t *testing.T, s TestSetup) {
 		otp, err := db.Provider.GetOTPByPhoneNumber(ctx, phoneNumber)
 		assert.Nil(t, err)
 		assert.NotEmpty(t, otp.Otp)
+		// Get user by phone number
+		user, err := db.Provider.GetUserByPhoneNumber(ctx, phoneNumber)
+		assert.NoError(t, err)
+		assert.NotNil(t, user)
+		// Set mfa cookie session
+		mfaSession := uuid.NewString()
+		memorystore.Provider.SetMfaSession(user.ID, mfaSession, time.Now().Add(1*time.Minute).Unix())
+		cookie := fmt.Sprintf("%s=%s;", constants.MfaCookieName+"_session", mfaSession)
+		cookie = strings.TrimSuffix(cookie, ";")
+		req, ctx := createContext(s)
+		req.Header.Set("Cookie", cookie)
 		otpRes, err := resolvers.VerifyOtpResolver(ctx, model.VerifyOTPRequest{
 			PhoneNumber: &phoneNumber,
 			Otp:         otp.Otp,

server/test/resend_otp_test.go

@@ -2,13 +2,18 @@ package test
 
 import (
 	"context"
+	"fmt"
+	"strings"
 	"testing"
+	"time"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/refs"
 	"github.com/authorizerdev/authorizer/server/resolvers"
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -89,6 +94,16 @@ func resendOTPTest(t *testing.T, s TestSetup) {
 		})
 		assert.Error(t, err)
 		assert.Nil(t, verifyOtpRes)
+		// Get user by email
+		user, err := db.Provider.GetUserByEmail(ctx, email)
+		assert.NoError(t, err)
+		assert.NotNil(t, user)
+		// Set mfa cookie session
+		mfaSession := uuid.NewString()
+		memorystore.Provider.SetMfaSession(user.ID, mfaSession, time.Now().Add(1*time.Minute).Unix())
+		cookie := fmt.Sprintf("%s=%s;", constants.MfaCookieName+"_session", mfaSession)
+		cookie = strings.TrimSuffix(cookie, ";")
+		req.Header.Set("Cookie", cookie)
 		verifyOtpRes, err = resolvers.VerifyOtpResolver(ctx, model.VerifyOTPRequest{
 			Email: &email,
 			Otp:   newOtp.Otp,

server/test/verify_otp_test.go

@@ -2,13 +2,18 @@ package test
 
 import (
 	"context"
+	"fmt"
+	"strings"
 	"testing"
+	"time"
 
 	"github.com/authorizerdev/authorizer/server/constants"
 	"github.com/authorizerdev/authorizer/server/db"
 	"github.com/authorizerdev/authorizer/server/graph/model"
+	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/refs"
 	"github.com/authorizerdev/authorizer/server/resolvers"
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -63,7 +68,16 @@ func verifyOTPTest(t *testing.T, s TestSetup) {
 		otp, err := db.Provider.GetOTPByEmail(ctx, email)
 		assert.NoError(t, err)
 		assert.NotEmpty(t, otp.Otp)
-
+		// Get user by email
+		user, err := db.Provider.GetUserByEmail(ctx, email)
+		assert.NoError(t, err)
+		assert.NotNil(t, user)
+		// Set mfa cookie session
+		mfaSession := uuid.NewString()
+		memorystore.Provider.SetMfaSession(user.ID, mfaSession, time.Now().Add(1*time.Minute).Unix())
+		cookie := fmt.Sprintf("%s=%s;", constants.MfaCookieName+"_session", mfaSession)
+		cookie = strings.TrimSuffix(cookie, ";")
+		req.Header.Set("Cookie", cookie)
 		verifyOtpRes, err := resolvers.VerifyOtpResolver(ctx, model.VerifyOTPRequest{
 			Email: &email,
 			Otp:   otp.Otp,

server/token/auth_token.go

@@ -386,7 +386,6 @@ func CreateIDToken(user *models.User, roles []string, hostname, nonce, atHash, c
 	userBytes, _ := json.Marshal(&resUser)
 	var userMap map[string]interface{}
 	json.Unmarshal(userBytes, &userMap)
-	fmt.Println("=> userBytes", string(userBytes))
 	claimKey, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyJwtRoleClaim)
 	if err != nil {
 		claimKey = "roles"