The provided ssl_options to the OAuth client request opts cause an SSL failure as the default voor :verify is now :verify_peer, but no certificates are provided.

Solution is to remove the ssl_options altogether which causes the system default to be used, I think this is safe anyway since TLS 1.3 is preferred over 1.2. Will create a PR.

#25 updated the ueberauth to version 0.7, which requires strategies to prevent CSRF attacks.

Because the library was simply updated, and no protection added, every attempt to sign in results in an error. I would therefore recommend retiring the version 0.11.0.

Hi,
when use dynamic config, the authorize and token url must be setted, because the tenant_id variable is only readed from env config

` defp defaults(config) do
tenant_id = config[:tenant_id] || "common"

[
  strategy: __MODULE__,
  site: "https://graph.microsoft.com",
  authorize_url: "https://login.microsoftonline.com/#{tenant_id}/oauth2/v2.0/authorize",
  token_url: "https://login.microsoftonline.com/#{tenant_id}/oauth2/v2.0/token",
  request_opts: [ssl_options: [versions: [:"tlsv1.2"]]]
]

end`

Could you please add a global option for a single redirect_uri for multi tenant with subdomains ?

Ueberauth Strategy for Google has this similar feature.

config.exs

config :ueberauth, Ueberauth,
  providers: [
    ...
    microsoft: {Ueberauth.Strategy.Microsoft, [
      callback_url: "https://subdomain.example.com/auth/microsoft/callback"
    ]},
  ]

Thanks.

I have been implementing my own ueberauth strategy for Azure Active Directory and only noticed this one as it was nearing completion. I have had a quick look at your code and can't see the callback validations? I would expect there to at least be a check for the nonce. The openid specification expects validations for the following:

• aud
• iss
• nbf
• iat
• exp
• nonce

Are you using a protocol that doesn't need these validations? Or are the developers using this library expected to do these validations to allow for more flexibility?

As far as I see, there is no logout implemented. Or did I missed something?

https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-sign-user-sign-in?tabs=aspnetcore#sign-out

I'm having an odd issue with the fetch_user/2 portion of the app. It seems like I get my OAuth2 tokens just fine, but when trying to fetch the user data from https://graph.microsoft.com/v1.0/me, it's trying to pass a JSON representation of the token instead of the token itself. Turning on OAuth2's debug logging, I'm getting something like this:

[debug]   OAuth2 Provider Request
  url: "https://graph.microsoft.com/v1.0/me/"
  method: :get
  headers: [{"accept", "application/json"}, {"authorization", "Bearer {\"token_type\":\"Bearer\",\"scope\":\"email openid profile https://graph.microsoft.com/Calendars.Read https://graph.microsoft.com/User.Read\",\"expires_in\":3599,\"ext_expires_in\":3599,\"access_token\":\"eyJ0eXAiOiJKV1QiLCJub25jZSI6Ik02N...\", \"refresh_token\":\"OAQABAAAAAAAP0wLl...\", \"id_token\": "eyJ0eXAiO..."}]
  body: ""
  req_opts: [ssl_options: [versions: [:"tlsv1.2"]]]

This results in an error from the MS Graph API along the lines of CompactToken parsing failed with error code: 80049217

If I extract the "access_token" string from this JSON and manually pass it as a bearer token via CURL, everything works, so I know the token is valid.

What's perplexing to me is why is that "Bearer" in the OAuth2.Client.get (in ueberauth/strategy/microsoft.ex#105) passing an whole stringified-JSON instead of just the plain ASCII access token?

It seems "show stopping" enough that I'm wondering if I have some odd configuration causing this issues, but it seems like a pretty simple setup so I'm not sure what I could have done wrong.

Appreciate any advice.

Hi,
I previously submitted a PR which contains a flaw where the given :extra_scopes is not merged with default scopes. Sorry about that 😕

I have submitted a new PR #36 which fixes this issue (and also bumps a patch version).