Error with OAuth2ResourceOwner on ADFS #2034

Open
glaplace opened this issue Jan 6, 2025 · 4 comments

glaplace commented Jan 6, 2025

Q A
Bug? yes
New Feature? no
Support question? no
Version 2.3.0

Actual Behavior

Hello, this commit adds a regression on ADFS OAuth (I'm using OAuth2ResourceOwner).

Response 400 with body
"error" => "invalid_request"
"error_description" => "MSIS9631 : requête OAuth non valide reçue. Plusieurs méthodes d'authentification client ont été tentées."

This error is due to the new parameters (ADFS does not support mixing).

Expected Behavior

Same behavior as v2.2.0, without extra parameters.

Steps to Reproduce

I have no repository to reproduce this case.

Used configuration:

hwi_oauth:
    # list of names of the firewalls in which this bundle is active, this setting MUST be set
#    firewall_names: [main]

    # https://github.com/hwi/HWIOAuthBundle/blob/master/Resources/doc/2-configuring_resource_owners.md
    resource_owners:
      adfs:
        class: \HWI\Bundle\OAuthBundle\OAuth\ResourceOwner\OAuth2ResourceOwner
        client_id: "%env(resolve:OAUTH_CLIENT_ID)%"
        client_secret: "%env(resolve:OAUTH_CLIENT_SECRET)%"
        access_token_url: "%env(resolve:OAUTH_TOKEN_URL)%"
        authorization_url: "%env(resolve:OAUTH_AUTHORIZATION_URL)%"
        infos_url: "%env(resolve:OAUTH_INFOS_URL)%"
        scope: "%env(resolve:OAUTH_SCOPE)%"
        user_response_class: HWI\Bundle\OAuthBundle\OAuth\Response\PathUserResponse
        paths:
          identifier: matricule
          email: E-mail

Possible Solutions

Revert the commit to solve this issue.

The original issue (#2002) should be resolved using WindowsLiveResourceOwner (which can be fixed to add the parameters).

It's possible to create an "MS Live ResourceOwner" which extends GenericOAuth2ResourceOwner and calls GenericOAuth2ResourceOwner::getAccessToken with $extraParameters containing 'client_id' => $this->options['client_id'] and 'client_secret' => $this->options['client_secret']:

<?php

namespace HWI\Bundle\OAuthBundle\OAuth\ResourceOwner;

use Symfony\Component\HttpFoundation\Request as HttpRequest;

class MsLiveResourceOwner extends GenericOAuth2ResourceOwner
{
    public function getAccessToken(HttpRequest $request, $redirectUri, array $extraParameters = []): array
    {
        // Add the client credentials to the token request body only for this
        // resource owner (the behaviour #2002 needed), leaving the generic class
        // unchanged; explicitly passed $extraParameters still take precedence.
        $parameters = array_merge([
            'client_id' => $this->options['client_id'],
            'client_secret' => $this->options['client_secret'],
        ], $extraParameters);

        return parent::getAccessToken($request, $redirectUri, $parameters);
    }
}

Another possibility is to modify GenericOAuth2ResourceOwner with more complex logic to add only valued parameters (not null, not empty?).

I don't know if these parameters are required by the OAuth2 standard.
If so, compatibility with the standard generates a BC break in 2.3.0, and this issue does not require a correction but only documentation on this case and how to solve it (with a custom ResourceOwner using the original code).

Thanks

@nziermann

I have the same issue. My error message is: OAuth error: "Request contains multiple client credentials"

@thomas-pike

This also breaks our authentication against a WSO2 identity server. The error received is "Request body and headers contain authorization information".

@thomas-pike

Simplest workaround until this is fixed: re-implement the getAccessToken function in your class that extends GenericOAuth2ResourceOwner, removing the parameters that were added in #2002.
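
What the servers quoted in this thread are enforcing, as an added illustration (not HWIOAuthBundle code nor any commenter's): a small Python model of a token endpoint applying the RFC 6749 §2.3 rule that a client must not use more than one authentication method in a single request, fed the two request shapes this issue contrasts (Basic header only, versus Basic header plus client_id/client_secret in the POST body). The credential values and the success response are constructed placeholders.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Constructed sample credentials for the illustration; not real values.
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-secret"


def build_token_request(code, redirect_uri, credentials_in_body):
    """Build an authorization_code token request as (headers, body).

    The client always authenticates with HTTP Basic (RFC 6749 §2.3.1).
    With credentials_in_body=True it *also* puts client_id/client_secret in
    the form body, which is the mix of methods the reports above describe.
    """
    params = {"grant_type": "authorization_code",
              "code": code, "redirect_uri": redirect_uri}
    if credentials_in_body:
        params["client_id"] = CLIENT_ID
        params["client_secret"] = CLIENT_SECRET
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(params)


def client_auth_methods(headers, body):
    """Return the set of client-authentication methods present in a request."""
    methods = set()
    if headers.get("Authorization", "").startswith("Basic "):
        methods.add("basic")
    fields = parse_qs(body)
    if "client_secret" in fields:
        methods.add("post_body")
    if "client_assertion" in fields:
        methods.add("client_assertion")
    return methods


def token_endpoint(headers, body):
    """Model of the server-side check ADFS, WSO2 and Okta apply: more than one
    client authentication method in one request is an invalid_request."""
    methods = client_auth_methods(headers, body)
    if len(methods) > 1:
        return {"error": "invalid_request",
                "error_description": "multiple client authentication methods"}
    # Credential verification and the code exchange would follow here.
    return {"access_token": "constructed-token", "token_type": "Bearer"}
```

The same check can be run against a captured request from a custom ResourceOwner before deploying it, to confirm only one method is left in the request.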

@pmdevelopment

This change also breaks my Okta integration ("Cannot supply multiple client credentials. Use one of the following: credentials in the Authorization header, credentials in the post body, or a client_assertion in the post body.").
