Try better fix for #28194

htdocs/admin/oauth.php

@@ -178,6 +178,8 @@ if ($action == 'confirm_delete') {
 			$callbacktodel .= '/core/modules/oauth/stripetest_oauthcallback.php?action=delete&keyforprovider='.$provider.'&token='.newToken().'&backtourl='.urlencode($backtourl);
 		} elseif ($label == 'OAUTH_MICROSOFT') {
 			$callbacktodel .= '/core/modules/oauth/microsoft_oauthcallback.php?action=delete&keyforprovider='.$provider.'&token='.newToken().'&backtourl='.urlencode($backtourl);
+		} elseif ($label == 'OAUTH_MICROSOFT2') {
+			$callbacktodel .= '/core/modules/oauth/microsoft_oauthcallback.php?action=delete&keyforprovider='.$provider.'&token='.newToken().'&backtourl='.urlencode($backtourl);
 		} elseif ($label == 'OAUTH_OTHER') {
 			$callbacktodel .= '/core/modules/oauth/generic_oauthcallback.php?action=delete&keyforprovider='.$provider.'&token='.newToken().'&backtourl='.urlencode($backtourl);
 		}

htdocs/core/lib/oauth.lib.php

@@ -150,6 +150,11 @@ function getAllOauth2Array()
 		'OAUTH_MICROSOFT_ID',
 		'OAUTH_MICROSOFT_SECRET',
 	),
+	array(
+		'OAUTH_MICROSOFT2_NAME',
+		'OAUTH_MICROSOFT2_ID',
+		'OAUTH_MICROSOFT2_SECRET',
+	),
 	array(
 		'OAUTH_NEST_NAME',
 		'OAUTH_NEST_ID',
@@ -276,7 +281,7 @@ function getSupportedOauth2Array()
 	// Supported OAUTH (a provider is supported when a file xxx_oauthcallback.php is available into htdocs/core/modules/oauth)
 	$supportedoauth2array = array(
 		'OAUTH_GOOGLE_NAME' => array(
-			'callbackfile' => 'google',
+			'callbackfile' => 'google',		// used to generate the filename: google_oauthcallback.php
 			'picto' => 'google',
 			'urlforapp' => 'OAUTH_GOOGLE_DESC',
 			'name' => 'Google',
@@ -319,12 +324,22 @@ function getSupportedOauth2Array()
 		'callbackfile' => 'microsoft',
 		'picto' => 'microsoft',
 		'urlforapp' => 'OAUTH_MICROSOFT_DESC',
-		'name' => 'Microsoft',
+		'name' => 'Microsoft [outlook.office365]',
 		'urlforcredentials' => 'https://portal.azure.com/',
 		// User.Read is a microsoftgraph scope, if it's not working, do not select it
 		'availablescopes' => 'openid,offline_access,profile,email,User.Read,https://outlook.office365.com/IMAP.AccessAsUser.All,https://outlook.office365.com/SMTP.Send',
 		'returnurl' => '/core/modules/oauth/microsoft_oauthcallback.php'
 	);
+	$supportedoauth2array['OAUTH_MICROSOFT2_NAME'] = array(
+		'callbackfile' => 'microsoft2',
+		'picto' => 'microsoft',
+		'urlforapp' => 'OAUTH_MICROSOFT2_DESC',
+		'name' => 'Microsoft [outlook.office]',
+		'urlforcredentials' => 'https://portal.azure.com/',
+		// User.Read is a microsoftgraph scope, if it's not working, do not select it
+		'availablescopes' => 'openid,offline_access,profile,email,User.Read,https://outlook.office.com/.default',
+		'returnurl' => '/core/modules/oauth/microsoft_oauthcallback.php'
+	);
 	if (getDolGlobalInt('MAIN_FEATURES_LEVEL') >= 2) {
 		$supportedoauth2array['OAUTH_OTHER_NAME'] = array(
 			'callbackfile' => 'generic',

htdocs/core/modules/oauth/microsoft_oauthcallback2.php

@@ -0,0 +1,217 @@
+<?php
+/* Copyright (C) 2022       Laurent Destailleur  <eldy@users.sourceforge.net>
+ * Copyright (C) 2015       Frederic France      <frederic.france@free.fr>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+/**
+ *      \file       htdocs/core/modules/oauth/microsoft_oauthcallback.php
+ *      \ingroup    oauth
+ *      \brief      Page to get oauth callback
+ */
+
+// Load Dolibarr environment
+require '../../../main.inc.php';
+require_once DOL_DOCUMENT_ROOT.'/includes/OAuth/bootstrap.php';
+use OAuth\Common\Storage\DoliStorage;
+use OAuth\Common\Consumer\Credentials;
+
+// Define $urlwithroot
+$urlwithouturlroot = preg_replace('/'.preg_quote(DOL_URL_ROOT, '/').'$/i', '', trim($dolibarr_main_url_root));
+$urlwithroot = $urlwithouturlroot.DOL_URL_ROOT; // This is to use external domain name found into config file
+//$urlwithroot=DOL_MAIN_URL_ROOT;					// This is to use same domain name than current
+
+
+$action = GETPOST('action', 'aZ09');
+$backtourl = GETPOST('backtourl', 'alpha');
+$keyforprovider = GETPOST('keyforprovider', 'aZ09');
+if (empty($keyforprovider) && !empty($_SESSION["oauthkeyforproviderbeforeoauthjump"]) && (GETPOST('code') || $action == 'delete')) {
+	$keyforprovider = $_SESSION["oauthkeyforproviderbeforeoauthjump"];
+}
+$genericstring = 'MICROSOFT2';
+
+
+/**
+ * Create a new instance of the URI class with the current URI, stripping the query string
+ */
+$uriFactory = new \OAuth\Common\Http\Uri\UriFactory();
+//$currentUri = $uriFactory->createFromSuperGlobalArray($_SERVER);
+//$currentUri->setQuery('');
+$currentUri = $uriFactory->createFromAbsolute($urlwithroot.'/core/modules/oauth/microsoft_oauthcallback.php');
+
+
+/**
+ * Load the credential for the service
+ */
+
+/** @var \OAuth\ServiceFactory $serviceFactory An OAuth service factory. */
+$serviceFactory = new \OAuth\ServiceFactory();
+$httpClient = new \OAuth\Common\Http\Client\CurlClient();
+// TODO Set options for proxy and timeout
+// $params=array('CURLXXX'=>value, ...)
+//$httpClient->setCurlParameters($params);
+$serviceFactory->setHttpClient($httpClient);
+
+// Dolibarr storage
+$storage = new DoliStorage($db, $conf, $keyforprovider);
+
+// Setup the credentials for the requests
+$keyforparamid = 'OAUTH_'.$genericstring.($keyforprovider ? '-'.$keyforprovider : '').'_ID';
+$keyforparamsecret = 'OAUTH_'.$genericstring.($keyforprovider ? '-'.$keyforprovider : '').'_SECRET';
+$keyforparamtenant = 'OAUTH_'.$genericstring.($keyforprovider ? '-'.$keyforprovider : '').'_TENANT';
+$credentials = new Credentials(
+	getDolGlobalString($keyforparamid),
+	getDolGlobalString($keyforparamsecret),
+	$currentUri->getAbsoluteUri()
+);
+
+$state = GETPOST('state');
+
+$requestedpermissionsarray = array();
+if ($state) {
+	$requestedpermissionsarray = explode(',', $state); // Example: 'user'. 'state' parameter is standard to retrieve some parameters back
+}
+if ($action != 'delete' && empty($requestedpermissionsarray)) {
+	print 'Error, parameter state is not defined';
+	exit;
+}
+//var_dump($requestedpermissionsarray);exit;
+
+// Instantiate the Api service using the credentials, http client and storage mechanism for the token
+// ucfirst(strtolower($genericstring)) must be the name of a class into OAuth/OAuth2/Services/Xxxx
+// $requestedpermissionsarray contains list of scopes.
+// Conversion into URL is done by Reflection on constant with name SCOPE_scope_in_uppercase
+try {
+	$apiService = $serviceFactory->createService(ucfirst(strtolower($genericstring)), $credentials, $storage, $requestedpermissionsarray);
+} catch (Exception $e) {
+	print $e->getMessage();
+	exit;
+}
+/*
+var_dump($genericstring.($keyforprovider ? '-'.$keyforprovider : ''));
+var_dump($credentials);
+var_dump($storage);
+var_dump($requestedpermissionsarray);
+*/
+
+if (empty($apiService)) {
+	print 'Error, failed to create serviceFactory';
+	exit;
+}
+
+// access type needed to have oauth provider refreshing token
+//$apiService->setAccessType('offline');
+
+$langs->load("oauth");
+
+if (!getDolGlobalString($keyforparamid)) {
+	accessforbidden('Setup of service is not complete. Customer ID is missing');
+}
+if (!getDolGlobalString($keyforparamsecret)) {
+	accessforbidden('Setup of service is not complete. Secret key is missing');
+}
+
+
+/*
+ * Actions
+ */
+
+if ($action == 'delete') {
+	$storage->clearToken($genericstring);
+
+	setEventMessages($langs->trans('TokenDeleted'), null, 'mesgs');
+
+	if (empty($backtourl)) {
+		$backtourl = DOL_URL_ROOT.'/';
+	}
+
+	header('Location: '.$backtourl);
+	exit();
+}
+
+//dol_syslog("GET=".join(',', $_GET));
+
+
+if (GETPOST('code') || GETPOST('error')) {     // We are coming from oauth provider page
+	// We should have
+	//$_GET=array('code' => string 'aaaaaaaaaaaaaa' (length=20), 'state' => string 'user,public_repo' (length=16))
+
+	dol_syslog("We are coming from the oauth provider page code=".dol_trunc(GETPOST('code'), 5)." error=".GETPOST('error'));
+
+	// This was a callback request from service, get the token
+	try {
+		//var_dump($state);
+		//var_dump($apiService);      // OAuth\OAuth2\Service\Microsoft
+
+		if (GETPOST('error')) {
+			setEventMessages(GETPOST('error').' '.GETPOST('error_description'), null, 'errors');
+		} else {
+			//print GETPOST('code');exit;
+
+			//$token = $apiService->requestAccessToken(GETPOST('code'), $state);
+			$token = $apiService->requestAccessToken(GETPOST('code'));
+			// Microsoft is a service that does not need state to be stored as second parameter of requestAccessToken
+
+			//print $token->getAccessToken().'<br><br>';
+			//print $token->getExtraParams()['id_token'].'<br>';
+			//print $token->getRefreshToken().'<br>';exit;
+
+			setEventMessages($langs->trans('NewTokenStored'), null, 'mesgs'); // Stored into object managed by class DoliStorage so into table oauth_token
+		}
+
+		$backtourl = $_SESSION["backtourlsavedbeforeoauthjump"];
+		unset($_SESSION["backtourlsavedbeforeoauthjump"]);
+
+		header('Location: '.$backtourl);
+		exit();
+	} catch (Exception $e) {
+		print $e->getMessage();
+	}
+} else {
+	// If we enter this page without 'code' parameter, we arrive here. This is the case when we want to get the redirect
+	// to the OAuth provider login page.
+	$_SESSION["backtourlsavedbeforeoauthjump"] = $backtourl;
+	$_SESSION["oauthkeyforproviderbeforeoauthjump"] = $keyforprovider;
+	$_SESSION['oauthstateanticsrf'] = $state;
+
+	//if (!preg_match('/^forlogin/', $state)) {
+	//	$apiService->setApprouvalPrompt('auto');
+	//}
+
+	// This may create record into oauth_state before the header redirect.
+	// Creation of record with state in this tables depend on the Provider used (see its constructor).
+	if ($state) {
+		$url = $apiService->getAuthorizationUri(array('state' => $state));
+	} else {
+		$url = $apiService->getAuthorizationUri(); // Parameter state will be randomly generated
+	}
+
+	// Show url to get authorization
+	//var_dump((string) $url);exit;
+	dol_syslog("Redirect to url=".$url);
+
+	// we go on oauth provider authorization page
+	header('Location: '.$url);
+	exit();
+}
+
+
+/*
+ * View
+ */
+
+// No view at all, just actions
+
+$db->close();

htdocs/includes/OAuth/OAuth2/Service/Microsoft2.php

@@ -0,0 +1,142 @@
+<?php
+
+namespace OAuth\OAuth2\Service;
+
+use OAuth\OAuth2\Token\StdOAuth2Token;
+use OAuth\Common\Http\Exception\TokenResponseException;
+use OAuth\Common\Http\Uri\Uri;
+use OAuth\Common\Consumer\CredentialsInterface;
+use OAuth\Common\Http\Client\ClientInterface;
+use OAuth\Common\Storage\TokenStorageInterface;
+use OAuth\Common\Http\Uri\UriInterface;
+
+class Microsoft extends AbstractService
+{
+    const SCOPE_BASIC = 'basic';
+    const SCOPE_OFFLINE_ACCESS = 'offline_access';
+    const SCOPE_SIGNIN = 'signin';
+    const SCOPE_BIRTHDAY = 'birthday';
+    const SCOPE_CALENDARS = 'calendars';
+    const SCOPE_CALENDARS_UPDATE = 'calendars_update';
+    const SCOPE_CONTACTS_BIRTHDAY = 'contacts_birthday';
+    const SCOPE_CONTACTS_CREATE = 'contacts_create';
+    const SCOPE_CONTACTS_CALENDARS = 'contacts_calendars';
+    const SCOPE_CONTACTS_PHOTOS = 'contacts_photos';
+    const SCOPE_CONTACTS_SKYDRIVE = 'contacts_skydrive';
+    const SCOPE_EMAIL = 'email';
+    const SCOPE_EVENTS_CREATE = 'events_create';
+    const SCOPE_MESSENGER = 'messenger';
+    const SCOPE_OPENID = 'openid';
+    const SCOPE_PHONE_NUMBERS = 'phone_numbers';
+    const SCOPE_PHOTOS = 'photos';
+    const SCOPE_POSTAL_ADDRESSES = 'postal_addresses';
+    const SCOPE_PROFILE = 'profile';
+    const SCOPE_SHARE = 'share';
+    const SCOPE_SKYDRIVE = 'skydrive';
+    const SCOPE_SKYDRIVE_UPDATE = 'skydrive_update';
+    const SCOPE_WORK_PROFILE = 'work_profile';
+    const SCOPE_APPLICATIONS = 'applications';
+    const SCOPE_APPLICATIONS_CREATE = 'applications_create';
+    const SCOPE_IMAP = 'imap';
+    const SCOPE_IMAP_ACCESSASUSERALL = 'https://outlook.office.com/.default';
+    const SCOPE_SMTPSEND = 'https://outlook.office.com/.default';
+    const SCOPE_USERREAD = 'User.Read';
+    const SCOPE_MAILREAD = 'Mail.Read';
+    const SCOPE_MAILSEND = 'Mail.Send';
+
+    protected $storage;
+
+
+    /**
+     * MS uses some magical not officialy supported scope to get even moar info like full emailaddresses.
+     * They agree that giving 3rd party apps access to 3rd party emailaddresses is a pretty lame thing to do so in all
+     * their wisdom they added this scope because fuck you that's why.
+     *
+     * https://github.com/Lusitanian/PHPoAuthLib/issues/214
+     * http://social.msdn.microsoft.com/Forums/live/en-US/c6dcb9ab-aed4-400a-99fb-5650c393a95d/how-retrieve-users-
+     *                                  contacts-email-address?forum=messengerconnect
+     *
+     * Considering this scope is not officially supported: use with care
+     */
+    const SCOPE_CONTACTS_EMAILS = 'contacts_emails';
+
+
+    public function __construct(
+        CredentialsInterface $credentials,
+        ClientInterface $httpClient,
+        TokenStorageInterface $storage,
+        $scopes = array(),
+        UriInterface $baseApiUri = null
+    ) {
+        parent::__construct($credentials, $httpClient, $storage, $scopes, $baseApiUri);
+
+        $this->storage = $storage;
+
+        if (null === $baseApiUri) {
+            $this->baseApiUri = new Uri('https://apis.live.net/v5.0/');
+        }
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getAuthorizationEndpoint()
+    {
+    	$tenant = $this->storage->getTenant();
+
+    	//return new Uri('https://login.live.com/oauth20_authorize.srf');
+        //return new Uri('https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize');
+        return new Uri('https://login.microsoftonline.com/'.$tenant.'/oauth2/v2.0/authorize');
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getAccessTokenEndpoint()
+    {
+    	$tenant = $this->storage->getTenant();
+
+        //return new Uri('https://login.live.com/oauth20_token.srf');
+        //return new Uri('https://login.microsoftonline.com/organizations/oauth2/v2.0/token');
+        return new Uri('https://login.microsoftonline.com/'.$tenant.'/oauth2/v2.0/token');
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getAuthorizationMethod()
+    {
+        return static::AUTHORIZATION_METHOD_QUERY_STRING;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function parseAccessTokenResponse($responseBody)
+    {
+        $data = json_decode($responseBody, true);
+
+        if (null === $data || !is_array($data)) {
+            throw new TokenResponseException('Unable to parse response.');
+        } elseif (isset($data['error'])) {
+            throw new TokenResponseException('Error in retrieving token: "' . $data['error'] . '"');
+        }
+        //print $data['access_token'];exit;
+
+        $token = new StdOAuth2Token();
+        $token->setAccessToken($data['access_token']);
+        $token->setLifetime($data['expires_in']);
+
+        if (isset($data['refresh_token'])) {
+            $token->setRefreshToken($data['refresh_token']);
+            unset($data['refresh_token']);
+        }
+
+        unset($data['access_token']);
+        unset($data['expires_in']);
+
+        $token->setExtraParams($data);
+
+        return $token;
+    }
+}