Merge pull request #21 from smitthhyy/master

danieltjewett · web-flow · commit bb26d8bbcfcf · 2019-12-20T09:04:13.000-05:00
Resolve issue where user authenticates but does not have permission to run application displaying unfriendly error
diff --git a/README.md b/README.md
@@ -13,7 +13,7 @@ Route::get('/login/azurecallback', '\RootInc\LaravelAzureMiddleware\Azure@azurec
 ```
 
 4. In our `App\Http\Kernel.php` add `'azure' => \RootInc\LaravelAzureMiddleware\Azure::class,` most likely to the `$routeMiddleware` array.
-5. In our `.env` add `AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_RESOURCE`.  We can get these values/read more here: https://portal.azure.com/
+5. In our `.env` add `AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_RESOURCE`.  We can get these values/read more here: https://portal.azure.com/ (Hint: AZURE_RESOURCE should be https://graph.microsoft.com)
 6. As of 0.8.0, we added `AZURE_SCOPE`, which are permissions to be used for the request.  We can read more about these here: https://docs.microsoft.com/en-us/graph/api/resources/users?view=graph-rest-1.0
 7. We also added an optional `AZURE_DOMAIN_HINT` that can be used to help users know which email address they should login with.  More info here: https://azure.microsoft.com/en-us/updates/app-service-auth-and-azure-ad-domain-hints/
 8. Within our app on https://portal.azure.com/ point `reply url` to the `/login/azurecallback` route with the full url (ex: http://thewebsite.com/login/azurecallback).
diff --git a/src/Azure.php b/src/Azure.php
@@ -182,6 +182,14 @@ protected function success(Request $request, $access_token, $refresh_token, $pro
      */
     protected function fail(Request $request, RequestException $e)
     {
+        // Added by smitthhyy 18Dec2019 - Return 403 if user authenticates in AD but is not assigned to this application
+        if ($request->isMethod('get')) {
+            $errorDescription = trim(substr($request->query('error_description', 'SOMETHING_ELSE'), 0, 11));
+            if($errorDescription == "AADSTS50105") {
+                abort(403, "User is not authorisied within Azure AD to access this application.");
+            }
+        }
+        
         return implode("", explode(PHP_EOL, $e->getMessage()));
     }
 

Original file line number	Diff line number	Diff line change
`@@ -182,6 +182,14 @@ protected function success(Request $request, $access_token, $refresh_token, $pro`
`182`	`182`	`*/`
`183`	`183`	`protected function fail(Request $request, RequestException $e)`
`184`	`184`	`{`
	`185`	`+ // Added by smitthhyy 18Dec2019 - Return 403 if user authenticates in AD but is not assigned to this application`
	`186`	`+ if ($request->isMethod('get')) {`
	`187`	`+ $errorDescription = trim(substr($request->query('error_description', 'SOMETHING_ELSE'), 0, 11));`
	`188`	`+ if($errorDescription == "AADSTS50105") {`
	`189`	`+ abort(403, "User is not authorisied within Azure AD to access this application.");`
	`190`	`+ }`
	`191`	`+ }`
	`192`	`+`
`185`	`193`	`return implode("", explode(PHP_EOL, $e->getMessage()));`
`186`	`194`	`}`
`187`	`195`