Azure AD: Undefined array key in /var/www/app/plugins/OAuth2/User/GenericOAuth2UserProvider.php

[MeatyPetey-5000]

Actual behaviour

External authentication failed and Warning: Undefined array key "id" in /var/www/app/plugins/OAuth2/User/GenericOAuth2UserProvider.php on line 266 is thrown when using Azure AD as identity provider.

GitHub auth works as intended - Likely something not supported in GenericOAuth2UserProvider.php for Azure AD?

Expected behaviour

Authentication is successful

Steps to reproduce

Add following config in OAuth2 Plugin:
Callback URL: https://kanboard.domain.com/oauth/callback
Client ID: *******************
Client Secret: ********************************
Authorize URL: https://login.microsoftonline.com/common/oauth2/authorize
Token URL: https://login.microsoftonline.com/common/oauth2/token
User API URL: https://graph.microsoft.com/beta/me
Scopes: User.Read or openid (happens regardless of scope)
Username Key: userPrincipalName
Name Key: displayName
Email Key: mail
User ID Key: id (Undefined array key always thrown regardless of value here)
Allow Account Creation: Any
Allow account creation only for those domains: Empty
Groups Key: Empty
Group Filter: Empty

Configuration

• Plugin version: 1.0.2
• Kanboard version: 1.2.23
• Database type and version: SQLite
• PHP version: Whatever comes with 1.2.23
• OS: Docker Compose on Ubuntu 20.04
• Browser: MS Edge
• Reverse proxy: caddy - pointing to kanboard.domain.com on port 443

docker-compose.yml
version: '2'
services:
kanboard:
image: kanboard/kanboard:latest
ports:
- "9443:80"
volumes:
- ./kanboard_kanboard_data/_data:/var/www/app/data
- ./kanboard_kanboard_plugins/_data:/var/www/app/plugins
- ./config.php:/var/www/app/config.php

config.php:
config.php.txt

[s3nu4]

Same issue with Keycloak 18.

[corbing]

Same issue with Azure AD and same settings as above except the callback URL
https://kanboard.domain.com/?controller=OAuthController&action=handler&plugin=OAuth2

Has anyone been able to get it working with AzureAD?

[yash-ahir]

Same issue with Authelia:

Warning: Undefined array key "id" in /var/www/app/app/Core/User/UserProfile.php on line 56

That's the only error thrown regardless of the configuration for the User ID Key

---

Configuration:

Callback URL: https://kanboard.example.com/?controller=OAuthController&action=handler&plugin=OAuth2
Client ID: ********
Client Secret: ************************
Authorize URL: https://authelia.example.com/api/oidc/authorization
Token URL: https://authelia.example.com/api/oidc/token
User API URL: https://authelia.example.com/api/oidc/userinfo
Scopes: openid profile groups email
Username Key: preferred_username
Name Key: name
Email Key: email
User ID Key: sub

Allow Account Creation: Checked

---

Please let me know if any other information is required, I can atleast confirm that OIDC works for my other applications e.g. Portainer.

[luketainton]

I'm getting the same error as @yash-ahir while using Authentik.

[dece]

If you're tweaking your configuration as you try to connect, remember to close and re-open a private browsing session and use a clean URL before retrying to connect. I had the exact same issue as OP (with Azure AD) even though my settings were right. In a clean environment I was able to connect.

[ToraNova]

I found a workaround to this problem

1. add define('LDAP_GROUP_SYNC', false); to config.php
2. have the user first login with their kanboard user/password combo, then navigate to 'My Profile > External Accounts (under Actions)' and click 'Link OAuth2 Account'

Works using Authentik 2023.06

[mapperr]

I needed to change the User API URL from:

https://graph.microsoft.com/beta/me

to:

https://graph.microsoft.com/v1.0/me

[elohmeier]

I had the same issue with Azure AD due to using the wrong (v1) endpoints, had to switch to the v2 endpoints to make it work.
https://login.microsoftonline.com/<uuid>/oauth2/authorize (v1, not working) vs.
https://login.microsoftonline.com/<uuid>/oauth2/v2.0/authorize (v2, working) and
https://login.microsoftonline.com/<uuid>/oauth2/token (v1, not working) vs.
https://login.microsoftonline.com/<uuid>/oauth2/v2.0/token (v2, working).

[Trapulo]

I needed to change the User API URL from:

https://graph.microsoft.com/beta/me

to:

https://graph.microsoft.com/v1.0/me

this is the right endpoint and this works. Doc may be updated

Changing the User API URL does not resolve this issue.

I also already have the v2.0 endpoints. Kanban has been operating at my company for over 6 months, today it started doing this. I have made no updates, I have changed no configurations. I've attempted a restart of kanban and my server, logging out/in of my MS accounts, etc. No one in my org can login.

Please, is there any information on what is going on or a line on an update to fix it and the documentation at all?

edit: The only solution I've found so far is to disable the plugin and move to local auth. I also tried creating a brand new application in Entra ID, but still no luck.

edit2: to clarify, my error logs are identical to the OP, except mine is on line 260 and not 266. Presumably just a slight difference in versions from 2 years ago to now. I also tried GitHub auth like the OP, and can confirm that works as expected for me as well. It is only Entra ID applications that are failing.

edit3: this must be partially related to Microsoft Entra ID themselves in some way. I re-enabled OAuth2 today for some testing, and I had two users report they were able to login. My attempts still failed, though. We're either going to move to GitHub or just keep trucking with local auth.

[n0nag0n]

So what worked for me was just understanding better how the thing worked. I did need to change the graph url from beta/me to v1.0/me and that seemed to help.

I was inviting my users to Kanboard via the Invite modal in the Users area. They would get the email and create the user. They would create the user with the email address as the username which is a no no and the DB will throw an error because of a duplicate username when Account Creation checkbox is turned on. After I figured that out, and stopped creating the invite, and tweaking the URL people could then login correctly the first time around.

I was wondering why duplicate accounts were being created, and now I know :)

[dece]

Here I am two years later wondering why this error popped again after I managed to fix it.

I fixed it by dumping $this->userData in GenericOAuth2UserProvider::getKey (plugins/OAuth2/User/GenericOAuth2UserProvider.php) in a temporary file to check what the Azure API was giving me and why "id" was absent from the response. Turns out my API key expired (2 years is the longest longevity you can give to your Azure API secrets…) so the plugin received an error message instead of the user data. I renewed my app secret in Azure and in the Kanboard settings and the authentication worked again.

[mitchplze]

Can't get this working for me either with Pocket ID. I'm using the proper userinfo endpoint, and confirmed the field names.

No matter what I put in, I get:

Warning: Undefined array key "email" in /var/www/app/plugins/OAuth2/User/GenericOAuth2UserProvider.php on line 260

I've tried name, preferred_username, email, etc. All of these are valid, and it will accept none of them.