The issue
I can't get MS OAuth to work. Is it my fault, or is the plugin listed in the fof/oauth readme outdated?
I configured the app at portal.azure.com -> Entra ID. I set the callback URL to https://flarum.mydomain.com/auth/microsoft.
Then I entered the Application (Client) ID and Secret ID in the fof/oauth -> Microsoft settings. Now when I try in a private window, it authenticates at Microsoft, but the callback fails. It gives a long trace in the log; I enabled "debug oauth".
[2026-01-19 19:41:36] flarum.ERROR: FoF\OAuth\Errors\AuthenticationException: Bad Request in /usr/www/users/myuser/flarum/vendor/fof/oauth/src/Controller.php:90
--- add long trace here ---
There is a ton of detail in the error log. But of the things that I can change, it shows the callback, and it looks like the one in the instructions in fof/oauth:
"SCRIPT_URI": "https:\/\/flarum.mydomain.com\/auth\/microsoft",
"SCRIPT_URL": "\/auth\/microsoft",
"REDIRECT_SCRIPT_URI": "https:\/\/flarum.mydomain.com\/auth\/microsoft",
"REDIRECT_SCRIPT_URL": "\/auth\/microsoft",
I can provide whatever else is required to figure this out, but does anyone spot what I am doing wrong?
Flarum info (from Hetzner webhosting):
Flarum core: 1.8.12
PHP version: CLI: 8.3.30, Web: 8.3.30
PHP memory limit: CLI: 128M, Web: unable to detect
MySQL version: 10.11.14-MariaDB-0+deb12u2
Loaded extensions: Core, date, libxml, openssl, pcre, sqlite3, zlib, bcmath, bz2, calendar, ctype, curl, dba, dom, hash, fileinfo, filter, ftp, gd, gettext, gmp, json, iconv, SPL, intl, session, ldap, mbstring, mcrypt, standard, mysqlnd, pcntl, exif, mysqli, PDO, pdo_dblib, PDO_Firebird, pdo_mysql, PDO_ODBC, pdo_pgsql, pdo_sqlite, pgsql, Phar, posix, random, readline, Reflection, imap, SimpleXML, soap, sockets, sodium, sysvmsg, sysvsem, sysvshm, tidy, timezonedb, tokenizer, xml, xmlreader, xmlwriter, xsl, zip, imagick, apcu, OAuth, ssh2, Zend OPcache
+------------------------------+---------+--------+-------+
| Flarum Extensions | | | |
+------------------------------+---------+--------+-------+
| ID | Version | Commit | Notes |
+------------------------------+---------+--------+-------+
| flarum-flags | v1.8.2 | | |
| fof-oauth | 1.7.3 | | |
| flarum-approval | v1.8.2 | | |
| flarum-tags | v1.8.6 | | |
| xrh0905-oauth-microsoft | v1.0.1 | | |
| sycho-private-facade | v0.1.16 | | |
| fof-upload | 1.8.8 | | |
| fof-subscribed | 1.1.4 | | |
| fof-polls | 2.3.1 | | |
| fof-doorman | 2.0.0 | | |
| fof-discussion-views | 1.0.0 | | |
| fof-default-user-preferences | 1.2.2 | | |
| flarum-suspend | v1.8.5 | | |
| flarum-subscriptions | v1.8.1 | | |
| flarum-sticky | v1.8.2 | | |
| flarum-statistics | v1.8.1 | | |
| flarum-nicknames | v1.8.2 | | |
| flarum-mentions | v1.8.5 | | |
| flarum-markdown | v1.8.1 | | |
| flarum-lock | v1.8.2 | | |
| flarum-likes | v1.8.1 | | |
| flarum-lang-swedish | 1.1.1 | | |
| flarum-lang-finnish | v1.17.0 | | |
| flarum-lang-english | v1.8.0 | | |
| flarum-extension-manager | v1.0.7 | | |
| flarum-emoji | v1.8.1 | | |
| flarum-bbcode | v1.8.0 | | |
| clarkwinkelmann-passwordless | 2.0.0 | | |
| blomstra-database-queue | 1.1.0 | | |
| askvortsov-pwa | v3.4.1 | | |
| askvortsov-markdown-tables | v1.2.1 | | |
+------------------------------+---------+--------+-------+
Base URL: https://flarum.mydomain.com
Installation path: /usr/www/users/myuser/flarum
Queue driver: database
Session driver: file
Scheduler status: Aktiivinen
Mail driver: smtp
Debug mode: off