About azure AD v2 vs v1 and FusionAuth

Hello i hope you are doing great. A few weeks ago i started an implementation of social Login for Microsoft accounts (Azure AD).

Obviously i read the fusionauth documentation as a base to know how to implement this feature and because i am using the ReactJs Application, the packaged i am using is https://fusionauth.io/docs/v1/tech/client-libraries/node

As the documentation says the way to implement this is with OpenIdConnect, so i started using this identity provider and the configuration was added. At the beggining this was configured using the OAuth 2.0 v2 endpoints.. But i had an issue with PKCE, apparently there is no way to pass the challenge code to the fusionauthClient.identityProviderLogin method to complete the identity provider login flow.

So i just changed the configuration to OAuth 2.0 v1 endpoints, and from there the identity provider login works fine with Microsoft Accounts.. But when i try with Microsoft enterprise accounts the identity provider login fails .

So, with this context i have two questions:

1. Is this issue related with the Oauth 2.0 version selected
2. If yes.. Is there a way to pass this challenge code to the fusionAuthClient to complete this the identity provider flow. If not possible with the fusionauthClient, Is there a way to do it with the fusion auth api endpoints?

I think this is it. I really appreciate your help with this. Thanks

@dan Thanks for answer to this post. I will proceed to check this tomorrow and i will let you know how this goes after testing it again. I didn't know that the node client was deprecated.. so thanks for the update about this.. i am going to replace the package for the typescript library

@dan Good evening, I hope you are doing great. I just proceed to enable the debug for identity provider (That was enabled already).

I am using v1 ad endpoints, i reproduce the error, but fusionauth doesn't show any errors, because i think that this don't have nothing to do with fusionauth. The error that azure shows is:

AADSTS50020: User account 'email@example.com' from identity provider 'https://sts.windows.net/<tenant-id>/' does not exist in tenant 'Directorio predeterminado' and cannot access the application '<app-id>'(<app name>) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

The fact that fusionauth dont detect any error is kind of expected because at this point we are on azure login flow. I am assuming that this is related to the v1 endpoints on azure AD.

The first time i just started using the v2 endpoints but the problem was fusionauth, and the error was the challenge because the javascript library method dont have any param to pass the challenge values. So my question here is Is the Typescript client supporting PKCE authentication challenge. If the answer is negative. Then It is possible to achieve this with the fusionauth endpoints (passing the challenge codes to the endpoint to complete the flow)

Now using v2 endpoints (passing the code_challenge and the code_challenge_method to retrieve the authorization token https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow). Fusionauth Microsoft OpenIDConnect provider returns the next error:

Request to the [https://login.microsoftonline.com/<tenant-id>/oauth2/token] endpoint failed. Status code [400].

Error response is 
{
  "error" : "invalid_grant",
  "error_description" : "AADSTS50148: The code_verifier does not match the code_challenge supplied in the authorization request for PKCE.\r\nTrace ID: c0836075-1551-45ad-9fce-9b7a7716d201\r\nCorrelation ID: 16f33aed-50eb-461a-9740-66299e56fe58\r\nTimestamp: 2022-05-12 15:57:26Z",
  "error_codes" : [ 50148 ],
  "timestamp" : "2022-05-12 15:57:26Z",
  "trace_id" : "c0836075-1551-45ad-9fce-9b7a7716d201",
  "correlation_id" : "16f33aed-50eb-461a-9740-66299e56fe58",
  "error_uri" : "https://login.microsoftonline.com/error?code=50148"
}

I assume that this is because there is no way to pass this challenge code. Also i Notice that the url used by fusionauth to get the token is a v1 endpoint https://login.microsoftonline.com/<tenant-id>/oauth2/token. So i ask again, is there a way to use v2 endpoints and code_challenge to complete the login flow for Microsoft OpenIdConnect providers?