Audience error - Office365

I’ve had Office 365 social login working for a few months, it has suddenly stopped working with the below error:

Traceback (most recent call last):
  File "apps/frappe/frappe/app.py", line 110, in application
    response = frappe.api.handle(request)
  File "apps/frappe/frappe/api/__init__.py", line 49, in handle
    data = endpoint(**arguments)
  File "apps/frappe/frappe/api/v1.py", line 36, in handle_rpc_call
    return frappe.handler.handle()
  File "apps/frappe/frappe/handler.py", line 49, in handle
    data = execute_cmd(cmd)
  File "apps/frappe/frappe/handler.py", line 85, in execute_cmd
    return frappe.call(method, **frappe.form_dict)
  File "apps/frappe/frappe/__init__.py", line 1716, in call
    return fn(*args, **newargs)
  File "apps/frappe/frappe/utils/typing_validations.py", line 31, in wrapper
    return func(*args, **kwargs)
  File "apps/frappe/frappe/integrations/oauth2_logins.py", line 33, in login_via_office365
    login_via_oauth2_id_token("office_365", code, state, decoder=decoder_compat)
  File "apps/frappe/frappe/utils/oauth.py", line 119, in login_via_oauth2_id_token
    info = get_info_via_oauth(provider, code, decoder, id_token=True)
  File "apps/frappe/frappe/utils/oauth.py", line 145, in get_info_via_oauth
    info = jwt.decode(token, flow.client_secret, options={"verify_signature": False})
  File "env/lib/python3.10/site-packages/jwt/api_jwt.py", line 104, in decode
    self._validate_claims(payload, merged_options, **kwargs)
  File "env/lib/python3.10/site-packages/jwt/api_jwt.py", line 140, in _validate_claims
    self._validate_aud(payload, audience)
  File "env/lib/python3.10/site-packages/jwt/api_jwt.py", line 189, in _validate_aud
    raise InvalidAudienceError('Invalid audience')
jwt.exceptions.InvalidAudienceError: Invalid audience

I encountered this same issue a few months ago while setting up O365 social login… I had to edit a core file to get it working, and I am still not sure if this is the best way or even the right way to do it…

In the frappe/utils/oauth.py file, inside get_info_via_oauth(), change

if id_token:
    parsed_access = json.loads(session.access_token_response.text)
    token = parsed_access["id_token"]
    info = jwt.decode(token, flow.client_secret, options={"verify_signature": False})

to

if id_token:
    parsed_access = json.loads(session.access_token_response.text)
    token = parsed_access["id_token"]
    info = jwt.decode(token, flow.client_secret, options={"verify_signature": False, "verify_aud": False})

That worked, thank you!

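The audience check that the traceback above reports, as an added Python example that is not part of this thread or of Frappe's code: using only the standard library, it shows what a relying party's "aud" check on an ID token enforces, so that the check can be satisfied by supplying the app's own client id (in PyJWT, the `audience=` argument of `jwt.decode`) instead of being switched off. The client id, issuer and tokens are constructed placeholders, and the signature is deliberately not checked here because that is a separate step.

```python
import base64
import json

# Constructed placeholders: this app's own client id and the issuer it trusts.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed compact JWS; the signature segment is a dummy."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummysig"


def unverified_claims(token: str) -> dict:
    """Return the payload claims; signature verification is a separate step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    body = parts[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def accept_id_token(claims: dict, client_id: str, now: float, issuer: str = ISSUER) -> bool:
    """Relying-party rules for 'aud', 'iss' and 'exp' (RFC 7519 / OIDC Core).

    'aud' may be one string or a list; the token is ours only if our client id
    is listed.  A token with no 'aud' is rejected too: an ID token is always
    issued to a specific client, and one minted for another app is not ours.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or client_id not in aud:
        return False
    if claims.get("iss") != issuer:
        return False
    exp = claims.get("exp")
    return isinstance(exp, (int, float)) and exp > now


# Constructed sample tokens: one issued to this app, one to a different app.
OURS = make_unsigned_token({"aud": CLIENT_ID, "iss": ISSUER, "exp": 1_700_003_600,
                            "preferred_username": "user@example.com"})
OTHER_APP = make_unsigned_token({"aud": "11111111-1111-1111-1111-111111111111",
                                 "iss": ISSUER, "exp": 1_700_003_600})
```

With `now = 1_700_000_000`, `accept_id_token(unverified_claims(OURS), CLIENT_ID, now)` is True and the same call on `OTHER_APP` is False, which is exactly the case the "Invalid audience" error exists to catch.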