I'm working on a PHP application that authenticates users via Microsoft 365 using OAuth 2.0. The login flow works fine, and I'm able to get the access token successfully. However, I'm encountering an issue with redirecting the user to a specific page (LeaveManagement.php) after a successful login.
I've ensured that the session is started at the beginning of each script, and session variables are being set correctly post-login. However, the redirection to management.php doesn't seem to occur as expected.
Here's a simplified version of my login.php script:

    <?php
    session_start();
    require 'php_scripts/db.php';

    // Initialize configuration variables from DB
    $appid = getApiConfig($pdo, 'client_id');
    $tenantid = getApiConfig($pdo, 'tenant_id');
    $secret = getApiConfig($pdo, 'client_secret');
    $redirect_uri = 'https://my.domain.com/management.php';

    // Redirect if already logged in
    if (!empty($_SESSION['HRUserIsAllowed'])) {
        header("Location: $redirect_uri");
        exit;
    }

    // OAuth flow
    if (isset($_GET['action']) && $_GET['action'] === 'login') {
        // Redirect to Microsoft login
        $loginUrl = "https://login.microsoftonline.com/{$tenantid}/oauth2/v2.0/authorize?" . http_build_query([
            'client_id' => $appid,
            'response_type' => 'code',
            'redirect_uri' => $redirect_uri,
            'scope' => 'https://graph.microsoft.com/User.Read offline_access',
            'state' => bin2hex(random_bytes(16)),
        ]);
        header('Location: ' . $loginUrl);
        exit;
    } elseif (isset($_GET['code'])) {
        // Process the authorization code
        $tokenUrl = "https://login.microsoftonline.com/{$tenantid}/oauth2/v2.0/token";
        // ...Token request and session variable setup...
        // Assume successful token acquisition
        $_SESSION['HRUserIsAllowed'] = true;
        header("Location: $redirect_uri");
        exit;
    } else {
        // Display login screen (simplified for brevity)
        echo "Login Screen HTML Here";
    }
    ?>
and a simplified version of my management.php script:

    <?php
    session_start();
    require 'vendor/autoload.php';
    require 'php_scripts/db.php';

    if (!isset($_SESSION['HRUserIsAllowed']) || $_SESSION['HRUserIsAllowed'] !== true) {
        $current_page = (isset($_SERVER['HTTPS']) ? "https://" : "http://") . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
        header("Location: login.php?redirect_uri=" . urlencode($current_page));
        exit;
    } else {
        // Code for when user is authenticated to view page
    }
    ?>
After login, the script is supposed to redirect users to https://my.domain.com/management.php, but this redirection fails to happen. The expected behavior is that once authenticated, the user should not see the login page again but should be directed to the management.php page.
Notably, I've checked that the session variables are correctly set, and there are no apparent issues with the headers.
I'm looking for insights or suggestions on what might be causing the redirect to fail or be ignored after the login process. Is there something I'm overlooking in my redirect logic or session handling?
Any advice or pointers would be greatly appreciated.
I think your mistake is that you are trying to redirect to management.php when it should be login.php in the call below:

    $loginUrl = "https://login.microsoftonline.com/{$tenantid}/oauth2/v2.0/authorize?" . http_build_query([
        'client_id' => $appid,
        'response_type' => 'code',
        'redirect_uri' => 'https://my.domain.com/login.php',
        'scope' => 'https://graph.microsoft.com/User.Read offline_access',
        'state' => bin2hex(random_bytes(16)),
    ]);

It is login.php that must receive and process the return $_GET['code'].
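To make the distinction from the answer concrete, here is an added example of a login.php written so that the OAuth redirect_uri points back at login.php itself, while the post-login destination (management.php) is a separate value. This is not the asker's or the answerer's code. It assumes php_scripts/db.php and getApiConfig() from the question, the cURL extension, and PHP 8 or later; safe_local_path() and exchange_code() are helper names introduced here. Two things the question's simplified script leaves out are filled in: the state parameter is stored in the session and checked when the code comes back, and the redirect_uri query string that management.php appends is only honoured if it is a same-site path, so it cannot be turned into an open redirect.

```php
<?php
// Added example: OAuth callback handled by login.php, then a local redirect
// to the management page. getApiConfig() and $pdo come from the asker's
// php_scripts/db.php (assumed); everything else is illustrative.
session_start();
require 'php_scripts/db.php';

$appid    = getApiConfig($pdo, 'client_id');
$tenantid = getApiConfig($pdo, 'tenant_id');
$secret   = getApiConfig($pdo, 'client_secret');

// Where Microsoft sends the authorization code: this script, not management.php.
$oauth_redirect_uri  = 'https://my.domain.com/login.php';
// Where the user lands after a successful login.
$default_after_login = '/management.php';

// Accept only a same-site relative path as the post-login target; anything with a
// scheme, host or protocol-relative prefix falls back to the default page.
function safe_local_path(?string $candidate, string $fallback): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }
    $path = $parts['path'] ?? '';
    if ($path === '' || $path[0] !== '/' || str_starts_with($path, '//') || str_contains($path, '\\')) {
        return $fallback;
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Exchange the authorization code for tokens; returns the decoded JSON or null.
function exchange_code(string $tenantid, string $appid, string $secret, string $code, string $redirect_uri): ?array
{
    $ch = curl_init("https://login.microsoftonline.com/{$tenantid}/oauth2/v2.0/token");
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'client_id'     => $appid,
            'client_secret' => $secret,
            'grant_type'    => 'authorization_code',
            'code'          => $code,
            'redirect_uri'  => $redirect_uri, // must equal the value sent in the authorize request
        ]),
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        return null;
    }
    $json = json_decode($body, true);
    return (is_array($json) && isset($json['access_token'])) ? $json : null;
}

// Already logged in: go straight to the management page.
if (!empty($_SESSION['HRUserIsAllowed'])) {
    header('Location: ' . $default_after_login);
    exit;
}

if (isset($_GET['action']) && $_GET['action'] === 'login') {
    // Remember the post-login target and the state value to verify on return.
    $_SESSION['after_login'] = safe_local_path($_GET['redirect_uri'] ?? null, $default_after_login);
    $_SESSION['oauth_state'] = bin2hex(random_bytes(16));
    header('Location: ' . "https://login.microsoftonline.com/{$tenantid}/oauth2/v2.0/authorize?" . http_build_query([
        'client_id'     => $appid,
        'response_type' => 'code',
        'redirect_uri'  => $oauth_redirect_uri,
        'scope'         => 'https://graph.microsoft.com/User.Read offline_access',
        'state'         => $_SESSION['oauth_state'],
    ]));
    exit;
}

if (isset($_GET['code'])) {
    // Callback from Microsoft: refuse it unless the state matches the one we issued.
    $expected = $_SESSION['oauth_state'] ?? '';
    unset($_SESSION['oauth_state']);
    if ($expected === '' || !hash_equals($expected, (string)($_GET['state'] ?? ''))) {
        http_response_code(400);
        exit('Invalid OAuth state');
    }
    $tokens = exchange_code($tenantid, $appid, $secret, (string)$_GET['code'], $oauth_redirect_uri);
    if ($tokens === null) {
        http_response_code(502);
        exit('Token exchange failed');
    }
    session_regenerate_id(true); // fresh session id once the user's privilege changes
    $_SESSION['HRUserIsAllowed'] = true;
    $after = $_SESSION['after_login'] ?? $default_after_login;
    unset($_SESSION['after_login']);
    header('Location: ' . $after);
    exit;
}

echo "Login Screen HTML Here";
```

Note that management.php in the question passes an absolute URL in redirect_uri; safe_local_path() deliberately rejects that and falls back to /management.php. If you want to preserve the full requested URL, compare its host to your own before accepting it rather than trusting the query string as supplied.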