Undefined "token_type"

[tomdean]

I've started suddenly getting an error during the OAuth2 process after the user has been redirected back.

Strategy: OIDC
Response Type: "id_token code"
Response Mode: form_post

Versions:
passport-azure-ad@3.0.6
oauth@0.9.14

if (items.token_type.toLowerCase() !== 'bearer') {
                      ^
TypeError: Cannot read property 'toLowerCase' of undefined
	at self._getAccessTokenBySecretOrAssertion (/node_modules/passport-azure-ad/lib/oidcstrategy.js:1151:25)
	at oauth2._request (/node_modules/passport-azure-ad/lib/oidcstrategy.js:1395:7)
	at passBackControl (/node_modules/oauth/lib/oauth2.js:125:9)
	at IncomingMessage.<anonymous> (/node_modules/oauth/lib/oauth2.js:143:7)
	at emitNone (events.js:110:20)
	at IncomingMessage.emit (events.js:207:7)
	at endReadableNT (_stream_readable.js:1047:12)
	at _combinedTickCallback (internal/process/next_tick.js:102:11)
	at process._tickDomainCallback (internal/process/next_tick.js:198:9)

The items object does not have a token_type property - the only key present is id_token.

Stopped suddenly working without any changes/pushes (app was running fine yesterday, not so fine today). Could Microsoft/Azure changed something on their end?

[lovemaths]

@tomdean Yes, something changed in Azure side. Please use the code in dev branch, I fixed it there. I will make a new release as soon as possible.

[abramz]

Can we please get some details? My understanding was that this library is maintained by Microsoft and as such there should be communication structures, etc in place to make sure this sort of thing doesn't happen in production.

[lovemaths]

@abramz Azure AD v2 endpoint used to send back an access token when we request authorization code, and they no longer did that since yesterday. This library expects and tries to validate the token, and causes the problem.

[lovemaths]

@tomdean @abramz We just released the new version. Please update this library to v3.0.7 (latest).

[abramz]

@lovemaths

I would say that this issue is far from closed. This is not aimed at you specifically, but at the PMs and leadership that you are working with. For the past few months now, we have had several issues with the V2 API and what it sends. First, with varying payload bodies where we are now checking 3 or 4 different fields for an email address, and now this.

This library is maintained by Microsoft and was broken by Microsoft. What is your leadership doing to prevent such occurrences from repeating? What communication structures need to be put in place to avoid this from happening, etc? This was an entirely internal issue that cropped up in production for your users, how are you guys going to avoid this from happening again?

I know it isn't going to hurt Microsoft-- it certainly won't hurt us, but we are seriously considering dropping our OAuth support for Microsoft accounts because of the headaches v2 has caused.