Authorization header set to array after refreshing token, API call fails

[steverowling]

Describe the bug

I am using Auth 1.0.38 in a Craft 4 project for a Dynamics365 integration.

I have the connection to Dynamics successfully set up and a token stored in the database.

Whilst the token is still valid, all API calls work as expected.

Once the access token has expired, the next API call refreshes the token successfully, however, then when the API call is attempted, it fails with a 400 Bad Request error and the following message:

Bad Request - Invalid Header
HTTP Error 400. The request has an invalid header name.

Subsequent API calls work as expected until the access token expires again and the same behaviour happens again.

I enabled debug and stepped through an API call for an expired access token and noticed that immediately after the access token had been refreshed, the Authorization header was being set to an array with two identical members, instead of a string. This appears to be happening in the createRequest() method in the AbstractProvider.php` file.

Steps to reproduce

1. Set up connection to Dynamics365
2. Wait for access token to expire
3. Make a new API request
4. The token will be refreshed and the API request will fail as the Authorization header is now an array instead of a string.
5. Subsequent API calls will succeed until the access token expires again.

Craft CMS version

4.15.3

Plugin version

1.0.38

Multi-site?

No

Additional context

No response

[steverowling]

I've added a check in my code to remove the Authorisation header if the existing token has expired before making the API request and this appears to have fixed the issue I was having. Not sure if this is the best way to handle this, but it's working now!

[engram-design]

Thanks for the heads up on this one. Quick one - are you using the Entra or Azure provider for your integration?

What sort of output were you getting for the Authorisation header and at what call?

For example, some quick debugging in the createRequest() function on an expired token for Azure:

array:3 [
  0 => "POST"
  1 => "https://login.microsoftonline.com/common/oauth2/token"
  2 => array:2 [
    "headers" => array:1 [
      "content-type" => "application/x-www-form-urlencoded"
    ]
    "body" => "client_id=1379fbf2-d4...."
  ]
]

[steverowling]

This Is using the Azure provider.

After refreshing the token (done automatically by the Auth module), the headers after the createRequest() function has run look like this: (note the Authorisation header is set to an array)

This call fails with the error shown in the original post.

For subsequent API calls, the headers after the createRequest() function has run look like this:

These calls succeed with no errors.

It seems that the token refresh procedure adds an Authorisation header to the request and if one already exists, it turns the header into an array.

I've worked around the issue as described above, and as mentioned, this is using version 1.0.38 of the module. For now all is good, just wondered if you'd seen the behaviour before.

[engram-design]

Thanks for that insight. I'll say this is the first I've seen this sort of thing. But I should be able to track that down with that sort of information I think.