AzureADProvider does not work with default (common) endpoint #8374
Comments
georgy
added
providers
triage
|
It is possible to bypass the discovery phase by specifying authorization and token urls like such: Then I can see the login page and can login. But JWT validation fails: The problem here is that Azure AD service returns issuer with tenantId of the organization to which user's account belongs. This means that issuer does not match the one that was built by the lib (the one with 'common' alias for tenantId) |
|
+1 I'm having the same exact issue, and have tried @georgy's explicit definition for |
|
I'm not sure how to best implement this and test, but I believe what needs to happen is something to the effect of modifying azure-ad.ts I'm not sure how to best test this or try it out, I haven't modified a node module before I had issues running |
|
@georgy were you able to resolve? |
|
very sorry... premature commit by accident... |
|
I have tried something in addition to the first part of the solution. by adding an issuer to the config with the proper issuer tenantid it works. The id itself I cannot find in the Azure portal, so I had to grab it from the network. Also, I am not sure if Microsoft keeps this id the same or if it might change.... |
|
@RonB The issue with your solution is that the issuer is different based on the domain or if its public. For examples the issuer for |
|
Yes i noticed that, works for one other domain only which was the case in my situationeel. Thanx for noticing. Any idea how to solve this? |
|
@RonB It looks like there is a standoff between the Azure team and the OAuth2 teams MicrosoftDocs/azure-docs#38427 Their issues are not my issues, but now that I know there is an issue I can dig in and let you know what I find. |
|
So is it the case that the @balazsorban44 it would be very helpful if in the documentation for Azure AD, this was plastered in big letters that AuthJS is fundamentally incompatible with Microsoft Login, and if you care about Microsoft authentication at all you should use a different library. It is very misleading to claim that It's looking like either I need to fork |
|
@osdiab you are correct, as it stands you cannot use |
|
Welllll for now I'll do this stupid dirty hack.
Patch file (last updated 2023-12-14 to apply @cbdabner 's suggestion): How to use:
and for completeness for anyone who is unsure how to use this, this is how I set up the Azure auth when instantiating AuthJS: // we use the common tenant to accept any Microsoft account
const microsoftTenantId = "common";
const microsoftConfig = AzureADProvider({
// copied from the Essentials section in the Azure Console, Microsoft Entra ID,
// make an App Registration, get the client ID after done with that
clientId: process.env["AZURE_AD_CLIENT_ID"],
// In the App Registration, click on the Client Secrets link, make a secret
clientSecret: process.env["AZURE_AD_CLIENT_SECRET"],
tenantId: microsoftTenantId,
// need to override these URLs to skip the Discovery phase, to sidestep OIDC
// validation issues
token: {
url: `https://login.microsoftonline.com/${microsoftTenantId}/oauth2/v2.0/token`,
},
userinfo: { url: "https://graph.microsoft.com/oidc/userinfo" },
authorization: {
url: `https://login.microsoftonline.com/${microsoftTenantId}/oauth2/v2.0/authorize`,
params: { scope: "openid profile email User.Read" },
},
issuer: `https://login.microsoftonline.com/${microsoftTenantId}/v2.0`,
});
|
|
Following |
|
@osdiab, re: your patch, you should check the iss claim matches the tenant returned in the custom tid claim: function validateIssuer(expected, result) {
if (expected === 'https://login.microsoftonline.com/common/v2.0'
&& result.claims.tid !== undefined
&& result.claims.iss === `https://login.microsoftonline.com/${result.claims.tid}/v2.0`) {
return result;
}
... |
|
@cbdabner's fix is the most correct one; @osdiab's pnpm patch approach works great here. Thanks both! It's a shame that it's taken years for Microsoft to resolve this, since Microsoft has long helped to guide the OAuth and OIDC specification work. Big companies, I guess. 🙃 As a note to the next-auth authors, while I applaud your stance urging conformance to the spec, I'd encourage you to bake in the workaround (even if it's via a snarky flag like Ultimately, those of us who find our way to this issue are just trying to get people signed in, and most aren't concerned with the state of Microsoft's standards compliance. Resorting to one-off hacks in many codebases, versus a "supported" workaround will leave us all less secure. Keep pressing on Microsoft, though! They should know better, but encouraging your users to leave reports on their issue tracker will have an effect. Also, thanks for your work on next-auth! 💜 |
|
I updated my post to include the suggested fix! |
|
Thanks for the help from everyone here to figure out this OIDC issue. When I apply this method, I do get forwarded to the Microsoft login screen, but the authentication still fails with the following, has anyone else encountered this, I can't find any further useful information about what went wrong here specifically. |
|
hard to say without more details - can you make sure that the callback/jwt implementations don't throw?
|
|
Yeah I already did add logging to my callbacks, which don't throw, as well as around the image fetching in the profile, which never gets called. I'm a bit clueless where else to add logging inside next-auth to get some useful information about what went wrong. I guess I'll just wait with upgrading to next-auth@5 until this is more stable. |
|
Would a PR be accepted that allows switching back to the old OAuth (no OIDC) workflow on the Azure AD provider for common tenant? Not working for one of the biggest providers seems to totally defeats the purpose of this library. |
|
I'd very much appreciate a work around officially in Authjs, I know Microsoft isn't conforming properly, but they're one of the biggest OAuth players out there next to Google and Apple. Not having easy support for them kinda defeats the purpose of Authjs. I like @blaine's suggestion of a snarky flag, and have the Authjs documentation link to where people can put pressure on MS. |
|
@osdiab Your solution didn't fix it for me. Still get:
|
|
@dennishammarstrand i can’t comment without knowing how your project is set up, but I would start by using the pnpm patch command to insert a console log or something into the function to make sure that the patch is actually applied, and maybe inspect what is in iss to see if it’s something expected. |
|
@osdiab Sorry was just me that was doing it wrong, did it the yarn way and it works great! Thanks a lot for your solution! 👍 |
|
Tracking this via #9635 (comment). You can also follow #9718 closing as duplicate |
|
I had the same issue with "consumers" tenant and fixed it by simply replace |
Provider type
Azure Active Directory
Environment
"next" : N/A
"react": N/A
"@auth/core": "0.12.0"
"@auth/sveltekit": "0.3.1"
Reproduction URL
N/A (it is a basic setup)
Describe the issue
I am using simple setup for AzureADProvider. My goal is to allow login with any valid Microsoft identity (I have app registration setup, etc). I am am not providing
tenantIdwill default tocommonThe root cause is the way Microsoft implemented oidc.
How to reproduce
Expected behavior
User is redirected to the Microsoth login page and login works...
The text was updated successfully, but these errors were encountered: