Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weโ€™ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(providers): conform Entra ID when responding with the wrong issuer #11980

Merged
merged 10 commits into from
Oct 18, 2024
Merged

fix(providers): conform Entra ID when responding with the wrong issuer #11980

merged 10 commits into from
Oct 18, 2024

Conversation

balazsorban44
Copy link
Member

@balazsorban44 balazsorban44 commented Oct 6, 2024
edited
Loading

Fixes #9635
Closes #9718
Fixes #12041

Microsoft has a non-compliant provider and shows no signs of wanting to fix it ๐Ÿ˜ฎโ€๐Ÿ’จ: MicrosoftDocs/azure-docs#38427, MicrosoftDocs/azure-docs#113944

The current common-practice approach requires throwing the spec in the ๐Ÿ—‘๏ธ and:

  • For the discovery endpoint in general, fake the response by replacing {tenantid} with common
  • Specifically for the token response, extract the tid claim from the id_token and manually override the issuer of the discovery metadata with a reconstructed issuer, this time replacing {tenantid} with the tid value. Technically another discovery request is then necessary to get the issuer.

In this PR, I am trying to find a way that would not require modifying the core library (panva/oauth4webapi#131 (comment)) just for the sake of Microsoft, but as it seems, it is quite impossible with a generic API...

@vercel Vercel
Copy link

vercel bot commented Oct 6, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git โ†—๏ธŽ

Name Status Preview Comments Updated (UTC)
auth-docs โœ… Ready (Inspect) Visit Preview ๐Ÿ’ฌ Add feedback Oct 18, 2024 4:56pm
2 Skipped Deployments
Name Status Preview Comments Updated (UTC)
next-auth-docs โฌœ๏ธ Ignored (Inspect) Visit Preview Oct 18, 2024 4:56pm
proxy โฌœ๏ธ Ignored (Inspect) Visit Preview Oct 18, 2024 4:56pm

@github-actions github-actions bot added providers core Refers to `@auth/core` labels Oct 6, 2024
This was referenced Oct 6, 2024
Closed
Closed
@balazsorban44 balazsorban44 changed the title fix(providers): handle Entra ID sending the wrong issuer fix(providers): conform Entra ID when responding with the wrong issuer Oct 6, 2024
@codecov Codecov
Copy link

codecov bot commented Oct 6, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 37.77778% with 112 lines in your changes missing coverage. Please review.

Project coverage is 39.27%. Comparing base (f7f570c) to head (77a3fc6).
Report is 4 commits behind head on main.

Files with missing lines Patch % Lines
packages/core/src/providers/microsoft-entra-id.ts 0.00% 54 Missing โš ๏ธ
...es/core/src/lib/actions/callback/oauth/callback.ts 4.76% 40 Missing โš ๏ธ
packages/core/src/providers/azure-ad.ts 0.00% 10 Missing โš ๏ธ
packages/core/src/providers/azure-ad-b2c.ts 0.00% 3 Missing โš ๏ธ
packages/core/src/providers/oauth.ts 0.00% 3 Missing โš ๏ธ
...s/core/src/lib/actions/signin/authorization-url.ts 33.33% 2 Missing โš ๏ธ
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #11980      +/-   ##
==========================================
+ Coverage   39.05%   39.27%   +0.21%     
==========================================
  Files         191      191              
  Lines       29994    29852     -142     
  Branches     1288     1294       +6     
==========================================
+ Hits        11715    11725      +10     
+ Misses      18279    18127     -152

โ˜” View full report in Codecov by Sentry.
๐Ÿ“ข Have feedback on the report? Share it here.

@balazsorban44
Copy link
Member Author

balazsorban44 commented Oct 6, 2024
edited
Loading

As of this comment, I managed to get things working, if the developer knows the tenantId of the id_token of the user, when adding the provider in Auth.js libraries. Ideally, they would not need to do this though...

@balazsorban44 balazsorban44 mentioned this pull request Oct 15, 2024
Closed
@balazsorban44 balazsorban44 marked this pull request as ready for review October 18, 2024 16:52
@balazsorban44 balazsorban44 merged commit e981e4d into main Oct 18, 2024
9 of 10 checks passed
@balazsorban44 balazsorban44 deleted the fix/entra-id branch October 18, 2024 16:52
@github-actions GitHub Actions
Copy link

Broken Link Checker

87 broken links found. Links organised below by source page, or page where they were found.

1) /reference/core/providers/reddit

Target Link Link Text
/reference/core/providers/postmark "postmark"
/reference/core/providers/postmark "postmark"

2) /reference/core/providers/resend

Target Link Link Text
/reference/core/providers/postmark "postmark"

3) /reference/core/providers/roblox

Target Link Link Text
/reference/core/providers/postmark "postmark"

4) /reference/core/providers/salesforce

Target Link Link Text
/reference/core/providers/postmark "postmark"

5) /reference/core/providers/sendgrid

Target Link Link Text
/reference/core/providers/postmark "postmark"

6) /reference/core/providers/simplelogin

Target Link Link Text
/reference/core/providers/postmark "postmark"

7) /reference/core/providers/slack

Target Link Link Text
/reference/core/providers/postmark "postmark"

8) /reference/core/providers/spotify

Target Link Link Text
/reference/core/providers/postmark "postmark"

9) /reference/core/providers/strava

Target Link Link Text
/reference/core/providers/postmark "postmark"

10) /reference/core/providers/threads

Target Link Link Text
/reference/core/providers/postmark "postmark"

11) /reference/core/providers/tiktok

Target Link Link Text
/reference/core/providers/postmark "postmark"

12) /reference/core/providers/todoist

Target Link Link Text
/reference/core/providers/postmark "postmark"

13) /reference/core/providers/trakt

Target Link Link Text
/reference/core/providers/postmark "postmark"

14) /reference/core/providers/twitch

Target Link Link Text
/reference/core/providers/postmark "postmark"

15) /reference/core/providers/twitter

Target Link Link Text
/reference/core/providers/postmark "postmark"

16) /reference/core/providers/united-effects

Target Link Link Text
/reference/core/providers/postmark "postmark"

17) /reference/core/providers/vipps

Target Link Link Text
/reference/core/providers/postmark "postmark"

18) /reference/core/providers/vk

Target Link Link Text
/reference/core/providers/postmark "postmark"

19) /reference/core/providers/webauthn

Target Link Link Text
/reference/core/providers/postmark "postmark"

20) /reference/core/providers/webex

Target Link Link Text
/reference/core/providers/postmark "postmark"

21) /reference/core/providers/wechat

Target Link Link Text
/reference/core/providers/postmark "postmark"

22) /reference/core/providers/wikimedia

Target Link Link Text
/reference/core/providers/postmark "postmark"

23) /reference/core/providers/wordpress

Target Link Link Text
/reference/core/providers/postmark "postmark"

24) /reference/core/providers/workos

Target Link Link Text
/reference/core/providers/postmark "postmark"

25) /reference/core/providers/yandex

Target Link Link Text
/reference/core/providers/postmark "postmark"

26) /reference/core/providers/zitadel

Target Link Link Text
/reference/core/providers/postmark "postmark"

27) /reference/core/providers/zoho

Target Link Link Text
/reference/core/providers/postmark "postmark"

28) /reference/core/providers/zoom

Target Link Link Text
/reference/core/providers/postmark "postmark"

29) /reference/core/types

Target Link Link Text
/reference/core/providers/postmark "postmark"

30) /reference/nextjs

Target Link Link Text
/reference/core/providers/postmark "postmark"

31) /reference/nextjs/adapters

Target Link Link Text
/reference/core/providers/postmark "postmark"

32) /reference/nextjs/jwt

Target Link Link Text
/reference/core/providers/postmark "postmark"

33) /reference/nextjs/middleware

Target Link Link Text
/reference/core/providers/postmark "postmark"

34) /reference/nextjs/next

Target Link Link Text
/reference/core/providers/postmark "postmark"

35) /reference/nextjs/react

Target Link Link Text
/reference/core/providers/postmark "postmark"

36) /reference/nextjs/webauthn

Target Link Link Text
/reference/core/providers/postmark "postmark"

37) /reference/sveltekit

Target Link Link Text
/reference/core/providers/postmark "postmark"

38) /reference/sveltekit/actions

Target Link Link Text
/reference/core/providers/postmark "postmark"

39) /reference/sveltekit/adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

40) /reference/sveltekit/client

Target Link Link Text
/reference/core/providers/postmark "postmark"

41) /reference/sveltekit/env

Target Link Link Text
/reference/core/providers/postmark "postmark"

42) /reference/sveltekit/types

Target Link Link Text
/reference/core/providers/postmark "postmark"

43) /reference/express

Target Link Link Text
/reference/core/providers/postmark "postmark"

44) /reference/express/adapters

Target Link Link Text
/reference/core/providers/postmark "postmark"

45) /reference/express/lib

Target Link Link Text
/reference/core/providers/postmark "postmark"

46) /reference/express/lib/http-api-adapters

Target Link Link Text
/reference/core/providers/postmark "postmark"

47) /reference/qwik

Target Link Link Text
/reference/core/providers/postmark "postmark"

48) /reference/solid-start

Target Link Link Text
/reference/core/providers/postmark "postmark"

49) /reference/solid-start/adapters

Target Link Link Text
/reference/core/providers/postmark "postmark"

50) /reference/solid-start/client

Target Link Link Text
/reference/core/providers/postmark "postmark"

51) /reference/warnings

Target Link Link Text
/reference/core/providers/postmark "postmark"

52) /reference/prisma-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

53) /reference/drizzle-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

54) /reference/drizzle-adapter/lib/mysql

Target Link Link Text
/reference/core/providers/postmark "postmark"

55) /reference/drizzle-adapter/lib/pg

Target Link Link Text
/reference/core/providers/postmark "postmark"

56) /reference/drizzle-adapter/lib/sqlite

Target Link Link Text
/reference/core/providers/postmark "postmark"

57) /reference/drizzle-adapter/lib/utils

Target Link Link Text
/reference/core/providers/postmark "postmark"

58) /reference/azure-tables-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

59) /reference/d1-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

60) /reference/dgraph-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

61) /reference/dgraph-adapter/lib/client

Target Link Link Text
/reference/core/providers/postmark "postmark"

62) /reference/dgraph-adapter/lib/graphql/fragments

Target Link Link Text
/reference/core/providers/postmark "postmark"

63) /reference/dynamodb-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

64) /reference/edgedb-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

65) /reference/fauna-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

66) /reference/firebase-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

67) /reference/hasura-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

68) /reference/hasura-adapter/lib/client

Target Link Link Text
/reference/core/providers/postmark "postmark"

69) /reference/kysely-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

70) /reference/mikro-orm-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

71) /reference/mikro-orm-adapter/lib/entities

Target Link Link Text
/reference/core/providers/postmark "postmark"

72) /reference/mongodb-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

73) /reference/neo4j-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

74) /reference/pg-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

75) /reference/pouchdb-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

76) /reference/sequelize-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

77) /reference/sequelize-adapter/models

Target Link Link Text
/reference/core/providers/postmark "postmark"

78) /reference/supabase-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

79) /reference/surrealdb-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

80) /reference/typeorm-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

81) /reference/typeorm-adapter/entities

Target Link Link Text
/reference/core/providers/postmark "postmark"

82) /reference/typeorm-adapter/utils

Target Link Link Text
/reference/core/providers/postmark "postmark"

83) /reference/unstorage-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

84) /reference/upstash-redis-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

85) /reference/xata-adapter

Target Link Link Text
/reference/core/providers/postmark "postmark"

86) /reference/xata-adapter/xata

Target Link Link Text
/reference/core/providers/postmark "postmark"

@edwardccg
Copy link

Hi @balazsorban44

Sorry for replying in this particular PR, as this is relevant with this change it seems.
When trying to run the code inside Docker with a standalone build using the latest version of next-auth (next-auth@5.0.0-beta.25). I am getting following error.

[auth][error] TypeError: fetch failed
    at node:internal/deps/undici/undici:13178:13
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async [custom-fetch] (webpack-internal:///(rsc)/../../node_modules/@auth/core/providers/microsoft-entra-id.js:126:34)
    at async getAuthorizationUrl (webpack-internal:///(rsc)/../../node_modules/@auth/core/lib/actions/signin/authorization-url.js:25:35)
    at async Module.signIn (webpack-internal:///(rsc)/../../node_modules/@auth/core/lib/actions/signin/index.js:16:56)
    at async AuthInternal (webpack-internal:///(rsc)/../../node_modules/@auth/core/lib/index.js:76:24)
    at async Auth (webpack-internal:///(rsc)/../../node_modules/@auth/core/index.js:130:34)

This pointed to the [custom-fetch] code (line 126 on the microsoft-entra-id.js):
image

When trying to understand this logic, I found out the tenantRe might be incorrect? It matched a single word like common
image

However, in actual input, tenant id is a GUID. Following doesnt match, so tenantId are not able to extract
image

It's probably not the direct cause of the issue above as it work fine when i run the standalone code in my local machine but not on my Docker. Can you review and verify if the tenantRe are intended?

@alamchrstn
Copy link

alamchrstn commented Oct 25, 2024
edited
Loading

if I may add a dumb question here, am I correct to use https://login.microsoftonline.com/{my-tenant-id as the issuer property? not sure if this is related to @edwardccg 's issue above, but after bumping to 5.0.0-beta.25, I got the following error

[auth][error] OperationProcessingError: "response" body "issuer" property does not match the expected value

previously I was using 5.0.0-beta.22 with tenantId config rather than issuer, and it worked fine. ๐Ÿค”

EDIT: scrap my โ˜๏ธ dumbness... I missed out on putting /v2.0 at the end of the issuer

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ThangHuuVu ThangHuuVu Awaiting requested review from ThangHuuVu ThangHuuVu is a code owner

@ubbe-xyz ubbe-xyz Awaiting requested review from ubbe-xyz ubbe-xyz is a code owner

@ndom91 ndom91 Awaiting requested review from ndom91 ndom91 is a code owner

Assignees
No one assigned
Labels
core Refers to `@auth/core` providers
Projects
None yet
Milestone
No milestone
3 participants
@balazsorban44 @edwardccg @alamchrstn