fix(providers): Handle Azure AD tenants correctly #9718
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
1 Ignored Deployment
|
JibbityJobbity
changed the title
|
Testing needed
|
There was a problem hiding this comment.
Any non-compliance needs to be handled at the provider level. we don't want branching based on specific providers, it's not maintainable in the long term
This will need a different solution. Something similar to the conform method on token.
some useful info at the end of the thread here #8831
|
I think there should be two distinct providers One where you know the tenant you're working with and you're NOT using any of the "common" issuers (the existing one with the exception that tenant id is required). And then another one which can be used with one of the "common" issuers This one has the workarounds in and requires explicit configuration to
|
|
While we all know the real solution to this, I think by the time I have a crack at this, we will know what ends up happening. But that's definitely considerable if |
JibbityJobbity
force-pushed
the
azure-ad-common-tenant
branch
from
59df0ac
to
3626664
Compare
JibbityJobbity
force-pushed
the
azure-ad-common-tenant
branch
2 times, most recently
from
e4ffecd
to
cfaf8da
Compare
|
I've done what I can for now. Completely open to suggestions and feedback. I know this doesn't quite match the sample, but I wanted the check to work the other way around. Rather than having it try to check against the "fake" URL with |
|
@JibbityJobbity is attempting to deploy a commit to the authjs Team on Vercel. A member of the Team first needs to authorize it. |
JibbityJobbity
force-pushed
the
azure-ad-common-tenant
branch
2 times, most recently
from
b8e41d1
to
db8b784
Compare
|
|
||
| return { | ||
| ...authServer, | ||
| issuer: authServer.issuer.replace("common", tenantId), |
There was a problem hiding this comment.
This isn't right. Need to detect the tenant that's being used. Probably just replace the provider's tenant ID with whatever we expect from the JWT.
|
I'm not finding all the individual bits from my original recommendation nor the recommended split from #9718 (comment) so I'm assuming you're going with your own workarounds. |
It's a mix between what you suggested in the other issue and the conform methods. It still achieves the same thing, which is satisfying those underlying checks in your library while bringing the conformity to the provider level, as suggested by @balazsorban44. If this isn't good enough then I'll change the PR to satisfy the solution you gave earlier. The special Anyway, I just did some testing with the other grouped tenants. The issuer URL comes back with some weird tenant ID instead of getting the user to replace "{tenantid}" or some other value we can expect. Replacing "{tenantid}" only seems to work with "common" and doesn't work with "organizations" or "consumers". This keeps rearing its ugly head, you almost need something to the effect of this to override the check to bypass it: const discoveryResponse: Response | undefined = await o.discoveryRequest(issuer)
let json = await discoveryResponse.json();
const as = await o.processDiscoveryResponse(new URL(json.issuer), discoveryResponse!)I'll need another go at this. I'll shoot for tomorrow. |
JibbityJobbity
force-pushed
the
azure-ad-common-tenant
branch
from
b488878
to
43a1482
Compare
|
This seems to work nicely :) I'm largely happy with the current solution now. |
JibbityJobbity
force-pushed
the
azure-ad-common-tenant
branch
from
360734d
to
ab0a2a5
Compare
|
Bump, rebased. |
|
hey! great work here, we could really use this. would love to see this get merged soon. |
|
It would be great to see this get merged. I'm sure it blocks a lot of people from adopting v5. |
Original PR on next-auth: nextauthjs#9718 Patched waiting for this to be released upstream
|
Is there an update on this? |
|
Hello, |
I'll rebase, but I haven't heard anything from any of the maintainers since I got it working. |
|
Thank you @JibbityJobbity |
|
Thanks @JibbityJobbity for that PR! Hopefully maintainers of this repo will merge it! |
|
Any updates guys? |
|
It looks like there is some status quo here. Azure AD also has been rebranded to Microsoft Entra Id and that has been adressed in the code already. I am afraid the train is moving on and a solution is getting out of site. @JibbityJobbity, thank you for your hard work. A request on behalf of all of us if you could adress the remaining open ends here? |
|
Entra ID has the exact same issue that this PR tries to fix. |
The way Microsoft integrates their tenant system will change the underlying endpoints underneath the oauth/openid ones it provides. This works around the non-conformity and makes it functional.
JibbityJobbity
force-pushed
the
azure-ad-common-tenant
branch
from
ab0a2a5
to
f0ee97e
Compare
|
I've rebased and put the fix onto Entra ID. I haven't changed any logic. |
|
@JibbityJobbity "dependencies":
"@auth/core": "https://github.com/JibbityJobbity/next-auth.git",
"@auth/sveltekit": "^1.1.0"
"pnpm": {
"overrides": {
"@auth/core": "https://github.com/JibbityJobbity/next-auth.git"
}
},It errors with: Does the package has to be build first and do i need to make a fork of your repo and do that myself or is there a simpler solution use your repo? And do i need to specify a tenant for the EntraId config like: MicrosoftEntraIDProvider({
clientId: MICROSOFT_ENTRA_ID_CLIENT_ID,
clientSecret: MICROSOFT_ENTRA_ID_CLIENT_SECRET,
authorization: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
token: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
tenantId: 'common'
})Excuse my ignorance :-) |
|
@RonB but I'm getting following error when
I'm using Would be great if this fix is merged 🤞 |
|
Yeah, the way I got around it for development was to hack stuff in my |
Hi Michael, I've followed the instructions in this link for applying the patch. However, I'm still encountering the same errors as before. Could you please explain how you did it? Errors |
☕️ Reasoning
Endpoints returned by Azure AD want us to edit the path so that each request gets routed to their proper tenant IDs.
The old implementation didn't handle this properly when using the "common" tenant ID, which basically lets us use it normally like any other provider. We would receive the template endpoint paths and use those in error checking and stuff rather than the ones we actually use.
I've just thrown something up and I've done some quick testing. It seems to work normally. I'll test custom tenants at some point and I suspect it won't work until I test and fix it.
🧢 Checklist
🎫 Affected issues
Fixes: #9635
📌 Resources