nextauthjs / next-auth

Authentication for the Web.
https://authjs.dev
ISC License

AADSTS700005: Provided Authorization Code is intended to use against other tenant, thus rejected. #11604

Open Wosca opened 2 months ago

Wosca commented 2 months ago

Provider type

Azure Active Directory

Environment

System:
    OS: Windows 11 10.0.22631
    CPU: (16) x64 AMD Ryzen 7 7800X3D 8-Core Processor
    Memory: 13.87 GB / 31.69 GB
  Binaries:
    Node: 21.6.1 - C:\Program Files\nodejs\node.EXE
    npm: 10.4.0 - C:\Program Files\nodejs\npm.CMD
    bun: 1.1.17 - ~\.bun\bin\bun.EXE
  Browsers:
    Edge: Chromium (127.0.2651.74)
    Internet Explorer: 11.0.22621.3527
  npmPackages:
    next: 14.2.5 => 14.2.5
    next-auth: ^5.0.0-beta.20 => 5.0.0-beta.20
    react: ^18 => 18.3.1

Windows 11. Tested on Firefox and Chrome.

Reproduction URL

https://github.com/Wosca/temporary-issue

Describe the issue

The error AADSTS700005 occurs when I try to use the Microsoft Entra ID provider in Auth.js on Next.js v14. I have all the environment variables configured properly. I can verify this because I have manually recreated the flow using manual API requests to the Microsoft endpoints with successful results. I believe it is something happening inside of the provider, as I don't believe there is anything else I can configure to fix it. Below is my auth.ts file:

import NextAuth from "next-auth";
import EntraId from "next-auth/providers/microsoft-entra-id";

export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [
    EntraId({
      clientId: process.env.AUTH_AZURE_AD_ID,
      clientSecret: process.env.AUTH_AZURE_AD_SECRET,
      tenantId: process.env.AUTH_AZURE_AD_TENANT_ID,
      authorization: {
        url: `https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize`,
        params: {
          scope: "openid email",
        },
      },
    }),
  ],
});

How to reproduce

You can go to the reproduction URL at https://temporary-issue.vercel.app/, press "sign in with azure active directory", then press "sign in with entra id" and continue from there. You will then be greeted with the Auth.js error page, which logs the following to the console:

error {
  error: 'invalid_grant',
  error_description: 'AADSTS700005: Provided Authorization Code is intended to use against other tenant, thus rejected. Trace ID:  Correlation ID:  Timestamp: 2024-08-14 12:03:28Z',
  error_codes: [ 700005 ],
  timestamp: '2024-08-14 12:03:28Z',
  trace_id: '',
  correlation_id: '',
  error_uri: 'https://login.microsoftonline.com/error?code=700005'
}

Expected behavior

The authorization flow returns a valid auth code. Everything is successful on Microsoft's end, and I believe this because no error is shown until the exchange for the access token commences.

(Also Entra ID is missing from the provider selection above)
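The error text says the authorization code was issued for a different tenant than the one the token request targeted, and the posted config sends the authorize request to the `organizations` authority while `tenantId` names one specific tenant. The following is an added example, not code from Auth.js or from the issue: a small TypeScript check that flags such a disagreement between `authorization.url` and `tenantId`; it assumes the provider addresses the token request to the tenant given in `tenantId`.

```typescript
// Added example (not part of Auth.js or the issue): a consistency check for the
// Entra ID provider options shown in the posted auth.ts. Assumes the token
// request is addressed to the tenant named by `tenantId`.
type EntraOptions = {
  tenantId?: string;
  authorization?: { url?: string; params?: Record<string, string> };
};

const LOGIN_HOST = "login.microsoftonline.com";
// Multi-tenant authority aliases accepted by the Entra ID authorize endpoint.
const AUTHORITY_ALIASES = new Set(["common", "organizations", "consumers"]);

// Tenant segment of an authorize URL:
// https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize -> "<tenant>"
function tenantFromAuthorizeUrl(url: string): string | undefined {
  try {
    const parsed = new URL(url);
    if (parsed.hostname !== LOGIN_HOST) return undefined;
    const [tenant] = parsed.pathname.split("/").filter(Boolean);
    return tenant;
  } catch {
    return undefined; // not a parseable URL
  }
}

// Returns findings; an empty list means the authorize URL and tenantId name the
// same authority, so the code is issued and redeemed against the same tenant.
function checkTenantConsistency(opts: EntraOptions): string[] {
  const findings: string[] = [];
  const overrideUrl = opts.authorization?.url;
  if (!overrideUrl) return findings; // no override: nothing can disagree with tenantId
  const fromUrl = tenantFromAuthorizeUrl(overrideUrl);
  if (!fromUrl) {
    findings.push(`authorization.url is not a ${LOGIN_HOST} authorize URL`);
  } else if (!opts.tenantId) {
    findings.push("tenantId is unset while authorization.url names a tenant");
  } else if (fromUrl !== opts.tenantId) {
    const kind = AUTHORITY_ALIASES.has(fromUrl) ? "multi-tenant alias" : "tenant";
    findings.push(
      `authorize URL uses ${kind} "${fromUrl}" but tenantId is "${opts.tenantId}"; ` +
        "an authorization code from one authority is rejected by another (AADSTS700005)"
    );
  }
  return findings;
}
```

Run it against the provider options before calling `NextAuth(...)`; a non-empty result points at the two settings that name different authorities.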

Wosca commented 2 months ago

I just tried with next-auth v4 using the AzureAD provider and it worked first try.

dymoo commented 2 months ago

Not working on v5 beta 20 for me