nextauthjs / next-auth

Authentication for the Web.
https://authjs.dev
ISC License

Entra ID provider causes JWTInvalid: JWTs must use Compact JWS serialization, JWT must be a string error #12187

Closed ay13 closed 1 week ago

ay13 commented 2 weeks ago

Provider type

This is using the Entra ID provider. Entra wasn't an option in the drop down so I chose AD Azure Active Directory

Environment

  System:
    OS: macOS 14.5
    CPU: (10) arm64 Apple M1 Pro
    Memory: 27.52 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.18.0 - ~/.nvm/versions/node/v20.18.0/bin/node
    Yarn: 1.22.22 - ~/.nvm/versions/node/v20.18.0/bin/yarn
    npm: 10.8.2 - ~/.nvm/versions/node/v20.18.0/bin/npm
    pnpm: 9.9.0 - ~/.nvm/versions/node/v20.18.0/bin/pnpm
  Browsers:
    Chrome: 130.0.6723.92
    Edge: 130.0.2849.68
    Safari: 17.5
  npmPackages:
    @auth/sveltekit: ^1.7.3 => 1.7.3

Reproduction URL

https://github.com/ay13/auth-entra

Describe the issue

After the initial auth process it redirects back to the app and displays the message:

Server error

There is a problem with the server configuration.

Check the server logs for more information.

in the console I see the error:

"provider": "microsoft-entra-id" } [auth][error] CallbackRouteError: Read more at https://errors.authjs.dev#callbackrouteerror [auth][cause]: JWTInvalid: JWTs must use Compact JWS serialization, JWT must be a string

How to reproduce

  1. New SvelteKit project using npx sv create
  2. Set up SvelteKit integration using directions from https://authjs.dev/getting-started/installation?framework=SvelteKit
  3. Set up the Entra ID provider using https://authjs.dev/getting-started/providers/microsoft-entra-id
  4. Try to sign in.

Expected behavior

I expected to authenticate without an error

diego-gt commented 1 week ago

Hi @ay13! I ran into this issue as well; my specific cause was that I was not setting the issuer URL correctly.

Assuming that you're trying to use a Microsoft 365 business plan for this, please try to verify that your issuer variable is set to https://login.microsoftonline.com/{tenantId}/v2.0; you can reference the docs here: https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#find-your-apps-openid-configuration-document-uri.

Hopefully that helps.

ay13 commented 1 week ago

Thanks for the reply @diego-gt, I verified that my issuer is set up the correct way. Same issue.

ay13 commented 1 week ago

Disregard this issue, it was my mistake.

In the redirect section of Entra ID I set my redirect as a Single-page app, when I set it as a web app it worked correctly.

warrantor commented 1 week ago

Hi @ay13 I've also been racking my brain on this for 3 days. Is this the proposed fix, setting the redirect as a web app? Does everything work as expected?

Thanks!

ay13 commented 1 week ago

@warrantor For me, setting the platform to Web worked and Single-page application did not. I believe Entra returns the token differently based on which of those you select.

How my Authentication settings look now.

diego-gt commented 1 week ago

Glad you got it working! Yes, the redirect should be set as a Web app instead of SPA; the Entra platform will provide different tokens (Access Tokens for SPAs vs ID Tokens for Web apps) depending on that type. It doesn't limit you to using only server components, it works on both. The way you access the session is different though. Docs for app types: https://learn.microsoft.com/en-us/entra/identity-platform/v2-app-types
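The two configuration points this thread settles on (the shape of the issuer string, and an id_token actually being present in the token response) as an added diagnostic in JavaScript; this is not code from the issue, from Auth.js or from the jose library, and the token response object, the `expected` config object and the sample token are assumptions constructed for the example.

```javascript
// Added example (not from the issue, Auth.js or jose): a pre-flight diagnostic
// for the two misconfigurations discussed in this thread. The token response
// shape and the expected-config object are assumptions for the example.

const ISSUER_RE =
  /^https:\/\/login\.microsoftonline\.com\/([0-9a-f-]{36}|common|organizations|consumers)\/v2\.0$/i;

// Returns null when the issuer is well-formed, otherwise a human-readable reason.
function checkIssuer(issuer) {
  if (typeof issuer !== "string" || issuer.length === 0) return "issuer is unset";
  if (!ISSUER_RE.test(issuer)) {
    return "issuer must look like https://login.microsoftonline.com/{tenantId}/v2.0";
  }
  return null;
}

// Decodes (does NOT verify) the id_token so its claims can be compared with the
// configuration. The first check is the one behind the thread's error: a token
// response with no id_token string (as seen with the app registered as a SPA)
// makes a compact-JWS parser throw "JWT must be a string".
function inspectIdToken(tokenResponse, expected) {
  const idToken = tokenResponse?.id_token;
  if (typeof idToken !== "string") {
    return { ok: false, reason: "no id_token string in token response (platform should be Web, not SPA)" };
  }
  const parts = idToken.split(".");
  if (parts.length !== 3) return { ok: false, reason: "id_token is not a compact JWS" };
  let claims;
  try {
    claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "id_token payload is not base64url JSON" };
  }
  if (claims.iss !== expected.issuer) return { ok: false, reason: `iss mismatch: ${claims.iss}` };
  if (claims.aud !== expected.clientId) return { ok: false, reason: `aud mismatch: ${claims.aud}` };
  return { ok: true, claims };
}

// Constructed sample values (placeholder tenant/client ids, unsigned token with a
// placeholder signature segment) so the diagnostic can be run offline.
const SAMPLE_ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0";
const SAMPLE_CLIENT_ID = "11111111-1111-1111-1111-111111111111";
function sampleToken(iss, aud) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "RS256", typ: "JWT" })}.${b64({ iss, aud, sub: "user" })}.sig`;
}
```

Run `inspectIdToken` on the raw token response before it reaches the JWT decoder to learn whether the failure is a missing id_token (platform type) or an issuer/audience mismatch (configuration).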