nextauthjs / next-auth

Authentication for the Web.
https://authjs.dev
ISC License

MicrosoftEntraID provider broken in 5.0.25 #12195

Closed rhufsky closed 2 weeks ago

rhufsky commented 2 weeks ago

Environment

  System:
    OS: macOS 15.1
    CPU: (8) arm64 Apple M1 Pro
    Memory: 604.73 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.18.0 - /opt/homebrew/opt/node@20/bin/node
    npm: 10.8.2 - /opt/homebrew/opt/node@20/bin/npm
    pnpm: 9.12.2 - /opt/homebrew/bin/pnpm
    bun: 1.1.33 - /opt/homebrew/bin/bun
  Browsers:
    Chrome: 130.0.6723.92
    Safari: 18.1
  npmPackages:
    next: 15.0.2 => 15.0.2 
    next-auth: 5.0.0-beta.25 => 5.0.0-beta.25 
    react: 19.0.0-rc-02c0e824-20241028 => 19.0.0-rc-02c0e824-20241028

Reproduction URL

https://github.com/rhufsky/entra-id-demo

Describe the issue

Signin with MicrosoftEntraID provider generates an error:

[auth][error] OAuthCallbackError: OAuth Provider returned an error. Read more at https://errors.authjs.dev#oauthcallbackerror
    at handleOAuth (/Users/rhufsky/demo/entra-id/.next/server/chunks/node_modules_@auth_core_427ddb._.js:3284:19)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Module.callback (/Users/rhufsky/demo/entra-id/.next/server/chunks/node_modules_@auth_core_427ddb._.js:3782:41)
    at async AuthInternal (/Users/rhufsky/demo/entra-id/.next/server/chunks/node_modules_@auth_core_427ddb._.js:4859:24)
    at async Auth (/Users/rhufsky/demo/entra-id/.next/server/chunks/node_modules_@auth_core_427ddb._.js:5120:34)
    at async AppRouteRouteModule.do (/Users/rhufsky/demo/entra-id/node_modules/next/dist/compiled/next-server/app-route.runtime.dev.js:10:32976)
    at async AppRouteRouteModule.handle (/Users/rhufsky/demo/entra-id/node_modules/next/dist/compiled/next-server/app-route.runtime.dev.js:10:38477)
    at async doRender (/Users/rhufsky/demo/entra-id/node_modules/next/dist/server/base-server.js:1493:42)
    at async responseGenerator (/Users/rhufsky/demo/entra-id/node_modules/next/dist/server/base-server.js:1834:28)
    at async DevServer.renderToResponseWithComponentsImpl (/Users/rhufsky/demo/entra-id/node_modules/next/dist/server/base-server.js:1876:28)
    at async DevServer.renderPageComponent (/Users/rhufsky/demo/entra-id/node_modules/next/dist/server/base-server.js:2290:24)
    at async DevServer.renderToResponseImpl (/Users/rhufsky/demo/entra-id/node_modules/next/dist/server/base-server.js:2328:32)
    at async DevServer.pipeImpl (/Users/rhufsky/demo/entra-id/node_modules/next/dist/server/base-server.js:984:25)
    at async NextNodeServer.handleCatchallRenderRequest (/Users/rhufsky/demo/entra-id/node_modules/next/dist/server/next-server.js:281:17)
    at async DevServer.handleRequestImpl (/Users/rhufsky/demo/entra-id/node_modules/next/dist/server/base-server.js:877:17)
    at async /Users/rhufsky/demo/entra-id/node_modules/next/dist/server/dev/next-dev-server.js:373:20
    at async Span.traceAsyncFn (/Users/rhufsky/demo/entra-id/node_modules/next/dist/trace/trace.js:153:20)
    at async DevServer.handleRequest (/Users/rhufsky/demo/entra-id/node_modules/next/dist/server/dev/next-dev-server.js:370:24)
    at async invokeRender (/Users/rhufsky/demo/entra-id/node_modules/next/dist/server/lib/router-server.js:183:21)
    at async handleRequest (/Users/rhufsky/demo/entra-id/node_modules/next/dist/server/lib/router-server.js:360:24)
    at async requestHandlerImpl (/Users/rhufsky/demo/entra-id/node_modules/next/dist/server/lib/router-server.js:384:13)
    at async Server.requestListener (/Users/rhufsky/demo/entra-id/node_modules/next/dist/server/lib/start-server.js:142:13)

How to reproduce

Sign in with MicrosoftEntraID as in the sample referenced on GitHub. Sign in with Google works.

In 5.0.0-beta.22 it works, albeit displaying errors indicating that we have to await cookies() and headers() as described for React 19.

5.0.0-beta.32 does not seem to work either.

As per the docs, the provider should be configured like so:

   import MicrosoftEntraID from "next-auth/providers/microsoft-entra-id"

   MicrosoftEntraID({
      clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID,
      clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
      // issuer set to the tenant ID, as the docs showed at the time
      issuer: process.env.AUTH_MICROSOFT_ENTRA_ID_TENANT_ID,
    }),

In this case, the system throws an exception because issuer should refer to a URL.

Expected behavior

Successful login

dreitagebart commented 2 weeks ago

Today at work I got the exact same issue. Have a look at this page: https://docs.logto.io/docs/recipes/single-sign-on/configure-sso/entra-id-oidc/#step-2-configure-microsoft-entra-id-oidc-sso-at-logto

Under 3. Issuer there is a screenshot where you can find the info for constructing the URL for the issuer property. [screenshot not reproduced]

Excerpt from the page: Locate the OpenID Connect metadata document endpoint and copy the URL WITHOUT the trailing path .well-known/openid-configuration. This is because Logto will automatically append the .well-known/openid-configuration to the issuer URL when fetching the OIDC configurations.

This helped me get the right information and solve the issue. Good luck, hope this helps!
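The issuer construction described in the comment above, as an added example (not code from next-auth, from the linked sample, or from either commenter): it takes the "OpenID Connect metadata document" URL from the Entra app registration, strips the `.well-known/openid-configuration` suffix that the library appends itself, and rejects the two mistakes that produce the `OAuthCallbackError` in this thread, a bare tenant ID or a URL on an unexpected host. The host `login.microsoftonline.com`, the `/v2.0` path shape, the GUID tenant ID, and the `AUTH_MICROSOFT_ENTRA_ID_ISSUER` variable name are assumptions made for the example; sovereign clouds use other hosts, so adjust the constant for those.

```typescript
// Added example; not part of next-auth or the reproduction repo.

// Auth.js appends this to `issuer` when fetching the OIDC configuration.
const WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration";

// Assumption: the public-cloud Entra ID authority. Sovereign clouds
// (e.g. login.microsoftonline.us) would need a different value.
const EXPECTED_HOST = "login.microsoftonline.com";

// Entra tenant IDs are GUIDs; this is what the docs' TENANT_ID variable held.
const GUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Turns the metadata-document URL (or an issuer with a trailing slash)
// into the issuer value the provider expects. Throws on the bad inputs
// seen in this thread instead of letting the OAuth callback fail later.
function entraIssuerFromMetadataUrl(metadataUrl: string): string {
  const raw = metadataUrl.trim();
  if (GUID_RE.test(raw)) {
    throw new Error(
      "issuer must be a URL, not the tenant ID; copy the OpenID Connect " +
        "metadata document URL from the app registration's Endpoints pane",
    );
  }
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    throw new Error(`issuer is not a valid URL: ${raw}`);
  }
  if (url.protocol !== "https:") {
    throw new Error("issuer must use https");
  }
  // Pin the authority: an issuer on another host would make the library
  // fetch OIDC metadata (and JWKS) from a server you did not intend to trust.
  if (url.host !== EXPECTED_HOST) {
    throw new Error(`unexpected issuer host ${url.host}, expected ${EXPECTED_HOST}`);
  }
  let path = url.pathname;
  if (path.endsWith(WELL_KNOWN_SUFFIX)) {
    path = path.slice(0, -WELL_KNOWN_SUFFIX.length);
  }
  path = path.replace(/\/+$/, ""); // no trailing slash before the suffix
  return `${url.origin}${path}`;
}

// The discovery URL the library will actually request for a given issuer.
function discoveryUrl(issuer: string): string {
  return issuer.replace(/\/+$/, "") + WELL_KNOWN_SUFFIX;
}

// First path segment of the issuer: a tenant GUID, or "common" /
// "organizations" for multi-tenant sign-in.
function tenantSegment(issuer: string): string {
  const segments = new URL(issuer).pathname.split("/").filter(Boolean);
  return segments[0] ?? "";
}

// True only when the issuer is pinned to one tenant.
function isSingleTenantIssuer(issuer: string): boolean {
  return GUID_RE.test(tenantSegment(issuer));
}

// Builds the option object passed to MicrosoftEntraID(...). The variable
// names other than _ID and _SECRET are assumptions for this example.
function entraProviderOptions(env: Record<string, string | undefined>): {
  clientId: string;
  clientSecret: string;
  issuer: string;
} {
  const clientId = env.AUTH_MICROSOFT_ENTRA_ID_ID;
  const clientSecret = env.AUTH_MICROSOFT_ENTRA_ID_SECRET;
  const issuerRaw = env.AUTH_MICROSOFT_ENTRA_ID_ISSUER;
  if (!clientId || !clientSecret || !issuerRaw) {
    throw new Error("missing AUTH_MICROSOFT_ENTRA_ID_* environment variables");
  }
  return { clientId, clientSecret, issuer: entraIssuerFromMetadataUrl(issuerRaw) };
}

// Constructed sample environment (placeholder values, not real credentials).
const SAMPLE_ENV: Record<string, string | undefined> = {
  AUTH_MICROSOFT_ENTRA_ID_ID: "00000000-0000-0000-0000-000000000001",
  AUTH_MICROSOFT_ENTRA_ID_SECRET: "placeholder-secret",
  AUTH_MICROSOFT_ENTRA_ID_ISSUER:
    "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0/.well-known/openid-configuration",
};
```

Checking `isSingleTenantIssuer` at startup is the security review point here: an issuer of `.../common/v2.0` lets accounts from any Entra tenant sign in, so a single-tenant app should fail fast if the configured issuer is not its own tenant GUID.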

rhufsky commented 2 weeks ago

Great, works for me now, thanks a lot.

rhufsky commented 2 weeks ago

Seems that has changed since 5.0.22, so the docs are also correct; maybe it would be nice to have a hint in the docs on where to find the issuer Azure parameter.