nhost / hasura-auth

Authentication for Hasura.
https://nhost.io
MIT License

Signing up with Azure AD does not set the users email #404

Closed hk-meko closed 1 year ago

hk-meko commented 1 year ago

When using Azure AD for signup/signin, the user's email is not set in the database. This part of the azuread config is the falsey part. The payload field containing the email is named "upn"; in the config it's email.

azuread: {
  grant: {
    oauth: 2,
    scope_delimiter: ' ',
    client_id: process.env.AUTH_PROVIDER_AZUREAD_CLIENT_ID,
    client_secret: process.env.AUTH_PROVIDER_AZUREAD_CLIENT_SECRET,
    authorize_url: `${azureBaseUrl}/[subdomain]/oauth2/authorize`,
    access_url: `${azureBaseUrl}/[subdomain]/oauth2/token`,
    profile_url: `${azureBaseUrl}/[subdomain]/openid/userinfo`,
    subdomain: process.env.AUTH_PROVIDER_AZUREAD_TENANT || 'common',
  },
  profile: ({ jwt }) => {
    const payload = jwt?.id_token?.payload;
    return {
      id: payload.oid,
      displayName: payload.name,
      email: payload.email, // no `email` claim in the token below; the address is in `upn`
    };
  },
},

Here is a privatized OAuth response from AzureAD:

{
  "id_token": "...",
  "access_token": "...",
  "refresh_token": "...",
  "jwt": {
    "id_token": {
      "header": {
        "typ": "JWT",
        "alg": "none"
      },
      "payload": {
        "aud": "...",
        "iss": "https://sts.windows.net/.../",
        "iat": 1689073876,
        "nbf": 1689073876,
        "exp": 1689077776,
        "amr": [
          "pwd",
          "mfa"
        ],
        "family_name": "Doe",
        "given_name": "John",
        "ipaddr": "12.345.78.912",
        "name": "John Doe",
        "oid": "...",
        "onprem_sid": "...",
        "rh": "...",
        "sub": "...",
        "tid": "...",
        "unique_name": "email@email.com",
        "upn": "email@email.com",
        "ver": "1.0"
      },
      "signature": ""
    }
  },
  "profile": {
    "error": {}
  }
}

I hope this can be fixed quickly, with the provided information.
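An added example, not code from the issue author or from hasura-auth itself, of a `profile` mapper that reads the address from the claims Azure AD actually sends (`upn` and `unique_name` in v1.0 id_tokens, `preferred_username` and sometimes `email` in v2.0 tokens) and refuses values that are not email addresses; `looksLikeEmail`, `emailFromClaims` and `azureAdProfile` are hypothetical names, and `sampleV1` is a constructed payload shaped like the one in the issue.

```javascript
// Added example (not hasura-auth's own code): map Azure AD id_token claims
// to the profile object the azuread provider expects, reading the email
// from the claims Azure AD sends instead of the absent `payload.email`.

// Check that a claim value is usable as an email address. B2B guest UPNs
// look like "user_example.com#EXT#@tenant.onmicrosoft.com"; storing those
// as an email would be wrong, so they are rejected.
function looksLikeEmail(value) {
  if (typeof value !== 'string') return false;
  if (value.includes('#EXT#')) return false;
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value);
}

// Pick the first claim holding a usable email address.
// Explicit email claims come first, then UPN-style sign-in names.
function emailFromClaims(payload) {
  const candidates = [
    payload.email,              // v1.0 guests, v2.0 when requested
    payload.preferred_username, // v2.0 tokens
    payload.upn,                // v1.0 member accounts
    payload.unique_name,        // v1.0 legacy duplicate of upn
  ];
  return candidates.find(looksLikeEmail); // undefined if none qualifies
}

// Drop-in replacement for the `profile` function of the azuread config.
// Returns an undefined email rather than a bogus value so the caller can
// decide how to treat an account without a usable address.
function azureAdProfile({ jwt }) {
  const payload = jwt?.id_token?.payload ?? {};
  return {
    id: payload.oid,
    displayName: payload.name,
    email: emailFromClaims(payload),
  };
}

// Constructed sample mirroring the v1.0 payload shape shown in the issue.
const sampleV1 = {
  jwt: { id_token: { payload: {
    oid: 'constructed-oid',
    name: 'John Doe',
    unique_name: 'email@email.com',
    upn: 'email@email.com',
    ver: '1.0',
  } } },
};
```

A UPN is a sign-in name, not a verified mailbox, so an email taken from `upn` should be treated as unverified unless the tenant policy guarantees otherwise.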

dbarrosop commented 1 year ago

Given you have already identified the root cause and are a bit in a hurry here, would you mind opening a PR fixing it? Thanks!

dbarrosop commented 1 year ago

Closing as per the following comment: https://github.com/nhost/hasura-auth/pull/405#issuecomment-1630951568