fix(providers): conform Entra ID when responding with the wrong issuer (#11980)

* update to OIDC

* fix: modify the tenantId of the discovery document

* pass all config

* refactor

* works, but ugly...

* drop iss check

* group symbols, refactor Entra ID

* re-export Microsoft Entra ID as Azure AD

* tweak B2C

Author: balazsorban44

docs/public/img/providers/azure-ad.svg

@@ -67,7 +67,7 @@ import type { CredentialInput, Provider } from "./providers/index.js"
 import { JWT, JWTOptions } from "./jwt.js"
 import { isAuthAction } from "./lib/utils/actions.js"
 
-export { customFetch } from "./lib/utils/custom-fetch.js"
+export { customFetch } from "./lib/symbols.js"
 export { skipCSRFCheck, raw, setEnvDefaults, createActionURL, isAuthAction }
 
 export async function Auth(

packages/core/src/index.ts

@@ -17,7 +17,8 @@ import type {
 import { type OAuthConfigInternal } from "../../../../providers/index.js"
 import type { Cookie } from "../../../utils/cookie.js"
 import { isOIDCProvider } from "../../../utils/providers.js"
-import { fetchOpt } from "../../../utils/custom-fetch.js"
+import { conformInternal, customFetch } from "../../../symbols.js"
+import { decodeJwt } from "jose"
 
 function formUrlEncode(token: string) {
   return encodeURIComponent(token).replace(/%20/g, "+")
@@ -61,27 +62,21 @@ export async function handleOAuth(
     // We assume that issuer is always defined as this has been asserted earlier
 
     const issuer = new URL(provider.issuer!)
-    // TODO: move away from allowing insecure HTTP requests
     const discoveryResponse = await o.discoveryRequest(issuer, {
-      ...fetchOpt(provider),
       [o.allowInsecureRequests]: true,
+      [o.customFetch]: provider[customFetch],
     })
-    const discoveredAs = await o.processDiscoveryResponse(
-      issuer,
-      discoveryResponse
-    )
+    as = await o.processDiscoveryResponse(issuer, discoveryResponse)
 
-    if (!discoveredAs.token_endpoint)
+    if (!as.token_endpoint)
       throw new TypeError(
         "TODO: Authorization server did not provide a token endpoint."
       )
 
-    if (!discoveredAs.userinfo_endpoint)
+    if (!as.userinfo_endpoint)
       throw new TypeError(
         "TODO: Authorization server did not provide a userinfo endpoint."
       )
-
-    as = discoveredAs
   } else {
     as = {
       issuer: provider.issuer ?? "https://authjs.dev", // TODO: review fallback issuer
@@ -172,7 +167,7 @@ export async function handleOAuth(
         if (!provider.checks.includes("pkce")) {
           args[1].body.delete("code_verifier")
         }
-        return fetchOpt(provider)[o.customFetch](...args)
+        return (provider[customFetch] ?? fetch)(...args)
       },
     }
   )
@@ -185,20 +180,50 @@ export async function handleOAuth(
 
   let profile: Profile = {}
 
-  const isOidc = isOIDCProvider(provider)
+  const requireIdToken = isOIDCProvider(provider)
+
+  if (provider[conformInternal]) {
+    switch (provider.id) {
+      case "microsoft-entra-id":
+      case "azure-ad": {
+        /**
+         * These providers need the authorization server metadata to be re-processed
+         * based on the `id_token`'s `tid` claim
+         * @see https://github.com/MicrosoftDocs/azure-docs/issues/113944
+         */
+        const { tid } = decodeJwt(
+          (await codeGrantResponse.clone().json()).id_token
+        )
+        if (typeof tid === "string") {
+          const tenantRe = /microsoftonline\.com\/(\w+)\/v2\.0/
+          const tenantId = as.issuer?.match(tenantRe)?.[1] ?? "common"
+          const issuer = new URL(as.issuer.replace(tenantId, tid))
+          const discoveryResponse = await o.discoveryRequest(issuer, {
+            [o.customFetch]: provider[customFetch],
+          })
+          as = await o.processDiscoveryResponse(issuer, discoveryResponse)
+        }
+        break
+      }
+      default:
+        throw new TypeError(
+          `Unrecognized provider conformation (${provider.id}).`
+        )
+    }
+  }
   const processedCodeResponse = await o.processAuthorizationCodeResponse(
     as,
     client,
     codeGrantResponse,
     {
       expectedNonce: await checks.nonce.use(cookies, resCookies, options),
-      requireIdToken: isOidc,
+      requireIdToken,
     }
   )
 
   const tokens: TokenSet & Pick<Account, "expires_at"> = processedCodeResponse
 
-  if (isOidc) {
+  if (requireIdToken) {
     const idTokenClaims = o.getValidatedIdTokenClaims(processedCodeResponse)!
     profile = idTokenClaims
 
@@ -208,7 +233,7 @@ export async function handleOAuth(
         client,
         processedCodeResponse.access_token,
         {
-          ...fetchOpt(provider),
+          [o.customFetch]: provider[customFetch],
           // TODO: move away from allowing insecure HTTP requests
           [o.allowInsecureRequests]: true,
         }
@@ -230,7 +255,7 @@ export async function handleOAuth(
         as,
         client,
         processedCodeResponse.access_token,
-        fetchOpt(provider)
+        { [o.customFetch]: provider[customFetch] }
       )
       profile = await userinfoResponse.json()
     } else {

packages/core/src/lib/actions/callback/oauth/callback.ts

@@ -3,7 +3,7 @@ import * as o from "oauth4webapi"
 
 import type { InternalOptions, RequestInternal } from "../../../types.js"
 import type { Cookie } from "../../utils/cookie.js"
-import { fetchOpt } from "../../utils/custom-fetch.js"
+import { customFetch } from "../../symbols.js"
 
 /**
  * Generates an authorization/request token URL.
@@ -25,9 +25,9 @@ export async function getAuthorizationUrl(
     // We check this in assert.ts
 
     const issuer = new URL(provider.issuer!)
-    // TODO: move away from allowing insecure HTTP requests
     const discoveryResponse = await o.discoveryRequest(issuer, {
-      ...fetchOpt(options.provider),
+      [o.customFetch]: provider[customFetch],
+      // TODO: move away from allowing insecure HTTP requests
       [o.allowInsecureRequests]: true,
     })
     const as = await o.processDiscoveryResponse(issuer, discoveryResponse)

packages/core/src/lib/actions/signin/authorization-url.ts

@@ -7,6 +7,9 @@ import { validateCSRF } from "./actions/callback/oauth/csrf-token.js"
 
 import type { RequestInternal, ResponseInternal } from "../types.js"
 import type { AuthConfig } from "../index.js"
+import { skipCSRFCheck } from "./symbols.js"
+
+export { customFetch, raw, skipCSRFCheck } from "./symbols.js"
 
 /** @internal */
 export async function AuthInternal(
@@ -92,25 +95,3 @@ export async function AuthInternal(
   }
   throw new UnknownAction(`Cannot handle action: ${action}`)
 }
-
-/**
- * :::danger
- * This option is intended for framework authors.
- * :::
- *
- * Auth.js comes with built-in CSRF protection, but
- * if you are implementing a framework that is already protected against CSRF attacks, you can skip this check by
- * passing this value to {@link AuthConfig.skipCSRFCheck}.
- */
-export const skipCSRFCheck = Symbol("skip-csrf-check")
-
-/**
- * :::danger
- * This option is intended for framework authors.
- * :::
- *
- * Auth.js returns a web standard {@link Response} by default, but
- * if you are implementing a framework you might want to get access to the raw internal response
- * by passing this value to {@link AuthConfig.raw}.
- */
-export const raw = Symbol("return-type-raw")

packages/core/src/lib/index.ts

@@ -0,0 +1,60 @@
+/**
+ * :::danger
+ * This option is intended for framework authors.
+ * :::
+ *
+ * Auth.js comes with built-in CSRF protection, but
+ * if you are implementing a framework that is already protected against CSRF attacks, you can skip this check by
+ * passing this value to {@link AuthConfig.skipCSRFCheck}.
+ */
+export const skipCSRFCheck = Symbol("skip-csrf-check")
+
+/**
+ * :::danger
+ * This option is intended for framework authors.
+ * :::
+ *
+ * Auth.js returns a web standard {@link Response} by default, but
+ * if you are implementing a framework you might want to get access to the raw internal response
+ * by passing this value to {@link AuthConfig.raw}.
+ */
+export const raw = Symbol("return-type-raw")
+
+/**
+ * :::danger
+ * This option allows you to override the default `fetch` function used by the provider
+ * to make requests to the provider's OAuth endpoints directly.
+ * Used incorrectly, it can have security implications.
+ * :::
+ *
+ * It can be used to support corporate proxies, custom fetch libraries, cache discovery endpoints,
+ * add mocks for testing, logging, set custom headers/params for non-spec compliant providers, etc.
+ *
+ * @example
+ * ```ts
+ * import { Auth, customFetch } from "@auth/core"
+ * import GitHub from "@auth/core/providers/github"
+ *
+ * const dispatcher = new ProxyAgent("my.proxy.server")
+ * function proxy(...args: Parameters<typeof fetch>): ReturnType<typeof fetch> {
+ *   return undici(args[0], { ...(args[1] ?? {}), dispatcher })
+ * }
+ *
+ * const response = await Auth(request, {
+ *   providers: [GitHub({ [customFetch]: proxy })]
+ * })
+ * ```
+ *
+ * @see https://undici.nodejs.org/#/docs/api/ProxyAgent?id=example-basic-proxy-request-with-local-agent-dispatcher
+ * @see https://authjs.dev/guides/corporate-proxy
+ */
+export const customFetch = Symbol("custom-fetch")
+
+/**
+ * @internal
+ *
+ * Used to mark some providers for processing within the core library.
+ *
+ * **Do not use or you will be fired.**
+ */
+export const conformInternal = Symbol("conform-internal")

packages/core/src/lib/symbols.ts

@@ -10,7 +10,7 @@ import type {
 } from "../../providers/index.js"
 import type { InternalProvider, Profile } from "../../types.js"
 import { type AuthConfig } from "../../index.js"
-import { customFetch } from "../utils/custom-fetch.js"
+import { customFetch } from "../symbols.js"
 
 /**
  * Adds `signinUrl` and `callbackUrl` to each provider

packages/core/src/lib/utils/custom-fetch.ts

@@ -27,6 +27,7 @@ export interface AzureADB2CProfile {
   postalCode: string
   emails: string[]
   tfp: string
+  preferred_username: string
 }
 
 /**
@@ -103,21 +104,16 @@ export interface AzureADB2CProfile {
  * :::
  */
 export default function AzureADB2C(
-  options: OIDCUserConfig<AzureADB2CProfile> & {
-    primaryUserFlow?: string
-    tenantId?: string
-  }
+  options: OIDCUserConfig<AzureADB2CProfile>
 ): OIDCConfig<AzureADB2CProfile> {
-  const { tenantId, primaryUserFlow } = options
-  options.issuer ??= `https://${tenantId}.b2clogin.com/${tenantId}.onmicrosoft.com/${primaryUserFlow}/v2.0`
   return {
     id: "azure-ad-b2c",
     name: "Azure AD B2C",
     type: "oidc",
     profile(profile) {
       return {
         id: profile.sub,
-        name: profile.name,
+        name: profile.name ?? profile.preferred_username,
         email: profile?.emails?.[0],
         image: null,
       }