UNPKG

@auth/core

Version:

Authentication for the Web.

authjs.dev

nextauthjs/next-auth

145 lines (144 loc) 6 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
/** * * @deprecated * Azure Active Directory is now known as [Microsoft Entra ID](/getting-started/providers/microsoft-entra-id). * Import this provider from the `providers/microsoft-entra-id` submodule instead of `providers/azure-ad`. * * Add Azure AD login to your page. * * ### Setup * * #### Callback URL * ``` * https://example.com/api/auth/callback/azure-ad * ``` * * #### Configuration *```ts * import { Auth } from "@auth/core" * import AzureAd from "@auth/core/providers/azure-ad" * * const request = new Request(origin) * const response = await Auth(request, { * providers: [ * AzureAd({ * clientId: AZURE_AD_CLIENT_ID, * clientSecret: AZURE_AD_CLIENT_SECRET, * }), * ], * }) * ``` * * ### Resources * * - [AzureAd OAuth documentation](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow/) * - [AzureAd OAuth apps](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app/) * * @example * * ### To allow specific Active Directory users access: * * - In https://portal.azure.com/ search for "Azure Active Directory", and select your organization. * - Next, go to "App Registration" in the left menu, and create a new one. * - Pay close attention to "Who can use this application or access this API?" * - This allows you to scope access to specific types of user accounts * - Only your tenant, all azure tenants, or all azure tenants and public Microsoft accounts (Skype, Xbox, Outlook.com, etc.) * - When asked for a redirection URL, use `https://yourapplication.com/api/auth/callback/azure-ad` or for development `http://localhost:3000/api/auth/callback/azure-ad`. * - After your App Registration is created, under "Client Credential" create your Client secret. * - Click on "API Permissions" and click "Grant admin consent for..." to allow User.Read access to your tenant. * - Now copy your: * - Application (client) ID * - Directory (tenant) ID * - Client secret (value) * * In `.env.local` create the following entries: * * ``` * AZURE_AD_CLIENT_ID=<copy Application (client) ID here> * AZURE_AD_CLIENT_SECRET=<copy generated client secret value here> * AZURE_AD_TENANT_ID=<copy the tenant id here> * ``` * * That will default the tenant to use the `common` authorization endpoint. [For more details see here](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints). * * :::note * Azure AD returns the profile picture in an ArrayBuffer, instead of just a URL to the image, so our provider converts it to a base64 encoded image string and returns that instead. See: https://docs.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0#examples. The default image size is 48x48 to avoid [running out of space](https://next-auth.js.org/faq#:~:text=What%20are%20the%20disadvantages%20of%20JSON%20Web%20Tokens%3F) in case the session is saved as a JWT. * ::: * * In `auth.ts` find or add the `AzureAD` entries: * * ```ts * import AzureAd from "@auth/core/providers/azure-ad" * * ... * providers: [ * AzureAD({ * clientId: process.env.AZURE_AD_CLIENT_ID, * clientSecret: process.env.AZURE_AD_CLIENT_SECRET, * tenantId: process.env.AZURE_AD_TENANT_ID, * }), * ] * ... * * ``` * * ### Notes * * By default, Auth.js assumes that the AzureAd provider is * based on the [OAuth 2](https://www.rfc-editor.org/rfc/rfc6749.html) specification. * * :::tip * * The AzureAd provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/azure-ad.ts). * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers). * * ::: * * :::info **Disclaimer** * * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue). * * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec, * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions). * * ::: */ export default function AzureAD(options) { const { tenantId = "common", profilePhotoSize = 48, ...rest } = options; rest.issuer ?? (rest.issuer = `https://login.microsoftonline.com/${tenantId}/v2.0`); return { id: "azure-ad", name: "Azure Active Directory", type: "oidc", wellKnown: `${rest.issuer}/.well-known/openid-configuration?appid=${options.clientId}`, authorization: { params: { scope: "openid profile email User.Read", }, }, async profile(profile, tokens) { // https://docs.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0#examples const response = await fetch(`https://graph.microsoft.com/v1.0/me/photos/${profilePhotoSize}x${profilePhotoSize}/$value`, { headers: { Authorization: `Bearer ${tokens.access_token}` } }); // Confirm that profile photo was returned let image; // TODO: Do this without Buffer if (response.ok && typeof Buffer !== "undefined") { try { const pictureBuffer = await response.arrayBuffer(); const pictureBase64 = Buffer.from(pictureBuffer).toString("base64"); image = `data:image/jpeg;base64, ${pictureBase64}`; } catch { } } return { id: profile.sub, name: profile.name, email: profile.email, image: image ?? null, }; }, style: { text: "#fff", bg: "#0072c6" }, options: rest, }; }