UNPKG

@auth/core

Version:

Authentication for the Web.

authjs.dev

nextauthjs/next-auth

159 lines (158 loc) 5.58 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
/** * * @deprecated * While still available, Microsoft is [no longer supporting](https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops#available-oauth-models) Azure DevOps OAuth and recommends using [Microsoft Entra ID](/getting-started/providers/microsoft-entra-id) instead. * * ## Documentation * * [Microsoft Docs](https://docs.microsoft.com/en-us) · [Azure DevOps](https://docs.microsoft.com/en-us/azure/devops/) · [Authorize access to REST APIs with OAuth 2.0](https://docs.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops]) * * ## Configuration * * ### Register application * * :::tip * [`https://app.vsaex.visualstudio.com/app/register`](https://app.vsaex.visualstudio.com/app/register) * ::: * * Provide the required details: * * - Company name * - Application name * - Application website * - Authorization callback URL * - `https://example.com/api/auth/callback/azure-devops` for production * - `https://localhost/api/auth/callback/azure-devops` for development * - Authorized scopes * - Required minimum is `User profile (read)` * * Click ‘Create Application’ * * :::warning * You are required to use HTTPS even for the localhost * ::: * * :::warning * You will have to delete and create a new application to change the scopes later * ::: * * The following data is relevant for the next step: * * - App ID * - Client Secret (after clicking the ‘Show’ button, ignore App Secret entry above it) * - Authorized Scopes * * ### Set up the environment variables * * In `.env.local` create the following entries: * * ``` * AZURE_DEVOPS_APP_ID=<copy App ID value here> * AZURE_DEVOPS_CLIENT_SECRET=<copy generated client secret value here> * AZURE_DEVOPS_SCOPE=<copy space separated Authorized Scopes list here> * ``` * * ## Example * * ```ts * import AzureDevOps from "@auth/core/providers/azure-devops" * ... * providers: [ * AzureDevOps({ * clientId: process.env.AZURE_DEVOPS_APP_ID, * clientSecret: process.env.AZURE_DEVOPS_CLIENT_SECRET, * scope: process.env.AZURE_DEVOPS_SCOPE, * }), * ] * ... * ``` * * ### Refresh token rotation * * Use the [main guide](/guides/basics/refresh-token-rotation) as your starting point with the following considerations: * * ```ts * async jwt({ token, user, account }) { * ... * // The token has an absolute expiration time * const accessTokenExpires = account.expires_at * 1000 * ... * } * * async function refreshAccessToken(token) { * ... * const response = await fetch( * "https://app.vssps.visualstudio.com/oauth2/token", * { * headers: { "Content-Type": "application/x-www-form-urlencoded" }, * method: "POST", * body: new URLSearchParams({ * client_assertion_type: * "urn:ietf:params:oauth:client-assertion-type:jwt-bearer", * client_assertion: process.env.AZURE_DEVOPS_CLIENT_SECRET, * grant_type: "refresh_token", * assertion: token.refreshToken, * redirect_uri: * process.env.NEXTAUTH_URL + "/api/auth/callback/azure-devops", * }), * } * ) * ... * // The refreshed token comes with a relative expiration time * const accessTokenExpires = Date.now() + newToken.expires_in * 1000 * ... * } * ``` */ export default function AzureDevOpsProvider(options) { const scope = options.scope ?? "vso.profile"; const tokenEndpointUrl = "https://app.vssps.visualstudio.com/oauth2/authorize"; const userInfoEndpointUrl = "https://app.vssps.visualstudio.com/_apis/profile/profiles/me?details=true&coreAttributes=Avatar&api-version=6.0"; return { id: "azure-devops", name: "Azure DevOps", type: "oauth", authorization: { url: "https://app.vssps.visualstudio.com/oauth2/authorize", params: { response_type: "Assertion", scope }, }, token: { url: tokenEndpointUrl, async request(context) { const response = await fetch(tokenEndpointUrl, { headers: { "Content-Type": "application/x-www-form-urlencoded" }, method: "POST", body: new URLSearchParams({ client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer", client_assertion: context.provider.clientSecret, grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer", assertion: context.params.code, redirect_uri: context.provider.callbackUrl, }), }); return { tokens: await response.json() }; }, }, userinfo: { url: userInfoEndpointUrl, async request(context) { const accessToken = context.tokens.access_token; const response = await fetch(userInfoEndpointUrl, { headers: { Authorization: `Bearer ${accessToken}`, }, }); return response.json(); }, }, profile(profile) { return { id: profile.id, name: profile.displayName, email: profile.emailAddress, image: `data:image/jpeg;base64,${profile.coreAttributes.Avatar.value.value}`, }; }, options, }; }