Fix MS OAuth (#457)

2026-06-04 21:04:37 +08:00 · 2025-02-21 19:39:22 +01:00 · 2025-02-21 19:39:22 +01:00 · b465dddcee
commit b465dddcee
parent dfadf809eb
5 changed files with 37 additions and 11 deletions
--- a/apps/backend/package.json
+++ b/apps/backend/package.json
@ -62,7 +62,7 @@
    "next": "15.0.3",
    "nodemailer": "^6.9.10",
    "oidc-provider": "^8.5.1",
-    "openid-client": "^5.6.4",
+    "openid-client": "5.6.4",
    "oslo": "^1.2.1",
    "posthog-node": "^4.1.0",
    "react": "^19.0.0",
--- a/apps/backend/src/oauth/providers/microsoft.tsx
+++ b/apps/backend/src/oauth/providers/microsoft.tsx
@ -14,12 +14,17 @@ export class MicrosoftProvider extends OAuthBaseProvider {
    clientSecret: string,
    microsoftTenantId?: string,
  }) {
+    const tenantId = encodeURIComponent(options.microsoftTenantId || "consumers");
    return new MicrosoftProvider(...await OAuthBaseProvider.createConstructorArgs({
-      issuer: `https://login.microsoftonline.com${"/" + options.microsoftTenantId || ""}`,
-      authorizationEndpoint: `https://login.microsoftonline.com/${options.microsoftTenantId || 'consumers'}/oauth2/v2.0/authorize`,
-      tokenEndpoint: `https://login.microsoftonline.com/${options.microsoftTenantId || 'consumers'}/oauth2/v2.0/token`,
+      // Note that it is intentional to have tenantid instead of tenantId, also intentional to not be a template literal. This will be replaced by the openid-client library.
+      // The library only supports azure tenancy with the discovery endpoint but not the manual setup, so we patch it to enable the tenantid replacement.
+      issuer: "https://login.microsoftonline.com/{tenantid}/v2.0",
+      authorizationEndpoint: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/authorize`,
+      tokenEndpoint: `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`,
      redirectUri: getEnvVariable("NEXT_PUBLIC_STACK_API_URL") + "/api/v1/auth/oauth/callback/microsoft",
-      baseScope: "User.Read",
+      baseScope: "User.Read openid",
+      openid: true,
+      jwksUri: `https://login.microsoftonline.com/${tenantId}/discovery/v2.0/keys`,
      ...options,
    }));
  }
--- a/package.json
+++ b/package.json
@ -76,6 +76,9 @@
    "overrides": {
      "@types/react": "^18.2.0",
      "@types/react-dom": "^18.2.0"
+    },
+    "patchedDependencies": {
+      "openid-client@5.6.4": "patches/openid-client@5.6.4.patch"
    }
  },
  "engines": {
--- a/patches/openid-client@5.6.4.patch
+++ b/patches/openid-client@5.6.4.patch
@ -0,0 +1,13 @@
+diff --git a/lib/issuer.js b/lib/issuer.js
+index 3329e889fd3e3e8ddb3b0482675fe9610c675311..6cc55b1183b4fcff0306a78521b4daff35bec863 100644
+--- a/lib/issuer.js
+++ b/lib/issuer.js
+@@ -31,7 +31,7 @@ const ISSUER_DEFAULTS = {
+ class Issuer {
+   #metadata;
+   constructor(meta = {}) {
+-    const aadIssValidation = meta[AAD_MULTITENANT];
+    const aadIssValidation = true;
+     delete meta[AAD_MULTITENANT];
+     ['introspection', 'revocation'].forEach((endpoint) => {
+       // if intro/revocation endpoint auth specific meta is missing use the token ones if they
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -8,6 +8,11 @@ overrides:
  '@types/react': ^18.2.0
  '@types/react-dom': ^18.2.0

+patchedDependencies:
+  openid-client@5.6.4:
+    hash: 2gg7ly76yaettle5dlvkpcfpny
+    path: patches/openid-client@5.6.4.patch
+
 importers:

  .:
@ -169,8 +174,8 @@ importers:
        specifier: ^8.5.1
        version: 8.5.1
      openid-client:
-        specifier: ^5.6.4
-        version: 5.6.5
+        specifier: 5.6.4
+        version: 5.6.4(patch_hash=2gg7ly76yaettle5dlvkpcfpny)
      oslo:
        specifier: ^1.2.1
        version: 1.2.1
@ -9523,8 +9528,8 @@ packages:
    resolution: {integrity: sha512-ur5UIdyw5Y7yEj9wLzhqXiy6GZ3Mwx0yGI+5sMn2r0N0v3cKJvUmFH5yPP+WXh9e0xfyzyJX95D8l088DNFj7A==}
    hasBin: true

-  openid-client@5.6.5:
-    resolution: {integrity: sha512-5P4qO9nGJzB5PI0LFlhj4Dzg3m4odt0qsJTfyEtZyOlkgpILwEioOhVVJOrS1iVH494S4Ee5OCjjg6Bf5WOj3w==}
+  openid-client@5.6.4:
+    resolution: {integrity: sha512-T1h3B10BRPKfcObdBklX639tVz+xh34O7GjofqrqiAQdm7eHsQ00ih18x6wuJ/E6FxdtS2u3FmUGPDeEcMwzNA==}

  optionator@0.9.4:
    resolution: {integrity: sha512-6IpQ7mKUxRcZNLIObR0hz7lxsapSSIYNZJwXPGeF0mTVqGKFIXj1DQcMoT22S3ROcLyY/rz0PWaWZ9ayWmad9g==}
@ -18583,7 +18588,7 @@ snapshots:

  execa@5.1.1:
    dependencies:
-      cross-spawn: 7.0.3
+      cross-spawn: 7.0.5
      get-stream: 6.0.1
      human-signals: 2.1.0
      is-stream: 2.0.1
@ -21016,7 +21021,7 @@ snapshots:

  opener@1.5.2: {}

-  openid-client@5.6.5:
+  openid-client@5.6.4(patch_hash=2gg7ly76yaettle5dlvkpcfpny):
    dependencies:
      jose: 4.15.5
      lru-cache: 6.0.0