
@auth/core


@auth/core - npm Package Compare versions

Comparing version
0.39.1
to
0.40.0
+1
-1
lib/actions/callback/handle-login.d.ts.map

@@ -1,1 +0,1 @@

{"version":3,"file":"handle-login.d.ts","sourceRoot":"","sources":["../../../src/lib/actions/callback/handle-login.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,cAAc,EACd,cAAc,EACd,WAAW,EACZ,MAAM,sBAAsB,CAAA;AAC7B,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAA;AACvE,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAA;AAE1C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AAEzD;;;;;;;;;;;GAWG;AACH,wBAAsB,qBAAqB,CACzC,YAAY,EAAE,YAAY,EAC1B,QAAQ,EAAE,IAAI,GAAG,WAAW,GAAG;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,EAChD,QAAQ,EAAE,cAAc,GAAG,OAAO,GAAG,IAAI,EACzC,OAAO,EAAE,eAAe;UAkBK,IAAI;aAAuB,OAAO;;;;;;;;;;;;;GA8RhE"}
{"version":3,"file":"handle-login.d.ts","sourceRoot":"","sources":["../../../src/lib/actions/callback/handle-login.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,cAAc,EACd,cAAc,EACd,WAAW,EACZ,MAAM,sBAAsB,CAAA;AAC7B,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAA;AACvE,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,iBAAiB,CAAA;AAE1C,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAA;AAEzD;;;;;;;;;;;GAWG;AACH,wBAAsB,qBAAqB,CACzC,YAAY,EAAE,YAAY,EAC1B,QAAQ,EAAE,IAAI,GAAG,WAAW,GAAG;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,EAChD,QAAQ,EAAE,cAAc,GAAG,OAAO,GAAG,IAAI,EACzC,OAAO,EAAE,eAAe;;;;;;;;;;;;;;;GAgTzB"}

@@ -19,4 +19,4 @@ import * as o from "oauth4webapi";

email: string | undefined;
name?: string | null;
image?: string | null;
name?: string | null | undefined;
image?: string | null | undefined;
} | undefined;

@@ -28,11 +28,11 @@ account?: {

access_token?: string | undefined;
expires_in?: number;
id_token?: string;
refresh_token?: string;
scope?: string;
authorization_details?: o.AuthorizationDetails[];
token_type?: Lowercase<string> | undefined;
expires_at?: number;
expires_in?: number | undefined;
id_token?: string | undefined;
refresh_token?: string | undefined;
scope?: string | undefined;
authorization_details?: o.AuthorizationDetails[] | undefined;
token_type?: "bearer" | "dpop" | Lowercase<string> | undefined;
expires_at?: number | undefined;
} | undefined;
}>;
//# sourceMappingURL=callback.d.ts.map
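Review bot: The widened `token_type?: "bearer" | "dpop" | Lowercase<string> | undefined` at L64 most likely collapses to `Lowercase<string> | undefined` in the checker, since string literals that a string-mapping type already matches are dropped from a union; the two literals then act only as a reading aid and give consumers no compile-time way to tell a DPoP-bound token from a bearer token. If that is the intent, a comment on the line saying so (`// "bearer" | "dpop" are documentation only; check the runtime value before choosing an Authorization scheme`) would stop readers assuming the type narrows. The enclosing declaration starts before the first hunk shown here.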

@@ -1,1 +0,1 @@

{"version":3,"file":"checks.d.ts","sourceRoot":"","sources":["../../../../src/lib/actions/callback/oauth/checks.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAEV,eAAe,EACf,eAAe,EACf,IAAI,EACL,MAAM,sBAAsB,CAAA;AAC7B,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,0BAA0B,CAAA;AACtD,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAA;AA8F7E;;;GAGG;AACH,eAAO,MAAM,IAAI;IACf,6FAA6F;oBACvE,eAAe,CAAC,OAAO,CAAC;;;;IAM9C;;;;OAIG;mBA9BQ,eAAe,CAAC,SAAS,CAAC,cACvB,MAAM,EAAE,WACX,eAAe,CAAC,MAAM,CAAC;CA8BnC,CAAA;AAED,UAAU,YAAY;IACpB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,MAAM,EAAE,MAAM,CAAA;CACf;AAKD;;;GAGG;AACH,eAAO,MAAM,KAAK;IAChB,8DAA8D;oBACxC,eAAe,CAAC,OAAO,CAAC,WAAW,MAAM;;;;IA0B/D;;;;OAIG;mBA9EQ,eAAe,CAAC,SAAS,CAAC,cACvB,MAAM,EAAE,WACX,eAAe,CAAC,MAAM,CAAC;IA8ElC,yEAAyE;kBACrD,MAAM,WAAW,eAAe;CAcrD,CAAA;AAED,eAAO,MAAM,KAAK;oBACM,eAAe,CAAC,MAAM,CAAC;;;;IAM7C;;;;;;OAMG;mBA9GQ,eAAe,CAAC,SAAS,CAAC,cACvB,MAAM,EAAE,WACX,eAAe,CAAC,MAAM,CAAC;CA8GnC,CAAA;AAID,UAAU,wBAAwB;IAChC,SAAS,EAAE,MAAM,CAAA;IACjB,YAAY,CAAC,EAAE,IAAI,CAAA;CACpB;AAGD,eAAO,MAAM,iBAAiB;oBAEjB,eAAe,CAAC,oBAAoB,CAAC,aACnC,MAAM,iBACF,IAAI;;;IAerB,6CAA6C;iBAElC,eAAe,CAAC,oBAAoB,CAAC,WACrC,eAAe,CAAC,SAAS,CAAC,cACvB,MAAM,EAAE,GACnB,OAAO,CAAC,wBAAwB,CAAC;CAkBrC,CAAA"}
{"version":3,"file":"checks.d.ts","sourceRoot":"","sources":["../../../../src/lib/actions/callback/oauth/checks.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAEV,eAAe,EACf,eAAe,EACf,IAAI,EACL,MAAM,sBAAsB,CAAA;AAC7B,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,0BAA0B,CAAA;AACtD,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAA;AA8F7E;;;GAGG;AACH,eAAO,MAAM,IAAI;IACf,6FAA6F;oBACvE,gBAAgB,OAAO,CAAC;;;;IAM9C;;;;OAIG;mBA9BQ,eAAe,CAAC,SAAS,CAAC,cACvB,MAAM,EAAE,WACX,gBAAgB,MAAM,CAAC;CA8BnC,CAAA;AAED,UAAU,YAAY;IACpB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,MAAM,EAAE,MAAM,CAAA;CACf;AAKD;;;GAGG;AACH,eAAO,MAAM,KAAK;IAChB,8DAA8D;oBACxC,gBAAgB,OAAO,CAAC,WAAW,MAAM;;;;IA0B/D;;;;OAIG;mBA9EQ,eAAe,CAAC,SAAS,CAAC,cACvB,MAAM,EAAE,WACX,gBAAgB,MAAM,CAAC;IA8ElC,yEAAyE;kBACrD,MAAM,WAAW,eAAe;CAcrD,CAAA;AAED,eAAO,MAAM,KAAK;oBACM,gBAAgB,MAAM,CAAC;;;;IAM7C;;;;;;OAMG;mBA9GQ,eAAe,CAAC,SAAS,CAAC,cACvB,MAAM,EAAE,WACX,gBAAgB,MAAM,CAAC;CA8GnC,CAAA;AAID,UAAU,wBAAwB;IAChC,SAAS,EAAE,MAAM,CAAA;IACjB,YAAY,CAAC,EAAE,IAAI,CAAA;CACpB;AAGD,eAAO,MAAM,iBAAiB;oBAEjB,gBAAgB,oBAAoB,CAAC,aACnC,MAAM,iBACF,IAAI;;;IAerB,6CAA6C;iBAElC,gBAAgB,oBAAoB,CAAC,WACrC,eAAe,CAAC,SAAS,CAAC,cACvB,MAAM,EAAE,GACnB,QAAQ,wBAAwB,CAAC;CAkBrC,CAAA"}

@@ -105,3 +105,6 @@ import * as cookie from "../vendored/cookie.js";

throw new UnknownAction(`Cannot parse action at ${pathname}`);
return { action, providerId };
return {
action,
providerId: providerId == "undefined" ? undefined : providerId,
};
}
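Review bot: The new `providerId == "undefined" ? undefined : providerId` at L81 uses loose equality and compares against the literal string "undefined", which treats a path segment that really is spelled `undefined` the same as a missing provider; it papers over a URL that was built upstream by interpolating an undefined value instead of fixing that construction. At minimum use strict equality, `providerId: providerId === "undefined" ? undefined : providerId,`, and add a comment naming the caller that emits the `/undefined` segment so the workaround can be removed once that is fixed. The enclosing function starts outside the hunk, so where `providerId` comes from (presumably a split of `pathname`) is not visible here.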

@@ -1,1 +0,1 @@

{"version":3,"file":"webauthn-client.d.ts","sourceRoot":"","sources":["../../src/lib/utils/webauthn-client.js"],"names":[],"mappings":"AAIA,qDAAqD;AACrD,6CAA6C;AAC7C,+EAA+E;AAC/E;;;;;;;;GAQG;AAEH;;;;;GAKG;AACH,wCAHW,MAAM,cACN,MAAM,iBA+MhB;mCAhOa,cAAc;+BACd,UAAU;oCACV,gBAAgB,GAAG,oBAAoB;kCAEhB,CAAC,SAAxB,qBAAsB,IACvB,CAAC,SAAS,oBAAoB,GAC1C;IAAK,OAAO,EAAE,OAAO,uBAAuB,EAAE,qCAAqC,CAAC;IAAC,MAAM,EAAE,cAAc,CAAA;CAAE,GAC1G,CAAC,SAAS,gBAAgB,GAC7B;IAAK,OAAO,EAAE,OAAO,uBAAuB,EAAE,sCAAsC,CAAC;IAAC,MAAM,EAAE,UAAU,CAAA;CAAE,GAC1G,KAAO"}
{"version":3,"file":"webauthn-client.d.ts","sourceRoot":"","sources":["../../src/lib/utils/webauthn-client.js"],"names":[],"mappings":"AAIA,qDAAqD;AACrD,6CAA6C;AAC7C,+EAA+E;AAC/E;;;;;;;;GAQG;AAEH;;;;;GAKG;AACH,wCAHW,MAAM,cACN,MAAM,iBA+MhB;mCAhOa,cAAc;+BACd,UAAU;oCACV,gBAAgB,GAAG,oBAAoB;qEAGxC,CAAC,SAAS,oBAAoB,GAC1C;IAAK,OAAO,EAAE,OAAO,uBAAuB,EAAE,qCAAqC,CAAC;IAAC,MAAM,EAAE,cAAc,CAAA;CAAE,GAC7G,CAAI,SAAS,gBAAgB,GAC7B;IAAK,OAAO,EAAE,OAAO,uBAAuB,EAAE,sCAAsC,CAAC;IAAC,MAAM,EAAE,UAAU,CAAA;CAAE,GAC1G,KAAO"}
{
"name": "@auth/core",
"version": "0.39.1",
"version": "0.40.0",
"description": "Authentication for the Web.",

@@ -5,0 +5,0 @@ "keywords": [

@@ -11,3 +11,3 @@ /**

*/
import type { OAuthConfig, OAuthUserConfig } from "./index.js";
import type { OIDCConfig, OIDCUserConfig } from "./index.js";
export interface KeycloakProfile extends Record<string, any> {

@@ -100,3 +100,3 @@ exp: number;

*/
export default function Keycloak<P extends KeycloakProfile>(options: OAuthUserConfig<P>): OAuthConfig<P>;
export default function Keycloak<P extends KeycloakProfile>(options: OIDCUserConfig<P>): OIDCConfig<P>;
//# sourceMappingURL=keycloak.d.ts.map

@@ -1,1 +0,1 @@

{"version":3,"file":"keycloak.d.ts","sourceRoot":"","sources":["../src/providers/keycloak.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AAE9D,MAAM,WAAW,eAAgB,SAAQ,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;IAC1D,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,SAAS,EAAE,MAAM,CAAA;IACjB,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,aAAa,EAAE,MAAM,CAAA;IACrB,OAAO,EAAE,MAAM,CAAA;IACf,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,cAAc,EAAE,OAAO,CAAA;IACvB,IAAI,EAAE,MAAM,CAAA;IACZ,kBAAkB,EAAE,MAAM,CAAA;IAC1B,UAAU,EAAE,MAAM,CAAA;IAClB,WAAW,EAAE,MAAM,CAAA;IACnB,KAAK,EAAE,MAAM,CAAA;IACb,OAAO,EAAE,MAAM,CAAA;IACf,IAAI,EAAE,GAAG,CAAA;CACV;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+DG;AACH,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,CAAC,SAAS,eAAe,EACxD,OAAO,EAAE,eAAe,CAAC,CAAC,CAAC,GAC1B,WAAW,CAAC,CAAC,CAAC,CAQhB"}
{"version":3,"file":"keycloak.d.ts","sourceRoot":"","sources":["../src/providers/keycloak.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAE5D,MAAM,WAAW,eAAgB,SAAQ,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;IAC1D,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,SAAS,EAAE,MAAM,CAAA;IACjB,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,aAAa,EAAE,MAAM,CAAA;IACrB,OAAO,EAAE,MAAM,CAAA;IACf,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,cAAc,EAAE,OAAO,CAAA;IACvB,IAAI,EAAE,MAAM,CAAA;IACZ,kBAAkB,EAAE,MAAM,CAAA;IAC1B,UAAU,EAAE,MAAM,CAAA;IAClB,WAAW,EAAE,MAAM,CAAA;IACnB,KAAK,EAAE,MAAM,CAAA;IACb,OAAO,EAAE,MAAM,CAAA;IACf,IAAI,EAAE,GAAG,CAAA;CACV;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+DG;AACH,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,CAAC,SAAS,eAAe,EACxD,OAAO,EAAE,cAAc,CAAC,CAAC,CAAC,GACzB,UAAU,CAAC,CAAC,CAAC,CAQf"}

@@ -25,3 +25,6 @@ /**

* providers: [
* Mailgun({ from: MAILGUN_DOMAIN }),
* Mailgun({
* from: MAILGUN_DOMAIN,
* region: "EU", // Optional
* }),
* ],

@@ -45,3 +48,10 @@ * })

*/
export default function MailGun(config: EmailUserConfig): EmailConfig;
export default function MailGun(config: EmailUserConfig & {
/**
* https://documentation.mailgun.com/docs/mailgun/api-reference/#base-url
*
* @default "US"
*/
region?: "US" | "EU";
}): EmailConfig;
//# sourceMappingURL=mailgun.d.ts.map

@@ -1,1 +0,1 @@

{"version":3,"file":"mailgun.d.ts","sourceRoot":"","sources":["../src/providers/mailgun.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AAG9D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,MAAM,CAAC,OAAO,UAAU,OAAO,CAAC,MAAM,EAAE,eAAe,GAAG,WAAW,CAiCpE"}
{"version":3,"file":"mailgun.d.ts","sourceRoot":"","sources":["../src/providers/mailgun.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,KAAK,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AAG9D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,MAAM,CAAC,OAAO,UAAU,OAAO,CAC7B,MAAM,EAAE,eAAe,GAAG;IACxB;;;;OAIG;IACH,MAAM,CAAC,EAAE,IAAI,GAAG,IAAI,CAAA;CACrB,GACA,WAAW,CAwCb"}

@@ -15,3 +15,6 @@ import { html, text } from "../lib/utils/email.js";

* providers: [
* Mailgun({ from: MAILGUN_DOMAIN }),
* Mailgun({
* from: MAILGUN_DOMAIN,
* region: "EU", // Optional
* }),
* ],

@@ -36,2 +39,8 @@ * })

export default function MailGun(config) {
const { region = "US" } = config;
const servers = {
US: "api.mailgun.net",
EU: "api.eu.mailgun.net",
};
const apiServer = servers[region];
return {

@@ -55,3 +64,3 @@ id: "mailgun",

form.append("text", text({ host, url }));
const res = await fetch(`https://api.mailgun.net/v3/${domain}/messages`, {
const res = await fetch(`https://${apiServer}/v3/${domain}/messages`, {
method: "POST",

@@ -58,0 +67,0 @@ headers: {
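Review bot: `const apiServer = servers[region]` at L163 yields `undefined` for any region other than `"US"` or `"EU"` — the union in mailgun.d.ts only guards TypeScript callers, so a JavaScript caller or a region read from an environment variable sends the message to `https://undefined/v3/...` at L170 and fails with an unhelpful fetch error. Fail fast at the lookup instead: `const apiServer = servers[region]; if (!apiServer) throw new TypeError("Unknown Mailgun region: " + region);`. A short comment on `servers` (`// Mailgun API hosts by data region; keys must match the region option in mailgun.d.ts`) would also keep the two files in step. The `MailGun` function body continues past the hunk.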

import type { OIDCConfig, OIDCUserConfig } from "./index.js";
export interface MicrosoftEntraIDProfile extends Record<string, any> {
/**
* @see [Microsoft Identity Platform - ID token claims reference](https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference)
* @see [Microsoft Identity Platform - Optional claims reference](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims-reference)
*/
export interface MicrosoftEntraIDProfile {
/**
* Identifies the intended recipient of the token. In `id_tokens`, the
* audience is your app's Application ID, assigned to your app in the Azure
* portal. This value should be validated. The token should be rejected if it
* fails to match your app's Application ID.
*/
aud: string;
/**
* Identifies the issuer, or "authorization server" that constructs and
* returns the token. It also identifies the tenant for which the user was
* authenticated. If the token was issued by the v2.0 endpoint, the URI ends
* in `/v2.0`. The GUID that indicates that the user is a consumer user from
* a Microsoft account is `9188040d-6c67-4c5b-b112-36a304b66dad`. Your app
* should use the GUID portion of the claim to restrict the set of tenants
* that can sign in to the app, if applicable. */
iss: string;
/** Indicates when the authentication for the token occurred. */
iat: Date;
/**
* Records the identity provider that authenticated the subject of the token.
* This value is identical to the value of the issuer claim unless the user
* account isn't in the same tenant as the issuer - guests, for instance. If
* the claim isn't present, it means that the value of `iss` can be used
* instead. For personal accounts being used in an organizational context
* (for instance, a personal account invited to a tenant), the `idp` claim
* may be 'live.com' or an STS URI containing the Microsoft account tenant
* `9188040d-6c67-4c5b-b112-36a304b66dad`.
*/
idp: string;
/**
* Identifies the time before which the JWT can't be accepted for processing.
*/
nbf: Date;
/**
* Identifies the expiration time on or after which the JWT can't be accepted
* for processing. In certain circumstances, a resource may reject the token
* before this time. For example, if a change in authentication is required
* or a token revocation has been detected.
*/
exp: Date;
/**
* The code hash is included in ID tokens only when the ID token is issued
* with an OAuth 2.0 authorization code. It can be used to validate the
* authenticity of an authorization code. To understand how to do this
* validation, see the
* [OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken).
* This claim isn't returned on ID tokens from the /token endpoint.
*/
c_hash: string;
/**
* The access token hash is included in ID tokens only when the ID token is
* issued from the `/authorize` endpoint with an OAuth 2.0 access token. It
* can be used to validate the authenticity of an access token. To understand
* how to do this validation, see the
* [OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken).
* This claim isn't returned on ID tokens from the `/token` endpoint.
*/
at_hash: string;
/**
* An internal claim that's used to record data for token reuse. Should be
* ignored.
*/
aio: string;
/**
* The primary username that represents the user. It could be an email
* address, phone number, or a generic username without a specified format.
* Its value is mutable and might change over time. Since it's mutable, this
* value can't be used to make authorization decisions. It can be used for
* username hints and in human-readable UI as a username. The `profile` scope
* is required to receive this claim. Present only in v2.0 tokens.
*/
preferred_username: string;
/**
* Present by default for guest accounts that have an email address. Your app
* can request the email claim for managed users (from the same tenant as the
* resource) using the `email`
* [optional claim](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims).
* This value isn't guaranteed to be correct and is mutable over time. Never
* use it for authorization or to save data for a user. If you require an
* addressable email address in your app, request this data from the user
* directly by using this claim as a suggestion or prefill in your UX. On the
* v2.0 endpoint, your app can also request the `email` OpenID Connect
* scope - you don't need to request both the optional claim and the scope to
* get the claim.
*/
email: string;
/**
* The `name` claim provides a human-readable value that identifies the
* subject of the token. The value isn't guaranteed to be unique, it can be
* changed, and should be used only for display purposes. The `profile` scope
* is required to receive this claim.
*/
name: string;
/**
* The nonce matches the parameter included in the original authorize request
* to the IDP. If it doesn't match, your application should reject the token.
*/
nonce: string;
/**
* The immutable identifier for an object, in this case, a user account. This
* ID uniquely identifies the user across applications - two different
* applications signing in the same user receives the same value in the `oid`
* claim. Microsoft Graph returns this ID as the `id` property for a user
* account. Because the `oid` allows multiple apps to correlate users, the
* `profile` scope is required to receive this claim. If a single user exists
* in multiple tenants, the user contains a different object ID in each
* tenant - they're considered different accounts, even though the user logs
* into each account with the same credentials. The `oid` claim is a GUID and
* can't be reused.
*/
oid: string;
/** The set of roles that were assigned to the user who is logging in. */
roles: string[];
/** An internal claim used to revalidate tokens. Should be ignored. */
rh: string;
/**
* The subject of the information in the token. For example, the user of an
* app. This value is immutable and can't be reassigned or reused. The
* subject is a pairwise identifier and is unique to an application ID. If a
* single user signs into two different apps using two different client IDs,
* those apps receive two different values for the subject claim. You may or
* may not want two values depending on your architecture and privacy
* requirements.
*/
sub: string;
nickname: string;
email: string;
picture: string;
/** Represents the tenant that the user is signing in to. For work and school
* accounts, the GUID is the immutable tenant ID of the organization that the
* user is signing in to. For sign-ins to the personal Microsoft account
* tenant (services like Xbox, Teams for Life, or Outlook), the value is
* `9188040d-6c67-4c5b-b112-36a304b66dad`.
*/
tid: string;
/**
* Represents an unique identifier for a session and will be generated when a
* new session is established.
*/
sid: string;
/**
* Token identifier claim, equivalent to jti in the JWT specification.
* Unique, per-token identifier that is case-sensitive.
*/
uti: string;
/** Indicates the version of the ID token. */
ver: "2.0";
/**
* If present, always true, denoting the user is in at least one group.
* Indicates that the client should use the Microsoft Graph API to determine
* the user's groups
* (`https://graph.microsoft.com/v1.0/users/{userID}/getMemberObjects`).
*/
hasgroups: boolean;
/**
* Users account status in tenant. If the user is a member of the tenant, the
* value is `0`. If they're a guest, the value is `1`.
*/
acct: 0 | 1;
/**
* Auth Context IDs. Indicates the Auth Context IDs of the operations that
* the bearer is eligible to perform. Auth Context IDs can be used to trigger
* a demand for step-up authentication from within your application and
* services. Often used along with the `xms_cc` claim.
*/
acrs: string;
/** Time when the user last authenticated. */
auth_time: Date;
/**
* User's country/region. This claim is returned if it's present and the
* value of the field is a standard two-letter country/region code, such as
* FR, JP, SZ, and so on.
*/
ctry: string;
/**
* IP address. Adds the original address of the requesting client
* (when inside a VNET).
*/
fwd: string;
/**
* Optional formatting for group claims. The `groups` claim is used with the
* GroupMembershipClaims setting in the
* [application manifest](https://learn.microsoft.com/en-us/entra/identity-platform/reference-app-manifest),
* which must be set as well.
*/
groups: string;
/**
* Login hint. An opaque, reliable login hint claim that's base 64 encoded.
* Don't modify this value. This claim is the best value to use for the
* `login_hint` OAuth parameter in all flows to get SSO. It can be passed
* between applications to help them silently SSO as well - application A can
* sign in a user, read the `login_hint` claim, and then send the claim and
* the current tenant context to application B in the query string or
* fragment when the user selects on a link that takes them to application B.
* To avoid race conditions and reliability issues, the `login_hint` claim
* doesn't include the current tenant for the user, and defaults to the
* user's home tenant when used. In a guest scenario where the user is from
* another tenant, a tenant identifier must be provided in the sign-in
* request. and pass the same to apps you partner with. This claim is
* intended for use with your SDK's existing `login_hint` functionality,
* however that it exposed.
*/
login_hint: string;
/**
* Resource tenant's country/region. Same as `ctry` except set at a tenant
* level by an admin. Must also be a standard two-letter value.
*/
tenant_ctry: string;
/**
* Region of the resource tenant
*/
tenant_region_scope: string;
/**
* UserPrincipalName. An identifier for the user that can be used with the
* `username_hint` parameter. Not a durable identifier for the user and
* shouldn't be used for authorization or to uniquely identity user
* information (for example, as a database key). Instead, use the user object
* ID (`oid`) as a database key. For more information, see
* [Secure applications and APIs by validating claims](https://learn.microsoft.com/en-us/entra/identity-platform/claims-validation).
* Users signing in with an
* [alternate login ID](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-use-email-signin)
* shouldn't be shown their User Principal Name (UPN). Instead, use the
* following ID token claims for displaying sign-in state to the user:
* `preferred_username` or `unique_name` for v1 tokens and
* `preferred_username` for v2 tokens. Although this claim is automatically
* included, you can specify it as an optional claim to attach other
* properties to modify its behavior in the guest user case. You should use
* the `login_hint` claim for `login_hint` use - human-readable identifiers
* like UPN are unreliable.
*/
upn: string;
/** Sourced from the user's PrimaryAuthoritativeEmail */
verified_primary_email: string[];
/** Sourced from the user's SecondaryAuthoritativeEmail */
verified_secondary_email: string[];
/** VNET specifier information. */
vnet: string;
/**
* Client Capabilities. Indicates whether the client application that
* acquired the token is capable of handling claims challenges. It's often
* used along with claim `acrs`. This claim is commonly used in Conditional
* Access and Continuous Access Evaluation scenarios. The resource server or
* service application that the token is issued for controls the presence of
* this claim in a token. A value of `cp1` in the access token is the
* authoritative way to identify that a client application is capable of
* handling a claims challenge. For more information, see
* [Claims challenges, claims requests and client capabilities](https://learn.microsoft.com/en-us/entra/identity-platform/claims-challenge?tabs=dotnet).
*/
xms_cc: string;
/**
* Boolean value indicating whether the user's email domain owner has been
* verified. An email is considered to be domain verified if it belongs to
* the tenant where the user account resides and the tenant admin has done
* verification of the domain. Also, the email must be from a Microsoft
* account (MSA), a Google account, or used for authentication using the
* one-time passcode (OTP) flow. Facebook and SAML/WS-Fed accounts do not
* have verified domains. For this claim to be returned in the token, the
* presence of the `email` claim is required.
*/
xms_edov: boolean;
/**
* Preferred data location. For Multi-Geo tenants, the preferred data
* location is the three-letter code showing the geographic region the user
* is in. For more information, see the
* [Microsoft Entra Connect documentation about preferred data location](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-feature-preferreddatalocation).
*/
xms_pdl: string;
/**
* User preferred language. The user's preferred language, if set. Sourced
* from their home tenant, in guest access scenarios. Formatted LL-CC
* ("en-us").
*/
xms_pl: string;
/**
* Tenant preferred language. The resource tenant's preferred language, if
* set. Formatted LL ("en").
*/
xms_tpl: string;
/**
* Zero-touch Deployment ID. The device identity used for `Windows AutoPilot`.
*/
ztdid: string;
/** IP Address. The IP address the client logged in from. */
ipaddr: string;
/** On-premises Security Identifier */
onprem_sid: string;
/**
* Password Expiration Time. The number of seconds after the time in the
* `iat` claim at which the password expires. This claim is only included
* when the password is expiring soon (as defined by "notification days" in
* the password policy).
*/
pwd_exp: number;
/**
* Change Password URL. A URL that the user can visit to change their
* password. This claim is only included when the password is expiring soon
* (as defined by "notification days" in the password policy).
*/
pwd_url: string;
/**
* Inside Corporate Network. Signals if the client is logging in from the
* corporate network. If they're not, the claim isn't included. Based off of
* the
* [trusted IPs](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings#trusted-ips)
* settings in MFA.
*/
in_corp: string;
/**
* Last Name. Provides the last name, surname, or family name of the user as
* defined in the user object. For example, `"family_name":"Miller"`.
* Supported in MSA and Microsoft Entra ID. Requires the `profile` scope.
*/
family_name: string;
/**
* First name. Provides the first or "given" name of the user, as set on the
* user object. For example, `"given_name": "Frank"`. Supported in MSA and
* Microsoft Entra ID. Requires the `profile` scope.
*/
given_name: string;
}
/**
* ### Setup
*
* Add Microsoft Entra ID login to your page.
* #### Callback URL
*
* ## Setup
*
* ### Callback URL
* ```
* https://example.com/auth/callback/microsoft-entra-id
* https://example.com/api/auth/callback/microsoft-entra-id
* ```
*
* ### Configuration
* #### Environment Variables
*
* @example
* ```env
* AUTH_MICROSOFT_ENTRA_ID_ID="<Application (client) ID>"
* AUTH_MICROSOFT_ENTRA_ID_SECRET="<Client secret value>"
* AUTH_MICROSOFT_ENTRA_ID_ISSUER="https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0/"
* ```
*
* ```ts
* #### Configuration
*
* When the `issuer` parameter is omitted it will default to
* `"https://login.microsoftonline.com/common/v2.0/"`.
* This allows any Microsoft account (Personal, School or Work) to log in.
*
* ```typescript
* import MicrosoftEntraID from "@auth/core/providers/microsoft-entra-id"

@@ -28,4 +352,4 @@ * ...

* MicrosoftEntraID({
* clientId: env.AUTH_MICROSOFT_ENTRA_ID_ID,
* clientSecret: env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
* clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID,
* clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
* }),

@@ -36,37 +360,47 @@ * ]

*
* ### Resources
* To only allow your organization's users to log in you will need to configure
* the `issuer` parameter with your Directory (tenant) ID.
*
* - [Microsoft Entra OAuth documentation](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow)
* - [Microsoft Entra OAuth apps](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)
* ```env
* AUTH_MICROSOFT_ENTRA_ID_ISSUER="https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0/"
* ```
*
* ### To allow specific Active Directory users access:
*
* By default, the Entra ID provider lets the users to log in with any Microsoft account (either Personal, School or Work).
*
* To only allow your organization's users to log in, you'll need to set the `issuer`, in addition to the client id and secret.
*
* @example
* ```ts
* ```typescript
* import MicrosoftEntraID from "@auth/core/providers/microsoft-entra-id"
*
* ...
* providers: [
* MicrosoftEntraID({
* clientId: env.AUTH_MICROSOFT_ENTRA_ID_ID,
* clientSecret: env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
* issuer: env.AUTH_MICROSOFT_ENTRA_ID_TENANT_ID,
* clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID,
* clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
* issuer: process.env.AUTH_MICROSOFT_ENTRA_ID_ISSUER,
* }),
* ]
* ...
* ```
*
* ### Resources
*
* - [Microsoft Entra OAuth documentation](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow)
* - [Microsoft Entra OAuth apps](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)
*
* ### Notes
*
* Microsoft Entra ID returns the profile picture in an ArrayBuffer, instead of just a URL to the image, so our provider converts it to a base64 encoded image string and returns that instead. See: https://learn.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0&tabs=http#examples. The default image size is 48x48 to avoid [running out of space](https://next-auth.js.org/faq#:~:text=What%20are%20the%20disadvantages%20of%20JSON%20Web%20Tokens%3F) in case the session is saved as a JWT.
* Microsoft Entra ID returns the profile picture in an ArrayBuffer, instead of
* just a URL to the image, so our provider converts it to a base64 encoded
* image string and returns that instead. See:
* https://learn.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0&tabs=http#examples.
* The default image size is 48x48 to avoid
* [running out of space](https://next-auth.js.org/faq#json-web-tokens)
* in case the session is saved as a JWT.
*
* By default, Auth.js assumes that the Microsoft Entra ID provider is
* based on the [Open ID Connect](https://openid.net/specs/openid-connect-core-1_0.html) specification.
* By default, Auth.js assumes that the Microsoft Entra ID provider is based on
* the [Open ID Connect](https://openid.net/specs/openid-connect-core-1_0.html)
* specification.
*
* :::tip
*
* The Microsoft Entra ID provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/microsoft-entra-id.ts).
* To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
* The Microsoft Entra ID provider comes with a
* [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/microsoft-entra-id.ts).
* To override the defaults for your use case, check out
* [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
*

@@ -77,7 +411,10 @@ * :::

*
* If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
* If you think you found a bug in the default configuration, you can
* [open an issue](https://authjs.dev/new/provider-issue).
*
* Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
* the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
* we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
* Auth.js strictly adheres to the specification and it cannot take
* responsibility for any deviation from the spec by the provider. You can open
* an issue, but if the problem is non-compliance with the spec, we might not
* pursue a resolution. You can ask for more help in
* [Discussions](https://authjs.dev/new/github-discussions).
*

@@ -84,0 +421,0 @@ * :::
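Review bot: `iat`, `nbf`, `exp` and `auth_time` (L199, L214, L221, L349) are declared as `Date`, but these are JWT NumericDate claims and arrive from the parsed ID token as numbers (seconds since the epoch) — the `pwd_exp` comment at L469-L470 itself describes its value as seconds after the `iat` claim. A consumer that writes `profile.exp.getTime()` against this type will throw at runtime; declare them as `number` (`iat: number;` and likewise for `nbf`, `exp` and `auth_time`) and state the unit in the comment. `groups` at L367 is typed `string` while the neighbouring `roles` at L294 is `string[]`; to my recollection the claims reference linked at L178 describes `groups` as a list of group IDs, so that may want `string[]` too — worth confirming. Dropping `extends Record<string, any>` (L176 versus L181) is a welcome tightening, but it is a breaking change for consumers that read claims not listed here and deserves a changelog mention.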

@@ -1,1 +0,1 @@

{"version":3,"file":"microsoft-entra-id.d.ts","sourceRoot":"","sources":["../src/providers/microsoft-entra-id.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAE5D,MAAM,WAAW,uBAAwB,SAAQ,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;IAClE,GAAG,EAAE,MAAM,CAAA;IACX,QAAQ,EAAE,MAAM,CAAA;IAChB,KAAK,EAAE,MAAM,CAAA;IACb,OAAO,EAAE,MAAM,CAAA;CAChB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0EG;AACH,MAAM,CAAC,OAAO,UAAU,gBAAgB,CACtC,MAAM,EAAE,cAAc,CAAC,uBAAuB,CAAC,GAAG;IAChD;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,CAAA;CACpE,GACA,UAAU,CAAC,uBAAuB,CAAC,CAoDrC"}
{"version":3,"file":"microsoft-entra-id.d.ts","sourceRoot":"","sources":["../src/providers/microsoft-entra-id.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAE5D;;;GAGG;AACH,MAAM,WAAW,uBAAuB;IACtC;;;;;OAKG;IACH,GAAG,EAAE,MAAM,CAAA;IACX;;;;;;;sDAOkD;IAClD,GAAG,EAAE,MAAM,CAAA;IACX,gEAAgE;IAChE,GAAG,EAAE,IAAI,CAAA;IACT;;;;;;;;;OASG;IACH,GAAG,EAAE,MAAM,CAAA;IACX;;OAEG;IACH,GAAG,EAAE,IAAI,CAAA;IACT;;;;;OAKG;IACH,GAAG,EAAE,IAAI,CAAA;IACT;;;;;;;OAOG;IACH,MAAM,EAAE,MAAM,CAAA;IACd;;;;;;;OAOG;IACH,OAAO,EAAE,MAAM,CAAA;IACf;;;OAGG;IACH,GAAG,EAAE,MAAM,CAAA;IACX;;;;;;;OAOG;IACH,kBAAkB,EAAE,MAAM,CAAA;IAC1B;;;;;;;;;;;;OAYG;IACH,KAAK,EAAE,MAAM,CAAA;IACb;;;;;OAKG;IACH,IAAI,EAAE,MAAM,CAAA;IACZ;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAA;IACb;;;;;;;;;;;OAWG;IACH,GAAG,EAAE,MAAM,CAAA;IACX,yEAAyE;IACzE,KAAK,EAAE,MAAM,EAAE,CAAA;IACf,sEAAsE;IACtE,EAAE,EAAE,MAAM,CAAA;IACV;;;;;;;;OAQG;IACH,GAAG,EAAE,MAAM,CAAA;IACX;;;;;OAKG;IACH,GAAG,EAAE,MAAM,CAAA;IACX;;;OAGG;IACH,GAAG,EAAE,MAAM,CAAA;IACX;;;OAGG;IACH,GAAG,EAAE,MAAM,CAAA;IACX,6CAA6C;IAC7C,GAAG,EAAE,KAAK,CAAA;IACV;;;;;OAKG;IACH,SAAS,EAAE,OAAO,CAAA;IAClB;;;OAGG;IACH,IAAI,EAAE,CAAC,GAAG,CAAC,CAAA;IACX;;;;;OAKG;IACH,IAAI,EAAE,MAAM,CAAA;IACZ,6CAA6C;IAC7C,SAAS,EAAE,IAAI,CAAA;IACf;;;;OAIG;IACH,IAAI,EAAE,MAAM,CAAA;IACZ;;;OAGG;IACH,GAAG,EAAE,MAAM,CAAA;IACX;;;;;OAKG;IACH,MAAM,EAAE,MAAM,CAAA;IACd;;;;;;;;;;;;;;;OAeG;IACH,UAAU,EAAE,MAAM,CAAA;IAClB;;;OAGG;IACH,WAAW,EAAE,MAAM,CAAA;IACnB;;OAEG;IACH,mBAAmB,EAAE,MAAM,CAAA;IAC3B;;;;;;;;;;;;;;;;;OAiBG;IACH,GAAG,EAAE,MAAM,CAAA;IACX,wDAAwD;IACxD,sBAAsB,EAAE,MAAM,EAAE,CAAA;IAChC,0DAA0D;IAC1D,wBAAwB,EAAE,MAAM,EAAE,CAAA;IAClC,kCAAkC;IAClC,IAAI,EAAE,MAAM,CAAA;IACZ;;;;;;;;;;OAUG;IACH,MAAM,EAAE,MAAM,CAAA;IACd;;;;;;;;;OASG;IACH,QAAQ,EAAE,OAAO,CAAA;IACjB;;;;;OAKG;IACH,OAAO,EAAE,MAAM,CAAA;IACf;;;;OAIG;IACH,MAAM,EAAE,MAAM,CAAA;IACd;;;OAGG;IACH,OAAO,EAAE,MAAM,CAAA;IACf;;OAEG;IACH,KAAK,EAAE,MAAM,CAAA;IACb,4DAA4D;IAC5D,MAAM,EAAE,MAAM,CAAA;IACd,sCAAsC;IACtC,UAAU,EAAE,MAAM,CAAA;IAClB;;;;;OAKG;IACH,OAAO,EA
AE,MAAM,CAAA;IACf;;;;OAIG;IACH,OAAO,EAAE,MAAM,CAAA;IACf;;;;;;OAMG;IACH,OAAO,EAAE,MAAM,CAAA;IACf;;;;OAIG;IACH,WAAW,EAAE,MAAM,CAAA;IACnB;;;;OAIG;IACH,UAAU,EAAE,MAAM,CAAA;CACnB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+FG;AACH,MAAM,CAAC,OAAO,UAAU,gBAAgB,CACtC,MAAM,EAAE,cAAc,CAAC,uBAAuB,CAAC,GAAG;IAChD;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,CAAA;CACpE,GACA,UAAU,CAAC,uBAAuB,CAAC,CAuDrC"}

@@ -13,17 +13,25 @@ /**

/**
* ### Setup
*
* Add Microsoft Entra ID login to your page.
* #### Callback URL
*
* ## Setup
*
* ### Callback URL
* ```
* https://example.com/auth/callback/microsoft-entra-id
* https://example.com/api/auth/callback/microsoft-entra-id
* ```
*
* ### Configuration
* #### Environment Variables
*
* @example
* ```env
* AUTH_MICROSOFT_ENTRA_ID_ID="<Application (client) ID>"
* AUTH_MICROSOFT_ENTRA_ID_SECRET="<Client secret value>"
* AUTH_MICROSOFT_ENTRA_ID_ISSUER="https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0/"
* ```
*
* ```ts
* #### Configuration
*
* When the `issuer` parameter is omitted it will default to
* `"https://login.microsoftonline.com/common/v2.0/"`.
* This allows any Microsoft account (Personal, School or Work) to log in.
*
* ```typescript
* import MicrosoftEntraID from "@auth/core/providers/microsoft-entra-id"

@@ -33,4 +41,4 @@ * ...

* MicrosoftEntraID({
* clientId: env.AUTH_MICROSOFT_ENTRA_ID_ID,
* clientSecret: env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
* clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID,
* clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
* }),

@@ -41,37 +49,47 @@ * ]

*
* ### Resources
* To only allow your organization's users to log in you will need to configure
* the `issuer` parameter with your Directory (tenant) ID.
*
* - [Microsoft Entra OAuth documentation](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow)
* - [Microsoft Entra OAuth apps](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)
* ```env
* AUTH_MICROSOFT_ENTRA_ID_ISSUER="https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0/"
* ```
*
* ### To allow specific Active Directory users access:
*
* By default, the Entra ID provider lets the users to log in with any Microsoft account (either Personal, School or Work).
*
* To only allow your organization's users to log in, you'll need to set the `issuer`, in addition to the client id and secret.
*
* @example
* ```ts
* ```typescript
* import MicrosoftEntraID from "@auth/core/providers/microsoft-entra-id"
*
* ...
* providers: [
* MicrosoftEntraID({
* clientId: env.AUTH_MICROSOFT_ENTRA_ID_ID,
* clientSecret: env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
* issuer: env.AUTH_MICROSOFT_ENTRA_ID_TENANT_ID,
* clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID,
* clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
* issuer: process.env.AUTH_MICROSOFT_ENTRA_ID_ISSUER,
* }),
* ]
* ...
* ```
*
* ### Resources
*
* - [Microsoft Entra OAuth documentation](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow)
* - [Microsoft Entra OAuth apps](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)
*
* ### Notes
*
* Microsoft Entra ID returns the profile picture in an ArrayBuffer, instead of just a URL to the image, so our provider converts it to a base64 encoded image string and returns that instead. See: https://learn.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0&tabs=http#examples. The default image size is 48x48 to avoid [running out of space](https://next-auth.js.org/faq#:~:text=What%20are%20the%20disadvantages%20of%20JSON%20Web%20Tokens%3F) in case the session is saved as a JWT.
* Microsoft Entra ID returns the profile picture in an ArrayBuffer, instead of
* just a URL to the image, so our provider converts it to a base64 encoded
* image string and returns that instead. See:
* https://learn.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0&tabs=http#examples.
* The default image size is 48x48 to avoid
* [running out of space](https://next-auth.js.org/faq#json-web-tokens)
* in case the session is saved as a JWT.
*
* By default, Auth.js assumes that the Microsoft Entra ID provider is
* based on the [Open ID Connect](https://openid.net/specs/openid-connect-core-1_0.html) specification.
* By default, Auth.js assumes that the Microsoft Entra ID provider is based on
* the [Open ID Connect](https://openid.net/specs/openid-connect-core-1_0.html)
* specification.
*
* :::tip
*
* The Microsoft Entra ID provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/microsoft-entra-id.ts).
* To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
* The Microsoft Entra ID provider comes with a
* [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/microsoft-entra-id.ts).
* To override the defaults for your use case, check out
* [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
*

@@ -82,7 +100,10 @@ * :::

*
* If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
* If you think you found a bug in the default configuration, you can
* [open an issue](https://authjs.dev/new/provider-issue).
*
* Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
* the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
* we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
* Auth.js strictly adheres to the specification and it cannot take
* responsibility for any deviation from the spec by the provider. You can open
* an issue, but if the problem is non-compliance with the spec, we might not
* pursue a resolution. You can ask for more help in
* [Discussions](https://authjs.dev/new/github-discussions).
*

@@ -93,3 +114,6 @@ * :::

const { profilePhotoSize = 48 } = config;
config.issuer ?? (config.issuer = "https://login.microsoftonline.com/common/v2.0");
// If issuer is not set, first fallback to environment variable, then
// fallback to /common/ uri.
config.issuer ?? (config.issuer = process.env.AUTH_MICROSOFT_ENTRA_ID_ISSUER ||
"https://login.microsoftonline.com/common/v2.0");
return {

@@ -122,3 +146,2 @@ id: "microsoft-entra-id",

style: { text: "#fff", bg: "#0072c6" },
/** Entra ID returns the wrong issuer @see https://github.com/MicrosoftDocs/azure-docs/issues/113944 */
async [customFetch](...args) {

@@ -125,0 +148,0 @@ const url = new URL(args[0] instanceof Request ? args[0].url : args[0]);

@@ -144,3 +144,3 @@ import type { OAuthConfig, OAuthUserConfig } from "./index.js";

* - [TikTok login kit documentation](https://developers.tiktok.com/doc/login-kit-web/)
* - [Avaliable Scopes](https://developers.tiktok.com/doc/tiktok-api-scopes/)
* - [Available Scopes](https://developers.tiktok.com/doc/tiktok-api-scopes/)
* - [Sandbox for testing](https://developers.tiktok.com/blog/introducing-sandbox)

@@ -147,0 +147,0 @@ *

@@ -40,3 +40,3 @@ /**

* - [TikTok login kit documentation](https://developers.tiktok.com/doc/login-kit-web/)
* - [Avaliable Scopes](https://developers.tiktok.com/doc/tiktok-api-scopes/)
* - [Available Scopes](https://developers.tiktok.com/doc/tiktok-api-scopes/)
* - [Sandbox for testing](https://developers.tiktok.com/blog/introducing-sandbox)

@@ -43,0 +43,0 @@ *

@@ -70,3 +70,3 @@ /**

*
* - Trakt does not allow hotlinking images. Even the authenticated user's profie picture.
* - Trakt does not allow hotlinking images. Even the authenticated user's profile picture.
* - Trakt does not supply the authenticated user's email.

@@ -73,0 +73,0 @@ *

@@ -39,3 +39,3 @@ /**

*
* - Trakt does not allow hotlinking images. Even the authenticated user's profie picture.
* - Trakt does not allow hotlinking images. Even the authenticated user's profile picture.
* - Trakt does not supply the authenticated user's email.

@@ -42,0 +42,0 @@ *

@@ -147,3 +147,6 @@ import * as cookie from "../vendored/cookie.js"

return { action, providerId }
return {
action,
providerId: providerId == "undefined" ? undefined : providerId,
}
}
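Review bot: `providerId == "undefined"` uses loose equality where `===` is the idiom and makes the intent (comparing against the literal string) explicit: `providerId: providerId === "undefined" ? undefined : providerId,`. Mapping that literal to no provider also means a client that interpolated an unset value into the URL is silently treated as a provider-less request instead of being rejected; if that is deliberate, a comment should say so, e.g. `// A literal "undefined" path segment comes from clients interpolating an unset id; treat it as absent.` The enclosing function starts outside the hunk.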

@@ -11,3 +11,3 @@ /**

*/
import type { OAuthConfig, OAuthUserConfig } from "./index.js"
import type { OIDCConfig, OIDCUserConfig } from "./index.js"

@@ -103,4 +103,4 @@ export interface KeycloakProfile extends Record<string, any> {

export default function Keycloak<P extends KeycloakProfile>(
options: OAuthUserConfig<P>
): OAuthConfig<P> {
options: OIDCUserConfig<P>
): OIDCConfig<P> {
return {

@@ -107,0 +107,0 @@ id: "keycloak",

@@ -27,3 +27,6 @@ /**

* providers: [
* Mailgun({ from: MAILGUN_DOMAIN }),
* Mailgun({
* from: MAILGUN_DOMAIN,
* region: "EU", // Optional
* }),
* ],

@@ -47,3 +50,19 @@ * })

*/
export default function MailGun(config: EmailUserConfig): EmailConfig {
export default function MailGun(
config: EmailUserConfig & {
/**
* https://documentation.mailgun.com/docs/mailgun/api-reference/#base-url
*
* @default "US"
*/
region?: "US" | "EU"
}
): EmailConfig {
const { region = "US" } = config
const servers = {
US: "api.mailgun.net",
EU: "api.eu.mailgun.net",
}
const apiServer = servers[region]
return {
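Review bot: `const apiServer = servers[region]` has no runtime guard, so a `region` that is not exactly "US" or "EU" (easy when it arrives from an env string or an untyped JS caller) yields `undefined`, and the request built later in this function goes to `https://undefined/v3/...`, presumably with the Mailgun API key in its headers; the provider should reject unknown regions up front rather than send credentials to an unintended host. Add `if (!apiServer) throw new TypeError(\`Mailgun: unsupported region "${region}"\`)` directly after the lookup. Note also that the `= "US"` destructuring default only applies when `region` is `undefined`, not `null` or `""`. The function body continues past the hunk.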

@@ -69,3 +88,3 @@ id: "mailgun",

const res = await fetch(`https://api.mailgun.net/v3/${domain}/messages`, {
const res = await fetch(`https://${apiServer}/v3/${domain}/messages`, {
method: "POST",

@@ -72,0 +91,0 @@ headers: {

@@ -14,25 +14,349 @@ /**

export interface MicrosoftEntraIDProfile extends Record<string, any> {
/**
* @see [Microsoft Identity Platform - ID token claims reference](https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference)
* @see [Microsoft Identity Platform - Optional claims reference](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims-reference)
*/
export interface MicrosoftEntraIDProfile {
/**
* Identifies the intended recipient of the token. In `id_tokens`, the
* audience is your app's Application ID, assigned to your app in the Azure
* portal. This value should be validated. The token should be rejected if it
* fails to match your app's Application ID.
*/
aud: string
/**
* Identifies the issuer, or "authorization server" that constructs and
* returns the token. It also identifies the tenant for which the user was
* authenticated. If the token was issued by the v2.0 endpoint, the URI ends
* in `/v2.0`. The GUID that indicates that the user is a consumer user from
* a Microsoft account is `9188040d-6c67-4c5b-b112-36a304b66dad`. Your app
* should use the GUID portion of the claim to restrict the set of tenants
* that can sign in to the app, if applicable. */
iss: string
/** Indicates when the authentication for the token occurred. */
iat: Date
/**
* Records the identity provider that authenticated the subject of the token.
* This value is identical to the value of the issuer claim unless the user
* account isn't in the same tenant as the issuer - guests, for instance. If
* the claim isn't present, it means that the value of `iss` can be used
* instead. For personal accounts being used in an organizational context
* (for instance, a personal account invited to a tenant), the `idp` claim
* may be 'live.com' or an STS URI containing the Microsoft account tenant
* `9188040d-6c67-4c5b-b112-36a304b66dad`.
*/
idp: string
/**
* Identifies the time before which the JWT can't be accepted for processing.
*/
nbf: Date
/**
* Identifies the expiration time on or after which the JWT can't be accepted
* for processing. In certain circumstances, a resource may reject the token
* before this time. For example, if a change in authentication is required
* or a token revocation has been detected.
*/
exp: Date
/**
* The code hash is included in ID tokens only when the ID token is issued
* with an OAuth 2.0 authorization code. It can be used to validate the
* authenticity of an authorization code. To understand how to do this
* validation, see the
* [OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken).
* This claim isn't returned on ID tokens from the /token endpoint.
*/
c_hash: string
/**
* The access token hash is included in ID tokens only when the ID token is
* issued from the `/authorize` endpoint with an OAuth 2.0 access token. It
* can be used to validate the authenticity of an access token. To understand
* how to do this validation, see the
* [OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken).
* This claim isn't returned on ID tokens from the `/token` endpoint.
*/
at_hash: string
/**
* An internal claim that's used to record data for token reuse. Should be
* ignored.
*/
aio: string
/**
* The primary username that represents the user. It could be an email
* address, phone number, or a generic username without a specified format.
* Its value is mutable and might change over time. Since it's mutable, this
* value can't be used to make authorization decisions. It can be used for
* username hints and in human-readable UI as a username. The `profile` scope
* is required to receive this claim. Present only in v2.0 tokens.
*/
preferred_username: string
/**
* Present by default for guest accounts that have an email address. Your app
* can request the email claim for managed users (from the same tenant as the
* resource) using the `email`
* [optional claim](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims).
* This value isn't guaranteed to be correct and is mutable over time. Never
* use it for authorization or to save data for a user. If you require an
* addressable email address in your app, request this data from the user
* directly by using this claim as a suggestion or prefill in your UX. On the
* v2.0 endpoint, your app can also request the `email` OpenID Connect
* scope - you don't need to request both the optional claim and the scope to
* get the claim.
*/
email: string
/**
* The `name` claim provides a human-readable value that identifies the
* subject of the token. The value isn't guaranteed to be unique, it can be
* changed, and should be used only for display purposes. The `profile` scope
* is required to receive this claim.
*/
name: string
/**
* The nonce matches the parameter included in the original authorize request
* to the IDP. If it doesn't match, your application should reject the token.
*/
nonce: string
/**
* The immutable identifier for an object, in this case, a user account. This
* ID uniquely identifies the user across applications - two different
* applications signing in the same user receives the same value in the `oid`
* claim. Microsoft Graph returns this ID as the `id` property for a user
* account. Because the `oid` allows multiple apps to correlate users, the
* `profile` scope is required to receive this claim. If a single user exists
* in multiple tenants, the user contains a different object ID in each
* tenant - they're considered different accounts, even though the user logs
* into each account with the same credentials. The `oid` claim is a GUID and
* can't be reused.
*/
oid: string
/** The set of roles that were assigned to the user who is logging in. */
roles: string[]
/** An internal claim used to revalidate tokens. Should be ignored. */
rh: string
/**
* The subject of the information in the token. For example, the user of an
* app. This value is immutable and can't be reassigned or reused. The
* subject is a pairwise identifier and is unique to an application ID. If a
* single user signs into two different apps using two different client IDs,
* those apps receive two different values for the subject claim. You may or
* may not want two values depending on your architecture and privacy
* requirements.
*/
sub: string
nickname: string
email: string
picture: string
/** Represents the tenant that the user is signing in to. For work and school
* accounts, the GUID is the immutable tenant ID of the organization that the
* user is signing in to. For sign-ins to the personal Microsoft account
* tenant (services like Xbox, Teams for Life, or Outlook), the value is
* `9188040d-6c67-4c5b-b112-36a304b66dad`.
*/
tid: string
/**
* Represents an unique identifier for a session and will be generated when a
* new session is established.
*/
sid: string
/**
* Token identifier claim, equivalent to jti in the JWT specification.
* Unique, per-token identifier that is case-sensitive.
*/
uti: string
/** Indicates the version of the ID token. */
ver: "2.0"
/**
* If present, always true, denoting the user is in at least one group.
* Indicates that the client should use the Microsoft Graph API to determine
* the user's groups
* (`https://graph.microsoft.com/v1.0/users/{userID}/getMemberObjects`).
*/
hasgroups: boolean
/**
* Users account status in tenant. If the user is a member of the tenant, the
* value is `0`. If they're a guest, the value is `1`.
*/
acct: 0 | 1
/**
* Auth Context IDs. Indicates the Auth Context IDs of the operations that
* the bearer is eligible to perform. Auth Context IDs can be used to trigger
* a demand for step-up authentication from within your application and
* services. Often used along with the `xms_cc` claim.
*/
acrs: string
/** Time when the user last authenticated. */
auth_time: Date
/**
* User's country/region. This claim is returned if it's present and the
* value of the field is a standard two-letter country/region code, such as
* FR, JP, SZ, and so on.
*/
ctry: string
/**
* IP address. Adds the original address of the requesting client
* (when inside a VNET).
*/
fwd: string
/**
* Optional formatting for group claims. The `groups` claim is used with the
* GroupMembershipClaims setting in the
* [application manifest](https://learn.microsoft.com/en-us/entra/identity-platform/reference-app-manifest),
* which must be set as well.
*/
groups: string
/**
* Login hint. An opaque, reliable login hint claim that's base 64 encoded.
* Don't modify this value. This claim is the best value to use for the
* `login_hint` OAuth parameter in all flows to get SSO. It can be passed
* between applications to help them silently SSO as well - application A can
* sign in a user, read the `login_hint` claim, and then send the claim and
* the current tenant context to application B in the query string or
* fragment when the user selects on a link that takes them to application B.
* To avoid race conditions and reliability issues, the `login_hint` claim
* doesn't include the current tenant for the user, and defaults to the
* user's home tenant when used. In a guest scenario where the user is from
* another tenant, a tenant identifier must be provided in the sign-in
* request. and pass the same to apps you partner with. This claim is
* intended for use with your SDK's existing `login_hint` functionality,
* however that it exposed.
*/
login_hint: string
/**
* Resource tenant's country/region. Same as `ctry` except set at a tenant
* level by an admin. Must also be a standard two-letter value.
*/
tenant_ctry: string
/**
* Region of the resource tenant
*/
tenant_region_scope: string
/**
* UserPrincipalName. An identifier for the user that can be used with the
* `username_hint` parameter. Not a durable identifier for the user and
* shouldn't be used for authorization or to uniquely identity user
* information (for example, as a database key). Instead, use the user object
* ID (`oid`) as a database key. For more information, see
* [Secure applications and APIs by validating claims](https://learn.microsoft.com/en-us/entra/identity-platform/claims-validation).
* Users signing in with an
* [alternate login ID](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-use-email-signin)
* shouldn't be shown their User Principal Name (UPN). Instead, use the
* following ID token claims for displaying sign-in state to the user:
* `preferred_username` or `unique_name` for v1 tokens and
* `preferred_username` for v2 tokens. Although this claim is automatically
* included, you can specify it as an optional claim to attach other
* properties to modify its behavior in the guest user case. You should use
* the `login_hint` claim for `login_hint` use - human-readable identifiers
* like UPN are unreliable.
*/
upn: string
/** Sourced from the user's PrimaryAuthoritativeEmail */
verified_primary_email: string[]
/** Sourced from the user's SecondaryAuthoritativeEmail */
verified_secondary_email: string[]
/** VNET specifier information. */
vnet: string
/**
* Client Capabilities. Indicates whether the client application that
* acquired the token is capable of handling claims challenges. It's often
* used along with claim `acrs`. This claim is commonly used in Conditional
* Access and Continuous Access Evaluation scenarios. The resource server or
* service application that the token is issued for controls the presence of
* this claim in a token. A value of `cp1` in the access token is the
* authoritative way to identify that a client application is capable of
* handling a claims challenge. For more information, see
* [Claims challenges, claims requests and client capabilities](https://learn.microsoft.com/en-us/entra/identity-platform/claims-challenge?tabs=dotnet).
*/
xms_cc: string
/**
* Boolean value indicating whether the user's email domain owner has been
* verified. An email is considered to be domain verified if it belongs to
* the tenant where the user account resides and the tenant admin has done
* verification of the domain. Also, the email must be from a Microsoft
* account (MSA), a Google account, or used for authentication using the
* one-time passcode (OTP) flow. Facebook and SAML/WS-Fed accounts do not
* have verified domains. For this claim to be returned in the token, the
* presence of the `email` claim is required.
*/
xms_edov: boolean
/**
* Preferred data location. For Multi-Geo tenants, the preferred data
* location is the three-letter code showing the geographic region the user
* is in. For more information, see the
* [Microsoft Entra Connect documentation about preferred data location](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-feature-preferreddatalocation).
*/
xms_pdl: string
/**
* User preferred language. The user's preferred language, if set. Sourced
* from their home tenant, in guest access scenarios. Formatted LL-CC
* ("en-us").
*/
xms_pl: string
/**
* Tenant preferred language. The resource tenant's preferred language, if
* set. Formatted LL ("en").
*/
xms_tpl: string
/**
* Zero-touch Deployment ID. The device identity used for `Windows AutoPilot`.
*/
ztdid: string
/** IP Address. The IP address the client logged in from. */
ipaddr: string
/** On-premises Security Identifier */
onprem_sid: string
/**
* Password Expiration Time. The number of seconds after the time in the
* `iat` claim at which the password expires. This claim is only included
* when the password is expiring soon (as defined by "notification days" in
* the password policy).
*/
pwd_exp: number
/**
* Change Password URL. A URL that the user can visit to change their
* password. This claim is only included when the password is expiring soon
* (as defined by "notification days" in the password policy).
*/
pwd_url: string
/**
* Inside Corporate Network. Signals if the client is logging in from the
* corporate network. If they're not, the claim isn't included. Based off of
* the
* [trusted IPs](https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-mfasettings#trusted-ips)
* settings in MFA.
*/
in_corp: string
/**
* Last Name. Provides the last name, surname, or family name of the user as
* defined in the user object. For example, `"family_name":"Miller"`.
* Supported in MSA and Microsoft Entra ID. Requires the `profile` scope.
*/
family_name: string
/**
* First name. Provides the first or "given" name of the user, as set on the
* user object. For example, `"given_name": "Frank"`. Supported in MSA and
* Microsoft Entra ID. Requires the `profile` scope.
*/
given_name: string
}
/**
* ### Setup
*
* Add Microsoft Entra ID login to your page.
* #### Callback URL
*
* ## Setup
*
* ### Callback URL
* ```
* https://example.com/auth/callback/microsoft-entra-id
* https://example.com/api/auth/callback/microsoft-entra-id
* ```
*
* ### Configuration
* #### Environment Variables
*
* @example
* ```env
* AUTH_MICROSOFT_ENTRA_ID_ID="<Application (client) ID>"
* AUTH_MICROSOFT_ENTRA_ID_SECRET="<Client secret value>"
* AUTH_MICROSOFT_ENTRA_ID_ISSUER="https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0/"
* ```
*
* ```ts
* #### Configuration
*
* When the `issuer` parameter is omitted it will default to
* `"https://login.microsoftonline.com/common/v2.0/"`.
* This allows any Microsoft account (Personal, School or Work) to log in.
*
* ```typescript
* import MicrosoftEntraID from "@auth/core/providers/microsoft-entra-id"
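Review bot: The time claims `iat`, `nbf`, `exp` and `auth_time` are typed as `Date`, but in an ID token these are JWT NumericDate values — seconds since the epoch as a `number` — so a consumer that trusts the type and writes `profile.exp.getTime()` for an expiry check throws at runtime, and a comparison against `Date.now()` silently mis-scales by 1000. Change them to `iat: number`, `nbf: number`, `exp: number`, `auth_time: number` and state the unit in each doc comment. `email: string` is also declared twice in the interface (once among the documented claims, again beside `nickname`/`picture`); drop the second copy. Finally, the interface no longer extends `Record<string, any>`, so tenant-specific optional claims not listed here are no longer typed on `profile`; if that narrowing is intended it deserves a changelog line, otherwise keep the index signature.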

@@ -42,4 +366,4 @@ * ...

* MicrosoftEntraID({
* clientId: env.AUTH_MICROSOFT_ENTRA_ID_ID,
* clientSecret: env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
* clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID,
* clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
* }),

@@ -50,37 +374,47 @@ * ]

*
* ### Resources
* To only allow your organization's users to log in you will need to configure
* the `issuer` parameter with your Directory (tenant) ID.
*
* - [Microsoft Entra OAuth documentation](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow)
* - [Microsoft Entra OAuth apps](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)
* ```env
* AUTH_MICROSOFT_ENTRA_ID_ISSUER="https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0/"
* ```
*
* ### To allow specific Active Directory users access:
*
* By default, the Entra ID provider lets the users to log in with any Microsoft account (either Personal, School or Work).
*
* To only allow your organization's users to log in, you'll need to set the `issuer`, in addition to the client id and secret.
*
* @example
* ```ts
* ```typescript
* import MicrosoftEntraID from "@auth/core/providers/microsoft-entra-id"
*
* ...
* providers: [
* MicrosoftEntraID({
* clientId: env.AUTH_MICROSOFT_ENTRA_ID_ID,
* clientSecret: env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
* issuer: env.AUTH_MICROSOFT_ENTRA_ID_TENANT_ID,
* clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID,
* clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
* issuer: process.env.AUTH_MICROSOFT_ENTRA_ID_ISSUER,
* }),
* ]
* ...
* ```
*
* ### Resources
*
* - [Microsoft Entra OAuth documentation](https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow)
* - [Microsoft Entra OAuth apps](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app)
*
* ### Notes
*
* Microsoft Entra ID returns the profile picture in an ArrayBuffer, instead of just a URL to the image, so our provider converts it to a base64 encoded image string and returns that instead. See: https://learn.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0&tabs=http#examples. The default image size is 48x48 to avoid [running out of space](https://next-auth.js.org/faq#:~:text=What%20are%20the%20disadvantages%20of%20JSON%20Web%20Tokens%3F) in case the session is saved as a JWT.
* Microsoft Entra ID returns the profile picture in an ArrayBuffer, instead of
* just a URL to the image, so our provider converts it to a base64 encoded
* image string and returns that instead. See:
* https://learn.microsoft.com/en-us/graph/api/profilephoto-get?view=graph-rest-1.0&tabs=http#examples.
* The default image size is 48x48 to avoid
* [running out of space](https://next-auth.js.org/faq#json-web-tokens)
* in case the session is saved as a JWT.
*
* By default, Auth.js assumes that the Microsoft Entra ID provider is
* based on the [Open ID Connect](https://openid.net/specs/openid-connect-core-1_0.html) specification.
* By default, Auth.js assumes that the Microsoft Entra ID provider is based on
* the [Open ID Connect](https://openid.net/specs/openid-connect-core-1_0.html)
* specification.
*
* :::tip
*
* The Microsoft Entra ID provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/microsoft-entra-id.ts).
* To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
* The Microsoft Entra ID provider comes with a
* [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/microsoft-entra-id.ts).
* To override the defaults for your use case, check out
* [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
*

@@ -91,7 +425,10 @@ * :::

*
* If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
* If you think you found a bug in the default configuration, you can
* [open an issue](https://authjs.dev/new/provider-issue).
*
* Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
* the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
* we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
* Auth.js strictly adheres to the specification and it cannot take
* responsibility for any deviation from the spec by the provider. You can open
* an issue, but if the problem is non-compliance with the spec, we might not
* pursue a resolution. You can ask for more help in
* [Discussions](https://authjs.dev/new/github-discussions).
*

@@ -112,3 +449,7 @@ * :::

config.issuer ??= "https://login.microsoftonline.com/common/v2.0"
// If issuer is not set, first fallback to environment variable, then
// fallback to /common/ uri.
config.issuer ??=
process.env.AUTH_MICROSOFT_ENTRA_ID_ISSUER ||
"https://login.microsoftonline.com/common/v2.0"
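Review bot: `process.env.AUTH_MICROSOFT_ENTRA_ID_ISSUER || "https://login.microsoftonline.com/common/v2.0"` means a variable that is present but empty silently falls back to the `/common/` endpoint, turning a tenant-restricted deployment into one that accepts any Microsoft account; a misconfiguration that widens who can sign in should fail loudly rather than degrade. Use `??` so only an absent variable falls through, or reject the empty case explicitly: `const envIssuer = process.env.AUTH_MICROSOFT_ENTRA_ID_ISSUER; if (envIssuer !== undefined && envIssuer === "") throw new TypeError("AUTH_MICROSOFT_ENTRA_ID_ISSUER is set but empty")`. Also, @auth/core is used in non-Node runtimes where `process` may be undefined, so `globalThis.process?.env?.AUTH_MICROSOFT_ENTRA_ID_ISSUER` would avoid a ReferenceError there — worth confirming against how the rest of the package reads env. The enclosing provider function starts and ends outside the hunk.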

@@ -146,3 +487,2 @@ return {

style: { text: "#fff", bg: "#0072c6" },
/** Entra ID returns the wrong issuer @see https://github.com/MicrosoftDocs/azure-docs/issues/113944 */
async [customFetch](...args) {

@@ -149,0 +489,0 @@ const url = new URL(args[0] instanceof Request ? args[0].url : args[0])

@@ -157,3 +157,3 @@ /**

* - [TikTok login kit documentation](https://developers.tiktok.com/doc/login-kit-web/)
* - [Avaliable Scopes](https://developers.tiktok.com/doc/tiktok-api-scopes/)
* - [Available Scopes](https://developers.tiktok.com/doc/tiktok-api-scopes/)
* - [Sandbox for testing](https://developers.tiktok.com/blog/introducing-sandbox)

@@ -160,0 +160,0 @@ *

@@ -66,3 +66,3 @@ /**

*
* - Trakt does not allow hotlinking images. Even the authenticated user's profie picture.
* - Trakt does not allow hotlinking images. Even the authenticated user's profile picture.
* - Trakt does not supply the authenticated user's email.

@@ -69,0 +69,0 @@ *

@@ -407,3 +407,3 @@ /**

/**
* `true` if the [Double-submit CSRF check](https://owasp.org/www-chapter-london/assets/slides/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf) was succesful
* `true` if the [Double-submit CSRF check](https://owasp.org/www-chapter-london/assets/slides/David_Johansson-Double_Defeat_of_Double-Submit_Cookie.pdf) was successful
* or [`skipCSRFCheck`](https://authjs.dev/reference/core#skipcsrfcheck) was enabled.

@@ -410,0 +410,0 @@ */