
Azure AD B2C authorization code flow fails because of validation of "expires_in" value returned in token response #10621

Open
JezBayliss opened this issue Apr 17, 2024 · 1 comment
Labels
bug Something isn't working providers triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.

Comments


Provider type

Azure Active Directory B2C

Environment

System:
OS: macOS 14.2
CPU: (10) arm64 Apple M2 Pro
Memory: 53.91 MB / 16.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 18.19.0 - ~/.nvm/versions/node/v18.19.0/bin/node
Yarn: 1.22.21 - ~/.nvm/versions/node/v18.19.0/bin/yarn
npm: 10.2.3 - ~/.nvm/versions/node/v18.19.0/bin/npm
Browsers:
Chrome: 123.0.6312.124
Edge: 123.0.2420.97
Safari: 17.2
npmPackages:
next: 14.1.3 => 14.1.3
next-auth: 5.0.0-beta.15 => 5.0.0-beta.15
react: ^18 => 18.2.0

Reproduction URL

https://github.com/JezBayliss/b2c-token-validation-issue-example/tree/example/example-b2c-app-template

Describe the issue

Hello all! 😃

The issue I have found is that signIn using the Azure B2C authorization code flow is failing due to validation of the expires_in value from the token response.

Background:
https://learn.microsoft.com/en-us/answers/questions/877384/azure-active-directory-b2c-authorization-code-flow
(Summary: Azure AD B2C returned expires_in as a string, not a number/int.)

There is an issue with some validation of the 'expires_in' value returned by the /token request as part of the authorization code flow using Azure B2C with next-auth. (I have used AzureADB2CProvider from 'next-auth/providers/azure-ad-b2c'.)
The issue is that the type validation of this value seems to fail the authentication flow. I believe this may be done within a third-party dependency, "oauth4webapi", that this project consumes as part of the token validation.

An example of the response as returned from Azure AD B2C token endpoint:

{
  access_token: 'eyJhbGciOiJSUzI1NiIs…..ob7GIyYNrQ',
  id_token: 'eyJhbGciOiJSUzI1NiIs……xVFObkEfA',
  token_type: 'bearer',
  not_before: '1713349756',
  expires_in: '3600',
  expires_on: '1713353356',
  resource: '<client-id>',
  id_token_expires_in: '3600',
  profile_info: 'eyJ2ZXIiOiIxLjA….pudWxsfQ',
  scope: '<client-id> openid'
}

I was able to fix this manually by creating a build (npm run build) and then editing the build output (.next/server/chunks/228.js in my case; I simply searched the file tree of the build to find the error) like so:

// Before: the minified check from the built chunk. `o` is the parsed token
// response body; a string value such as '3600' fails the `typeof` test.
if (void 0 !== o.expires_in && ('number' != typeof o.expires_in || o.expires_in <= 0)) {
  throw new ny(
    '"response" body "expires_in" property must be a positive number'
  )
}

// After: the manual workaround. Instead of throwing, coerce the value to a
// number in place. Note that this does not re-check the coerced value, so a
// non-numeric string (NaN after Number()) or a non-positive value still passes.
if (void 0 !== o.expires_in && ('number' != typeof o.expires_in || o.expires_in <= 0)) {
  o.expires_in = Number(o.expires_in)
  //throw new ny(
  //  '"response" body "expires_in" property must be a positive number'
  //)
}

I have raised this here since this is the package I am consuming, but I am happy to raise it in the dependency if the issue is not resolvable within the scope of this project.

Thank you :)
Jez

How to reproduce

Once configured with a valid B2C tenant, application and policy, signing in using the built-in signIn method from the provider fails and resolves to <Auth_URL>/error?error=Configuration.

Expected behavior

Validation of the expires_in value should not break the authentication flow, and the application should resolve to a logged-in state. This is because the value is returned as a string by Azure AD B2C and so should be supported in this way.

@JezBayliss JezBayliss added bug Something isn't working providers triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime. labels Apr 17, 2024
@JezBayliss (Author)

I currently have a workaround based on a similar one mentioned here: #8868 (comment)
