Provider type
Azure Active Directory B2C

Environment
System:
  OS: macOS 14.2
  CPU: (10) arm64 Apple M2 Pro
  Memory: 53.91 MB / 16.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 18.19.0 - ~/.nvm/versions/node/v18.19.0/bin/node
  Yarn: 1.22.21 - ~/.nvm/versions/node/v18.19.0/bin/yarn
  npm: 10.2.3 - ~/.nvm/versions/node/v18.19.0/bin/npm
Browsers:
  Chrome: 123.0.6312.124
  Edge: 123.0.2420.97
  Safari: 17.2
npmPackages:
  next: 14.1.3 => 14.1.3
  next-auth: 5.0.0-beta.15 => 5.0.0-beta.15
  react: ^18 => 18.2.0

Reproduction URL
https://github.com/JezBayliss/b2c-token-validation-issue-example/tree/example/example-b2c-app-template

Describe the issue
Hello all! 😃

The issue I have found is that signIn using the Azure B2C authorization code flow is failing, due to validation of the expires_in value from the token response.

Background:
https://learn.microsoft.com/en-us/answers/questions/877384/azure-active-directory-b2c-authorization-code-flow
(Summary: Azure AD B2C returned expires_in as a string, not a number/int)

There is an issue with some validation of the 'expires_in' value returned in the /token request as part of the authorization code flow using Azure B2C with next-auth. (I have used AzureADB2CProvider from 'next-auth/providers/azure-ad-b2c'.)

The issue is that the type/validation of this value seems to fail the authentication flow. I believe this may be done within a third-party dependency, "oauth4webapi", that this project is consuming as part of the token validation.

An example of the response as returned from the Azure AD B2C token endpoint:

I was able to manually fix this in the build by creating a build (`npm run build`) and then editing the output of the build (.next/server/chunks/228.js in my case; I simply searched the file tree of the build to find the error) like so:

```js
// Before
if (void 0 !== o.expires_in && ('number' != typeof o.expires_in || o.expires_in <= 0)) {
  throw new ny(
    '"response" body "expires_in" property must be a positive number'
  )
}

// After
if (void 0 !== o.expires_in && ('number' != typeof o.expires_in || o.expires_in <= 0)) {
  o.expires_in = Number(o.expires_in)
  //throw new ny(
  //  '"response" body "expires_in" property must be a positive number'
  //)
}
```

I have raised this here because this is the package I am consuming, but I am happy to raise it in the dependency if the issue is not resolvable from within the scope of this project.

Thank you :)
Jez

How to reproduce
Once configured with a valid B2C tenant + application + policy, signing in using the built-in signIn method from the provider fails and resolves to <Auth_URL>/error?error=Configuration

Expected behavior
Validation of the expires_in value should not break the authentication flow, and the application should resolve to a logged-in state. This is because the value is returned as a string by Azure AD B2C and so should be supported in this way.
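The check that fails here is the client-side validation of `expires_in` in the token response. The build edit quoted in the issue removes the failure by coercing the value with `Number()` inside the rejecting branch and no longer throwing, which means a value such as `"abc"` becomes `NaN` and is accepted, and a numeric value of `0` or less is also accepted unchanged. The following is an added example, not code from next-auth, oauth4webapi or the issue author: a token-response parser that accepts `expires_in` either as a JSON number or as a string of decimal digits (the shape the issue attributes to Azure AD B2C), while still rejecting anything that is not a positive integer. The function names, the `TokenResponseError` class and the sample bodies are assumptions constructed for this example.

```javascript
// Added example (not next-auth's or oauth4webapi's code). Parses an OAuth 2.0
// token response leniently enough to accept a numeric-string expires_in, but
// strictly enough that malformed or non-positive lifetimes are still rejected.

class TokenResponseError extends Error {} // hypothetical error type for this example

// Coerce expires_in to a positive integer number of seconds, or throw.
// Accepts a JSON number or a string consisting only of decimal digits.
function normalizeExpiresIn(value) {
  if (value === undefined) return undefined; // expires_in is optional (RFC 6749 section 5.1)
  let seconds;
  if (typeof value === 'number') {
    seconds = value;
  } else if (typeof value === 'string' && /^[0-9]+$/.test(value)) {
    seconds = Number(value); // only reached for digit-only strings, so never NaN
  } else {
    throw new TokenResponseError('"expires_in" must be a number or a string of decimal digits');
  }
  // Re-check after coercion: a bare Number() call would let NaN, 0 or negatives through.
  if (!Number.isSafeInteger(seconds) || seconds <= 0) {
    throw new TokenResponseError('"expires_in" must be a positive integer');
  }
  return seconds;
}

// Validate the fields of a token response that the client relies on, and turn
// the relative lifetime into an absolute expiry instant (milliseconds since epoch)
// so later refresh logic does not depend on the wire representation.
function parseTokenResponse(body, nowMs = Date.now()) {
  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    throw new TokenResponseError('token response body must be a JSON object');
  }
  if (typeof body.access_token !== 'string' || body.access_token.length === 0) {
    throw new TokenResponseError('"access_token" must be a non-empty string');
  }
  if (typeof body.token_type !== 'string' || body.token_type.toLowerCase() !== 'bearer') {
    throw new TokenResponseError('"token_type" must be "Bearer"');
  }
  const expiresIn = normalizeExpiresIn(body.expires_in);
  return {
    accessToken: body.access_token,
    expiresIn,
    expiresAtMs: expiresIn === undefined ? undefined : nowMs + expiresIn * 1000,
  };
}

// Constructed sample bodies (not captured from a real tenant). The first mirrors
// the shape the issue describes: expires_in serialised as a string.
const SAMPLE_B2C_LIKE = {
  token_type: 'Bearer',
  access_token: 'constructed-access-token',
  expires_in: '3600',
};
const SAMPLE_SPEC_LIKE = {
  token_type: 'Bearer',
  access_token: 'constructed-access-token',
  expires_in: 3600,
};

// Both shapes parse to the same normalised result.
const fixedNow = 1_000_000; // constructed clock value, for a reproducible expiry
console.log(parseTokenResponse(SAMPLE_B2C_LIKE, fixedNow));
console.log(parseTokenResponse(SAMPLE_SPEC_LIKE, fixedNow));
```

The digit-only regular expression is what keeps the leniency narrow: it is the only path on which a string is coerced, so `Number()` can never produce `NaN`, and the second check after coercion is what the quoted build patch lacks. Because `expires_in` only drives the client's own refresh scheduling (token validity is decided by the resource server), an accepted bogus value would not grant access, but it would silently make a session look valid for the wrong length of time, which is why the parser rejects rather than guesses.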