feat(provider): ✨ Added Microsoft provider

Author: itpropro

playground/composables/useProviders.ts

@@ -2,18 +2,18 @@
 
 export function useProviders(currentProvider: string) {
   const providers = ref([
-    {
-      label: 'Microsoft Entra ID',
-      name: 'entra',
-      disabled: Boolean(currentProvider === 'entra'),
-      icon: 'i-simple-icons-microsoftazure',
-    },
     {
       label: 'Auth0',
       name: 'auth0',
       disabled: Boolean(currentProvider === 'auth0'),
       icon: 'i-simple-icons-auth0',
     },
+    {
+      label: 'AWS Cognito',
+      name: 'cognito',
+      disabled: Boolean(currentProvider === 'cognito'),
+      icon: 'i-simple-icons-amazoncognito',
+    },
     {
       label: 'GitHub',
       name: 'github',
@@ -27,10 +27,16 @@ export function useProviders(currentProvider: string) {
       icon: 'i-simple-icons-cncf',
     },
     {
-      label: 'AWS Cognito',
-      name: 'cognito',
-      disabled: Boolean(currentProvider === 'cognito'),
-      icon: 'i-simple-icons-amazoncognito',
+      label: 'Microsoft',
+      name: 'microsoft',
+      disabled: Boolean(currentProvider === 'entra'),
+      icon: 'i-simple-icons-microsoft',
+    },
+    {
+      label: 'Microsoft Entra ID',
+      name: 'entra',
+      disabled: Boolean(currentProvider === 'entra'),
+      icon: 'i-simple-icons-microsoftazure',
     },
     {
       label: 'Zitadel',

playground/nuxt.config.ts

@@ -93,6 +93,11 @@ export default defineNuxtConfig({
         userInfoUrl: 'https://api-m.sandbox.paypal.com/v1/identity/openidconnect/userinfo?schema=openid',
         redirectUri: 'http://127.0.0.1:3000/auth/paypal/callback',
       },
+      microsoft: {
+        clientId: '',
+        clientSecret: '',
+        redirectUri: 'http://localhost:3000/auth/microsoft/callback',
+      },
     },
     session: {
       expirationCheck: true,

playground/pages/index.vue

@@ -2,11 +2,17 @@
 const { loggedIn, user, refresh, fetch, login, logout, currentProvider, clear } = useOidcAuth()
 const { providers } = useProviders(currentProvider.value as string)
 const refreshing = ref(false)
+const clearing = ref(false)
 async function handleRefresh() {
   refreshing.value = true
   await refresh()
   refreshing.value = false
 }
+async function handleClear() {
+  clearing.value = true
+  await clear()
+  clearing.value = false
+}
 </script>
 
 <template>
@@ -65,8 +71,8 @@ async function handleRefresh() {
       </button>
       <button
         class="btn-base btn-login"
-        :disabled="!loggedIn"
-        @click="clear()"
+        :disabled="!loggedIn || clearing"
+        @click="handleClear()"
       >
         <span class="i-majesticons-delete-bin-line" />
         <span class="pl-2">Clear session</span>

src/module.ts

@@ -159,15 +159,23 @@ export default defineNuxtModule<ModuleOptions>({
 
     // Per provider tasks
     providers.forEach((provider) => {
-      const baseUrl = process.env[`NUXT_OIDC_PROVIDERS_${provider.toUpperCase()}_BASE_URL`] || (options.providers as ProviderConfigs)[provider].baseUrl
+      const baseUrl = process.env[`NUXT_OIDC_PROVIDERS_${provider.toUpperCase()}_BASE_URL`] || (options.providers as ProviderConfigs)[provider].baseUrl || providerPresets[provider].baseUrl
 
       // Generate provider routes
       if (baseUrl) {
-        (options.providers[provider] as OidcProviderConfig).authorizationUrl = generateProviderUrl(baseUrl as string, providerPresets[provider].authorizationUrl);
-        (options.providers[provider] as OidcProviderConfig).tokenUrl = generateProviderUrl(baseUrl as string, providerPresets[provider].tokenUrl);
-        (options.providers[provider] as OidcProviderConfig).userInfoUrl = generateProviderUrl(baseUrl as string, providerPresets[provider].userInfoUrl)
+        let _baseUrl = baseUrl
+        const placeholders = baseUrl.matchAll(/\{(.*?)\}/g)
+        for (const placeholderMatch of placeholders) {
+          if (placeholderMatch && options.providers[provider] && Object.prototype.hasOwnProperty.call(options.providers[provider], placeholderMatch[1])) {
+            _baseUrl = _baseUrl.replace(`{${placeholderMatch[1]}}`, (options.providers[provider] as any)[placeholderMatch[1]])
+          }
+        }
+        (options.providers[provider] as OidcProviderConfig).authorizationUrl = generateProviderUrl(_baseUrl as string, providerPresets[provider].authorizationUrl);
+        (options.providers[provider] as OidcProviderConfig).tokenUrl = generateProviderUrl(_baseUrl as string, providerPresets[provider].tokenUrl)
+        if (providerPresets[provider].userInfoUrl && !providerPresets[provider].userInfoUrl.startsWith('https'))
+          (options.providers[provider] as OidcProviderConfig).userInfoUrl = generateProviderUrl(_baseUrl as string, providerPresets[provider].userInfoUrl)
         if (providerPresets[provider].logoutUrl)
-          (options.providers[provider] as OidcProviderConfig).logoutUrl = generateProviderUrl(baseUrl as string, providerPresets[provider].logoutUrl)
+          (options.providers[provider] as OidcProviderConfig).logoutUrl = generateProviderUrl(_baseUrl as string, providerPresets[provider].logoutUrl)
       }
 
       // Replace placeholder parameters from provider presets

src/runtime/providers/index.ts

@@ -4,6 +4,7 @@ export { cognito } from './cognito.js'
 export { entra } from './entra.js'
 export { github } from './github.js'
 export { keycloak } from './keycloak.js'
+export { microsoft } from './microsoft.js'
 export { oidc } from './oidc.js'
 export { paypal } from './paypal.js'
 export { zitadel } from './zitadel.js'

src/runtime/providers/microsoft.ts

@@ -0,0 +1,75 @@
+import { ofetch } from 'ofetch'
+import { defineOidcProvider } from '../server/utils/provider'
+
+type MicrosoftRequiredFields = 'clientId' | 'clientSecret'
+
+interface MicrosoftAdditionalFields {
+  /**
+   * Optional. Indicates the type of user interaction that is required. Valid values are `login`, `none`, `consent`, and `select_account`.
+   * @default 'login'
+   */
+  prompt?: 'login' | 'none' | 'consent' | 'select_account'
+  /**
+   * Optional. You can use this parameter to pre-fill the username and email address field of the sign-in page for the user. Apps can use this parameter during reauthentication, after already extracting the login_hint optional claim from an earlier sign-in.
+   * @default undefined
+   */
+  loginHint?: string
+  /**
+   * Optional. Enables sign-out to occur without prompting the user to select an account. To use logout_hint, enable the login_hint optional claim in your client application and use the value of the login_hint optional claim as the logout_hint parameter.
+   * @default undefined
+   */
+  logoutHint?: string
+  /**
+   * Optional. If included, the app skips the email-based discovery process that user goes through on the sign-in page, leading to a slightly more streamlined user experience.
+   * @default undefined
+   */
+  domainHint?: boolean
+}
+
+interface MicrosoftProviderConfig {
+  /**
+   * Required. The tenant id is used to automatically configure the correct endpoint urls for the Microsoft provider to work.
+   * @default 'login'
+   */
+  tenantId: 'login' | 'none' | 'consent' | 'select_account'
+}
+
+export const microsoft = defineOidcProvider<MicrosoftAdditionalFields, MicrosoftRequiredFields, MicrosoftProviderConfig>({
+  tokenRequestType: 'form-urlencoded',
+  logoutRedirectParameterName: 'post_logout_redirect_uri',
+  grantType: 'authorization_code',
+  // scopeInTokenRequest: true,
+  scope: ['openid', 'User.Read'],
+  pkce: true,
+  state: true,
+  nonce: true,
+  requiredProperties: [
+    'clientId',
+    'clientSecret',
+    'authorizationUrl',
+    'tokenUrl',
+    'redirectUri',
+  ],
+  responseType: 'code id_token',
+  async openIdConfiguration(config: any) {
+    const openIdConfig = await ofetch(`https://login.microsoftonline.com/${config.tenantId ? config.tenantId : 'common'}/v2.0/.well-known/openid-configuration`)
+    openIdConfig.issuer = config.tenantId ? [`https://login.microsoftonline.com/${config.tenantId}/v2.0`, openIdConfig.issuer] : undefined
+    return openIdConfig
+  },
+  sessionConfiguration: {
+    expirationCheck: true,
+    automaticRefresh: true,
+    expirationThreshold: 1800,
+  },
+  skipAccessTokenParsing: true,
+  validateAccessToken: false,
+  validateIdToken: true,
+  additionalAuthParameters: {
+    prompt: 'select_account',
+  },
+  optionalClaims: ['name', 'preferred_username'],
+  baseUrl: 'https://login.microsoftonline.com/common',
+  authorizationUrl: '/oauth2/v2.0/authorize',
+  tokenUrl: '/oauth2/v2.0/token',
+  userInfoUrl: 'https://graph.microsoft.com/v1.0/me', // https://graph.microsoft.com/oidc/userinfo"
+})

src/runtime/server/handler/callback.ts

@@ -7,7 +7,7 @@ import { normalizeURL, parseURL } from 'ufo'
 import * as providerPresets from '../../providers'
 import { validateConfig } from '../utils/config'
 import { configMerger, convertObjectToSnakeCase, convertTokenRequestToType, oidcErrorHandler, useOidcLogger } from '../utils/oidc'
-import { encryptToken, parseJwtToken, validateToken } from '../utils/security'
+import { encryptToken, type JwtPayload, parseJwtToken, validateToken } from '../utils/security'
 import { getUserSessionId, setUserSession, useAuthSession } from '../utils/session'
 // @ts-expect-error - Missing Nitro type exports in Nuxt
 import { useRuntimeConfig, useStorage } from '#imports'
@@ -113,12 +113,21 @@ function callbackEventHandler({ onSuccess }: OAuthConfig<UserSession>) {
     let tokens: Tokens
 
     // Validate tokens only if audience is matched
-    const accessToken = parseJwtToken(tokenResponse.access_token, !!config.skipAccessTokenParsing)
-    const idToken = tokenResponse.id_token ? parseJwtToken(tokenResponse.id_token) : undefined
+    let accessToken: JwtPayload | Record<string, never>
+    let idToken: JwtPayload | Record<string, never> | undefined
+    if (!tokenResponse.access_token)
+      return oidcErrorHandler(event, `[${provider}] No access token found`)
+    try {
+      accessToken = parseJwtToken(tokenResponse.access_token, !!config.skipAccessTokenParsing)
+      idToken = tokenResponse.id_token ? parseJwtToken(tokenResponse.id_token) : undefined
+    }
+    catch (error) {
+      return oidcErrorHandler(event, `[${provider}] Token parsing failed: ${error}`)
+    }
     if ([config.audience as string, config.clientId].some(audience => accessToken.aud?.includes(audience) || idToken?.aud?.includes(audience)) && (config.validateAccessToken || config.validateIdToken)) {
       // Get OIDC configuration
       const openIdConfiguration = (config.openIdConfiguration && typeof config.openIdConfiguration === 'object') ? config.openIdConfiguration : typeof config.openIdConfiguration === 'string' ? await ofetch(config.openIdConfiguration) : await (config.openIdConfiguration!)(config)
-      const validationOptions = { jwksUri: openIdConfiguration.jwks_uri as string, issuer: openIdConfiguration.issuer as string, ...config.audience && { audience: [config.audience, config.clientId] } }
+      const validationOptions = { jwksUri: openIdConfiguration.jwks_uri as string, ...openIdConfiguration.issuer && { issuer: openIdConfiguration.issuer as string }, ...config.audience && { audience: [config.audience, config.clientId] } }
       try {
         tokens = {
           accessToken: config.validateAccessToken ? await validateToken(tokenResponse.access_token, validationOptions) : accessToken,

src/runtime/server/handler/login.get.ts

@@ -29,6 +29,7 @@ function loginEventHandler() {
       state: generateRandomUrlSafeString(),
       codeVerifier: generatePkceVerifier(),
       redirect: getRequestHeader(event, 'referer'),
+      nonce: undefined,
     })
 
     // Get client side query parameters

src/runtime/server/utils/oidc.ts

@@ -129,9 +129,9 @@ export function convertObjectToSnakeCase(object: Record<string, any>) {
   }, {} as Record<string, any>)
 }
 
-export function oidcErrorHandler(event: H3Event, errorText: string, errorCode: number = 500) {
+export async function oidcErrorHandler(event: H3Event, errorText: string, errorCode: number = 500) {
   const logger = useOidcLogger()
-  clearUserSession(event, true)
+  await clearUserSession(event, true)
   logger.error(errorText, 'code:', errorCode)
   return sendRedirect(
     event,

src/runtime/server/utils/provider.ts

@@ -203,8 +203,8 @@ const configMerger = createDefu((obj, key, value) => {
   }
 })
 
-export function defineOidcProvider<TConfig, TRequired extends keyof OidcProviderConfig>(config: Partial<OidcProviderConfig> & { additionalAuthParameters?: Partial<TConfig>; additionalTokenParameters?: Partial<TConfig>; additionalLogoutParameters?: Partial<TConfig> } = {} as any) {
-  const defaults: Partial<OidcProviderConfig> = {
+export function defineOidcProvider<TConfig, TRequired extends keyof (OidcProviderConfig & TProviderConfig), TProviderConfig extends object = object>(config: Partial<Omit<OidcProviderConfig, 'requiredProperties'> & { requiredProperties?: (keyof (TProviderConfig & OidcProviderConfig))[] }> & Partial<TProviderConfig> & { additionalAuthParameters?: Partial<TConfig>; additionalTokenParameters?: Partial<TConfig>; additionalLogoutParameters?: Partial<TConfig> } = {} as object) {
+  const defaults: Partial<Omit<OidcProviderConfig, 'requiredProperties'> & { requiredProperties?: (keyof (TProviderConfig & OidcProviderConfig))[] }> = {
     clientId: '',
     redirectUri: '',
     clientSecret: '',