itpropro
diff --git a/‎docs/content/2.provider/entra.md
Lines changed: 4 additions & 4 deletions b/‎docs/content/2.provider/entra.md
Lines changed: 4 additions & 4 deletions
diff --git a/‎docs/content/2.provider/microsoft.md
Lines changed: 112 additions & 0 deletions b/‎docs/content/2.provider/microsoft.md
Lines changed: 112 additions & 0 deletions
diff --git a/‎docs/content/2.provider/zitadel.md
Lines changed: 2 additions & 1 deletion b/‎docs/content/2.provider/zitadel.md
Lines changed: 2 additions & 1 deletion
diff --git a/‎docs/content/7.configuration.md
Lines changed: 1 addition & 1 deletion b/‎docs/content/7.configuration.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/public/content/microsoft-accounttype.png
24.9 KB b/‎docs/public/content/microsoft-accounttype.png
24.9 KB
diff --git a/‎docs/public/content/microsoft-platform.png
33.5 KB b/‎docs/public/content/microsoft-platform.png
33.5 KB
diff --git a/‎docs/public/content/microsoft-scopes.png
56.3 KB b/‎docs/public/content/microsoft-scopes.png
56.3 KB
diff --git a/‎docs/staticwebapp.config.json
Lines changed: 24 additions & 24 deletions b/‎docs/staticwebapp.config.json
Lines changed: 24 additions & 24 deletions
@@ -15,7 +15,7 @@ icon: i-simple-icons-microsoftazure
 ## Introduction
 
 This provider is specifically preconfigured to be used with Entra ID or Entra External ID (successor of Azure AD B2C).
-If you just need a social login using a Microsoft Account, use the Microsoft provider.
+If you just need a social login using a Microsoft Account, use the [Microsoft provider](/provider/microsoft), which provides a simplified version for social login.
 
 If you are requesting a token for an application registered in Entra ID (for example an API), you need to set the resource to the id of that app registration. You should also set the audience to that ID, so the token can be correctly validated.
 
@@ -49,13 +49,13 @@ entra: {
   redirectUri: 'http://localhost:3000/auth/entra/callback',
   clientId: '',
   clientSecret: '',
-  authorizationUrl: 'https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize',
-  tokenUrl: 'https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token',
+  authorizationUrl: 'https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize', // For Entra External ID, use https://TENANT_NAME.ciamlogin.com/TENANT_ID/oauth2/authorize
+  tokenUrl: 'https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token', // For Entra External ID, use https://TENANT_NAME.ciamlogin.com/TENANT_ID/oauth2/token
   userNameClaim: 'unique_name',
   nonce: true,
   responseType: 'code id_token',
   scope: ['profile', 'openid', 'offline_access', 'email'],
-  logoutUrl: '',
+  logoutUrl: 'https://login.microsoftonline.com/TENANT_ID/oauth2/logout', // For Entra External ID, use https://TENANT_NAME.ciamlogin.com/TENANT_ID/oauth2/logout
   optionalClaims: ['unique_name', 'family_name', 'given_name', 'login_hint'],
   audience: '', // In case you need access to an App/API registered in Entra ID
   additionalAuthParameters: {
 
@@ -0,0 +1,112 @@
+---
+title: Microsoft
+description: Microsoft provider documentation
+icon: i-simple-icons-microsoft
+---
+
+## Feature/OIDC support
+
+✅&nbsp; PKCE<br>
+✅&nbsp; Nonce<br>
+✅&nbsp; State<br>
+❌&nbsp; Access Token validation<br>
+✅&nbsp; ID Token validation<br>
+
+## Introduction
+
+This is the simplified Microsoft provider for social login with a Microsoft Account (MSA). You need access to the Azure portal (portal.azure.com) to configure an app registration and get the required properties.
+Learn how to creat an app registration [here](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app?tabs=client-secret).
+Be sure that you select one of the bottom two options if you want persoanl Microsoft accounts to be able to login to your application:
+
+::contentImage{src="/content/microsoft-accounttype.png" alt="Microsoft account types"}
+::
+
+Choose 'Web' as the target platform under `Manage` -> `Authentication` -> `Platform configurations`
+
+::contentImage{src="/content/microsoft-platform.png" alt="Microsoft Platform configurations"}
+::
+
+This provider uses the predefined userInfo url `https://graph.microsoft.com/v1.0/me` to get user information for an account.
+
+## Example Configurations
+
+::callout{icon="i-carbon-warning-alt" color="amber"}
+Never store sensitive values like your client secret in your Nuxt config. Our recommendation is to inject at least client id and client secret via. environment variables.
+::
+
+### Minimal
+
+```typescript [nuxt.config.ts]
+entra: {
+  redirectUri: 'http://localhost:3000/auth/microsoft/callback',
+  clientId: '',
+  clientSecret: '',
+},
+```
+
+### Get user information
+
+You can also add the `profile` or another OIDC common scope. `User.Read` as a delegated permission is configured by default in **API permissons**.
+
+```typescript [nuxt.config.ts]
+entra: {
+  redirectUri: 'http://localhost:3000/auth/microsoft/callback',
+  clientId: '',
+  clientSecret: '',
+  responseType: 'code',
+  scope: ['openid', 'User.Read'],
+},
+```
+
+### Get additonal user information with ID token
+
+To be able to use the ID token, make sure you have set the checkbox at **Manage** -> **Authentication** -> **Implicit grant and hybrid flows** -> `ID tokens (used for implicit and hybrid flows)`.
+To add additional claims you want to use, configure them on your app registration under **Manage** -> **Token configuration** and add them by using the `optionalClaims: ['name', 'preferred_username'],` parameter.
+The default setting is `optionalClaims: ['name', 'preferred_username'],`.
+
+```typescript [nuxt.config.ts]
+entra: {
+  redirectUri: 'http://localhost:3000/auth/microsoft/callback',
+  clientId: '',
+  clientSecret: '',
+  responseType: 'code id_token',
+  scope: ['openid', 'User.Read'],
+},
+```
+
+### Offline access/refresh token
+
+In order to get a refresh token, you need to add the "Microsoft Graph" delegated permission `offline_access` and add it to the scopes.
+**Manage** -> **API permissions** -> `Add a permission`
+
+::contentImage{src="/content/microsoft-scopes.png" alt="Microsoft account types"}
+::
+
+```typescript [nuxt.config.ts]
+entra: {
+  redirectUri: 'http://localhost:3000/auth/microsoft/callback',
+  clientId: '',
+  clientSecret: '',
+  responseType: 'code id_token',
+  scope: ['openid', 'User.Read', 'offline_access'],
+},
+```
+
+### Environment variables
+
+Dotenv files are only for (local) development. Use a proper configuration management or injection system in production.
+
+```ini [.env]
+NUXT_OIDC_PROVIDERS_MICROSOFT_CLIENT_SECRET=CLIENT_SECRET
+NUXT_OIDC_PROVIDERS_MICROSOFT_CLIENT_ID=CLIENT_ID
+```
+
+## Provider specific parameters
+
+| Option | Type | Default | Description |
+|---|---|---|---|
+| tenantId | `string` | - | Required. The tenant id is used to automatically configure the correct endpoint urls for the Microsoft provider to work. |
+| prompt | `string` | 'login' | Optional. Indicates the type of user interaction that is required. Valid values are `login`, `none`, `consent`, and `select_account`. Can be used in `additionalAuthParameters`, `additionalTokenParameters` or `additionalLogoutParameters`. |
+| loginHint | `string` | - | Optional. You can use this parameter to pre-fill the username and email address field of the sign-in page for the user. Apps can use this parameter during reauthentication, after already extracting the login_hint optional claim from an earlier sign-in. Can be used in `additionalAuthParameters`, `additionalTokenParameters` or `additionalLogoutParameters`. |
+| logoutHint | `string` | - | Optional. Enables sign-out to occur without prompting the user to select an account. To use logout_hint, enable the login_hint optional claim in your client application and use the value of the login_hint optional claim as the logout_hint parameter. Can be used in `additionalAuthParameters`, `additionalTokenParameters` or `additionalLogoutParameters`. |
+| domainHint | `string` | - | Optional. If included, the app skips the email-based discovery process that user goes through on the sign-in page, leading to a slightly more streamlined user experience. Can be used in `additionalAuthParameters`, `additionalTokenParameters` or `additionalLogoutParameters`. |
@@ -44,5 +44,6 @@ zitadel: {
 Dotenv files are only for (local) development. Use a proper configuration management or injection system in production.
 
 ```ini [.env]
-
+NUXT_OIDC_PROVIDERS_ZITADEL_CLIENT_ID=123456789012345678
+NUXT_OIDC_PROVIDERS_ZITADEL_BASE_URL=https://PROJECT.us1.zitadel.cloud/
 ```
@@ -78,7 +78,7 @@ export default defineNuxtConfig({
 | exposeIdToken | `boolean` (optional) | `false` | Expose raw id token to the client within session object
 | callbackRedirectUrl | `string` (optional) | `/` | Set a custom redirect url to redirect to after a successful callback
 | allowedClientAuthParameters | `string[]` (optional) | `[]` | List of allowed client-side user-added query parameters for the auth request
-| sessionConfiguration | `ProviderSessionConfig` (optional) | `{}` | Session configuration overrides, see [session](#provider-session)
+| sessionConfiguration | `ProviderSessionConfig` (optional) | `{}` | Session configuration overrides, see [session](#provider-session-configuration)
 
 ### Global session configuration (session)
 
 
@@ -1,13 +1,13 @@
 {
   "routes": [
-    {
-      "route": "/getting-started/installation",
-      "rewrite": "/getting-started/installation/index.html"
-    },
     {
       "route": "/provider/paypal",
       "rewrite": "/provider/paypal/index.html"
     },
+    {
+      "route": "/getting-started/installation",
+      "rewrite": "/getting-started/installation/index.html"
+    },
     {
       "route": "/provider/auth0",
       "rewrite": "/provider/auth0/index.html"
@@ -16,49 +16,45 @@
       "route": "/provider/keycloak",
       "rewrite": "/provider/keycloak/index.html"
     },
-    {
-      "route": "/provider/entra",
-      "rewrite": "/provider/entra/index.html"
-    },
     {
       "route": "/provider/zitadel",
       "rewrite": "/provider/zitadel/index.html"
     },
     {
-      "route": "/provider/oidc",
-      "rewrite": "/provider/oidc/index.html"
+      "route": "/provider/entra",
+      "rewrite": "/provider/entra/index.html"
     },
     {
       "route": "/provider/github",
       "rewrite": "/provider/github/index.html"
     },
     {
-      "route": "/provider/aws-cognito",
-      "rewrite": "/provider/aws-cognito/index.html"
+      "route": "/provider/oidc",
+      "rewrite": "/provider/oidc/index.html"
     },
     {
-      "route": "/composable",
-      "rewrite": "/composable/index.html"
+      "route": "/provider/aws-cognito",
+      "rewrite": "/provider/aws-cognito/index.html"
     },
     {
       "route": "/hooks",
       "rewrite": "/hooks/index.html"
     },
     {
-      "route": "/configuration",
-      "rewrite": "/configuration/index.html"
-    },
-    {
-      "route": "/server-utils/session-management",
-      "rewrite": "/server-utils/session-management/index.html"
+      "route": "/server-utils/middleware",
+      "rewrite": "/server-utils/middleware/index.html"
     },
     {
       "route": "/server-utils/oidc-handlers",
       "rewrite": "/server-utils/oidc-handlers/index.html"
     },
     {
-      "route": "/server-utils/middleware",
-      "rewrite": "/server-utils/middleware/index.html"
+      "route": "/server-utils/session-management",
+      "rewrite": "/server-utils/session-management/index.html"
+    },
+    {
+      "route": "/configuration",
+      "rewrite": "/configuration/index.html"
     },
     {
       "route": "/contributing",
@@ -73,13 +69,17 @@
       "rewrite": "/getting-started/security/index.html"
     },
     {
-      "route": "/provider",
-      "rewrite": "/provider/index.html"
+      "route": "/composable",
+      "rewrite": "/composable/index.html"
     },
     {
       "route": "/getting-started",
       "rewrite": "/getting-started/index.html"
     },
+    {
+      "route": "/provider",
+      "rewrite": "/provider/index.html"
+    },
     {
       "route": "/dev-mode",
       "rewrite": "/dev-mode/index.html"