
feat: added Microsoft as oauth provider #8

Merged
merged 11 commits into from
Nov 29, 2023

Conversation

jfrelik
Contributor

@jfrelik jfrelik commented Nov 9, 2023

Added Microsoft as an OAuth provider

@curlydoodle

Some Microsoft logins for government instances use https://login.microsoftonline.us

https://graph.microsoft.us/v1.0/me
https://portal.azure.us

Maybe having a domain .env variable would make this work with government and non-government Microsoft instances.

@jfrelik
Contributor Author

jfrelik commented Nov 10, 2023

Never heard of it, maybe because it is only available for US GOV:
https://learn.microsoft.com/en-us/azure/azure-government/documentation-government-aad-auth-qs

I would prefer to do this via optional env variable with a boolean like
NUXT_OAUTH_MICROSOFT_GOVERNMENT=true

@curlydoodle

Yeah, the US Gov instance uses all .us domains.

Same goes for their Graph API.

Yep, having that optional .env would work great.

@atinux
Owner

atinux commented Nov 12, 2023

Agree by adding NUXT_OAUTH_MICROSOFT_US_GOV env variable

@jfrelik
Contributor Author

jfrelik commented Nov 13, 2023

@atinux @curlydoodle,

Added NUXT_OAUTH_MICROSOFT_US_GOV as an env variable.
When the env is not set, auth works correctly by using the .com domain; if declared and set to true, it resolves to .us.
Cannot test this without an Azure Gov instance.

@atinux
Owner

atinux commented Nov 13, 2023

Thanks!
Happy to resolve the conflicts @jfrelik ?

@jfrelik
Contributor Author

jfrelik commented Nov 13, 2023

@atinux

Conflicts resolved, should be good to go :)

@curlydoodle

curlydoodle commented Nov 14, 2023

From my testing, I believe Microsoft forwards to the correct domain based on the tenant id that is supplied. But I still think how @jfrelik implemented this is good to ensure we explicitly define which instance to use. I didn't get to test all the way through since it's asking me to grant access permission, but that could be due to me reusing an existing client id.

needs permission to access resources in your organization that only an admin can grant

UPDATE: was able to test the global and US instances after creating a new app registration.

@RihanArfan

Just want to point out there are more instances than just global and US Gov. From what I can briefly see, there's global, US Gov, China, Germany and potentially more. https://learn.microsoft.com/en-us/entra/identity-platform/authentication-national-cloud

I think we should default to global, and have an environment variable to override instance (which is what Microsoft's auth SDKs call this).

@atinux
Owner

atinux commented Nov 15, 2023

Then what about letting the user configure the authorization URL and token URL like for GitHub?
https://github.com/Atinux/nuxt-auth-utils/blob/1b296e2bf841e6288ef7ce6d2a19892f20912ad1/src/runtime/server/lib/oauth/github.ts#L32-L42

@jfrelik
Contributor Author

jfrelik commented Nov 15, 2023

That can be the solution, although looking at some other projects like Appwrite, they only support the global .com domain:

https://github.com/appwrite/appwrite/blob/7766279025424f390032c8bee558913725e1a402/src/Appwrite/Auth/OAuth2/Microsoft.php#L65

Therefore, if we want to support all Entra instances, I would suggest 3 optional env variables; if not set, the module would assume the global instance.

Proposed envs:
NUXT_OAUTH_MICROSOFT_AUTHORIZATION_URL
NUXT_OAUTH_MICROSOFT_TOKEN_URL
NUXT_OAUTH_MICROSOFT_GRAPH_URL (for obtaining the user info)

@RihanArfan

RihanArfan commented Nov 16, 2023

I suggest we follow what Microsoft's SDKs does - https://learn.microsoft.com/en-us/entra/identity-platform/tutorial-v2-nodejs-webapp-msal#add-app-registration-details

NUXT_OAUTH_MICROSOFT_INSTANCE # cloud instance string should end with a trailing slash - default to https://login.microsoftonline.com/
NUXT_OAUTH_MICROSOFT_TENANT_ID # "common" | "consumers" | string
NUXT_OAUTH_MICROSOFT_CLIENT_ID
NUXT_OAUTH_MICROSOFT_CLIENT_SECRET
NUXT_OAUTH_MICROSOFT_SCOPES # scopes if granting access to access other APIs or endpoints on Graph
NUXT_OAUTH_MICROSOFT_GRAPH_API_ENDPOINT # default to https://graph.microsoft.com/ - some people might want to use beta endpoint

The token and authorization URL paths remain the same, with the only parts changing being the instance and tenant ID, so I don't think they should be configurable.

  • https://<instance>/<tenant>/oauth2/v2.0/authorize
  • https://<instance>/<tenant>/oauth2/v2.0/token

@atinux
Owner

atinux commented Nov 20, 2023

I don't think we need an env variable each time, since one can configure it with the config prop of oauth.microsoftEventHandler or the runtimeConfig.

NUXT_OAUTH_MICROSOFT_CLIENT_ID=
NUXT_OAUTH_MICROSOFT_CLIENT_SECRET=
NUXT_OAUTH_MICROSOFT_TENANT_ID=

Then we could give for configuration:

export default oauth.microsoftEventHandler({
  config: {
    authorizationURL: '', // custom url
    tokenURL: '', // custom url
    userURL: '', // custom url
    scope: []
  },
  // ...
})
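The two proposals above (RihanArfan's instance + tenant scheme, and atinux's explicit authorizationURL/tokenURL/userURL overrides in the handler config) can be combined, and doing so is where a practitioner wants one check the thread does not spell out: whatever the final URLs are, they must be https and on a host that actually belongs to a Microsoft cloud, and the authorize and token endpoints must be on the same cloud, since a code issued by one instance cannot be redeemed at another. The following TypeScript is an added example, not code from nuxt-auth-utils or from this PR. It assumes the national-cloud hosts listed in the Microsoft documentation linked earlier in the thread (re-check them against the current doc before relying on them), assumes User.Read as the default scope, and uses made-up helper names, client id, tenant and redirect URI.

```typescript
// Added example, not nuxt-auth-utils code: resolve Microsoft identity platform
// endpoints from an instance + tenant, allow explicit URL overrides, and refuse
// anything that is not https on a known Microsoft cloud host.

// Authority and Graph hosts for the national clouds. Assumption: taken from the
// Microsoft national-cloud documentation linked in the thread; re-check before use.
const KNOWN_CLOUDS: Array<{ name: string; instance: string; graph: string }> = [
  { name: "global",  instance: "https://login.microsoftonline.com/", graph: "https://graph.microsoft.com/" },
  { name: "usgov",   instance: "https://login.microsoftonline.us/",  graph: "https://graph.microsoft.us/" },
  { name: "china",   instance: "https://login.chinacloudapi.cn/",    graph: "https://microsoftgraph.chinacloudapi.cn/" },
  { name: "germany", instance: "https://login.microsoftonline.de/",  graph: "https://graph.microsoft.de/" },
];

interface MicrosoftOAuthConfig {
  clientId: string;
  tenantId?: string;         // "common" | "organizations" | "consumers" | tenant id; default "common"
  instance?: string;         // cloud instance with trailing slash (MSAL convention); default global
  graphEndpoint?: string;    // default: the Graph host that belongs to the chosen instance
  authorizationURL?: string; // explicit overrides, as in the handler config proposal
  tokenURL?: string;
  userURL?: string;
  scope?: string[];
}

interface ResolvedEndpoints {
  authorizationURL: string;
  tokenURL: string;
  userURL: string;
  scope: string[];
}

// Parse `raw`, require https and a hostname from `allowedHosts`; throw otherwise.
function requireKnownHttpsHost(raw: string, allowedHosts: string[], what: string): URL {
  let url: URL;
  try {
    url = new URL(raw);
  } catch (_e) {
    throw new Error(`${what}: not an absolute URL: ${raw}`);
  }
  if (url.protocol !== "https:") throw new Error(`${what}: must use https: ${raw}`);
  if (allowedHosts.indexOf(url.hostname) === -1) {
    throw new Error(`${what}: ${url.hostname} is not a known Microsoft cloud host`);
  }
  return url;
}

function resolveMicrosoftEndpoints(cfg: MicrosoftOAuthConfig): ResolvedEndpoints {
  const authorityHosts = KNOWN_CLOUDS.map((c) => new URL(c.instance).hostname);
  const graphHosts = KNOWN_CLOUDS.map((c) => new URL(c.graph).hostname);

  const instance = cfg.instance ?? KNOWN_CLOUDS[0].instance;
  if (!/\/$/.test(instance)) throw new Error("instance must end with a trailing slash");
  const authority = requireKnownHttpsHost(instance, authorityHosts, "instance");

  // Default Graph host follows the authority's cloud, so a US Gov login never calls graph.microsoft.com.
  const cloud = KNOWN_CLOUDS.filter((c) => new URL(c.instance).hostname === authority.hostname)[0];
  const graph = requireKnownHttpsHost(cfg.graphEndpoint ?? cloud.graph, graphHosts, "graphEndpoint");

  const tenant = cfg.tenantId ?? "common";
  // Tenant is interpolated into a path: reject anything that could add segments or a query.
  if (!/^[A-Za-z0-9.-]+$/.test(tenant)) throw new Error("tenantId contains unexpected characters");

  const authorizationURL = cfg.authorizationURL
    ? requireKnownHttpsHost(cfg.authorizationURL, authorityHosts, "authorizationURL").toString()
    : `${authority.origin}/${tenant}/oauth2/v2.0/authorize`;
  const tokenURL = cfg.tokenURL
    ? requireKnownHttpsHost(cfg.tokenURL, authorityHosts, "tokenURL").toString()
    : `${authority.origin}/${tenant}/oauth2/v2.0/token`;
  // A code from one cloud cannot be redeemed at another; refuse mixed overrides.
  if (new URL(authorizationURL).hostname !== new URL(tokenURL).hostname) {
    throw new Error("authorizationURL and tokenURL must be on the same cloud instance");
  }
  const userURL = cfg.userURL
    ? requireKnownHttpsHost(cfg.userURL, graphHosts, "userURL").toString()
    : `${graph.origin}/v1.0/me`;

  // User.Read is an assumed default scope for the example; the module may choose differently.
  return { authorizationURL, tokenURL, userURL, scope: cfg.scope ?? ["User.Read"] };
}

// Build the redirect to the authorize endpoint. `state` must be an unguessable per-login
// value that the callback handler compares against the session before exchanging the code.
function buildAuthorizeRedirect(ep: ResolvedEndpoints, clientId: string, redirectUri: string, state: string): string {
  const url = new URL(ep.authorizationURL);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", ep.scope.join(" "));
  url.searchParams.set("state", state);
  return url.toString();
}

// Sample configuration (constructed values) mirroring the US Gov case from the thread.
const usGovEndpoints = resolveMicrosoftEndpoints({
  clientId: "00000000-0000-0000-0000-000000000000",
  instance: "https://login.microsoftonline.us/",
  tenantId: "contoso.onmicrosoft.com",
});
console.log(usGovEndpoints.tokenURL); // https://login.microsoftonline.us/contoso.onmicrosoft.com/oauth2/v2.0/token
console.log(usGovEndpoints.userURL);  // https://graph.microsoft.us/v1.0/me
```

The allowlist is the point of the example: an operator-supplied instance or override URL ends up receiving the client secret (token endpoint) and the access token (user endpoint), so a typo or a hostile value in runtime configuration should fail closed rather than silently post credentials to an unknown host. The trailing-slash rule matches what the MSAL samples expect for the instance string.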

@atinux atinux merged commit 2fb01d3 into atinux:main Nov 29, 2023
2 checks passed