From 98f93ef2f0eed1ef474192d80ffc46de31d49e94 Mon Sep 17 00:00:00 2001 From: BrandonStudio <55647556+BrandonStudio@users.noreply.github.com> Date: Mon, 2 Feb 2026 13:35:54 +0800 Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20fix(auth):=20revert=20authority?= =?UTF-8?q?=20URL=20and=20tenant=20ID=20for=20Microsoft=20authentication.?= =?UTF-8?q?=20(#11930)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 🔧 feat(auth): revert authority URL and tenant ID for Microsoft authentication --- Dockerfile | 4 ++- docs/self-hosting/auth.mdx | 2 +- docs/self-hosting/auth.zh-CN.mdx | 2 +- .../self-hosting/auth/providers/microsoft.mdx | 18 +++++----- .../auth/providers/microsoft.zh-CN.mdx | 18 +++++----- .../environment-variables/auth.mdx | 14 ++++++++ .../environment-variables/auth.zh-CN.mdx | 14 ++++++++ .../v2/auth/nextauth-to-betterauth.mdx | 34 +++++++++--------- .../v2/auth/nextauth-to-betterauth.zh-CN.mdx | 32 +++++++++-------- scripts/_shared/checkDeprecatedAuth.js | 36 +++++++++++++------ src/envs/auth.ts | 6 ++++ .../better-auth/sso/providers/microsoft.ts | 15 +++++--- 12 files changed, 126 insertions(+), 69 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6f794834ee..ca9f1da6ee 100644 --- a/Dockerfile +++ b/Dockerfile @@ -186,7 +186,9 @@ ENV AUTH_SECRET="" \ AUTH_GITHUB_SECRET="" \ # Microsoft AUTH_MICROSOFT_ID="" \ - AUTH_MICROSOFT_SECRET="" + AUTH_MICROSOFT_SECRET="" \ + AUTH_MICROSOFT_AUTHORITY_URL="" \ + AUTH_MICROSOFT_TENANT_ID="" # Redis ENV REDIS_URL="" \ diff --git a/docs/self-hosting/auth.mdx b/docs/self-hosting/auth.mdx index 122c29174b..056ee1a341 100644 --- a/docs/self-hosting/auth.mdx +++ b/docs/self-hosting/auth.mdx 
@@ -42,7 +42,7 @@ To enable Better Auth in LobeHub, set the following environment variables: | --------------------- | ----------------------- | ------------------------------------------------------------------------------------------------------------------ | | Google | `google` | `AUTH_GOOGLE_ID`, `AUTH_GOOGLE_SECRET` | | GitHub | `github` | `AUTH_GITHUB_ID`, `AUTH_GITHUB_SECRET` | -| Microsoft | `microsoft` | `AUTH_MICROSOFT_ID`, `AUTH_MICROSOFT_SECRET` | +| Microsoft | `microsoft` | `AUTH_MICROSOFT_ID`, `AUTH_MICROSOFT_SECRET`, `AUTH_MICROSOFT_AUTHORITY_URL`, `AUTH_MICROSOFT_TENANT_ID` | | Apple | `apple` | `AUTH_APPLE_CLIENT_ID`, `AUTH_APPLE_CLIENT_SECRET` | | AWS Cognito | `cognito` | `AUTH_COGNITO_ID`, `AUTH_COGNITO_SECRET`, `AUTH_COGNITO_DOMAIN`, `AUTH_COGNITO_REGION`, `AUTH_COGNITO_USERPOOL_ID` | | Auth0 | `auth0` | `AUTH_AUTH0_ID`, `AUTH_AUTH0_SECRET`, `AUTH_AUTH0_ISSUER` | diff --git a/docs/self-hosting/auth.zh-CN.mdx b/docs/self-hosting/auth.zh-CN.mdx index e3ebf8ff6e..29c274a681 100644 --- a/docs/self-hosting/auth.zh-CN.mdx +++ b/docs/self-hosting/auth.zh-CN.mdx @@ -42,7 +42,7 @@ LobeHub 支持使用 Better Auth 配置外部身份验证服务,供企业 / | --------------------- | ----------------------- | ------------------------------------------------------------------------------------------------------------------ | | Google | `google` | `AUTH_GOOGLE_ID`, `AUTH_GOOGLE_SECRET` | | GitHub | `github` | `AUTH_GITHUB_ID`, `AUTH_GITHUB_SECRET` | -| Microsoft | `microsoft` | `AUTH_MICROSOFT_ID`, `AUTH_MICROSOFT_SECRET` | +| Microsoft | `microsoft` | `AUTH_MICROSOFT_ID`, `AUTH_MICROSOFT_SECRET`, `AUTH_MICROSOFT_AUTHORITY_URL`, `AUTH_MICROSOFT_TENANT_ID` | | Apple | `apple` | `AUTH_APPLE_CLIENT_ID`, `AUTH_APPLE_CLIENT_SECRET` | | AWS Cognito | `cognito` | `AUTH_COGNITO_ID`, `AUTH_COGNITO_SECRET`, `AUTH_COGNITO_DOMAIN`, `AUTH_COGNITO_REGION`, `AUTH_COGNITO_USERPOOL_ID` | | Auth0 | `auth0` | `AUTH_AUTH0_ID`, `AUTH_AUTH0_SECRET`, `AUTH_AUTH0_ISSUER` | 
diff --git a/docs/self-hosting/auth/providers/microsoft.mdx b/docs/self-hosting/auth/providers/microsoft.mdx index 22d4671d0f..ee4f6aefb0 100644 --- a/docs/self-hosting/auth/providers/microsoft.mdx +++ b/docs/self-hosting/auth/providers/microsoft.mdx @@ -70,12 +70,14 @@ tags: ### Configure Environment Variables - | Environment Variable | Type | Description | - | ----------------------- | -------- | --------------------------------------------------------------- | - | `AUTH_SECRET` | Required | Session encryption key, generate with `openssl rand -base64 32` | - | `AUTH_SSO_PROVIDERS` | Required | Set to `microsoft` | - | `AUTH_MICROSOFT_ID` | Required | Application (client) ID | - | `AUTH_MICROSOFT_SECRET` | Required | Client secret value | + | Environment Variable | Type | Description | + | ------------------------------ | -------- | --------------------------------------------------------------- | + | `AUTH_SECRET` | Required | Session encryption key, generate with `openssl rand -base64 32` | + | `AUTH_SSO_PROVIDERS` | Required | Set to `microsoft` | + | `AUTH_MICROSOFT_ID` | Required | Application (client) ID | + | `AUTH_MICROSOFT_SECRET` | Required | Client secret value | + | `AUTH_MICROSOFT_AUTHORITY_URL` | Optional | Authority URL for Microsoft Entra ID | + | `AUTH_MICROSOFT_TENANT_ID` | Optional | Directory (tenant) ID for single-tenant apps | **Alternative Environment Variables**: For backward compatibility, these @@ -99,10 +101,6 @@ tags: ## Common Issues -### Tenant Configuration - -By default, LobeHub uses `common` tenant which allows both organizational and personal Microsoft accounts. If you need single-tenant configuration, you may need to customize the tenant settings. - ### Client Secret Expiration Microsoft client secrets have a maximum validity of 24 months. Remember to rotate secrets before they expire. 
diff --git a/docs/self-hosting/auth/providers/microsoft.zh-CN.mdx b/docs/self-hosting/auth/providers/microsoft.zh-CN.mdx index 5044f99711..3b4670d8d4 100644 --- a/docs/self-hosting/auth/providers/microsoft.zh-CN.mdx +++ b/docs/self-hosting/auth/providers/microsoft.zh-CN.mdx @@ -68,12 +68,14 @@ tags: ### 配置环境变量 - | 环境变量 | 类型 | 描述 | - | ----------------------- | -- | -------------------------------------- | - | `AUTH_SECRET` | 必选 | 会话加密密钥,使用 `openssl rand -base64 32` 生成 | - | `AUTH_SSO_PROVIDERS` | 必选 | 填写 `microsoft` | - | `AUTH_MICROSOFT_ID` | 必选 | Application (client) ID | - | `AUTH_MICROSOFT_SECRET` | 必选 | 客户端密钥值 | + | 环境变量 | 类型 | 描述 | + | ------------------------------ | -- | -------------------------------------- | + | `AUTH_SECRET` | 必选 | 会话加密密钥,使用 `openssl rand -base64 32` 生成 | + | `AUTH_SSO_PROVIDERS` | 必选 | 填写 `microsoft` | + | `AUTH_MICROSOFT_ID` | 必选 | Application (client) ID | + | `AUTH_MICROSOFT_SECRET` | 必选 | 客户端密钥值 | + | `AUTH_MICROSOFT_AUTHORITY_URL` | 可选 | Microsoft Entra ID 的 Authority URL | + | `AUTH_MICROSOFT_TENANT_ID` | 可选 | 单租户应用的 Directory (tenant) ID | **兼容的环境变量**:为了向后兼容,以下别名也支持: @@ -95,10 +97,6 @@ tags: ## 常见问题 -### 租户配置 - -默认情况下,LobeHub 使用 `common` 租户,允许组织帐户和个人 Microsoft 帐户登录。如果需要单租户配置,可能需要自定义租户设置。 - ### 客户端密钥过期 Microsoft 客户端密钥最长有效期为 24 个月。请记得在过期前轮换密钥。 diff --git a/docs/self-hosting/environment-variables/auth.mdx b/docs/self-hosting/environment-variables/auth.mdx index 5f2b547a99..7cb6c2da8b 100644 --- a/docs/self-hosting/environment-variables/auth.mdx +++ b/docs/self-hosting/environment-variables/auth.mdx 
@@ -162,6 +162,20 @@ These settings are required for email verification and password reset features. - Default: `-` - Example: `xxxxxxxxxxxxxxxxxxxxxxxxxxxxx` +#### `AUTH_MICROSOFT_AUTHORITY_URL` + +- Type: Optional +- Description: Authority URL for the Microsoft Entra ID. This is used to specify the endpoint for authentication requests. +- Default: `https://login.microsoftonline.com` +- Example: `https://login.partner.microsoftonline.cn` + +#### `AUTH_MICROSOFT_TENANT_ID` + +- Type: Optional +- Description: Directory (tenant) ID for single-tenant Microsoft Entra ID applications. +- Default: `common` +- Example: `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` + ### AWS Cognito #### `AUTH_COGNITO_ID` diff --git a/docs/self-hosting/environment-variables/auth.zh-CN.mdx b/docs/self-hosting/environment-variables/auth.zh-CN.mdx index 4c9b1c2452..5704e9c668 100644 --- a/docs/self-hosting/environment-variables/auth.zh-CN.mdx +++ b/docs/self-hosting/environment-variables/auth.zh-CN.mdx @@ -160,6 +160,20 @@ LobeHub 在部署时提供了完善的身份验证服务能力,以下是相关 - 默认值:`-` - 示例:`xxxxxxxxxxxxxxxxxxxxxxxxxxxxx` +#### `AUTH_MICROSOFT_AUTHORITY_URL` + +- 类型:可选 +- 描述:Microsoft Entra ID 的 Authority URL。 +- 默认值:`https://login.microsoftonline.com` +- 示例:`https://login.partner.microsoftonline.cn` + +#### `AUTH_MICROSOFT_TENANT_ID` + +- 类型:可选 +- 描述:单租户 Microsoft Entra ID 应用的 Directory (tenant) ID。 +- 默认值:`common` +- 示例:`xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx` + ### AWS Cognito #### `AUTH_COGNITO_ID` diff --git a/docs/self-hosting/migration/v2/auth/nextauth-to-betterauth.mdx b/docs/self-hosting/migration/v2/auth/nextauth-to-betterauth.mdx index 631aafb01b..871afd03e0 100644 --- a/docs/self-hosting/migration/v2/auth/nextauth-to-betterauth.mdx +++ b/docs/self-hosting/migration/v2/auth/nextauth-to-betterauth.mdx 
@@ -54,23 +54,23 @@ This guide helps you migrate your existing NextAuth-based LobeHub deployment to SSO provider environment variables follow the same format: `AUTH__ID` and `AUTH__SECRET`. -| NextAuth (Old) | Better Auth (New) | Notes | -| ----------------------------------- | ----------------------- | ------------------- | -| `AUTH_GITHUB_ID` | `AUTH_GITHUB_ID` | ✅ Unchanged | -| `AUTH_GITHUB_SECRET` | `AUTH_GITHUB_SECRET` | ✅ Unchanged | -| `AUTH_GOOGLE_ID` | `AUTH_GOOGLE_ID` | ✅ Unchanged | -| `AUTH_GOOGLE_SECRET` | `AUTH_GOOGLE_SECRET` | ✅ Unchanged | -| `AUTH_AUTH0_ID` | `AUTH_AUTH0_ID` | ✅ Unchanged | -| `AUTH_AUTH0_SECRET` | `AUTH_AUTH0_SECRET` | ✅ Unchanged | -| `AUTH_AUTH0_ISSUER` | `AUTH_AUTH0_ISSUER` | ✅ Unchanged | -| `AUTH_AUTHENTIK_ID` | `AUTH_AUTHENTIK_ID` | ✅ Unchanged | -| `AUTH_AUTHENTIK_SECRET` | `AUTH_AUTHENTIK_SECRET` | ✅ Unchanged | -| `AUTH_AUTHENTIK_ISSUER` | `AUTH_AUTHENTIK_ISSUER` | ✅ Unchanged | -| `microsoft-entra-id` | `microsoft` | ⚠️ Provider renamed | -| `AUTH_MICROSOFT_ENTRA_ID_ID` | `AUTH_MICROSOFT_ID` | ⚠️ Variable renamed | -| `AUTH_MICROSOFT_ENTRA_ID_SECRET` | `AUTH_MICROSOFT_SECRET` | ⚠️ Variable renamed | -| `AUTH_MICROSOFT_ENTRA_ID_TENANT_ID` | - | ❌ No longer needed | -| `AUTH_MICROSOFT_ENTRA_ID_BASE_URL` | - | ❌ No longer needed | +| NextAuth (Old) | Better Auth (New) | Notes | +| ----------------------------------- | ------------------------------ | ------------------- | +| `AUTH_GITHUB_ID` | `AUTH_GITHUB_ID` | ✅ Unchanged | +| `AUTH_GITHUB_SECRET` | `AUTH_GITHUB_SECRET` | ✅ Unchanged | +| `AUTH_GOOGLE_ID` | `AUTH_GOOGLE_ID` | ✅ Unchanged | +| `AUTH_GOOGLE_SECRET` | `AUTH_GOOGLE_SECRET` | ✅ Unchanged | +| `AUTH_AUTH0_ID` | `AUTH_AUTH0_ID` | ✅ Unchanged | +| `AUTH_AUTH0_SECRET` | `AUTH_AUTH0_SECRET` | ✅ Unchanged | +| `AUTH_AUTH0_ISSUER` | `AUTH_AUTH0_ISSUER` | ✅ Unchanged | +| `AUTH_AUTHENTIK_ID` | `AUTH_AUTHENTIK_ID` | ✅ Unchanged | +| `AUTH_AUTHENTIK_SECRET` | `AUTH_AUTHENTIK_SECRET` | ✅ Unchanged | +| 
`AUTH_AUTHENTIK_ISSUER` | `AUTH_AUTHENTIK_ISSUER` | ✅ Unchanged | +| `microsoft-entra-id` | `microsoft` | ⚠️ Provider renamed | +| `AUTH_MICROSOFT_ENTRA_ID_ID` | `AUTH_MICROSOFT_ID` | ⚠️ Variable renamed | +| `AUTH_MICROSOFT_ENTRA_ID_SECRET` | `AUTH_MICROSOFT_SECRET` | ⚠️ Variable renamed | +| `AUTH_MICROSOFT_ENTRA_ID_TENANT_ID` | `AUTH_MICROSOFT_TENANT_ID` | ⚠️ Variable renamed | +| `AUTH_MICROSOFT_ENTRA_ID_BASE_URL` | `AUTH_MICROSOFT_AUTHORITY_URL` | ⚠️ Variable renamed | **Note**: Microsoft Entra ID provider name changed from `microsoft-entra-id` to `microsoft`, and the environment variable prefix changed from `AUTH_MICROSOFT_ENTRA_ID_` to `AUTH_MICROSOFT_`. diff --git a/docs/self-hosting/migration/v2/auth/nextauth-to-betterauth.zh-CN.mdx b/docs/self-hosting/migration/v2/auth/nextauth-to-betterauth.zh-CN.mdx index 359db43ab8..5112f94fb7 100644 --- a/docs/self-hosting/migration/v2/auth/nextauth-to-betterauth.zh-CN.mdx +++ b/docs/self-hosting/migration/v2/auth/nextauth-to-betterauth.zh-CN.mdx 
@@ -52,21 +52,23 @@ tags: SSO 提供商的环境变量格式保持一致:`AUTH__ID` 和 `AUTH__SECRET`。 -| NextAuth (旧) | Better Auth (新) | 说明 | -| -------------------------------- | ----------------------- | ---------------- | -| `AUTH_GITHUB_ID` | `AUTH_GITHUB_ID` | ✅ 保持不变 | -| `AUTH_GITHUB_SECRET` | `AUTH_GITHUB_SECRET` | ✅ 保持不变 | -| `AUTH_GOOGLE_ID` | `AUTH_GOOGLE_ID` | ✅ 保持不变 | -| `AUTH_GOOGLE_SECRET` | `AUTH_GOOGLE_SECRET` | ✅ 保持不变 | -| `AUTH_AUTH0_ID` | `AUTH_AUTH0_ID` | ✅ 保持不变 | -| `AUTH_AUTH0_SECRET` | `AUTH_AUTH0_SECRET` | ✅ 保持不变 | -| `AUTH_AUTH0_ISSUER` | `AUTH_AUTH0_ISSUER` | ✅ 保持不变 | -| `AUTH_AUTHENTIK_ID` | `AUTH_AUTHENTIK_ID` | ✅ 保持不变 | -| `AUTH_AUTHENTIK_SECRET` | `AUTH_AUTHENTIK_SECRET` | ✅ 保持不变 | -| `AUTH_AUTHENTIK_ISSUER` | `AUTH_AUTHENTIK_ISSUER` | ✅ 保持不变 | -| `microsoft-entra-id` | `microsoft` | ⚠️ provider 名称变更 | -| `AUTH_MICROSOFT_ENTRA_ID_ID` | `AUTH_MICROSOFT_ID` | ⚠️ 变量名变更 | -| `AUTH_MICROSOFT_ENTRA_ID_SECRET` | `AUTH_MICROSOFT_SECRET` | ⚠️ 变量名变更 | +| NextAuth (旧) | Better Auth (新) | 说明 | +| ----------------------------------- | ------------------------------ | ---------------- | +| `AUTH_GITHUB_ID` | `AUTH_GITHUB_ID` | ✅ 保持不变 | +| `AUTH_GITHUB_SECRET` | `AUTH_GITHUB_SECRET` | ✅ 保持不变 | +| `AUTH_GOOGLE_ID` | `AUTH_GOOGLE_ID` | ✅ 保持不变 | +| `AUTH_GOOGLE_SECRET` | `AUTH_GOOGLE_SECRET` | ✅ 保持不变 | +| `AUTH_AUTH0_ID` | `AUTH_AUTH0_ID` | ✅ 保持不变 | +| `AUTH_AUTH0_SECRET` | `AUTH_AUTH0_SECRET` | ✅ 保持不变 | +| `AUTH_AUTH0_ISSUER` | `AUTH_AUTH0_ISSUER` | ✅ 保持不变 | +| `AUTH_AUTHENTIK_ID` | `AUTH_AUTHENTIK_ID` | ✅ 保持不变 | +| `AUTH_AUTHENTIK_SECRET` | `AUTH_AUTHENTIK_SECRET` | ✅ 保持不变 | +| `AUTH_AUTHENTIK_ISSUER` | `AUTH_AUTHENTIK_ISSUER` | ✅ 保持不变 | +| `microsoft-entra-id` | `microsoft` | ⚠️ provider 名称变更 | +| `AUTH_MICROSOFT_ENTRA_ID_ID` | `AUTH_MICROSOFT_ID` | ⚠️ 变量名变更 | +| `AUTH_MICROSOFT_ENTRA_ID_SECRET` | `AUTH_MICROSOFT_SECRET` | ⚠️ 变量名变更 | +| `AUTH_MICROSOFT_ENTRA_ID_TENANT_ID` | `AUTH_MICROSOFT_TENANT_ID` | ⚠️ 变量名变更 | +| `AUTH_MICROSOFT_ENTRA_ID_BASE_URL` | 
`AUTH_MICROSOFT_AUTHORITY_URL` | ⚠️ 变量名变更 | **注意**:Microsoft Entra ID 的 provider 名称从 `microsoft-entra-id` 改为 `microsoft`,相应的环境变量前缀也从 `AUTH_MICROSOFT_ENTRA_ID_` 改为 `AUTH_MICROSOFT_`。 diff --git a/scripts/_shared/checkDeprecatedAuth.js b/scripts/_shared/checkDeprecatedAuth.js index 67e31ec6bb..e6ed20d7a1 100644 --- a/scripts/_shared/checkDeprecatedAuth.js +++ b/scripts/_shared/checkDeprecatedAuth.js @@ -86,10 +86,10 @@ const DEPRECATED_CHECKS = [ const mapping = { AUTH_AZURE_AD_ID: 'AUTH_MICROSOFT_ID', AUTH_AZURE_AD_SECRET: 'AUTH_MICROSOFT_SECRET', - AUTH_AZURE_AD_TENANT_ID: 'No longer needed', + AUTH_AZURE_AD_TENANT_ID: 'AUTH_MICROSOFT_TENANT_ID', AZURE_AD_CLIENT_ID: 'AUTH_MICROSOFT_ID', AZURE_AD_CLIENT_SECRET: 'AUTH_MICROSOFT_SECRET', - AZURE_AD_TENANT_ID: 'No longer needed', + AZURE_AD_TENANT_ID: 'AUTH_MICROSOFT_TENANT_ID', }; return `${envVar} → ${mapping[envVar]}`; }, @@ -167,10 +167,10 @@ const DEPRECATED_CHECKS = [ docUrl: `${MIGRATION_DOC_BASE}/nextauth-to-betterauth`, formatVar: (envVar) => { const mapping = { - AUTH_MICROSOFT_ENTRA_ID_BASE_URL: 'No longer needed', + AUTH_MICROSOFT_ENTRA_ID_BASE_URL: 'AUTH_MICROSOFT_AUTHORITY_URL', AUTH_MICROSOFT_ENTRA_ID_ID: 'AUTH_MICROSOFT_ID', AUTH_MICROSOFT_ENTRA_ID_SECRET: 'AUTH_MICROSOFT_SECRET', - AUTH_MICROSOFT_ENTRA_ID_TENANT_ID: 'No longer needed', + AUTH_MICROSOFT_ENTRA_ID_TENANT_ID: 'AUTH_MICROSOFT_TENANT_ID', }; return `${envVar} → ${mapping[envVar]}`; }, @@ -213,7 +213,11 @@ function printIssueBlock(name, vars, message, docUrl, formatVar, severity = 'err log(`\n${icon} ${name}`); log('─'.repeat(50)); - log(isWarning ? 'Missing recommended environment variables:' : 'Detected deprecated environment variables:'); + log( + isWarning + ? 'Missing recommended environment variables:' + : 'Detected deprecated environment variables:', + ); for (const envVar of vars) { log(` • ${formatVar ? formatVar(envVar) : envVar}`); } 
@@ -253,7 +257,14 @@ function checkDeprecatedAuth(options = {}) {
 console.warn('═'.repeat(70));
 for (const issue of warnings) {
- printIssueBlock(issue.name, issue.foundVars, issue.message, issue.docUrl, issue.formatVar, 'warning');
+ printIssueBlock(
+ issue.name,
+ issue.foundVars,
+ issue.message,
+ issue.docUrl,
+ issue.formatVar,
+ 'warning',
+ );
 }
 console.warn('\n' + '═'.repeat(70));
@@ -264,13 +275,18 @@ function checkDeprecatedAuth(options = {}) {
 // Print errors and exit (blocking)
 if (errors.length > 0) {
 console.error('\n' + '═'.repeat(70));
- console.error(
- `❌ ERROR: Found ${errors.length} deprecated environment variable issue(s)!`,
- );
+ console.error(`❌ ERROR: Found ${errors.length} deprecated environment variable issue(s)!`);
 console.error('═'.repeat(70));
 for (const issue of errors) {
- printIssueBlock(issue.name, issue.foundVars, issue.message, issue.docUrl, issue.formatVar, 'error');
+ printIssueBlock(
+ issue.name,
+ issue.foundVars,
+ issue.message,
+ issue.docUrl,
+ issue.formatVar,
+ 'error',
+ );
 }
 console.error('\n' + '═'.repeat(70));
diff --git a/src/envs/auth.ts b/src/envs/auth.ts
index 31c6656484..adf84ec184 100644
--- a/src/envs/auth.ts
+++ b/src/envs/auth.ts
@@ -33,8 +33,10 @@ declare global {
 AUTH_COGNITO_REGION?: string;
 AUTH_COGNITO_USERPOOL_ID?: string;
+ AUTH_MICROSOFT_AUTHORITY_URL?: string;
 AUTH_MICROSOFT_ID?: string;
 AUTH_MICROSOFT_SECRET?: string;
+ AUTH_MICROSOFT_TENANT_ID?: string;
 AUTH_AUTH0_ID?: string;
 AUTH_AUTH0_SECRET?: string;
@@ -132,8 +134,10 @@ export const getAuthConfig = () => {
 AUTH_COGNITO_REGION: z.string().optional(),
 AUTH_COGNITO_USERPOOL_ID: z.string().optional(),
+ AUTH_MICROSOFT_AUTHORITY_URL: z.string().optional(),
 AUTH_MICROSOFT_ID: z.string().optional(),
 AUTH_MICROSOFT_SECRET: z.string().optional(),
+ AUTH_MICROSOFT_TENANT_ID: z.string().optional(),
 AUTH_AUTH0_ID: z.string().optional(),
 AUTH_AUTH0_SECRET: z.string().optional(),
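Review bot: `AUTH_MICROSOFT_AUTHORITY_URL: z.string().optional()` in the `getAuthConfig` schema hunk accepts any string for a value that the docs hunk describes as the endpoint authentication requests are sent to, so a mistyped or non-URL authority passes startup validation and only surfaces, if at all, as a failed sign-in with no hint about the cause. Because the Dockerfile hunk exports the variable as an empty string by default, a stricter rule has to keep the empty literal valid: `AUTH_MICROSOFT_AUTHORITY_URL: z.string().url().or(z.literal('')).optional(),`. `AUTH_MICROSOFT_TENANT_ID` takes both GUIDs and named tenants such as `common`, so a format check there is less clear-cut and a plain string is probably acceptable. The `getAuthConfig` schema starts and ends outside the hunk.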
@@ -219,8 +223,10 @@ export const getAuthConfig = () => {
 AUTH_GITHUB_ID: process.env.AUTH_GITHUB_ID,
 AUTH_GITHUB_SECRET: process.env.AUTH_GITHUB_SECRET,
+ AUTH_MICROSOFT_AUTHORITY_URL: process.env.AUTH_MICROSOFT_AUTHORITY_URL,
 AUTH_MICROSOFT_ID: process.env.AUTH_MICROSOFT_ID,
 AUTH_MICROSOFT_SECRET: process.env.AUTH_MICROSOFT_SECRET,
+ AUTH_MICROSOFT_TENANT_ID: process.env.AUTH_MICROSOFT_TENANT_ID,
 AUTH_COGNITO_ID: process.env.AUTH_COGNITO_ID,
 AUTH_COGNITO_SECRET: process.env.AUTH_COGNITO_SECRET,
diff --git a/src/libs/better-auth/sso/providers/microsoft.ts b/src/libs/better-auth/sso/providers/microsoft.ts
index b541dee06c..782d144ec6 100644
--- a/src/libs/better-auth/sso/providers/microsoft.ts
+++ b/src/libs/better-auth/sso/providers/microsoft.ts
@@ -3,23 +3,30 @@ import { authEnv } from '@/envs/auth';
 import type { BuiltinProviderDefinition } from '../types';
 type MicrosoftEnv = {
- AUTH_MICROSOFT_ID?: string;
- AUTH_MICROSOFT_SECRET?: string;
+ AUTH_MICROSOFT_AUTHORITY_URL?: string;
+ AUTH_MICROSOFT_ID: string;
+ AUTH_MICROSOFT_SECRET: string;
+ AUTH_MICROSOFT_TENANT_ID?: string;
 };
 const provider: BuiltinProviderDefinition = {
 aliases: ['microsoft-entra-id'],
 build: (env) => ({
- clientId: env.AUTH_MICROSOFT_ID!,
- clientSecret: env.AUTH_MICROSOFT_SECRET!,
+ authority: env.AUTH_MICROSOFT_AUTHORITY_URL,
+ clientId: env.AUTH_MICROSOFT_ID,
+ clientSecret: env.AUTH_MICROSOFT_SECRET,
+ tenantId: env.AUTH_MICROSOFT_TENANT_ID,
 }),
 checkEnvs: () => {
 const clientId = authEnv.AUTH_MICROSOFT_ID;
 const clientSecret = authEnv.AUTH_MICROSOFT_SECRET;
+ const tenantId = authEnv.AUTH_MICROSOFT_TENANT_ID;
 return !!(clientId && clientSecret) ? {
+ AUTH_MICROSOFT_AUTHORITY_URL: authEnv.AUTH_MICROSOFT_AUTHORITY_URL,
 AUTH_MICROSOFT_ID: clientId,
 AUTH_MICROSOFT_SECRET: clientSecret,
+ AUTH_MICROSOFT_TENANT_ID: tenantId,
 } : false;
 },
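Review bot: `checkEnvs` forwards `AUTH_MICROSOFT_AUTHORITY_URL` and `AUTH_MICROSOFT_TENANT_ID` verbatim, so the empty strings the Dockerfile hunk now exports by default (`AUTH_MICROSOFT_AUTHORITY_URL=""`, `AUTH_MICROSOFT_TENANT_ID=""`) reach `build` as `authority: ''` and `tenantId: ''` instead of being absent; the `!!(clientId && clientSecret)` guard covers this for the two required values but nothing does for the two new optional ones. Whether the provider library treats `''` as "use the default" or as a literal authority/tenant is not visible here, so it is safer to normalize at this boundary: `AUTH_MICROSOFT_AUTHORITY_URL: authEnv.AUTH_MICROSOFT_AUTHORITY_URL || undefined,` and `AUTH_MICROSOFT_TENANT_ID: tenantId || undefined,`. Since the docs hunk gives `common` as the default tenant and the removed docs section described `common` as accepting both organizational and personal accounts, an unset or blank tenant keeps sign-in open to any Microsoft account, which deserves a comment on the `tenantId` line in `build` such as `// unset → documented default 'common' (any Microsoft account); set to restrict sign-in to one directory`. The `provider` definition continues past the hunk.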