
OIDC login with Microsoft Entra fails on Zod #9914

Open
1 task done
chief-nerd opened this issue Jan 29, 2025 · 2 comments

Comments

@chief-nerd

What happened?

Trying to make OIDC work with Microsoft Entra ID.

```javascript
AFFiNE.use('oauth', {
  providers: {
    oidc: {
      // OpenID Connect
      issuer: 'https://login.microsoftonline.com/<tenant_id>/v2.0',
      clientId: '<app_id>',
      clientSecret: '<app_secret>',
      args: {
        scope: 'openid email profile offline_access',
        // userinfo claims mapped to the AFFiNE user's id, email and name
        claim_id: 'preferred_username',
        claim_email: 'email',
        claim_name: 'name',
      },
    },
  },
});
```

Distribution version

Web (app.affine.pro)

What browsers are you seeing the problem on if you're using web version?

Chrome, Microsoft Edge, Firefox, Safari

Are you self-hosting?

  • Yes

Relevant log output

```text
affine_server         | [Nest] 1  - 01/29/2025, 3:30:44 PM   ERROR [HTTP] Internal server error
affine_server         | ZodError: [
affine_server         |   {
affine_server         |     "code": "invalid_type",
affine_server         |     "expected": "string",
affine_server         |     "received": "undefined",
affine_server         |     "path": [
affine_server         |       "preferred_username"
affine_server         |     ],
affine_server         |     "message": "Required"
affine_server         |   }
affine_server         | ]
affine_server         |     at get error [as error] (file:///app/node_modules/zod/lib/index.mjs:587:31)
affine_server         |     at ZodObject.parse (file:///app/node_modules/zod/lib/index.mjs:663:22)
affine_server         |     at OIDCClient.fetch (file:///app/dist/plugins/oauth/providers/oidc.js:45:25)
affine_server         |     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
affine_server         |     at async OIDCClient.userinfo (file:///app/dist/plugins/oauth/providers/oidc.js:115:22)
affine_server         |     at async OIDCProvider.getUser (file:///app/dist/plugins/oauth/providers/oidc.js:162:16)
affine_server         |     at async OAuthController.callback (file:///app/dist/plugins/oauth/controller.js:69:31)
```

Anything else?

Permissions in Entra ID are set:
[screenshot of the Entra ID permissions, not reproduced]

@forehalo
Member

forehalo commented Feb 2, 2025

You set preferred_username as claim_id, but the content of the user returned by your provider's endpoint doesn't contain such a field.

@chief-nerd
Author

Yeah, so it turns out MS does not support that field.
Who would have thought.

Can I choose any other one? Like email?
Any best practices from your side?

Much appreciated that you took the time.
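The check below is an added example, not code from the thread or from AFFiNE: it mirrors the claim mapping that produced the ZodError in the report (a configured claim absent from the userinfo payload fails with "Required" on that path) and then runs the same mapping with `sub` as `claim_id`, the identifier OpenID Connect defines as stable per issuer, which bears on the question in the last comment. The userinfo payload is constructed, and the statement that Entra's userinfo endpoint returns `sub`, `name` and `email` but not `preferred_username` is an assumption taken from Microsoft's documentation.

```javascript
// Constructed sample of a userinfo response from Entra ID. It carries `sub`,
// `name` and `email`; `preferred_username` is issued in the ID token but not
// returned by Microsoft's userinfo endpoint (assumption from Microsoft's docs).
const ENTRA_USERINFO = {
  sub: 'sub-constructed-0001', // constructed value; real ones are opaque strings
  name: 'Jane Doe',
  email: 'jane.doe@example.com',
  picture: 'https://graph.microsoft.com/v1.0/me/photo/$value',
};

// Mirrors the required-string schema behind the ZodError: every configured
// claim must be present in the userinfo payload as a non-empty string.
// Returns the resolved user, or the list of claims that were not found
// (the same names Zod reports under "path").
function resolveOidcUser(args, userinfo) {
  const mapping = {
    id: args.claim_id,
    email: args.claim_email,
    name: args.claim_name,
  };
  const missing = [];
  const user = {};
  for (const [field, claim] of Object.entries(mapping)) {
    const value = userinfo[claim];
    if (typeof value !== 'string' || value.length === 0) {
      missing.push(claim);
    } else {
      user[field] = value;
    }
  }
  return missing.length > 0 ? { ok: false, missing } : { ok: true, user };
}

// The claim mapping from the report: preferred_username is not in the payload.
const ISSUE_ARGS = {
  claim_id: 'preferred_username',
  claim_email: 'email',
  claim_name: 'name',
};

// `sub` is the identifier OpenID Connect defines as stable and unique within
// an issuer; an email address can change or be reassigned, so it is a weaker
// key for an account.
const FIXED_ARGS = { ...ISSUE_ARGS, claim_id: 'sub' };

console.log(resolveOidcUser(ISSUE_ARGS, ENTRA_USERINFO));
// → { ok: false, missing: [ 'preferred_username' ] }
console.log(resolveOidcUser(FIXED_ARGS, ENTRA_USERINFO));
// → { ok: true, user: { id: 'sub-constructed-0001', email: 'jane.doe@example.com', name: 'Jane Doe' } }
```

The same function can be pointed at a userinfo response captured from any provider to see which configured claim would fail before it reaches the server's schema.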
