Arturo2R · 7mo ago

Convex Auth Error with Microsoft Entra

Hi Convex Community. When I try to sign in using Microsoft Entra, I keep hitting a roadblock with an HTTP action error. Has anyone else faced this issue or have any insights on how to resolve it?
18 Replies
Michal Srb · 7mo ago
There should be a __Host-<provider id>OAuthpkce cookie set. Can you check the network tab for whether it is being set? Any warnings in the response headers from the initial redirect to your backend?
Arturo2R (OP) · 6mo ago
It says __Host-microsoft-entra-id OAuthNonce, I don't know if they are the same.
Michal Srb · 6mo ago
Ok, so the pkce cookie is missing.
Arturo2R (OP) · 6mo ago
What could be the cause of the cookie missing?
Michal Srb · 6mo ago
@Arturo2R, can you retry after upgrading to @convex-dev/auth@0.0.43? I made a bunch of OAuth fixes.
Arturo2R (OP) · 6mo ago
Hi @Michal Srb, how can I fix this problem?
ballingt · 6mo ago
Hi @Arturo2R, it sounds like Microsoft Entra might not be compatible with the oauth4webapi library we're using for OAuth. What is Microsoft Entra, and how can we set up a repro to debug? Could you modify the auth library code to print this JWT token?
Arturo2R (OP) · 5mo ago
Microsoft Entra is the OAuth library of Microsoft. I was searching for some way of debugging the JWT. I found an option in Auth.js to activate the debug flag, but I don't know how to access that from Convex Auth.
Arturo2R (OP) · 5mo ago
Yep, OAuth right now has a problem with Microsoft Entra, and the fix merge is in process, but it may take a while. I need to patch the version that Convex uses on their server. Does Convex support patches? How do I pass my patch to the server?
diff --git a/build/index.js b/build/index.js
index 5ff49a6829964666737efcec17e344930a8d592e..f777ff31c685c6d10bd01b7acb89f0e273e9d265 100644
--- a/build/index.js
+++ b/build/index.js
@@ -1029,11 +1029,17 @@ function validateOptionalIssuer(expected, result) {
}
return result;
}
+//replace 'common' with 'organizations' or 'consumers' if using a different account type for the Entra app:
function validateIssuer(expected, result) {
- if (result.claims.iss !== expected) {
- throw new OPE('unexpected JWT "iss" (issuer) claim value');
+ if (expected === 'https://login.microsoftonline.com/common/v2.0'
+ && result.claims.tid !== undefined
+ && result.claims.iss === `https://login.microsoftonline.com/${result.claims.tid}/v2.0`) {
+ return result;
}
- return result;
+ if (result.claims.iss === expected) {
+ return result
+ }
+ throw new OPE('unexpected JWT "iss" (issuer) claim value')
}
const branded = new WeakSet();
function brand(searchParams) {
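Review bot: the new branch in validateIssuer builds the expected issuer from the token's own `tid` claim, so as soon as `expected` is the `common` issuer every Entra tenant's tokens pass this check; that is how the `common` endpoint is meant to behave, but it means the application (not this function) has to decide which tenants may sign in, and the comment on the inserted line should state that rather than only how to swap `common` for `organizations` or `consumers`. Two smaller points on the same hunk: `tid` is interpolated into the URL without any shape check, so verifying it looks like a tenant id before the comparison would be cheap, and the added `return result` and `throw new OPE('unexpected JWT "iss" (issuer) claim value')` lines drop the trailing semicolons the surrounding code uses.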
https://github.com/nextauthjs/next-auth/issues/8374 (AzureADProvider does not work with default (common) endpoint)
https://github.com/nextauthjs/next-auth/pull/9718 (fix(providers): Handle Azure AD tenants correctly)
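A tenant-aware version of the issuer check from the patch above, written as an added example (not code from oauth4webapi, Auth.js or Convex Auth): it keeps the exact-match path, accepts the tenant-specific issuer only when the provider is configured with the `common` issuer string from the patch, and adds an optional tenant allowlist. The GUID check on `tid` and the `allowedTenants` parameter are assumptions of this example; signature and audience verification are assumed to have happened upstream.

```javascript
// Added example, not the library's code. Entra's multi-tenant ("common")
// metadata advertises an issuer template with the tenant id in it, so a real
// token's "iss" carries the user's tenant, never the literal "common".
// Assumption: the JWT signature and "aud" were already verified upstream.

const ENTRA_COMMON_ISSUER = 'https://login.microsoftonline.com/common/v2.0';
// Assumption: Entra tenant ids are GUIDs; reject anything else before
// interpolating the claim into a URL.
const TENANT_ID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

/**
 * Decide whether the "iss" claim of a decoded ID token is acceptable.
 * @param {string} expected        issuer from the provider's discovery document
 * @param {{iss?: string, tid?: string}} claims  decoded JWT payload
 * @param {string[]} [allowedTenants]  tenant ids this app accepts when using the
 *        "common" endpoint; omitting it accepts any tenant (what the patch in
 *        the thread does), which is rarely what an application wants.
 * @returns {true} on success; throws on any mismatch
 */
function validateEntraIssuer(expected, claims, allowedTenants) {
  // Single-tenant apps (and any other provider): exact match, nothing else.
  if (claims.iss === expected) return true;
  if (expected !== ENTRA_COMMON_ISSUER) {
    throw new Error('unexpected JWT "iss" (issuer) claim value');
  }
  const tid = claims.tid;
  if (typeof tid !== 'string' || !TENANT_ID_RE.test(tid)) {
    throw new Error('missing or malformed "tid" claim in multi-tenant token');
  }
  // The issuer must be exactly the tenant-specific form for the token's tenant.
  if (claims.iss !== `https://login.microsoftonline.com/${tid}/v2.0`) {
    throw new Error('unexpected JWT "iss" (issuer) claim value');
  }
  // Application-level policy: which tenants may sign in at all.
  if (allowedTenants &&
      !allowedTenants.map((t) => t.toLowerCase()).includes(tid.toLowerCase())) {
    throw new Error(`tenant ${tid} is not allowed to sign in`);
  }
  return true;
}

// Constructed sample claims for a quick run (not from a real token).
const SAMPLE_TID = '11111111-2222-3333-4444-555555555555';
const sampleClaims = {
  iss: `https://login.microsoftonline.com/${SAMPLE_TID}/v2.0`,
  tid: SAMPLE_TID,
};
```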
ballingt · 5mo ago
Ah great research!
ballingt · 5mo ago
(Linked: Issues · get-convex/convex-auth on GitHub)
ballingt · 5mo ago
If I'm going to work on this do you know how to get a Microsoft Entra account, what kind of MS setup do I need?
Arturo2R (OP) · 5mo ago
Hi @ballingt, you just need a Microsoft account, register an app, and enter entra.microsoft.com to register a new app and create an API key; Auth.js has better documentation: https://authjs.dev/getting-started/providers/microsoft-entra-id. Hi @ballingt, it seems the pull request to fix the issue on Auth.js will take time to get approved and merged. Meanwhile my development has been halted for nearly a month. Is there a way I can modify the dependencies used by the Convex Auth backend, to put in the patch? Or do I have to self-host to do that?
v · 5mo ago
I think you can publish the fork of convex auth or just pull it directly in your project
ballingt · 5mo ago
You can also set an override in your package.json, @Arturo2R: https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides, and you can override with a GitHub repo.
Arturo2R (OP) · 5mo ago
Great, thanks @ballingt