Azure AD provider: Use userinfo endpoint (#1009)

lucia-auth · Aug 22, 2023 · 9c31e82 · 9c31e82
1 parent 30a114d
commit 9c31e82
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 15 deletions.
diff --git a/documentation/content/oauth/providers/azure-ad.md b/documentation/content/oauth/providers/azure-ad.md
@@ -88,11 +88,11 @@ type AzureADTokens = {
 ```ts
 type AzureADUser = {
 	sub: string;
-	roles: string[];
-	oid: string;
 	name: string;
-	preferred_username: string;
-	email?: string; // require `email` scope
+	family_name: string;
+	given_name: string;
+	picture: string;
+	email?: string; // requires `email` scope
 };
 ```
 

diff --git a/packages/oauth/src/providers/azure-ad.ts b/packages/oauth/src/providers/azure-ad.ts
@@ -8,6 +8,7 @@ import { decodeIdToken } from "../core/oidc.js";
 import { ProviderUserAuth } from "../core/provider.js";
 
 import type { Auth } from "lucia";
+import { authorizationHeader, handleRequest } from "../utils/request.js";
 
 type Config = {
 	clientId: string;
@@ -62,7 +63,7 @@ export class AzureADAuth<
 			code,
 			code_verifier
 		);
-		const azureADUser = decodeIdToken<AzureADUser>(azureADTokens.idToken);
+		const azureADUser = await getAzureADUser(azureADTokens.accessToken);
 		return new AzureADUserAuth(this.auth, azureADUser, azureADTokens);
 	};
 
@@ -97,6 +98,18 @@ export class AzureADAuth<
 	};
 }
 
+const getAzureADUser = async (accessToken: string): Promise<AzureADUser> => {
+	const azureADUserRequest = new Request(
+		"https://graph.microsoft.com/oidc/userinfo",
+		{
+			headers: {
+				Authorization: authorizationHeader("bearer", accessToken)
+			}
+		}
+	);
+	return await handleRequest(azureADUserRequest);
+};
+
 export class AzureADUserAuth<
 	_Auth extends Auth = Auth
 > extends ProviderUserAuth<_Auth> {
@@ -123,9 +136,9 @@ export type AzureADTokens = {
 
 export type AzureADUser = {
 	sub: string;
-	roles: string[];
-	oid: string;
 	name: string;
-	preferred_username: string;
-	email?: string; // may require `email` scope
+	family_name: string;
+	given_name: string;
+	picture: string;
+	email?: string;
 };
diff --git a/packages/oauth/src/providers/github.ts b/packages/oauth/src/providers/github.ts
@@ -52,12 +52,7 @@ export class GithubAuth<_Auth extends Auth = Auth> extends OAuth2ProviderAuth<
 		code: string
 	): Promise<GithubUserAuth<_Auth>> => {
 		const githubTokens = await this.validateAuthorizationCode(code);
-		const githubUserRequest = new Request("https://api.github.com/user", {
-			headers: {
-				Authorization: authorizationHeader("bearer", githubTokens.accessToken)
-			}
-		});
-		const githubUser = await handleRequest<GithubUser>(githubUserRequest);
+		const githubUser = await getGithubUser(githubTokens.accessToken);
 		return new GithubUserAuth(this.auth, githubUser, githubTokens);
 	};
 
@@ -91,6 +86,15 @@ export class GithubAuth<_Auth extends Auth = Auth> extends OAuth2ProviderAuth<
 	};
 }
 
+const getGithubUser = async (accessToken: string): Promise<GithubUser> => {
+	const githubUserRequest = new Request("https://api.github.com/user", {
+		headers: {
+			Authorization: authorizationHeader("bearer", accessToken)
+		}
+	});
+	return await handleRequest<GithubUser>(githubUserRequest);
+};
+
 export class GithubUserAuth<
 	_Auth extends Auth
 > extends ProviderUserAuth<_Auth> {