Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bugfix(authentication): Refresh AuthToken for Azure AD #75

Merged
merged 1 commit into from
Jan 22, 2025
Merged

Bugfix(authentication): Refresh AuthToken for Azure AD #75

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 41 additions & 7 deletions src/authConfig.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,10 +36,10 @@ export const authOptions: AuthOptions = {
]
: [
AzureADProvider({
clientId: process.env.AD_CLIENT_ID ? process.env.AD_CLIENT_ID : '',
clientId: process.env.AD_CLIENT_ID ?? '',
clientSecret: process.env.AD_SECRET_VALUE ?? '',
tenantId: process.env.AD_TENANT_ID,
authorization: { params: { scope: `openid ${requestedResource}admin.write` } },
authorization: { params: { scope: `openid ${requestedResource}admin.write offline_access` } },
}),
]),
],
Expand All @@ -60,11 +60,13 @@ export const authOptions: AuthOptions = {
return token;
}

if (!keycloakEnabled) return token;

try {
console.warn('Refreshing access token...');
return await refreshAccessToken(token);
if (keycloakEnabled) {
return await refreshAccessToken(token);
} else {
return await refreshAzureADToken(token);
}
} catch (error) {
console.error('Error refreshing access token', error);
return { ...token, error: 'RefreshAccessTokenError' };
Expand All @@ -82,8 +84,8 @@ const refreshAccessToken = async (token: JWT) => {
const resp = await fetch(`${keycloakIssuer}/realms/${realm}/protocol/openid-connect/token`, {
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({
client_id: process.env.KEYCLOAK_CLIENT_ID ? process.env.KEYCLOAK_CLIENT_ID : '',
client_secret: '-', // not required by the AuthFlow but required by NextAuth Provider, here placeholder only
client_id: process.env.KEYCLOAK_CLIENT_ID ?? '',
client_secret: '-', // placeholder
grant_type: 'refresh_token',
refresh_token: token.refresh_token as string,
}),
Expand All @@ -100,3 +102,35 @@ const refreshAccessToken = async (token: JWT) => {
refresh_token: refreshToken.refresh_token,
};
};

const refreshAzureADToken = async (token: JWT) => {
const response = await fetch(`https://login.microsoftonline.com/${process.env.AD_TENANT_ID}/oauth2/v2.0/token`, {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded',
},
body: new URLSearchParams({
client_id: process.env.AD_CLIENT_ID ?? '',
client_secret: process.env.AD_SECRET_VALUE ?? '',
grant_type: 'refresh_token',
refresh_token: token.refresh_token as string,
scope: `openid ${requestedResource}admin.write offline_access`,
}),
});

const refreshedTokens = await response.json();

if (!response.ok) {
console.error('Error refreshing Azure AD token', refreshedTokens);
throw new Error(`Failed to refresh token: ${refreshedTokens.error_description || 'An error occurred'}`);
}

return {
...token,
access_token: refreshedTokens.access_token,
id_token: refreshedTokens.id_token,
expires_at: Math.floor(Date.now() / 1000) + refreshedTokens.expires_in,
refresh_token: refreshedTokens.refresh_token ?? token.refresh_token, // Fallback to old refresh token if not provided
};
};

Loading