feat: add azure b2c oauth provider (#362)

Co-authored-by: Sébastien Chopin <[email protected]>

Author: n-rowe

playground/app.vue

@@ -74,6 +74,12 @@ const providers = computed(() =>
       disabled: Boolean(user.value?.microsoft),
       icon: 'i-simple-icons-microsoft',
     },
+    {
+      label: user.value?.azureb2c || 'Azure B2C',
+      to: '/auth/azureb2c',
+      disabled: Boolean(user.value?.azureb2c),
+      icon: 'i-simple-icons-microsoftazure',
+    },
     {
       label: user.value?.cognito || 'Cognito',
       to: '/auth/cognito',
@@ -223,7 +229,7 @@ const providers = computed(() =>
     prefetch: false,
     external: true,
     to: inPopup.value ? '#' : p.to,
-    click: inPopup.value ? () => openInPopup(p.to) : p.click,
+    click: inPopup.value && p.to ? () => openInPopup(p.to) : p.click,
   })),
 )
 </script>
@@ -235,9 +241,7 @@ const providers = computed(() =>
     </template>
     <template #right>
       <AuthState>
-        <template
-          #default="{ loggedIn, clear }"
-        >
+        <template #default="{ loggedIn, clear }">
           <AuthRegister />
           <AuthLogin />
           <WebAuthnModal />
@@ -279,7 +283,8 @@ const providers = computed(() =>
   <UMain>
     <UContainer>
       <div class="text-xs mt-4">
-        Popup mode <UToggle
+        Popup mode
+        <UToggle
           v-model="inPopup"
           size="xs"
           name="open-in-popup"

playground/auth.d.ts

@@ -38,6 +38,7 @@ declare module '#auth-utils' {
     hubspot?: string
     atlassian?: string
     apple?: string
+    azureb2c?: string
   }
 
   interface UserSession {

playground/server/routes/auth/azureb2c.get.ts

@@ -0,0 +1,12 @@
+export default defineOAuthAzureB2CEventHandler({
+  async onSuccess(event, { user }) {
+    await setUserSession(event, {
+      user: {
+        azureb2c: user.email,
+      },
+      loggedInAt: Date.now(),
+    })
+
+    return sendRedirect(event, '/')
+  },
+})

src/module.ts

@@ -235,6 +235,17 @@ export default defineNuxtModule<ModuleOptions>({
       userURL: '',
       redirectURL: '',
     })
+    // Azure OAuth
+    runtimeConfig.oauth.azureb2c = defu(runtimeConfig.oauth.azureb2c, {
+      clientId: '',
+      policy: '',
+      tenant: '',
+      scope: [],
+      authorizationURL: '',
+      tokenURL: '',
+      userURL: '',
+      redirectURL: '',
+    })
     // Discord OAuth
     runtimeConfig.oauth.discord = defu(runtimeConfig.oauth.discord, {
       clientId: '',

src/runtime/server/lib/oauth/azureb2c.ts

@@ -0,0 +1,152 @@
+import type { H3Event } from 'h3'
+import { eventHandler, getQuery, sendRedirect } from 'h3'
+import { withQuery } from 'ufo'
+import { defu } from 'defu'
+import { handleMissingConfiguration, handleAccessTokenErrorResponse, getOAuthRedirectURL, requestAccessToken, handlePkceVerifier, handleState, handleInvalidState } from '../utils'
+import { useRuntimeConfig, createError } from '#imports'
+import type { OAuthConfig } from '#auth-utils'
+
+export interface OAuthAzureB2CConfig {
+  /**
+   * Azure OAuth Client ID
+   * @default process.env.NUXT_OAUTH_AZUREB2C_CLIENT_ID
+   */
+  clientId?: string
+  /**
+   * Azure OAuth Policy
+   * @default process.env.NUXT_OAUTH_AZUREB2C_POLICY
+   */
+  policy?: string
+  /**
+   * Azure OAuth Tenant ID
+   * @default process.env.NUXT_OAUTH_AZUREB2C_TENANT
+   */
+  tenant?: string
+  /**
+   * Azure OAuth Scope
+   * @default ['offline_access']
+   * @see https://learn.microsoft.com/en-us/azure/active-directory-b2c/access-tokens#scopes
+   */
+  scope?: string[]
+  /**
+   * Azure OAuth Authorization URL
+   * @default 'https://${tenant}.onmicrosoft.com/${policy}/oauth2/v2.0/token'
+   * @see https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect
+   */
+  authorizationURL?: string
+  /**
+   * Azure OAuth Token URL
+   * @default 'https://${tenant}.onmicrosoft.com/${policy}/oauth2/v2.0/token'
+   * @see https://learn.microsoft.com/en-us/azure/active-directory-b2c/openid-connect
+   */
+  tokenURL?: string
+  /**
+   * Azure OAuth User URL
+   * @default 'https://graph.microsoft.com/v1.0/me'
+   * @see https://docs.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http
+   */
+  userURL?: string
+  /**
+   * Extra authorization parameters to provide to the authorization URL
+   * @see https://learn.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow
+   */
+  authorizationParams?: Record<string, string>
+  /**
+   * Redirect URL to prevent in prod prevent redirect_uri mismatch http to https
+   * @default process.env.NUXT_OAUTH_AZUREB2C_REDIRECT_URL
+   * @see https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
+   */
+  redirectURL?: string
+}
+
+export function defineOAuthAzureB2CEventHandler({ config, onSuccess, onError }: OAuthConfig<OAuthAzureB2CConfig>) {
+  return eventHandler(async (event: H3Event) => {
+    config = defu(config, useRuntimeConfig(event).oauth?.azureb2c, {
+      authorizationParams: {},
+    }) as OAuthAzureB2CConfig
+
+    const query = getQuery<{ code?: string, state?: string }>(event)
+
+    if (!config.clientId || !config.policy || !config.tenant) {
+      return handleMissingConfiguration(event, 'azureb2c', ['clientId', 'policy', 'tenant'], onError)
+    }
+
+    const authorizationURL = config.authorizationURL || `https://${config.tenant}.b2clogin.com/${config.tenant}.onmicrosoft.com/${config.policy}/oauth2/v2.0/authorize`
+    const tokenURL = config.tokenURL || `https://${config.tenant}.b2clogin.com/${config.tenant}.onmicrosoft.com/${config.policy}/oauth2/v2.0/token`
+
+    const redirectURL = config.redirectURL || getOAuthRedirectURL(event)
+
+    // guarantee uniqueness of the scope
+    config.scope = config.scope && config.scope.length > 0 ? config.scope : ['openid']
+    config.scope = [...new Set(config.scope)]
+
+    // Create pkce verifier
+    const verifier = await handlePkceVerifier(event)
+    const state = await handleState(event)
+
+    if (!query.code) {
+      // Redirect to Azure B2C Oauth page
+      return sendRedirect(
+        event,
+        withQuery(authorizationURL as string, {
+          client_id: config.clientId,
+          response_type: 'code',
+          redirect_uri: redirectURL,
+          scope: config.scope.join(' '),
+          state,
+          code_challenge: verifier.code_challenge,
+          code_challenge_method: verifier.code_challenge_method,
+          ...config.authorizationParams,
+        }),
+      )
+    }
+
+    if (query.state !== state) {
+      handleInvalidState(event, 'azureb2c', onError)
+    }
+
+    console.info('code verifier', verifier.code_verifier)
+    const tokens = await requestAccessToken(tokenURL, {
+      body: {
+        grant_type: 'authorization_code',
+        client_id: config.clientId,
+        scope: config.scope.join(' '),
+        code: query.code as string,
+        redirect_uri: redirectURL,
+        response_type: 'code',
+        code_verifier: verifier.code_verifier,
+      },
+    })
+
+    if (tokens.error) {
+      return handleAccessTokenErrorResponse(event, 'azureb2c', tokens, onError)
+    }
+
+    const tokenType = tokens.token_type
+    const accessToken = tokens.access_token
+    const userURL = config.userURL || 'https://graph.microsoft.com/v1.0/me'
+    // TODO: improve typing
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    const user: any = await $fetch(userURL, {
+      headers: {
+        Authorization: `${tokenType} ${accessToken}`,
+      },
+    }).catch((error) => {
+      return { error }
+    })
+    if (user.error) {
+      const error = createError({
+        statusCode: 401,
+        message: `azureb2c login failed: ${user.error || 'Unknown error'}`,
+        data: user,
+      })
+      if (!onError) throw error
+      return onError(event, error)
+    }
+
+    return onSuccess(event, {
+      tokens,
+      user,
+    })
+  })
+}

src/runtime/server/lib/utils.ts

@@ -1,8 +1,9 @@
-import type { H3Event } from 'h3'
+import { type H3Event, deleteCookie, getCookie, setCookie } from 'h3'
 import { getRequestURL } from 'h3'
 import { FetchError } from 'ofetch'
 import { snakeCase, upperFirst } from 'scule'
 import * as jose from 'jose'
+import { subtle, getRandomValues } from 'uncrypto'
 import type { OAuthProvider, OnError } from '#auth-utils'
 import { createError } from '#imports'
 
@@ -100,6 +101,18 @@ export function handleMissingConfiguration(event: H3Event, provider: OAuthProvid
   return onError(event, error)
 }
 
+export function handleInvalidState(event: H3Event, provider: OAuthProvider, onError?: OnError) {
+  const message = `${upperFirst(provider)} login failed: state mismatch`
+
+  const error = createError({
+    statusCode: 500,
+    message,
+  })
+
+  if (!onError) throw error
+  return onError(event, error)
+}
+
 /**
  * JWT signing using jose
  *
@@ -156,3 +169,49 @@ export async function verifyJwt<T>(
 
   return payload as T
 }
+
+function encodeBase64Url(input: Uint8Array): string {
+  return btoa(String.fromCharCode.apply(null, input as unknown as number[]))
+    .replace(/\+/g, '-')
+    .replace(/\//g, '_')
+    .replace(/=+$/g, '')
+}
+
+function getRandomBytes(size: number = 32) {
+  return getRandomValues(new Uint8Array(size))
+}
+
+export async function handlePkceVerifier(event: H3Event) {
+  let verifier = getCookie(event, 'nuxt-auth-pkce')
+  if (verifier) {
+    deleteCookie(event, 'nuxt-auth-pkce')
+    return { code_verifier: verifier }
+  }
+
+  // Create new verifier
+  verifier = encodeBase64Url(getRandomBytes())
+  setCookie(event, 'nuxt-auth-pkce', verifier)
+
+  // Get pkce
+  const encodedPkce = new TextEncoder().encode(verifier)
+  const pkceHash = await subtle.digest('SHA-256', encodedPkce)
+  const pkce = encodeBase64Url(new Uint8Array(pkceHash))
+
+  return {
+    code_verifier: verifier,
+    code_challenge: pkce,
+    code_challenge_method: 'S256',
+  }
+}
+
+export async function handleState(event: H3Event) {
+  let state = getCookie(event, 'nuxt-auth-state')
+  if (state) {
+    deleteCookie(event, 'nuxt-auth-state')
+    return state
+  }
+
+  state = encodeBase64Url(getRandomBytes(8))
+  setCookie(event, 'nuxt-auth-state', state)
+  return state
+}

src/runtime/types/oauth-config.ts

@@ -2,7 +2,7 @@ import type { H3Event, H3Error } from 'h3'
 
 export type ATProtoProvider = 'bluesky'
 
-export type OAuthProvider = ATProtoProvider | 'atlassian' | 'auth0' | 'authentik' | 'battledotnet' | 'cognito' | 'discord' | 'dropbox' | 'facebook' | 'gitea' | 'github' | 'gitlab' | 'google' | 'hubspot' | 'instagram' | 'keycloak' | 'line' | 'linear' | 'linkedin' | 'microsoft' | 'paypal' | 'polar' | 'spotify' | 'seznam' | 'steam' | 'strava' | 'tiktok' | 'twitch' | 'vk' | 'workos' | 'x' | 'xsuaa' | 'yandex' | 'zitadel' | 'apple' | 'livechat' | (string & {})
+export type OAuthProvider = ATProtoProvider | 'atlassian' | 'auth0' | 'authentik' | 'azureb2c' | 'battledotnet' | 'cognito' | 'discord' | 'dropbox' | 'facebook' | 'gitea' | 'github' | 'gitlab' | 'google' | 'hubspot' | 'instagram' | 'keycloak' | 'line' | 'linear' | 'linkedin' | 'microsoft' | 'paypal' | 'polar' | 'spotify' | 'seznam' | 'steam' | 'strava' | 'tiktok' | 'twitch' | 'vk' | 'workos' | 'x' | 'xsuaa' | 'yandex' | 'zitadel' | 'apple' | 'livechat' | (string & {})
 
 export type OnError = (event: H3Event, error: H3Error) => Promise<void> | void