Fix SSO redirect URI by setting authorization.params explicitly
next-auth v5 beta ignores redirectProxyUrl when constructing the redirect_uri sent to Microsoft — it strips the pathname from AUTH_URL and uses only the origin. Passing redirect_uri directly in authorization.params guarantees the /hp-prod-tracker basePath is included in the callback URL. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
parent
aae25a0959
commit
6fd240860c
1 changed files with 11 additions and 7 deletions
|
|
@ -4,11 +4,12 @@ import { PrismaAdapter } from "@auth/prisma-adapter";
|
|||
import { prisma } from "@/lib/prisma";
|
||||
import type { Role } from "@/generated/prisma/client";
|
||||
|
||||
// Build the OAuth redirect proxy URL so the callback includes the Next.js
|
||||
// basePath (/hp-prod-tracker). Auth.js route matching uses basePath="/api/auth"
|
||||
// (without the prefix), but the redirect_uri sent to Microsoft must include it.
|
||||
const redirectProxyUrl = process.env.AUTH_URL
|
||||
? `${process.env.AUTH_URL}/api/auth`
|
||||
// next-auth v5 beta ignores redirectProxyUrl when building the redirect_uri
|
||||
// sent to the OAuth provider — it strips the pathname from AUTH_URL and appends
|
||||
// basePath directly to the origin. We must pass redirect_uri explicitly so the
|
||||
// /hp-prod-tracker basePath is included in the Microsoft callback URL.
|
||||
const explicitRedirectUri = process.env.AUTH_URL
|
||||
? `${process.env.AUTH_URL}/api/auth/callback/microsoft-entra-id`
|
||||
: undefined;
|
||||
|
||||
export const { handlers, auth, signIn, signOut } = NextAuth({
|
||||
|
|
@ -25,8 +26,11 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
|
|||
// Safe for Entra ID — Microsoft verifies organizational emails.
|
||||
// Required to link SSO accounts to pre-seeded User records by email match.
|
||||
allowDangerousEmailAccountLinking: true,
|
||||
// Include the Next.js basePath in the OAuth redirect URI
|
||||
redirectProxyUrl,
|
||||
// Explicitly set redirect_uri so /hp-prod-tracker basePath is included.
|
||||
// next-auth v5 beta strips the pathname from AUTH_URL otherwise.
|
||||
...(explicitRedirectUri && {
|
||||
authorization: { params: { redirect_uri: explicitRedirectUri } },
|
||||
}),
|
||||
}),
|
||||
],
|
||||
session: {
|
||||
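Review bot: `explicitRedirectUri` in the first hunk is built by plain concatenation onto `process.env.AUTH_URL`, so a trailing slash in that variable produces `//api/auth/callback/microsoft-entra-id`, which will not exactly match the redirect URI registered for the app in Entra ID; stripping trailing slashes first, `process.env.AUTH_URL.replace(/\/+$/, "")`, avoids that. When AUTH_URL is unset, the spread in the second hunk adds nothing and sign-in silently falls back to the redirect_uri the commit message describes as wrong, so a startup error or warning in production would make the misconfiguration visible. It is also worth confirming that the token request made in the callback sends this same redirect_uri, since the override shown here only covers `authorization.params` and OAuth requires the two values to match. The provider call this spread sits in starts outside the hunk, so the hard-coded `microsoft-entra-id` segment cannot be checked against the provider id from here. Separately, the context comment calling `allowDangerousEmailAccountLinking: true` safe presumably holds only if the app registration accepts a single tenant or the email claim is otherwise verified; the tenant setting is not visible on this page.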