From 6fd240860cc5ead8ffcf250bffe138e00499a5c9 Mon Sep 17 00:00:00 2001
From: Vadym Samoilenko
Date: Wed, 15 Apr 2026 15:04:42 +0100
Subject: [PATCH] Fix SSO redirect URI by setting authorization.params explicitly
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

next-auth v5 beta ignores redirectProxyUrl when constructing the redirect_uri sent to Microsoft — it strips the pathname from AUTH_URL and uses only the origin. Passing redirect_uri directly in authorization.params guarantees the /hp-prod-tracker basePath is included in the callback URL.

Co-Authored-By: Claude Sonnet 4.6
---
 src/lib/auth.ts | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index f90bc66..abc3c8d 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -4,11 +4,12 @@ import { PrismaAdapter } from "@auth/prisma-adapter";
 import { prisma } from "@/lib/prisma";
 import type { Role } from "@/generated/prisma/client";
 
-// Build the OAuth redirect proxy URL so the callback includes the Next.js
-// basePath (/hp-prod-tracker). Auth.js route matching uses basePath="/api/auth"
-// (without the prefix), but the redirect_uri sent to Microsoft must include it.
-const redirectProxyUrl = process.env.AUTH_URL
-  ? `${process.env.AUTH_URL}/api/auth`
+// next-auth v5 beta ignores redirectProxyUrl when building the redirect_uri
+// sent to the OAuth provider — it strips the pathname from AUTH_URL and appends
+// basePath directly to the origin. We must pass redirect_uri explicitly so the
+// /hp-prod-tracker basePath is included in the Microsoft callback URL.
+const explicitRedirectUri = process.env.AUTH_URL
+  ? `${process.env.AUTH_URL}/api/auth/callback/microsoft-entra-id`
   : undefined;
 
 export const { handlers, auth, signIn, signOut } = NextAuth({
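Review bot: The new `explicitRedirectUri` is built by plain string concatenation onto `AUTH_URL`, so a trailing slash in the environment value produces `https://host/hp-prod-tracker//api/auth/callback/microsoft-entra-id`, and because providers match `redirect_uri` against the registered value exactly (RFC 6749 §3.1.2.3), the sign-in would then fail at the IdP rather than fall back. Normalising the base first keeps the value stable regardless of how the variable was set: `const explicitRedirectUri = process.env.AUTH_URL` / `  ? \`${process.env.AUTH_URL.replace(/\/+$/, "")}/api/auth/callback/microsoft-entra-id\`` / `  : undefined;`. It is also worth confirming that the library sends this same value in the code-exchange request, since the token endpoint rejects an exchange whose `redirect_uri` differs from the one in the authorization request; a short comment recording that check next to the constant would help the next reader. The `NextAuth({` call this constant feeds continues past the end of the hunk.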
@@ -25,8 +26,11 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
       // Safe for Entra ID — Microsoft verifies organizational emails.
       // Required to link SSO accounts to pre-seeded User records by email match.
       allowDangerousEmailAccountLinking: true,
-      // Include the Next.js basePath in the OAuth redirect URI
-      redirectProxyUrl,
+      // Explicitly set redirect_uri so /hp-prod-tracker basePath is included.
+      // next-auth v5 beta strips the pathname from AUTH_URL otherwise.
+      ...(explicitRedirectUri && {
+        authorization: { params: { redirect_uri: explicitRedirectUri } },
+      }),
     }),
   ],
   session: {
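Review bot: The conditional spread `...(explicitRedirectUri && { ... })` silently drops the `authorization` override whenever `AUTH_URL` is unset, which — by the commit's own description — leaves the library sending a callback URL without the `/hp-prod-tracker` basePath, so a missing variable in production surfaces only as a confusing redirect-URI mismatch from Microsoft. Failing fast at module load is clearer: `if (!explicitRedirectUri && process.env.NODE_ENV === "production") throw new Error("AUTH_URL must be set so the OAuth redirect_uri includes the basePath");`. If the provider options object also sets `authorization` elsewhere (the provider call starts outside this hunk), note that this spread replaces that key wholesale rather than merging its `params`, so any `scope` or `prompt` set there would need to move into this same object.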