feat(oidc): add Azure AD B2C OpenID Connect Provider #201

Draft. halvaradop wants to merge 1 commit into master from feat/add-azure-dir-b2c-oidc

Conversation

@halvaradop (Member) commented Jun 26, 2026

Description

This pull request adds support for the Azure Active Directory B2C OAuth 2.0 / OpenID Connect (OIDC) provider to the list of authentication providers available in Aura Auth.

Usage

import { createAuth } from "@aura-stack/auth"

export const auth = createAuth({
  oauth: ["azure-ad-b2c"],
})

export const { handlers } = auth

Note

This PR will remain in draft until the Azure AD B2C OAuth 2.0 / OIDC provider has been fully validated with Aura Auth.

The implementation successfully passes the basic authentication flows and core use cases, but it has not yet been comprehensively tested. Additional validation is required to ensure provider-specific behaviors work correctly and to identify any edge cases before this feature is considered production-ready.

Notes

During the implementation of this provider, several inconsistencies and gaps were identified in the Azure AD B2C documentation.

The OAuth 2.0 documentation describes the authorization and token endpoints:

https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/token

However, it does not mention a /userinfo endpoint or any alternative endpoint for retrieving authenticated user profile information.

Azure AD B2C also supports OpenID Connect, which introduces policy-specific endpoints:

https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token

Despite advertising OpenID Connect support, the discovery document:

https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration

does not expose a userinfo_endpoint.

Although the UserInfo endpoint is optional in both OAuth 2.0 and OpenID Connect, the documentation does not explain how applications are expected to retrieve user profile information or whether the issued access token can be used with Microsoft APIs (for example, GET /me in Microsoft Graph). Because of this uncertainty, the provider will remain in draft status until these behaviors are fully understood and validated.

During this investigation, it also became clear that Microsoft implements OAuth 2.0 and OpenID Connect with protocol-specific differences that require additional handling within the provider implementation.

Finally, this work led to the discovery of the Microsoft Identity Platform, which appears to be a better foundation for implementing future Microsoft authentication providers.

For reference:

https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc
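The gap the description identifies, a discovery document with no `userinfo_endpoint`, has a direct consequence for a provider: the user profile has to come from the ID token, which means the provider must verify that token itself rather than trusting a profile fetched over a bearer call. The following TypeScript is an added example, not code from this PR or from Aura Auth. It assembles the policy-specific endpoints from the templates listed above, checks a discovery document for `userinfo_endpoint`, verifies an RS256 ID token (issuer taken from the discovery document rather than rebuilt from the tenant name, audience, `exp`/`nbf`, and the `tfp` claim B2C uses to carry the policy name), and maps the verified claims to a profile, reading the address from the `emails` array claim that B2C user flows emit instead of a single `email` claim. `B2CConfig`, `verifyIdToken`, `profileFromClaims`, the `contoso` tenant, and the issuer and `jwks_uri` values are assumptions made for illustration; the sample token is constructed and self-signed with a key generated inside the example, standing in for the key a real provider would fetch from `jwks_uri` by `kid`.

```typescript
import { createSign, createVerify, generateKeyPairSync } from "node:crypto"
import type { KeyObject } from "node:crypto"

// Hypothetical config shape for this example; not Aura Auth's provider options.
export interface B2CConfig {
  tenant: string // bare tenant name, e.g. "contoso" (assumed format)
  policy: string // user-flow / policy name, e.g. "B2C_1_signupsignin"
}

// Policy-specific endpoints, built exactly as the PR description lists them.
export function b2cEndpoints({ tenant, policy }: B2CConfig) {
  const base = `https://${tenant}.b2clogin.com/${tenant}.onmicrosoft.com/${policy}`
  return {
    authorization: `${base}/oauth2/v2.0/authorize`,
    token: `${base}/oauth2/v2.0/token`,
    discovery: `${base}/v2.0/.well-known/openid-configuration`,
  }
}

// The subset of the discovery document this example relies on.
export interface DiscoveryDocument {
  issuer: string
  jwks_uri: string
  userinfo_endpoint?: string
}

export function hasUserInfoEndpoint(doc: DiscoveryDocument): boolean {
  return typeof doc.userinfo_endpoint === "string" && doc.userinfo_endpoint.length > 0
}

export interface Profile { id: string; name?: string; email?: string }

export interface VerifyOptions {
  issuer: string   // copy from the discovery document; do not derive it from the tenant name
  audience: string // the app registration's client ID
  policy?: string  // when set, the token's tfp claim must match it
  now?: number     // seconds since epoch; defaults to the wall clock
}

const b64uJson = (s: string): Record<string, unknown> =>
  JSON.parse(Buffer.from(s, "base64url").toString("utf8"))

// Verify an RS256 ID token against a known key and the expected iss/aud/exp/nbf/tfp.
// Selecting the key by `kid` from jwks_uri is left to the caller.
export function verifyIdToken(token: string, key: KeyObject, opts: VerifyOptions): Record<string, unknown> {
  const parts = token.split(".")
  if (parts.length !== 3) throw new Error("malformed JWT")
  const [h, p, s] = parts
  const header = b64uJson(h)
  if (header.alg !== "RS256") throw new Error(`unexpected alg: ${String(header.alg)}`)
  const ok = createVerify("RSA-SHA256").update(`${h}.${p}`).verify(key, Buffer.from(s, "base64url"))
  if (!ok) throw new Error("signature verification failed")
  const claims = b64uJson(p)
  const now = opts.now ?? Math.floor(Date.now() / 1000)
  if (claims.iss !== opts.issuer) throw new Error("issuer mismatch")
  if (claims.aud !== opts.audience) throw new Error("audience mismatch")
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("token expired")
  if (typeof claims.nbf === "number" && claims.nbf > now) throw new Error("token not yet valid")
  if (opts.policy !== undefined && claims.tfp !== opts.policy) throw new Error("policy (tfp) mismatch")
  return claims
}

// Map verified claims to a profile. The address comes from the `emails` array claim.
export function profileFromClaims(claims: Record<string, unknown>): Profile {
  const emails = Array.isArray(claims.emails)
    ? claims.emails.filter((e): e is string => typeof e === "string")
    : []
  return {
    id: String(claims.sub),
    name: typeof claims.name === "string" ? claims.name : undefined,
    email: emails[0],
  }
}

// --- Constructed sample data; nothing below was captured from a real tenant ---
const { privateKey, publicKey } = generateKeyPairSync("rsa", { modulusLength: 2048 })
export const samplePublicKey = publicKey
export const sampleAudience = "11111111-2222-3333-4444-555555555555"
export const sampleNow = 1_800_000_000
export const sampleDiscovery: DiscoveryDocument = {
  issuer: "https://contoso.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/",
  jwks_uri: "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_signupsignin/discovery/v2.0/keys",
  // no userinfo_endpoint, matching what the real discovery document exposes
}

function signSample(claims: Record<string, unknown>): string {
  const enc = (o: unknown) => Buffer.from(JSON.stringify(o)).toString("base64url")
  const signingInput = `${enc({ alg: "RS256", typ: "JWT", kid: "sample-key" })}.${enc(claims)}`
  const sig = createSign("RSA-SHA256").update(signingInput).sign(privateKey).toString("base64url")
  return `${signingInput}.${sig}`
}

export const sampleIdToken = signSample({
  iss: sampleDiscovery.issuer,
  aud: sampleAudience,
  sub: "8d6f9e2e-0000-4000-8000-000000000001",
  name: "Ada Lovelace",
  emails: ["ada@example.com"],
  tfp: "B2C_1_signupsignin",
  iat: sampleNow - 60,
  nbf: sampleNow - 60,
  exp: sampleNow + 3600,
})

// End to end: verify the sample token, then derive the profile from its claims.
export function sampleProfile(): Profile {
  const claims = verifyIdToken(sampleIdToken, samplePublicKey, {
    issuer: sampleDiscovery.issuer,
    audience: sampleAudience,
    policy: "B2C_1_signupsignin",
    now: sampleNow,
  })
  return profileFromClaims(claims)
}
```

The `tfp` check matters specifically for B2C: every policy in a tenant shares the same issuer and signing keys, so an ID token minted by a different user flow (a password-reset flow, say) passes the generic OIDC checks and is only caught by comparing the policy claim. Reading `issuer` from the discovery document rather than building it from `{tenant}.b2clogin.com` avoids hard-coding an assumption about its format.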

@vercel (Bot, Contributor) commented Jun 26, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| auth | Ready | Preview, Comment | Jun 26, 2026 4:09pm |

@coderabbitai (Bot) commented Jun 26, 2026

📝 Walkthrough

Adds a new Azure AD B2C OAuth provider factory and a documentation page covering app registration, environment variables, auth instance setup, provider customization, sign-in examples, session retrieval, and reference links.

Changes

Azure AD B2C Integration

| Layer / File(s) | Summary |
| --- | --- |
| Provider factory and claim shape (`packages/core/src/oauth/azure-ad-b2c.ts`) | Introduces the Azure AD B2C profile interface and OAuth provider factory with default endpoints, scope, and profile mapping. |
| App registration and environment setup (`docs/src/content/docs/(core)/oauth/azure-ad-b2c.mdx`) | Adds the documentation frontmatter, application registration guidance, installation step, and required environment variables. |
| Auth instance and provider customization (`docs/src/content/docs/(core)/oauth/azure-ad-b2c.mdx`) | Adds the auth instance example and the provider customization example for azureADB2C. |
| Sign-in and session usage (`docs/src/content/docs/(core)/oauth/azure-ad-b2c.mdx`) | Adds direct, client-side, and server-side sign-in examples and the client and server session retrieval examples, plus resource links. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

oauth

Poem

A bunny hops through Azure's gate,
With B2C keys set just right and straight.
It sniffs the claims, then dances on,
Until the session is safely drawn.
🐰✨

🚥 Pre-merge checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly describes the main change: adding an Azure AD B2C OpenID Connect provider. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai (Bot) left a review

Actionable comments posted: 2

🧹 Nitpick comments (1)
docs/src/content/docs/(core)/oauth/azure-ad-b2c.mdx (1)

177-181: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Server-side session retrieval example lacks request context clarity.

The comment states "You must pass the native Web Request object or Headers" but the example only shows api.getSession(request) without clarifying where request originates. In Next.js App Router this would be headers() or the incoming Request; in other frameworks it differs. Consider adding a brief framework-specific hint or showing the import source of request.


📥 Commits

Reviewing files that changed from the base of the PR and between d82a096 and a2aa142.

📒 Files selected for processing (2)
  • docs/src/content/docs/(core)/oauth/azure-ad-b2c.mdx
  • packages/core/src/oauth/azure-ad-b2c.ts

Comment on lines +36 to +44
```bash title=".env" lineNumbers
# Aura Secrets
AURA_AUTH_SECRET="your-32-byte-secret"
AURA_AUTH_SALT="your-32-byte-salt"

# Azure AD B2C Credentials
AURA_AUTH_AZURE_AD_B2C_CLIENT_ID="your_azure_ad_b2c_client_id"
AURA_AUTH_AZURE_AD_B2C_CLIENT_SECRET="your_azure_ad_b2c_client_secret"
```

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Missing required environment variables for Azure AD B2C tenant and policy.

The provider factory uses URL templates with {tenant} and {policy} placeholders (packages/core/src/oauth/azure-ad-b2c.ts:45-65), but the documentation only lists CLIENT_ID and CLIENT_SECRET. Without AURA_AUTH_AZURE_AD_B2C_TENANT and AURA_AUTH_AZURE_AD_B2C_POLICY (or equivalent configuration), the authorization, token, and metadata endpoints cannot be resolved.

Add these required variables to the environment setup section:

 # Azure AD B2C Credentials
 AURA_AUTH_AZURE_AD_B2C_CLIENT_ID="your_azure_ad_b2c_client_id"
 AURA_AUTH_AZURE_AD_B2C_CLIENT_SECRET="your_azure_ad_b2c_client_secret"
+AURA_AUTH_AZURE_AD_B2C_TENANT="your_azure_ad_b2c_tenant_name"
+AURA_AUTH_AZURE_AD_B2C_POLICY="your_azure_ad_b2c_policy_name"
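Review bot: the two added variables need a statement of the expected value format, not just placeholders. The endpoint templates cited for this file use the tenant value in two different positions, `{tenant}.b2clogin.com` and `{tenant}.onmicrosoft.com`, so the docs should say that `AURA_AUTH_AZURE_AD_B2C_TENANT` is the bare tenant name (for example `contoso`) and not a full domain, and that `AURA_AUTH_AZURE_AD_B2C_POLICY` is the user-flow name exactly as it appears in the policy-specific URLs; a mistyped value here produces a wrong discovery URL and a confusing failure at sign-in rather than a clear configuration error. The variable names are also proposed in this comment rather than read from `azure-ad-b2c.ts`, so confirm they match what the factory actually reads before the docs are updated.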
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/src/content/docs/`(core)/oauth/azure-ad-b2c.mdx around lines 36 - 44,
The Azure AD B2C setup docs are missing required tenant and policy environment
variables, so the endpoint templates in azure-ad-b2c.ts cannot be resolved.
Update the environment example in the OAuth Azure AD B2C docs to include the
missing AURA_AUTH_AZURE_AD_B2C_TENANT and AURA_AUTH_AZURE_AD_B2C_POLICY
variables alongside CLIENT_ID and CLIENT_SECRET. Make sure the section clearly
matches the placeholders used by the AzureAdB2C provider factory so users can
configure the authorization, token, and metadata URLs correctly.

Comment on lines +85 to +103
```ts title="auth.ts" lineNumbers
import { createAuth } from "@aura-stack/auth"
import { azureADB2C } from "@aura-stack/auth/oauth/azure-ad-b2c"

export const auth = createAuth({
  oauth: [
    azureADB2C({
      authorize: {
        params: {
          // Override default scopes
          scope: "read:user user:email",
        },
      },
    }),
  ],
})

export const { handlers, api, jose } = auth
```

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Incorrect scope override example uses GitHub OAuth scopes.

The customization example overrides the default scope to "read:user user:email", which are GitHub-specific OAuth scopes. Azure AD B2C uses OpenID Connect scopes like openid, profile, email, and custom application scopes registered in the B2C tenant. Using GitHub scopes in Azure AD B2C documentation will confuse users and cause authorization failures.

Correct the override example to use Azure AD B2C appropriate scopes:

           // Override default scopes
-          scope: "read:user user:email",
+          scope: "openid profile email",
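Review bot: the corrected override should come with a note that `openid` must stay in any custom scope value. This provider has no userinfo endpoint to fall back on (the PR description shows the discovery document omits `userinfo_endpoint`), so the profile mapping in `azure-ad-b2c.ts` can only come from ID token claims, and a scope override that drops `openid` means no ID token and therefore no profile. The docs should also avoid implying that `profile email` by themselves guarantee name and email claims; in B2C the claims returned are governed by the user flow's application claims configuration.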
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/src/content/docs/`(core)/oauth/azure-ad-b2c.mdx around lines 85 - 103,
The scope override example in azureADB2C is using GitHub-specific scopes, so
update the example under createAuth/azureADB2C to use Azure AD B2C/OpenID
Connect scopes instead. Replace the authorize.params.scope value with
appropriate B2C scopes such as openid, profile, email, or a tenant-registered
custom scope, and keep the snippet aligned with the auth.ts example shown in the
doc.

@halvaradop halvaradop marked this pull request as draft June 26, 2026 16:30
@halvaradop halvaradop added the oauth Changes related to OAuth flows, providers, tokens, or authentication integration. label Jun 26, 2026

Labels

oauth Changes related to OAuth flows, providers, tokens, or authentication integration.
