Merge branch 'main' into patch-2

nextauthjs · Feb 6, 2025 · 422de91 · 422de91
2 parents 7981de7 + 6a7d251
commit 422de91
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/docs/pages/getting-started/providers/microsoft-entra-id.mdx b/docs/pages/getting-started/providers/microsoft-entra-id.mdx
@@ -161,7 +161,7 @@ In `.env.local` create the following entries:
 ```
 AUTH_MICROSOFT_ENTRA_ID_ID=<copy Application (client) ID here>
 AUTH_MICROSOFT_ENTRA_ID_SECRET=<copy generated client secret value here>
-AUTH_MICROSOFT_ENTRA_ID_ISSUER=<copy the issuer here>
+AUTH_MICROSOFT_ENTRA_ID_ISSUER=https://login.microsoftonline.com/<copy the issuer here>/v2.0
 ```
 
 That will default the tenant to use the `common` authorization endpoint. [For more details see here](https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols#endpoints).

diff --git a/packages/core/src/lib/actions/signin/authorization-url.ts b/packages/core/src/lib/actions/signin/authorization-url.ts
@@ -30,7 +30,15 @@ export async function getAuthorizationUrl(
       // TODO: move away from allowing insecure HTTP requests
       [o.allowInsecureRequests]: true,
     })
-    const as = await o.processDiscoveryResponse(issuer, discoveryResponse)
+    const as = await o
+      .processDiscoveryResponse(issuer, discoveryResponse)
+      .catch((error) => {
+        if (!(error instanceof TypeError) || error.message !== "Invalid URL")
+          throw error
+        throw new TypeError(
+          `Discovery request responded with an invalid issuer. expected: ${issuer}`
+        )
+      })
 
     if (!as.authorization_endpoint) {
       throw new TypeError(