
feat(oidc): add Azure AD B2C OpenID Connect Provider#201

Draft
halvaradop wants to merge 1 commit into master from feat/add-azure-dir-b2c-oidc

Conversation

@halvaradop

@halvaradop halvaradop commented Jun 26, 2026

Member

Description

This pull request adds support for the Azure Active Directory B2C OAuth 2.0 / OpenID Connect (OIDC) provider to the list of authentication providers available in Aura Auth.

Usage

import { createAuth } from "@aura-stack/auth"

export const auth = createAuth({
  oauth: ["azure-ad-b2c"],
})

export const { handlers } = auth

Note

This PR will remain in draft until the Azure AD B2C OAuth 2.0 / OIDC provider has been fully validated with Aura Auth.

The implementation successfully passes the basic authentication flows and core use cases, but it has not yet been comprehensively tested. Additional validation is required to ensure provider-specific behaviors work correctly and to identify any edge cases before this feature is considered production-ready.

Notes

During the implementation of this provider, several inconsistencies and gaps were identified in the Azure AD B2C documentation.

The OAuth 2.0 documentation describes the authorization and token endpoints:

https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/authorize
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/oauth2/v2.0/token

However, it does not mention a /userinfo endpoint or any alternative endpoint for retrieving authenticated user profile information.

Azure AD B2C also supports OpenID Connect, which introduces policy-specific endpoints:

https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/authorize
https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/oauth2/v2.0/token

Despite advertising OpenID Connect support, the discovery document:

https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/v2.0/.well-known/openid-configuration

does not expose a userinfo_endpoint.

Although the UserInfo endpoint is optional in both OAuth 2.0 and OpenID Connect, the documentation does not explain how applications are expected to retrieve user profile information or whether the issued access token can be used with Microsoft APIs (for example, GET /me in Microsoft Graph). Because of this uncertainty, the provider will remain in draft status until these behaviors are fully understood and validated.

During this investigation, it also became clear that Microsoft implements OAuth 2.0 and OpenID Connect with protocol-specific differences that require additional handling within the provider implementation.

Finally, this work led to the discovery of the Microsoft Identity Platform, which appears to be a better foundation for implementing future Microsoft authentication providers.

For reference:

https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc
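The following example is added here to illustrate the two points the description raises: resolving the policy-specific endpoints from tenant and policy settings, and obtaining profile data from ID token claims when the discovery document has no userinfo_endpoint. It is not Aura Auth's provider code or anything from the PR. The tenant, policy, client ID, issuer and jwks_uri values are constructed placeholders; the `emails` array claim is an assumption about B2C user-flow output; and `decodeJwtPayload` deliberately does not verify the signature, which a real provider must do against `jwks_uri` before any claim is trusted.

```typescript
// Added example, not Aura Auth's provider code: resolve Azure AD B2C policy
// endpoints from tenant/policy settings and take the user profile from ID token
// claims when the discovery document exposes no userinfo_endpoint.

export interface AzureADB2CConfig {
  tenant: string // tenant name, e.g. the "contoso" in contoso.onmicrosoft.com (placeholder)
  policy: string // user-flow / policy name, e.g. B2C_1_signin (placeholder)
  clientId: string // application (client) ID registered in the tenant
}

// Endpoint templates as quoted in the PR description (policy-specific OIDC form).
export function resolveEndpoints(cfg: AzureADB2CConfig) {
  const base = `https://${cfg.tenant}.b2clogin.com/${cfg.tenant}.onmicrosoft.com/${cfg.policy}`
  return {
    metadata: `${base}/v2.0/.well-known/openid-configuration`,
    authorization: `${base}/oauth2/v2.0/authorize`,
    token: `${base}/oauth2/v2.0/token`,
  }
}

// Discovery-document fields consulted below; userinfo_endpoint is optional in OIDC.
export interface DiscoveryDocument {
  issuer: string
  authorization_endpoint: string
  token_endpoint: string
  jwks_uri: string
  userinfo_endpoint?: string
}

// Constructed sample configuration and discovery document (no userinfo_endpoint,
// as the PR reports). Every value is a placeholder, not a real tenant.
export const SAMPLE_CFG: AzureADB2CConfig = { tenant: "contoso", policy: "B2C_1_signin", clientId: "app-id" }
export const SAMPLE_DISCOVERY: DiscoveryDocument = {
  issuer: "https://contoso.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/",
  authorization_endpoint: resolveEndpoints(SAMPLE_CFG).authorization,
  token_endpoint: resolveEndpoints(SAMPLE_CFG).token,
  jwks_uri: "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_signin/discovery/v2.0/keys",
}

export type ProfileSource = "userinfo" | "id_token"

// Without a userinfo_endpoint the only profile data available to the provider
// are the ID token claims, so the ID token becomes the profile source.
export function chooseProfileSource(doc: DiscoveryDocument): ProfileSource {
  return typeof doc.userinfo_endpoint === "string" ? "userinfo" : "id_token"
}

// Minimal base64url codec (ASCII payloads only) so the example has no runtime deps.
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
export function base64UrlEncode(s: string): string {
  let bits = 0, value = 0, out = ""
  for (let i = 0; i < s.length; i++) {
    value = ((value << 8) | (s.charCodeAt(i) & 0xff)) & 0xffff
    bits += 8
    while (bits >= 6) { bits -= 6; out += B64URL[(value >> bits) & 63] }
  }
  return bits > 0 ? out + B64URL[(value << (6 - bits)) & 63] : out
}
export function base64UrlDecode(s: string): string {
  let bits = 0, value = 0, out = ""
  for (const ch of s) {
    const idx = B64URL.indexOf(ch)
    if (idx < 0) throw new Error("invalid base64url")
    value = ((value << 6) | idx) & 0xffff
    bits += 6
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((value >> bits) & 0xff) }
  }
  return out
}

// Splits a compact JWS and parses its payload. This does NOT verify the
// signature; a real provider verifies it against jwks_uri before trusting claims.
export function decodeJwtPayload(jwt: string): Record<string, unknown> {
  const parts = jwt.split(".")
  if (parts.length !== 3) throw new Error("malformed JWT")
  return JSON.parse(base64UrlDecode(parts[1])) as Record<string, unknown>
}

export interface AzureADB2CProfile {
  id: string
  name?: string
  email?: string
}

// Checks the claims binding the token to this issuer and app, then maps them.
// Reading an `emails` array in addition to `email` is an assumption about B2C
// user-flow claim output, not something the PR states.
export function profileFromIdToken(
  idToken: string,
  doc: DiscoveryDocument,
  clientId: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): AzureADB2CProfile {
  const { iss, aud, exp, sub, name, email, emails } = decodeJwtPayload(idToken)
  if (iss !== doc.issuer) throw new Error("issuer mismatch")
  if (aud !== clientId) throw new Error("audience mismatch")
  if (typeof exp !== "number" || exp <= nowSeconds) throw new Error("token expired")
  if (typeof sub !== "string") throw new Error("missing sub claim")
  const first = Array.isArray(emails) ? emails[0] : undefined
  return {
    id: sub,
    name: typeof name === "string" ? name : undefined,
    email: typeof email === "string" ? email : typeof first === "string" ? first : undefined,
  }
}

// Builds an unsigned token for this offline demonstration only.
export function makeSampleIdToken(claims: Record<string, unknown>): string {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }))
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.`
}
```

The split between `decodeJwtPayload` and `profileFromIdToken` is deliberate: the decode step is where a signature check against the discovery document's `jwks_uri` belongs, and the claim checks (issuer, audience, expiry) are what stop an ID token minted for another app or policy from being mapped onto a session.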


@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Walkthrough

Adds a new Azure AD B2C OAuth provider factory and a documentation page covering app registration, environment variables, auth instance setup, provider customization, sign-in examples, session retrieval, and reference links.

Changes

Azure AD B2C Integration

Layer / File(s) / Summary

  • Provider factory and claim shape
    File: packages/core/src/oauth/azure-ad-b2c.ts
    Introduces the Azure AD B2C profile interface and OAuth provider factory with default endpoints, scope, and profile mapping.
  • App registration and environment setup
    File: docs/src/content/docs/(core)/oauth/azure-ad-b2c.mdx
    Adds the documentation frontmatter, application registration guidance, installation step, and required environment variables.
  • Auth instance and provider customization
    File: docs/src/content/docs/(core)/oauth/azure-ad-b2c.mdx
    Adds the auth instance example and the provider customization example for azureADB2C.
  • Sign-in and session usage
    File: docs/src/content/docs/(core)/oauth/azure-ad-b2c.mdx
    Adds direct, client-side, and server-side sign-in examples and the client and server session retrieval examples, plus resource links.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

oauth


🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the main change: adding an Azure AD B2C OpenID Connect provider.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
docs/src/content/docs/(core)/oauth/azure-ad-b2c.mdx (1)

177-181: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Server-side session retrieval example lacks request context clarity.

The comment states "You must pass the native Web Request object or Headers" but the example only shows api.getSession(request) without clarifying where request originates. In Next.js App Router this would be headers() or the incoming Request; in other frameworks it differs. Consider adding a brief framework-specific hint or showing the import source of request.

Prompt for all review comments with AI agents

Inline comments:
In docs/src/content/docs/(core)/oauth/azure-ad-b2c.mdx:
- Around line 85-103: The scope override example in azureADB2C is using
GitHub-specific scopes, so update the example under createAuth/azureADB2C to use
Azure AD B2C/OpenID Connect scopes instead. Replace the authorize.params.scope
value with appropriate B2C scopes such as openid, profile, email, or a
tenant-registered custom scope, and keep the snippet aligned with the auth.ts
example shown in the doc.
- Around line 36-44: The Azure AD B2C setup docs are missing required tenant and
policy environment variables, so the endpoint templates in azure-ad-b2c.ts
cannot be resolved. Update the environment example in the OAuth Azure AD B2C
docs to include the missing AURA_AUTH_AZURE_AD_B2C_TENANT and
AURA_AUTH_AZURE_AD_B2C_POLICY variables alongside CLIENT_ID and CLIENT_SECRET.
Make sure the section clearly matches the placeholders used by the AzureAdB2C
provider factory so users can configure the authorization, token, and metadata
URLs correctly.

---

Nitpick comments:
In docs/src/content/docs/(core)/oauth/azure-ad-b2c.mdx:
- Around line 177-181: The session retrieval example is missing the source of
the native request context, so update the docs snippet around
api.getSession(request) to clearly show where request comes from or mention the
framework-specific alternative such as the incoming Request or headers() in App
Router. Keep the example aligned with the existing api.getSession and
session.user usage, but add a brief hint that makes the required request/headers
input unambiguous.
📥 Commits

Reviewing files that changed from the base of the PR and between d82a096 and a2aa142.

📒 Files selected for processing (2)
  • docs/src/content/docs/(core)/oauth/azure-ad-b2c.mdx
  • packages/core/src/oauth/azure-ad-b2c.ts

Comment thread docs/src/content/docs/(core)/oauth/azure-ad-b2c.mdx
@halvaradop halvaradop marked this pull request as draft June 26, 2026 16:30
@halvaradop halvaradop added the oauth Changes related to OAuth flows, providers, tokens, or authentication integration. label Jun 26, 2026