Microsoft provider doesn't work

[alexitron77]

Hi,

I'm trying to connect Strapi to my azure active directory through an app registration.

I need to configure the tenant Id, but Strapi does not provide this option through the dashboard.
We tried to modify the Provider.js file for the Microsoft provider with the following config :

"microsoft": {
"https://graph.microsoft.com": {
"__domain": {
"auth": {
"auth": {"bearer": "[0]"}
}
},
"[version]/{endpoint}": {
"__path": {
"alias": "__default",
"version": "v1.0"
}
}
},
"https://login.microsoftonline.com": {
"XXX-tenant-id-XXX/oauth2/{endpoint}": {
"__path": {
"alias": "oauth"
}
}
}
}

But it did not take into account the tenantId (the Purest provider is hardcoded to /common).

Here is the following error :

AADSTS50194: Application XXX is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.

Please help !

Alexis

[lauriejim]

Did you follow this documentation https://github.com/strapi/strapi-examples/blob/master/login-react/doc/microsoft_setup.md
Just tested it and it work well!

[jsve]

The documentation @lauriejim refers to the old way of registering an azure application. However, some of it probably translates pretty well to the new way of doing things.

Related to the original question, @alexitron77 is probably right about the issue being in the libraries used and that they are configured only for the /common/ endpoint, and not for single tenant applications. My hack to be able to use this with a single tenant application was to edit /plugins/users-permissions/node_modules/grant/build/config/oauth.json (and /plugins/users-permissions/node_modules/grant/config/oauth.json) in my project. You could probably pretty safely do a find and replace in the project folder for login.microsoftonline.com/common/ and replace it with your tenant id.

[lauriejim]

Okay but the old way work. For now I suggest to use this solution.
We plan te review the provider auth system to make it works with providers (like email and upload plugins)
So we will not update things right now.

And thank you for your hack ;)

[wh1337]

Just letting everyone know that this is still an issues. When building a new net strapi build, there is no /plugins/* folder to do the hack that @jsve recommended. I even wen through the docs to look about adding a new provider, however the stuff for Microsoft looked correct to actually call the graph. Anyone know where the login.microsoftonline.com/common/ is actually located? Trying to get this connected to my companies Active Directory :)

edit: spelling

[zbrcz]

The hack still works, just those oauth.json files are located elsewhere (at least on my system) because grant has been installed to top-level node_modules.

Once you locate the files there, replace common with <your-tenant-endpoint> (e.g. yourtenant.onmicrosoft.com) in the URLs and rebuild your Strapi instance, it should start working.

However, a much cleaner solution is to copy https://github.com/strapi/strapi/blob/master/packages/strapi-plugin-users-permissions/controllers/Auth.js into <your-project-root>/extensions/users-permissions/controllers/Auth.js and override the URLs just above the return statement of the connect function.

grantConfig[provider].authorize_url =
  'https://login.microsoftonline.com/<your-tenant-endpoint>/oauth2/v2.0/authorize';
grantConfig[provider].access_url =
  'https://login.microsoftonline.com/<your-tenant-endpoint>/oauth2/v2.0/token';

Then, of course, rebuild Strapi.

[lauriejim]

Hello! can you please submit a PR to fix this for everyone please. Thank you :)

[zbrcz]

Well, I think the real fix should be different than my "hack". I'd say a field for the tenant endpoint should be added into the Microsoft provider configuration dialog and the endpoint should be stored in the DB and then used in the requests.

I'd love to help but the solution is non-trivial and I am unfortunately working on a project past its deadline at the moment... Maybe when it's over...

[khaelys]

Another hack is to override the grant configuration inside /config/functions/bootstrap.js of your strapi project.

const _ = require('lodash');

module.exports = async () => {
  const pluginStore = strapi
    .store({
      environment: '',
      type: 'plugin',
      name: 'users-permissions',
      key: 'grant',
    })
  const prevGrantConfig = (await pluginStore.get({key: 'grant'})) || {};
  // store grant auth config to db
  // when plugin_users-permissions_grant is not existed in db
  // or we have added/deleted provider here.

  const grantConfig = {
    microsoft: {
      authorize_url: "https://login.microsoftonline.com/<your-tenant-endpoint>/oauth2/v2.0/authorize",
      access_url: "https://login.microsoftonline.com/<your-tenant-endpoint>/oauth2/v2.0/token"
    }
  }
  if (!prevGrantConfig || !_.isEqual(_.keys(prevGrantConfig), _.keys(grantConfig))) {
    // merge with the previous provider config.
    _.keys(grantConfig).forEach(key => {
      if (key in prevGrantConfig) {
        grantConfig[key] = _.merge(grantConfig[key], prevGrantConfig[key]);
      }
    });
    await pluginStore.set({key: 'grant', value: grantConfig});
  }

};

In this way, you do not need to rebuild strapi or modify external dependencies.

[baermathias]

Did you follow this documentation https://github.com/strapi/strapi-examples/blob/master/login-react/doc/microsoft_setup.md
Just tested it and it work well!

@lauriejim the link doesn't exist

[derrickmehaffy]

Well I would say it should be on: https://strapi.io/documentation/v3.x/plugins/users-permissions.html#setting-up-the-provider-examples

But I just noticed we are missing the microsoft one there. Can you open a new issue for that and we can add it to the docs? Thank you

[jfngoo]

This is still an issue, and should be re-opened in my opinion.

From what I understand, Microsoft provider does work with multi-tenant apps but not single-tenant. As @jsve and @zbrcz stated it comes from the /common endpoint that should be the tenant ID instead. I think we should be able to provide the Microsoft tenant ID in the admin panel configuration, so the link generates with the right tenant ID for single-tenant apps instead of /common.

Meanwhile the workaround provided by @khaelys helped me a lot. I gave it my little twist, because his code snippet didn't work when I changed the tenant ID somehow. It will override with the right tenant ID every time the server restarts. Might help some people struggling too:

module.exports = async () => {
  const pluginStore = strapi
    .store({
      environment: '',
      type: 'plugin',
      name: 'users-permissions',
      key: 'grant',
    })

  // Get actual grant config
  const prevGrantConfig = (await pluginStore.get({key: 'grant'})) || {}

  // Setup Microsoft grant config
  const endpoint = process.env.MICROSOFT_AUTH_TENANT_ID || 'common'
  const microsoftGrantConfig = {
    authorize_url: `https://login.microsoftonline.com/${endpoint}/oauth2/v2.0/authorize`,
    access_url: `https://login.microsoftonline.com/${endpoint}/oauth2/v2.0/token`
  }

  // Merge previous config and overwrite with our custom Microsoft grant config
  const newGrantConfig = {
    ...prevGrantConfig,
    microsoft: {
      ...prevGrantConfig.microsoft,
      ...microsoftGrantConfig
    }
  }

  // Overwrite grant Config
  await pluginStore.set({key: 'grant', value: newGrantConfig})
}

[strapi-bot]

This issue has been mentioned on Strapi Community Forum. There might be relevant details there:

https://forum.strapi.io/t/microsoft-auth-with-specific-tenant/234/3