Merge pull request #975 from Azure/developer/long/issuer

LongOddCode · web-flow · commit 2102e1cd6204 · 2025-09-05T11:14:02.000+08:00
fix: find auth_endpoint from OpenIDIssuer for aad
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
-  "name": "@azure/static-web-apps-cli",
   "version": "2.0.6",
+  "name": "@azure/static-web-apps-cli",
   "description": "Azure Static Web Apps CLI",
   "type": "module",
   "scripts": {
@@ -55,6 +55,7 @@
     "keytar": "^7.9.0",
     "node-fetch": "^2.7.0",
     "open": "^8.4.2",
+    "openid-client": "^6.7.1",
     "ora": "^5.4.1",
     "pem": "^1.14.8",
     "prompts": "^2.4.2",
diff --git a/src/core/utils/openidHelper.ts b/src/core/utils/openidHelper.ts
@@ -0,0 +1,35 @@
+import * as client from "openid-client";
+
+export class OpenIdHelper {
+  private issuerUrl: URL;
+  private clientId: string;
+
+  constructor(issuerUrl: string, clientId: string) {
+    if (!issuerUrl || issuerUrl.trim() === "") {
+      throw new Error("Issuer URL is required");
+    }
+    if (!clientId || clientId.trim() === "") {
+      throw new Error("Client ID is required");
+    }
+    this.issuerUrl = new URL(issuerUrl);
+    this.clientId = clientId;
+  }
+
+  /**
+   * Discover issuer metadata from the OpenID Connect provider
+   */
+  async discoverIssuer() {
+    return await client.discovery(this.issuerUrl, this.clientId);
+  }
+
+  /**
+   * Retrieve the authorization endpoint from the issuer
+   */
+  async getAuthorizationEndpoint(): Promise<string> {
+    const issuer = await this.discoverIssuer();
+    if (!issuer.serverMetadata().authorization_endpoint) {
+      throw new Error("Authorization endpoint not found in issuer metadata");
+    }
+    return issuer.serverMetadata().authorization_endpoint!;
+  }
+}
diff --git a/src/msha/auth/routes/auth-login-provider-custom.ts b/src/msha/auth/routes/auth-login-provider-custom.ts
@@ -4,6 +4,7 @@ import { response } from "../../../core/utils/net.js";
 import { CUSTOM_AUTH_REQUIRED_FIELDS, ENTRAID_FULL_NAME, SWA_CLI_APP_PROTOCOL } from "../../../core/constants.js";
 import { DEFAULT_CONFIG } from "../../../config.js";
 import { encryptAndSign, extractPostLoginRedirectUri, hashStateGuid, newNonceWithExpiration } from "../../../core/utils/auth.js";
+import { OpenIdHelper } from "../../../core/utils/openidHelper.js";
 
 export const normalizeAuthProvider = function (providerName?: string) {
   if (providerName === ENTRAID_FULL_NAME) {
@@ -87,7 +88,8 @@ const httpTrigger = async function (context: Context, request: IncomingMessage,
       location = `https://github.com/login/oauth/authorize?response_type=code&client_id=${authFields?.clientIdSettingName}&redirect_uri=${redirectUri}/.auth/login/github/callback&scope=read:user&state=${hashedState}`;
       break;
     case "aad":
-      location = `${authFields?.openIdIssuer}/authorize?response_type=code&client_id=${authFields?.clientIdSettingName}&redirect_uri=${redirectUri}/.auth/login/aad/callback&scope=openid+profile+email&state=${hashedState}`;
+      const authorizationEndpoint = await new OpenIdHelper(authFields?.openIdIssuer, authFields?.clientIdSettingName).getAuthorizationEndpoint();
+      location = `${authorizationEndpoint}?response_type=code&client_id=${authFields?.clientIdSettingName}&redirect_uri=${redirectUri}/.auth/login/aad/callback&scope=openid+profile+email&state=${hashedState}`;
       break;
     case "facebook":
       location = `https://facebook.com/v11.0/dialog/oauth?client_id=${authFields?.appIdSettingName}&redirect_uri=${redirectUri}/.auth/login/facebook/callback&scope=openid&state=${hashedState}&response_type=code`;
