Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Entra ID provider causes JWTInvalid: JWTs must use Compact JWS serialization, JWT must be a string error #12187

Closed
ay13 opened this issue Nov 5, 2024 · 11 comments
Closed

Entra ID provider causes JWTInvalid: JWTs must use Compact JWS serialization, JWT must be a string error #12187

ay13 opened this issue Nov 5, 2024 · 11 comments
Labels
bug Something isn't working providers triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.

Comments

@ay13
Copy link

ay13 commented Nov 5, 2024
edited
Loading

Provider type

This is using Entra ID provider. Entra wasnt an option in the drop down so I chose AD
Azure Active Directory

Environment

  System:
    OS: macOS 14.5
    CPU: (10) arm64 Apple M1 Pro
    Memory: 27.52 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.18.0 - ~/.nvm/versions/node/v20.18.0/bin/node
    Yarn: 1.22.22 - ~/.nvm/versions/node/v20.18.0/bin/yarn
    npm: 10.8.2 - ~/.nvm/versions/node/v20.18.0/bin/npm
    pnpm: 9.9.0 - ~/.nvm/versions/node/v20.18.0/bin/pnpm
  Browsers:
    Chrome: 130.0.6723.92
    Edge: 130.0.2849.68
    Safari: 17.5
  npmPackages:
    @auth/sveltekit: ^1.7.3 => 1.7.3

Reproduction URL

https://github.com/ay13/auth-entra

Describe the issue

After the initial auth process it redirects back to the app and displays the message:

Server error

There is a problem with the server configuration.

Check the server logs for more information.

in the console I see the error:

[auth][details]: {
"provider": "microsoft-entra-id"
}
[auth][error] CallbackRouteError: Read more at https://errors.authjs.dev#callbackrouteerror
[auth][cause]: JWTInvalid: JWTs must use Compact JWS serialization, JWT must be a string

How to reproduce

  1. New SvelteKit project using npx sv create
  2. Set up SvelteKit integration using directions from https://authjs.dev/getting-started/installation?framework=SvelteKit
  3. Set up the Entra ID provider using https://authjs.dev/getting-started/providers/microsoft-entra-id
  4. Try to sign in.

Expected behavior

I expected to authenticate without an error
@ay13 ay13 added bug Something isn't working providers triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime. labels Nov 5, 2024
@diego-gt
Copy link

Hi @ay13 !
I ran into this issue as well, my specific cause was that I was not setting the issuer url correctly.

Assuming that you're trying to use a Microsoft 365 business plan for this, please try to verify that your issuer variable is set to https://login.microsoftonline.com/{tenantId}/v2.0, you can reference the docs here https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#find-your-apps-openid-configuration-document-uri.

Hopefully that helps.

@ay13
Copy link
Author

ay13 commented Nov 11, 2024

Thanks for the reply @diego-gt , I verified that my issuer is set up the correct way. Same issue.

@ay13
Copy link
Author

ay13 commented Nov 11, 2024

Disregard this issue, it was my mistake.

In the redirect section of Entra ID I set my redirect as a Single-page app, when I set it as a web app it worked correctly.

@ay13 ay13 closed this as completed Nov 11, 2024
@warrantor
Copy link

Hi @ay13
I've also been racking my brain on this for 3 days.
Is this the proposed fix, setting the redirect as a web app?
Does everything work as expected?

Thanks!

@ay13
Copy link
Author

ay13 commented Nov 11, 2024
edited
Loading

@warrantor For me, setting the platform to Web worked and Single-page application did not. I believe Entra returns the token differntly based on which of those you select.
image

How my Authentication settings look now.
image

@diego-gt
Copy link

Glad you got it working!
Yes, the redirect should be set as a Web app instead of SPA, the Entra platform will provide different tokens (Access Tokens for SPAs vs ID Tokens for Web app) depending on that type.
It doesn't limit you to use only server components, it works on both. The way you access the session is different though.
Docs for app types: https://learn.microsoft.com/en-us/entra/identity-platform/v2-app-types

@brandonavant
Copy link

Disregard this issue, it was my mistake.

In the redirect section of Entra ID I set my redirect as a Single-page app, when I set it as a web app it worked correctly.

I'd like to confirm that this fixed the issue for me as well.

@yangyao1234
Copy link

@warrantor For me, setting the platform to Web worked and Single-page application did not. I believe Entra returns the token differntly based on which of those you select. image

How my Authentication settings look now. image

great . it works ,

@sicarius97
Copy link

@yangyao1234 @ay13 @brandonavant Are you guys on next auth v5 or v4? Im using nextjs but I am having issues with this as well, even when set up as a web app

@sicarius97
Copy link

@warrantor @diego-gt This is the error that I am getting on the callback:
image

@brandonavant
Copy link

@yangyao1234 @ay13 @brandonavant Are you guys on next auth v5 or v4? Im using nextjs but I am having issues with this as well, even when set up as a web app

@sicarius97 , I am using v5 but will be moving down to v4 as v5 is still beta.

For v5, the fix was setting the platform to web.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working providers triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@ay13 @warrantor @brandonavant @sicarius97 @diego-gt @yangyao1234