feat(oauth-providers): Add MSEntra OAuth Provider

Author: TimBarley

Diff for: .changeset/sixty-cobras-live.md

@@ -0,0 +1,5 @@
+---
+'@hono/oauth-providers': minor
+---
+
+The PR adds Microsoft Entra (AzureAD) to the list of supported 3rd-party OAuth providers.

Diff for: packages/oauth-providers/README.md

@@ -1086,6 +1086,128 @@ The validation endpoint helps your application detect when tokens become invalid
 
 > For security and compliance, make sure to implement regular token validation in your application. If a token becomes invalid, promptly sign out the user and terminate their OAuth session.
 
+### MSEntra
+
+```ts
+import { Hono } from 'hono'
+import { msentraAuth } from '@hono/oauth-providers/msentra'
+
+const app = new Hono()
+
+app.use(
+  '/msentra',
+  msentraAuth({
+    client_id: process.env.MSENTRA_ID,
+    client_secret: process.env.MSENTRA_SECRET,
+    tenant_id: process.env.MSENTRA_TENANT_ID
+    scope: [
+      'openid',
+      'profile',
+      'email',
+      'https;//graph.microsoft.com/.default',
+    ]
+  })
+)
+
+export default app
+```
+
+### Parameters
+
+- `client_id`:
+  - Type: `string`.
+  - `Required`.
+  - Your app client Id. You can find this in your Azure Portal.
+- `client_secret`:
+  - Type: `string`.
+  - `Required`.
+  - Your app client secret. You can find this in your Azure Portal.
+    > ⚠️ Do **not** share your **client secret** to ensure the security of your app.
+- `tenant_id`:
+  - Type: `string`
+  - `Required`.
+  - Your Microsoft Tenant's Id. You can find this in your Azure Portal.
+- `scope`:
+  - Type: `string[]`.
+  - `Required`.
+  - Set of **permissions** to request the user's authorization to access your app for retrieving
+    user information and performing actions on their behalf.
+
+#### Authentication Flow
+
+After the completion of the MSEntra OAuth flow, essential data has been prepared for use in the
+subsequent steps that your app needs to take.
+
+`msentraAuth` method provides 4 set key data:
+
+- `token`:
+  - Access token to make requests to the MSEntra API for retrieving user information and
+    performing actions on their behalf.
+  - Type:
+    ```
+    {
+      token: string
+      expires_in: number
+      refresh_token: string
+    }
+    ```
+- `granted-scopes`:
+  - Scopes for which the user has granted permissions.
+  - Type: `string[]`.
+- `user-msentra`:
+  - User basic info retrieved from MSEntra
+  - Type:
+    ```
+    {
+      businessPhones: string[],
+      displayName: string
+      givenName: string
+      jobTitle: string
+      mail: string
+      mobilePhone: string
+      officeLocation: string
+      surname: string
+      userPrincipalName: string
+      id: string
+    }
+    ```
+
+> [!NOTE]
+> To access this data, utilize the `c.get` method within the callback of the upcoming HTTP request
+> handler.
+
+```ts
+app.get('/msentra', (c) => {
+  const token = c.get('token')
+  const grantedScopes = c.get('granted-scopes')
+  const user = c.get('user-msentra')
+
+  return c.json({
+    token,
+    grantedScopes,
+    user,
+  })
+})
+```
+
+#### Refresh Token
+
+Once the user token expires you can refresh their token without the need to prompt the user again
+for access. In such scenario, you can utilize the `refreshToken` method, which accepts the
+`client_id`, `client_secret`, `tenant_id`, and `refresh_token` as parameters.
+
+> [!NOTE]
+> The `refresh_token` can be used once. Once the token is refreshed MSEntra gives you a new
+> `refresh_token` along with the new token.
+
+```ts
+import { msentraAuth, refreshToken } from '@hono/oauth-providers/msentra'
+
+app.get('/msentra/refresh', (c, next) => {
+  const newTokens = await refreshToken({ client_id, client_secret, tenant_id, refresh_token })
+})
+```
+
 ## Advance Usage
 
 ### Customize `redirect_uri`

Diff for: packages/oauth-providers/package.json

@@ -93,6 +93,16 @@
         "types": "./dist/providers/twitch/index.d.ts",
         "default": "./dist/providers/twitch/index.js"
       }
+    },
+    "./msentra": {
+      "import": {
+        "types": "./dist/providers/msentra/index.d.mts",
+        "default": "./dist/providers/msentra/index.mjs"
+      },
+      "require": {
+        "types": "./dist/providers/msentra/index.d.ts",
+        "default": "./dist/providers/msentra/index.js"
+      }
     }
   },
   "typesVersions": {
@@ -117,6 +127,9 @@
       ],
       "twitch": [
         "./dist/providers/twitch/index.d.ts"
+      ],
+      "msentra": [
+        "./dist/providers/msentra/index.d.ts"
       ]
     }
   },

Diff for: packages/oauth-providers/src/providers/msentra/authFlow.ts

@@ -0,0 +1,124 @@
+import { HTTPException } from 'hono/http-exception'
+
+import { toQueryParams } from '../../utils/objectToQuery'
+import type { MSEntraErrorResponse, MSEntraToken, MSEntraTokenResponse, MSEntraUser } from './types'
+
+type MSEntraAuthFlow = {
+  client_id: string
+  client_secret: string
+  tenant_id: string
+  redirect_uri: string
+  code: string | undefined
+  token: MSEntraToken | undefined
+  scope: string[]
+  state?: string
+}
+
+export class AuthFlow {
+  client_id: string
+  client_secret: string
+  tenant_id: string
+  redirect_uri: string
+  code: string | undefined
+  token: MSEntraToken | undefined
+  scope: string[]
+  state: string | undefined
+  user: Partial<MSEntraUser> | undefined
+  granted_scopes: string[] | undefined
+
+  constructor({
+    client_id,
+    client_secret,
+    tenant_id,
+    redirect_uri,
+    code,
+    token,
+    scope,
+    state,
+  }: MSEntraAuthFlow) {
+    this.client_id = client_id
+    this.client_secret = client_secret
+    this.tenant_id = tenant_id
+    this.redirect_uri = redirect_uri
+    this.code = code
+    this.token = token
+    this.scope = scope
+    this.state = state
+    this.user = undefined
+
+    if (
+      this.client_id === undefined ||
+      this.client_secret === undefined ||
+      this.tenant_id === undefined ||
+      this.scope.length <= 0
+    ) {
+      throw new HTTPException(400, {
+        message: 'Required parameters were not found. Please provide them to proceed.',
+      })
+    }
+  }
+
+  redirect() {
+    const parsedOptions = toQueryParams({
+      response_type: 'code',
+      redirect_uri: this.redirect_uri,
+      client_id: this.client_id,
+      include_granted_scopes: true,
+      scope: this.scope.join(' '),
+      state: this.state,
+    })
+    return `https://login.microsoft.com/${this.tenant_id}/oauth2/v2.0/authorize?${parsedOptions}`
+  }
+
+  async getTokenFromCode() {
+    const parsedOptions = toQueryParams({
+      client_id: this.client_id,
+      client_secret: this.client_secret,
+      redirect_uri: this.redirect_uri,
+      code: this.code,
+      grant_type: 'authorization_code',
+    })
+    const response = (await fetch(
+      `https://login.microsoft.com/${this.tenant_id}/oauth2/v2.0/token`,
+      {
+        method: 'POST',
+        headers: {
+          'content-type': 'application/x-www-form-urlencoded',
+        },
+        body: parsedOptions,
+      }
+    ).then((res) => res.json())) as MSEntraTokenResponse | MSEntraErrorResponse
+
+    if ('error' in response) {
+      throw new HTTPException(400, { message: response.error })
+    }
+
+    if ('access_token' in response) {
+      this.token = {
+        token: response.access_token,
+        expires_in: response.expires_in,
+        refresh_token: response.refresh_token,
+      }
+
+      this.granted_scopes = response.scope.split(' ')
+    }
+  }
+
+  async getUserData() {
+    await this.getTokenFromCode()
+    //TODO: add support for extra fields
+    const response = (await fetch('https://graph.microsoft.com/v1.0/me', {
+      headers: {
+        authorization: `Bearer ${this.token?.token}`,
+      },
+    }).then(async (res) => res.json())) as MSEntraUser | MSEntraErrorResponse
+
+    if ('error' in response) {
+      throw new HTTPException(400, { message: response.error })
+    }
+
+    if ('id' in response) {
+      this.user = response
+    }
+  }
+}

Diff for: packages/oauth-providers/src/providers/msentra/index.ts

@@ -0,0 +1,11 @@
+export { msentraAuth } from './msentraAuth'
+export { refreshToken } from './refreshToken'
+export * from './types'
+import type { OAuthVariables } from '../../types'
+import type { MSEntraUser } from './types'
+
+declare module 'hono' {
+  interface ContextVariableMap extends OAuthVariables {
+    'user-msentra': Partial<MSEntraUser> | undefined
+  }
+}

Diff for: packages/oauth-providers/src/providers/msentra/msentraAuth.ts

@@ -0,0 +1,63 @@
+import type { MiddlewareHandler } from 'hono'
+import { env } from 'hono/adapter'
+import { getCookie, setCookie } from 'hono/cookie'
+import { HTTPException } from 'hono/http-exception'
+
+import { getRandomState } from '../../utils/getRandomState'
+import { AuthFlow } from './authFlow'
+
+export function msentraAuth(options: {
+  client_id?: string
+  client_secret?: string
+  tenant_id?: string
+  redirect_uri?: string
+  code?: string | undefined
+  scope: string[]
+  state?: string
+}): MiddlewareHandler {
+  return async (c, next) => {
+    // Generate encoded "keys" if not provided
+    const newState = options.state || getRandomState()
+    // Create new Auth instance
+    const auth = new AuthFlow({
+      client_id: options.client_id || (env(c).MSENTRA_ID as string),
+      client_secret: options.client_secret || (env(c).MSENTRA_SECRET as string),
+      tenant_id: options.tenant_id || (env(c).MSENTRA_TENANT_ID as string),
+      redirect_uri: options.redirect_uri || c.req.url.split('?')[0],
+      code: c.req.query('code'),
+      token: {
+        token: c.req.query('access_token') as string,
+        expires_in: Number(c.req.query('expires_in')) as number,
+      },
+      scope: options.scope,
+    })
+
+    // Redirect to login dialog
+    if (!auth.code) {
+      setCookie(c, 'state', newState, {
+        maxAge: 60 * 10,
+        httpOnly: true,
+        path: '/',
+      })
+      return c.redirect(auth.redirect())
+    }
+
+    // Avoid CSRF attack by checking state
+    if (c.req.url.includes('?')) {
+      const storedState = getCookie(c, 'state')
+      if (c.req.query('state') !== storedState) {
+        throw new HTTPException(401)
+      }
+    }
+
+    // Retrieve user data from Microsoft Entra
+    await auth.getUserData()
+
+    // Set return info
+    c.set('token', auth.token)
+    c.set('user-msentra', auth.user)
+    c.set('granted-scopes', auth.granted_scopes)
+
+    await next()
+  }
+}