feat: add auth via Microsoft Entra ID as an additional auth option

Fixes #1821
langfuse · Apr 23, 2024 · 3dd8d9d · 3dd8d9d
1 parent 10c0b18
commit 3dd8d9d
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 0 deletions.
diff --git a/.env.prod.example b/.env.prod.example
@@ -50,6 +50,10 @@ LANGFUSE_CSP_ENFORCE_HTTPS="true"
 # AUTH_AZURE_AD_CLIENT_SECRET=
 # AUTH_AZURE_AD_TENANT_ID=
 # AUTH_AZURE_ALLOW_ACCOUNT_LINKING=false
+# AUTH_MICROSOFT_ENTRA_ID_ID=
+# AUTH_MICROSOFT_ENTRA_ID_SECRET=
+# AUTH_MICROSOFT_ENTRA_ID_TENANT_ID=
+# AUTH_MICROSOFT_ENTRA_ID_ALLOW_ACCOUNT_LINKING=false
 # AUTH_OKTA_CLIENT_ID=
 # AUTH_OKTA_CLIENT_SECRET=
 # AUTH_OKTA_ISSUER=

diff --git a/web/src/env.mjs b/web/src/env.mjs
@@ -51,6 +51,10 @@ export const env = createEnv({
     AUTH_AZURE_AD_CLIENT_SECRET: z.string().optional(),
     AUTH_AZURE_AD_TENANT_ID: z.string().optional(),
     AUTH_AZURE_ALLOW_ACCOUNT_LINKING: z.enum(["true", "false"]).optional(),
+    AUTH_MICROSOFT_ENTRA_ID_ID: z.string().optional(),
+    AUTH_MICROSOFT_ENTRA_ID_SECRET: z.string().optional(),
+    AUTH_MICROSOFT_ENTRA_ID_TENANT_ID: z.string().optional(),
+    AUTH_MICROSOFT_ENTRA_ID_ALLOW_ACCOUNT_LINKING: z.enum(["true", "false"]).optional(),
     AUTH_OKTA_CLIENT_ID: z.string().optional(),
     AUTH_OKTA_CLIENT_SECRET: z.string().optional(),
     AUTH_OKTA_ISSUER: z.string().optional(),
@@ -143,6 +147,10 @@ export const env = createEnv({
     AUTH_AZURE_AD_TENANT_ID: process.env.AUTH_AZURE_AD_TENANT_ID,
     AUTH_AZURE_ALLOW_ACCOUNT_LINKING:
       process.env.AUTH_AZURE_ALLOW_ACCOUNT_LINKING,
+    AUTH_MICROSOFT_ENTRA_ID_ID: process.env.AUTH_MICROSOFT_ENTRA_ID_ID,
+    AUTH_MICROSOFT_ENTRA_ID_SECRET: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
+    AUTH_MICROSOFT_ENTRA_ID_TENANT_ID: process.env.AUTH_MICROSOFT_ENTRA_ID_TENANT_ID,
+    AUTH_MICROSOFT_ENTRA_ID_ALLOW_ACCOUNT_LINKING: process.env.AUTH_MICROSOFT_ENTRA_ID_ALLOW_ACCOUNT_LINKING,
     AUTH_OKTA_CLIENT_ID: process.env.AUTH_OKTA_CLIENT_ID,
     AUTH_OKTA_CLIENT_SECRET: process.env.AUTH_OKTA_CLIENT_SECRET,
     AUTH_OKTA_ISSUER: process.env.AUTH_OKTA_ISSUER,
@@ -185,3 +193,4 @@ export const env = createEnv({
   // DOCKER_BUILD is set in Dockerfile
   skipValidation: process.env.DOCKER_BUILD === "1",
 });
+
diff --git a/web/src/server/auth.ts b/web/src/server/auth.ts
@@ -20,6 +20,7 @@ import GitHubProvider from "next-auth/providers/github";
 import OktaProvider from "next-auth/providers/okta";
 import Auth0Provider from "next-auth/providers/auth0";
 import AzureADProvider from "next-auth/providers/azure-ad";
+import MicrosoftEntraIdProvider from "next-auth/providers/microsoft-entra-id";
 import { type Provider } from "next-auth/providers/index";
 import { getCookieName, cookieOptions } from "./utils/cookies";
 import {
@@ -178,6 +179,21 @@ if (
     }),
   );
 
+if (
+  env.AUTH_MICROSOFT_ENTRA_ID_ID &&
+  env.AUTH_MICROSOFT_ENTRA_ID_SECRET &&
+  env.AUTH_MICROSOFT_ENTRA_ID_TENANT_ID
+)
+  staticProviders.push(
+    MicrosoftEntraIdProvider({
+      clientId: process.env.AUTH_MICROSOFT_ENTRA_ID_ID,
+      clientSecret: process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
+      tenantId: process.env.AUTH_MICROSOFT_ENTRA_ID_TENANT_ID,
+      allowDangerousEmailAccountLinking:
+        process.env.AUTH_MICROSOFT_ENTRA_ID_ALLOW_ACCOUNT_LINKING === "true",
+    }),
+  );
+
 // Extend Prisma Adapter
 const prismaAdapter = PrismaAdapter(prisma);
 const extendedPrismaAdapter: Adapter = {