next-auth: Azure AD B2C throws auth_callback_error JWT not active yet
Question 💬
I’m using this repo but commented out all providers and just set Azure AD B2C.
import NextAuth from "next-auth"
import AzureB2CProvider from "next-auth/providers/azure-ad-b2c"

export default NextAuth({
  providers: [
    AzureB2CProvider({
      tenantId: process.env.AZURE_AD_B2C_TENANT_NAME,
      clientId: process.env.AZURE_AD_B2C_CLIENT_ID,
      clientSecret: process.env.AZURE_AD_B2C_CLIENT_SECRET,
      primaryUserFlow: process.env.AZURE_AD_B2C_PRIMARY_USER_FLOW,
      authorization: { params: { scope: "offline_access openid" } }, // btw, this is not explained properly in the documentation
    })
  ]
  // everything else equal to the example repo...
})
I have followed the basic configuration described here. Not sure if the Advanced is also needed or optional.
I’ve set my Azure AD B2C callback URL to http://localhost:3000/api/auth/callback/azure-ad-b2c
When I click Sign In with Azure AD B2C, I see in the network tab of my devtools that I’m indeed being redirected to my B2C tenant /authorize endpoint and then back to /api/callback/azure-ad-b2c with a state query string param.
The browser is redirected to /api/auth/error?error=OAuthCallback and the console shows the following (debug enabled).
[next-auth][debug][OAUTH_CALLBACK_PROTECTION] {
state: '18e7f650b6217557a54f8759c7f3f087a3df1b8d7b8c3d7a44c0831d060a9694',
csrfToken: 'af9b2355283971f4ba4809f0c1e41fab417bc8cd1d50fb212ec30fa4a4afa051'
}
[next-auth][debug][GET_AUTHORIZATION_URL] {
url: 'https://dgpav2dev.b2clogin.com/dgpav2dev.onmicrosoft.com/b2c_1_signupsignin1/oauth2/v2.0/authorize?client_id=0d3c674a-8aaf-41c0-8bad-36ebf325f59d&scope=offline_access%20openid&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fcallback%2Fazure-ad-b2c&nextauth=signin%2Cazure-ad-b2c&state=18e7f650b6217557a54f8759c7f3f087a3df1b8d7b8c3d7a44c0831d060a9694'
}
[next-auth][debug][PROFILE_DATA] {
OAuthProfile: {
exp: 1635524073,
nbf: 1635520473,
ver: '1.0',
iss: 'https://dgpav2dev.b2clogin.com/bd51fb4d-a1b4-42b2-a322-3e8d6a829dd3/v2.0/',
sub: 'bca5df8c-2d64-47df-bdc1-201bd5be8146',
aud: '0d3c674a-8aaf-41c0-8bad-36ebf325f59d',
iat: 1635520473,
auth_time: 1635520471,
oid: 'bca5df8c-2d64-47df-bdc1-201bd5be8146',
newUser: true,
country: 'Spain',
given_name: 'Emiliano',
state: 'Palma',
family_name: 'Parizzi',
tfp: 'B2C_1_signupsignin1',
user: null
}
}
[next-auth][error][OAUTH_PARSE_PROFILE_ERROR]
https://next-auth.js.org/errors#oauth_parse_profile_error Cannot read property '0' of undefined {
error: {
message: "Cannot read property '0' of undefined",
stack: "TypeError: Cannot read property '0' of undefined\n" +
' at Object.profile (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\providers\\azure-ad-b2c.js:24:30)\n' +
' at getProfile (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\core\\lib\\oauth\\callback.js:161:36)\n' +
' at oAuthCallback (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\core\\lib\\oauth\\callback.js:131:33)\n' +
' at processTicksAndRejections (internal/process/task_queues.js:95:5)\n' +
' at async Object.callback (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\core\\routes\\callback.js:50:11)\n' +
' at async NextAuthHandler (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\core\\index.js:103:28)\n' +
' at async NextAuthNextHandler (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\next\\index.js:40:7)\n' +
' at async C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\next\\index.js:80:32\n' +
' at async Object.apiResolver (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next\\dist\\server\\api-utils.js:102:9)\n' +
' at async DevServer.handleApiRequest (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next\\dist\\server\\next-server.js:1017:9)',
name: 'TypeError'
},
OAuthProfile: {
exp: 1635524073,
nbf: 1635520473,
ver: '1.0',
iss: 'https://dgpav2dev.b2clogin.com/bd51fb4d-a1b4-42b2-a322-3e8d6a829dd3/v2.0/',
sub: 'bca5df8c-2d64-47df-bdc1-201bd5be8146',
aud: '0d3c674a-8aaf-41c0-8bad-36ebf325f59d',
iat: 1635520473,
auth_time: 1635520471,
oid: 'bca5df8c-2d64-47df-bdc1-201bd5be8146',
newUser: true,
country: 'Spain',
given_name: 'Emiliano',
state: 'Palma',
family_name: 'Parizzi',
tfp: 'B2C_1_signupsignin1',
user: null
},
message: "Cannot read property '0' of undefined"
}
[next-auth][debug][OAUTH_CALLBACK_RESPONSE] {
profile: null,
account: null,
OAuthProfile: {
exp: 1635524073,
nbf: 1635520473,
ver: '1.0',
iss: 'https://dgpav2dev.b2clogin.com/bd51fb4d-a1b4-42b2-a322-3e8d6a829dd3/v2.0/',
sub: 'bca5df8c-2d64-47df-bdc1-201bd5be8146',
aud: '0d3c674a-8aaf-41c0-8bad-36ebf325f59d',
iat: 1635520473,
auth_time: 1635520471,
oid: 'bca5df8c-2d64-47df-bdc1-201bd5be8146',
newUser: true,
country: 'Spain',
given_name: 'Emiliano',
state: 'Palma',
family_name: 'Parizzi',
tfp: 'B2C_1_signupsignin1',
user: null
}
}
[next-auth][debug][OAUTH_CALLBACK_PROTECTION] {
state: '18e7f650b6217557a54f8759c7f3f087a3df1b8d7b8c3d7a44c0831d060a9694',
csrfToken: 'af9b2355283971f4ba4809f0c1e41fab417bc8cd1d50fb212ec30fa4a4afa051'
}
[next-auth][debug][GET_AUTHORIZATION_URL] {
url: 'https://dgpav2dev.b2clogin.com/dgpav2dev.onmicrosoft.com/b2c_1_signupsignin1/oauth2/v2.0/authorize?client_id=0d3c674a-8aaf-41c0-8bad-36ebf325f59d&scope=offline_access%20openid&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fcallback%2Fazure-ad-b2c&nextauth=signin%2Cazure-ad-b2c&state=18e7f650b6217557a54f8759c7f3f087a3df1b8d7b8c3d7a44c0831d060a9694'
}
[next-auth][debug][PROFILE_DATA] {
OAuthProfile: {
exp: 1635524313,
nbf: 1635520713,
ver: '1.0',
iss: 'https://dgpav2dev.b2clogin.com/bd51fb4d-a1b4-42b2-a322-3e8d6a829dd3/v2.0/',
sub: 'bca5df8c-2d64-47df-bdc1-201bd5be8146',
aud: '0d3c674a-8aaf-41c0-8bad-36ebf325f59d',
iat: 1635520713,
auth_time: 1635520710,
oid: 'bca5df8c-2d64-47df-bdc1-201bd5be8146',
newUser: true,
country: 'Spain',
given_name: 'Emiliano',
state: 'Palma',
family_name: 'Parizzi',
tfp: 'B2C_1_signupsignin1',
user: null
}
}
[next-auth][error][OAUTH_PARSE_PROFILE_ERROR]
https://next-auth.js.org/errors#oauth_parse_profile_error Cannot read property '0' of undefined {
error: {
message: "Cannot read property '0' of undefined",
stack: "TypeError: Cannot read property '0' of undefined\n" +
' at Object.profile (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\providers\\azure-ad-b2c.js:24:30)\n' +
' at getProfile (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\core\\lib\\oauth\\callback.js:161:36)\n' +
' at oAuthCallback (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\core\\lib\\oauth\\callback.js:131:33)\n' +
' at processTicksAndRejections (internal/process/task_queues.js:95:5)\n' +
' at async Object.callback (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\core\\routes\\callback.js:50:11)\n' +
' at async NextAuthHandler (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\core\\index.js:103:28)\n' +
' at async NextAuthNextHandler (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\next\\index.js:40:7)\n' +
' at async C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\next\\index.js:80:32\n' +
' at async Object.apiResolver (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next\\dist\\server\\api-utils.js:102:9)\n' +
' at async DevServer.handleApiRequest (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next\\dist\\server\\next-server.js:1017:9)',
name: 'TypeError'
},
OAuthProfile: {
exp: 1635524313,
nbf: 1635520713,
ver: '1.0',
iss: 'https://dgpav2dev.b2clogin.com/bd51fb4d-a1b4-42b2-a322-3e8d6a829dd3/v2.0/',
sub: 'bca5df8c-2d64-47df-bdc1-201bd5be8146',
aud: '0d3c674a-8aaf-41c0-8bad-36ebf325f59d',
iat: 1635520713,
auth_time: 1635520710,
oid: 'bca5df8c-2d64-47df-bdc1-201bd5be8146',
newUser: true,
country: 'Spain',
given_name: 'Emiliano',
state: 'Palma',
family_name: 'Parizzi',
tfp: 'B2C_1_signupsignin1',
user: null
},
message: "Cannot read property '0' of undefined"
}
[next-auth][debug][OAUTH_CALLBACK_RESPONSE] {
profile: null,
account: null,
OAuthProfile: {
exp: 1635524313,
nbf: 1635520713,
ver: '1.0',
iss: 'https://dgpav2dev.b2clogin.com/bd51fb4d-a1b4-42b2-a322-3e8d6a829dd3/v2.0/',
sub: 'bca5df8c-2d64-47df-bdc1-201bd5be8146',
PS C:\Users\epari\Coding\next-auth-example> npm run dev
> next-auth-example@0.0.0 dev C:\Users\epari\Coding\next-auth-example
> next
ready - started server on 0.0.0.0:3000, url: http://localhost:3000
info - Loaded env from C:\Users\epari\Coding\next-auth-example\.env.local
event - compiled successfully in 2.2s (190 modules)
warn - using beta Middleware (not covered by semver) - https://nextjs.org/docs/messages/beta-middleware
wait - compiling /_middleware (client only)...
event - compiled successfully in 371 ms (306 modules)
wait - compiling /api/auth/[...nextauth] (server only)...
event - compiled successfully in 160 ms (318 modules)
[next-auth][debug][OAUTH_CALLBACK_PROTECTION] {
state: '18e7f650b6217557a54f8759c7f3f087a3df1b8d7b8c3d7a44c0831d060a9694',
csrfToken: 'af9b2355283971f4ba4809f0c1e41fab417bc8cd1d50fb212ec30fa4a4afa051'
}
[next-auth][debug][GET_AUTHORIZATION_URL] {
url: 'https://dgpav2dev.b2clogin.com/dgpav2dev.onmicrosoft.com/b2c_1_signupsignin1/oauth2/v2.0/authorize?client_id=0d3c674a-8aaf-41c0-8bad-36ebf325f59d&scope=offline_access%20openid&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fcallback%2Fazure-ad-b2c&nextauth=signin%2Cazure-ad-b2c&state=18e7f650b6217557a54f8759c7f3f087a3df1b8d7b8c3d7a44c0831d060a9694'
}
[next-auth][error][OAUTH_CALLBACK_ERROR]
https://next-auth.js.org/errors#oauth_callback_error JWT not active yet, now 1635520790, nbf 1635520791 {
error: {
message: 'JWT not active yet, now 1635520790, nbf 1635520791',
stack: 'RPError: JWT not active yet, now 1635520790, nbf 1635520791\n' +
' at Client.validateJWT (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\openid-client\\lib\\client.js:888:15)\n' +
' at Client.validateIdToken (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\openid-client\\lib\\client.js:706:60)\n' +
' at Client.callback (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\openid-client\\lib\\client.js:462:18)\n' +
' at processTicksAndRejections (internal/process/task_queues.js:95:5)\n' +
' at async oAuthCallback (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\core\\lib\\oauth\\callback.js:103:16)\n' +
' at async Object.callback (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\core\\routes\\callback.js:50:11)\n' +
' at async NextAuthHandler (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\core\\index.js:103:28)\n' +
' at async NextAuthNextHandler (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\next\\index.js:40:7)\n' +
' at async C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next-auth\\next\\index.js:80:32\n' +
' at async Object.apiResolver (C:\\Users\\epari\\Coding\\next-auth-example\\node_modules\\next\\dist\\server\\api-utils.js:102:9)',
name: 'RPError'
},
providerId: 'azure-ad-b2c',
message: 'JWT not active yet, now 1635520790, nbf 1635520791'
}
[next-auth][error][CALLBACK_OAUTH_ERROR]
https://next-auth.js.org/errors#callback_oauth_error JWT not active yet, now 1635520790, nbf 1635520791 RPError: JWT not active yet, now 1635520790, nbf 1635520791
at Client.validateJWT (C:\Users\epari\Coding\next-auth-example\node_modules\openid-client\lib\client.js:888:15)
at Client.validateIdToken (C:\Users\epari\Coding\next-auth-example\node_modules\openid-client\lib\client.js:706:60)
at Client.callback (C:\Users\epari\Coding\next-auth-example\node_modules\openid-client\lib\client.js:462:18)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at async oAuthCallback (C:\Users\epari\Coding\next-auth-example\node_modules\next-auth\core\lib\oauth\callback.js:103:16)
at async Object.callback (C:\Users\epari\Coding\next-auth-example\node_modules\next-auth\core\routes\callback.js:50:11)
at async NextAuthHandler (C:\Users\epari\Coding\next-auth-example\node_modules\next-auth\core\index.js:103:28)
at async NextAuthNextHandler (C:\Users\epari\Coding\next-auth-example\node_modules\next-auth\next\index.js:40:7)
at async C:\Users\epari\Coding\next-auth-example\node_modules\next-auth\next\index.js:80:32
at async Object.apiResolver (C:\Users\epari\Coding\next-auth-example\node_modules\next\dist\server\api-utils.js:102:9) {
name: 'OAuthCallbackError'
}
It seems it cannot read the profile. What am I missing here?
Anyway, better documentation and examples would be highly appreciated.
How to reproduce ☕️
https://github.com/nextauthjs/next-auth-example.git
Contributing 🙌🏽
Yes, I am willing to help answer this question in a PR
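On the OAUTH_PARSE_PROFILE_ERROR in the log above: the trace ends in the provider's profile() reading element 0 of a claim that the PROFILE_DATA output does not contain. The following is an added example, not next-auth's own code or code from this thread; it assumes the missing claim is the `emails` array and shows a mapping that tolerates its absence (mapB2CProfile and firstEmail are hypothetical names).

```javascript
// Added example: tolerant mapping of Azure AD B2C ID-token claims to a user object.
// mapB2CProfile and firstEmail are hypothetical helpers, not next-auth's provider code.

// Assumption: the address arrives as an `emails` array, or as a single `email`
// string, depending on which claims the user flow returns.
function firstEmail(claims) {
  const candidates = Array.isArray(claims.emails) ? claims.emails : [claims.email];
  const found = candidates.find((v) => typeof v === "string" && v.includes("@"));
  return found === undefined ? null : found;
}

function mapB2CProfile(claims) {
  // sub is the stable subject identifier; refuse to build a user without it.
  if (!claims || typeof claims.sub !== "string" || claims.sub === "") {
    throw new TypeError("ID token has no usable sub claim");
  }
  const fullName = [claims.given_name, claims.family_name]
    .filter((part) => typeof part === "string" && part !== "")
    .join(" ");
  return {
    id: claims.sub,
    name: typeof claims.name === "string" ? claims.name : fullName || null,
    email: firstEmail(claims), // null instead of a TypeError when the claim is absent
    image: null,
  };
}

// Claims copied from the PROFILE_DATA debug output on this page; there is no emails claim.
const pageClaims = {
  sub: "bca5df8c-2d64-47df-bdc1-201bd5be8146",
  given_name: "Emiliano",
  family_name: "Parizzi",
  tfp: "B2C_1_signupsignin1",
};

console.log(mapB2CProfile(pageClaims));
// Constructed input: the same user once the flow returns an address.
console.log(mapB2CProfile({ ...pageClaims, emails: ["user@example.com"] }));
```

A null email from this mapping means downstream code has to key the account on id (the sub claim) and must not link or look up accounts by email.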
About this issue
- State: closed
- Created 3 years ago
- Comments: 22 (10 by maintainers)
id_token_expires_in should be an Int? and also refresh_token_expires_in Int? is missing. Here’s the full Account model working with Azure AD B2C in case you want to write it down somewhere in the docs.
It doesn’t feel right that we need to change the Account model depending on which Providers we use, but okay.
Anyway, I’m back with the “JWT not active yet” (a 1s difference) error and I can’t resync my clock.
I know, I know, this is just a test tenant and I’m going to delete this B2C account anyway.
Haha this is a terrible error 😢 I don’t think there is anything wrong with your B2C setup per se, because by all accounts you are logging in with a B2C-issued token. It suggests that there is some disconnect between your local machine time and the server time when the token is issued.
I’m on macOS, and if I manually set my date/time (to yesterday, or even to 1 hour ago) with a default B2C User Policy I can reproduce this error.
I’m not sure whose fault this is…like is this a commonly producible error with a user in Hawaii and a B2C server in US Mainland? Or is it only an issue if the user has somehow manually adjusted their time?
@dg-eparizzi can you confirm if your system time is set manually or synced automatically?
Unrelatedly, thanks for the callout on authorization: { params: { scope: "offline_access openid" } }, - I don’t actually think it’s needed, although would have to test a little more to confirm
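The one-second gap in the error above ("now 1635520790, nbf 1635520791") is the case a relying party's clock tolerance is meant to absorb. The following is an added example, not openid-client's or next-auth's code: a model of the nbf/exp/iat checks with a bounded tolerance, run on the page's two timestamps. checkTimeClaims, its options, MAX_TOLERANCE_SEC and the exp/iat values are assumptions constructed for the example.

```javascript
// Added example: time-claim checks on an ID token with a bounded clock tolerance.
// checkTimeClaims and its option names are hypothetical, not openid-client's API.
const MAX_TOLERANCE_SEC = 60; // assumed cap: tolerance also stretches acceptance past exp

function checkTimeClaims(claims, { now, toleranceSec = 0 }) {
  if (!Number.isInteger(toleranceSec) || toleranceSec < 0 || toleranceSec > MAX_TOLERANCE_SEC) {
    throw new RangeError(`toleranceSec must be an integer in 0..${MAX_TOLERANCE_SEC}`);
  }
  const problems = [];
  for (const name of ["nbf", "exp", "iat"]) {
    if (claims[name] !== undefined && !Number.isFinite(claims[name])) {
      problems.push(`${name} is not a number`);
    }
  }
  if (claims.exp === undefined) problems.push("exp is missing");
  if (problems.length === 0) {
    // A comparison against an undefined claim is false, so absent nbf/iat are skipped.
    if (claims.nbf > now + toleranceSec) {
      problems.push(`JWT not active yet, now ${now + toleranceSec}, nbf ${claims.nbf}`);
    }
    if (claims.exp <= now - toleranceSec) {
      problems.push(`JWT expired, now ${now - toleranceSec}, exp ${claims.exp}`);
    }
    if (claims.iat > now + toleranceSec) {
      problems.push(`JWT issued in the future, now ${now + toleranceSec}, iat ${claims.iat}`);
    }
  }
  // How far the issuer's clock runs ahead of ours, judged from nbf and iat.
  const ahead = (v) => (Number.isFinite(v) ? v - now : 0);
  const aheadSec = Math.max(0, ahead(claims.nbf), ahead(claims.iat));
  return { ok: problems.length === 0, problems, aheadSec };
}

// now and nbf are the two values from the error message on this page; exp and iat
// are constructed (the page's other tokens show iat = nbf and exp = nbf + 3600).
const failingToken = { nbf: 1635520791, iat: 1635520791, exp: 1635524391 };
const serverNow = 1635520790;

const strict = checkTimeClaims(failingToken, { now: serverNow });
const tolerant = checkTimeClaims(failingToken, { now: serverNow, toleranceSec: 1 });
console.log(strict.problems, "issuer ahead by", strict.aheadSec, "s");
console.log("accepted with 1 s tolerance:", tolerant.ok);
```

Logging aheadSec on every rejection shows whether the gap is a stable second or two of skew, which a small tolerance covers, or a host clock that has drifted and needs resyncing.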