gotrue: Azure Auth: http://localhost:5000/?error=server_error&error_description=Error+getting+user+email+from+external+provider

Bug report

When I log in using Azure Auth for a newly created Azure App Registration, I get this error.

To Reproduce

  1. Register a new app registration in azure portal, giving access to organisations and personal accounts
  2. Register the supabase redirect uri as a “Web” redirect uri (in azure portal)
  3. Create a secret for this new app registration
  4. enable azure auth in supabase, pasting in the client id and secret of the new app registration
  5. Invoke:
     const {user, session, error} = await supabase.auth.signIn({
         provider: 'azure',
     })
  6. That calls https://rlgaaitetwbkhisssmkq.supabase.co/auth/v1/authorize?provider=azure
  7. Which returns a 302 to https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=16d4a427-b73c-45fc-b04f-9545e7273f21&redirect_uri=https://rlgaaitetwbkhisssmkq.supabase.co/auth/v1/callback&response_type=code&scope=openid&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJle
  8. Which returns a 200 and pops the Microsoft auth dialog, asking me to grant permission to the app. Note, it does not ask me what Microsoft identity to use; I assume it's using the identity I am using to log into Azure Portal.
  9. I grant permission, then it seems to load https://login.live.com/Me.htm?v=3
  10. Then it seems to load https://login.live.com/oauth20_authorize.srf?client_id=16d4a427-b73c-45fc-b04f-9545e7273f21&scope=openid&redirect_uri=https://rlgaaitetwbkhisssmkq.supabase.co/auth/v1/callback&response_type=code&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ....&uaid=95c5d4c9a43f406ca88c5b1b22ea432a&msproxy=1&issuer=mso&tenant=common&ui_locales=en-GB
  11. Then it loads https://account.live.com/Consent/Update?mkt=EN-GB&uiflavor=web&id=293577&ru=https://login.live.com/oauth20_authorize.srf?uaid=95c5d4c9a43f406ca88c5b1b22ea432a&opid=A353DB724539E16F&opidt=1640691597
  12. Eventually we get to https://login.live.com/oauth20_authorize.srf?uaid=95c5d4c9a43f406ca88c5b1b22ea432a&opid=A353DB724539E16F&opidt=1640691597&res=success&route=R3_BAY
  13. Which returns a 302 to https://rlgaaitetwbkhisssmkq.supabase.co/auth/v1/callback?code=M.R3_BAY.f96be895-105c-c9f1-5462-d0b31af76746&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ey
  14. Invoking https://rlgaaitetwbkhisssmkq.supabase.co/auth/v1/callback?code=M.R3_BAY.f96be895-105c-c9f1-5462-d0b31af76746&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.ey… returns a 302 to http://localhost:5000/?error=server_error&error_description=Error+getting+user+email+from+external+provider

Expected behavior

I have done the same steps for Google Auth, and it worked; I expect the same to happen for Azure auth.

Also, I have successfully logged in using Azure with similar steps using the Microsoft native JavaScript SDK for auth, @azure/msal-browser.

I am aware of https://github.com/supabase/gotrue/pull/54, but two things on that. The first is: I was not presented with an option to select an email address to log in with (presumably because I am already logged into Azure Portal?), but even if I was, the second point is that I don't expect my customers to log in using this weird Azure-specific email address. I expect them to log in using their "usual" Azure identity.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 2
  • Comments: 17 (3 by maintainers)

Most upvoted comments

Hey so there was a report that on some Azure accounts the email is encoded differently. @silentworks do you recall?

Hey everyone, GoTrue requires that Azure provide back an email address for the user that is signing in. Make sure you always use this code snippet which includes the email scope:

import { createClient } from '@supabase/supabase-js'

// Placeholders: substitute your project's URL and anon key
const supabase = createClient('https://<project-ref>.supabase.co', '<anon-key>')

// supabase-js v1 call shape: signIn(credentials, options). The second argument
// adds the `email` scope so Azure returns the email claim GoTrue needs.
async function signInWithAzure() {
  const { user, session, error } = await supabase.auth.signIn(
    {
      provider: 'azure',
    },
    {
      scopes: 'email',
    }
  )
  return { user, session, error }
}

Please reopen the issue if this does not solve the problem for you.
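A small diagnostic added here as an example (not code from this thread, GoTrue or supabase-js): it parses the two redirects seen in the report, the provider authorize URL whose scope parameter lacks email and the final callback carrying the error, and builds signIn options that always include the email scope. The sample URLs are constructed with placeholder client id, project ref and state.

```javascript
// Added diagnostic helpers; not code from gotrue or supabase-js.
// Sample URLs are constructed with placeholder ids, shaped like the ones in the report.
const SAMPLE_AUTHORIZE_URL =
  'https://login.microsoftonline.com/common/oauth2/v2.0/authorize' +
  '?client_id=00000000-0000-0000-0000-000000000000' +
  '&redirect_uri=https://example-ref.supabase.co/auth/v1/callback' +
  '&response_type=code&scope=openid&state=constructed-state';

const SAMPLE_CALLBACK_URL =
  'http://localhost:5000/?error=server_error' +
  '&error_description=Error+getting+user+email+from+external+provider';

// Scopes GoTrue needs so Azure returns an email claim for the user
const REQUIRED_SCOPES = ['openid', 'email'];

// Inspect the authorize redirect GoTrue sends the browser to and report which
// required scopes the request is missing. OAuth scope values are space-delimited;
// URLSearchParams already turns '+' into a space.
function checkAuthorizeScopes(authorizeUrl) {
  const url = new URL(authorizeUrl);
  const scopes = (url.searchParams.get('scope') || '').split(/\s+/).filter(Boolean);
  const missing = REQUIRED_SCOPES.filter((s) => !scopes.includes(s));
  return { host: url.host, scopes, missing, ok: missing.length === 0 };
}

// Decode the error GoTrue appends to the final redirect back to the app,
// or return null when the redirect carries no error parameter.
function parseCallbackError(redirectUrl) {
  const params = new URL(redirectUrl).searchParams;
  const error = params.get('error');
  return error ? { error, description: params.get('error_description') } : null;
}

// Build the two-argument signIn options used in the thread (supabase-js v1 shape),
// always including the email scope and de-duplicating any extras the caller adds.
function azureSignInOptions(extraScopes = []) {
  const scopes = Array.from(new Set(['email', ...extraScopes]));
  return [{ provider: 'azure' }, { scopes: scopes.join(' ') }];
}

// Usage: run both checks over the constructed redirects
const check = checkAuthorizeScopes(SAMPLE_AUTHORIZE_URL);
console.log(check.ok ? 'scopes ok' : `missing scopes: ${check.missing.join(', ')}`);
console.log(parseCallbackError(SAMPLE_CALLBACK_URL));
```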

I can confirm that if I log out of Azure portal, I am prompted to enter an email address