feat: add support for OIDC auth

oss-apps · Jan 22, 2025 · ce65a5c · ce65a5c
1 parent 8adb205
commit ce65a5c
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 2 deletions.
diff --git a/src/env.js b/src/env.js
@@ -48,6 +48,10 @@ export const env = createEnv({
     WEB_PUSH_PUBLIC_KEY: z.string().optional(),
     FEEDBACK_EMAIL: z.string().optional(),
     DISCORD_WEBHOOK_URL: z.string().optional(),
+    OIDC_NAME: z.string().optional(),
+    OIDC_CLIENT_ID: z.string().optional(),
+    OIDC_CLIENT_SECRET: z.string().optional(),
+    OIDC_WELL_KNOWN_URL: z.string().optional(),
   },
 
   /**
@@ -90,6 +94,10 @@ export const env = createEnv({
     WEB_PUSH_PUBLIC_KEY: process.env.WEB_PUSH_PUBLIC_KEY,
     FEEDBACK_EMAIL: process.env.FEEDBACK_EMAIL,
     DISCORD_WEBHOOK_URL: process.env.DISCORD_WEBHOOK_URL,
+    OIDC_NAME: process.env.OIDC_NAME,
+    OIDC_CLIENT_ID: process.env.OIDC_CLIENT_ID,
+    OIDC_CLIENT_SECRET: process.env.OIDC_CLIENT_SECRET,
+    OIDC_WELL_KNOWN_URL: process.env.OIDC_WELL_KNOWN_URL,
   },
   /**
    * Run `build` or `dev` with `SKIP_ENV_VALIDATION` to skip env validation. This is especially

diff --git a/src/server/auth.ts b/src/server/auth.ts
@@ -1,9 +1,10 @@
 import { PrismaAdapter } from '@next-auth/prisma-adapter';
 import { type GetServerSidePropsContext } from 'next';
-import { getServerSession, type DefaultSession, type NextAuthOptions } from 'next-auth';
+import { getServerSession, type DefaultSession, type NextAuthOptions, User } from 'next-auth';
 import DiscordProvider from 'next-auth/providers/discord';
 import GoogleProvider from 'next-auth/providers/google';
 import EmailProvider from 'next-auth/providers/email';
+import { OAuthConfig } from 'next-auth/providers/oauth';
 import AuthentikProvider from 'next-auth/providers/authentik';
 
 import { env } from '~/env';
@@ -32,6 +33,14 @@ declare module 'next-auth' {
   }
 }
 
+interface OIDCProfile {
+  sub: string,
+  name: string,
+  email: string,
+  picture: string,
+  preferred_username: string
+}
+
 /**
  * Options for NextAuth.js used to configure adapters, providers, callbacks, etc.
  *
@@ -155,7 +164,33 @@ function getProviders() {
       })
     );
   }
-
+
+  if (env.OIDC_CLIENT_ID && env.OIDC_CLIENT_SECRET && env.OIDC_WELL_KNOWN_URL) {
+    providersList.push(
+      {
+        id: 'custom-oidc',
+        name: env.OIDC_NAME ?? 'OIDC',
+        type: "oauth",
+        wellKnown: env.OIDC_WELL_KNOWN_URL,
+        authorization: { params: { scope: "openid email profile" } },
+        idToken: true,
+        profile(profile: OIDCProfile) {
+          // This function expects a "standard" next-auth user but we override
+          // what a next-auth user is above.  The expected next-auth user must be
+          // a record that has an id, a name, an email, and an image.
+          //
+          // To work around this, we case to unknown and then `User`.
+          return {
+            id: profile.sub,
+            name: profile.name,
+            email: profile.email,
+            image: profile.picture,
+          } as unknown as User
+        }
+      } satisfies OAuthConfig<OIDCProfile>
+    );
+  }
+
   return providersList;
 }