'expires_in' response from OAuth token server is sometimes string #71

Closed
2 tasks done
ManavDia opened this issue Jun 8, 2023 · 2 comments
Labels
wontfix This will not be worked on

Comments


ManavDia commented Jun 8, 2023

What happened?

I was using @auth/sveltekit with Azure-AD provider and ran into this issue. The expires_in is returned as a string, which fails this library's JWT checks.

OAuth Provider: Azure Active Directory (Azure AD)
Project: SvelteKit
Auth Library: @auth
Nodejs 18x

Version

2.3.0

Runtime

Node.js

Runtime Details

18.x

Code to reproduce

import { SvelteKitAuth } from '@auth/sveltekit'
import AzureAD, { type AzureADProfile } from '@auth/core/providers/azure-ad'
import type {
	AuthorizationEndpointHandler,
	OAuth2Config,
	TokenEndpointHandler
} from '@auth/core/providers/oauth'
const token: TokenEndpointHandler = {
	url: //url,
	request: async (context: any) => {
		console.log({ context })
	}
}
const authorization: AuthorizationEndpointHandler = {
	url: //url,
	request: async (context: any) => {
		console.log({ context })
	}
}
const params: OAuth2Config<AzureADProfile> = {
	id: 'azure',
	type: 'oauth',
	issuer: // issuer,
	name: 'Azure AD',
	authorization,
	token,
	clientId: process.env.AZURE_AD_CLIENT_ID,
	clientSecret: process.env.AZURE_AD_CLIENT_SECRET,
	client: {
		client_id: process.env.AZURE_AD_CLIENT_ID,
		client_secret: process.env.AZURE_AD_CLIENT_SECRET,
		redirect_uris: ['https://localhost:5173/auth/login/azure'],
		default_max_age: 60 * 60,
		require_auth_time: true
	}
}

export const handle = SvelteKitAuth({
	providers: [
		// eslint-disable-next-line @typescript-eslint/ban-ts-comment
		// @ts-ignore
		AzureAD({ ...params, tenantId: process.env.AZURE_AD_TENANT_ID })
	],
	secret: process.env.AUTH_SECRET,
	session: {
		maxAge: 60 * 60 // 1 hour
	}
})

Required

  • I have searched the issues tracker and discussions for similar topics and couldn't find anything related.
  • I agree to follow this project's Code of Conduct
@ManavDia ManavDia added the triage label Jun 8, 2023
Owner

panva commented Jun 8, 2023

It's defined as a number, so the rejection is right in place. If you want, you can parse the Response instance and re-instantiate it with a fixed expires_in member or have authjs deal with this in its provider abstraction.

@panva panva closed this as not planned Won't fix, can't repro, duplicate, stale Jun 8, 2023
@panva panva added wontfix This will not be worked on and removed triage labels Jun 8, 2023
@balazsorban44

Correct! Both libraries (this and @auth/core) expect the value as a number. It sounds like for some reason Azure returns it as a string.

There is a way to make the provider's response conform to spec, here is an example: https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/twitch.ts/#L87-L115

If you could open this issue on the right repository at https://github.com/nextauthjs/next-auth we could look into this. We also accept a PR if you want to fix this. The file that needs to be fixed is https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/azure-ad.ts
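
The workaround described in this thread (parse the token endpoint Response and re-instantiate it with a numeric expires_in), as an added example that is not code from this library or @auth/core. The names normalizeTokenBody and fixTokenResponse and the sample response are assumptions constructed for illustration; only strings of plain decimal digits are converted, so any other malformed value still reaches the library's check and is rejected.

```javascript
// Added example (hypothetical helper names). Requires Node.js 18+ for the
// global Response and Headers classes.

// Accept only plain decimal digits; "1e3", "-5", " 60" or "" stay strings so
// the strict type check downstream still fails closed on them.
const DECIMAL_SECONDS = /^[0-9]{1,10}$/;

// Pure step: return a copy with a numeric expires_in, or the same object
// when nothing needs fixing.
function normalizeTokenBody(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) return body;
  const value = body.expires_in;
  if (typeof value === 'string' && DECIMAL_SECONDS.test(value)) {
    return { ...body, expires_in: Number(value) };
  }
  return body;
}

// Re-instantiate the Response only when the body was actually changed.
async function fixTokenResponse(response) {
  const type = (response.headers.get('content-type') || '').toLowerCase();
  if (!type.includes('application/json')) return response;
  let body;
  try {
    body = await response.clone().json(); // clone: the original stays readable
  } catch {
    return response; // malformed JSON: let the caller's parser report it
  }
  const fixed = normalizeTokenBody(body);
  if (fixed === body) return response;
  const headers = new Headers(response.headers);
  headers.delete('content-length'); // the serialized body length has changed
  return new Response(JSON.stringify(fixed), {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

// Constructed sample of a token response carrying expires_in as a string.
function sampleTokenResponse() {
  const body = { token_type: 'Bearer', access_token: 'constructed-token', expires_in: '3599' };
  return new Response(JSON.stringify(body), {
    status: 200,
    headers: { 'content-type': 'application/json; charset=utf-8' },
  });
}

fixTokenResponse(sampleTokenResponse())
  .then((res) => res.json())
  .then((json) => console.log(typeof json.expires_in, json.expires_in));
```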

@github-actions github-actions bot locked and limited conversation to collaborators Sep 11, 2023
panva added a commit that referenced this issue Oct 13, 2024