From 70eeb1a7468c60807a655c4ed2203827ecbd0048 Mon Sep 17 00:00:00 2001
From: Mythie
Date: Thu, 30 May 2024 22:15:45 +1000
Subject: [PATCH] chore: improve oidc provider support

Adds fields to the Account model to support various pieces of data returned by OIDC providers such as AzureAD and GitLab. Additionally passes through the email verification status and handles retrieving the email for providers such as AzureAD who use a different claim instead.
---
 packages/lib/next-auth/auth-options.ts | 13 +++++++++----
 .../migration.sql | 3 +++
 packages/prisma/schema.prisma | 4 ++++
 3 files changed, 16 insertions(+), 4 deletions(-)
 create mode 100644 packages/prisma/migrations/20240530120101_add_missing_fields_to_account_model_for_oidc/migration.sql

diff --git a/packages/lib/next-auth/auth-options.ts b/packages/lib/next-auth/auth-options.ts
index e05fae573..107548e9b 100644
--- a/packages/lib/next-auth/auth-options.ts
+++ b/packages/lib/next-auth/auth-options.ts
@@ -139,19 +139,24 @@ export const NEXT_AUTH_OPTIONS: AuthOptions = {
 {
 id: 'oidc',
 name: 'OIDC',
+ type: 'oauth',
+ wellKnown: process.env.NEXT_PRIVATE_OIDC_WELL_KNOWN,
 clientId: process.env.NEXT_PRIVATE_OIDC_CLIENT_ID,
 clientSecret: process.env.NEXT_PRIVATE_OIDC_CLIENT_SECRET,
+
 authorization: { params: { scope: 'openid email profile' } },
- idToken: true,
 checks: ['pkce', 'state'],
- type: 'oauth',
+
+ idToken: true,
 allowDangerousEmailAccountLinking: true,
+
 profile(profile) {
 return {
- id: Number(profile.sub),
- email: profile.email,
+ id: profile.sub,
+ email: profile.email || profile.preferred_username,
 name: profile.name || `${profile.given_name} ${profile.family_name}`.trim(),
+ emailVerified: profile.email_verified ? new Date().toISOString() : null,
 };
 },
 },
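Review bot: In `profile()`, `emailVerified` is derived from `profile.email_verified` even when the address came from the `preferred_username` fallback on the line above it, so a value the IdP never asserted as an email can be stored as verified and, because `allowDangerousEmailAccountLinking: true` is set, linked to an existing local account with that address. In OIDC `email_verified` describes only the `email` claim, and `preferred_username` is explicitly not guaranteed to be unique or stable, so the fallback should never inherit the verified status. Suggest computing the address first and gating on the real claim: `const email = profile.email || profile.preferred_username;` / `const emailVerified = profile.email && profile.email_verified ? new Date().toISOString() : null;` and returning `{ id: profile.sub, email, name: ..., emailVerified }`. If the fallback is needed for Azure AD, a comment such as `// preferred_username fallback: not an OIDC email claim, never treated as verified` would help the next reader. The `NEXT_AUTH_OPTIONS` object and its providers array continue outside the hunk.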
diff --git a/packages/prisma/migrations/20240530120101_add_missing_fields_to_account_model_for_oidc/migration.sql b/packages/prisma/migrations/20240530120101_add_missing_fields_to_account_model_for_oidc/migration.sql
new file mode 100644
index 000000000..6d7bc841a
--- /dev/null
+++ b/packages/prisma/migrations/20240530120101_add_missing_fields_to_account_model_for_oidc/migration.sql
@@ -0,0 +1,3 @@
+-- AlterTable
+ALTER TABLE "Account" ADD COLUMN "created_at" INTEGER,
+ADD COLUMN "ext_expires_in" INTEGER;
diff --git a/packages/prisma/schema.prisma b/packages/prisma/schema.prisma
index f9902ab35..908bb10c1 100644
--- a/packages/prisma/schema.prisma
+++ b/packages/prisma/schema.prisma
@@ -233,6 +233,10 @@ model Account {
 refresh_token String? @db.Text
 access_token String? @db.Text
 expires_at Int?
+ // Some providers return created_at so we need to make it optional
+ created_at Int?
+ // Stops next-auth from crashing when dealing with AzureAD
+ ext_expires_in Int?
 token_type String?
 scope String?
 id_token String? @db.Text
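Review bot: The comment on the new `created_at` column says why it is nullable but not what it holds or who writes it, so a later reader cannot tell whether it is a raw provider token-response field (like `expires_at` and `ext_expires_in` around it) or an application-managed timestamp. Suggest `// Raw token-response field returned by some OIDC providers (the commit message names GitLab); nullable because most providers omit it` for `created_at`, and `// Azure AD returns ext_expires_in in its token response; presumably stored so the Account insert does not fail on an unknown key` for `ext_expires_in`, since "stops next-auth from crashing" does not say why a column is the fix. The `Account` model continues outside the hunk.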