♻️ refactor: refactor azure ad to ms entra id

docs/self-hosting/advanced/auth/next-auth/microsoft-entra-id.mdx

@@ -25,7 +25,7 @@ Fill in the desired application name to be displayed to organizational users, ch
 In the `Redirect URI (optional)` section, for the application type, select `Web`, and in the Callback URL, enter:
 
 ```bash
-https://your-domain/api/auth/callback/azure-ad
+https://your-domain/api/auth/callback/microsoft-entra-id
 ```
 
 <Callout type={'info'}>
@@ -72,10 +72,10 @@ When deploying LobeChat, you need to configure the following environment variabl
 | Environment Variable | Type | Description |
 | --- | --- | --- |
 | `NEXT_AUTH_SECRET` | Required | Key used to encrypt Auth.js session tokens. You can generate the key using the following command: `openssl rand -base64 32` |
-| `NEXT_AUTH_SSO_PROVIDERS` | Required | Select the single sign-on provider for LoboChat. Use `azure-ad` for Microsoft Entra ID. |
-| `AUTH_AZURE_AD_ID` | Required | Client ID of the Microsoft Entra ID application. |
-| `AUTH_AZURE_AD_SECRET` | Required | Client Secret of the Microsoft Entra ID application. |
-| `AUTH_AZURE_AD_TENANT_ID` | Required | Tenant ID of the Microsoft Entra ID application. |
+| `NEXT_AUTH_SSO_PROVIDERS` | Required | Select the single sign-on provider for LoboChat. Use `microsoft-entra-id` for Microsoft Entra ID. |
+| `AUTH_MICROSOFT_ENTRA_ID_ID` | Required | Client ID of the Microsoft Entra ID application. |
+| `AUTH_MICROSOFT_ENTRA_ID_SECRET` | Required | Client Secret of the Microsoft Entra ID application. |
+| `AUTH_MICROSOFT_ENTRA_ID_TENANT_ID` | Required | Tenant ID of the Microsoft Entra ID application. |
 | `NEXTAUTH_URL` | Required | This URL is used to specify the callback address for Auth.js when performing OAuth authentication. It is only necessary to set it when the default generated redirect address is incorrect. `https://example.com/api/auth` |
 
 <Callout type={'tip'}>

docs/self-hosting/advanced/auth/next-auth/microsoft-entra-id.zh-CN.mdx

@@ -24,7 +24,7 @@ tags:
 在 `Redirect URI (optional)` 中，应用类型选择 `Web`，Callback URL, 处填写：
 
 ```bash
-https://your-domain/api/auth/callback/azure-ad
+https://your-domain/api/auth/callback/microsoft-entra-id
 ```
 
 <Callout type={'info'}>
@@ -70,9 +70,9 @@ https://your-domain/api/auth/callback/azure-ad
 | --- | --- | --- |
 | `NEXT_AUTH_SECRET` | 必选 | 用于加密 Auth.js 会话令牌的密钥。您可以使用以下命令生成秘钥： `openssl rand -base64 32` |
 | `NEXT_AUTH_SSO_PROVIDERS` | 必选 | 选择 LoboChat 的单点登录提供商。使用 Microsoft Entra ID 请填写 `azure-ad`。 |
-| `AUTH_AZURE_AD_ID` | 必选 | Microsoft Entra ID 应用程序的 Client ID |
-| `AUTH_AZURE_AD_SECRET` | 必选 | Microsoft Entra ID 应用程序的 Client Secret |
-| `AUTH_AZURE_AD_TENANT_ID` | 必选 | Microsoft Entra ID 应用程序的 Tenant ID |
+| `AUTH_MICROSOFT_ENTRA_ID_ID` | 必选 | Microsoft Entra ID 应用程序的 Client ID |
+| `AUTH_MICROSOFT_ENTRA_ID_SECRET` | 必选 | Microsoft Entra ID 应用程序的 Client Secret |
+| `AUTH_MICROSOFT_ENTRA_ID_TENANT_ID` | 必选 | Microsoft Entra ID 应用程序的 Tenant ID |
 | `NEXTAUTH_URL` | 必选 | 该 URL 用于指定 Auth.js 在执行 OAuth 验证时的回调地址，当默认生成的重定向地址发生不正确时才需要设置。`https://example.com/api/auth` |
 
   <Callout type={'tip'}>

src/config/auth.ts

@@ -202,6 +202,11 @@ export const getAuthConfig = () => {
       LOGTO_ISSUER: z.string().optional(),
       LOGTO_WEBHOOK_SIGNING_KEY: z.string().optional(),
 
+      // Microsoft Entra ID
+      MICROSOFT_ENTRA_ID_ID: z.string().optional(),
+      MICROSOFT_ENTRA_ID_SECRET: z.string().optional(),
+      MICROSOFT_ENTRA_ID_TENANT_ID: z.string().optional(),
+
       // Casdoor
       CASDOOR_WEBHOOK_SECRET: z.string().optional(),
     },
@@ -265,6 +270,13 @@ export const getAuthConfig = () => {
 
       // Casdoor
       CASDOOR_WEBHOOK_SECRET: process.env.CASDOOR_WEBHOOK_SECRET,
+
+      // Microsoft Entra ID
+      MICROSOFT_ENTRA_ID_ID: process.env.MICROSOFT_ENTRA_ID_ID || process.env.AZURE_AD_CLIENT_ID,
+      MICROSOFT_ENTRA_ID_SECRET:
+        process.env.MICROSOFT_ENTRA_ID_SECRET || process.env.AZURE_AD_CLIENT_SECRET,
+      MICROSOFT_ENTRA_ID_TENANT_ID:
+        process.env.MICROSOFT_ENTRA_ID_TENANT_ID || process.env.AZURE_AD_TENANT_ID,
     },
   });
 };

src/libs/next-auth/sso-providers/index.ts

@@ -7,6 +7,7 @@ import CloudflareZeroTrust from './cloudflare-zero-trust';
 import GenericOIDC from './generic-oidc';
 import Github from './github';
 import Logto from './logto';
+import MicrosoftEntraID from './microsoft-entra-id';
 import Zitadel from './zitadel';
 
 export const ssoProviders = [
@@ -20,4 +21,5 @@ export const ssoProviders = [
   Logto,
   CloudflareZeroTrust,
   Casdoor,
+  MicrosoftEntraID,
 ];

src/libs/next-auth/sso-providers/microsoft-entra-id.ts

@@ -0,0 +1,32 @@
+import MicrosoftEntraID from 'next-auth/providers/microsoft-entra-id';
+
+import { authEnv } from '@/config/auth';
+
+import { CommonProviderConfig } from './sso.config';
+
+const provider = {
+  id: 'microsoft-entra-id',
+  provider: MicrosoftEntraID({
+    ...CommonProviderConfig,
+    // Specify auth scope, at least include 'openid email'
+    // all scopes in Azure AD ref: https://learn.microsoft.com/en-us/entra/identity-platform/scopes-oidc#openid-connect-scopes
+    authorization: { params: { scope: 'openid email profile' } },
+    // TODO(NextAuth ENVs Migration): Remove once nextauth envs migration time end
+    clientId: authEnv.MICROSOFT_ENTRA_ID_ID ?? process.env.AUTH_MICROSOFT_ENTRA_ID_ID,
+    clientSecret: authEnv.MICROSOFT_ENTRA_ID_SECRET ?? process.env.AUTH_MICROSOFT_ENTRA_ID_SECRET,
+    tenantId: authEnv.MICROSOFT_ENTRA_ID_TENANT_ID ?? process.env.AUTH_MICROSOFT_ENTRA_ID_TENANT_ID,
+    // Remove end
+    // TODO(NextAuth): map unique user id to `providerAccountId` field
+    // profile(profile) {
+    //   return {
+    //     email: profile.email,
+    //     image: profile.picture,
+    //     name: profile.name,
+    //     providerAccountId: profile.user_id,
+    //     id: profile.user_id,
+    //   };
+    // },
+  }),
+};
+
+export default provider;