🐛 Require oidc issuer url (#1738)

apps/docs/self-hosting/configuration.mdx

@@ -119,6 +119,13 @@ https://<YOUR_DOMAIN>/api/auth/callback/microsoft-entra-id
 
 ### Custom SSO (OIDC)
 
+The following must be set for OIDC to work:
+
+- `OIDC_DISCOVERY_URL`
+- `OIDC_CLIENT_ID`
+- `OIDC_CLIENT_SECRET`
+- `OIDC_ISSUER_URL`
+
 <Accordion title="Setup">
 Your OAuth 2.0 application needs to be configured with the following scopes:
 
@@ -141,6 +148,11 @@ https://<YOUR-DOMAIN>/api/auth/callback/oidc
   URL of the `.well-known/openid-configuration` endpoint for your OIDC provider
 </ParamField>
 
+<ParamField path="OIDC_ISSUER_URL">
+  URL of the issuer for your OIDC provider. You can get this from your OpenId
+  Configuration endpoint.
+</ParamField>
+
 <ParamField path="OIDC_CLIENT_ID">
   The client ID of your OIDC application
 </ParamField>

apps/web/src/app/[locale]/(auth)/login/components/login-with-oidc.tsx

@@ -4,7 +4,7 @@ import { signIn } from "next-auth/react";
 
 import { Trans } from "@/components/trans";
 
-export async function LoginWithOIDC({
+export function LoginWithOIDC({
   name,
   redirectTo,
 }: {
@@ -18,7 +18,8 @@ export async function LoginWithOIDC({
           redirectTo,
         });
       }}
-      variant="link"
+      className="w-full"
+      size="lg"
     >
       <Trans
         i18nKey="continueWithProvider"

apps/web/src/auth/providers/oidc.ts

@@ -5,19 +5,26 @@ import { env } from "@/env";
 import { getValueByPath } from "@/utils/get-value-by-path";
 
 export const OIDCProvider = () => {
-  if (
-    process.env.OIDC_DISCOVERY_URL &&
-    process.env.OIDC_CLIENT_ID &&
-    process.env.OIDC_CLIENT_SECRET
-  ) {
+  if (env.OIDC_DISCOVERY_URL && env.OIDC_CLIENT_ID && env.OIDC_CLIENT_SECRET) {
+    if (!env.OIDC_ISSUER_URL) {
+      console.warn(
+        "OIDC_ISSUER_URL is not set. Please set it to the issuer URL of your OpenID Connect provider.",
+      );
+      return;
+    }
     return {
       id: "oidc",
-      name: process.env.OIDC_NAME ?? "OpenID Connect",
+      name: env.OIDC_NAME ?? "OpenID Connect",
       type: "oidc",
-      wellKnown: process.env.OIDC_DISCOVERY_URL,
-      authorization: { params: { scope: "openid email profile" } },
-      clientId: process.env.OIDC_CLIENT_ID,
-      clientSecret: process.env.OIDC_CLIENT_SECRET,
+      wellKnown: env.OIDC_DISCOVERY_URL,
+      authorization: {
+        params: {
+          scope: "openid email profile",
+        },
+      },
+      issuer: env.OIDC_ISSUER_URL,
+      clientId: env.OIDC_CLIENT_ID,
+      clientSecret: env.OIDC_CLIENT_SECRET,
       idToken: true,
       checks: ["pkce", "state"],
       allowDangerousEmailAccountLinking: true,

apps/web/src/env.ts

@@ -19,6 +19,7 @@ export const env = createEnv({
     OIDC_DISCOVERY_URL: z.string().optional(),
     OIDC_CLIENT_ID: z.string().optional(),
     OIDC_CLIENT_SECRET: z.string().optional(),
+    OIDC_ISSUER_URL: z.string().optional(),
     OIDC_EMAIL_CLAIM_PATH: z.string().default("email"),
     OIDC_NAME_CLAIM_PATH: z.string().default("name"),
     OIDC_PICTURE_CLAIM_PATH: z.string().default("picture"),
@@ -104,6 +105,7 @@ export const env = createEnv({
     OIDC_DISCOVERY_URL: process.env.OIDC_DISCOVERY_URL,
     OIDC_CLIENT_ID: process.env.OIDC_CLIENT_ID,
     OIDC_CLIENT_SECRET: process.env.OIDC_CLIENT_SECRET,
+    OIDC_ISSUER_URL: process.env.OIDC_ISSUER_URL,
     OIDC_EMAIL_CLAIM_PATH: process.env.OIDC_EMAIL_CLAIM_PATH,
     OIDC_NAME_CLAIM_PATH: process.env.OIDC_NAME_CLAIM_PATH,
     OIDC_PICTURE_CLAIM_PATH: process.env.OIDC_PICTURE_CLAIM_PATH,

turbo.json

@@ -90,6 +90,7 @@
     "NOREPLY_EMAIL",
     "OIDC_CLIENT_ID",
     "OIDC_CLIENT_SECRET",
+    "OIDC_ISSUER_URL",
     "OIDC_DISCOVERY_URL",
     "OIDC_EMAIL_CLAIM_PATH",
     "OIDC_NAME_CLAIM_PATH",