[Bug] Microsoft Entra ID Error AADSTS50011 with OpenID authentication

[gemnioo]

📦 Environment

Docker

📌 Version

lobehub/lobe-chat-database v1.31.10

💻 Operating System

Other Linux

🌐 Browser

Firefox

🐛 Bug Description

Follow this tutorial https://lobehub.com/zh/docs/self-hosting/advanced/auth/next-auth/microsoft-entra-id

I successful add Microsoft Entra ID info in the lobe-chat.env config. but shows error Error AADSTS50011

Follow Microsoft docs https://learn.microsoft.com/en-us/troubleshoot/entra/entra-id/app-integration/error-code-AADSTS50011-redirect-uri-mismatch#resolution

"On the app registration page, select Authentication. In the Platform configurations section, select Add URI to add the redirect URI displayed in the error message to Microsoft Entra ID."

I modify the Web Redirect URIs

But shows error like this

if click the Reload button

and click will looped to the first Ooops page.

the config in the lobe-chat.env like

NEXT_AUTH_SECRET=openssl rand -base64 32
NEXT_AUTH_SSO_PROVIDERS=microsoft-entra-id
AUTH_MICROSOFT_ENTRA_ID_ID=
AUTH_MICROSOFT_ENTRA_ID_SECRET=
AUTH_MICROSOFT_ENTRA_ID_TENANT_ID=
NEXTAUTH_URL= https://example.com/api/auth

I tried modify the NEXTAUTH_URL with /api/auth ending or /api/auth/callback/microsoft-entra-id

the only difference were "/api/auth/callback/microsoft-entra-id" will Reload to Sign in with Microsoft Entra ID Page.
Pls advise. Should I ADD user "LobeChat" into Home -> Microsoft Entra ID -> App registrations -> Owner ?

📷 Recurrence Steps

Docker deploy with

lobe-chat-database docker
pgvector/pgvector:pg17
Cloudflare R2 bucket
Microsoft Entra ID
"tailscale serve or tailscale funnel"

🚦 Expected Behavior

No response

📝 Additional Information

No response

[lobehubbot]

👀 @gemnioo

Thank you for raising an issue. We will investigate into the matter and get back to you as soon as possible.
Please make sure you have given us as much context as possible.
非常感谢您提交 issue。我们会尽快调查此事，并尽快回复您。 请确保您已经提供了尽可能多的背景信息。

[dosubot]

I found a similar discussion and issue related to Microsoft Entra ID errors in Lobe Chat:

1. A similar discussion titled "Problem Of Microsoft Entra ID :在zeabur平台上使用docker部署服务端数据库版本时使用Microsoft Entra ID部署时回调地址无响应" was resolved by correcting a domain error ^[1].
2. A closed issue titled "[Bug] Microsoft Entra ID 身份验证服务报错" was resolved by addressing a Docker image problem ^[2].

For your specific issue with the AADSTS50011 error, here are some troubleshooting steps you can follow:

1. Ensure Correct Redirect URI: Double-check that the redirect URI in your Microsoft Entra ID application matches exactly with the one specified in your lobe-chat.env file. It should be set to https://your-domain/api/auth/callback/microsoft-entra-id if that's the path your application uses ^[3].

2. Modify Redirect URIs: If you haven't already, modify the Redirect URIs in the Microsoft Entra ID app registration to include the exact URI shown in the error message. This is crucial for resolving redirect URI mismatches ^[3].

3. Check Environment Variables: Ensure that all environment variables in your lobe-chat.env file are correctly set, especially NEXTAUTH_URL, which should match the callback URL configured in your Microsoft Entra ID settings ^[3].

4. Add Users: Adding "LobeChat" as an owner in the Microsoft Entra ID app registration is not typically necessary for resolving redirect URI issues. Focus on ensuring that the redirect URIs and environment variables are correctly configured.

By following these steps, you should be able to resolve the redirect URI mismatch error. If the issue persists, consider reviewing the Microsoft documentation for additional troubleshooting tips.

To continue talking to Dosu, mention @dosu.

[BrandonStudio]

NEXT_AUTH_SECRET should be a base64 string

[gemnioo]

NEXT_AUTH_SECRET should be a base64 string

yep I use "openssl rand -base64 32" instead

[BrandonStudio]

What did it say in docker logs?

[gemnioo]

What did it say in docker logs?

docker logs $(docker ps -a | grep lobe-chat-database | awk '{print $1}').

🌐 DNS Server: [ '127.0.0.11' ]
-------------------------------------
[Database] Start to migration...
✅ database migration pass.
-------------------------------------
  ▲ Next.js 14.2.8
  - Local:        http://localhost:3210
  - Network:      http://0.0.0.0:3210

 ✓ Starting...
 ✓ Ready in 119ms
[auth][error] MissingCSRF: CSRF token was missing during an action signin. Read more at https://errors.authjs.dev#missingcsrf
    at tR (/app/.next/server/chunks/38106.js:1:39757)
    at i0 (/app/.next/server/chunks/38106.js:368:52432)
    at async i2 (/app/.next/server/chunks/38106.js:368:56596)
    at async /app/node_modules/.pnpm/next@14.2.8_@babel+core@7.23.6_@opentelemetry+api@1.9.0_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
    at async eC.execute (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.23.6_@opentelemetry+api@1.9.0_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
    at async eC.handle (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.23.6_@opentelemetry+api@1.9.0_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:38186)
    at async doRender (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.23.6_@opentelemetry+api@1.9.0_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/server/base-server.js:1359:42)
    at async cacheEntry.responseCache.get.routeKind (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.23.6_@opentelemetry+api@1.9.0_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/server/base-server.js:1581:28)
    at async NextNodeServer.renderToResponseWithComponentsImpl (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.23.6_@opentelemetry+api@1.9.0_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/server/base-server.js:1489:28)
    at async NextNodeServer.renderPageComponent (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.23.6_@opentelemetry+api@1.9.0_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/server/base-server.js:1913:24)
[auth][error] CallbackRouteError: Read more at https://errors.authjs.dev#callbackrouteerror
[auth][cause]: u: JWTs must use Compact JWS serialization, JWT must be a string
    at /app/.next/server/chunks/38106.js:368:33665
    at iH (/app/.next/server/chunks/38106.js:368:34195)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async iz (/app/.next/server/chunks/38106.js:368:40333)
    at async i0 (/app/.next/server/chunks/38106.js:368:51902)
    at async i2 (/app/.next/server/chunks/38106.js:368:56596)
    at async /app/node_modules/.pnpm/next@14.2.8_@babel+core@7.23.6_@opentelemetry+api@1.9.0_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
    at async eC.execute (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.23.6_@opentelemetry+api@1.9.0_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
    at async eC.handle (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.23.6_@opentelemetry+api@1.9.0_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:38186)
    at async doRender (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.23.6_@opentelemetry+api@1.9.0_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/server/base-server.js:1359:42)

and

[auth][details]: {
 "provider": "microsoft-entra-id"
}
[NextAuth] Error: {
 cause: 'Configuration',
 message: 'Wrong configuration, make sure you have the correct environment variables set. Visit https://lobehub.com/docs/self-hosting/advanced/authentication for more details.',
 name: 'NextAuth Error'
}
[auth][error] CallbackRouteError: Read more at https://errors.authjs.dev#callbackrouteerror
[auth][cause]: u: JWTs must use Compact JWS serialization, JWT must be a string
   at /app/.next/server/chunks/38106.js:368:33665
   at iH (/app/.next/server/chunks/38106.js:368:34195)
   at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
   at async iz (/app/.next/server/chunks/38106.js:368:40333)
   at async i0 (/app/.next/server/chunks/38106.js:368:51902)
   at async i2 (/app/.next/server/chunks/38106.js:368:56596)
   at async /app/node_modules/.pnpm/next@14.2.8_@babel+core@7.23.6_@opentelemetry+api@1.9.0_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
   at async eC.execute (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.23.6_@opentelemetry+api@1.9.0_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
   at async eC.handle (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.23.6_@opentelemetry+api@1.9.0_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:38186)
   at async doRender (/app/node_modules/.pnpm/next@14.2.8_@babel+core@7.23.6_@opentelemetry+api@1.9.0_react-dom@18.3.1_react@18.3.1__react@18.3.1/node_modules/next/dist/server/base-server.js:1359:42)
[auth][details]: {
 "provider": "microsoft-entra-id"
}
[NextAuth] Error: {
 cause: 'Configuration',
 message: 'Wrong configuration, make sure you have the correct environment variables set. Visit https://lobehub.com/docs/self-hosting/advanced/authentication for more details.',
 name: 'NextAuth Error'
}
[NextAuth] Error: {
 cause: 'Configuration',
 message: 'Wrong configuration, make sure you have the correct environment variables set. Visit https://lobehub.com/docs/self-hosting/advanced/authentication for more details.',
 name: 'NextAuth Error'
}
[NextAuth] Error: {
 cause: 'Configuration',
 message: 'Wrong configuration, make sure you have the correct environment variables set. Visit https://lobehub.com/docs/self-hosting/advanced/authentication for more details.',
 name: 'NextAuth Error'
}

[gemnioo]

the main "JWTs must use Compact JWS serialization, JWT must be a string"

looks like this error BerriAI/litellm#6793

https://authjs.dev/guides/refresh-token-rotation#jwt-strategy

[BrandonStudio]

What if removing NEXTAUTH_URL?

[BrandonStudio]

BTW, have you set APP_URL?

[gemnioo]

follow the just released tutorial, switch NextAuth methods from Microsoft Entra ID to Cloudflare Zero Trust

https://lobehub.com/zh/docs/self-hosting/advanced/auth/next-auth/cloudflare-zero-trust

I could success login. seems like this ""JWTs must use Compact JWS serialization, JWT must be a string"" error in Microsoft Entra ID auth lead to this issue.

and I can confirm the "NEXTAUTH_URL=" in lobe-chat.env should end with "example.com/api/auth" and the Web Redirect URIs in Microsoft Entra ID -- Callback URL or "Platform configurations section, select Add URI to add the redirect URI" should be end "/api/auth/callback/microsoft-entra-id"

PS: some one need update the tutorial screenshort (need update the "/api/auth/callback/azure-ad"

[BrandonStudio]

It's wierd because I have just tried login to my deployment and succeeded. My deployment is on Vercel, but I don't think that makes any difference. Besides,

• I use the latest version
• I does not set NEXTAUTH_URL