Environment
@auth/core 0.39.x through 0.41.2, and main as of 2026-06-25. Provider: microsoft-entra-id. Single-tenant app configured with an explicit GUID tenant issuer.
Reproduction / Description
The Microsoft Entra ID provider extracts the tenant ID from config.issuer to rewrite the {tenantid} placeholder Microsoft returns in its OIDC discovery document, using this regex in packages/core/src/providers/microsoft-entra-id.ts:
const tenantRe = /microsoftonline\.com\/(\w+)\/v2\.0/
const tenantId = config.issuer?.match(tenantRe)?.[1] ?? "common"
\w matches [A-Za-z0-9_] but not the hyphens in a GUID. So for a normal GUID tenant issuer such as:
https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0
the regex finds no match (the \w+ group can never be followed by /v2.0 because a hyphen always intervenes), so .match(...)?.[1] is undefined and tenantId falls back to "common". The discovery issuer is then rewritten to .../common/v2.0, which no longer matches the real per-tenant issuer — and sign-in fails with an issuer mismatch for single-tenant deployments.
Minimal demonstration of the regex behavior:
const issuer = "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0"
issuer.match(/microsoftonline\.com\/(\w+)\/v2\.0/) // => null (falls back to "common")
issuer.match(/microsoftonline\.com\/([\w-]+)\/v2\.0/)?.[1] // => "9188040d-6c67-4c5b-b112-36a304b66dad"
Expected
The configured GUID tenant should be preserved when rewriting the discovery issuer, not replaced with common.
Suggested fix
Widen the capture group to include hyphens:
- const tenantRe = /microsoftonline\.com\/(\w+)\/v2\.0/
+ const tenantRe = /microsoftonline\.com\/([\w-]+)\/v2\.0/
(Distinct from #13171, which is about the hacks being skipped when the provider id is customized — this one is the tenant-extraction regex itself.)
Environment
@auth/core0.39.x through 0.41.2, andmainas of 2026-06-25. Provider:microsoft-entra-id. Single-tenant app configured with an explicit GUID tenant issuer.Reproduction / Description
The Microsoft Entra ID provider extracts the tenant ID from
config.issuerto rewrite the{tenantid}placeholder Microsoft returns in its OIDC discovery document, using this regex inpackages/core/src/providers/microsoft-entra-id.ts:\wmatches[A-Za-z0-9_]but not the hyphens in a GUID. So for a normal GUID tenant issuer such as:the regex finds no match (the
\w+group can never be followed by/v2.0because a hyphen always intervenes), so.match(...)?.[1]isundefinedandtenantIdfalls back to"common". The discoveryissueris then rewritten to.../common/v2.0, which no longer matches the real per-tenant issuer — and sign-in fails with an issuer mismatch for single-tenant deployments.Minimal demonstration of the regex behavior:
Expected
The configured GUID tenant should be preserved when rewriting the discovery issuer, not replaced with
common.Suggested fix
Widen the capture group to include hyphens:
(Distinct from #13171, which is about the hacks being skipped when the provider
idis customized — this one is the tenant-extraction regex itself.)