Does SSO work with Microsoft?

Hello, the SSO authentication with Microsoft Entra ID fails with invalid_provider and token_response_not_found errors.
I am using React Router v7.

I registered the provider using:

const res = await authClient.sso.register({
    providerId: "entra",
    discoveryEndpoint: "https://login.microsoftonline.com/[TENANT_ID]/v2.0/.well-known/openid-configuration",
    issuer: "https://login.microsoftonline.com/[TENANT_ID]/v2.0",
    domain: "mydomain.com",
    clientId: "[CLIENT_ID]",
    clientSecret: "",
    authorizationEndpoint: "https://login.microsoftonline.com/[TENANT_ID]/v2.0/authorize",
    tokenEndpoint: "https://login.microsoftonline.com/[TENANT_ID]/oauth2/v2.0/token",
    jwksEndpoint: "https://login.microsoftonline.com/[TENANT_ID]/discovery/v2.0/keys",
    mapping: {
        id: "sub",
        email: "email",
        emailVerified: "email_verified",
        name: "name",
        image: "",
    },
    pkce: true,
    scopes: ["User.Read"],
});


Then I attempt to sign in with:

const res = await authClient.signIn.sso({
    email: email,
    callbackURL: "/dashboard",
});


What Happens:

  1. User is redirected to Microsoft's authorization endpoint
  2. Microsoft returns 302 FOUND with an authorization code to the callback URL:
    http://localhost:5173/api/auth/sso/callback/entra?code=[AUTH_CODE]&state=[STATE]&session_state=[SESSION_STATE]
  3. This immediately redirects again with 302 FOUND to:
    http://localhost:5173/api/auth/error/error?error=invalid_provider&error_description=token_response_not_found

Is SSO authentication with Microsoft Entra ID supported in Better Auth? The authorization flow appears to work correctly but it still fails.