@mulverse/mulguard-core 1.0.0

package/providers/authentik.js

@@ -0,0 +1,65 @@
+/**
+ * Add Authentik login to your page.
+ *
+ * ### Setup
+ *
+ * #### Callback URL
+ * ```
+ * https://example.com/api/auth/callback/authentik
+ * ```
+ *
+ * #### Configuration
+ *```ts
+ * import { Auth } from "@auth/core"
+ * import Authentik from "@auth/core/providers/authentik"
+ *
+ * const request = new Request(origin)
+ * const response = await Auth(request, {
+ *   providers: [
+ *     Authentik({
+ *       clientId: AUTHENTIK_CLIENT_ID,
+ *       clientSecret: AUTHENTIK_CLIENT_SECRET,
+ *       issuer: AUTHENTIK_ISSUER,
+ *     }),
+ *   ],
+ * })
+ * ```
+ *
+ * :::note
+ * issuer should include the slug without a trailing slash – e.g., https://my-authentik-domain.com/application/o/My_Slug
+ * :::
+ *
+ * ### Resources
+ *
+ *  - [Authentik OAuth documentation](https://goauthentik.io/docs/providers/oauth2)
+ *
+ * ### Notes
+ *
+ * By default, Auth.js assumes that the Authentik provider is
+ * based on the [Open ID Connect](https://openid.net/specs/openid-connect-core-1_0.html) specification.
+ *
+ * :::tip
+ *
+ * The Authentik provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/authentik.ts).
+ * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * :::
+ *
+ * :::info **Disclaimer**
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ *
+ * :::
+ */
+export default function Authentik(options) {
+    return {
+        id: "authentik",
+        name: "Authentik",
+        type: "oidc",
+        options,
+    };
+}

package/providers/azure-ad-b2c.d.ts

@@ -0,0 +1,104 @@
+/**
+ * <div class="provider" style={{backgroundColor: "#0072c6", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>Azure AD B2C</b> integration.</span>
+ * <a href="https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant">
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/azure.svg" height="48" width="48"/>
+ * </a>
+ * </div>
+ *
+ * @module providers/azure-ad-b2c
+ */
+import type { OIDCConfig, OIDCUserConfig } from "./index.js";
+/** @see [Claims](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tokens-overview#claims) */
+export interface AzureADB2CProfile {
+    exp: number;
+    nbf: number;
+    ver: string;
+    iss: string;
+    sub: string;
+    aud: string;
+    iat: number;
+    auth_time: number;
+    oid: string;
+    country: string;
+    name: string;
+    postalCode: string;
+    emails: string[];
+    tfp: string;
+    preferred_username: string;
+}
+/**
+ * Add Azure AD B2C login to your page.
+ *
+ *
+ * ## Configuration
+ *
+ * ### Basic
+ *
+ * Basic configuration sets up Azure AD B2C to return an ID Token. This should be done as a prerequisite prior to running through the Advanced configuration.
+ *
+ * 1. [Azure AD B2C Tenant](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant)
+ * 2. [App Registration](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications)
+ * 3. [User Flow](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows)
+ *
+ * For the step "User attributes and token claims" set the following:
+ *
+ * - Collect attribute:
+ *   - Email Address
+ *   - Display Name
+ *   - Given Name
+ *   - Surname
+ * - Return claim:
+ *   - Email Addresses
+ *   - Display Name
+ *   - Given Name
+ *   - Surname
+ *   - Identity Provider
+ *   - Identity Provider Access Token
+ *   - User's Object ID
+ *
+ * @example
+ *
+ * ```ts
+ * import { Auth } from "@auth/core"
+ * import AzureADB2C from "@auth/core/providers/azure-ad-b2c"
+ *
+ * const request = new Request("https://example.com")
+ * const response = await AuthHandler(request, {
+ *   // optionally, you can pass `tenantId` and `primaryUserFlow` instead of `issuer`
+ *   providers: [AzureADB2C({ clientId: "", clientSecret: "", issuer: "" })],
+ * })
+ * ```
+ *
+ * ---
+ *
+ * ### Resources
+ *
+ * - [Azure Active Directory B2C documentation](https://learn.microsoft.com/en-us/azure/active-directory-b2c)
+ *
+ * ---
+ *
+ * ### Notes
+ *
+ * By default, Auth.js assumes that the Azure AD B2C provider is
+ * based on the [OIDC](https://openid.net/specs/openid-connect-core-1_0.html) specification.
+ *
+ * :::tip
+ *
+ * The Azure AD B2C provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/azure-ad-b2c.ts).
+ * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * :::
+ *
+ * :::info **Disclaimer**
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ *
+ * :::
+ */
+export default function AzureADB2C(options: OIDCUserConfig<AzureADB2CProfile>): OIDCConfig<AzureADB2CProfile>;
+//# sourceMappingURL=azure-ad-b2c.d.ts.map

package/providers/azure-ad-b2c.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure-ad-b2c.d.ts","sourceRoot":"","sources":["../src/providers/azure-ad-b2c.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,YAAY,CAAA;AAE5D,yGAAyG;AACzG,MAAM,WAAW,iBAAiB;IAChC,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,GAAG,EAAE,MAAM,CAAA;IACX,SAAS,EAAE,MAAM,CAAA;IACjB,GAAG,EAAE,MAAM,CAAA;IACX,OAAO,EAAE,MAAM,CAAA;IACf,IAAI,EAAE,MAAM,CAAA;IACZ,UAAU,EAAE,MAAM,CAAA;IAClB,MAAM,EAAE,MAAM,EAAE,CAAA;IAChB,GAAG,EAAE,MAAM,CAAA;IACX,kBAAkB,EAAE,MAAM,CAAA;CAC3B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwEG;AACH,MAAM,CAAC,OAAO,UAAU,UAAU,CAChC,OAAO,EAAE,cAAc,CAAC,iBAAiB,CAAC,GACzC,UAAU,CAAC,iBAAiB,CAAC,CAgB/B"}

package/providers/azure-ad-b2c.js

@@ -0,0 +1,100 @@
+/**
+ * <div class="provider" style={{backgroundColor: "#0072c6", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>Azure AD B2C</b> integration.</span>
+ * <a href="https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant">
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/azure.svg" height="48" width="48"/>
+ * </a>
+ * </div>
+ *
+ * @module providers/azure-ad-b2c
+ */
+/**
+ * Add Azure AD B2C login to your page.
+ *
+ *
+ * ## Configuration
+ *
+ * ### Basic
+ *
+ * Basic configuration sets up Azure AD B2C to return an ID Token. This should be done as a prerequisite prior to running through the Advanced configuration.
+ *
+ * 1. [Azure AD B2C Tenant](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant)
+ * 2. [App Registration](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications)
+ * 3. [User Flow](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows)
+ *
+ * For the step "User attributes and token claims" set the following:
+ *
+ * - Collect attribute:
+ *   - Email Address
+ *   - Display Name
+ *   - Given Name
+ *   - Surname
+ * - Return claim:
+ *   - Email Addresses
+ *   - Display Name
+ *   - Given Name
+ *   - Surname
+ *   - Identity Provider
+ *   - Identity Provider Access Token
+ *   - User's Object ID
+ *
+ * @example
+ *
+ * ```ts
+ * import { Auth } from "@auth/core"
+ * import AzureADB2C from "@auth/core/providers/azure-ad-b2c"
+ *
+ * const request = new Request("https://example.com")
+ * const response = await AuthHandler(request, {
+ *   // optionally, you can pass `tenantId` and `primaryUserFlow` instead of `issuer`
+ *   providers: [AzureADB2C({ clientId: "", clientSecret: "", issuer: "" })],
+ * })
+ * ```
+ *
+ * ---
+ *
+ * ### Resources
+ *
+ * - [Azure Active Directory B2C documentation](https://learn.microsoft.com/en-us/azure/active-directory-b2c)
+ *
+ * ---
+ *
+ * ### Notes
+ *
+ * By default, Auth.js assumes that the Azure AD B2C provider is
+ * based on the [OIDC](https://openid.net/specs/openid-connect-core-1_0.html) specification.
+ *
+ * :::tip
+ *
+ * The Azure AD B2C provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/azure-ad-b2c.ts).
+ * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/configuring-oauth-providers).
+ *
+ * :::
+ *
+ * :::info **Disclaimer**
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ *
+ * :::
+ */
+export default function AzureADB2C(options) {
+    return {
+        id: "azure-ad-b2c",
+        name: "Azure AD B2C",
+        type: "oidc",
+        profile(profile) {
+            return {
+                id: profile.sub,
+                name: profile.name ?? profile.preferred_username,
+                email: profile?.emails?.[0],
+                image: null,
+            };
+        },
+        style: { text: "#fff", bg: "#0072c6" },
+        options,
+    };
+}

package/providers/azure-ad.d.ts

@@ -0,0 +1,19 @@
+/**
+ * <div class="provider" style={{backgroundColor: "#0072c6", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>Azure AD</b> integration.</span>
+ * <a href="https://learn.microsoft.com/en-us/azure/active-directory">
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/azure-ad.svg" height="48" width="48"/>
+ * </a>
+ * </div>
+ *
+ * @module providers/azure-ad
+ */
+import MicrosoftEntraID, { MicrosoftEntraIDProfile } from "./microsoft-entra-id.js";
+export type AzureADProfile = MicrosoftEntraIDProfile;
+/**
+ * @deprecated
+ * Azure Active Directory has been renamed to [Microsoft Entra ID](/getting-started/providers/microsoft-entra-id).
+ * Import this provider from the `providers/microsoft-entra-id` submodule instead of `providers/azure-ad`.
+ */
+export default function AzureAD(config: Parameters<typeof MicrosoftEntraID>[0]): ReturnType<typeof MicrosoftEntraID>;
+//# sourceMappingURL=azure-ad.d.ts.map

package/providers/azure-ad.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure-ad.d.ts","sourceRoot":"","sources":["../src/providers/azure-ad.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AACH,OAAO,gBAAgB,EAAE,EACvB,uBAAuB,EACxB,MAAM,yBAAyB,CAAA;AAEhC,MAAM,MAAM,cAAc,GAAG,uBAAuB,CAAA;AAEpD;;;;GAIG;AACH,MAAM,CAAC,OAAO,UAAU,OAAO,CAC7B,MAAM,EAAE,UAAU,CAAC,OAAO,gBAAgB,CAAC,CAAC,CAAC,CAAC,GAC7C,UAAU,CAAC,OAAO,gBAAgB,CAAC,CAMrC"}

package/providers/azure-ad.js

@@ -0,0 +1,23 @@
+/**
+ * <div class="provider" style={{backgroundColor: "#0072c6", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>Azure AD</b> integration.</span>
+ * <a href="https://learn.microsoft.com/en-us/azure/active-directory">
+ *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/azure-ad.svg" height="48" width="48"/>
+ * </a>
+ * </div>
+ *
+ * @module providers/azure-ad
+ */
+import MicrosoftEntraID from "./microsoft-entra-id.js";
+/**
+ * @deprecated
+ * Azure Active Directory has been renamed to [Microsoft Entra ID](/getting-started/providers/microsoft-entra-id).
+ * Import this provider from the `providers/microsoft-entra-id` submodule instead of `providers/azure-ad`.
+ */
+export default function AzureAD(config) {
+    return {
+        ...MicrosoftEntraID(config),
+        id: "azure-ad",
+        name: "Azure Active Directory",
+    };
+}

package/providers/azure-devops.d.ts

@@ -0,0 +1,128 @@
+import { OAuthConfig, OAuthUserConfig } from "./index.js";
+/** @see [Azure DevOps Services REST API 7.0 · Profiles · Get](https://learn.microsoft.com/en-us/rest/api/azure/devops/profile/profiles/get?view=azure-devops-rest-7.0&tabs=HTTP#examples) */
+export interface AzureDevOpsProfile extends Record<string, any> {
+    id: string;
+    displayName: string;
+    emailAddress: string;
+    coreAttributes: {
+        Avatar: {
+            value: {
+                value: string;
+            };
+        };
+    };
+}
+/**
+ *
+ * @deprecated
+ * While still available, Microsoft is [no longer supporting](https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops#available-oauth-models) Azure DevOps OAuth and recommends using [Microsoft Entra ID](/getting-started/providers/microsoft-entra-id) instead.
+ *
+ * ## Documentation
+ *
+ * [Microsoft Docs](https://docs.microsoft.com/en-us) · [Azure DevOps](https://docs.microsoft.com/en-us/azure/devops/) · [Authorize access to REST APIs with OAuth 2.0](https://docs.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops])
+ *
+ * ## Configuration
+ *
+ * ### Register application
+ *
+ * :::tip
+ * [`https://app.vsaex.visualstudio.com/app/register`](https://app.vsaex.visualstudio.com/app/register)
+ * :::
+ *
+ * Provide the required details:
+ *
+ * - Company name
+ * - Application name
+ * - Application website
+ * - Authorization callback URL
+ *   - `https://example.com/api/auth/callback/azure-devops` for production
+ *   - `https://localhost/api/auth/callback/azure-devops` for development
+ * - Authorized scopes
+ *   - Required minimum is `User profile (read)`
+ *
+ * Click ‘Create Application’
+ *
+ * :::warning
+ * You are required to use HTTPS even for the localhost
+ * :::
+ *
+ * :::warning
+ * You will have to delete and create a new application to change the scopes later
+ * :::
+ *
+ * The following data is relevant for the next step:
+ *
+ * - App ID
+ * - Client Secret (after clicking the ‘Show’ button, ignore App Secret entry above it)
+ * - Authorized Scopes
+ *
+ * ### Set up the environment variables
+ *
+ * In `.env.local` create the following entries:
+ *
+ * ```
+ * AZURE_DEVOPS_APP_ID=<copy App ID value here>
+ * AZURE_DEVOPS_CLIENT_SECRET=<copy generated client secret value here>
+ * AZURE_DEVOPS_SCOPE=<copy space separated Authorized Scopes list here>
+ * ```
+ *
+ * ## Example
+ *
+ * ```ts
+ * import AzureDevOps from "@auth/core/providers/azure-devops"
+ * ...
+ * providers: [
+ *   AzureDevOps({
+ *     clientId: process.env.AZURE_DEVOPS_APP_ID,
+ *     clientSecret: process.env.AZURE_DEVOPS_CLIENT_SECRET,
+ *     scope: process.env.AZURE_DEVOPS_SCOPE,
+ *   }),
+ * ]
+ * ...
+ * ```
+ *
+ * ### Refresh token rotation
+ *
+ * Use the [main guide](/guides/basics/refresh-token-rotation) as your starting point with the following considerations:
+ *
+ * ```ts
+ * async jwt({ token, user, account }) {
+ *   ...
+ *   // The token has an absolute expiration time
+ *   const accessTokenExpires = account.expires_at * 1000
+ *   ...
+ * }
+ *
+ * async function refreshAccessToken(token) {
+ *   ...
+ *   const response = await fetch(
+ *     "https://app.vssps.visualstudio.com/oauth2/token",
+ *     {
+ *       headers: { "Content-Type": "application/x-www-form-urlencoded" },
+ *       method: "POST",
+ *       body: new URLSearchParams({
+ *         client_assertion_type:
+ *           "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+ *         client_assertion: process.env.AZURE_DEVOPS_CLIENT_SECRET,
+ *         grant_type: "refresh_token",
+ *         assertion: token.refreshToken,
+ *         redirect_uri:
+ *           process.env.NEXTAUTH_URL + "/api/auth/callback/azure-devops",
+ *       }),
+ *     }
+ *   )
+ *   ...
+ *   // The refreshed token comes with a relative expiration time
+ *   const accessTokenExpires = Date.now() + newToken.expires_in * 1000
+ *   ...
+ * }
+ * ```
+ */
+export default function AzureDevOpsProvider<P extends AzureDevOpsProfile>(options: OAuthUserConfig<P> & {
+    /**
+     * https://docs.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops#scopes
+     * @default vso.profile
+     */
+    scope?: string;
+}): OAuthConfig<P>;
+//# sourceMappingURL=azure-devops.d.ts.map

package/providers/azure-devops.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"azure-devops.d.ts","sourceRoot":"","sources":["../src/providers/azure-devops.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,YAAY,CAAA;AAEzD,6LAA6L;AAC7L,MAAM,WAAW,kBAAmB,SAAQ,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;IAC7D,EAAE,EAAE,MAAM,CAAA;IACV,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,EAAE,MAAM,CAAA;IACpB,cAAc,EAAE;QAAE,MAAM,EAAE;YAAE,KAAK,EAAE;gBAAE,KAAK,EAAE,MAAM,CAAA;aAAE,CAAA;SAAE,CAAA;KAAE,CAAA;CACzD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyGG;AACH,MAAM,CAAC,OAAO,UAAU,mBAAmB,CAAC,CAAC,SAAS,kBAAkB,EACtE,OAAO,EAAE,eAAe,CAAC,CAAC,CAAC,GAAG;IAC5B;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAA;CACf,GACA,WAAW,CAAC,CAAC,CAAC,CA2DhB"}

package/providers/azure-devops.js

@@ -0,0 +1,158 @@
+/**
+ *
+ * @deprecated
+ * While still available, Microsoft is [no longer supporting](https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops#available-oauth-models) Azure DevOps OAuth and recommends using [Microsoft Entra ID](/getting-started/providers/microsoft-entra-id) instead.
+ *
+ * ## Documentation
+ *
+ * [Microsoft Docs](https://docs.microsoft.com/en-us) · [Azure DevOps](https://docs.microsoft.com/en-us/azure/devops/) · [Authorize access to REST APIs with OAuth 2.0](https://docs.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops])
+ *
+ * ## Configuration
+ *
+ * ### Register application
+ *
+ * :::tip
+ * [`https://app.vsaex.visualstudio.com/app/register`](https://app.vsaex.visualstudio.com/app/register)
+ * :::
+ *
+ * Provide the required details:
+ *
+ * - Company name
+ * - Application name
+ * - Application website
+ * - Authorization callback URL
+ *   - `https://example.com/api/auth/callback/azure-devops` for production
+ *   - `https://localhost/api/auth/callback/azure-devops` for development
+ * - Authorized scopes
+ *   - Required minimum is `User profile (read)`
+ *
+ * Click ‘Create Application’
+ *
+ * :::warning
+ * You are required to use HTTPS even for the localhost
+ * :::
+ *
+ * :::warning
+ * You will have to delete and create a new application to change the scopes later
+ * :::
+ *
+ * The following data is relevant for the next step:
+ *
+ * - App ID
+ * - Client Secret (after clicking the ‘Show’ button, ignore App Secret entry above it)
+ * - Authorized Scopes
+ *
+ * ### Set up the environment variables
+ *
+ * In `.env.local` create the following entries:
+ *
+ * ```
+ * AZURE_DEVOPS_APP_ID=<copy App ID value here>
+ * AZURE_DEVOPS_CLIENT_SECRET=<copy generated client secret value here>
+ * AZURE_DEVOPS_SCOPE=<copy space separated Authorized Scopes list here>
+ * ```
+ *
+ * ## Example
+ *
+ * ```ts
+ * import AzureDevOps from "@auth/core/providers/azure-devops"
+ * ...
+ * providers: [
+ *   AzureDevOps({
+ *     clientId: process.env.AZURE_DEVOPS_APP_ID,
+ *     clientSecret: process.env.AZURE_DEVOPS_CLIENT_SECRET,
+ *     scope: process.env.AZURE_DEVOPS_SCOPE,
+ *   }),
+ * ]
+ * ...
+ * ```
+ *
+ * ### Refresh token rotation
+ *
+ * Use the [main guide](/guides/basics/refresh-token-rotation) as your starting point with the following considerations:
+ *
+ * ```ts
+ * async jwt({ token, user, account }) {
+ *   ...
+ *   // The token has an absolute expiration time
+ *   const accessTokenExpires = account.expires_at * 1000
+ *   ...
+ * }
+ *
+ * async function refreshAccessToken(token) {
+ *   ...
+ *   const response = await fetch(
+ *     "https://app.vssps.visualstudio.com/oauth2/token",
+ *     {
+ *       headers: { "Content-Type": "application/x-www-form-urlencoded" },
+ *       method: "POST",
+ *       body: new URLSearchParams({
+ *         client_assertion_type:
+ *           "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+ *         client_assertion: process.env.AZURE_DEVOPS_CLIENT_SECRET,
+ *         grant_type: "refresh_token",
+ *         assertion: token.refreshToken,
+ *         redirect_uri:
+ *           process.env.NEXTAUTH_URL + "/api/auth/callback/azure-devops",
+ *       }),
+ *     }
+ *   )
+ *   ...
+ *   // The refreshed token comes with a relative expiration time
+ *   const accessTokenExpires = Date.now() + newToken.expires_in * 1000
+ *   ...
+ * }
+ * ```
+ */
+export default function AzureDevOpsProvider(options) {
+    const scope = options.scope ?? "vso.profile";
+    const tokenEndpointUrl = "https://app.vssps.visualstudio.com/oauth2/authorize";
+    const userInfoEndpointUrl = "https://app.vssps.visualstudio.com/_apis/profile/profiles/me?details=true&coreAttributes=Avatar&api-version=6.0";
+    return {
+        id: "azure-devops",
+        name: "Azure DevOps",
+        type: "oauth",
+        authorization: {
+            url: "https://app.vssps.visualstudio.com/oauth2/authorize",
+            params: { response_type: "Assertion", scope },
+        },
+        token: {
+            url: tokenEndpointUrl,
+            async request(context) {
+                const response = await fetch(tokenEndpointUrl, {
+                    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+                    method: "POST",
+                    body: new URLSearchParams({
+                        client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+                        client_assertion: context.provider.clientSecret,
+                        grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+                        assertion: context.params.code,
+                        redirect_uri: context.provider.callbackUrl,
+                    }),
+                });
+                return { tokens: await response.json() };
+            },
+        },
+        userinfo: {
+            url: userInfoEndpointUrl,
+            async request(context) {
+                const accessToken = context.tokens.access_token;
+                const response = await fetch(userInfoEndpointUrl, {
+                    headers: {
+                        Authorization: `Bearer ${accessToken}`,
+                    },
+                });
+                return response.json();
+            },
+        },
+        profile(profile) {
+            return {
+                id: profile.id,
+                name: profile.displayName,
+                email: profile.emailAddress,
+                image: `data:image/jpeg;base64,${profile.coreAttributes.Avatar.value.value}`,
+            };
+        },
+        options,
+    };
+}