Manually Test Providers (v4)

[0ubbe]

Description 📓

Before the release of v4 we want to manually test most (if not all) the current OAuth providers to make sure the changes that happen on v4 to their configuration didn't break any of them 🤞🏽

We also haven't enforced any kind of testing prior to v4, so there is a big chance that some providers do not even work in v3, which might have gone undetected if there was no interest from users to open issues.

Here's the table where we keep track of this testing:

Provider	Account created	Manually tested	Comments
42	✅	✅	#3189, tested by @estarossa0
Apple	✅	✅	#2875. Thanks @sergeymishin and @theobr for the help! See #2875 (comment) for caveats
Atlassian	✅	🚨	Not able to redirect back to callback_url, internal error at Atlassian
Auth0	✅	✅
Azure B2C	✅	✅	#2862, @BenjaminWFox provided me test account/client. We could not retrieve a profile picture
Azure AD	✅	✅	Fixed in #2818, @ndom91 has the account for this to test. Default profile picture size is 64x64 #2910
Basecamp	❌	❌	Removed see, #511 (comment)
BattleNet	N/A
Box	N/A
Bungie
Cognito	✅	✅	#2829, AWS provided by @s-kris
Coinbase	✅	✅
Discord	✅	✅
Dropbox	✅
Eve Online
Facebook	✅	✅
FaceIT	✅
FourSquare	✅	✅
Freshbooks	✅
FusionAuth		✅	#3376 by @alessandrojcm
Github	✅	✅
Gitlab	✅	✅
Google	✅	✅
IS4	✅	✅
Instagram	✅
Kakao	✅
Keycloak	✅	✅	#2485, #2851
Line	✅	✅	#2917, email needs special setup. tested by @ThangHuuVu
LinkedIn	✅	✅	#2821
MailChimp	✅
MailRu
Medium
Naver
Netlify
Okta	✅	✅	#2856
OneLogin	✅	✅
Osso
Reddit
Salesforce
Slack	✅	✅	Fixed in #2848. Requires https for redirect URLs, even for local development. Used ngrok
Spotify	✅	✅
Strava
Twtich	✅	✅
Twitter	✅	✅
VK
Wordpress
WorkOS	✅	✅	WIP #3886 thanks @m-abdelwahab for the infra support
Yandex
Zoho
Zoom

@balazsorban44 @ndom91 if you could mark the ones you have already manually tested and verified they're working so we can know which ones are left to test 🙏🏽

Notes

• BattleNet requires Battle.net Authenticator (possibly replaceable via their first-party app. This is different from normal TOTP)
• Box only has paid plans
• Coinbase requires to know your customer (KYC) verification via video chat like when opening a bank account

The relevant PR making this required is #2411. Checks its description for more info.

The documentation page here might also be useful: https://next-auth.js.org/configuration/providers/oauth-provider#options

[ndom91]

Made some updates and wrote notes regarding providers that will be difficult / impossible for us to manually test.

I'll manually try some of the additional ones for which we have clientId's / secrets soon 👍

[balazsorban44]

Anyone reading this, if you use any of the built-in providers, we would highly appreciate your help making sure that those will work in the future! Until now, we haven't enforced anything at all, and so some built-in providers might have never even worked properly...

Please leave a comment here if you find an issue or have anything related to say! 🙏 💚

[inu4g0t]

Hi, @lluia . I'm trying to integrate nextjs with azure ad.
I found it always report "Insufficient privileges" with 403 on getting the user.

After detailed check, I think the issue is at auth step where to "scope" is always set to "openid" rather than the one defined in doc which should be 'offline_access User.Read'
From the debug, the auth scope 'openid' is coming from
https://github.com/panva/node-openid-client/blob/main/lib/client.js
function authorizationParams(params) {
const authParams = {
client_id: this.client_id,
scope: 'openid',
response_type: resolveResponseType.call(this),
redirect_uri: resolveRedirectUri.call(this),
...params,
};

This scope 'openid', the get user function does not have enough permission to retrive user information with graph api /me and always generate 403.

I'm not expert on either aad or next-auth so I can hardly sure if this is a bug or something wrong with my setting but I have tried to force the scope to 'offline_access User.Read' which makes it work.

[javigonz]

Hi @lluia, I´m trying to upgrade Next-auth v4.0.0-beta.2 with CognitoProvider.
Passing an empty string in clientSecret parameter, return an error message.

import NextAuth from 'next-auth';
import CognitoProvider from 'next-auth/providers/cognito';

export default NextAuth({
  providers: [
    CognitoProvider({
      clientId: process.env.COGNITO_CLIENT_ID,
      clientSecret: '',
      domain: process.env.COGNITO_DOMAIN,
      issuer: `https://${process.env.COGNITO_DOMAIN}/`
    })
  ],
  callbacks: {...}
});

message: 'client_secret_basic client authentication method requires a client_secret',

After a little research, this error is not in your library, it is due to a dependence library "openid-client": "^4.7.4".
I´ve just opened an issue where I explain the situation. panva/openid-client#402

[panva]

@javigonz you should set the client's token endpoint auth method to none, not your client secret to an empty string. That's the very much intended state.

Whether next-auth abstracts setting the method to none for you or exposes a client auth property is out of openid-client Lin's control.

[javigonz]

Yeah @panva, probably that the key, add a way to set this token endpoint auth method into https://next-auth.js.org/configuration/providers/oauth-provider#options

[balazsorban44]

Going to expose further options through #2717, I'll just test it out locally.

[balazsorban44]

@javigonz could you test out? #2717 (comment)

Check the new client option

[mckernanin]

Testing the EVE Online integration, I receive the following error from EVE's login server:

{
"error": "invalid_scope",
"error_description": "The requested scopes either don't exist, or are not valid for this client"
}

If I update the scope in the URL to publicData then the EVE login succeeds.
I added an authorization object like this, but I'm still having the same issue.

    EVEOnlineProvider({
      clientId: config.esiId,
      clientSecret: config.esiSecret,
      authorization: { params: {scope: 'publicData'}}
    })

After investigating further and testing myself, I got it working with an updated provider where I specified the authorization property in the default parameters for the provider. I opened a PR with these changes, where I also rewrote the EVE Provider in TypeScript.

[idac73]

Hi! Thanks so much for what is shaping up to be an excellent library.

I'm testing 4.0.0-beta.2 using the AzureADProvider and the profile.user is undefined, which may be rooted in an error at line 149 ./server/lib/oauth/callback.js when attempting profile.id.toString() for the providerAccountId property. Hacking this property to use OAuthProfile.sub and running with debug: true outputs fully populated OAuthProfile and account objects. The profile object from the OAUTH_CALLBACK_RESPONSE is profile: { id: undefined, name: undefined, email: undefined, image: null }

I first referenced the documentation for this provider, but using this config provided a successful response for me:

    AzureADProvider({
      authorization: {
        params: {
          audience: process.env.AZURE_AD_CLIENT_ID,
          response_mode: 'form_post',
          response_type: 'code id_token',
          scope: 'offline_access openid profile email User.Read'
        }
      },
      clientId: process.env.AZURE_AD_CLIENT_ID,
      clientSecret: process.env.AZURE_AD_CLIENT_SECRET,
      tenantId: process.env.AZURE_AD_TENANT_ID,
      wellKnown: process.env.AZURE_AD_OPENID
    })

[taep96]

AzureADProvider({
  authorization: {
    params: {
      audience: process.env.AZURE_AD_CLIENT_ID,
      response_mode: 'form_post',
      response_type: 'code id_token',
      scope: 'offline_access openid profile email User.Read'
    }
  },
  clientId: process.env.AZURE_AD_CLIENT_ID,
  clientSecret: process.env.AZURE_AD_CLIENT_SECRET,
  tenantId: process.env.AZURE_AD_TENANT_ID,
  wellKnown: process.env.AZURE_AD_OPENID
})

URL still only has openid for me

[squeezeday]

I just set up a Salesforce with NextAuth using the example:

// /api/auth/[...nextauth].ts
import NextAuth from "next-auth/next";
import SalesFoceProvider from "next-auth/providers/salesforce";

export default NextAuth({
  debug: true,
  secret: "NEXTAUTH_SECRET",
  providers: [
    SalesFoceProvider({
      clientId: "SALESFORCE_CLIENT_ID",
      clientSecret: "SALESFORCE_CLIENT_SECRET",
      },
    }),
  ],
});

But got stuck at this callback error:

[next-auth][error][OAUTH_CALLBACK_ERROR] 
https://next-auth.js.org/errors#oauth_callback_error id_token detected in the response, you must use client.callback() instead of client.oauthCallback() {
  error: {
    message: 'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()',
    stack: 'RPError: id_token detected in the response, you must use client.callback() instead of client.oauthCallback()\n' +
  },
...
  providerId: 'salesforce',
  message: 'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()'
}

I added scope as an authorization parameter and now the login flow is working.

// /api/auth/[...nextauth].ts
import NextAuth from "next-auth/next";
import SalesFoceProvider from "next-auth/providers/salesforce";

export default NextAuth({
  debug: true,
  secret: "NEXTAUTH_SECRET",
  providers: [
    SalesFoceProvider({
      clientId: "SALESFORCE_CLIENT_ID",
      clientSecret: "SALESFORCE_CLIENT_SECRET",
      authorization: {
        params: {
          scope: "api id web",
        },
      },
    }),
  ],
});

[ndom91]

Thanks for reporting that back to us @squeezeday! I'll make sure to add it to the docs.

[geraldm74]

EVEOnline provider not working in v4 .... The problem is that a Scope query parameter is being inserted in the URL which EVE Online is reporting as invalid (Invalid scope). The scope parameter needs to be removed or set to blank (example: ..&scope=&..)

See bug report #3760

Also some additional information ... even removing the Scope parameter manually it allows you to authenticate with EVE Online, however in the callback Next-Auth throws a OAuthCallbackError error:

[next-auth][error][OAUTH_CALLBACK_ERROR]
https://next-auth.js.org/errors#oauth_callback_error id_token not present in TokenSet {
error: {
message: 'id_token not present in TokenSet',
stack: 'TypeError: id_token not present in TokenSet\n'

It seems that EVE Online does not return an id_token which next-auth is expecting?

When you get and use the code returned to get the access token, you get a response that looks like this from EVE Online:

{"access_token":"jZOzkRtA8B...LQJg2","token_type":"Bearer","expires_in":1199,"refresh_token":"RGuc...w1"}

Could it be that Next-Auth is expecting id_token and not access_token ?

Update:

Changing the EVE Online application type from Authentication Only to Authentication & API Access and adding the publicData scope, it now successfully redirects you to the EVE Online login screen.

However I am now receiving a OAUTH_CALLBACK_ERROR saying the id_token is not present in TokenSet?

So only error still remaining is the id_token ?

EDIT:

Interesting enough the access_token returned is a JWT token ... the payload data in the token includes the following:

{
"scp": "publicData",
"jti": "f13e056c-6e4b-4f3b-bef9-2af9fb86ab48",
"kid": "JWT-Signature-Key",
"sub": "CHARACTER:EVE:character ID",
"azp": "640d8f12cdba4dad941fbea400a5cd7b",
"tenant": "tranquility",
"tier": "live",
"region": "world",
"name": "character name",
"owner": "owner",
"exp": 1643528344,
"iat": 1643527144,
"iss": "login.eveonline.com"
}

So to get the returned user data for NextAuth. All we need is the access_token as it contains the character name and character id which is all we need.

So the flow should be:

1. SSO to login.eveonline.com
2. Exchange code for access_token (JWT), token_expiry, token_refresh
3. Verify access_token (JWT) via https://login.eveonline.com/oauth/jwks
4. Extract user data from access_token (JWT).

Would the above be easy to implement with NextAuth?

[geraldm74]

@mckernanin are you able to comment on my post above please?

[mckernanin]

@balazsorban44 and I worked through it a bit, CCP does some non-standard stuff which is annoying. The provider that I'm successfully using in an app of mine looks like this:

function EVEOnlineUpdated<P extends Record<string, any> = EVEOnlineProfile>(
  options: OAuthUserConfig<P>
): OAuthConfig<P> {
  return {
    id: "eveonline",
    name: "EVE Online",
    type: "oauth",
    wellKnown: "https://login.eveonline.com/.well-known/oauth-authorization-server",
    authorization: {
      params: {
        scope: "publicData esi-planets.manage_planets.v1",
      },
    },
    idToken: true,
    profile(profile: P) {
      const characterId = profile.sub.split(":")[2];
      return {
        id: characterId,
        name: profile.name,
        ownerHash: profile.owner,
        email: null,
        image: `https://image.eveonline.com/Character/${characterId}_128.jpg`,
      };
    },
    token: {
      async request({ client, provider, params, checks }) {
        const tokens = await client.oauthCallback(provider.callbackUrl, params, checks);
        tokens.id_token = tokens.access_token;
        return { tokens };
      },
    },

    options,
  };
}

The custom token callback copies access_token to id_token

[geraldm74]

@mckernanin thank you for the above code. I've now created a custom provider and the SSO login now works!

I now have an issue getting the user details from the session?

I'm using the following in my component:

const {session, loading} = useSession();`

however, session.user.id is not defined?

I'm also getting session cookie length errors:

[next-auth][debug][CHUNKING_SESSION_COOKIE] {
  message: 'Session cookie exceeds allowed 4096 bytes.',
  emptyCookieSize: 163,
  valueSize: 4756,
  chunks: [ 4096, 986 ]
}

Am I missing something here?

[ndom91]

Yeah so it seems like you're trying to store too much in the cookie (in the jwt callback?), which then therefore cannot be read back out in the following callback functions, thats probably why your session.user.id is undefined.

See the warning right above the start of this section: https://next-auth.js.org/configuration/callbacks#session-callback

[geraldm74]

@ndom91

Ah ok thanks!

I changed my callback to just include the account and user information as follows:

The reason why I did the if (token.token.user) is because the callback seems to be executed twice so only want to make one modification to it.

I'm not sure if that is the correct approach or not ... then in the session callback, I did the following:

(yes, I need to fix the double session object)

It works ... but seems messy :(

UPDATE:

Actually, I don't need to duplicate the session information - the information is there, just in a different section so I don't need to copy it etc.

[hyunoosung]

@balazsorban44 and I worked through it a bit, CCP does some non-standard stuff which is annoying. The provider that I'm successfully using in an app of mine looks like this:

function EVEOnlineUpdated<P extends Record<string, any> = EVEOnlineProfile>(
  options: OAuthUserConfig<P>
): OAuthConfig<P> {
  return {
    id: "eveonline",
    name: "EVE Online",
    type: "oauth",
    wellKnown: "https://login.eveonline.com/.well-known/oauth-authorization-server",
    authorization: {
      params: {
        scope: "publicData esi-planets.manage_planets.v1",
      },
    },
    idToken: true,
    profile(profile: P) {
      const characterId = profile.sub.split(":")[2];
      return {
        id: characterId,
        name: profile.name,
        ownerHash: profile.owner,
        email: null,
        image: `https://image.eveonline.com/Character/${characterId}_128.jpg`,
      };
    },
    token: {
      async request({ client, provider, params, checks }) {
        const tokens = await client.oauthCallback(provider.callbackUrl, params, checks);
        tokens.id_token = tokens.access_token;
        return { tokens };
      },
    },

    options,
  };
}

The custom token callback copies access_token to id_token

I followed this code to get name and email from profile but id_token is overwritten and I cannot get id_token again where I need at the federated_logout.

Any work around to save raw id_token?

[0ubbe]

Just verified the Coinbase Provider is working correctly with the latest version of NextAuth 💚, when well configured...

[qw-in]

Atlassian is giving me some cryptic internal error in the latest version. Perhaps it should be removed - or a note should be added to the docs?

[DarkAxi0m]

Did you every manged to get something working with Atlassian?

[foobarnes]

Mailchimp (similar to EVEOnline above) was returning invalid_scope unless I manually set the scope auth param to an empty string (as well as add a couple of other params manually that Mailchimp expects according to their docs):

MailchimpProvider({
      clientId: process.env.MAILCHIMP_CLIENT_ID,
      clientSecret: process.env.MAILCHIMP_CLIENT_SECRET,
      authorization: {
        params: {
          scope: '',
          response_type: 'code',
          client_id: process.env.MAILCHIMP_CLIENT_ID,
          redirect_uri: `${process.env.NEXTAUTH_URL}/api/auth/callback/mailchimp`,
        },
      },
    }),

I'm now getting an OAuthCallbackError: State cookie was missing. and I'm having a hard time understanding how to move forward. Any help would be appreciated!

[insanebaba]

I'm getting this error when using instagram provider.

"response" body "token_type" property must be a non-empty string

here's sample response json returned by instagram

{
access_token:"some long string",
user_id:123123123
}

[emilaleksanteri]

same here

[emilaleksanteri]

https://github.com/emilaleksanteri/igauthtest issue recreated here

[MyWay]

same here

[Kurochen]

VK provider

[next-auth][error][OAUTH_CALLBACK_HANDLER_ERROR] 
https://next-auth.js.org/errors#oauth_callback_handler_error
Invalid `prisma.account.create()` invocation:

{
  data: {
    provider: "vk",
    type: "oauth",
    providerAccountId: "93746972",
    access_token: "vk1.a.h********zhf8W",
    expires_at: 1702643485,
    user_id: 93746972,
    ~~~~~~~
    userId: 7,
?   id?: String,
?   refresh_token?: String | Null,
?   token_type?: String | Null,
?   scope?: String | Null,
?   id_token?: String | Null,
?   session_state?: String | Null
  }
}

Unknown argument `user_id`. Did you mean `userId`? Available options are marked with ?. PrismaClientValidationError:

If you add user_id to default Schema.prisma, then everything works.

P.S. VK no send mail before. The email address in provider was null. But now, we can add an email address in settings. But then we get another error

[next-auth][error][OAUTH_CALLBACK_HANDLER_ERROR] 
https://next-auth.js.org/errors#oauth_callback_handler_error
Invalid `prisma.account.create()` invocation:

{
  data: {
    provider: "vk",
    type: "oauth",
    providerAccountId: "93746972",
    access_token: "vk1.a.J04********kabfMbg",
    expires_at: 1702712346,
    user_id: 93746972,
    email: "[email protected]",
    ~~~~~
    userId: 8,
?   id?: String,
?   refresh_token?: String | Null,
?   token_type?: String | Null,
?   scope?: String | Null,
?   id_token?: String | Null,
?   session_state?: String | Null
  }
}

Unknown argument `email`. Available options are marked with ?. PrismaClientValidationError:

I can’t figure out where the problem is, in the provider or the adapter

[pogran]

how to solve this problem with auth vk
OperationProcessingError: "response" body "token_type" property must be a string #11633

[mshndev]

I had the same issue getting token from Figma. Found a solution with the WeChat provider and it worked for me. Maybe try something similar for VK (haven’t tested it):

    token: {
      url: `https://oauth.vk.com/access_token?v=${apiVersion}`,

      async conform(response: Response) {
        const data = (await response.json()) as Record<string, unknown>
        return Response.json({ ...data, token_type: "bearer" }, response)
      },
    },