Provider configs token and userinfo ignore url and request properties

[joonhyungshin]

Environment

  System:
    OS: macOS 14.4.1
    CPU: (8) arm64 Apple M1 Pro
    Memory: 2.24 GB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.12.2 - /usr/local/bin/node
    npm: 10.5.0 - /usr/local/bin/npm
  Browsers:
    Chrome: 124.0.6367.92
    Safari: 17.4.1
  npmPackages:
    next: 14.2.3 => 14.2.3
    next-auth: ^5.0.0-beta.17 => 5.0.0-beta.17
    react: ^18 => 18.3.0

Reproduction URL

https://github.com/joonhyungshin/next-auth-mre

Describe the issue

I am working on a personal project with social account. I did not want Auth.js to call userinfo/ endpoint, because in my case token verification and user info fetch are done in a separate backend server. So I only wanted Auth.js to receive an access token using the standard OAuth2 flow, so in my root auth.ts file I replaced userinfo.request with a no-op function.

export const { handlers, signIn, signOut, auth } = NextAuth({
  providers: [
    Twitter({
      userinfo: { request: () => {} }
    })
  ],
  // callbacks and events omitted
})

However, I realized that Auth.js still calls the userinfo/ endpoint. It seems like the url and request properties are all ignored, since the following config worked with no error.

export const { handlers, signIn, signOut, auth } = NextAuth({
  providers: [
    Twitter({
      userinfo: { url: "asdf", request: () => {} }
    })
  ],
  // callbacks and events omitted
})

On the other hand, the following code errors as expected.

export const { handlers, signIn, signOut, auth } = NextAuth({
  providers: [
    Twitter({
      userinfo: "asdf",
    })
  ],
  // callbacks and events omitted
})

So I suspect that Auth.js just falls back to the default config if userinfo is not a string. The code doesn't seem to do so, so I don't understand why.

I also noticed that the token property has the same issue.

How to reproduce

1. Start a new Next.js app with npx create-next-app@latest.
2. Install Auth.js with npm i next-auth@beta.
3. Create auth.ts at the root, token.request and userinfo.request replaced with no-op functions.

import NextAuth from "next-auth"
import Twitter from "next-auth/providers/twitter"

export const { handlers, signIn, signOut, auth } = NextAuth({
  providers: [
    Twitter({
      token: { request: () => {} },
      userinfo: { request: () => {} }
    })
  ],
})

4. Create app/api/auth/[...nextauth]/route.ts.

import { handlers } from "@/auth"
export const { GET, POST } = handlers

5. Add environment variables to .env.local.

AUTH_SECRET=***
AUTH_TWITTER_ID=***
AUTH_TWITTER_SECRET=***

6. Replace app/page.tsx with the following code.

import { signIn } from "@/auth"

export default function Home() {
  return (
    <main className="flex min-h-screen flex-col items-center justify-between p-24">
      <form
       action={async () => {
         "use server"
         await signIn("twitter")
       }}
      >
        <button type="submit">Signin with Twitter</button>
      </form>
    </main>
  );
}

7. Run npm run dev. The Signin with Twitter button still works.

Expected behavior

Error, because Auth.js must not be able to fetch access token or user info.

[balazsorban44]

userinfo.request should work: https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/lib/actions/callback/oauth/callback.ts/#L160

token.request is replaced by conform, which is an internal API (so the type is hidden for it). We don't really want people to patch the standard OAuth token request.

[joonhyungshin]

userinfo.request should work: https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/lib/actions/callback/oauth/callback.ts/#L160

That's exactly why I filed this issue. I read that code, but userinfo.request does not work as expected.

[bigbigbo]

userinfo.request should work: https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/lib/actions/callback/oauth/callback.ts/#L160

token.request is replaced by conform, which is an internal API (so the type is hidden for it). We don't really want people to patch the standard OAuth token request.

In version 4, the custom provider worked well, but I don't understand why the token.request was removed, and the corresponding TypeScript type definitions were not removed either, nor was there any documentation explaining this. Our OAuth service provider will not change their service in the short term, what should I do to make token.request work?

I've spent an entire night troubleshooting why the custom provider failed. I looked through the source code and found the issue, but I still don't know how to resolve it. Additionally, there are some minor issues with version 4, such as the fact that returning null in the JWT callback throws an error, preventing the session from being cleared.

Awaiting your response, thank you.

[Nik-Novak]

userinfo.request should work: https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/lib/actions/callback/oauth/callback.ts/#L160
token.request is replaced by conform, which is an internal API (so the type is hidden for it). We don't really want people to patch the standard OAuth token request.

In version 4, the custom provider worked well, but I don't understand why the token.request was removed, and the corresponding TypeScript type definitions were not removed either, nor was there any documentation explaining this. Our OAuth service provider will not change their service in the short term, what should I do to make token.request work?

I've spent an entire night troubleshooting why the custom provider failed. I looked through the source code and found the issue, but I still don't know how to resolve it. Additionally, there are some minor issues with version 4, such as the fact that returning null in the JWT callback throws an error, preventing the session from being cleared.

Awaiting your response, thank you.

Yeah please help, this has been a nightmare. Thank you so much for tracking this down @bigbigbo and for clarifying @balazsorban44

[Nik-Novak]

userinfo.request should work: https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/lib/actions/callback/oauth/callback.ts/#L160

token.request is replaced by conform, which is an internal API (so the type is hidden for it). We don't really want people to patch the standard OAuth token request.

If I'm understanding this correctly you're enforcing a very strict pattern on auth that does not consider edge cases.

[k0l11]

@balazsorban44 You are aware that being unable to overwrite token.request directly breaks the existing Azure DevOps provider in v5 (in fact, it is broken because of this right now), right? Not allowing this to be overwritten prevents people dealing with weird OAuth providers (like Microsoft...).