Provider configs token and userinfo ignore url and request properties #10732
Comments
That's exactly why I filed this issue. I read that code, but
In version 4, the custom provider worked well, but I don't understand why the I've spent an entire night troubleshooting why the custom provider failed. I looked through the source code and found the issue, but I still don't know how to resolve it. Additionally, there are some minor issues with version 4, such as the fact that returning null in the JWT callback throws an error, preventing the session from being cleared. Awaiting your response, thank you.
Yeah please help, this has been a nightmare. Thank you so much for tracking this down @bigbigbo and for clarifying @balazsorban44
If I'm understanding this correctly you're enforcing a very strict pattern on auth that does not consider edge cases.
@balazsorban44 You are aware that being unable to overwrite token.request directly breaks the existing Azure DevOps provider in v5 (in fact, it is broken because of this right now), right? Not allowing this to be overwritten prevents people dealing with weird OAuth providers (like Microsoft...).
Environment
Reproduction URL
https://github.com/joonhyungshin/next-auth-mre
Describe the issue
I am working on a personal project with social account. I did not want Auth.js to call userinfo/ endpoint, because in my case token verification and user info fetch are done in a separate backend server. So I only wanted Auth.js to receive an access token using the standard OAuth2 flow, so in my root auth.ts file I replaced userinfo.request with a no-op function.
However, I realized that Auth.js still calls the userinfo/ endpoint. It seems like the url and request properties are all ignored, since the following config worked with no error.
On the other hand, the following code errors as expected.
So I suspect that Auth.js just falls back to the default config if userinfo is not a string. The code doesn't seem to do so, so I don't understand why.
I also noticed that the token property has the same issue.
How to reproduce
npx create-next-app@latest.
npm i next-auth@beta.
auth.ts at the root, token.request and userinfo.request replaced with no-op functions.
app/api/auth/[...nextauth]/route.ts.
.env.local.
app/page.tsx with the following code.
npm run dev. The Signin with Twitter button still works.
Expected behavior
Error, because Auth.js must not be able to fetch access token or user info.
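A runtime check for the behaviour reported above, as an added example that is not part of the original issue or of Auth.js: it wraps a fetch implementation, records each outbound call, and rejects any request to a path the configuration was supposed to disable. It assumes the library sends its requests through the fetch function being wrapped; guardFetch, classify, simulateSignIn and the provider.example URLs are constructed for illustration.

```javascript
// Added example: every name and URL here is constructed for illustration.

// Reduce a fetch() input (string, URL, or Request-like object) to
// origin + path, dropping the query string so codes and tokens are not logged,
// and decide whether the path is one the config was meant to disable.
function classify(input, deniedPaths) {
  const raw = typeof input === "string" ? input : input.url ?? String(input);
  const url = new URL(raw);
  const denied = deniedPaths.some(
    (p) => url.pathname === p || url.pathname.startsWith(p + "/")
  );
  return { target: url.origin + url.pathname, denied };
}

// Wrap a fetch implementation: record every call, reject the denied ones
// before anything is sent.
function guardFetch(baseFetch, deniedPaths) {
  const calls = [];
  const guarded = async (input, init) => {
    const entry = classify(input, deniedPaths);
    calls.push(entry);
    if (entry.denied) throw new Error(`blocked request to ${entry.target}`);
    return baseFetch(input, init);
  };
  guarded.calls = calls;
  return guarded;
}

// Constructed stand-in for a sign-in flow that still contacts userinfo
// even though the developer believes the override disabled it.
async function simulateSignIn(fetchImpl) {
  await fetchImpl("https://provider.example/oauth2/token?code=abc", { method: "POST" });
  await fetchImpl(new URL("https://provider.example/userinfo"));
}

async function demo() {
  const stub = async () => ({ ok: true, status: 200 }); // no network access
  const guarded = guardFetch(stub, ["/userinfo"]);
  let error = null;
  try {
    await simulateSignIn(guarded);
  } catch (e) {
    error = e.message;
  }
  return { error, calls: guarded.calls };
}
```

Run in a test environment, a guard like this turns a silently ignored override into a visible failure at the first unexpected request.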