Manually Test Providers (v4)

[ubbe-xyz]

Description 📓

Before the release of v4 we want to manually test most (if not all) the current OAuth providers to make sure the changes that happen on v4 to their configuration didn't break any of them 🤞🏽

We also haven't enforced any kind of testing prior to v4, so there is a big chance that some providers do not even work in v3, which might have gone undetected if there was no interest from users to open issues.

Here's the table where we keep track of this testing:

Provider	Account created	Manually tested	Comments
42	✅	✅	#3189, tested by @estarossa0
Apple	✅	✅	#2875. Thanks @sergeymishin and @theobr for the help! See #2875 (comment) for caveats
Atlassian	✅	🚨	Not able to redirect back to callback_url, internal error at Atlassian
Auth0	✅	✅
Azure B2C	✅	✅	#2862, @BenjaminWFox provided me test account/client. We could not retrieve a profile picture
Azure AD	✅	✅	Fixed in #2818, @ndom91 has the account for this to test. Default profile picture size is 64x64 #2910
Basecamp	❌	❌	Removed see, #511 (comment)
BattleNet	N/A
Box	N/A
Bungie
Cognito	✅	✅	#2829, AWS provided by @s-kris
Coinbase	N/A
Discord	✅	✅
Dropbox	✅
Eve Online
Facebook	✅	✅
FaceIT	✅
FourSquare	✅	✅
Freshbooks	✅
FusionAuth		✅	#3376 by @alessandrojcm
Github	✅	✅
Gitlab	✅	✅
Google	✅	✅
IS4	✅	✅
Instagram	✅
Kakao	✅
Keycloak	✅	✅	#2485, #2851
Line	✅	✅	#2917, email needs special setup. tested by @ThangHuuVu
LinkedIn	✅	✅	#2821
MailChimp	✅
MailRu
Medium
Naver
Netlify
Okta	✅	✅	#2856
OneLogin	✅	✅
Osso
Reddit
Salesforce
Slack	✅	✅	Fixed in #2848. Requires https for redirect URLs, even for local development. Used ngrok
Spotify	✅	✅
Strava
Twtich	✅	✅
Twitter	✅	✅
VK
Wordpress
WorkOS	✅	✅	WIP #3886 thanks @m-abdelwahab for the infra support
Yandex
Zoho
Zoom

@balazsorban44 @ndom91 if you could mark the ones you have already manually tested and verified they're working so we can know which ones are left to test 🙏🏽

Notes

• BattleNet requires Battle.net Authenticator (possibly replaceable via their first-party app. This is different from normal TOTP)
• Box only has paid plans
• Coinbase requires to know your customer (KYC) verification via video chat like when opening a bank account

The relevant PR making this required is #2411. Checks its description for more info.

The documentation page here might also be useful: https://next-auth.js.org/configuration/providers/oauth-provider#options

[ndom91]

Made some updates and wrote notes regarding providers that will be difficult / impossible for us to manually test.

I'll manually try some of the additional ones for which we have clientId's / secrets soon 👍

[balazsorban44]

Anyone reading this, if you use any of the built-in providers, we would highly appreciate your help making sure that those will work in the future! Until now, we haven't enforced anything at all, and so some built-in providers might have never even worked properly...

Please leave a comment here if you find an issue or have anything related to say! 🙏 💚

[inu4g0t]

Hi, @lluia . I'm trying to integrate nextjs with azure ad.
I found it always report "Insufficient privileges" with 403 on getting the user.

After detailed check, I think the issue is at auth step where to "scope" is always set to "openid" rather than the one defined in doc which should be 'offline_access User.Read'
From the debug, the auth scope 'openid' is coming from
https://github.com/panva/node-openid-client/blob/main/lib/client.js
function authorizationParams(params) {
const authParams = {
client_id: this.client_id,
scope: 'openid',
response_type: resolveResponseType.call(this),
redirect_uri: resolveRedirectUri.call(this),
...params,
};

This scope 'openid', the get user function does not have enough permission to retrive user information with graph api /me and always generate 403.

I'm not expert on either aad or next-auth so I can hardly sure if this is a bug or something wrong with my setting but I have tried to force the scope to 'offline_access User.Read' which makes it work.

[javigonz]

Hi @lluia, I´m trying to upgrade Next-auth v4.0.0-beta.2 with CognitoProvider.
Passing an empty string in clientSecret parameter, return an error message.

import NextAuth from 'next-auth';
import CognitoProvider from 'next-auth/providers/cognito';

export default NextAuth({
  providers: [
    CognitoProvider({
      clientId: process.env.COGNITO_CLIENT_ID,
      clientSecret: '',
      domain: process.env.COGNITO_DOMAIN,
      issuer: `https://${process.env.COGNITO_DOMAIN}/`
    })
  ],
  callbacks: {...}
});

message: 'client_secret_basic client authentication method requires a client_secret',

After a little research, this error is not in your library, it is due to a dependence library "openid-client": "^4.7.4".
I´ve just opened an issue where I explain the situation. panva/node-openid-client#402

[panva]

@javigonz you should set the client's token endpoint auth method to none, not your client secret to an empty string. That's the very much intended state.

Whether next-auth abstracts setting the method to none for you or exposes a client auth property is out of openid-client Lin's control.

[javigonz]

Yeah @panva, probably that the key, add a way to set this token endpoint auth method into https://next-auth.js.org/configuration/providers/oauth-provider#options

[balazsorban44]

Going to expose further options through #2717, I'll just test it out locally.

[balazsorban44]

@javigonz could you test out? #2717 (comment)

Check the new client option

[mckernanin]

Testing the EVE Online integration, I receive the following error from EVE's login server:

{
"error": "invalid_scope",
"error_description": "The requested scopes either don't exist, or are not valid for this client"
}

If I update the scope in the URL to publicData then the EVE login succeeds.
I added an authorization object like this, but I'm still having the same issue.

    EVEOnlineProvider({
      clientId: config.esiId,
      clientSecret: config.esiSecret,
      authorization: { params: {scope: 'publicData'}}
    })

After investigating further and testing myself, I got it working with an updated provider where I specified the authorization property in the default parameters for the provider. I opened a PR with these changes, where I also rewrote the EVE Provider in TypeScript.

[idac73]

Hi! Thanks so much for what is shaping up to be an excellent library.

I'm testing 4.0.0-beta.2 using the AzureADProvider and the profile.user is undefined, which may be rooted in an error at line 149 ./server/lib/oauth/callback.js when attempting profile.id.toString() for the providerAccountId property. Hacking this property to use OAuthProfile.sub and running with debug: true outputs fully populated OAuthProfile and account objects. The profile object from the OAUTH_CALLBACK_RESPONSE is profile: { id: undefined, name: undefined, email: undefined, image: null }

I first referenced the documentation for this provider, but using this config provided a successful response for me:

    AzureADProvider({
      authorization: {
        params: {
          audience: process.env.AZURE_AD_CLIENT_ID,
          response_mode: 'form_post',
          response_type: 'code id_token',
          scope: 'offline_access openid profile email User.Read'
        }
      },
      clientId: process.env.AZURE_AD_CLIENT_ID,
      clientSecret: process.env.AZURE_AD_CLIENT_SECRET,
      tenantId: process.env.AZURE_AD_TENANT_ID,
      wellKnown: process.env.AZURE_AD_OPENID
    })

[taep96]

AzureADProvider({
  authorization: {
    params: {
      audience: process.env.AZURE_AD_CLIENT_ID,
      response_mode: 'form_post',
      response_type: 'code id_token',
      scope: 'offline_access openid profile email User.Read'
    }
  },
  clientId: process.env.AZURE_AD_CLIENT_ID,
  clientSecret: process.env.AZURE_AD_CLIENT_SECRET,
  tenantId: process.env.AZURE_AD_TENANT_ID,
  wellKnown: process.env.AZURE_AD_OPENID
})

URL still only has openid for me

[spencerpowell]

I'm seeing this for the Wordpress Provider

[ndom91]

@spencerpowell can you share your config section where you setup the Wordpress Provider?

[tmtk75]

I got this error log with dropbox provider.

---

• The client_id and client_secret of dropbox I used worked with next-auth v3.
• GitHub provider and Twitter provider work well.

% node -v
v16.13.1

% cat node_modules/next-auth/package.json | jq .version
"4.0.5"

Can I check something other of my environment?

[ndom91]

I got this error log with dropbox provider.

• The client_id and client_secret of dropbox I used worked with next-auth v3.
• GitHub provider and Twitter provider work well.

% node -v
v16.13.1

% cat node_modules/next-auth/package.json | jq .version
"4.0.5"

Can I check something other of my environment?

Hey @tmtk75 thanks for pointing this out, looks like the dropbox URLs for their OAuth endpoints might be wrong. I'll double check this and get back to you 👍

EDIT: So I dug into this and was able to reproduce it. I also double checked all URLs and they seemed correct. The error is happening in the openid-connect function, Client.userInfo, so I'd think it was something to do with the userinfo URL ("https://api.dropboxapi.com/2/users/get_current_account"). This has not changed since v3, however.

[Inshiku-Han]

Hi. I'm trying to use KakaoProvider but somthing is wrong.

Here's my Error.

Here's my [...nextauth].ts

import NextAuth from 'next-auth';
import { VARIABLES } from 'src/common';
import KakaoProvider from 'next-auth/providers/kakao';
import NaverProvider from 'next-auth/providers/naver';
import GoogleProvider from 'next-auth/providers/google';

export default NextAuth({
  providers: [
    KakaoProvider({
      clientId: VARIABLES.KAKAO_REST_KEY,
      clientSecret: VARIABLES.KAKAO_CLIENT_SECRET,
    }),
    NaverProvider({
      clientId: VARIABLES.NAVER_CLIENT_ID,
      clientSecret: VARIABLES.NAVER_SECRET,
      profile: profile => {
        return profile.response;
      },
    }),
    GoogleProvider({
      clientId: VARIABLES.GOOGLE_CLIENT_ID,
      clientSecret: VARIABLES.GOOGLE_SECRET,
    }),
  ],
  callbacks: {
    session: async ({ session, token }) => {
      return session;
    },
  },
  pages: {
    error: '/auth/error',
  },
});

Thank you

[csbok]

@insik-han I also face same issue and created a PR

Or other solution you can try right now
pages/api/auth/[...nextauth].ts

import NextAuth from "next-auth"
import KakaoProvider from "next-auth/providers/kakao"

export default NextAuth({
  providers: [
    KakaoProvider({
        authorization: "https://kauth.kakao.com/oauth/authorize?scope=",
        client: {
          token_endpoint_auth_method: 'client_secret_post'
        },
        
        clientId: process.env.KAKAO_CLIENT_ID,
        clientSecret: process.env.KAKAO_CLIENT_SECRET,
    })
  ],
})

[krautwigundrueben]

@balazsorban44 : just tested Strava and it doesn't work properly. can't really point you to the problem, though... can I help with anything? it might be that the callback includes one to many params as this is the only difference I found compared to github oauth, which does work: http://localhost:3000/api/auth/callback/strava?state=$STATE&code=$CODE&scope=read

[markandrewj]

@krautwigundrueben I just noticed you replied to this issue as well. I documented what I tried here #2524 (comment), but I couldn't get it to work properly either. Are you receiving the same error?

[ndom91]

Just to confirm, @insik-han and @csbok did that token_endpoint_auth_method additional parameter work for yall with Kakao?

I created a draft PR if it worked for you 👍

#3513

[csbok]

@ndom91 hi I already create a PR #3501

And we need to remove scope query param from authorization URL when we use kakao provider. because solve this problem.

as is - Invalid scope: openid error in kakao provider

https://kauth.kakao.com/oauth/authorize?client_id=***&scope=openid&response_type=code&redirect_uri=~~~

to be - success!

https://kauth.kakao.com/oauth/authorize?client_id=***&response_type=code&redirect_uri=~~~

please check my PR #3501 for additional information.

[arunsathiya]

@ndom91 If it helps, I am running into the same issue as @spencerpowell for the WordPress.com provider. My [...nextauth].js config file is below:

import NextAuth from "next-auth"
import WordpressProvider from "next-auth/providers/wordpress"

export default NextAuth({
  // Configure one or more authentication providers
  providers: [
    WordpressProvider({
      clientId: process.env.WORDPRESS_CLIENT_ID,
      clientSecret: process.env.WORDPRESS_CLIENT_SECRET,
      scope: "global"
    }),
    // ...add more providers here
  ],
})

I found another thing but I am not sure if they are relevant to the ongoing issue:

Setting scope: "global" does not reflect on the authorization flow. It remains "scope=auth"

Is that because it's hard-coded here?

next-auth/src/providers/wordpress.js

Line 8 in 0e8be0c

"https://public-api.wordpress.com/oauth2/authorize?scope=auth",

When I remove that part on the src/providers/wordpress.js file, the scope changes to openid instead and WordPress.com reports there aren't any sites on the user account, which is expected because openid is not a valid scope:

https://developer.wordpress.com/docs/oauth2/

I tried scope=global on the src/providers/wordpress.js file directly, but that results in the same error as #3389

[squeezeday]

I just set up a Salesforce with NextAuth using the example:

// /api/auth/[...nextauth].ts
import NextAuth from "next-auth/next";
import SalesFoceProvider from "next-auth/providers/salesforce";

export default NextAuth({
  debug: true,
  secret: "NEXTAUTH_SECRET",
  providers: [
    SalesFoceProvider({
      clientId: "SALESFORCE_CLIENT_ID",
      clientSecret: "SALESFORCE_CLIENT_SECRET",
      },
    }),
  ],
});

But got stuck at this callback error:

[next-auth][error][OAUTH_CALLBACK_ERROR] 
https://next-auth.js.org/errors#oauth_callback_error id_token detected in the response, you must use client.callback() instead of client.oauthCallback() {
  error: {
    message: 'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()',
    stack: 'RPError: id_token detected in the response, you must use client.callback() instead of client.oauthCallback()\n' +
  },
...
  providerId: 'salesforce',
  message: 'id_token detected in the response, you must use client.callback() instead of client.oauthCallback()'
}

I added scope as an authorization parameter and now the login flow is working.

// /api/auth/[...nextauth].ts
import NextAuth from "next-auth/next";
import SalesFoceProvider from "next-auth/providers/salesforce";

export default NextAuth({
  debug: true,
  secret: "NEXTAUTH_SECRET",
  providers: [
    SalesFoceProvider({
      clientId: "SALESFORCE_CLIENT_ID",
      clientSecret: "SALESFORCE_CLIENT_SECRET",
      authorization: {
        params: {
          scope: "api id web",
        },
      },
    }),
  ],
});

[ndom91]

Thanks for reporting that back to us @squeezeday! I'll make sure to add it to the docs.

[geraldm74]

EVEOnline provider not working in v4 .... The problem is that a Scope query parameter is being inserted in the URL which EVE Online is reporting as invalid (Invalid scope). The scope parameter needs to be removed or set to blank (example: ..&scope=&..)

See bug report #3760

Also some additional information ... even removing the Scope parameter manually it allows you to authenticate with EVE Online, however in the callback Next-Auth throws a OAuthCallbackError error:

[next-auth][error][OAUTH_CALLBACK_ERROR]
https://next-auth.js.org/errors#oauth_callback_error id_token not present in TokenSet {
error: {
message: 'id_token not present in TokenSet',
stack: 'TypeError: id_token not present in TokenSet\n'

It seems that EVE Online does not return an id_token which next-auth is expecting?

When you get and use the code returned to get the access token, you get a response that looks like this from EVE Online:

{"access_token":"jZOzkRtA8B...LQJg2","token_type":"Bearer","expires_in":1199,"refresh_token":"RGuc...w1"}

Could it be that Next-Auth is expecting id_token and not access_token ?

Update:

Changing the EVE Online application type from Authentication Only to Authentication & API Access and adding the publicData scope, it now successfully redirects you to the EVE Online login screen.

However I am now receiving a OAUTH_CALLBACK_ERROR saying the id_token is not present in TokenSet?

So only error still remaining is the id_token ?

EDIT:

Interesting enough the access_token returned is a JWT token ... the payload data in the token includes the following:

{
"scp": "publicData",
"jti": "f13e056c-6e4b-4f3b-bef9-2af9fb86ab48",
"kid": "JWT-Signature-Key",
"sub": "CHARACTER:EVE:character ID",
"azp": "640d8f12cdba4dad941fbea400a5cd7b",
"tenant": "tranquility",
"tier": "live",
"region": "world",
"name": "character name",
"owner": "owner",
"exp": 1643528344,
"iat": 1643527144,
"iss": "login.eveonline.com"
}

So to get the returned user data for NextAuth. All we need is the access_token as it contains the character name and character id which is all we need.

So the flow should be:

1. SSO to login.eveonline.com
2. Exchange code for access_token (JWT), token_expiry, token_refresh
3. Verify access_token (JWT) via https://login.eveonline.com/oauth/jwks
4. Extract user data from access_token (JWT).

Would the above be easy to implement with NextAuth?

[geraldm74]

@mckernanin are you able to comment on my post above please?

[mckernanin]

@balazsorban44 and I worked through it a bit, CCP does some non-standard stuff which is annoying. The provider that I'm successfully using in an app of mine looks like this:

function EVEOnlineUpdated<P extends Record<string, any> = EVEOnlineProfile>(
  options: OAuthUserConfig<P>
): OAuthConfig<P> {
  return {
    id: "eveonline",
    name: "EVE Online",
    type: "oauth",
    wellKnown: "https://login.eveonline.com/.well-known/oauth-authorization-server",
    authorization: {
      params: {
        scope: "publicData esi-planets.manage_planets.v1",
      },
    },
    idToken: true,
    profile(profile: P) {
      const characterId = profile.sub.split(":")[2];
      return {
        id: characterId,
        name: profile.name,
        ownerHash: profile.owner,
        email: null,
        image: `https://image.eveonline.com/Character/${characterId}_128.jpg`,
      };
    },
    token: {
      async request({ client, provider, params, checks }) {
        const tokens = await client.oauthCallback(provider.callbackUrl, params, checks);
        tokens.id_token = tokens.access_token;
        return { tokens };
      },
    },

    options,
  };
}

The custom token callback copies access_token to id_token

[geraldm74]

@mckernanin thank you for the above code. I've now created a custom provider and the SSO login now works!

I now have an issue getting the user details from the session?

I'm using the following in my component:

const {session, loading} = useSession();`

however, session.user.id is not defined?

I'm also getting session cookie length errors:

[next-auth][debug][CHUNKING_SESSION_COOKIE] {
  message: 'Session cookie exceeds allowed 4096 bytes.',
  emptyCookieSize: 163,
  valueSize: 4756,
  chunks: [ 4096, 986 ]
}

Am I missing something here?

[ndom91]

Yeah so it seems like you're trying to store too much in the cookie (in the jwt callback?), which then therefore cannot be read back out in the following callback functions, thats probably why your session.user.id is undefined.

See the warning right above the start of this section: https://next-auth.js.org/configuration/callbacks#session-callback

[geraldm74]

@ndom91

Ah ok thanks!

I changed my callback to just include the account and user information as follows:

The reason why I did the if (token.token.user) is because the callback seems to be executed twice so only want to make one modification to it.

I'm not sure if that is the correct approach or not ... then in the session callback, I did the following:

(yes, I need to fix the double session object)

It works ... but seems messy :(

UPDATE:

Actually, I don't need to duplicate the session information - the information is there, just in a different section so I don't need to copy it etc.

[hyunoosung]

@balazsorban44 and I worked through it a bit, CCP does some non-standard stuff which is annoying. The provider that I'm successfully using in an app of mine looks like this:

function EVEOnlineUpdated<P extends Record<string, any> = EVEOnlineProfile>(
  options: OAuthUserConfig<P>
): OAuthConfig<P> {
  return {
    id: "eveonline",
    name: "EVE Online",
    type: "oauth",
    wellKnown: "https://login.eveonline.com/.well-known/oauth-authorization-server",
    authorization: {
      params: {
        scope: "publicData esi-planets.manage_planets.v1",
      },
    },
    idToken: true,
    profile(profile: P) {
      const characterId = profile.sub.split(":")[2];
      return {
        id: characterId,
        name: profile.name,
        ownerHash: profile.owner,
        email: null,
        image: `https://image.eveonline.com/Character/${characterId}_128.jpg`,
      };
    },
    token: {
      async request({ client, provider, params, checks }) {
        const tokens = await client.oauthCallback(provider.callbackUrl, params, checks);
        tokens.id_token = tokens.access_token;
        return { tokens };
      },
    },

    options,
  };
}

The custom token callback copies access_token to id_token

I followed this code to get name and email from profile but id_token is overwritten and I cannot get id_token again where I need at the federated_logout.

Any work around to save raw id_token?