OAUTH_CALLBACK_ERROR Unexpected token < in JSON

[chukwumaokere]

I'm receiving an issue when using in Next 13.4 with Next-Auth 4.22.1 and latest next-auth-steam

[next-auth][error][OAUTH_CALLBACK_ERROR]
https://next-auth.js.org/errors#oauth_callback_error Unexpected token < in JSON at position 0 {
  error: SyntaxError: Unexpected token < in JSON at position 0
      at JSON.parse (<anonymous>)
      at parseJSONFromBytes (node:internal/deps/undici/undici:6498:19)
      at successSteps (node:internal/deps/undici/undici:6472:27)
      at node:internal/deps/undici/undici:1145:60
      at node:internal/process/task_queues:140:7
      at AsyncResource.runInAsyncScope (node:async_hooks:204:9)
      at AsyncResource.runMicrotask (node:internal/process/task_queues:137:8)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
    name: 'OAuthCallbackError',
    code: undefined
  },
  providerId: 'steam',
  message: 'Unexpected token < in JSON at position 0'
}

entire config looks like

export default function handler (req: NextApiRequest, res: NextApiResponse) {
    return NextAuth(req, res, {
        providers: [
            TwitchProvider({
                clientId: process.env.TWITCH_CLIENT_ID ?? '',
                clientSecret: process.env.TWITCH_CLIENT_SECRET ?? '',
            }),
            SteamProvider(req, {
                clientSecret: process.env.STEAM_SECRET!,
                callbackUrl: `${process.env.NEXTAUTH_URL}/api/auth/callback`,
            }),
            // ...Add more providers here
        ],
        callbacks: {
            async jwt({ token, account, profile }) {
                // Persist the Twitch User Id and pass to session callback
                if (profile) {
                    token.id = profile.sub;
                    try {
                        const response = await axios.post(PlayFabAPIURL + 'GetPlayFabIDsFromTwitchIDs', {
                            TwitchIds: [profile.sub as string],
                        }, {
                            headers: {
                                'Content-Type': 'application/json',
                                'X-SecretKey': process.env.PLAYFAB_API_KEY ?? '',
                            },
                        });

                        const playfabResponse = response.data as PlayFabTwitchIDResponse;
                        token.playFabData = playfabResponse;
                    } catch (e) {
                        console.error(e);
                    }
                }

                if (account?.provider === PROVIDER_ID) {
                    token.steam = profile;
                }

                return token;
            },
            async session({session, token, user}) {
                // Add twitch user Id and playfabId from JWT flow to session
                if (session) {
                    // Only set session info (Twitch and PlayFab) if we have a valid PlayFab ID. Else just return the session without the new data
                    if ((token.playFabData as PlayFabTwitchIDResponse).data.Data[0].PlayFabId) {
                        //@ts-ignore
                        session.user.id = token.id;
                        //@ts-ignore
                        session.user.playFabId = token.playFabData.data.Data[0].PlayFabId ?? null;
                    }
                    if ('steam' in token) {
                        // @ts-expect-error
                        session.user.steam = token.steam;
                    }
                }
                return session;
            },
        },
    } as NextAuthOptions);
};

the nextauth url is just http://localhost:3000 so that wont be an issue

[chukwumaokere]

@Nekonyx have any insight into this?

[chukwumaokere]

Anyone having this issue: you need to set STEAM_SECRET in the environment variables with this information https://steamcommunity.com/dev/apikey create an APIKey there and use that. The docs for some reason dont mention this. Didn't know this wasn't a public API call..

[Nekonyx]

Hey @chukwumaokere. I apologize for the long response. Glad the problem is resolved.

Yes, maybe I really should specify in documentation that STEAM_SECRET should be taken from https://steamcommunity.com/dev/apikey