nextauthjs / next-auth

Authentication for the Web.
https://authjs.dev
ISC License

Not using PKCE with the Discord provider makes Discord return an error when getting the tokens #10352

Open april83c opened 8 months ago

april83c commented 8 months ago

Environment

  System:
    OS: Windows 11 10.0.22621
    CPU: (16) x64 12th Gen Intel(R) Core(TM) i7-12650H
    Memory: 2.25 GB / 15.67 GB
  Binaries:
    Node: 20.11.1 - ~\AppData\Local\Temp\xfs-cca4d7a1\node.CMD
    Yarn: 4.1.1 - ~\AppData\Local\Temp\xfs-cca4d7a1\yarn.CMD
    npm: 10.1.0 - C:\Program Files\nodejs\npm.CMD
  Browsers: {}
  npmPackages:
    @auth/core: file:./auth.js/packages/core => 0.28.0
    @auth/express: file:./auth.js/packages/frameworks-express => 0.5.0
    @auth/prisma-adapter: file:./auth.js/packages/adapter-prisma => 1.5.0

(I'm not using Auth.js from NPM because of #10333 and because #10340 hasn't been merged yet, but this issue reproduces on the repro project which does use Auth.js from NPM)

Reproduction URL

https://github.com/april83c/authjs-discord-without-pkce-repro

Describe the issue

When not using PKCE with the Discord provider, the authorization will go fine, but there'll be an error when it tries to get the tokens.

error {
  error: 'invalid_request',
  error_description: 'Invalid "code_verifier"'
}

This is because, in the request to get the tokens, it's including a code_verifier (which, since we didn't use PKCE, is just "auth").

This default code_verifier is there because the library oauth4webapi requires you to include a code_verifier, and they consider not using PKCE out of scope.

Unfortunately, if you didn't use PKCE in the initial authorization with Discord, the Discord API will return that error (Invalid "code_verifier") if you include any code_verifier, instead of just ignoring it and letting you get the tokens.

But why don't you want to use PKCE?

To integrate with Discord's new Linked Roles feature, you have to not be using PKCE.

It would probably be fine if they just ignored the PKCE parameters, but it does sort of make sense to error (since the Discord API does usually support PKCE but doesn't in this one specific circumstance, and the developer of an app might overlook that...).

How to reproduce

  1. Clone repro repo
  2. Fill out .env.local with a Discord app's client ID and secret (https://discord.com/developers/applications)
  3. Start it and try to log in

Expected behavior

It should get the tokens correctly without including a code_verifier in the request.

ScreamZ commented 1 month ago

+1

Edit by maintainer bot: Comment was automatically minimized because it was considered unhelpful. (If you think this was by mistake, let us know). Please only comment if it adds context to the issue. If you want to express that you have the same problem, use the upvote 👍 on the issue description or subscribe to the issue for updates. Thanks!