theogravity
commented
3 weeks ago I spent a good 5 hours troubleshooting this until I got to this thread.
Adding in faProvider.type = "oidc"; did fix the issue.
Here's my full configuration. I'm using next-auth@5.0.0-beta.20:
import { serverEnvs } from "@/config/constants.server";
import NextAuth from "next-auth";
import FusionAuthProvider from "next-auth/providers/fusionauth";
const faProvider = FusionAuthProvider({
issuer: serverEnvs.FUSIONAUTH_ISSUER,
clientId: serverEnvs.FUSIONAUTH_CLIENT_ID,
clientSecret: serverEnvs.FUSIONAUTH_CLIENT_SECRET,
wellKnown: `${serverEnvs.FUSIONAUTH_URL}/.well-known/openid-configuration/${serverEnvs.FUSIONAUTH_TENANT_ID}`,
tenantId: serverEnvs.FUSIONAUTH_TENANT_ID,
authorization: {
url: `${serverEnvs.FUSIONAUTH_URL}/oauth2/authorize`,
params: {
scope: "openid offline_access email profile",
tenantId: serverEnvs.FUSIONAUTH_TENANT_ID,
},
},
userinfo: `${serverEnvs.FUSIONAUTH_URL}/oauth2/userinfo`,
token: {
url: `${serverEnvs.FUSIONAUTH_URL}/oauth2/token`,
conform: async (response: Response) => {
if (response.status === 401) return response;
const newHeaders = Array.from(response.headers.entries())
.filter(([key]) => key.toLowerCase() !== "www-authenticate")
.reduce((headers, [key, value]) => (headers.append(key, value), headers), new Headers());
return new Response(response.body, {
status: response.status,
statusText: response.statusText,
headers: newHeaders,
});
},
},
});
// https://github.com/nextauthjs/next-auth/issues/10867
faProvider.type = "oidc";
export const { handlers, signIn, signOut, auth } = NextAuth({
session: { strategy: "jwt" },
providers: [faProvider],
pages: {
// https://github.com/nextauthjs/next-auth/discussions/4078#discussioncomment-9806999
signIn: "/api/sign-in",
},
callbacks: {
authorized: async ({ auth }) => {
// Logged in users are authenticated, otherwise redirect to login page
return !!auth;
},
},
});And my .env file
NEXTAUTH_URL=http://localhost:3000
FUSIONAUTH_ISSUER=http://localhost:9011
FUSIONAUTH_CLIENT_ID="..."
FUSIONAUTH_TENANT_ID=...
FUSIONAUTH_URL=http://localhost:9011
FUSIONAUTH_CLIENT_SECRET="..."
NEXTAUTH_SECRET="..."One other thing to note is that you must configure the issuer in the tenant to match the FUSIONAUTH_ISSUER value. I got burned by that one as well as oauth4webapi does a check against the issuer values and I had a different configuration at the time where I forgot to include the tenantId in the authorization.params, which would end up getting the default tenant issuer.
Provider type
FusionAuth
Environment
Reproduction URL
https://github.com/alex-fusionauth/fusionauth-sveltekit
Describe the issue
Within the current provider it is set as
type: "oauth".https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/fusionauth.ts
Then it sets the scopes as requesting
openid.Ideally we would like to have this set to our standard and not require someone to override the provider. Currently this causes errors as it expects to go down the
oauthonly path and then is trying to fetchopeniddetails without setting it as the correct type. While I haven't seen this in a problem usingnext-authI do see it causing more issues in things like SvelteKit using the direct@auth/corepackage which is used within@auth/sveltekit.I would like to have our provider updated to reflect the changes in this file https://github.com/alex-fusionauth/fusionauth-sveltekit/blob/afb3d9134aa43f5d540de972692b782928971aa4/complete-application/src/auth.ts
How to reproduce
if you set type back to its default value
fusionAuth.type = 'oauth';you will get an error like belowExpected behavior
PR added: #10868
If you then set it back
fusionAuth.type = 'oidc';it will then have success and you can access details on the profile.I would like to propose that we update the provider to
Also addresses users needing to update to beta but it is not available in core. https://github.com/nextauthjs/next-auth/issues/8745#issuecomment-1907799026