nextauthjs / next-auth

Authentication for the Web.
https://authjs.dev
ISC License

Discogs oauth flow #1785

Closed maur8ino closed 3 years ago

maur8ino commented 3 years ago

Describe the bug

Discogs oauth requires the exact same oauth_token_secret from the first getOAuthRequestToken, instead the library calls getOAuthRequestToken again in /api/auth/callback, generating a different token: https://github.com/nextauthjs/next-auth/blob/ae26df091d6a1f4420f872051a741e036c854bcc/src/server/lib/oauth/callback.js#L76 (I also think that in ^ token_secret is always undefined as the response contains oauth_token_secret and not token_secret)

Steps to reproduce

Add a custom provider like:

export default (options) => {
  return {
    id: "discogs",
    name: "Discogs",
    type: "oauth",
    version: "1.0a",
    scope: "",
    accessTokenUrl: "https://api.discogs.com/oauth/access_token",
    requestTokenUrl: "https://api.discogs.com/oauth/request_token",
    authorizationUrl: "https://www.discogs.com/oauth/authorize",
    profileUrl: "https://api.discogs.com/oauth/identity",
    async profile(profile, tokens) {
      return {
        id: profile.id,
        name: profile.name,
        email: profile.email,
        image: profile.picture,
      };
    },
    headers: {
      "User-Agent": "next-auth",
    },
    clientId: null,
    clientSecret: null,
    encoding: "PLAINTEXT",
    ...options,
  };
};

Expected behavior

The oauth_token_secret from the first getOAuthRequestToken needs to be passed here: https://github.com/nextauthjs/next-auth/blob/ae26df091d6a1f4420f872051a741e036c854bcc/src/server/lib/oauth/callback.js#L77


Additional context

Discogs oauth flow documentation is here but there's actually an error and this folk figured it out.

I guess that oauth_token_secret from the first getOAuthRequestToken has to be stored somewhere to be used later.


balazsorban44 commented 3 years ago

Yeah, OAuth 1 support hasn't gotten much attention, and I'm not sure how much effort we want to put into keeping it.

In https://github.com/nextauthjs/next-auth/pull/1698, openid-client doesn't even support it, so if we want to keep supporting OAuth 1, we will have to rely on node-oauth which hasn't been updated in 4 years... :confused:

Currently, I think the only reason it is around is to support Twitter, which is kind of in a transition to OAuth 2 I believe.

@iaincollins could explain it better.

maur8ino commented 3 years ago

Yeah, I dug down a bit after opening the issue and I've come to realize that it seems that Discogs' OAuth implementation isn't that easy to work with, so there's also that.

I guess I'll work on some custom implementation on top of next-auth for my project; feel free to close the issue 😉

Thanks for the reply! 😃

balazsorban44 commented 3 years ago

OK, thank you! If you come around with a fairly straightforward way, please report back here, others might find it useful, or we can even try to take it into consideration and try to help somehow!
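
Added example, not part of the original thread and not next-auth or node-oauth code: a constructed in-memory model of the request-token and access-token exchange discussed in this issue. It shows why a callback that fetches a second request token fails PLAINTEXT signature validation, while one that reuses the stored oauth_token_secret succeeds. The mock provider, all function names, the counter-based token values and the omission of the oauth_verifier step are assumptions for illustration.

```javascript
// Constructed model; names and token values are illustrative assumptions.
// PLAINTEXT signature (RFC 5849, section 3.4.4): both secrets joined by "&".
const plaintextSignature = (consumerSecret, tokenSecret) =>
  `${encodeURIComponent(consumerSecret)}&${encodeURIComponent(tokenSecret)}`;

// Mock provider. Counters stand in for the random values a real one issues.
function makeProvider(consumerSecret) {
  const pending = new Map(); // oauth_token -> oauth_token_secret
  let n = 0;
  return {
    requestToken(signature) {
      if (signature !== plaintextSignature(consumerSecret, "")) throw new Error("invalid signature");
      n += 1;
      pending.set(`rt-${n}`, `rs-${n}`);
      return { oauth_token: `rt-${n}`, oauth_token_secret: `rs-${n}` };
    },
    accessToken(oauthToken, signature) {
      const secret = pending.get(oauthToken);
      // Must be signed with the secret issued alongside THIS request token.
      if (secret === undefined || signature !== plaintextSignature(consumerSecret, secret)) {
        throw new Error("invalid signature");
      }
      pending.delete(oauthToken); // request tokens are single use
      return { oauth_token: `at-${oauthToken}` };
    },
  };
}

// Sign-in step: fetch a request token and keep its secret on the server.
function signIn(provider, consumerSecret, store) {
  const t = provider.requestToken(plaintextSignature(consumerSecret, ""));
  store.set(t.oauth_token, t.oauth_token_secret);
  return t.oauth_token; // only this value travels through the redirect
}

// Callback modelled on the report: a second request token is fetched and its
// secret signs the exchange of the original token.
function callbackRefetch(provider, consumerSecret, oauthToken) {
  const fresh = provider.requestToken(plaintextSignature(consumerSecret, ""));
  return provider.accessToken(oauthToken, plaintextSignature(consumerSecret, fresh.oauth_token_secret));
}

// Callback that looks up the secret saved at sign-in, then discards it.
function callbackStored(provider, consumerSecret, store, oauthToken) {
  const secret = store.get(oauthToken);
  if (secret === undefined) throw new Error("unknown or already used request token");
  store.delete(oauthToken);
  return provider.accessToken(oauthToken, plaintextSignature(consumerSecret, secret));
}
```

In a deployment the `store` would be server-side session state or an encrypted, short-lived cookie keyed to the browser that started the flow, so the secret never appears in the redirect URL.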