nextauthjs / next-auth

Authentication for the Web.
https://authjs.dev
ISC License

TypeError: id_token not present in TokenSet #4061

Open bmichotte opened 2 years ago

bmichotte commented 2 years ago

Provider type

Apple

Environment

  System:
    OS: Linux 5.13 Ubuntu 21.10 21.10 (Impish Indri)
    CPU: (2) x64 Intel Core Processor (Broadwell, IBRS)
    Memory: 1.38 GB / 6.62 GB
    Container: Yes
    Shell: 5.1.8 - /bin/bash
  Binaries:
    Node: 16.13.2 - /usr/local/bin/node
    Yarn: 1.22.15 - /usr/bin/yarn
    npm: 8.1.2 - /usr/local/bin/npm
  npmPackages:
    next: ^12.1.0 => 12.1.0 
    next-auth: ^4.2.1 => 4.2.1 
    react: ^17.0.2 => 17.0.2 

Reproduction URL

https://github.com/nextauthjs/next-auth

Describe the issue

When trying to connect with the Apple provider, I receive the following error:

[next-auth][error][CALLBACK_OAUTH_ERROR] 
https://next-auth.js.org/errors#callback_oauth_error id_token not present in TokenSet TypeError: id_token not present in TokenSet
    at TokenSet.claims (/var/www/site/node_modules/openid-client/lib/token_set.js:23:13)
    at oAuthCallback (/var/www/site/node_modules/next-auth/core/lib/oauth/callback.js:130:24)
    at Object.callback (/var/www/site/node_modules/next-auth/core/routes/callback.js:50:11)
    at NextAuthHandler (/var/www/site/node_modules/next-auth/core/index.js:139:28)
    at NextAuthNextHandler (/var/www/site/node_modules/next-auth/next/index.js:21:19)
    at middleware (/var/www/site/.next/server/chunks/9237.js:485:38)
    at Object.apiResolver (/var/www/site/node_modules/next/server/api-utils/node.ts:240:5)
    at NextNodeServer.runApi (/var/www/site/node_modules/next/server/next-server.ts:543:5)
    at Object.fn (/var/www/site/node_modules/next/server/base-server.ts:815:27)
    at Router.execute (/var/www/site/node_modules/next/server/router.ts:383:24)
    at NextNodeServer.run (/var/www/site/node_modules/next/server/base-server.ts:958:23)
    at NextNodeServer.handleRequest (/var/www/site/node_modules/next/server/base-server.ts:586:14) {
  name: 'OAuthCallbackError',
  code: undefined
}

How to reproduce

The config is

import AppleProvider from "next-auth/providers/apple"

providers.push(AppleProvider({
    clientId: process.env.APPLE_ID,
    clientSecret: process.env.APPLE_SECRET,
}))

The APPLE_SECRET has been generated using https://bal.so/apple-gen-secret as described in the documentation.

One thing really strange is the url. On a next-auth 3.x project in which the login works, the url is the following https://appleid.apple.com/auth/authorize?response_type=code&id_token&response_mode=form_post&scope=name%20email&redirect_uri=[URL]&client_id=[CLIENT]

and in this project the url is https://appleid.apple.com/auth/authorize?client_id=[CLIENT]&scope=name%20email&response_type=code&redirect_uri=[URL]&response_mode=form_post&code_challenge=[CHALLENGE]&code_challenge_method=S256

I don't know if the problem is here, but the id_token is not added in the url.

Expected behavior

No error :D

balazsorban44 commented 2 years ago

response_type=id_token should be unrelated. See the OAuth spec.

Unfortunately I cannot test this, because Apple makes it virtually impossible to get access to a test account for an OSS organization, and IMO their docs are horrible as well.

One idea is to add

authorization: { params: { scope: "openid name email" }, },

to your AppleProvider config. Can you check if that helps?

bmichotte commented 2 years ago

It does not change anything.

Maybe I could try to tweak openid options... but I have no idea which one.

balazsorban44 commented 2 years ago

The relevant one should be to add openid as a scope. That's what should tell Apple to return an id_token 🤔.

Could you create a small reproduction repository? I'll still have to figure out where I can get a test client, but we would be closer. If you think you could help me with a client, you can contact me privately with the details. 👍

balazsorban44 commented 2 years ago

@bmichotte could you reach out to me on Twitter? If you would be able to share access to an Apple test client, I would be happy to look more into this.

ekeric13 commented 1 year ago

Also hitting this. Agree Apple docs are terrible lol

edit:

AppleProvider({
  clientId: appleId,
  clientSecret: appleSecret,
  authorization: {
    params: {
      scope: 'openid',
    },
  },
}),

this failed to work

edit2:

AppleProvider({
  clientId: appleId,
  clientSecret: appleSecret,
  authorization: {
    params: {
      scope: 'openid name email',
    },
  },
}),

this just broke the login

[Screenshot attached: Screen Shot 2023-05-14 at 12 03 46 PM]

@balazsorban44 any other ideas?

achinth commented 9 months ago

What is the solution for this issue?

liringlas commented 7 months ago

I have the same issue with error in logs, though my provider is Google:

"next": "^13.4.3",
"next-auth": "^4.24.5",

GoogleProvider({
  clientId: process.env.GOOGLE_CLIENT_ID!,
  clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
  allowDangerousEmailAccountLinking: true,
  checks: ["none"],
  authorization: {
    params: {
      scope: "email profile openid",
    },
  },
})
[next-auth][error][OAUTH_CALLBACK_ERROR] 
https://next-auth.js.org/errors#oauth_callback_error id_token not present in TokenSet {
  error: TypeError: id_token not present in TokenSet
      at TokenSet.claims (/Users/konstantinryzhov/Projects/web-app/node_modules/openid-client/lib/token_set.js:28:13)
      at oAuthCallback (/Users/konstantinryzhov/Projects/web-app/node_modules/next-auth/core/lib/oauth/callback.js:127:24)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
      at async Object.callback (/Users/konstantinryzhov/Projects/web-app/node_modules/next-auth/core/routes/callback.js:52:11)
      at async AuthHandler (/Users/konstantinryzhov/Projects/web-app/node_modules/next-auth/core/index.js:208:28)
      at async NextAuthApiHandler (/Users/konstantinryzhov/Projects/web-app/node_modules/next-auth/next/index.js:22:19)
      at async auth (webpack-internal:///(api)/./src/pages/api/auth/[...nextauth].ts:18:12)
      at async /Users/konstantinryzhov/Projects/web-app/node_modules/@sentry/nextjs/cjs/server/wrapApiHandlerWithSentry.js:136:35 {
    name: 'OAuthCallbackError',
    code: undefined
  },
  providerId: 'google',
  message: 'id_token not present in TokenSet'
}

Then, I decided to debug the next-auth/core/lib/oauth/callback.js in node_modules, and added checks in the following condition:

... 
else if (provider.idToken) {
    tokens = await client.callback(provider.callbackUrl, params, checks);
    console.log(JSON.stringify({
      params,
      checks,
      callbackUrl: provider.callbackUrl
    }));
}
...

And here are the steps that I got during this debug:

1) provider.idToken exists, and script logs params:

{"params":{"code":"SOME_CODE"},"checks":{},"callbackUrl":"http://localhost:3000/api/auth/callback/google"}

2) Then, depending on whether the user exists or not, next-auth emits events -> createUser

3) Then, events -> signIn is emitted.

4) After the signIn event it seems that next-auth calls core/lib/oauth/callback.js again (!), but this time params is an empty object, which emits:

{"params":{},"checks":{},"callbackUrl":"http://localhost:3000/api/auth/callback/google"}

And later in code fails to run here:

...
else if (provider.idToken) {
  // That's where it fails I suppose
  profile = tokens.claims();
}

So, overall it seems to work (since the first callback executes correctly), but it still has an OAuth callback error in the callback url.
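As an added illustration (not code from next-auth or openid-client) of two points raised in this thread: the error surfaces when the token response carries no id_token, which is what happens when the requested scope omits openid as balazsorban44 suggested above, and the nonce/aud/exp claim checks that a config with checks: ["none"] switches off. The token set and JWT below are constructed samples and the function names are assumptions.

```javascript
// Added example, not next-auth's or openid-client's own code.
// Models the OAuth callback step where the stack traces above fail.

// base64url-encode a JSON value (JWT segment encoding).
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

// Constructed sample id_token: header.payload.signature; the signature
// segment is a placeholder, so this token is for parsing only.
function makeSampleIdToken(payload) {
  return `${b64url({ alg: "RS256", typ: "JWT" })}.${b64url(payload)}.sig`;
}

// Without the openid scope an OIDC provider issues no id_token at all.
function scopeRequestsIdToken(scope) {
  return scope.split(/\s+/).includes("openid");
}

// Mirrors the behaviour in the traces: claims() needs an id_token string.
// Returns the decoded payload; signature is NOT verified here.
function claimsFromTokenSet(tokenSet) {
  if (typeof tokenSet.id_token !== "string") {
    throw new TypeError("id_token not present in TokenSet");
  }
  const parts = tokenSet.id_token.split(".");
  if (parts.length !== 3) throw new TypeError("malformed id_token");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Claim checks that checks: ["none"] disables: nonce binds the id_token to
// this login attempt, aud ties it to this client, exp bounds its lifetime.
// Signature verification against the provider's JWKS must come first and
// is a separate step not shown here. Returns a list of problems found.
function validateClaims(claims, { clientId, expectedNonce, now }) {
  const nowSec = now ?? Math.floor(Date.now() / 1000);
  const problems = [];
  if (claims.aud !== clientId) problems.push("aud mismatch");
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) {
    problems.push("expired");
  }
  if (expectedNonce !== undefined && claims.nonce !== expectedNonce) {
    problems.push("nonce mismatch");
  }
  return problems;
}
```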

squale71 commented 2 months ago

This issue still exists. I've set everything up correctly and can confirm that despite things being configured, Next Auth thinks that id_token is empty.