Open bmichotte opened 2 years ago
response_type=id_token should be unrelated. See the OAuth spec.
Unfortunately I cannot test this, because Apple makes it virtually impossible to get access to a test account for an OSS organization, and IMO their docs are horrible as well.
One idea is to add
authorization: { params: { scope: "openid name email" }, },
to your AppleProvider config. Can you check if that helps?
It does not change anything.
Maybe I could try to tweak openid options... but I have no idea which one.
The relevant one should be to add openid as a scope. That's what should tell Apple to return an id_token 🤔.
Could you create a small reproduction repository? I'll still have to figure out where I can get a test client, but we would be closer. If you think you could help me with a client, you can contact me privately with the details. 👍
@bmichotte could you reach out to me on Twitter? If you would be able to share access to an Apple test client, I would be happy to look more into this.
also hitting this. agree apple docs are terrible lol
edit:
AppleProvider({
  clientId: appleId,
  clientSecret: appleSecret,
  authorization: {
    params: {
      scope: 'openid',
    },
  },
}),
this failed to work
edit2:
AppleProvider({
  clientId: appleId,
  clientSecret: appleSecret,
  authorization: {
    params: {
      scope: 'openid name email',
    },
  },
}),
this just broke the login
@balazsorban44 any other ideas?
What is the solution for this issue?
I have the same issue with error in logs, though my provider is Google:
"next": "^13.4.3",
"next-auth": "^4.24.5",
GoogleProvider({
  clientId: process.env.GOOGLE_CLIENT_ID!,
  clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
  allowDangerousEmailAccountLinking: true,
  checks: ["none"],
  authorization: {
    params: {
      scope: "email profile openid",
    },
  },
})
[next-auth][error][OAUTH_CALLBACK_ERROR]
https://next-auth.js.org/errors#oauth_callback_error id_token not present in TokenSet {
error: TypeError: id_token not present in TokenSet
at TokenSet.claims (/Users/konstantinryzhov/Projects/web-app/node_modules/openid-client/lib/token_set.js:28:13)
at oAuthCallback (/Users/konstantinryzhov/Projects/web-app/node_modules/next-auth/core/lib/oauth/callback.js:127:24)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async Object.callback (/Users/konstantinryzhov/Projects/web-app/node_modules/next-auth/core/routes/callback.js:52:11)
at async AuthHandler (/Users/konstantinryzhov/Projects/web-app/node_modules/next-auth/core/index.js:208:28)
at async NextAuthApiHandler (/Users/konstantinryzhov/Projects/web-app/node_modules/next-auth/next/index.js:22:19)
at async auth (webpack-internal:///(api)/./src/pages/api/auth/[...nextauth].ts:18:12)
at async /Users/konstantinryzhov/Projects/web-app/node_modules/@sentry/nextjs/cjs/server/wrapApiHandlerWithSentry.js:136:35 {
name: 'OAuthCallbackError',
code: undefined
},
providerId: 'google',
message: 'id_token not present in TokenSet'
}
Then, I decided to debug the next-auth/core/lib/oauth/callback.js in node_modules, and added checks in the following condition:
...
else if (provider.idToken) {
  tokens = await client.callback(provider.callbackUrl, params, checks);
  console.log(JSON.stringify({
    params,
    checks,
    callbackUrl: provider.callbackUrl
  }));
}
...
And here are the steps that I got during this debug:
1) provider.idToken exists, and script logs params:
{"params":{"code":"SOME_CODE"},"checks":{},"callbackUrl":"http://localhost:3000/api/auth/callback/google"}
2) Then, depending on whether the user exists or not, next-auth emits events -> createUser
3) Then, events -> signIn is emitted.
4) After signIn event it seems that next-auth calls core/lib/oauth/callback.js again (!), but this time params with code are empty object, which emits:
{"params":{},"checks":{},"callbackUrl":"http://localhost:3000/api/auth/callback/google"}
And later in code fails to run here:
...
else if (provider.idToken) {
  // That's where it fails I suppose
  profile = tokens.claims();
}
So, overall it seems to work (since the first callback executes correctly), but it still has oAuth callback error in callback url.
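The failing call above is tokens.claims() on a token set that carries no id_token. The following is an added example, not next-auth or openid-client code: a hypothetical inspectTokenSet() that reproduces that precondition check and then performs the ID Token claim checks (iss, aud, exp, nonce) a relying party should make once the token is present. It assumes the JWS signature has already been verified against the provider's JWKS upstream; the sample token is constructed with a placeholder signature for local runs.

```javascript
// Added example (not next-auth or openid-client code). Assumes the id_token's
// signature was already verified against the provider JWKS; only claims are checked here.
function b64urlJson(segment) {
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

// Mirrors the failure in the log above: no id_token means there are no claims to read.
// Returns the decoded claims plus a list of problems an RP must treat as a failed login.
function inspectTokenSet(tokenSet, expected) {
  if (!tokenSet || typeof tokenSet.id_token !== 'string') {
    throw new TypeError('id_token not present in TokenSet');
  }
  const parts = tokenSet.id_token.split('.');
  if (parts.length !== 3) throw new TypeError('id_token is not a compact JWS');
  const claims = b64urlJson(parts[1]);
  const now = expected.now ?? Math.floor(Date.now() / 1000);
  const problems = [];
  // iss must be the issuer we configured, not just any issuer that signed a valid token.
  if (claims.iss !== expected.issuer) problems.push(`iss mismatch: ${claims.iss}`);
  // aud may be a string or an array; it must name our client_id.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.clientId)) problems.push('aud does not contain our client_id');
  // exp is seconds since epoch; an expired or exp-less token is rejected.
  if (typeof claims.exp !== 'number' || claims.exp <= now) problems.push('id_token expired or has no exp');
  // nonce ties the token to the authorize request that started this login (replay protection).
  if (expected.nonce !== undefined && claims.nonce !== expected.nonce) {
    problems.push('nonce mismatch (possible replay)');
  }
  return { claims, problems };
}

// Constructed sample token set for local runs; the third segment is a placeholder
// signature, which is why the real signature check must precede inspectTokenSet().
function sampleTokenSet(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return { id_token: `${enc({ alg: 'RS256', kid: 'constructed' })}.${enc(payload)}.sig` };
}
```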
This issue still exists. I've set everything up correctly and can confirm that despite things being configured, Next Auth thinks that id_token is empty.
Provider type
Apple
Environment
Reproduction URL
https://github.com/nextauthjs/next-auth
Describe the issue
When trying to connect with the Apple provider, I receive the following error:
How to reproduce
The config is
The APPLE_SECRET has been generated using https://bal.so/apple-gen-secret as described in the documentation.
One thing really strange is the url. On a next-auth 3.x project in which the login works, the url is the following https://appleid.apple.com/auth/authorize?response_type=code&id_token&response_mode=form_post&scope=name%20email&redirect_uri=[URL]&client_id=[CLIENT]
and in this project the url is https://appleid.apple.com/auth/authorize?client_id=[CLIENT]&scope=name%20email&response_type=code&redirect_uri=[URL]&response_mode=form_post&code_challenge=[CHALLENGE]&code_challenge_method=S256
I don't know if the problem is here but the id_token is not added in the url
Expected behavior
No error :D
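The two authorize URLs quoted above can be compared mechanically. The following is an added example, not code from the thread or from next-auth: a hypothetical inspectAuthorizeUrl() that parses an authorize URL and reports what a client expecting an ID Token should look for (openid in scope, how id_token relates to response_type, nonce, state, PKCE). The redirect_uri and client_id values are constructed placeholders; the rest of each URL is as quoted in the issue.

```javascript
// Added example (not from the thread or next-auth). Parses an OAuth/OIDC authorize
// URL and lists request-hygiene findings relevant to receiving an ID Token.
function inspectAuthorizeUrl(rawUrl) {
  const p = new URL(rawUrl).searchParams;
  const scopes = (p.get('scope') || '').split(/\s+/).filter(Boolean);
  const responseTypes = (p.get('response_type') || '').split(/\s+/).filter(Boolean);
  const findings = [];

  // OIDC Core 3.1.2.1: in standard OIDC an ID Token is only requested via the "openid" scope.
  if (!scopes.includes('openid')) {
    findings.push('scope lacks "openid": standard OIDC does not issue an ID Token for this request');
  }
  // "id_token" is a response_type value (hybrid/implicit flows), not a standalone flag;
  // "response_type=code&id_token" parses as a separate, valueless query key.
  if (p.has('id_token') && !responseTypes.includes('id_token')) {
    findings.push('"id_token" appears as a stray query key, not inside response_type');
  }
  // When an ID Token is returned from the authorize endpoint, nonce is required (replay protection).
  if (responseTypes.includes('id_token') && !p.has('nonce')) {
    findings.push('response_type includes id_token but no nonce is sent');
  }
  // state binds the callback to the browser session that started the flow (login CSRF).
  if (!p.has('state')) findings.push('no state parameter: callback is not bound to this session');
  // PKCE (S256) binds the authorization code to the client that started the flow.
  const pkce = p.get('code_challenge_method') === 'S256' && p.has('code_challenge');
  if (responseTypes.includes('code') && !pkce) findings.push('code flow without S256 PKCE');

  return { scopes, responseTypes, pkce, findings };
}

// The two URLs from the issue, with constructed placeholders for redirect_uri and client_id.
const V3_URL = 'https://appleid.apple.com/auth/authorize?response_type=code&id_token'
  + '&response_mode=form_post&scope=name%20email&redirect_uri=https://app.example/cb&client_id=CLIENT_ID';
const V4_URL = 'https://appleid.apple.com/auth/authorize?client_id=CLIENT_ID&scope=name%20email'
  + '&response_type=code&redirect_uri=https://app.example/cb&response_mode=form_post'
  + '&code_challenge=CHALLENGE&code_challenge_method=S256';

// Side-by-side report for both requests.
function compareAuthorizeUrls() {
  return { v3: inspectAuthorizeUrl(V3_URL), v4: inspectAuthorizeUrl(V4_URL) };
}
```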