search

nextauthjs / next-auth

Authentication for the Web.
https://authjs.dev
ISC License
23.24k stars 3.18k forks source link

Custom `request` handler for `token` missing (and `authorization` unimplemented) in `@auth/core` #8304

Open ThomasMcFarlane opened 11 months ago

ThomasMcFarlane commented 11 months ago

Environment

System: OS: Linux 6.4 Arch Linux CPU: (128) x64 AMD Ryzen Threadripper 3990X 64-Core Processor Memory: 234.29 GB / 251.55 GB Container: Yes Shell: 5.9 - /usr/bin/zsh Binaries: Node: 18.14.0 - ~/.nvm/versions/node/v18.14.0/bin/node Yarn: 1.22.19 - ~/.nvm/versions/node/v18.14.0/bin/yarn npm: 9.6.7 - ~/.nvm/versions/node/v18.14.0/bin/npm pnpm: 8.6.12 - ~/.nvm/versions/node/v18.14.0/bin/pnpm

Reproduction URL

https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/lib/oauth/callback.ts

Describe the issue

Not entirely sure where to classify this as it is a question, feature request, and bug with the migration from next-auth to @auth/core

While attempting to implement a new provider that requires a customised process (for Plex, see: https://github.com/ThomasMcFarlane/next-auth/pull/1) I noticed that the provider.token.request config option was still typed but not actually used within @auth/core. The function in question is present in next-auth here: https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/core/lib/oauth/callback.ts#L90 And documented here: https://next-auth.js.org/configuration/providers/oauth#token-option

But is not present in the new package: https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/lib/oauth/callback.ts

The config option for provider.userinfo.request has, however, been implemented: https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/lib/oauth/callback.ts#L155

Additionally, there are loose types allowing the override of the provider.authorization.request config option, but there is no implemented code to support this, nor is it documented.

To summarise:

  1. Has the provider.token.request config option been intentionally omitted?
  2. Is there a concern against implementing the functionality to manually override the provider.authorization.request config option? (I am unaware of any other configuration options that would meet the need I had of a preliminary HTTP request that then appends a parameter on to the authorization request)

I am happy to contribute towards both of these items and have a dirty effort branch PR that I built to support the use case I had: https://github.com/ThomasMcFarlane/next-auth/pull/1

Please also let me know if this needs to further be split into separate issues for the authorization and token items.

How to reproduce

  1. Create a new OAuth Provider
  2. Implement a custom token.request handler
  3. Handler is completely ignored

Expected behavior

  1. Create a new OAuth Provider
  2. Implement a custom token.request handler
  3. Handler is used to perform the neccessary token request
indigo-travel commented 10 months ago

I am experiencing the same. Any news on this Thomas? :)

ThomasMcFarlane commented 10 months ago

No response yet. My linked PR should handle the general usage if needed - I'm just using it with a patch file.

ramarivera commented 5 months ago

Any update on this one? Would be great to know whether the current typing of token was just an oversight and it should not support custom requests, or if it was planned and just not implemented yet cc @balazsorban44