search

nextauthjs / next-auth

Authentication for the Web.
https://authjs.dev
ISC License
23.78k stars 3.27k forks source link

Custom token parameters missing in OAuth2 request body for custom providers #8895

Open danilopeixoto opened 10 months ago

danilopeixoto commented 10 months ago

Environment

System:
    OS: Linux 5.15 Ubuntu 22.04.2 LTS 22.04.2 LTS (Jammy Jellyfish)
    CPU: (12) x64 Intel(R) Core(TM) i7-10850H CPU @ 2.70GHz
    Memory: 6.49 GB / 15.50 GB
    Container: Yes
    Shell: 5.1.16 - /bin/bash
Binaries:
    Node: 18.17.1 - /usr/bin/node
    Yarn: 1.22.19 - /usr/bin/yarn
    npm: 9.6.7 - /usr/bin/npm
    pnpm: 8.9.1 - ~/.local/share/pnpm/pnpm
NPM Packages:
   react: 18.2.0
   next: 13.4.19
   next-auth: 4.23.2

Reproduction URL

https://github.com/nextauthjs/next-auth-example

Describe the issue

The panva/node-openid-client will not use the custom token parameters set by next-auth as in packages/next-auth/src/core/lib/oauth/callback.ts:

tokens = await client.callback(provider.callbackUrl, params, checks)

Possible solution

We found a solution using exchangeBody argument, however, this requires investigation to confirm this is safe for OAuth2 protocol.

const bodyParams = {
      exchangeBody: params
}

tokens = await client.callback(provider.callbackUrl, params, checks, bodyParams)

How to reproduce

Inject custom parameters to tokens:

// AuthOptions

...

token: {
    params: {
        client_id: process.env.OAUTH2_CLIENT_ID
    }
}

...

The parameters will not be injected in the body of requests and an error will be returned by custom provider:

{
    "error": "Invalid_Request",
    "error_description": "Missing client_id",
    "error_uri": ""
}

Expected behavior

The token parameters should be added to request body for custom providers and Missing client_id error should not be returned by provider.

deltazero-cz commented 2 months ago

As of 5.0.0-beta.18, token.request function in auth options is ignored :(

client_id and client_secret are by passed as http basic auth header. However, you can change this behaviour by using client.token_endpoint_auth_method parameter.

token: {
  url: '...',
},
client: {
  token_endpoint_auth_method: 'none', // only client_id added to to body
  token_endpoint_auth_method: 'client_secret_post', // both client_id and client_secret added to body
},