nextauthjs / next-auth

OperationProcessingError: unexpected ID Token "nonce" claim value for SlackProvider #9002

Open Starefossen opened 11 months ago

Starefossen commented 11 months ago

Provider type

Slack

Environment

System:

Binaries:

Browsers:

npmPackages:

Reproduction URL

https://github.com/Starefossen/next-auth-example

import NextAuth from "next-auth"
import SlackProvider from "next-auth/providers/slack"

import type { NextAuthConfig } from "next-auth"

export const config = {
  theme: {
    logo: "https://next-auth.js.org/img/logo/logo-sm.png",
  },
  debug: true,
  providers: [
    SlackProvider({
      clientId: process.env.SLACK_CLIENT_ID!,
      clientSecret: process.env.SLACK_CLIENT_SECRET!,
    }),
  ],
  callbacks: {
    authorized({ request, auth }) {
      const { pathname } = request.nextUrl
      return pathname === "/middleware-example" && !!auth
    },
  },
} satisfies NextAuthConfig

export const { handlers, auth, signIn, signOut } = NextAuth(config)

Describe the issue

With the standard config for Slack Provider auth, after authenticating with Slack the return request fails with the following error: unexpected ID Token "nonce" claim value

[auth][error][CallbackRouteError]: Read more at https://errors.authjs.dev#callbackrouteerror
[auth][cause]: OperationProcessingError: unexpected ID Token "nonce" claim value
    at Module.processAuthorizationCodeOpenIDResponse (webpack-internal:///(rsc)/./node_modules/oauth4webapi/build/index.js:1091:23)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async handleOAuth (webpack-internal:///(rsc)/./node_modules/@auth/core/lib/oauth/callback.js:77:24)
    at async Module.callback (webpack-internal:///(rsc)/./node_modules/@auth/core/lib/routes/callback.js:34:41)
    at async AuthInternal (webpack-internal:///(rsc)/./node_modules/@auth/core/lib/index.js:104:38)
    at async Auth (webpack-internal:///(rsc)/./node_modules/@auth/core/index.js:121:30)
    at async /Users/hans/go/src/github.com/nextauthjs/next-auth-example/node_modules/next/dist/compiled/next-server/app-route.runtime.dev.js:6:61856
[auth][details]: {
  "provider": "slack"
}

How to reproduce

Expected behavior

Expected the user to be logged in successfully.

neptaco commented 8 months ago

Had the same problem, but was able to get it to work by adding nonce to the check.

    Slack({
        checks: ['pkce', 'nonce']
    })

It seems there is a bug where 'nonce' is being checked even when it is not supposed to be. Explicitly including it as a target can circumvent this issue.

    "next": "14.0.4",
    "next-auth": "^5.0.0-beta.5",
    "react": "^18",

If 'nonce' is not a check target, it returns undefined. https://github.com/nextauthjs/next-auth/blob/60cb83ea04032c0c69b499d931c679e2104a4e68/packages/core/src/lib/actions/callback/oauth/checks.ts#L205-L213

It is processed as o.expectNoNonce without checking whether the nonce is subject to the check or not. https://github.com/nextauthjs/next-auth/blob/60cb83ea04032c0c69b499d931c679e2104a4e68/packages/core/src/lib/actions/callback/oauth/callback.ts#L133-L139
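
To make the mechanism described in this comment concrete, here is an added illustration (not code from next-auth or oauth4webapi) of the nonce rule the callback applies to the ID token and of why listing 'nonce' in `checks` changes the outcome; the Slack ID-token contents and the helper names (`verifyNonce`, `storedNonceFor`, `simulateCallback`) are constructed assumptions.

```typescript
// Added illustration, not code from next-auth or oauth4webapi: a model of the
// nonce rule applied to the ID token and of how `checks` selects the expected value.

type IdTokenClaims = { iss: string; sub: string; aud: string; nonce?: string }
type Check = "pkce" | "state" | "nonce"

const NONCE_ERROR = 'unexpected ID Token "nonce" claim value' // message from the report

// Rule modelled here: with no expected nonce the token must carry none at all;
// with one, the claim must match exactly. The nonce is what binds the ID token
// to the browser session that started the sign-in, so a mismatch is rejected.
function verifyNonce(claims: IdTokenClaims, expectedNonce: string | undefined): void {
  if (expectedNonce === undefined) {
    if (claims.nonce !== undefined) throw new Error(NONCE_ERROR)
    return
  }
  if (claims.nonce !== expectedNonce) throw new Error(NONCE_ERROR)
}

// Behaviour described in the thread: the stored nonce is only generated (and sent
// in the authorization request) when 'nonce' is listed in `checks`; otherwise undefined.
function storedNonceFor(checks: Check[], generated: string): string | undefined {
  return checks.includes("nonce") ? generated : undefined
}

// One simulated Slack callback. Assumption (constructed to match the symptom):
// Slack's ID token always carries a nonce claim, echoing the one it was sent
// or supplying its own when none was sent.
function simulateCallback(checks: Check[]): string {
  const sessionNonce = "n-4f2c9a" // value generated at sign-in when the check is enabled
  const stored = storedNonceFor(checks, sessionNonce)
  const idToken: IdTokenClaims = {
    iss: "https://slack.com",
    sub: "U0123",
    aud: "client-id",
    nonce: stored ?? "slack-generated-nonce", // constructed sample value
  }
  try {
    verifyNonce(idToken, stored)
    return "ok"
  } catch (e) {
    return (e as Error).message
  }
}

// checks: ['pkce'] reproduces the error; checks: ['pkce', 'nonce'] verifies and succeeds.
console.log(simulateCallback(["pkce"]))
console.log(simulateCallback(["pkce", "nonce"]))
```

Adding 'nonce' to `checks` is the safer resolution because the callback then verifies the value rather than skipping the check.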

Starefossen commented 6 months ago

Yes, this worked for me. Thanks a lot @neptaco 💯

export const config = {
  providers: [
    SlackProvider({
      checks: ['pkce', 'nonce'],
      …
    })
  ]
}

sdornan commented 3 months ago

This is still an issue with 5.0.0-beta.19.