nextauthjs / next-auth

Authentication for the Web.
https://authjs.dev
ISC License

Google provider not working in @auth/core 0.19.1 #9558

Closed WhyAsh5114 closed 8 months ago

WhyAsh5114 commented 8 months ago

Provider type

Google

Environment

  System:
    OS: Windows 11 10.0.22621
    CPU: (12) x64 AMD Ryzen 5 3600 6-Core Processor
    Memory: 5.83 GB / 15.91 GB
  Binaries:
    Node: 18.18.2 - C:\Program Files\nodejs\node.EXE
    npm: 10.2.3 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Edge: Chromium (120.0.2210.91)
    Internet Explorer: 11.0.22621.1
  npmPackages:
    @auth/core: ^0.19.0 => 0.19.1 
    @auth/mongodb-adapter: ^2.0.10 => 2.0.11 
    @auth/sveltekit: ^0.5.0 => 0.5.1 

Reproduction URL

https://github.com/WhyAsh5114/authjs-google-v19.1

Describe the issue

Google provider breaks in @auth/core v0.19.1, works fine in v0.19.0. Issue only present in Google provider AFAIK, checked GitHub, which is working in both versions.

Try logging in, throws this error, only Google provider, only @auth/core 0.19.1

error {
  error: 'invalid_client',
  error_description: 'The OAuth client was not found.'
}
[auth][error] CallbackRouteError: Read more at https://errors.authjs.dev#callbackrouteerror
[auth][cause]: Error: TODO: Handle OIDC response body error
    at handleOAuth (file:///D:/Programming/Web/authjs-google-v19.1/node_modules/@auth/core/lib/actions/callback/oauth/callback.js:78:19)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Module.callback (file:///D:/Programming/Web/authjs-google-v19.1/node_modules/@auth/core/lib/actions/callback/index.js:21:41)
    at async AuthInternal (file:///D:/Programming/Web/authjs-google-v19.1/node_modules/@auth/core/lib/index.js:27:24)
    at async Module.Auth (file:///D:/Programming/Web/authjs-google-v19.1/node_modules/@auth/core/index.js:104:29)
    at async Module.respond (D:/Programming/Web/authjs-google-v19.1/node_modules/@sveltejs/kit/src/runtime/server/respond.js:291:20)
    at async file:///D:/Programming/Web/authjs-google-v19.1/node_modules/@sveltejs/kit/src/exports/vite/dev/index.js:502:22
[auth][details]: {
  "provider": "google"
}

How to reproduce

Try logging in with the latest versions of @auth/core and sveltekit, should throw a CallbackRouteError

Expected behavior

Should login normally like the other providers do (checked GitHub)

HereIsKevin commented 8 months ago

I also encountered this issue while trying to use @auth/core with SvelteKit. After digging around, it seems like an issue with the dependency oauth4webapi used by @auth/core. In the patch release v2.4.2, oauth4webapi seems to have changed the way it encodes the client ID and secret while obtaining the OAuth token, as seen in commit https://github.com/panva/oauth4webapi/commit/f926175cdf6caa467029a57e76375054fff7c57b. This seems to break Google completely because Google's client ID contains -s and .s. Reading through the RFC6749 section 2.3.1, it seems like this might be correct as the referenced HTML 4.01 spec states that

Non-alphanumeric characters are replaced by `%HH', a percent sign and two hexadecimal digits representing the ASCII code of the character

which includes - and .. Since I'm relatively inexperienced with OAuth, I'm probably wrong, but here are just my two cents.

balazsorban44 commented 8 months ago

Appreciate the deep dive @HereIsKevin! I'll look into this

panva commented 8 months ago

I've reverted the fixes, just run npm upgrade, as pointed out the fix is correct but unfortunately it's the server implementations that lack conformance in this regard.

declanlscott commented 8 months ago

I was in the middle of creating an issue about this too, glad I found this one before submitting. I first discovered it while using AuthJS Nuxt, but made a reproduction based on the nextjs example template as well. Will try out what has already been mentioned in this thread.

Edit: Upgraded dependencies and we're back in business! Thanks @panva for the quick fix!

balazsorban44 commented 8 months ago

Closing as this has been fixed upstream. It's a shame that Google is not spec-compliant. 😢

panva commented 8 months ago

In the future major revisions of openid-client and oauth4webapi I will reinstate the correct behaviour so I advise this project to use the client_secret_post client authentication scheme for the affected providers until they fix their implementation.
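The encoding difference discussed in this thread, as an added example (not code from oauth4webapi, @auth/core, or any commenter). The credentials are constructed, all function names are hypothetical, and the server that skips form-decoding is an assumed model of the non-conformance described above.

```javascript
// Constructed sample credentials shaped like a Google OAuth client (not real values).
const CLIENT_ID = "1234567890-abc123def456.apps.googleusercontent.com";
const CLIENT_SECRET = "GOCSPX-constructed_secret";

// Strict form encoding per the HTML 4.01 text quoted in this thread:
// alphanumerics stay, space becomes "+", every other byte becomes %HH.
function strictFormEncode(value) {
  let out = "";
  for (const byte of Buffer.from(value, "utf8")) {
    const ch = String.fromCharCode(byte);
    if (/[A-Za-z0-9]/.test(ch)) out += ch;
    else if (ch === " ") out += "+";
    else out += "%" + byte.toString(16).toUpperCase().padStart(2, "0");
  }
  return out;
}

// Lenient encoding: encodeURIComponent leaves - _ . ! ~ * ' ( ) untouched.
function lenientFormEncode(value) {
  return encodeURIComponent(value).replace(/%20/g, "+");
}

// client_secret_basic (RFC 6749 section 2.3.1): encode each part, join with ":", base64.
function basicAuthHeader(id, secret, encode) {
  return "Basic " + Buffer.from(`${encode(id)}:${encode(secret)}`).toString("base64");
}

// Server side: decodeForm=false models a server that skips form-decoding (assumption).
function clientIdSeenByServer(header, decodeForm) {
  const raw = Buffer.from(header.slice("Basic ".length), "base64").toString("utf8");
  const id = raw.slice(0, raw.indexOf(":"));
  return decodeForm ? decodeURIComponent(id.replace(/\+/g, "%20")) : id;
}

// The server's client lookup: an unknown ID yields the error seen in the logs above.
function lookupResult(seenId) {
  return seenId === CLIENT_ID ? "ok" : "invalid_client";
}

// client_secret_post: credentials travel in the form body, parsed by ordinary form handling.
function clientSecretPostBody(id, secret, code) {
  return new URLSearchParams({
    grant_type: "authorization_code", code, client_id: id, client_secret: secret,
  }).toString();
}
```

With strict encoding, only a server that form-decodes the Basic credentials recovers the registered client ID; with `client_secret_post` the ID round-trips through standard form parsing regardless.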

valse commented 8 months ago

Same as #9554.

The problem was the version of the openid-client package: reinstalling forces it to update to version 5.6.4, which fixes the invalid client issue.

jinsley8 commented 8 months ago

I had a similar problem using bun install as the package manager. If I use yarn install it works fine.

[next-auth][error][OAUTH_CALLBACK_ERROR]
https://next-auth.js.org/errors#oauth_callback_error invalid_client (The OAuth client was not found.) {
  error: OPError: invalid_client (The OAuth client was not found.)
      at processResponse (/Users/****/app-name/node_modules/openid-client/lib/helpers/process_response.js:38:13)
      at Client.grant (/Users/****/app-name/node_modules/openid-client/lib/client.js:1354:22)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
      at async Client.callback (/Users/****/app-name/node_modules/openid-client/lib/client.js:493:24)
      at async oAuthCallback (/Users/****/app-name/node_modules/next-auth/core/lib/oauth/callback.js:109:16)
      at async Object.callback (/Users/****/app-name/node_modules/next-auth/core/routes/callback.js:52:11)
      at async AuthHandler (/Users/****/app-name/node_modules/next-auth/core/index.js:208:28)
      at async NextAuthApiHandler (/Users/****/app-name/node_modules/next-auth/next/index.js:22:19)
      at async NextAuth._args$ (/Users/****/app-name/node_modules/next-auth/next/index.js:108:14)
      at async /Users/****/app-name/node_modules/@sentry/nextjs/cjs/common/wrapApiHandlerWithSentry.js:133:37 {
    name: 'OAuthCallbackError',
    code: undefined
  },
  providerId: 'google',
  message: 'invalid_client (The OAuth client was not found.)'
}

XantreDev commented 8 months ago

I've struggled with the problem, the errors are quite confusing

XantreDev commented 8 months ago

Resolves this issue

"pnpm": {
  "overrides": {
    "oauth4webapi": "2.4.3"     
  }
}

balazsorban44 commented 8 months ago

Please read the comments above. https://github.com/nextauthjs/next-auth/issues/9558#issuecomment-1879624021 You don't need overrides. That would make you stuck on 2.4.3 and not get updates in the future.