V5 potential bug: Using checks: ['none'] not respected #10798
Unanswered
jamespantalones asked this question in Help
I am in the middle of migrating an app to next-auth@5, and getting an error upon doing so that the code_verifier length is not between 43 and 128 chars. When I remove the checks: ['none'], then I do not get this error. I was under the impression that using checks: ['none'] should NOT run the PKCE code verifier? Using next-auth@4, this all works.

It seems like this line is the culprit: https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/lib/actions/callback/oauth/callback.ts#L112

codeVerifier ?? "auth"

If a pkce value is not included in checks, codeVerifier will be empty, which will send the code_verifier value of auth, which does not meet the length criteria.

This value of auth gets passed to the oauth4webapi library, where it fails verification, as this value gets set into request query params. In my view, if checks: ['none'] exists, there should be no value set in query params. I ran patch-package on this library, and sending no code_verifier query param if value is auth works.

Any ideas around this? We need to continue using checks: ['none']
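The behaviour discussed in the post above, as an added example that is not part of the original post and is not next-auth or oauth4webapi code: a token-request builder that sends code_verifier only when pkce is listed in checks, and validates it against the RFC 7636 format (43 to 128 characters from the unreserved set) before sending. The helper names, the sample verifier and the sample URL are assumptions made for illustration.

```javascript
// Added example: helper names are hypothetical, not next-auth or oauth4webapi APIs.

// RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
const CODE_VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

function isValidCodeVerifier(value) {
  return typeof value === "string" && CODE_VERIFIER_RE.test(value);
}

// Build the body of an authorization-code token request.
// `checks` mirrors the provider option from the post, e.g. ["pkce"] or ["none"].
function buildTokenRequestParams({ code, redirectUri, checks, codeVerifier }) {
  const params = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
  });
  if (!checks.includes("pkce")) {
    // PKCE was not requested: omit code_verifier instead of sending a placeholder.
    return params;
  }
  if (!isValidCodeVerifier(codeVerifier)) {
    // Fail locally with a clear message rather than sending a malformed verifier.
    throw new Error("pkce is enabled but code_verifier is missing or malformed");
  }
  params.set("code_verifier", codeVerifier);
  return params;
}

// Constructed sample values (not taken from the post).
const SAMPLE_VERIFIER = "A1b2".repeat(16); // 64 characters
const SAMPLE_REQUEST = { code: "sample-code", redirectUri: "https://app.example/callback" };

function demo() {
  const withoutPkce = buildTokenRequestParams({ ...SAMPLE_REQUEST, checks: ["none"] });
  const withPkce = buildTokenRequestParams({
    ...SAMPLE_REQUEST, checks: ["pkce"], codeVerifier: SAMPLE_VERIFIER,
  });
  return {
    placeholderIsValid: isValidCodeVerifier("auth"),
    withoutPkce: withoutPkce.toString(),
    withPkce: withPkce.toString(),
  };
}

console.log(demo());
```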