Provider configs `token` and `userinfo` ignore `url` and `request` properties #10732
Comments
That's exactly why I filed this issue. I read that code, but
In version 4, the custom provider worked well, but I don't understand why the I've spent an entire night troubleshooting why the custom provider failed. I looked through the source code and found the issue, but I still don't know how to resolve it. Additionally, there are some minor issues with version 4, such as the fact that returning null in the JWT callback throws an error, preventing the session from being cleared. Awaiting your response, thank you.
Yeah please help, this has been a nightmare. Thank you so much for tracking this down @bigbigbo and for clarifying @balazsorban44
If I'm understanding this correctly you're enforcing a very strict pattern on auth that does not consider edge cases.
@balazsorban44 You are aware that being unable to overwrite token.request directly breaks the existing Azure DevOps provider in v5 (in fact, it is broken because of this right now), right? Not allowing this to be overwritten prevents people dealing with weird OAuth providers (like Microsoft...).
Personally, I have decided to step away from Auth.js and placed all the auth logic on my separate backend server. I am very happy with it. I hope that maintainers take a closer look at the issues before closing them. I understand that their time is limited and there are many more important issues to handle, but people are also taking their time to debug the library, read the code, create minimal reproducible examples, and describe the issues.
To me, simply saying something like 'this should work' and closing the issue counts as ignoring it, because this means the maintainers didn't bother to look at the reproducible example, despite my effort trying to make it as minimal as possible to save their time. I believe they should either tell me what I did wrong or keep the issue open (if this is indeed a bug). For future issues, I wish the maintainers would take them more seriously and provide better responses to the authors.
Environment
Reproduction URL
https://github.com/joonhyungshin/next-auth-mre
Describe the issue
I am working on a personal project with social account. I did not want Auth.js to call `userinfo/` endpoint, because in my case token verification and user info fetch are done in a separate backend server. So I only wanted Auth.js to receive an access token using the standard OAuth2 flow, so in my root `auth.ts` file I replaced `userinfo.request` with a no-op function.
However, I realized that Auth.js still calls the `userinfo/` endpoint. It seems like the `url` and `request` properties are all ignored, since the following config worked with no error.
On the other hand, the following code errors as expected.
So I suspect that Auth.js just falls back to the default config if `userinfo` is not a string. The code doesn't seem to do so, so I don't understand why.
I also noticed that the `token` property has the same issue.
How to reproduce
1. `npx create-next-app@latest`.
2. `npm i next-auth@beta`.
3. `auth.ts` at the root, `token.request` and `userinfo.request` replaced with no-op functions.
4. `app/api/auth/[...nextauth]/route.ts`.
5. `.env.local`.
6. `app/page.tsx` with the following code.
7. `npm run dev`. The Signin with Twitter button still works.
Expected behavior
Error, because Auth.js must not be able to fetch access token or user info.