AuthJS do not redirect to set URL, instead it redirect to Docker container internal IP

[J4v4Scr1pt]

Environment

System:
OS: Windows 10 10.0.19045
CPU: (12) x64 Intel(R) Core(TM) i7-9850H CPU @ 2.60GHz
Memory: 7.73 GB / 31.71 GB
Binaries:
Node: 20.5.0 - C:\Program Files\nodejs\node.EXE
npm: 9.8.0 - C:\Program Files\nodejs\npm.CMD
pnpm: 8.6.12 - ~\AppData\Local\pnpm\pnpm.EXE
Browsers:
Edge: Spartan (44.19041.1266.0), Chromium (116.0.1938.54)
Internet Explorer: 11.0.19041.1566

Reproduction URL

Describe the issue

When using nextJS and authJS I get redirected to the internal ip-address of Docker instead of set environment variable when trying to access protected urls.

I'm using the app router:

Tried the suggested solutions in this thread but it does not work.

.env:

NEXTAUTH_SECRET=secrect
NEXTAUTH_URL=myDomain

docker-compose.yaml:

version: '3'

services:
  wt-nxt:
    container_name: wt-nxt
    build:
      context: .
      dockerfile: Dockerfile
    restart: always
    ports:
      - 3000:3000

Docker:

FROM node:18-alpine AS base

FROM base AS builder

WORKDIR /app

COPY package.json yarn.lock* package-lock.json* pnpm-lock.yaml* ./
RUN \
  if [ -f yarn.lock ]; then yarn --frozen-lockfile; \
  elif [ -f package-lock.json ]; then npm ci; \
  elif [ -f pnpm-lock.yaml ]; then yarn global add pnpm && pnpm i; \
  # Allow install without lockfile, so example works even without Node.js installed locally
  else echo "Warning: Lockfile not found. It is recommended to commit lockfiles to version control." && yarn install; \
  fi

COPY . .

RUN \
  if [ -f yarn.lock ]; then yarn build; \
  elif [ -f package-lock.json ]; then npm run build; \
  elif [ -f pnpm-lock.yaml ]; then pnpm build; \
  else yarn build; \
  fi

FROM base AS runner

WORKDIR /app

RUN addgroup --system --gid 1001 nodejs
RUN adduser --system --uid 1001 nextjs
USER nextjs

COPY --from=builder /app/public ./public

COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static

CMD ["node", "server.js"]

auth-api-route:

import NextAuth from 'next-auth';
import type { AuthOptions } from 'next-auth';
import CredentialsProvider from 'next-auth/providers/credentials';

const authOptions: AuthOptions = {
	providers: [
		CredentialsProvider({
			credentials: {
				username: { label: 'Username', type: 'text' },
				password: { label: 'Password', type: 'password' },
			},
			async authorize(credentials, req) {

				const res = await fetch('/my/endpoint', {
					method: 'POST',
					body: JSON.stringify(credentials),
				 	headers: { 'Content-Type': 'application/json' },
				});
				const res = await res.json();

			
				if (res.ok && user) {
					return user;
				}
				return null;
			},
		}),
	],
	session: { strategy: 'jwt' },
	pages: {
		signIn: '/Login',
	},
};

const handler = NextAuth(authOptions);

export { handler as GET, handler as POST };

middleware:

import { withAuth } from 'next-auth/middleware';

export default withAuth({
	callbacks: {
		authorized({ req, token }) {
			return !!token;
		},
	},
	pages: { signIn: '/Login' },
});

export const config = {
	matcher: [
		'/((?!api/|_next/|_static/|_vercel|[\\w-]+\\.\\w+).*)',
	],
};

How to reproduce

Setup NextJS with AuthJS with latest versions.
Then setup a basic docker and dockercompose file.

Expected behavior

Should redirect to set environment variable.

[lujun2]

Encounter the same issue...

After some research, seems like it is related to vercel/next.js#37536

next-auth use req.nextUrl.origin to get the host, but it always return localhost

Still under investigation...

[J4v4Scr1pt]

Ahhh makes sense thx for the info, I tried to downgrade and it looks like it working locally but the build in my Azure-pipeline got some other error instead 😅.

Edit, works with these versions:
"next": "13.4.3",
"next-auth": "4.22.1",

[lujun2]

managed to work when set custom signIn page

const authUrl = process.env['NEXTAUTH_URL'] ?? 'http://localhost:3000';

export default withAuth({
  pages: {
    signIn: `${authUrl}/api/auth/signin`
  }
});

but I don't think this is a solution ...

[soulchild]

This is definitely an issue. All I did was npm update --save. All worked well locally, but when I deployed it to our test environment (running with Docker) the login was broken, redirecting my browser to the local docker IP address.

[J4v4Scr1pt]

I downgrade the versions to
"next": "13.4.3",
"next-auth": "4.22.1",

And now everything works.

[Kiborgik]

have in .env NEXTAUTH_URL_INTERNAL=http://localhost:3000
try add this to docker:
ENV HOSTNAME "0.0.0.0" CMD ["node", "server.js"]

[J4v4Scr1pt]

Did not work, not for me at least 😅

[VictorGlindasPaf]

Didn't work for us either

[axinzi]

i tryed, and it worked!!! thanks

[aronei44]

Its worked. thanks
you must change your NEXTAUTH_URL to http://0.0.0.0:port (container port)
UPDATE
in stag and prod server its not working....
just work in development (local docker)

[Kiborgik]

Did not work, not for me at least 😅
do you have in .env NEXTAUTH_URL_INTERNAL=http://localhost:3000/ thought? (also last versions for both packages)

[skull8888888]

any updates on this?

[J4v4Scr1pt]

Don't think so, it seems to be about settings.
I have latest version of all packages and it works like a charm for me.
The person that handle our platform removed some trailing slash in k8s, and now it works in prod.

this is my docker file:

FROM node:18-alpine AS base

# Step 1. Rebuild the source code only when needed
FROM base AS builder

WORKDIR /app

# Install dependencies based on the preferred package manager
COPY package.json yarn.lock* package-lock.json* pnpm-lock.yaml* ./
# Copy Authentication
COPY .npmrc .
# Omit --production flag for TypeScript devDependencies
RUN \
  if [ -f yarn.lock ]; then yarn --frozen-lockfile; \
  elif [ -f package-lock.json ]; then npm ci; \
  elif [ -f pnpm-lock.yaml ]; then yarn global add pnpm && pnpm i; \
  # Allow install without lockfile, so example works even without Node.js installed locally
  else echo "Warning: Lockfile not found. It is recommended to commit lockfiles to version control." && yarn install; \
  fi
COPY . .
  # if this is the sandbox deployment environment

# Environment variables must be present at build time
# https://github.com/vercel/next.js/discussions/14030

ARG NODE_ENV
ENV NODE_ENV=production
ARG NEXTAUTH_SECRET
ENV NEXTAUTH_SECRET=${NEXTAUTH_SECRET}
ARG NEXTAUTH_URL
ENV NEXTAUTH_URL=${NEXTAUTH_URL}
ARG VERSION
ENV VERSION=${VERSION}
ARG SOURCEVERSION
ENV SOURCEVERSION=${SOURCEVERSION}

# Next.js collects completely anonymous telemetry data about general usage. Learn more here: https://nextjs.org/telemetry
# Uncomment the following line to disable telemetry at build time
ENV NEXT_TELEMETRY_DISABLED 1

# Build Next.js based on the preferred package manager
RUN \
  if [ -f yarn.lock ]; then yarn build; \
  elif [ -f package-lock.json ]; then npm run build; \
  elif [ -f pnpm-lock.yaml ]; then pnpm build; \
  else yarn build; \
  fi

# Note: It is not necessary to add an intermediate step that does a full copy of `node_modules` here

# Step 2. Production image, copy all the files and run next
FROM base AS runner

WORKDIR /app

# Don't run production as root
RUN addgroup --system --gid 1001 nodejs
RUN adduser --system --uid 1001 nextjs

COPY --from=builder /app/public ./public

# Set the correct permission for prerender cache
RUN mkdir .next
RUN chown nextjs:nodejs .next

# Automatically leverage output traces to reduce image size
# https://nextjs.org/docs/advanced-features/output-file-tracing
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static

# Environment variables must be redefined at run time
ARG NODE_ENV
ENV NODE_ENV=production
ARG NEXTAUTH_SECRET
ENV NEXTAUTH_SECRET=${NEXTAUTH_SECRET}
ARG NEXTAUTH_URL
ENV NEXTAUTH_URL=${NEXTAUTH_URL}
ARG VERSION
ENV VERSION=${VERSION}
ARG SOURCEVERSION
ENV SOURCEVERSION=${SOURCEVERSION}

# Uncomment the following line to disable telemetry at run time
ENV NEXT_TELEMETRY_DISABLED 1

USER nextjs

CMD ["node", "server.js"]

[akutruff]

I just hit this too. Anyone have any idea?

[abdulqadeerqureshi]

Downgrade nextjs back to v13.4.12 and everything works fine. Plus I also added ENV HOSTNAME 0.0.0.0 to my Dockerfile.

[aronei44]

try this. work for me (production too)

i have some problem. the first one is next-auth always redirect to internal docker ip. so, i do this

1. add env in dockerfile

ENV HOSTNAME 0.0.0.0

now, the redirect is going to ip given. not worked with DNS. so i do this

2. set NEXTAUTH_URL to your domain

example:

NEXTAUTH_URL='https://yourdomain.com'

its worked but 'bad gateway' appear. after some search, i found this problem is from NGINX. so i do this

3. setup NGINX

add this into your nginx.conf in http section

http {
# another setup

proxy_buffers 8 16k;
proxy_buffer_size 32k;
}

i hope this work for you too

[soulchild]

Shouldn't this be a bug instead of a discussion, @balazsorban44? Especially, given that it used to work without applying a band-aid? I've worked with a lot of different frameworks over the years, but never have I had to explicitly set my hostname to 0.0.0.0 to make an app work… Just feels strange.

[xfathurrahman]

any update for this issuess?

[masterjanic]

Same issue here using "next-auth": "^5.0.0-beta.15" and "next": "^14.1.1". I have setup ENV HOSTNAME and NEXTAUTH_URL / AUTH_URL which sets the OAuth redirect url to the correct path but once signed in with any provider it redirects to the internal Docker address which is 0.0.0.0.

[adamspotlite]

@tetsuo-keystone I also use cloudrun and am experiencing this issue. Are you using ENV HOSTNAME in your Dockerfile? Is this to say that we need to explictly set AUTH_URL as well during build? Can that be done at runtime instead? Also, is AUTH_URL just the domain mapping you applied + api/auth?

[tetsuo-keystone]

Yes, I have ENV HOSTNAME "0.0.0.0" in my Dockerfile.

I don't set the AUTH_URL value in the .env files at all, I only have it set on the cloudrun container as an environment variable (not sure this makes a difference, also I haven't tested this setup too extensively yet but this is correct to my knowledge right now)

I don't think the AUTH_URL can be set at runtime, based on the behaviour I'm seeing.

My AUTH_URL value is set to {custom domain}/api/auth, so yes!

[Nishidh25]

Hi Can you share your docker file and .env config
I have tried everything but i cannot get this to work. In app engine or cloud run
I have also tried all the combinations.

Would also help if you can share a working repo

Currently running "next-auth": "^5.0.0-beta.4", "next": "^14.1.0"

.env

AZURE_AD_CLIENT_ID=""
AZURE_AD_CLIENT_SECRET=""
AZURE_AD_TENANT_ID=""

GOOGLE_CLIENT_ID=""
GOOGLE_CLIENT_SECRET=""


DIALOGFLOW_PROJECT_ID=""
DIALOGFLOW_KEY_FILE="

GOOGLE_APPLICATION_CREDENTIALS=""

Dockerfile

FROM base AS deps
libc6-compat might be needed.
RUN apk add --no-cache libc6-compat
WORKDIR /app

COPY package.json yarn.lock* package-lock.json* pnpm-lock.yaml* ./
RUN \
  if [ -f yarn.lock ]; then yarn --frozen-lockfile; \
  elif [ -f package-lock.json ]; then npm ci; \
  elif [ -f pnpm-lock.yaml ]; then corepack enable pnpm && pnpm i --frozen-lockfile; \
  else echo "Lockfile not found." && exit 1; \
  fi


# Rebuild the source code only when needed
FROM base AS builder
WORKDIR /app
COPY --from=deps /app/node_modules ./node_modules
COPY . .


ENV HOSTNAME "0.0.0.0"
ENV PORT 8080
ENV NEXT_TELEMETRY_DISABLED 1
ENV AUTH_SECRET=
ENV AZURE_AD_CLIENT_ID=""
ENV AZURE_AD_CLIENT_SECRET=""
ENV AZURE_AD_TENANT_ID=""
ENV GOOGLE_CLIENT_ID=""
ENV GOOGLE_CLIENT_SECRET=""
ENV DIALOGFLOW_PROJECT_ID=""
ENV DIALOGFLOW_KEY_FILE=""
ENV GOOGLE_APPLICATION_CREDENTIALS=""
ENV AUTH_URL="https://my-production-url/api/auth"


RUN \
  if [ -f yarn.lock ]; then yarn run build; \
  elif [ -f package-lock.json ]; then npm run build; \
  elif [ -f pnpm-lock.yaml ]; then corepack enable pnpm && pnpm run build; \
  else echo "Lockfile not found." && exit 1; \
  fi

FROM base AS runner
WORKDIR /app
ENV NODE_ENV production
ENV NEXT_TELEMETRY_DISABLED 1
ENV AUTH_SECRET=
ENV AZURE_AD_CLIENT_ID=""
ENV AZURE_AD_CLIENT_SECRET=""
ENV AZURE_AD_TENANT_ID=""
ENV GOOGLE_CLIENT_ID=""
ENV GOOGLE_CLIENT_SECRET=""
ENV DIALOGFLOW_PROJECT_ID=""
ENV DIALOGFLOW_KEY_FILE=""
ENV GOOGLE_APPLICATION_CREDENTIALS=""
ENV AUTH_URL="https://my-production-url/api/auth"
RUN addgroup --system --gid 1001 nodejs
RUN adduser --system --uid 1001 nextjs
COPY --from=builder /app/public ./public
# Set the correct permission for prerender cache
RUN mkdir .next
RUN chown nextjs:nodejs .next
# Automatically leverage output traces to reduce image size
# https://nextjs.org/docs/advanced-features/output-file-tracing
# copy the public folder from the project as this is not included in the build process
COPY --from=builder --chown=nextjs:nodejs /app/public ./public
# copy the standalone folder inside the .next folder generated from the build process
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
# copy the static folder inside the .next folder generated from the build process
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
USER nextjs
# set hostname to localhost
ENV HOSTNAME "0.0.0.0"
ENV PORT 8080
EXPOSE 8080
# server.js is created by next build from the standalone output
# https://nextjs.org/docs/pages/api-reference/next-config-js/output
CMD ["node", "server.js"]

I have been stuck here for almost a month: almost thinking about switching my development to Nodejs and use some other well known auth

[adamspotlite]

Hey, I was able to get this going with @tetsuo-keystone 's suggestion.

tldr: add ENV HOSTNAME "0.0.0.0" and ensure AUTH_URL is set on the container runtime.

The setup that worked:

FROM node:20-alpine AS base
 
FROM base AS builder
RUN apk add --no-cache libc6-compat
RUN apk update
RUN npm install -g pnpm

# Set working directory
WORKDIR /app
RUN npm install -g turbo
COPY . .
RUN turbo prune @spotlite/nextjs --docker
 
# Add lockfile and package.json's of isolated subworkspace
FROM base AS installer
RUN apk add --no-cache libc6-compat
RUN apk update
RUN npm install -g pnpm

WORKDIR /app
 
# First install the dependencies (as they change less often)
COPY .gitignore .gitignore
COPY --from=builder /app/out/json/ .
COPY --from=builder /app/out/pnpm-lock.yaml ./pnpm-lock.yaml
RUN pnpm install
 
# Build the project
COPY --from=builder /app/out/full/ .
RUN CI=true SKIP_ENV_VALIDATION=true pnpm turbo run build --filter=@spotlite/nextjs...
 
FROM base AS runner
WORKDIR /app
 
# Don't run production as root
RUN addgroup --system --gid 1001 nodejs
RUN adduser --system --uid 1001 nextjs
USER nextjs
 
COPY --from=installer /app/apps/nextjs/next.config.js .
COPY --from=installer /app/apps/nextjs/package.json .
 
# Automatically leverage output traces to reduce image size
# https://nextjs.org/docs/advanced-features/output-file-tracing
COPY --from=installer --chown=nextjs:nodejs /app/apps/nextjs/.next/standalone ./
COPY --from=installer --chown=nextjs:nodejs /app/apps/nextjs/.next/static ./apps/nextjs/.next/static
COPY --from=installer --chown=nextjs:nodejs /app/apps/nextjs/public ./apps/nextjs/public
 
EXPOSE 3000
ENV PORT 3000
ENV HOSTNAME "0.0.0.0"

CMD node apps/nextjs/server.js

NOTE: This is from the t3-turbo repo - I can't speak to how things are different in a setting outside of that.

Additionally, I deploy to Cloud Run and pass AUTH_URL as an env var into the container. That's to say, deployment line looks like this:

run: gcloud run deploy ${{ env.SERVICE }} --image="${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_NAME }}/${{ env.REPOSITORY }}/${{ env.SERVICE }}:${{ github.sha }}" --region="${{ env.REGION }}" --env-vars-file=.env

Hope this helps!

[eliaspasche]

This results in an redirect loop if i run the container locally with http://localhost:3000/api/auth as AUTH_URL. Any ideas?

[renanzan]

I'm facing the same issue. Currently, I'm using version "^5.0.0-beta.15" of next-auth with the Keycloak provider. Even after setting up all the suggested environment variables, I'm unable to proceed with authentication. Keycloak keeps reporting an invalid redirect_uri error, pointing to the Docker's internal host.

[teamsmiley]

hey , i had same issue,
but i delete this

# ENV HOSTNAME "0.0.0.0"

then it works please check if you have this.

[D3nn7]

We've updated today to Nextjs 14.2.2 and removed the env HOSTNAME in Dockerfile. Now everything works as expected again.

[highree]

hey @D3nn7,

can you share some insights ? I managed to run nextauth locally, as dev and build. As soon as i deploy on a dedicated server wiith https, it seems nothing happens. i get logged in i see the session for a second, and immediatly logged out.

some insights how u get it running would be great.

[D3nn7]

@highree I have created a sample project that you can take a look at if you like :) Our production application and the sample project are working again.

https://github.com/D3nn7/nextauth-discussion-8449

[highree]

thanks, i have the exact same config besides that i use siwe, and i found the solution there. seems the signOut declaration in the siwe config of web3modal caused an auto logout when session is there, but no network was connected.

thanks for providing your sample project
cheers (oder prost in deinem fall)

[Qbason]

I got the same issue. On the website is written that AUTH_URL is not needed but without this I am redirecting to name of kubernetes pod instead to proper url website. I used dockerfile directly from next.js repo. I don't if this is important but I am also using AUTH_TRUST_HOST because of traefik.

Summary:

• Set AUTH_URL environment
• Use docker from https://github.com/vercel/next.js/blob/canary/examples%2Fwith-docker%2FDockerfile
• Set AUTH_TRUST_HOST environment if you behind reverse proxy

#Extra info
In new version of dockerfile the end command is different. I am using:

CMD ["node", "server.js"]

[johanwulf]

Yup, this is what did it for me as well. I've deployed my Next.js application to Google Cloud Run and spent some time scratching my head with this. AUTH_URL=mydomain.com and AUTH_TUST_HOST=true solved my problems.

[rylincoln]

This works for me in caprover deployment.

[benmarte]

I'm running into this issue as well I managed to get a bit further by adding the authorization option to the Keycloak options and now it tries to login but I still end up with the ECONNREFUSED error.

I made a repo with instructions on how to reproduce the issue in docker and how everything just works when you run nextjs locally and keycloak in docker.

Any help is appreciated, thanks.

https://github.com/benmarte/authjs-docker

[benmarte]

If anyone is using docker-compose and is still running into this issue I got it resolved thanks to the help of another keycloak user in their forums: https://keycloak.discourse.group/t/issues-running-keycloak-in-docker-and-authenticating-with-authjs/26443/14

[balazsorban44]

Hi everyone, we have an official section for deploying Docker here: https://authjs.dev/getting-started/deployment#docker

It includes the recommended Docker config, and can be seen deployed (running on Render.com, but it should work the same everywhere) here: https://nextjs-docker-example.authjs.dev

You should not need to set AUTH_URL NEXTAUTH_URL, NEXTAUTH_URL_INTERNAL and the like anymore.

[gnowland]

Unfortunately it's not the case -- running next-auth 5.0.0-beta.19 on next 14.2.4 any auth actions redirect to http://0.0.0.0 when running in Docker unless AUTH_URL is set or I use the src/app/api/[...nextauth]/route.ts reqWithTrustedOrigin() workaround as shown in this (closed) issue comment: #10928 (comment).

I hope this workaround can be added to core in the next patch so we don't have to add that to each project 🙏

[VladBo]

In my case the problem was caused by NEXTAUTH_URL and NEXTAUTH_URL_INTERNAL which were not removed from GCP Cloud Run instance after upgrade from NextAuth v4 to v5. They caused such a redirect loop. After 5 days of debugging I've finally fixed it 🫠