Description
Provider type
FusionAuth
Environment

```
System:
  OS: macOS 14.4.1
  CPU: (12) arm64 Apple M2 Pro
  Memory: 192.58 MB / 32.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 21.7.3 - /opt/homebrew/bin/node
  Yarn: 1.22.22 - /opt/homebrew/bin/yarn
  npm: 10.5.0 - /opt/homebrew/bin/npm
  pnpm: 9.0.5 - /opt/homebrew/bin/pnpm
  bun: 1.1.4 - /opt/homebrew/bin/bun
Browsers:
  Brave Browser: 124.1.65.126
  Chrome: 124.0.6367.119
  Safari: 17.4.1
npmPackages:
  @auth/sveltekit: ^1.0.1 => 1.0.1
```
Reproduction URL
https://github.com/alex-fusionauth/fusionauth-sveltekit
Describe the issue
Within the current provider it is set as `type: "oauth"`:
https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/fusionauth.ts

Then it sets the scopes as requesting `openid`:

```ts
authorization: {
  params: {
    scope: "openid offline_access",
```

Ideally we would like to have this set to our standard and not require someone to override the provider. Currently this causes errors, as it expects to go down the oauth-only path and then tries to fetch openid details without setting it as the correct type. While I haven't seen this be a problem using next-auth, I do see it causing more issues in things like SvelteKit using the direct `@auth/core` package, which is used within `@auth/sveltekit`.

I would like to have our provider updated to reflect the changes in this file: https://github.com/alex-fusionauth/fusionauth-sveltekit/blob/afb3d9134aa43f5d540de972692b782928971aa4/complete-application/src/auth.ts
```ts
import { SvelteKitAuth } from "@auth/sveltekit"
import FusionAuth from "@auth/core/providers/fusionauth"
import {
  FUSIONAUTH_ISSUER,
  FUSIONAUTH_CLIENT_ID,
  FUSIONAUTH_CLIENT_SECRET,
  FUSIONAUTH_URL,
  FUSIONAUTH_TENANT_ID,
} from "$env/static/private"

const fusionAuth = FusionAuth({
  issuer: FUSIONAUTH_ISSUER,
  clientId: FUSIONAUTH_CLIENT_ID,
  clientSecret: FUSIONAUTH_CLIENT_SECRET,
  // wellKnown: `${FUSIONAUTH_URL}/.well-known/openid-configuration/${FUSIONAUTH_TENANT_ID}`,
  tenantId: FUSIONAUTH_TENANT_ID, // Only required if you're using multi-tenancy
  authorization: {
    params: {
      scope: "offline_access email openid profile",
      tenantId: FUSIONAUTH_TENANT_ID,
    },
  },
  userinfo: `${FUSIONAUTH_URL}/oauth2/userinfo`,
  // This is due to a known processing issue
  // TODO: https://github.com/nextauthjs/next-auth/issues/8745#issuecomment-1907799026
  token: {
    url: `${FUSIONAUTH_URL}/oauth2/token`,
    conform: async (response: Response) => {
      if (response.status === 401) return response;
      const newHeaders = Array.from(response.headers.entries())
        .filter(([key]) => key.toLowerCase() !== "www-authenticate")
        .reduce((headers, [key, value]) => (headers.append(key, value), headers), new Headers());
      return new Response(response.body, {
        status: response.status,
        statusText: response.statusText,
        headers: newHeaders,
      });
    },
  },
})

// reset to oidc provider
fusionAuth.type = 'oidc';

export const { handle } = SvelteKitAuth({
  providers: [
    fusionAuth
  ],
})
```
How to reproduce

If you set type back to its default value, `fusionAuth.type = 'oauth';`, you will get an error like below:

```
[auth][error] CallbackRouteError: Read more at https://errors.authjs.dev#callbackrouteerror
[auth][cause]: OperationProcessingError: Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing
```

Expected behavior

PR added: #10868

If you then set it back to `fusionAuth.type = 'oidc';`, it will succeed and you can access details on the profile.

I would like to propose that we update the provider to:
```ts
import type { OAuthConfig, OAuthUserConfig } from "./index.js"

// Abbreviated: the full FusionAuthProfile interface in fusionauth.ts declares
// more claims; only the ones used by profile() below are listed here.
export interface FusionAuthProfile extends Record<string, any> {
  sub: string
  email: string
  preferred_username?: string
}

export default function FusionAuth<P extends FusionAuthProfile>(
  // tenantId only needed if there is more than one tenant configured on the server
  options: OAuthUserConfig<P> & { tenantId?: string }
): OAuthConfig<P> {
  return {
    id: "fusionauth",
    name: "FusionAuth",
    type: "oidc",
    wellKnown: options?.tenantId
      ? `${options.issuer}/.well-known/openid-configuration?tenantId=${options.tenantId}`
      : `${options.issuer}/.well-known/openid-configuration`,
    authorization: {
      params: {
        scope: "openid offline_access email profile",
        ...(options?.tenantId && { tenantId: options.tenantId }),
      },
    },
    userinfo: `${options.issuer}/oauth2/userinfo`,
    // This is due to a known processing issue
    // TODO: https://github.com/nextauthjs/next-auth/issues/8745#issuecomment-1907799026
    token: {
      url: `${options.issuer}/oauth2/token`,
      conform: async (response: Response) => {
        if (response.status === 401) return response;
        const newHeaders = Array.from(response.headers.entries())
          .filter(([key]) => key.toLowerCase() !== "www-authenticate")
          .reduce((headers, [key, value]) => (headers.append(key, value), headers), new Headers());
        return new Response(response.body, {
          status: response.status,
          statusText: response.statusText,
          headers: newHeaders,
        });
      },
    },
    checks: ["pkce", "state"],
    profile(profile) {
      return {
        id: profile.sub,
        email: profile.email,
        name: profile?.preferred_username,
      }
    },
    options,
  }
}
```
Also addresses users needing to update to beta, but it is not available in core.
#8745 (comment)
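The following is an added example, not part of the issue above and not Auth.js or oauth4webapi code. It models the two callback paths the issue contrasts, using the error text from the stack trace above: with `type: "oauth"` a token response that carries an `id_token` is rejected, while with `type: "oidc"` it is accepted. It also packages the `conform` workaround from the issue as a reusable function and exercises it on a constructed token response. The `TokenResponse` shape, the function names, and the sample token values are assumptions made for illustration; the routing logic is a simplified model of the library behaviour, not the library itself. It relies only on the WHATWG `Response` and `Headers` globals available in Node 18+.

```typescript
// Added example (not Auth.js code): models the oauth vs oidc callback paths
// from the issue and the WWW-Authenticate-stripping conform workaround.

type ProviderType = "oauth" | "oidc";

// Assumed minimal token endpoint JSON shape (RFC 6749 fields plus id_token).
interface TokenResponse {
  access_token: string;
  token_type: string;
  expires_in?: number;
  refresh_token?: string;
  id_token?: string;
  [k: string]: unknown;
}

// Same message as the OperationProcessingError quoted in the issue.
const UNEXPECTED_ID_TOKEN =
  "Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing";

// Simplified model of how the callback treats the token response based on the
// provider `type`. On the "oauth" path an id_token is an error; on the "oidc"
// path it is required. This reproduces the symptom in the issue, not the
// library's full validation (signature, nonce, audience, expiry are omitted).
function processTokenResponse(
  providerType: ProviderType,
  body: TokenResponse
): { accessToken: string; idToken?: string } {
  if (providerType === "oauth") {
    if (body.id_token !== undefined) {
      throw new Error(UNEXPECTED_ID_TOKEN);
    }
    return { accessToken: body.access_token };
  }
  if (typeof body.id_token !== "string") {
    throw new Error("ID Token missing from OpenID Connect token response");
  }
  return { accessToken: body.access_token, idToken: body.id_token };
}

// Reusable form of the issue's `conform` workaround: drop WWW-Authenticate
// from every token endpoint response except a real 401 challenge, so a stray
// challenge header on a successful response is not mistaken for an error.
function conformTokenResponse(response: Response): Response {
  if (response.status === 401) return response;
  const headers = new Headers();
  response.headers.forEach((value, key) => {
    if (key.toLowerCase() !== "www-authenticate") headers.append(key, value);
  });
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

// Constructed sample token body (not captured from a real FusionAuth server).
const sampleOidcTokenBody: TokenResponse = {
  access_token: "at-example",
  token_type: "Bearer",
  expires_in: 3600,
  refresh_token: "rt-example",
  id_token: "eyJhbGciOiJSUzI1NiJ9.e30.example", // placeholder, not a real JWT
};

// Constructed token endpoint response carrying a stray challenge header.
function makeSampleTokenResponse(status = 200): Response {
  return new Response(JSON.stringify(sampleOidcTokenBody), {
    status,
    headers: {
      "content-type": "application/json",
      "www-authenticate": 'Bearer realm="example"',
    },
  });
}

// End-to-end demonstration: the same body fails on "oauth" and succeeds on "oidc".
function demo(): { oauthError: string | null; oidcIdToken: string | undefined } {
  let oauthError: string | null = null;
  try {
    processTokenResponse("oauth", sampleOidcTokenBody);
  } catch (e) {
    oauthError = (e as Error).message;
  }
  const { idToken } = processTokenResponse("oidc", sampleOidcTokenBody);
  return { oauthError, oidcIdToken: idToken };
}
```

Setting the provider `type` is what selects the path, so a provider whose default scope requests `openid` (and therefore always receives an `id_token`) must declare `type: "oidc"`; the `conform` step is independent of that choice and only matters while the token endpoint returns a `WWW-Authenticate` header on non-401 responses.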