Calling oauth url with http results in an error

[anton-mauritzson]

Environment

System:
OS: macOS 14.2.1
CPU: (10) x64 Apple M1 Max
Memory: 810.92 MB / 64.00 GB
Shell: 3.2.57 - /bin/bash
Binaries:
Node: 20.11.0 - ~/.nvm/versions/node/v20.11.0/bin/node
Yarn: 1.22.17 - /usr/local/bin/yarn
npm: 10.2.4 - ~/.nvm/versions/node/v20.11.0/bin/npm
Browsers:
Chrome: 130.0.6723.116
Safari: 17.2.1
Safari Technology Preview: 14.0.1
npmPackages:
next: 15.0.1 => 15.0.1
next-auth: ^5.0.0-beta.19 => 5.0.0-beta.25
react: 19.0.0-rc-69d4b800-20241021 => 19.0.0-rc-69d4b800-20241021

Reproduction URL

https://github.com/panva/oauth4webapi

Describe the issue

after upgrading to next 15 and thus upgrading next-auth to beta-25 it seems that next-auth has upgraded its dependency of https://github.com/panva/oauth4webapi to 3.0 that included breaking changes to not allow by default requests from the module to insecure addresses. panva/oauth4webapi@4829da6

This commit seem to have something missing 0244513 i'm unable to trace why but we're getting an error from next-auth

We are running an oAuth server in a kubernetes cluster and the service calling the oauth server is in the same cluster so https is not required for us.

How to reproduce

install next 15 and the latest next-auth 5.0.0-beta.25.
set up a custom provider with http protocol for the token request.

Expected behavior

looking at the code in the commit where oauth4webapi was upgraded, it seems that it should be allowed from this package.

[panva]

You can see in the specific PR that bumped oauth4webapi that all http-triggering requests made are configured to allow http requests.

[anton-mauritzson]

@panva yes i can see that, however that doesn't explain how oauth4webapi is throwing the error i'm getting. Because this error

is from oauth4webapi

[panva]

Providing a source-map based stack trace would probably come a long way towards being able to identify the actual reason for this behaviour.