-
-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature/nonce check type #4100
Feature/nonce check type #4100
Conversation
This pull request is being automatically deployed with Vercel (learn more). 🔍 Inspect: https://vercel.com/nextauthjs/next-auth/HggmkVHNf7hrWyf2YA3TjN518wT6 |
@balazsorban44 - If you require a test-cognito endpoint and credentials I can potentially set this up for you on my personal account, just give me some notice and I can set it up :) |
Hi @balazsorban44 sorry to bug you, but would it be possible to give an indication if this fix is viable and something you may be willing to accept into the project? I wouldn't normally chase up on PRs, but we are faced with a difficult decision on our project at the moment. Basically:
I realise this is a side-project and you are busy, but just looking for some confidence that a fix will be forthcoming if we chose Option1 even if its not immediate. |
@ThangHuuVu @ndom91 - Sorry to tag you but would you be able to answer the above? |
Hi, I'm sorry, I'm currently taking a small break from the project to work through personal issues. Thanks for tagging the others. I'll look into all PRs once I feel better. 💚🙏 |
No problem. Thanks for letting us know. Take care of yourself and hope you feel better soon! |
Hi james, so from my side this looks like it makes a lot of sense and the PR looks clean as well. I dont want to speak for Balazs and we're waiting to release any versions on him anyway, but for the time being you could use something like |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have a comment about docs
Thanks James! I'll mark this as "ready" so we can take a look as soon as we continue with cutting releases 👍 |
@ndom91 @james-bjss We're also facing the same issues with this missing nouce check type. Any updates on this PR and when it will be a candidate for a release ? |
Hi Sorry, I don't have any news I am also keen to see this merged too. We are currently using the code form this PR with |
can you share the |
Probably this one: https://www.npmjs.com/package/patch-package |
I have created a patch package on NPM until this PR has been merged. https://www.npmjs.com/package/next-auth-patch-feature-nonce-check |
I currently use this patches/openid-client+5.1.6.patch which disables the nonce check and bypasses the nonce error, and the sign in process is seamless. I'll try replacing the entire package with the patched one (though a gist containing the .patch would be preferable) to see if I get the extra protection of the nonce. |
@w0otness I created a gist of the patch we use: https://gist.github.com/hamidbjss/b6408e48080f247edd22ec04a3b983e3 |
72f663d
to
06f1021
Compare
The latest updates on your projects. Learn more about Vercel for Git ↗︎ 1 Ignored Deployment
|
Created a patch for version 4.10.3 if it's of help to anyone next-auth+4.10.3.patch. @balazsorban44 @ndom91 @ThangHuuVu @lluia really would be good if we could get this merged in please, it's a pain having to constantly create new patches. |
This error is blocking me from using a third-party IDP with Cognito |
You can use the patch provided by @hamidbjss above until this is merged. This PR seems to be in limbo though. Posts above do suggest that it's being considered as a candidate for a new release but it doesn't look like there is a roadmap for future releases and the only changes that are being merged currently are critical fixes and doc changes. I understand the pressures of maintaining a popular OS project and am immensely grateful for this great library, but it's quite dissappointing when asked to raise a PR for a fix and it just languishes for 6months. We chose to stick with nextauth as we thought this would likely be fixed in the future. @ndom91 would it be possible to get an update on why it has stalled? It's clear it is affecting a number of people who have chosen to use this lib (have seen this pop up on stack overflow too). Sorry for the nagging! Also, for what its worth we have been using the patched version for many months now without issue. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Folks, we understand your frustration, and are sorry for the delayed action.
@james-bjss I just tested this PR locally with Google using nonce
with and without state
and pkce
, everything works as expected. 🎉 I also added some comments, could you check and let me know what you think? Thanks again for the PR! Let's work together to get this one merged soon 🙌
Co-authored-by: Thang Vu <thvu@hey.com>
Great. Thanks! Just going ahead and making these changes and we will test with Cognito + IDP (Azure AD) and will update on status. |
@ThangHuuVu - @hamidbjss and I have tested this against our Cognito setup and it works as-expected with those changes. |
Thanks @ThangHuuVu and all. Sorry for all the nagging! This will be a huge help to our team. 🌟 Have donated you all some beer money :) |
Hey team, thanks for all your hard work on this! Will these changes be released in a new version? |
I'm all excited about it to be released 😊 |
This is now available in the latest release (though is absent from release notes). Will. Zap my fork in the next few days, |
Hmm..that's interesting, today I installed: "next-auth": "^4.12.3", with the following configuration: providers: [
CognitoProvider({
clientId: process.env.COGNITO_CLIENT_ID,
clientSecret: process.env.COGNITO_CLIENT_SECRET,
issuer: process.env.COGNITO_ISSUER,
idToken: true,
checks: "nonce",
} as OAuthUserConfig<CognitoProfile>),
], And I'm still getting:
Am I missing something? |
@matewilk I think checks should be array of string, not a string. |
The typings in typescript tell (assuming they are correct) that declare type ChecksType = "pkce" | "state" | "none" | "nonce";
// ...
export interface OAuthConfig<P> extends CommonProviderOptions, PartialIssuer {
// ...
checks?: ChecksType | ChecksType[];
// ...
} |
@matewilk you should be able to provide an array or string literal. Your config seems fine. I'd perhaps follow the usual troubleshooting steps:
|
next-auth.session-token cookie is not set when I deployed to aws but works fine in vercel |
import NextAuth from 'next-auth'; /*
],
async redirect({ url, baseUrl }) { }, }, }; export default NextAuth(authOptions); jwt callback was fine but session callback is not triiggered |
Reasoning 💡
Adding the ability to generate and validate a nonce value when authenticating against an Open ID provider.
This resolves a "nonce missmatch" error raised when authenticating against an external IDP with Cognito.
Specifically this is to fix the following issue: #3551
Checklist 🧢
Affected issues 🎟
Fixes: #3551
Notes On Usage