feat(core): make next-auth optionally opt-into Web-compatible mode
#4299
Conversation
|
This pull request is being automatically deployed with Vercel (learn more). 🔍 Inspect: https://vercel.com/nextauthjs/next-auth/DUoR4N6DybecdR4evEHQzWcVYeR1 [Deployment for 2267292 canceled] |
github-actions
bot
added
core
| @@ -112,8 +98,8 @@ export interface OAuthConfig<P> extends CommonProviderOptions, PartialIssuer { | |||
| version?: string | |||
| profile?: (profile: P, tokens: TokenSet) => Awaitable<User & { id: string }> | |||
| checks?: ChecksType | ChecksType[] | |||
| client?: Partial<ClientMetadata> | |||
| jwks?: { keys: JWK[] } | |||
There was a problem hiding this comment.
We might not need this anymore, as the new Client doesn't require it.
There was a problem hiding this comment.
This exists to be able to override the usage of openid-client. I wonder if we can truly get rid of it and still be flexible. We should discuss.
There was a problem hiding this comment.
Example: #4286
How could we solve it otherwise?
| @@ -130,9 +116,6 @@ export interface OAuthConfig<P> extends CommonProviderOptions, PartialIssuer { | |||
| region?: string | |||
| // TODO: only allow for some | |||
| issuer?: string | |||
| /** Read more at: https://github.com/panva/node-openid-client/tree/main/docs#customizing-http-requests */ | |||
| httpOptions?: HttpOptions | |||
There was a problem hiding this comment.
This is specific to Node.js
| */ | ||
| checks: OAuthChecks |
There was a problem hiding this comment.
I removed this because I think it's unnecessary. I couldn't find the equivalent in oauth4webapi
There was a problem hiding this comment.
It's basically the way to tell if the provider wants to use state, pkce, both or none. (nonce support is WIP #4100, but I haven't had the time to have a look yet).
If omitted, our default is to use state currently.
| @@ -18,13 +18,13 @@ export default function Facebook< | |||
| url: "https://graph.facebook.com/me", | |||
| // https://developers.facebook.com/docs/graph-api/reference/user/#fields | |||
| params: { fields: "id,name,email,picture" }, | |||
| async request({ tokens, client, provider }) { | |||
There was a problem hiding this comment.
I'm leaving this out because I'm not sure about the API. Can't we abstract this away?
There was a problem hiding this comment.
Unfortunately, the request method was added (see #1846) to support providers that do not follow the spec properly... It's a shame that Facebook doesn't do it. (Note, it might have changed since, but I haven't checked in a while). If we can get rid of it, I'm all for though. But there might be other providers still using it.
We should discuss if we want to start discouraging (read: drop support/request) providers that do not implement the spec 100% correctly...
What I absolutely want to avoid is to go back to handling provider-specific stuff in our core. (eg if (provider.id === "facebook"), etc.)
ThangHuuVu
force-pushed
the
feat/oauth4webapi
branch
from
260f2b2
to
e3e3cf1
Compare
ThangHuuVu
changed the title
- handle pkce discovery - update `validateAuthResponse` to use `expectState`
| @@ -5,11 +5,10 @@ import { usePKCECodeVerifier } from "./pkce-handler" | |||
| import { OAuthCallbackError } from "../../errors" | |||
| import { | |||
| authorizationCodeGrantRequest, | |||
| clientCredentialsGrantRequest, | |||
There was a problem hiding this comment.
| clientCredentialsGrantRequest, |
| if (!provider?.checks?.includes("pkce") || !codeVerifier) { | ||
| if ( | ||
| !provider?.checks?.includes("pkce") || | ||
| !codeVerifier || |
There was a problem hiding this comment.
| !codeVerifier || |
| if ( | ||
| !provider?.checks?.includes("pkce") || | ||
| !codeVerifier || | ||
| code_challenge_methods_supported?.length === 0 |
There was a problem hiding this comment.
| code_challenge_methods_supported?.length === 0 | |
| code_challenge_methods_supported?.includes('S256') === false |
| client, | ||
| callbackParameters, | ||
| provider.callbackUrl, | ||
| pkce?.codeVerifier as string |
There was a problem hiding this comment.
I need to ask Filip about this, as I'm not sure how to call this method without the codeVerifier.
There was a problem hiding this comment.
You don't, that's the whole point. The API is designed so that you always use S256 PKCE. The discussion we had about AS not supporting PKCE means that you'd use nonce (if openid), or state (if not openid) in addition to PKCE since you don't know if PKCE is supported or not.
There was a problem hiding this comment.
Thanks for taking a look, @panva! 🙏
I thought that this API would also handle requesting the access token in the cases PKCE is not supported, like https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1 and https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth. How would you suggest we make the token request in those cases?
There was a problem hiding this comment.
The client always uses PKCE. And in cases where you're not sure if PKCE is supported on the AS you still use PKCE but add nonce (when using OIDC) or state (when not using OIDC).
There was a problem hiding this comment.
Got it, I just updated the PKCE handler to always return a value. 🙏
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
balazsorban44
changed the title
balazsorban44
changed the title
next-authoptionally opt-into Web-compatible mode
balazsorban44
changed the title
next-authoptionally opt-into Web-compatible modenext-auth optionally opt-into Web-compatible mode
|
With the upcoming end of the active phase of node 16, is there a plan to move this forward as it seems to be the main blocker of official support of higher versions? |
balazsorban44
force-pushed
the
feat/oauth4webapi
branch
from
bde0b22
to
f48e0f1
Compare
|
Superseded by #5536 |
Reasoning 💡
This PR removes openid-client dependency and adds oauth4webapi. It would decouple NextAuth.js from Node.js and enable us to run NextAuth.js on other JS runtimes like the edge runtime.
Notes on using PKCE and state/nonce
PKCE is always used. See: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-2.1.1
If PKCE support is missing (either missing from AS metadata or we are not sure), use
statein addition. Nonce support for OpenID is WIP at #4100Checklist 🧢
Affected issues 🎟
References
https://github.com/panva/oauth4webapi/blob/main/examples/code.ts
https://github.com/panva/oauth4webapi/blob/main/examples/oauth.ts