next-auth
Not using PKCE with the Discord provider makes Discord return an error when getting the tokens
Environment
System:
OS: Windows 11 10.0.22621
CPU: (16) x64 12th Gen Intel(R) Core(TM) i7-12650H
Memory: 2.25 GB / 15.67 GB
Binaries:
Node: 20.11.1 - ~\AppData\Local\Temp\xfs-cca4d7a1\node.CMD
Yarn: 4.1.1 - ~\AppData\Local\Temp\xfs-cca4d7a1\yarn.CMD
npm: 10.1.0 - C:\Program Files\nodejs\npm.CMD
Browsers: {}
npmPackages:
@auth/core: file:./auth.js/packages/core => 0.28.0
@auth/express: file:./auth.js/packages/frameworks-express => 0.5.0
@auth/prisma-adapter: file:./auth.js/packages/adapter-prisma => 1.5.0
(I'm not using Auth.js from NPM because of #10333 and because #10340 hasn't been merged yet, but this issue reproduces on the repro project which does use Auth.js from NPM)
Reproduction URL
https://github.com/april83c/authjs-discord-without-pkce-repro
Describe the issue
When not using PKCE with the Discord provider, the authorization will go fine, but there'll be an error when it tries to get the tokens.
error {
error: 'invalid_request',
error_description: 'Invalid "code_verifier"'
}
This is because, in the request to get the tokens, it's including a code_verifier (which, since we didn't use PKCE, is just "auth").

This default code_verifier is there because the library oauth4webapi requires you to include a code_verifier, and they consider not using PKCE out of scope.

Unfortunately, if you didn't use PKCE in the initial authorization with Discord, the Discord API will return that error (Invalid "code_verifier") if you include any code_verifier, instead of just ignoring it and letting you get the tokens.
But why don't you want to use PKCE?
To integrate with Discord's new Linked Roles feature, you have to not be using PKCE.
It would probably be fine if they just ignored the PKCE parameters, but it does sort of make sense to error (since the Discord API does usually support PKCE but doesn't in this one specific circumstance, and the developer of an app might overlook that...).
How to reproduce
- Clone repro repo
- Fill out .env.local with a Discord app's client ID and secret (https://discord.com/developers/applications)
- Start it and try to log in
Expected behavior
It should get the tokens correctly without including a code_verifier in the request.