next-auth
'500 Internal Server Error' with Bungie Provider
Question 💬
I'm trying to get Next Auth working with Bungie. There is a provider included with Next Auth, but it doesn't work out of the box. I have solved one problem with it, but am now stumped with a second.
Bungie requires a few unique things for their OAuth. One, you need to use https even locally. Two, you can't use 'localhost'. You need 127.0.0.1 or something configured in your hosts file. I have that set up -- Next is running with SSL on 127.0.0.1. I have even configured the GitHub Provider and that continues to work perfectly.
The first thing I did is recreate the Provider as a file/import within my project so I could modify it. I needed to change that authorization line to the following as Bungie errors out if you send any scope.
authorization: {
  url: 'https://www.bungie.net/en/OAuth/Authorize?reauth=true',
  params: {
    scope: '',
  },
},
Now I am getting the following error after approving the request on Bungie's site. Again, the GitHub provider continues to work while Bungie is giving this error. I also got confirmation that I had authorized the app on my Bungie account the first time I completed this.
[next-auth][error][OAUTH_CALLBACK_ERROR]
https://next-auth.js.org/errors#oauth_callback_error expected 200 OK, got: 500 Internal Server Error {
error: {
message: 'expected 200 OK, got: 500 Internal Server Error',
stack: 'OPError: expected 200 OK, got: 500 Internal Server Error\n' +
' at processResponse (F:\\websites\\projects\\destiny-watch\\node_modules\\openid-client\\lib\\helpers\\process_response.js:41:11)\n' +
' at Client.userinfo (F:\\websites\\projects\\destiny-watch\\node_modules\\openid-client\\lib\\client.js:1257:18)\n' +
' at processTicksAndRejections (node:internal/process/task_queues:96:5)\n' +
' at async oAuthCallback (F:\\websites\\projects\\destiny-watch\\node_modules\\next-auth\\core\\lib\\oauth\\callback.js:134:17)\n' +
' at async Object.callback (F:\\websites\\projects\\destiny-watch\\node_modules\\next-auth\\core\\routes\\callback.js:50:11)\n' +
' at async NextAuthHandler (F:\\websites\\projects\\destiny-watch\\node_modules\\next-auth\\core\\index.js:139:28)\n' +
' at async NextAuthNextHandler (F:\\websites\\projects\\destiny-watch\\node_modules\\next-auth\\next\\index.js:21:19)\n' +
' at async F:\\websites\\projects\\destiny-watch\\node_modules\\next-auth\\next\\index.js:57:32\n' +
' at async Object.apiResolver (F:\\websites\\projects\\destiny-watch\\node_modules\\next\\dist\\server\\api-utils\\node.js:185:9)\n' +
' at async DevServer.runApi (F:\\websites\\projects\\destiny-watch\\node_modules\\next\\dist\\server\\next-server.js:395:9)',
name: 'OPError'
},
providerId: 'bungie2',
message: 'expected 200 OK, got: 500 Internal Server Error'
}
How to reproduce ☕️
- Install Next, Next Auth
- Configure Next to use SSL and 127.0.0.1, including adding NEXTAUTH_URL=https://127.0.0.1:3000 to .env files. I followed the instructions at https://next-auth.js.org/providers/bungie and the linked page (https://medium.com/@anMagpie/secure-your-local-development-server-with-https-next-js-81ac6b8b3d68)
- Create my own provider for Bungie based off of the one that ships with Next. See https://github.com/royanger/destiny-item-watch/blob/86c0468da7d35c27523c9095d4a39775e8f3c652/libs/auth/bungie.js
- Configure Bungie App (see image)
- Run Next app and attempt to login via Bungie.
The following is the output from the process:
[next-auth][debug][CREATE_STATE] { state: 'tFS-qq68Dx7D-q58oq_FkSb82WBVp3IM9YcoJa0kIO4', maxAge: 900 }
[next-auth][debug][GET_AUTHORIZATION_URL] {
url: 'https://www.bungie.net/en/OAuth/Authorize?reauth=true&client_id=40576&scope=&response_type=code&redirect_uri=https%3A%2F%2F127.0.0.1%3A3000%2Fapi%2Fauth%2Fcallback%2Fbungie2&state=tFS-qq68Dx7D-q58oq_FkSb82WBVp3IM9YcoJa0kIO4',
cookies: [
{
name: '__Secure-next-auth.state',
value: 'eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..dSzcoBCsMiZT7XyU.uZtRDBS1F4r-mZpcuKxdwgXoxXwm9N3vrqb9CnDyqqtVZ1qMZjOZh_gVUrZlBfdtRDrCHIwsMm6o6OrZKicuL2oGlka5kiMOgKpEQ6ehGDyrTrPt1fKmTvk92J1JBE1vBN-2Z-6ufK6cjUvSVQQScfh2mJ_r0f_9_QXOkm57e5xwjSHdAu8.679kdC7wStAQpoy2Ow_eDg',
options: [Object]
}
]
}
[next-auth][error][OAUTH_CALLBACK_ERROR]
https://next-auth.js.org/errors#oauth_callback_error expected 200 OK, got: 500 Internal Server Error {
error: {
message: 'expected 200 OK, got: 500 Internal Server Error',
stack: 'OPError: expected 200 OK, got: 500 Internal Server Error\n' +
' at processResponse (F:\\websites\\projects\\destiny-watch\\node_modules\\openid-client\\lib\\helpers\\process_response.js:41:11)\n' +
' at Client.userinfo (F:\\websites\\projects\\destiny-watch\\node_modules\\openid-client\\lib\\client.js:1257:18)\n' +
' at processTicksAndRejections (node:internal/process/task_queues:96:5)\n' +
' at async oAuthCallback (F:\\websites\\projects\\destiny-watch\\node_modules\\next-auth\\core\\lib\\oauth\\callback.js:134:17)\n' +
' at async Object.callback (F:\\websites\\projects\\destiny-watch\\node_modules\\next-auth\\core\\routes\\callback.js:50:11)\n' +
' at async NextAuthHandler (F:\\websites\\projects\\destiny-watch\\node_modules\\next-auth\\core\\index.js:139:28)\n' +
' at async NextAuthNextHandler (F:\\websites\\projects\\destiny-watch\\node_modules\\next-auth\\next\\index.js:21:19)\n' +
' at async F:\\websites\\projects\\destiny-watch\\node_modules\\next-auth\\next\\index.js:57:32\n' +
' at async Object.apiResolver (F:\\websites\\projects\\destiny-watch\\node_modules\\next\\dist\\server\\api-utils\\node.js:185:9)\n' +
' at async DevServer.runApi (F:\\websites\\projects\\destiny-watch\\node_modules\\next\\dist\\server\\next-server.js:395:9)',
name: 'OPError'
},
providerId: 'bungie2',
message: 'expected 200 OK, got: 500 Internal Server Error'
}
The repo is located at https://github.com/royanger/destiny-item-watch
Contributing 🙌🏽
Yes, I am willing to help answer this question in a PR
I am having this same issue.
Hi, thanks for reporting the issue 🔎
For now, you could override the userinfo option to replace {membershipId} with the actual user ID as a temporary solution.
This is because the userinfo URL contains a dummy path for {membershipId}. See https://github.com/nextauthjs/next-auth/blob/8853000fd524b074f82ad38c57671fe1f640172f/packages/next-auth/src/providers/bungie.js#L9-L10. We should definitely restore the logic to replace {membershipId} with the actual user ID in the provider. PRs welcome!
Hey All, I've run into this issue and think I've narrowed it down to an authorization issue. When the userinfo url is used, it seems like there is no x-api-key header which is necessary for any HTTP requests made to the Bungie Net API. Happy to attempt to fix this but unsure where the userinfo is executed.
Also, just to note that I couldn't seem to find the endpoint /User/GetBungieAccount/{membershipId}/254/ in the Bungie-Net API references, so not too sure whether it's deprecated or there's a better alternative (just to chuck this out there).
I ended up getting Bungie working for Passport and Remix-auth. I didn't revisit this yet, as I haven't needed to (I'm building with Vite+React and Passport). That said, there is a separate URL to that you can use for OAuth tools like this to get the membership info -> https://www.bungie.net/Platform/User/GetMembershipsForCurrentUser/ As you can see you don't need a membershipID or anything.
> That said, there is a separate URL to that you can use for OAuth tools like this to get the membership info -> https://www.bungie.net/Platform/User/GetMembershipsForCurrentUser/ As you can see you don't need a membershipID or anything.

I saw the same endpoint and thought the same thing but unfortunately it didn't work and gave the same error as before. Took @ThangHuuVu's advice and tried /User/GetBungieAccount/1/254/ which fails in NextAuth but works from a quick curl test with the x-api-key header. This is why I'm thinking that it's the api key header not being added and only being used for the OAuth (which is where we've added it).
Apologies, I should have been more clear. Yes, you will need the x-api-key, as you will need it later for hitting non-auth endpoints and getting data. I meant that as a 'here's an endpoint that returns the authed user's info without needing to get the membership id and build that default endpoint URL'. I used the latter one with passport as it was a simple workaround to their default behaviour.
Ah I get you now, I'd definitely use that as the default userinfo URL. Using that URL, even though it requires OAuth login, still requires the x-api-key header.
When I get a chance, the next step is to ensure that header is used in the userinfo request.
Something I just recalled, and I'm not sure if you saw in the API docs as it's barely mentioned, is that you need to be running https even locally for dev. You can't auth with Bungie from http://localhost.
Yeah, running as HTTPS through what it says on the docs, otherwise the redirect wouldn't work to get the error we've run into. Annoyingly still haven't had a chance to investigate my theory.
It looks like this issue did not receive any activity for 60 days. It will be closed in 7 days if no further activity occurs. If you think your issue is still relevant, commenting will keep it open. Thanks!
To keep things tidy, we are closing this issue for now. If you think your issue is still relevant, leave a comment and we might reopen it. Thanks!
> Yeah, running as HTTPS through what it says on the docs, otherwise the redirect wouldn't work to get the error we've run into. Annoyingly still haven't had a chance to investigate my theory.

Theory checks out I think.
Looks like openid-client isn't receiving any custom headers from NEXTAUTH. Hard coding the API-Key Header in the userinfo() options.headers['X-API-KEY'] =PROCESS.ENV.BUNGIE-API-KEY here solves the issue for me in dev. Hard to locate how to send it to OPENID in NEXTAuth. Need to keep looking.
Defining the API key with the httpOptions field in the BungieProvider solves this problem. This is missing from the documentation.
EDIT: This, along with https://github.com/nextauthjs/next-auth/issues/4710#issuecomment-1184288635 solves the issue for me
> Defining the API key with the httpOptions field in the BungieProvider solves this problem. This is missing from the documentation.

Are you seeing this resolve all the 500 issues on your end? I am running into the same problems. I adjusted the authorization to get around the scopes issue mentioned at the top, am running https, and am adding the api key to the headers:
BungieProvider({
  clientId: env.BUNGIE_CLIENT_ID,
  clientSecret: env.BUNGIE_CLIENT_SECRET,
  authorization: {
    url: "https://www.bungie.net/en/OAuth/Authorize?reauth=true",
    params: {
      scope: "",
    },
  },
  httpOptions: {
    headers: {
      "X-API-Key": env.BUNGIE_API_KEY,
    },
  },
}),
But I'm still experiencing the same error:
https://next-auth.js.org/errors#oauth_callback_error expected 200 OK, got: 500 Internal Server Error
> > Defining the API key with the httpOptions field in the BungieProvider solves this problem. This is missing from the documentation.
>
> Are you seeing this resolve all the 500 issues on your end? I am running into the same problems. I adjusted the authorization to get around the scopes issue mentioned at the top, am running https, and am adding the api key to the headers:
>
> BungieProvider({
>   clientId: env.BUNGIE_CLIENT_ID,
>   clientSecret: env.BUNGIE_CLIENT_SECRET,
>   authorization: {
>     url: "https://www.bungie.net/en/OAuth/Authorize?reauth=true",
>     params: {
>       scope: "",
>     },
>   },
>   httpOptions: {
>     headers: {
>       "X-API-Key": env.BUNGIE_API_KEY,
>     },
>   },
> }),
>
> But I'm still experiencing the same error:
> https://next-auth.js.org/errors#oauth_callback_error expected 200 OK, got: 500 Internal Server Error

This fix https://github.com/nextauthjs/next-auth/issues/4710#issuecomment-1184288635 should also be made. Forgot to clarify. Did you make that change as well? Sorry for not stating that as well.
I didn't see how to get the membershipId into the userinfo.url property so I ended up using the https://www.bungie.net/Platform/User/GetMembershipsForCurrentUser/ URL mentioned above instead.
My current BungieProvider looks like this now and seems to work:
BungieProvider({
  clientId: env.BUNGIE_CLIENT_ID,
  clientSecret: env.BUNGIE_CLIENT_SECRET,
  authorization: {
    url: "https://www.bungie.net/en/OAuth/Authorize?reauth=true",
    params: {
      scope: "",
    },
  },
  userinfo: {
    url: "https://www.bungie.net/Platform/User/GetMembershipsForCurrentUser/",
  },
  httpOptions: {
    headers: {
      "X-API-Key": env.BUNGIE_API_KEY,
    },
  },
}),
Everything else seems to be working for me now after making these updates, but if using the original userinfo URL and dynamically replacing the membershipId is more "correct", I'd like to get that changed.
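
The two fixes discussed in this thread (filling in {membershipId} and sending X-API-Key on the userinfo request), as an added example that is not part of any comment above and is not next-auth's or Bungie's code. The function names, the stub and the sample values are hypothetical; reading the user id from a `membership_id` field of the token response is an assumption, and the full template URL is composed from the host and path quoted in the thread.

```javascript
// Added example: builds the userinfo request with both fixes from the thread.
// Template composed from the host and path quoted in the thread (assumption).
const USERINFO_TEMPLATE =
  "https://www.bungie.net/Platform/User/GetBungieAccount/{membershipId}/254/";

function buildUserinfoRequest(tokens, apiKey, template = USERINFO_TEMPLATE) {
  if (!apiKey) throw new Error("Bungie API key is not configured");
  if (!tokens || !tokens.access_token) throw new Error("missing access token");
  let url = template;
  if (template.includes("{membershipId}")) {
    // Assumption: the token response carries the user's id as `membership_id`.
    const id = String(tokens.membership_id ?? "");
    // Accept digits only, so a malformed value can never alter the request path.
    if (!/^\d+$/.test(id)) throw new Error("membership_id missing or not numeric");
    url = template.replace("{membershipId}", id);
  }
  return {
    url,
    headers: {
      Authorization: `Bearer ${tokens.access_token}`,
      "X-API-Key": apiKey, // read from the environment by the caller, never hard-coded
    },
  };
}

// Constructed stand-in for the API. It models only what the thread reports:
// a 500 for the leftover placeholder or for a missing X-API-Key header.
function stubBungieStatus(request) {
  if (request.url.includes("{membershipId}")) return 500;
  if (!request.headers["X-API-Key"]) return 500;
  return 200;
}

// Constructed sample values.
const sampleTokens = { access_token: "constructed-token", membership_id: "1234567" };
const asShipped = {
  url: USERINFO_TEMPLATE,
  headers: { Authorization: "Bearer constructed-token" },
};
const fixed = buildUserinfoRequest(sampleTokens, "constructed-api-key");
console.log(stubBungieStatus(asShipped), stubBungieStatus(fixed));
```

A template without the placeholder, such as the GetMembershipsForCurrentUser URL used in the last configuration above, passes through unchanged and still gets both headers.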