
OAuth: should a `client_id` be sent to the token endpoint?

ksnll opened this issue 3 years ago

Question 💬

I'm implementing an OAuth provider, for the website lichess.org. This provider requires a client_id to be sent in the token endpoint request body. The authentication fails, as it looks like nextauth doesn't send client_id automatically for the token endpoint.

From a quick read of the OAuth RFC, it looks like client_id should be pretty standard for the token endpoint: https://www.rfc-editor.org/rfc/rfc6749#section-3.2.1, in particular:

In the "authorization_code" "grant_type" request to the token endpoint, an unauthenticated client MUST send its "client_id" to prevent itself from inadvertently accepting a code intended for a client with a different "client_id".

It looks like the underlying library for OAuth used by nextauth doesn't automatically send the client_id, but it supports sending arbitrary parameters from the callback, called exchangeBody, that could be implemented when calling the callback from nextauth.

So I'm wondering, first of all, how is it possible that other OAuth providers are working, as it looks like the client_id should be a pretty commonly required parameter. So the question is if I'm missing something obvious. Second of all, in case the above investigation is correct, should the parameter be added through the exchangeBody parameter from nextauth, or should the underlying library (node-openid-client) be fixed instead?

How to reproduce ☕️

import NextAuth from "next-auth";

const lichessHost = "https://lichess.org";
const scope = "email:read";

export default NextAuth({
  debug: true,
  providers: [
    {
      id: "lichess",
      name: "Lichess",
      type: "oauth",
      clientId: "client-id-test",
      clientSecret: "secret",
      authorization: {
        url: `${lichessHost}/oauth`,
        params: { scope },
      },
      token: `${lichessHost}/api/token`,
      userinfo: `${lichessHost}/api/account`,
      checks: ["pkce", "state"],
      profile(profile) {
        return {
          id: profile.id,
          username: profile.username,
        };
      },
    },
  ],
});

Contributing 🙌🏽

Yes, I am willing to help answer this question in a PR

ksnll, Aug 09 '22 19:08

Please check the docs https://next-auth.js.org/configuration/providers/oauth#client-option

specifically token_endpoint_auth_method

https://github.com/panva/node-openid-client/blob/main/docs/README.md#client-authentication-methods

balazsorban44, Aug 10 '22 22:08
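To make the answer concrete, here is an added example (not next-auth or openid-client code) that builds the token-endpoint request for each value of `token_endpoint_auth_method` and shows why the default `client_secret_basic` leaves no `client_id` in the body while `client_secret_post` puts it there. The request shape `{ url, method, headers, body }`, the sample code/verifier values and the redirect URI are assumptions for illustration; the corresponding next-auth change is the `client: { token_endpoint_auth_method: "client_secret_post" }` option the answer links to.

```javascript
// Added example, not from next-auth or openid-client.
// Shows how the authorization_code token request differs per client
// authentication method. With "client_secret_basic" (openid-client's
// default) the credentials ride in the Authorization header, so a server
// that requires client_id in the form body (as lichess does) rejects it.
function buildTokenRequest({ tokenUrl, clientId, clientSecret, code,
                             redirectUri, codeVerifier, authMethod }) {
  const params = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    code_verifier: codeVerifier, // PKCE, matches checks: ["pkce"]
  });
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };

  switch (authMethod) {
    case "client_secret_basic":
      // RFC 6749 §2.3.1: HTTP Basic with form-encoded id and secret.
      headers.Authorization = "Basic " + Buffer.from(
        `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`
      ).toString("base64");
      break;
    case "client_secret_post":
      // Credentials in the body; client_id is now present there.
      params.set("client_id", clientId);
      params.set("client_secret", clientSecret);
      break;
    case "none":
      // Public client: no secret, but RFC 6749 §3.2.1 still needs client_id.
      params.set("client_id", clientId);
      break;
    default:
      throw new Error(`unsupported token_endpoint_auth_method: ${authMethod}`);
  }
  return { url: tokenUrl, method: "POST", headers, body: params.toString() };
}

// Helper used to check what a given method actually sends in the body.
function bodyHasClientId(request) {
  return new URLSearchParams(request.body).has("client_id");
}
```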

thank you 🙏

ksnll, Aug 11 '22 05:08