feat(core): re-introduce idToken: boolean (#11161)

* feat(core): support JWT signed userinfo endpoint response

* chore(deps): bump `oauth4webapi`

* use `idToken: boolean` instead

* docs: mention `idToken` changed behavior

* move helpers

Author: balazsorban44

docs/pages/getting-started/migrating-to-v5.mdx

@@ -43,6 +43,7 @@ npm install next-auth@beta
 - The minimum required Next.js version is now [14.0](https://nextjs.org/14).
 - The import `next-auth/next` is replaced. See [Authenticating server-side](#authenticating-server-side) for more details.
 - The import `next-auth/middleware` is replaced. See [Authenticating server-side](#authenticating-server-side) for more details.
+- When the `idToken: boolean` option is set to `false`, it won't entirely disable the ID token. Instead, it signals `next-auth` to also visit the `userinfo_endpoint` for the final user data. Previously, `idToken: false` opted out to check the `id_token` validity at all.
 
 ## Migration
 

packages/core/package.json

@@ -66,7 +66,7 @@
     "@types/cookie": "0.6.0",
     "cookie": "0.6.0",
     "jose": "^5.1.3",
-    "oauth4webapi": "^2.9.0",
+    "oauth4webapi": "^2.10.4",
     "preact": "10.11.3",
     "preact-render-to-string": "5.2.3"
   },

packages/core/src/lib/actions/callback/oauth/callback.ts

@@ -14,8 +14,9 @@ import type {
   TokenSet,
   User,
 } from "../../../../types.js"
-import type { OAuthConfigInternal } from "../../../../providers/index.js"
+import { type OAuthConfigInternal } from "../../../../providers/index.js"
 import type { Cookie } from "../../../utils/cookie.js"
+import { isOIDCProvider } from "../../../utils/providers.js"
 
 /**
  * Handles the following OAuth steps.
@@ -140,30 +141,49 @@ export async function handleOAuth(
   let profile: Profile = {}
   let tokens: TokenSet & Pick<Account, "expires_at">
 
-  if (provider.type === "oidc") {
+  if (isOIDCProvider(provider)) {
     const nonce = await checks.nonce.use(cookies, resCookies, options)
-    const result = await o.processAuthorizationCodeOpenIDResponse(
-      as,
-      client,
-      codeGrantResponse,
-      nonce ?? o.expectNoNonce
-    )
+    const processedCodeResponse =
+      await o.processAuthorizationCodeOpenIDResponse(
+        as,
+        client,
+        codeGrantResponse,
+        nonce ?? o.expectNoNonce
+      )
 
-    if (o.isOAuth2Error(result)) {
-      console.log("error", result)
+    if (o.isOAuth2Error(processedCodeResponse)) {
+      console.log("error", processedCodeResponse)
       throw new Error("TODO: Handle OIDC response body error")
     }
 
-    profile = o.getValidatedIdTokenClaims(result)
-    tokens = result
+    const idTokenClaims = o.getValidatedIdTokenClaims(processedCodeResponse)
+    profile = idTokenClaims
+
+    if (provider.idToken === false) {
+      const userinfoResponse = await o.userInfoRequest(
+        as,
+        client,
+        processedCodeResponse.access_token
+      )
+
+      profile = await o.processUserInfoResponse(
+        as,
+        client,
+        idTokenClaims.sub,
+        userinfoResponse
+      )
+    }
+    tokens = processedCodeResponse
   } else {
-    tokens = await o.processAuthorizationCodeOAuth2Response(
-      as,
-      client,
-      codeGrantResponse
-    )
-    if (o.isOAuth2Error(tokens as any)) {
-      console.log("error", tokens)
+    const processedCodeResponse =
+      await o.processAuthorizationCodeOAuth2Response(
+        as,
+        client,
+        codeGrantResponse
+      )
+    tokens = processedCodeResponse
+    if (o.isOAuth2Error(processedCodeResponse)) {
+      console.log("error", processedCodeResponse)
       throw new Error("TODO: Handle OAuth 2.0 response body error")
     }
 
@@ -174,7 +194,7 @@ export async function handleOAuth(
       const userinfoResponse = await o.userInfoRequest(
         as,
         client,
-        (tokens as any).access_token
+        processedCodeResponse.access_token
       )
       profile = await userinfoResponse.json()
     } else {

packages/core/src/lib/utils/providers.ts

@@ -153,3 +153,22 @@ function normalizeEndpoint(
   }
   return { url, request: e?.request, conform: e?.conform }
 }
+
+export function isOIDCProvider(
+  provider: InternalProvider<"oidc" | "oauth">
+): provider is InternalProvider<"oidc"> {
+  return provider.type === "oidc"
+}
+
+export function isOAuth2Provider(
+  provider: InternalProvider<"oidc" | "oauth">
+): provider is InternalProvider<"oauth"> {
+  return provider.type === "oauth"
+}
+
+/** Either OAuth 2 or OIDC */
+export function isOAuthProvider(
+  provider: InternalProvider<any>
+): provider is InternalProvider<"oauth" | "oidc"> {
+  return provider.type === "oauth" || provider.type === "oidc"
+}

packages/core/src/providers/index.ts

@@ -1,4 +1,4 @@
-import { Profile } from "../types.js"
+import type { Profile } from "../types.js"
 import CredentialsProvider from "./credentials.js"
 import type {
   CredentialsConfig,
@@ -12,7 +12,7 @@ import type {
   OAuthProviderType,
   OIDCConfig,
 } from "./oauth.js"
-import { WebAuthnConfig, WebAuthnProviderType } from "./webauthn.js"
+import type { WebAuthnConfig, WebAuthnProviderType } from "./webauthn.js"
 
 export * from "./credentials.js"
 export * from "./email.js"

packages/core/src/providers/oauth.ts

@@ -239,6 +239,11 @@ export interface OIDCConfig<Profile>
   extends Omit<OAuth2Config<Profile>, "type" | "checks"> {
   type: "oidc"
   checks?: Array<NonNullable<OAuth2Config<Profile>["checks"]>[number] | "nonce">
+  /**
+   * If set to `false`, the `userinfo_endpoint` will be fetched for the user data.
+   * @note An `id_token` is still required to be returned during the authorization flow.
+   */
+  idToken?: boolean
 }
 
 export type OAuthConfig<Profile> = OIDCConfig<Profile> | OAuth2Config<Profile>
@@ -281,6 +286,7 @@ export type OAuthConfigInternal<Profile> = Omit<
 
 export type OIDCConfigInternal<Profile> = OAuthConfigInternal<Profile> & {
   checks: OIDCConfig<Profile>["checks"]
+  idToken: OIDCConfig<Profile>["idToken"]
 }
 
 export type OAuthUserConfig<Profile> = Omit<