fix: strip code_verifier from request body when the provider doesn't support PKCE (#10765)

* fix: strip `code_verifier` when provider does not support it

* drop `PKCE` check for LinkedIn

* add LinkedIn to dev app

* drop session callback from dev app

* drop default profile

* fix: nextjs dev app fallback avatar URL

---------

Co-authored-by: ndom91 <[email protected]>

Author: balazsorban44

apps/dev/nextjs/auth.config.ts

@@ -5,6 +5,7 @@ import Google from "next-auth/providers/google"
 import Facebook from "next-auth/providers/facebook"
 import Twitter from "next-auth/providers/twitter"
 import Keycloak from "next-auth/providers/keycloak"
+import LinkedIn from "next-auth/providers/linkedin"
 
 declare module "next-auth" {
   /**
@@ -41,20 +42,13 @@ export default {
     Keycloak,
     Facebook,
     Twitter,
+    LinkedIn,
   ].filter(Boolean) as NextAuthConfig["providers"],
   callbacks: {
     jwt({ token, trigger, session }) {
       if (trigger === "update") token.name = session.user.name
       return token
     },
-    async session({ session, token }) {
-      return {
-        ...session,
-        user: {
-          ...token,
-        },
-      }
-    },
   },
   basePath: "/auth",
 } satisfies NextAuthConfig

apps/dev/nextjs/components/header.tsx

@@ -16,7 +16,8 @@ export function Header({
       <div className={styles.signedInStatus}>
         <img
           src={
-            session?.user?.image ?? "https://source.boringavatars.com/beam/120"
+            session?.user?.image ??
+            "https://source.boringavatars.com/marble/120"
           }
           className={styles.avatar}
         />

packages/core/src/lib/actions/callback/oauth/callback.ts

@@ -109,7 +109,18 @@ export async function handleOAuth(
     client,
     codeGrantParams,
     redirect_uri,
-    codeVerifier ?? "auth" // TODO: review fallback code verifier
+    codeVerifier ?? "auth", // TODO: review fallback code verifier,
+    {
+      [o.experimental_customFetch]: (...args) => {
+        if (
+          !provider.checks.includes("pkce") &&
+          args[1]?.body instanceof URLSearchParams
+        ) {
+          args[1].body.delete("code_verifier")
+        }
+        return fetch(...args)
+      },
+    }
   )
 
   if (provider.token?.conform) {

packages/core/src/providers/linkedin.ts

@@ -79,15 +79,8 @@ export default function LinkedIn<P extends LinkedInProfile>(
     type: "oidc",
     client: { token_endpoint_auth_method: "client_secret_post" },
     issuer: "https://www.linkedin.com/oauth",
-    async profile(profile) {
-      return {
-        id: profile.sub,
-        name: profile.name,
-        email: profile.email,
-        image: profile.picture,
-      }
-    },
     style: { bg: "#069", text: "#fff" },
+    checks: ["state"],
     options,
   }
 }