V4: How to dynamically set redirect_uri for token endpoint in multi-tenant setup with a custom base path?

[MaroIT]

Hi everyone,

I'm implementing a multi-tenant application using [email protected] with a "realm-per-subdomain" strategy. My setup has two specific requirements:

Multi-tenancy: The authentication provider (Keycloak) issuer is determined dynamically based on the request's subdomain (e.g., tenant1.localhost, tenant2.localhost).

Custom Base Path: The NextAuth API handler is located at /web-auth/api/auth instead of the default /api/auth, because /api is used by our internal backend.

I've managed to correctly generate the redirect_uri for the initial authorization request by dynamically building it and passing it into the provider's authorization.params. The redirect to my identity provider works perfectly.

However, the process fails during the server-to-server code-for-token exchange. The logs from my identity provider (Keycloak) confirm that this second request is sent with an incorrect redirect_uri (it defaults to http://tenant1.localhost/api/auth instead of http://tenant1.localhost/web-auth/api/auth), which results in an invalid_grant (Incorrect redirect_uri) error.

My attempt to solve this by injecting redirect_uri into both authorization.params and token.params in the dynamic getAuthOptions function does not work for the token exchange step.

Here is the code I tried:

// This function builds the full, dynamic options object for each request
async function getAuthOptions(req) {
    const host = req.headers["x-forwarded-host"] || req.headers.host;
    const protocol = req.headers["x-forwarded-proto"] || 'http';
    const dynamicRedirectUri = `${protocol}://${host}/web-auth/api/auth/callback/keycloak`;

    const realm = getRealmFromRequest(req) || process.env.KEYCLOAK_DEFAULT_REALM;
    const credentials = await getDynamicCredentials(realm);
    const browserIssuer = getIssuer(process.env.KEYCLOAK_ISSUER_BROWSER, realm);
    const internalIssuer = getIssuer(process.env.KEYCLOAK_ISSUER_INTERNAL, realm);

    return {
        providers: [
            {
                id: "keycloak",
                // ... other provider config
                issuer: browserIssuer,
                authorization: {
                    url: `${browserIssuer}/protocol/openid-connect/auth`,
                    params: { 
                        scope: "...",
                        // This part works for the initial redirect
                        redirect_uri: dynamicRedirectUri,
                    },
                },
                token: {
                    url: `${internalIssuer}/protocol/openid-connect/token`,
                    // This part seems to be ignored by next-auth's internal logic
                    params: {
                        redirect_uri: dynamicRedirectUri,
                    },
                },
                clientId: credentials.clientId,
                clientSecret: credentials.clientSecret,
                // ...
            },
        ],
        // ... other options
    };
}

My core question is:

In [email protected], is there a supported, request-scoped way to override the redirect_uri used in the server-side token grant request, without resorting to globally modifying process.env.NEXTAUTH_URL at runtime?

It seems that the internal logic for the token grant ignores the token.params.redirect_uri and falls back to a faulty host detection mechanism, which is problematic in a containerized development environment.

Thank you for your help!