Help with custom OpenID Identity Provider - Implicit flow - Error when recieving JWT Bearer token

[MadsGosvig]

Your question

I have problems creating a custom provider that uses the implicit flow and OpenID.

What are you trying to do

Connect to a custom OpenID provider, and handle the JWT token it gives back.
The issues that I'm seeing is:

• state not returned from IdP when configuration is "just right"
• OAuth error on callback and JWT not read

Reproduction

For now I have the following configuration:

const options: InitOptions = {
  providers: [
    {
      id: [removed],
      name: [removed],
      type: "oauth",
      version: "2.0",
      accessTokenUrl: "https://[removed]/runtime/oauth2/token.idp",
      authorizationUrl: "https://[removed]/runtime/oauth2/authorize.idp?response_type=token id_token&nonce=ff447cbc7845432b941ab5a5bc86e4b5",
      clientId: "dhp-external-tester-localhost",
      scope: "openid agora",
      params: { grant_type: "implicit" },
      profile: (profile: any) => {
        console.log(profile);
        return {
          id: profile.sub,
          name: profile.name,
          email: profile.email,
        };
      },
    },
  ],
  secret: "12345dawkdawdwah", // TODO: fix this
  session: {
    jwt: true,
  },
  debug: false,
};

My first issue was that the Identity Provider gave an error stating I needed the response_type & nonce in the URL, so I added that.
Next I get an error with state not being compared correctly:

[next-auth][debug][oauth_callback_protection] Comparing received and expected state {
  state: undefined,
  expectedState: '54bf64b52ad2b681c49ba286917cb28d64fc6374aee1af65dfcc28afc039c4f4'
}

Now - This works if I remove the parameters from the authorizationUrl but then the Identiy Provider complains...
So I can obviously just set protection to none but that also feels like a cheat.

Does anyone know why this could be happening? - I have compared with some of the other Providers, and they have something similar to my authorizationUrl

But If I do that, to move forward I do indeed get the correct response from my Identity Provider, but next-auth doesn't handle it very well.

I end up on the following callback:
http://localhost:3000/api/auth/callback/[removed]#token_type=Bearer&access_token=eyJhbG.............&expires_in=3600&id_token=eyJhbGciOiJ...........&scope=agora%20openid&session_state=jh0KecWDjkaV1F9N%2BoseQVcU5jPbJ9F0xGgun61rxY0%3D.T0WILYQ%3D
But I recieve the following error from next-auth:

https://next-auth.js.org/errors#oauth_callback_error {
  statusCode: 400,
  data: `{"error":"unsupported_grant_type","error_description":"Invalid setting: grant type 'implicit' is not support yet, please check the appropriate settings again."}`
}

And I'm redirected twice to
http://localhost:3000/api/auth/error?error=Callback
http://localhost:3000/api/auth/signin?error=Callback

Can anyone spot any missing parts in my setup?

Feedback
Documentation refers to searching through online documentation, code comments and issue history. The example project refers to next-auth-example.

• [ X ] Found the documentation helpful
• Found documentation but was incomplete
• Could not find relevant documentation
• Found the example project helpful
• Did not find the example project helpful

[balazsorban44]

It is not recommended to use the implicit flow (and some servers prohibit this flow entirely) due to the inherent risks of returning access tokens in an HTTP redirect without any confirmation that it has been received by the client.

https://oauth.net/2/grant-types/implicit/#:~:text=The%20Implicit%20flow%20was%20a,extra%20authorization%20code%20exchange%20step.

So I would start with checking my possibilities and see if I could use authorization code with PKCE

[MadsGosvig]

I know that it is no longer recommended, but that doesn't change my question.

Is the reason why it isn't working because next-auth doesn't support it?
And is there any way to get it to work?

I'm also trying to pin point which system is giving me the following error:

https://next-auth.js.org/errors#oauth_callback_error {
  statusCode: 400,
  data: `{"error":"unsupported_grant_type","error_description":"Invalid setting: grant type 'implicit' is not support yet, please check the appropriate settings again."}`
}

I would assume it's next-auth but I haven't been able to find that error message in this repository.
Can you help me identify where this error is originating?