Access to provider error messages on next-auth side?

[ptorkko]

We are using auth0 with azure ad to log users in to internal applications.

On the azure ad and auth0 side some things like AD group memberships required for authentication are checked.

If an user lacks some authorization to even login, the errors on next-auth side become completely pointless, and it seems the only useful logs from the authentication transaction with auth0 would be to have the network logs from the users client to auth0, e.g.:

Azure ad redirects back to auth0:
?error=interaction_required&error_description=The signed in user {EmailHidden} is not assigned to a role for the application

Auth0 redirects back to the next-auth app:
/api/auth/callback/auth0?error=access_denied&error_description=The signed in user {EmailHidden} is not assigned to a role for the application&state=xyz

Next-auth callback redirects to error page:
?error=Callback

Looking at the logs of the server, it has:

[next-auth][error][oauth_get_access_token_error] 
https://next-auth.js.org/errors#oauth_get_access_token_error { statusCode: 400,
  data:
   '{"error":"invalid_request","error_description":"Missing required parameter: code"}' }
[next-auth][error][oauth_callback_error] 
https://next-auth.js.org/errors#oauth_callback_error { statusCode: 400,
  data:
   '{"error":"invalid_request","error_description":"Missing required parameter: code"}' }

So is next-auth not realizing this is an error and still tries to fetch an access token which ends up masking the actual error, that would be useful to show to the user? errorand error_description seem to be part of the standard, but with a quick glance, didn't seem to be a part of the source for the callback handler.

Is there something to be done in the app to properly provide the original errors as the error param on the error page?

[ptorkko]

So I did some more digging since this has been quiet:

In server/routes/callback.js, the code calls server/lib/oauth/callback.js#oAuthCallback(req) if the request is for an oauth type provider.

oAuthCallback(req) first checks if the oauth version is 2.x, and then has a conditional error checking block where the condition is

if (req.method === "POST")

which will never be true for oauth2? So errors are never checked and you end up with a callback error when the callback code tries to fetch an access token.

So I guess this is a bug?

[balazsorban44]

So before I read your comment, I went to the source code to link to this section in it:

next-auth/src/server/lib/oauth/callback.js

Lines 14 to 21 in b95182d

	let { code, user } = req.query // eslint-disable-line camelcase
	if (req.method === "POST") {
	try {
	const body = JSON.parse(JSON.stringify(req.body))
	if (body.error) {
	throw new Error(body.error)
	}

Which is exactly what you are describing! We don't seem to handle errors that are from GET requests (so in the query params). This could be handled properly, I can have a look!

Here, I created an issue for it: #1819

[ptorkko]

tried a trivial implementation locally:

    if (req.method === "GET") {
      const {error, error_description} = req.query.error;
      if (error){
        logger.error("OAUTH_ERROR", error, error_description);
        if (error_description) {
          throw new Error(`${error}: ${error_description}`);
        }
        throw new Error(error);
      }
    }

But having a hard time getting a nextjs project to work using master next-auth via npm link, so I guess i'll just wait for a fix.