Accessing provider credentials using database sessions

[nicksemansonos]

Hi folks! I am using Okta as a provider, and I need the access token it returns to call their REST API in my server-side API routes. I'm using database sessions to persist user sessions in MongoDB. I can see by inspecting the database that the access token for the provider is stored in the accounts collection.

I've been scouring the documentation, Google, and this discussion board for the answer to this question, so hopefully I'm not just missing something. What is the expected and "correct" way to access the information from the accounts collection? I have a few ideas but they all seem "hacky" or incorrect to me.

Persist the data from login using the jwt and session callbacks.

I can get this working, but it doesn't really apply to database sessions and I'd rather not use JWTs just for this functionality.

Call the database manually using the mongodb driver on the API route

The way I have this working is using the accessToken that I can retrieve from getSession(), and then finding an active session in the database. This active session will have the userId which I can then query the accounts collection with to find the user's account, and thus the information associated with it like the accessToken for Okta. This works, but seems like I'm missing the point of the accessToken in the session, or adding a redundant step because it takes two queries.

Add the account's accessToken in the session callback

The session callback returns the user object for database sessions, so I can use user.id with the mongodb driver to query against the user's accounts and get the Okta token that way and store it in the session object, kind of like the method above. This is the easiest to use, because that token is now accessible to the getSession() call. However, the Okta token is only going to be used on API routes on my app, so it doesn't need to be stored in the session which is going to be accessed client-side (unless I'm thinking of a session in the wrong way.) Shouldn't a session just contain the necessary minimum to display user info like name and email?

I hope my explanations are clear, I'm really just looking for some advice on which one of these approaches is considered most secure and proper for next-auth. I may also be missing another way to access this information that I just haven't been able to find. Thank you for your help in advance!

[balazsorban44]

So according to our FAQ, if you don't persist the access token in the session then you have to look it up from the database yourself. I assume this is because in serverless environments, the cookie is really the only way to persist data without accessing a database.

https://next-auth.js.org/faq#how-do-i-get-refresh-tokens-and-access-tokens-for-an-oauth-account

Hope this helps.

[giuseppeg]

hi @balazsorban44 related to this question what would be the safest way to retrieve a user for the current session in an API route? (using a database) What should be stored in the session (using the session callback) and how to get the user using the session info? I am using Prisma so for simplicity we can use that schema to discuss about this.