How to set up email passwordless authentication using gmail with OAuth2

[MarkWeberMaths]

I am trying to set up email passwordless authentication, where the email account which sends out all mails on behalf of my app is a gmail account for which OAuth2 authentication has been set up. So I have generated a client id and client secret for my app, and refresh and access tokens for the gmail api, over at the google developer console, as you would if using nodemailer. I understand how to regenerate access tokens if I need to (again, as when using nodemailer).

How do I enter these credentials in the set up for the email provider in the nextauth API? I would've thought that you'd supply them as fields of the argument to Providers.Email (in [...nextauth].ts), but the type definition of 'EmailConfig' (given in providers.d.ts) doesn't appear to allow for such fields.

[AydinChavez]

I think you need to distinguish two different use-cases:

• authentication via Google => Providers.Google
• authentication via email => Providers.Email

For the first, you'd need the client-id, secret etc since next-auth uses the user related data from google for authentication purpose based on Oauth2 (or openid connect, am not sure).

For the second, you don't need those. You only need a mail server handling sending of mails. It is irrelevant, if the mailserver is a gmail related one, or a self-hosted smtp server.

[MarkWeberMaths]

Thanks for your reply.

I do distinguish these use cases, and did notice that with auth via google, you do have the opportunity to provide the google oauth 2 credentials.

I tried setting up email passwordless login without gmail's oauth2 credentials. When I tested, it worked fine as long as I was testing from my development machine. However when I tried logging in from my phone or tablet (so I guess this would be a non-local login from the POV of my app) I got a 'connection refused' error. I guessed that this was google not allowing access to my gmail in these cases. The next auth email login uses nodemailer under the hood, the nodemailer documentation advocates using oauth2 with gmail accounts, and nodemailer's api caters to the inclusion of google oauth2 credentials when using its 'createTransport' or 'sendMail' methods. This is why it seemed natural to me to look for how to include these with nextauth's email config.

This leaves me with the questions:

1. Why the 'connection refused' error I described above? Could there be some other reason for this, not related to gmail's authentication scheme?
2. Is using gmail without oauth2 in the way you're suggesting secure enough for production (despite what's written about this in the nodemailer docs)?

[AydinChavez]

Thanks for clarification.
For the first question, from my experience "connection refused" is something related to socket connections (network layer), meaning it looks like the configured mail server is not running at all (typo in ip + port maybe?). It is not (or not really) used afaik for functional errors like authentication related ones.

[MarkWeberMaths]

You're right. The connection refused issue was a network problem -- using an IP address instead of localhost, especially with the NEXTAUTH_URL environment variable, solved that, so I could test successfully on my mobile devices. Thanks for your help. I'm still interested in learning more regarding my Qn 2 above though, if you or anyone else has anything further to say about that. Thanks again!