How to implement Okta implicit-grant flow with Next Auth

[bramvanhoutte]

Question 💬

Next auth supports configuring your grant types for the Okta provider. I have configure my program to work like this:

Providers.Okta({
    domain: process.env.OKTA_DOMAIN,
    clientId: process.env.OKTA_CLIENT_ID,
    clientSecret: process.env.OKTA_CLIENT_SECRET,
    scope: 'openid profile email groups',
    params: {
      grant_type: 'implicit',
    },
 })

When I sign in, I get the following error from next-auth:

[next-auth][error][oauth_get_access_token_error] 
https://next-auth.js.org/errors#oauth_get_access_token_error {
  statusCode: 400,
  data: '{"error":"unsupported_grant_type","error_description":"The authorization grant type is not supported by the authorization server. Configured grant types: [{0}]."}'
} okta S1eLq2LBGXcIpeiD8KiouD6rv5_O3C87wbRwdY8D_gA

I can see that the next auth request still has response_type=code parameter set. So it seems that next-auth is behaving like it would for grant type "authorization_code".

If I play around with the "authorizationUrl" parameter in the Okta provider configuration, I can get the request to return the token.

Providers.Okta({
    domain: process.env.OKTA_DOMAIN,
    clientId: process.env.OKTA_CLIENT_ID,
    clientSecret: process.env.OKTA_CLIENT_SECRET,
    scope: 'openid profile email groups',
    params: {
      grant_type: 'implicit',
    },
   authorizationUrl: 'https://dev-22012847.okta.com/oauth2/default/v1/authorize/?response_type=token&nonce=foo',
 })

But then next auth doesn't know what to do with it an give me the following error:

[next-auth][error][state_error] 
https://next-auth.js.org/errors#state_error OAuthCallbackError: Invalid state returned from OAuth provider
    at Object.handleCallback (/Users/Bram/Code/edison-admin/node_modules/next-auth/dist/server/lib/oauth/state-handler.js:42:13)
    at /Users/Bram/Code/edison-admin/node_modules/next-auth/dist/server/index.js:186:29
    at processTicksAndRejections (internal/process/task_queues.js:97:5) {
  name: 'OAuthCallbackError'
}

I am 100% certain I have enabled the implicit flow in Okta.

How to reproduce ☕️

Set grant_type to 'implicit'

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[balazsorban44]

If it's not possible already, I don't think we are going to implement it, as it is not a recommended flow anymore. See:

https://oauth.net/2/grant-types/implicit/#:~:text=The%20Implicit%20flow%20was%20a,extra%20authorization%20code%20exchange%20step.

The error you are seeing comes from Okta and not from us, so it's clear that even they don't want you to use this flow. I wonder what requirements you have that would make this flow necessary, and why the current default (authorization code) flow wouldn't work?