IdentityServer4 - signin?error=Callback :: after successful login

[wileyknight]

Question 💬

I can't figure out whats going wrong. I'm getting redirected to the identity server, I login successfully and on the redirect back to the next-auth app I get this error.

[ Try signing in with a different account. ]

with this in the url: signin?error=Callback

my redirect for the Client config in the identity server is using:
RedirectUris = { "http://localhost:3000/api/auth/callback/interactive" },

my NPM console is giving me this error:

interactive 9DA33E87F5012343202193EE8AD91F3EF0722374A419BAFFD66F857EF5313CC9
[next-auth][error][oauth_callback_error]
https://next-auth.js.org/errors#oauth_callback_error Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1501:34)
    at TLSSocket.emit (events.js:315:20)
    at TLSSocket.EventEmitter.emit (domain.js:482:12)
    at TLSSocket._finishInit (_tls_wrap.js:936:8)
    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:710:12) {
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
}

I've been working on this for days and can't figure out what's wrong.

How to reproduce ☕️

Next-Auth Providers

providers: [
    Providers.IdentityServer4({
      id: 'interactive',
      name: 'JavaScript Client',
      scope: 'openid profile scope2 offline_access',
      domain: 'localhost:5001',
      clientId: 'interactive',
      clientSecret: 'secret',
      protection: 'pkce',
    }),
  ],

IdentityServer4 Client

new Client
                {
                    ClientId = "interactive",
                    ClientName = "JavaScript Client",
                    ClientSecrets = { new Secret("secret".Sha256()) }

                    AllowedGrantTypes = GrantTypes.Code,
                    AllowAccessTokensViaBrowser = true,
                    RequirePkce = true,
                    RequireClientSecret = true,
                    RequireConsent = false,

                    RedirectUris = { "http://localhost:3000/api/auth/callback/interactive" },
                    PostLogoutRedirectUris = { "http://localhost:3000/" },

                    AllowOfflineAccess = true,
                    AllowedScopes = { "openid", "profile", "scope2" },
                },

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[balazsorban44]

Might be an issue with certificates somewhere in your setup, here is something that could help debug (not fix!) the problem:

https://stackoverflow.com/a/20100521/5364135