Is next-auth the right choice for me? #2640
-
|
Im wondering if next auth is a fit for our new platform. We are currently using a cookie session based setup but are looking at porting to a jwt approach. We've made an authentication service that we would like to use. An example of a access/refresh token can be seen here: What im wondering is if its possible to use credentials and the password grant type with next-auth? I hope someone could give me some pointers on what to do and how to work around these things :) |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 7 replies
-
|
you can use the |
Beta Was this translation helpful? Give feedback.
-
|
Yes token rotation :) But also how provider data in next-auth is working. What i ended up with was this and it seems to do the trick. Although im curious if this is what you mean by not sending the tokens to the client? What i end up with is this when i ask for the session through
Am i missing anything? import NextAuth from "next-auth";
import Providers from "next-auth/providers";
const ENDPOINT = "http://localhost:9090/token";
const defaultHeaders = {
Accept: "application/json",
"Content-Type": "application/x-www-form-urlencoded",
};
async function refreshAccessToken(token) {
try {
const response = await fetch(ENDPOINT, {
method: "POST",
body: new URLSearchParams({
refresh_token: token.refreshToken,
grant_type: "refresh_token",
}),
headers: { ...defaultHeaders },
});
const refreshedTokens = await response.json();
if (!response.ok) {
throw refreshedTokens;
}
return {
...token,
accessToken: refreshedTokens.access_token,
accessTokenExpires: Date.now() + refreshedTokens.expires_in * 1000,
refreshToken: refreshedTokens.refresh_token ?? token.refreshToken,
};
} catch (error) {
console.log(error);
return {
...token,
error: "RefreshAccessTokenError",
};
}
}
export default NextAuth({
providers: [
Providers.Credentials({
name: "Credentials",
credentials: {
username: { label: "Email", type: "text" },
password: { label: "Password", type: "password" },
},
async authorize(credentials, req) {
const res = await fetch(ENDPOINT, {
method: "POST",
body: new URLSearchParams({
...credentials,
grant_type: "password",
}),
headers: { ...defaultHeaders },
});
const token = await res.json();
if (res.ok && token) {
return {
...token,
name: "John Doe",
email: "[email protected]",
};
}
return null;
},
}),
],
session: {
jwt: true,
maxAge: 3600,
},
jwt: {
secret: process.env.JWT_SECRET,
encryption: true,
},
callbacks: {
async jwt(token, user) {
if (user) {
return {
accessToken: user.access_token,
accessTokenExpires: Date.now() + user.expires_in * 1000,
refreshToken: user.refresh_token,
user,
};
}
if (Date.now() < token.accessTokenExpires) {
return token;
}
return refreshAccessToken(token);
},
async session(session, token) {
if (token) {
session.user = {
name: token.user.name,
email: token.user.email,
};
session.accessToken = token.access_token;
session.error = token.error;
}
return session;
},
},
}); |
Beta Was this translation helpful? Give feedback.
-
|
and again, thank you so much for your help! |
Beta Was this translation helpful? Give feedback.
-
|
Yep, that looks good to me! One thing you might have missed is that the |
Beta Was this translation helpful? Give feedback.
-
|
Aah you're right! I missed that! Thank you so much :) This really cleared things up for me! |
Beta Was this translation helpful? Give feedback.
-
|
One last thing :) Our tokens is set to one hour, so should i set the In our "real" setup we would probably want idle sessions to die after 30 minutes. Although as long as the refresh token is still valid it should just ask our auth service for a new access token? In that case |
Beta Was this translation helpful? Give feedback.
you can use the
authorizecallback of the credentials provider to send credentials to your api and get back the result in the jwt and session callbacks:https://next-auth.js.org/providers/credentials
https://next-auth.js.org/configuration/callbacks