Can not get prefered username using Auth0 Provider

[ipko1996]

Description 🐜

Using Auth0Provider with https://auth0.com/ set up to ask a username, I can not get the username/prefered_username attribute from the data coming from the response.

I tried to get all data from the response (scope: 'openid profile email'), but the prefered username is not there.

OAuthProfile: {
    nickname: 'email',
    name: '[email protected]',
    picture: 'https://s.gravatar.com/avatar/xyz.png',
    updated_at: '2021-10-06T10:58:04.158Z',
    email: '[email protected]',
    email_verified: false,
    iss: 'https://dev-foo.eu.auth0.com/',
    sub: 'auth0|xyz',
    aud: 'xyz',
    iat: xyz,
    exp: xyz,
    user: null
  }

Expected behavior:
After login/creating a new user the username attribute suposed to be the the username what the user set up.

What happens:
The username is the beggining of the email address (the nickname attribute from Auth0).

eg.: [email protected] --> username will be email

Is this a bug in your own project?

Yes

How to reproduce ☕️

import NextAuth from "next-auth";
import Auth0Provider from "next-auth/providers/auth0";
import { MongoDBAdapter } from "@next-auth/mongodb-adapter";
import clientPromise from "@lib/mongodb";

export default async function auth(req, res) {
  return await NextAuth(req, res, {
    providers: [
      Auth0Provider({
        clientId: process.env.AUTH0_CLIENT_ID,
        clientSecret: process.env.AUTH0_CLIENT_SECRET,
        issuer: process.env.AUTH0_ISSUER,

        scope: "openid profile email",
        profile(profile) {
          console.log(profile);
          return {
            id: profile.sub,
            name: profile.nickname,
            email: profile.email,
            image: profile.picture,
            username: profile.preferred_username, //not working
          };
        },
      }),
    ],
    callbacks: {
      async session({ session, user, token }) {
        return session;
      },
    },
    adapter: MongoDBAdapter({
      db: (await clientPromise).db("user-data"),
    }),

    events: {
      async session({ session }) {
        //console.log(session);
      },
      async signIn({ user, profile }) {
        console.log(user, profile);
      },
    },
    debug: true,
  });
}

version: "next-auth": "^4.0.0-beta.4",

Screenshots / Logs 📽

[next-auth][debug][PROFILE_DATA] {
  OAuthProfile: {
    nickname: 'email',
    name: '[email protected]',
    picture: 'https://s.gravatar.com/avatar/xyz.png',
    updated_at: '2021-10-06T10:58:04.158Z',
    email: '[email protected]',
    email_verified: false,
    iss: 'https://dev-foo.eu.auth0.com/',
    sub: 'auth0|xyz',
    aud: 'xyz',
    iat: xyz,
    exp: xyz,
    user: null
  }
}
{
  nickname: 'email',
  name: '[email protected]',
  picture: 'https://s.gravatar.com/avatar/xyz.png',
  updated_at: '2021-10-06T10:58:04.158Z',
  email: '[email protected]',
  email_verified: false,
  iss: 'https://dev-foo.eu.auth0.com/',
  sub: 'auth0|xyz',
  aud: 'xyz',
  iat: xyz,
  exp: xyz,
  user: null
}
[next-auth][debug][OAUTH_CALLBACK_RESPONSE] {
  profile: {
    id: 'auth0|xyz',
    name: 'email',
    email: '[email protected]',
    image: 'https://s.gravatar.com/avatar/xyz.png',
    username: undefined
  },
  account: {
    provider: 'auth0',
    type: 'oauth',
    providerAccountId: 'auth0|xyz',
    access_token: 'xyz',
    id_token: 'xyz',
    scope: 'openid profile email',
    expires_at: xyz,
    token_type: 'Bearer'
  },
  OAuthProfile: {
    nickname: 'email',
    name: '[email protected]',
    picture: 'https://s.gravatar.com/avatar/xyz.png',
    updated_at: '2021-10-06T10:58:04.158Z',
    email: '[email protected]',
    email_verified: false,
    iss: 'https://dev-foo.eu.auth0.com/',
    sub: 'auth0|xyz',
    aud: 'xyz',
    iat: xyz,
    exp: xyz,
    user: null
  }
}
[next-auth][debug][adapter_getUserByAccount] {
  args: [
    {
      providerAccountId: 'auth0|xyz',
      provider: 'auth0'
    }
  ]
}
[next-auth][debug][adapter_getUserByAccount] {
  args: [
    {
      providerAccountId: 'auth0|xyz',
      provider: 'auth0'
    }
  ]
}
[next-auth][debug][adapter_createSession] {
  args: [
    {
      sessionToken: 'xyz',
      userId: 'xyz',
      expires: 2021-11-05T10:58:05.367Z
    }
  ]
}
{
  id: 'xyz',
  name: 'email',
  email: '[email protected]',
  image: 'https://s.gravatar.com/avatar/xyz.png',
  emailVerified: null
} {
  id: 'auth0|xyz',
  name: 'email',
  email: '[email protected]',
  image: 'https://s.gravatar.com/avatar/xyz.png',
  username: undefined
}

Environment 🖥

System:
OS: Windows 10 10.0.19043
CPU: (4) x64 Intel(R) Core(TM) i5-2500K CPU @ 3.30GHz
Memory: 11.41 GB / 15.97 GB
Binaries:
Node: 16.9.1 - C:\Program Files\nodejs\node.EXE
npm: 7.21.1 - C:\Program Files\nodejs\npm.CMD
Browsers:
Edge: Spartan (44.19041.1023.0), Chromium (94.0.992.38)
Internet Explorer: 11.0.19041.1202
npmPackages:
next: 11.1.2 => 11.1.2
next-auth: ^4.0.0-beta.4 => 4.0.0-beta.4
react: 17.0.2 => 17.0.2

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[balazsorban44]

The OAuthProfile is the 1:1 response from Auth0, so if something is missing there, you probably need an extra scope.

https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

Try adding the preferred_username scope

To forward it to your frontend, check out the jwt and session callbacks docs https://next-auth.js.org/configuration/callbacks

[ipko1996]

In the well-knonwn configuration there is this:

"scopes_supported":["openid","profile","offline_access","name","given_name","family_name","nickname","email","email_verified","picture","created_at","identities","phone","address"]

If I add username or preffered username it is not working. Even the response's account.scope stays just openid profile email.

Tried these:

        authorization: {
          params: {
            scope:
              "openid email profile preferred_username username read:username read:users read:user_idp_tokens",
          },
        },

I could get the username with several requests tho.
Request an API key from Auth0, and then request the username but it just does not seems to be convenient

[ipko1996]

After countless hours of research, reading documents and trying things,

I got an acceptable solution.

At Auth0.com there is Auth Pipeline -> Rules.

Added this rule:

function addAttributes(user, context, callback) {
  context.idToken['https://example.com/username'] = user.username;
  callback(null, user, context);
}

(If I only used username attribute it did not work).
https://auth0.com/docs/configure/apis/scopes/sample-use-cases-scopes-and-claims#add-custom-claims-to-a-token
https://auth0.com/docs/security/tokens/json-web-tokens/create-namespaced-custom-claims

In NextAuth I tried to override default behavior and log the profile hoping to see something new there.

    providers: [
      Auth0Provider({
        clientId: process.env.AUTH0_CLIENT_ID,
        clientSecret: process.env.AUTH0_CLIENT_SECRET,
        issuer: process.env.AUTH0_ISSUER,

        profile(profile) {
          console.log("profile is:");
          console.log(profile);
          return {
            id: profile.sub,
            name: profile["https://example.com/username"],
            email: profile.email,
            image: profile.picture,
          };
        },
      }),
    ],

https://next-auth.js.org/configuration/providers#options
Which also did not work (I'd be more then happy to know why), BUT logging the profile now, I could see the new property:

'https://example.com/username' : 'username'

So as @balazsorban44 suggested I added the property at the callbacks like this:

    callbacks: {
      async jwt({ token, profile }) {
        if (profile) {
          token.name = profile["https://example.com/username"];
        }
        return token;
      },
    },

If someone can suggest another solution, I'd be glad to read it.