User profile is missing from session in v4

[makezi]

Hello, I just upgraded to v4 (specifically 4.1.0) and I'm trying to auth via IdentityServer4 provider but for some reason it's returning the following session:

{
    "user": {
        "image": null
    },
    "expires": "2022-02-14T08:40:12.014Z"
}

I've followed the docs and setting it up with Demo IdentityServer4 but no go. Here's my [...nextauth].js file:

import NextAuth from 'next-auth';
import IdentityServer4Provider from 'next-auth/providers/identity-server4';

import { NEXTAUTH_SECRET } from '@/config/env-vars';

export default NextAuth({
  providers: [
    IdentityServer4Provider({
      id: 'demo-identity-server',
      name: 'Demo IdentityServer4',
      authorization: {
        params: { scope: 'openid profile email api offline_access' }
      },
      issuer: 'https://demo.identityserver.io/',
      clientId: 'interactive.confidential',
      clientSecret: 'secret'
    })
  ],
  secret: NEXTAUTH_SECRET,
  session: {
    strategy: 'jwt'
  },
});

And my layout.tsx file with simple useSession hook:

import { useSession, signIn, signOut } from 'next-auth/react';
import * as React from 'react';

type LayoutProps = {
  children: React.ReactNode;
};

export function Layout({ children }: LayoutProps) {
  const { data: session } = useSession();

  return (
    <div>
      {session ? (
        <>
          Signed in as {session.user.email} <br />
          <button onClick={() => signOut()}>Sign out</button>
        </>
      ) : (
        <>
          Not signed in <br />
          <button onClick={() => signIn()}>Sign in</button>
        </>
      )}
      {children}
    </div>
  );
}

Also some callbacks:

// /signin profile object
profile: {
  nbf: 1642236483,
  exp: 1642236783,
  iss: 'https://demo.identityserver.io',
  aud: 'interactive.confidential',
  iat: 1642236483,
  at_hash: 'Ee1sTSMSCGT4Q4UaCjL7jg',
  s_hash: 'CVv0sE1AHsO2JgFQFTOHpg',
  sid: '57B11D83CC3B16BAD42681C479AA24DE',
  sub: '1',
  auth_time: 1642236007,
  idp: 'local',
  amr: [ 'pwd' ]
}

// /signin user object
user: { id: '1', name: undefined, email: undefined, image: null }

// /session token obj
token: {
  picture: null,
  sub: '1',
  iat: 1642236485,
  exp: 1644828485,
  jti: 'dfb2891b-376a-420e-a869-2e19a8d732c5'
}

// /session session obj
session: {
  user: { name: undefined, email: undefined, image: null },
  expires: '2022-02-14T08:48:05.772Z'
}

Is there some new config option(s) that I must provide that I'm missing or something else? Any help is appreciated!

[makezi]

I forked the example repo and added my changes to repro here: https://github.com/makezi/next-auth-example. The only changes that was added was to add the IdentityServer4 provider to [...nextauth].js file.

[balazsorban44]

The profile you printed is the same one we receive from the Provider. The demo app doesn't seem to return all the information. You can verify by printing the returned id_token and pasting it into jwt.io

You might need extra scopes, or the Demo simply cannot return that information. I have used the IDS4 provider in production before, so I can assure you if configured correctly, it should work.

[makezi]

Hey @balazsorban44 thanks for the response! This doesn't seem to be the case though as I do indeed get the correct values in v3.

// [...nextauth].js v3

import NextAuth from "next-auth"
import Providers from "next-auth/providers"

export default NextAuth({
  providers: [
    Providers.IdentityServer4({
      id: 'demo',
      name: 'demo',
      type: 'oauth',
      version: '2.0',
      scope: 'openid profile email api offline_access',
      domain: 'demo.identityserver.io',
      clientId: 'interactive.confidential',
      clientSecret: 'secret',
      protection: 'pkce'
    })
  ],

  secret: process.env.SECRET,
  jwt: {
    secret: process.env.JWT_SECRET,
    encryption: true
  },


  callbacks: {
    jwt: async (token, user, account, profile) => {
      console.log('profile:', profile)
      console.log('account:', account)
      console.log('user:', user)
      console.log('token:', token)
      return token;
    },
    session: async (session, token) => {
      console.log('session:', session)
      console.log('token:', token)
      return session;
    }
  },
})

And the callbacks:

// /signin profile object
profile: {
  name: 'Alice Smith',
  given_name: 'Alice',
  family_name: 'Smith',
  email: '[email protected]',
  email_verified: true,
  website: 'http://alice.com',
  sub: '1'
}

// /signin user object
user: { name: 'Alice Smith', email: '[email protected]', image: null },

// /session token obj
token: {
  name: 'Alice Smith',
  email: '[email protected]',
  picture: undefined,
  sub: '1'
}

// /session session obj
session: {
  user: { name: 'Alice Smith', email: '[email protected]', image: null },
  expires: '2022-02-16T03:09:02.594Z'
}

Same server with different responses compared to v4. Am I setting up the scopes properly or perhaps they're not correctly being passed through?

This is not only happening on the demo server (I just used this as an example) but also another server I use which uses IdentityServer4 in which user is null but worked fine in v3.

[balazsorban44]

Interesting. The prod app I was talking about uses v4 so I still believe it's just our default scopes that are causing this weird behavior.

https://github.com/nextauthjs/next-auth/blob/main/src/providers/identity-server4.js#L8

I see on your v3 config you have different scopes in addition. You could try adding those in a v4 config and see if that returns differently.

[makezi]

I just tried in v4 config same scopes as my v3 config as well as the default scopes from the provider as you've linked and still same issue I'm afraid. I've got a v3 branch up on my repo as well if you want to take a peek: https://github.com/makezi/next-auth-example/tree/v3.

Could it be that some scope or claims or even options are making it through and just always setting the defaults?

[balazsorban44]

So I checked, and the reason that the Demo Identity Server 4 client is not working is because it is misconfigured. v4 is following specs better than v3 did, and if it detects an id_token returned, it will use that. The demo IDS4 client's id_token does not return those fields, but v3 did not necessarily use the id_token either, it made an extra call to the userinfo endpoint instead.

This won't be a problem in your app if you configure it correctly.

As a heads up, IDS4 is going away, so you should probably not use it anyway!

As of Oct, 1st 2020, we started a new company. All new development will happen in our new organization. The new Duende IdentityServer is free for dev/testing/personal projects and companies or individuals with less than 1M USD gross annual revenue - for all others we have various commercial licenses that also include support and updates. Contact us for more information.
IdentityServer4 will be maintained with security updates until November 2022.

https://identityserver4.readthedocs.io/en/latest/

I just added a note about this to our docs: https://next-auth.js.org/providers/identity-server4

[makezi]

Good find and that worked! Like you mentioned I just make that extra call to userinfo like so (just in case anyone else runs into this issue):

IdentityServer4Provider({
  id: 'demo-identity-server',
  name: 'Demo IdentityServer4',
  authorization: {
    params: { scope: 'openid profile email api offline_access' }
  },
  issuer: 'https://demo.identityserver.io/',
  clientId: 'interactive.confidential',
  clientSecret: 'secret',
  userinfo: {
    url: 'https://demo.identityserver.io/connect/userinfo',
    // Make the call here and do whatever you like to profile
    async request({ client, tokens }) {
      const profile = await client.userinfo(tokens)
      return profile
    },
  }
})

I'll look into moving over away from IDS4 but for now this works. Thanks so much for this, really appreciated!