Two hosts running from the same server, but urls mismatch for one of them on callback. (multitenancy?)

[scottlet]

OK so I'll start of by saying I know multitenancy is not supported yet.

However, having spent some time going through and reading a bunch of stuff about the multi-tenant issues and workarounds for next-auth I implemented something I believed would work but it seems not to and I have no idea why.

My CDN sets a header, market and using that header I'm switching out the value of the NEXTAUTH_REDIRECT env var at runtime.

I'm using Okta's OpenID for auth, but via our own domains.

Live server serves both .uk and .ie on different hostnames pointing to the same backend server.

When we authenticate, all requests go to the same .uk server on a different host

The redirect urls seem to be correctly sending the right data back to the right domains but then I get an error on the .ie domain.

NEXTAUTH_REDIRECT is set by default to .uk

Pseudocode:

async function runAuthPages(
  req: NextPageContext['req'],
  res: NextPageContext['res']
) {
  const isIE = req?.headers.market === 'IE'; // Either IE or UK.

  const redirectBase = `${
    isIE ? authRedirectUrlIre : authRedirectUrl
  }/api/auth`;
  const redirectUrl = `${redirectBase}/callback/okta`;

  const oldRedirect = process.env.NEXTAUTH_URL;

  process.env.NEXTAUTH_URL = redirectBase;
  
  const authPages = await NextAuth({
    providers: [provider],
    ...  
  });

  process.env.NEXTAUTH_URL = oldRedirect; // Reset environment variable.

  return authPages(req, res);
}

export default runAuthPages;

So the UK service authenticates correctly. The IE service however...

[hostname].ie/api/auth/callback/okta?code=5...KAwX4&state=CrMcA...tk

Okta redirects back to the above url, which then gives me the error [next-auth][error][OAUTH_CALLBACK_ERROR] https://next-auth.js.org/errors#oauth_callback_error invalid_grant (The 'redirect_uri' does not match the redirection URI used in the authorization request.)

next-auth then redirects to [hostname].uk/?callbackUrl=[hostname].uk/?error=OAuthCallback

I'm really confused as to why. Is there something internal that might be awaiting before reading the value of NEXTAUTH_URL? Is the callback code somehow skipping this specific route, leading to the NEXTAUTH_REDIRECT not being set correctly?

Secondly this code seems to be skipping the redirect callback which has specific code to allow .uk to recognise .ie redirects and allow them. That callback isn't the one forwarding the request to the .uk address, I can't see the /callback/okta?code... in the logs for that callback at all.

Does anyone have any suggestions as for what might be going on or how I could possibly fix this?

[balazsorban44]

You might need to configure the redirect callback as well: https://next-auth.js.org/configuration/callbacks#redirect-callback

[scottlet]

Hi, thanks for the advice. I'm already configuring the redirect callback to log the redirects and I don't seem to get a log for the incoming request - it's very strange.

Unless by modify you mean also set the NEXTAUTH_URL which I'm not currently doing, just at the top of the request function.

[scottlet]

...is there any way to look at the redirect_uri? I can see in the request going out that it looks correct...but I can't track down in the code where it is compared and the error comes from, I'd love to look at the comparison.