Use case for cookie-authentication #3882

ismatim · 2022-02-08T10:20:38Z

ismatim
Feb 8, 2022

Question 💬

Hi all, thank you for amazing library. First of all, I read a lot the documentation and I'm not finding what I'm looking for I have a glimpse of a solution but, not see a good fit of it. That's why I'm asking this question. The use-case is very simple. I need to implement a redirection authentication through a cookie. No credentials input, no external providers. The user clicks in another internal application, the redirection has cookies to another subdomain, (httpOnly, sameSite, Secure). I need to verify the code authenticity and retrieve user identification.
I was trying to see if Credentials could be a a solution but, that lands me in SingIn page.

Is this possible that this is not a use-case for this library?

Thank you in advance.
Ismael

How to reproduce ☕️

I came across a hacking solution using Credentials, and when the users lands in SignIn, post empty credentials after 500ms in setTimeout with the cookies. Then, in the authorize method verifies its authenticity. Hope this clarifies.

Note aside: I could help for a PR if it is needed. But, don't think this is the case. Thanks!

Contributing 🙌🏽

Yes, I am willing to help answer this question in a PR

Answered by balazsorban44

Feb 8, 2022

So if I understand correctly, you have the app with NextAuth.js (A), and another one (B).

Click sign-in on B
Redirect to A that has a cookie.
Redirecting to... Homepage on A?
User clicks sign-in on A (with Credentials Provider)
Shows sign-in page on A, the user clicks again, (no credentials needed)
authorize callback verifies the cookie and returns the user.

And you want to skip 4 and 5.

It almost sounds like NextAuth.js has no place in this flow. You could create an API route that is similar to what our /api/auth/session endpoint does, basically checking the cookie, if it's valid it returns it with an updated expiry, otherwise returns nothing.

NextAuth.js manages (creates/updates/delet…

View full answer

balazsorban44 · 2022-02-08T12:11:16Z

balazsorban44
Feb 8, 2022
Maintainer

So if I understand correctly, you have the app with NextAuth.js (A), and another one (B).

Click sign-in on B
Redirect to A that has a cookie.
Redirecting to... Homepage on A?
User clicks sign-in on A (with Credentials Provider)
Shows sign-in page on A, the user clicks again, (no credentials needed)
authorize callback verifies the cookie and returns the user.

And you want to skip 4 and 5.

It almost sounds like NextAuth.js has no place in this flow. You could create an API route that is similar to what our /api/auth/session endpoint does, basically checking the cookie, if it's valid it returns it with an updated expiry, otherwise returns nothing.

NextAuth.js manages (creates/updates/deletes) its own session, created for the exact same domain.

What you could do instead is if B is also a Next.js app, you can configure the session cookie in a way that even if it's set by another subdomain, it's still available in app A. https://next-auth.js.org/configuration/options#cookies

That way, when landing on app A after the redirect, the user would already be logged in.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Use case for cookie-authentication #3882

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Uh oh!

Use case for cookie-authentication #3882

Uh oh!

ismatim Feb 8, 2022

Question 💬

How to reproduce ☕️

Contributing 🙌🏽

Replies: 1 comment

Uh oh!

Uh oh!

balazsorban44 Feb 8, 2022 Maintainer

ismatim
Feb 8, 2022

balazsorban44
Feb 8, 2022
Maintainer