Custom Provider never calls Token URL

[rametta]

Provider type

Custom provider

Environment

System:
OS: macOS 11.6.1
CPU: (16) x64 Intel(R) Core(TM) i9-9880H CPU @ 2.30GHz
Memory: 442.08 MB / 16.00 GB
Shell: 5.8 - /bin/zsh
Binaries:
Node: 14.17.3 - ~/.nvm/versions/node/v14.17.3/bin/node
Yarn: 1.22.10 - ~/.nvm/versions/node/v14.17.3/bin/yarn
npm: 6.14.13 - ~/.nvm/versions/node/v14.17.3/bin/npm
Browsers:
Chrome: 98.0.4758.102
Firefox: 96.0.3
Safari: 15.1
npmPackages:
next: 12.0.4 => 12.0.4
next-auth: ^4.2.1 => 4.2.1
react: 17.0.2 => 17.0.2

Reproduction URL

none

Describe the issue

When using custom providers, the token.url is never called to get the acesss token after a successful authorization is done.

How to reproduce

Using a config like this:

import NextAuth from 'next-auth'
import axios from 'axios'

export default NextAuth({
  debug: true,
  secret: 'redacted', // openssl rand -base64 32
  session: {
    strategy: 'jwt'
  },
  providers: [
    {
      id: 'custom-provider',
      name: 'my custom provider',
      clientId: 'redacted',
      type: 'oauth',
      issuer: 'https://redacted.com',
      authorization: {
        url: 'https://redacted/v1/oauth2/auth',
        params: {
          scope: 'redacted',
          redirect_uri: 'http://localhost:3000/api/auth/callback/redacted',
          response_type: 'code',
          code_challenge_method: 'S256'
        }
      },
      token: {
        url: 'https://redacted/v1/oauth2/token' // <--- never called
      },
      checks: ['pkce', 'state'],
    }
  ]
})

Expected behavior

when using signIn('custom-provider') I successfully get brought to the authorization url to login and i successfully get redirected back to my redirect_uri that was provided as authorization.params.redirect_uri. But after that I would expect the token.url to be called to exchange the code received by the authorization for an access token but that call is never made.

[rametta]

I figured it out. It was because I declared a custom redirect_uri in my authorization block and had a corresponding file for that redirect. Apparently that is not needed at all, you don't need a file for the callback because next-auth does magic during the callback. Just need to make sure that the actual redirect_uri that next-auth uses is whitelisted on your provider, then everything else should work.