idToken: true and wellKnown endpoint configuration - while still using userinfo endpoint

[avisra]

Question 💬

I am running Duende IdentityServer. I have configured the identity token to NOT contain all of the user profile fields in order to keep the token size low. However, I am running into an issue by doing so.

I am configuring my provider in next-auth via the wellKnown configuration variable - which works great. However, because my IdentityServer still returns an identity token, I am required to specify idToken: true (or I get id_token detected in the response, you must use client.callback() instead of client.oauthCallback()).

Unfortunately, by specifying idToken: true, then my userinfo endpoint which is automatically discovered by the wellknown endpoint is no longer being used - so none of my profile fields load.

It looks like I can manually query the profile using the profile callback... but I shouldn't really have to. This is especially strange because my userinfo endpoint (which is auto discovered) isn't available from the profile callback so I have to specify both userinfo AND wellknown endpoints.

Thoughts?

How to reproduce ☕️

export interface IdentityServerProfile {
  sub: string;
  email: string;
  given_name: string;
  family_name: string;
  picture: string;
}

export default function IdentityServer<
  P extends Record<string, any> = IdentityServerProfile
>(options: OAuthUserConfig<P>): OAuthConfig<P> {
  return {
    id: "identityserver",
    name: "IdentityServer",
    type: "oauth",
    wellKnown: `${options.issuer}/.well-known/openid-configuration`,
    checks: ["pkce", "state"],
    idToken: true,
    async profile(profile, tokens) {
      console.log(profile, tokens);
      return {
        id: profile.sub,
        name: `${profile.given_name} ${profile.family_name}`,
        email: profile.email,
        image: profile.picture,
      };
    },
    options,
  };
}

Contributing 🙌🏽

Yes, I am willing to help answer this question in a PR

[akashvibhute]

There is a workaround for this. You can force the userinfo call by specifying the request function in the userinfo option -

idToken: true,
userinfo: {
    async request(context){
        return await context.client.userinfo(context.tokens.access_token)
    }
},

You can verify the current implenetation for this check here -

next-auth/packages/next-auth/src/core/lib/oauth/callback.ts

Lines 125 to 139 in a72f1b6

	if (provider.userinfo?.request) {
	// @ts-expect-error
	profile = await provider.userinfo.request({
	provider,
	tokens,
	client,
	})
	} else if (provider.idToken) {
	profile = tokens.claims()
	} else {
	profile = await client.userinfo(tokens, {
	// @ts-expect-error
	params: provider.userinfo?.params,
	})
	}

[rcronin]

Ran into this issue and the above workaround worked perfectly