Most Facebook login attempts are good, but some fail because they have id_token on the response

[gustavo-maurina]

How do I tackle this problem? Most login attempts that happen with Facebook are good and there's no error, but some login attempts, from specific accounts, will fail with this error message:

id_token detected in the response, you must use client.callback() instead of client.oauthCallback()

After reading quite a good amount, I'm not sure what the best approach is here. Is there any simple configuration I'm missing? Or should I create a custom provider rather than the Facebook built-in?

[yulia-tarasenko-axon]

Facebook returns id_token if at some point for this facebook account for this app it has been requested, so even if you have requested it only once and don't request it for current request - it will also be returned. I see two scenarios where this may happen: you suddenly requested id_token in past while testing - in this case revoking access in Facebook account is enough. Or you have mobile/other platforms that have common FACEBOOK_CLIENT_ID and they request id_token. In this case, you can ask other developers to change their requests or change your provider settings so you will request id_token on each request

[gustavo-maurina]

You are right, after some investigation over the past weeks, I discovered that there is one Facebook login implementation on one of our apps that uses id_token on the response.

change your provider settings so you will request id_token on each request

Do you happen to know how to do that? Or do you know of any examples I could take a look? I have tried a couple of different implementations inspired on the NextAuth docs, and I couldn't manage to access clientId and some other informations that I'm currently getting with the provider's default configuration.

[yulia-tarasenko-axon]

At the moment of writing this comment I thought that it is possible, but sadly I haven't found any solution. We can not set dynamically idToken flag in configuration. I have tried such approaches:

• configuring via wellKnown
  However, Facebook endpoint returns much less fields than other OpenId providers(probably because while my investigation I've seen that it is not exactly OpenId). I had such error
  token_endpoint must be configured on the issuer
  However, I can not do anything with it because of inner implementation of next-auth: if wellKnown field is present, such field as token_endpoint can not be overwritten.

• without wellKnown
  I got such error
  jwks_uri must be configured on the issuer But I can not configure it directly also. Both two issues are from inner openid-client lib.
  The last solution that I see in current structure of lib is to overwrite token.request, because this is where error is thrown. But I'm afraid to mess up with security somehow, so for now I switched to Facebook SDK

[gustavo-maurina]

Thanks for the time and answer! I tried similar implementations and ended up with similar results. Even got to get access_token in one of the attempts, but that just felt like I was reinventing the wheel.

I guess for now I'll just stick to the original and default implementation and deal with the occasional client that stumble upon this problem, since I can't figure out a better approach. If you ever find a solution, would you mind replying to this discussion?

[yulia-tarasenko-axon]

Yes, sure!