Credentials provider and jwt/session callbacks

[olivier-thatch]

Hi all,

I'm trying to use next-auth with the credentials provider to authenticate with an API. The response from the API login endpoint includes an access token that I want to persist in the JWT and session to be used in further API calls.

However, I cannot seem to access the original response in the jwt and session callbacks.

My code looks like this:

import NextAuth from "next-auth"
import CredentialsProvider from "next-auth/providers/credentials"
import { ApiClient } from "../../../src/client"

export default NextAuth({
  secret: process.env.NEXTAUTH_SECRET,
  providers: [
    CredentialsProvider({
      name: "Credentials",
      credentials: {
        email: { label: "Email", type: "email", placeholder: "[email protected]" },
        password: {  label: "Password", type: "password" }
      },
      async authorize(credentials, req) {
        const client = new ApiClient({BASE: "http://127.0.0.1:8000"})
        const token = await client.login.getAccessToken({
          grant_type: "password",
          username: credentials!.email,
          password: credentials!.password,
        })
        return token
      },
    })
  ],
  callbacks: {
    async jwt({ token, account }) {
      if (account) {
        token.accessToken = account.access_token
      }
      return token
    },
    async session({ session, token, user }) {
      session.accessToken = token.accessToken
      return session
    }
  },
  debug: process.env.NODE_ENV === 'development',
})

The token returned by the API's login endpoint looks like this:

{
  access_token: 'abc123',
  token_type: 'bearer'
}

and the callbacks are basically exactly the same as the ones in the documentation. However the code is not working: in the jwt callback, the account argument is not the response from the API, rather it looks like this:

{
  providerAccountId: undefined,
  type: 'credentials',
  provider: 'credentials'
}

I cannot seem to figure out how to access the API response from the jwt callback. Any help would be much appreciated!

[olivier-thatch]

I was able to make it work by using the signIn callback, which does receive the return value of authorize, to add the property to the account object:

  callbacks: {
    async signIn({ user, account }) {
      account.access_token = user.access_token
      return true
    },
    async jwt({ token, account }) {
      if (account) {
        token.accessToken = account.access_token
      }
      return token
    },
    async session({ session, token, user }) {
      session.accessToken = token.accessToken
      return session
    }
  },

This doesn't really seem like an appropriate use of the signIn callback though. Would love to hear if there's a better approach!

[redimongo]

 user.access_token

But how does user.access_token get created as I can't see it in your code.

[olivier-thatch]

The user argument in the signIn callback is the object returned by the authorize function, i.e. the response from my external API endpoint.

[cybershang]

I was able to make it work by using the signIn callback, which does receive the return value of authorize, to add the property to the account object:

  callbacks: {
    async signIn({ user, account }) {
      account.access_token = user.access_token
      return true
    },
    async jwt({ token, account }) {
      if (account) {
        token.accessToken = account.access_token
      }
      return token
    },
    async session({ session, token, user }) {
      session.accessToken = token.accessToken
      return session
    }
  },

This doesn't really seem like an appropriate use of the signIn callback though. Would love to hear if there's a better approach!

Really appreciate!
I use CredentialsProvider too, in my codesession.user is null object😥.
Without your post, I may spend another hours 😀👍.