using next-auth for server to server authentication

[s4kh]

Your question
First of all, thanks for this amazing library, facilitates so much of the work.
We are using nextJS as our web app but it does directly access to our db. We have an API which is responsible for creating user and this API is JWT secured.
Our mobile authentication is handled like following:

1. User authorizes app to use GOOGLE/FACEBOOK
2. GOOGLE or FACEBOOK returns idToken, code
3. Send code to backend
4. Backend calls provider API with code and validates it
5. If it is valid we create user and send generate JWT
6. Mobile can use that JWT to access our API

What are you trying to do
How to achieve above logic using this cool library?

• Could not find relevant documentation

[iaincollins]

This is a great question I don't have an answer for. I think questions similar to this have come up before, but we don't really have an answer for this.

Things like the SignIn callback and JWT callbacks can come in to play here if used with JWT (e.g. if used without a database, and using it to handle writing to one) - I can think of a scenario where you could configure NextAuth.js to handle the sign in but use both those callbacks to handle storing data in some other application, without specifying a database for NextAuth.js.

It would be helpful to have a few bullet points covering things you would like NextAuth.js to do for you (e.g. sign user in with Google) and things you don't want it to do directly (e.g. save user to database) and what application would set the JWT (i.e. do you want NextAuth.js to set it, or do you want some other application set it).

[deep-c]

I have a similar question that sounds like its related. An app that i am developing would require a client credentials flow. For example if using the cognito provider https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/ (Client credentials grant).

For example to give access to api routes. Another machine could request this grant flow, but the issue i see is how to identify who it is because this isnt done on behalf of a user rather an application so maybe this would require a separate model to hold?

[stunaz]

I kind of have the same question

Is it possible to create a custom adapter , but which wouldn't be a database adapter, but rest api . So instead of synchronizing with the database directly... the same method/interface from the custom adapter will actually call our custom backend rest api to achieve the same goals,

[deep-c]

Good idea, would you then support having multiple adaptors or an adaptor config specific to doing this? Generally you would want to support both the standard auth grant on behalf of a user as well as that of client at the same time.

[iaincollins]

Good idea, would you then support having multiple adaptors or an adaptor config specific to doing this? Generally you would want to support both the standard auth grant on behalf of a user as well as that of client at the same time.

I think there are probably a couple of different ways possible right now, but an adaptor config for a REST API would probably be the ideal option (maybe combined with the jwt callback if you wanted to add specific things to the JWT).

Thinking out loud:

The functions in v1 (before there were adapters) were very simple and great for this, but the there are a lot more functions in the v2+ API. (with the introduction of adapters) The change of approach in v2 onwards makes it much easier to write adapters for different databases, but the trade off is it's a bit harder to do things like this, as you have to fill in the logic for more functions.

I wonder if a hybrid approach possible - like a simpler adapter model for use cases like this (where you only have to worry about 3 or 4 different functions). If anyone wants to have a go (even just in the comments) at describing what sort of functions they would expect such an API to have (and what they don't need) happy to think about how we could do that!

[s4kh]

This is a great question I don't have an answer for. I think questions similar to this have come up before, but we don't really have an answer for this.

Things like the SignIn callback and JWT callbacks can come in to play here if used with JWT (e.g. if used without a database, and using it to handle writing to one) - I can think of a scenario where you could configure NextAuth.js to handle the sign in but use both those callbacks to handle storing data in some other application, without specifying a database for NextAuth.js.

It would be helpful to have a few bullet points covering things you would like NextAuth.js to do for you (e.g. sign user in with Google) and things you don't want it to do directly (e.g. save user to database) and what application would set the JWT (i.e. do you want NextAuth.js to set it, or do you want some other application set it).

For our case, I want nextAuth.js to:

• handle Logins of Providers(Google, FB) and
• send authorizationCodes of those providers to [...nextAuth].js some callback
• from nextAuth.js I will call my API to validate and create user in the db
• API sends back JWT nextAuth.js will set JWT
• secure protected routes

[s4kh]

is there a way to get FB authorization_code or GOOGLE idToken in any of the callbacks?

[mAAdhaTTah]

This also seems similar to #447.

[izundo-viennv]

@iaincollins I think we should have an example for that because currently in custom adapter we have to implement a lots of methods and I don't know which methods should be implemented or not. And we should allow developers to set custom payload for jwt

[izundo-viennv]

Actually I don't like we have access directly to database at this presentation layer. I found that nuxt-auth handle this so good

[mariosantosdev]

@s4kh When user is redirected to [...nextauth].js you can fetch your API to some route like /user/{email} and send a private token in header that authorization to access sensitivity data and the user sign in through this route.

Remeber you should store the private key that will be sending in header at your .env
I think as fetch will be call inside next server, the user don't has access this key.