You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is fine as a base, but in practice you really need more to be able to use this. For instance, logging out does not end your session from your auth server and you need to update it to something more like this:
exportconstauthOptions: NextAuthOptions={// https://next-auth.js.org/configuration/providers/oauthproviders: [{id: "myKey",name: "Paul's Key",type: "oauth",wellKnown: "http://localhost:3255/auth/realms/DevRealm/.well-known/openid-configuration",authorization: {params: {scope: "openid email profile recipe_management"}},idToken: true,checks: ["pkce","state"],clientId: "recipe_management.next",clientSecret: "974d6f71-d41b-4601-9a7a-a33081f82188",profile(profile){return{id: profile.sub,name: profile.name,email: profile.email,image: profile.picture,}},}],events: {asyncsignOut({token}){varrefreshToken=token.refreshTokenletheaders={"Content-Type": "application/x-www-form-urlencoded"};try{awaitaxios.post("http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/logout",querystring.stringify({refresh_token: refreshToken,client_secret: 'myguid',client_id: 'recipe_management.next',}),{ headers },);}catch(e){}},},theme: {colorScheme: "light",},callbacks: {asyncjwt({ token, user, account }){// Initial sign inif(account&&user){return{accessToken: account.access_token,accessTokenExpires: Date.now()+account.expires_at*1000,refreshToken: account.refresh_token,
user,}}// Return previous token if the access token has not expired yetif(Date.now()<token.accessTokenExpires){returntoken}// Access token has expired, try to update itreturnrefreshAccessToken(token)},asyncsession({ session, token }){session.user=token.usersession.accessToken=token.accessTokensession.error=token.errorreturnsession},},}asyncfunctionrefreshAccessToken(token){try{consturl="http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/token?"+newURLSearchParams({client_secret: 'myguid',client_id: 'recipe_management.next',grant_type: "refresh_token",refresh_token: token.refreshToken,})constresponse=awaitfetch(url,{headers: {"Content-Type": "application/x-www-form-urlencoded",},method: "POST",})constrefreshedTokens=awaitresponse.json()if(!response.ok){throwrefreshedTokens}return{
...token,accessToken: refreshedTokens.access_token,accessTokenExpires: Date.now()+refreshedTokens.expires_at*1000,refreshToken: refreshedTokens.refresh_token??token.refreshToken,// Fall back to old refresh token}}catch(error){console.log(error)return{
...token,error: "RefreshAccessTokenError",}}}
I would think when using a well known provider, you could just use it to get the end_session_endpoint and call that automatically at signout without all this boilerplate.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
-
Currently, when setting up next-auth with OIDC with a code flow using PKCE, I can to do something like this:
This is fine as a base, but in practice you really need more to be able to use this. For instance, logging out does not end your session from your auth server and you need to update it to something more like this:
I would think when using a well known provider, you could just use it to get the
end_session_endpointand call that automatically at signout without all this boilerplate.Ex well known:
{ "issuer": "http://localhost:3255/auth/realms/DevRealm", "authorization_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/auth", "token_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/token", "introspection_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/token/introspect", "userinfo_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/userinfo", "end_session_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/logout", "frontchannel_logout_session_supported": true, "frontchannel_logout_supported": true, "jwks_uri": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/certs", "check_session_iframe": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/login-status-iframe.html", "grant_types_supported": [ "authorization_code", "implicit", "refresh_token", "password", "client_credentials", "urn:ietf:params:oauth:grant-type:device_code", "urn:openid:params:grant-type:ciba" ], "response_types_supported": [ "code", "none", "id_token", "token", "id_token token", "code id_token", "code token", "code id_token token" ], "subject_types_supported": [ "public", "pairwise" ], "id_token_signing_alg_values_supported": [ "PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512" ], "id_token_encryption_alg_values_supported": [ "RSA-OAEP", "RSA-OAEP-256", "RSA1_5" ], "id_token_encryption_enc_values_supported": [ "A256GCM", "A192GCM", "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512" ], "userinfo_signing_alg_values_supported": [ "PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none" ], "request_object_signing_alg_values_supported": [ "PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512", "none" ], "request_object_encryption_alg_values_supported": [ "RSA-OAEP", "RSA-OAEP-256", "RSA1_5" ], "request_object_encryption_enc_values_supported": [ "A256GCM", "A192GCM", "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512" ], "response_modes_supported": [ "query", "fragment", "form_post", "query.jwt", "fragment.jwt", "form_post.jwt", "jwt" ], "registration_endpoint": "http://localhost:3255/auth/realms/DevRealm/clients-registrations/openid-connect", "token_endpoint_auth_methods_supported": [ "private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt" ], "token_endpoint_auth_signing_alg_values_supported": [ "PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512" ], "introspection_endpoint_auth_methods_supported": [ "private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt" ], "introspection_endpoint_auth_signing_alg_values_supported": [ "PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512" ], "authorization_signing_alg_values_supported": [ "PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512" ], "authorization_encryption_alg_values_supported": [ "RSA-OAEP", "RSA-OAEP-256", "RSA1_5" ], "authorization_encryption_enc_values_supported": [ "A256GCM", "A192GCM", "A128GCM", "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512" ], "claims_supported": [ "aud", "sub", "iss", "auth_time", "name", "given_name", "family_name", "preferred_username", "email", "acr" ], "claim_types_supported": [ "normal" ], "claims_parameter_supported": true, "scopes_supported": [ "openid", "profile", "address", "microprofile-jwt", "phone", "email", "recipe_management", "offline_access", "web-origins", "roles" ], "request_parameter_supported": true, "request_uri_parameter_supported": true, "require_request_uri_registration": true, "code_challenge_methods_supported": [ "plain", "S256" ], "tls_client_certificate_bound_access_tokens": true, "revocation_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/revoke", "revocation_endpoint_auth_methods_supported": [ "private_key_jwt", "client_secret_basic", "client_secret_post", "tls_client_auth", "client_secret_jwt" ], "revocation_endpoint_auth_signing_alg_values_supported": [ "PS384", "ES384", "RS384", "HS256", "HS512", "ES256", "RS256", "HS384", "ES512", "PS256", "PS512", "RS512" ], "backchannel_logout_supported": true, "backchannel_logout_session_supported": true, "device_authorization_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/auth/device", "backchannel_token_delivery_modes_supported": [ "poll", "ping" ], "backchannel_authentication_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/ext/ciba/auth", "backchannel_authentication_request_signing_alg_values_supported": [ "PS384", "ES384", "RS384", "ES256", "RS256", "ES512", "PS256", "PS512", "RS512" ], "require_pushed_authorization_requests": false, "pushed_authorization_request_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/ext/par/request", "mtls_endpoint_aliases": { "token_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/token", "revocation_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/revoke", "introspection_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/token/introspect", "device_authorization_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/auth/device", "registration_endpoint": "http://localhost:3255/auth/realms/DevRealm/clients-registrations/openid-connect", "userinfo_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/userinfo", "pushed_authorization_request_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/ext/par/request", "backchannel_authentication_endpoint": "http://localhost:3255/auth/realms/DevRealm/protocol/openid-connect/ext/ciba/auth" } }Beta Was this translation helpful? Give feedback.
All reactions