
[Bug]V5 OAuth Provider token.request configuration not working, defaults to token.url direct request #13257

@leonwangcn

Description

Provider type

Custom provider

Environment


  System:
    OS: macOS 26.0
    CPU: (10) arm64 Apple M4
    Memory: 85.95 MB / 16.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.19.0 - ~/.nvm/versions/node/v20.19.0/bin/node
    npm: 10.8.2 - ~/.nvm/versions/node/v20.19.0/bin/npm
  Browsers:
    Safari: 26.0
  npmPackages:
    @auth/prisma-adapter: ^2.7.2 => 2.10.0 
    next: ^15.2.3 => 15.5.4 
    next-auth: 5.0.0-beta.29 => 5.0.0-beta.29 
    react: ^19.0.0 => 19.1.1 

Reproduction URL

https://github.com/leonwangcn/t3-app

Describe the issue

When customizing an OAuth Provider with a token.request function to handle special token exchange logic, the function is never called. Auth.js defaults to making a direct request using token.url, causing third-party OAuth services to return errors.

How to reproduce

  1. Create a custom OAuth Provider with token.request function configured
  2. Perform OAuth login flow
  3. Observe logs - notice that logs from token.request function never appear
  4. Receive error: OperationProcessingError: "response" is not a conform Token Endpoint response

```typescript
import type { OAuthConfig, OAuthUserConfig } from "next-auth/providers";

// DingtalkProfile is the reporter's own profile type; its definition is not shown in the issue.
export default function DingtalkProvider(options: OAuthUserConfig<DingtalkProfile>): OAuthConfig<DingtalkProfile> {
  return {
    id: "dingtalk",
    name: "DingTalk",
    type: "oauth",
    authorization: {
      url: "https://login.dingtalk.com/oauth2/auth",
      params: {
        scope: 'openid corpid',
        response_type: 'code',
      }
    },
    token: {
      url: 'https://api.dingtalk.com/v1.0/oauth2/userAccessToken',
      async request(context) {
        console.log("=== Custom Token Request Started ==="); // This log never appears

        // DingTalk API requires special JSON format parameters
        const response = await fetch('https://api.dingtalk.com/v1.0/oauth2/userAccessToken', {
          method: 'POST',
          headers: { 'Content-Type': 'application/json' },
          body: JSON.stringify({
            clientId: options.clientId,
            clientSecret: options.clientSecret,
            code: context.params.code,
            grantType: 'authorization_code'
          }),
        });

        const data = await response.json();
        return {
          tokens: {
            access_token: data.accessToken,
            expires_in: data.expireIn ?? 7200,
            refresh_token: data.refreshToken ?? '',
            token_type: "Bearer",
          }
        };
      },
    },
    // ... other configurations
  };
}
```

Expected behavior

Actual Behavior

  • token.request function is never called
  • Auth.js directly uses default OAuth2 flow to request token.url
  • Since DingTalk API requires special JSON format parameters (camelCase), default request fails
  • Returns error: OperationProcessingError: "response" is not a conform Token Endpoint response

Expected Behavior

  • When token.request function is configured, it should be called instead of using default token exchange logic
  • Custom token request logic should be properly executed
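
Added example (not part of the original issue and not Auth.js code): a check modelled on the RFC 6749 section 5.1 token response, showing why a camelCase body like the one the snippet above reads cannot pass as a standard token endpoint response, and a strict mapping to the snake_case members. The function names and the sample body are assumptions constructed for illustration; the field names `accessToken`, `refreshToken` and `expireIn` are taken from the issue's snippet.

```typescript
// RFC 6749 section 5.1: access_token and token_type are REQUIRED members.
interface TokenResponse {
  access_token: string;
  token_type: string;
  expires_in?: number;
  refresh_token?: string;
}

function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Reasons a parsed body is not a conformant token response (empty array = conformant).
function conformanceErrors(body: unknown): string[] {
  if (!isRecord(body)) return ["body is not a JSON object"];
  const { access_token, token_type, expires_in } = body;
  const errors: string[] = [];
  if (typeof access_token !== "string" || access_token === "")
    errors.push("access_token missing or empty");
  if (typeof token_type !== "string" || token_type === "")
    errors.push("token_type missing or empty");
  if (expires_in !== undefined && (typeof expires_in !== "number" || expires_in <= 0))
    errors.push("expires_in must be a positive number");
  return errors;
}

// Map the camelCase body to snake_case. Fails closed: a body without a usable
// accessToken throws, and absent optional members are omitted rather than
// replaced with empty strings or guessed lifetimes.
function normalizeDingtalkTokens(body: unknown): TokenResponse {
  if (!isRecord(body)) throw new Error("token response is not a JSON object");
  const { accessToken, refreshToken, expireIn } = body;
  if (typeof accessToken !== "string" || accessToken === "")
    throw new Error("token response carries no accessToken");
  const out: TokenResponse = { access_token: accessToken, token_type: "Bearer" };
  if (typeof expireIn === "number" && expireIn > 0) out.expires_in = expireIn;
  if (typeof refreshToken === "string" && refreshToken !== "") out.refresh_token = refreshToken;
  return out;
}

// Constructed sample body, not captured from a real DingTalk response.
const sampleDingtalkBody: unknown = {
  accessToken: "constructed-access",
  refreshToken: "constructed-refresh",
  expireIn: 7200,
};
```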
