Discuss NextAuth.js v5 #8487
-
@balazsorban44 I got the latest version and I want to provide multi-authentication in my app (manual one and Google provider). In middleware I use
-
@balazsorban44 is OAuth va OIDC supported on the edge runtime with v5? I've only seen credential provider and email-http provider mentioned so far. I've hit the following error when using
It looks like this has been raised before (1 2), but issues were closed without fixes. It seems logical as Have I misconfigured something or is this a known issue?
-
Just came across something - maybe - missing?! When we try to use the ExamplePath:
Did I miss something about this in the PR discussion?
-
What's the latest story with supporting lower level HTTP client options? There was a pretty lengthy discussion #3944 about struggles folks have been running into with corporate proxies. It seemed to boil down to people having to maintain their own fork or patch the library to pass custom HTTP agents. Luckily my use case #8491 only requires a simple pass through of a https://authjs.dev/guides/corporate-proxies/corporate-proxy and the v5 migration guide should probably be updated at the very least.
-
Hi! I face the same error as above: my package.json:
I tried the override method but it doesn't seem to work for me.
-
Hi! I'm quite new to Nextjs and with next-auth. I'm currently rewriting an app with Nextjs App router & I'm using Next-Auth v5. You always need to be authenticated to use the app. I'm facing two main issues with Next-auth at the moment:
1. Redirect to provider login screen instead of next-auth when user is not logged in
Currently I created a
2. Logout should also log out from the provider
For signout I use server actions:
import { CSRF_experimental } from '@/auth'
export function SignOut(props: any) {
  return (
    <form action='/api/auth/signout' method='post'>
      <button {...props} />
      <CSRF_experimental />
    </form>
  )
}
I think to use the
-
Been using NextAuth v5 for a while now and overall I'm super happy. However, I have one major issue with this new update, especially regarding the decision not to run the session callback. What is the recommended way to retrieve more user info in v5 now that the session callback isn't invoked on the server? Before it was trivial to return extra user / session fields from the adapter and have access to that in the session callback, but now it doesn't seem like that's the case. It doesn't matter what my adapter returns, since you cut half of it away anyways... I don't understand this decision since it seems to just make it harder to modify the default behaviors... Example use case, I put an Can you shed some light on how to achieve this with this new update? Right now I'm patching next-auth to invoke this callback with all info, as the calls are on the server I don't have to care about leaking this to the client anyways... Auth core patch: diff --git a/lib/routes/session.js b/lib/routes/session.js
index e496d921578b735e640d1fc766582831dcbfdb1c..3ce6dcae1c2544fa4f439b551b5cecf3f561ad17 100644
--- a/lib/routes/session.js
+++ b/lib/routes/session.js
@@ -89,9 +89,8 @@ export async function session(params) {
// Pass Session through to the session callback
// @ts-expect-error
const sessionPayload = await callbacks.session({
- // By default, only exposes a limited subset of information to the client
- // as needed for presentation purposes (e.g. "you are logged in as...").
session: {
+ ...session,
user: { name: user.name, email: user.email, image: user.image },
expires: session.expires.toISOString(),
}, NextAuth patch: diff --git a/lib/index.js b/lib/index.js
index 5a75f390e1ed59db192587176cf6fabd229cdf84..d123a9aea1b4d861ae78a23951e1feecf831c57c 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -9,17 +9,7 @@ async function getSession(headers, config) {
headers: { cookie: headers.get("cookie") ?? "" },
});
config.useSecureCookies ?? (config.useSecureCookies = origin.protocol === "https:");
- return Auth(request, {
- ...config,
- callbacks: {
- ...config.callbacks,
- // Since we are server-side, we don't need to filter out the session data
- // See https://nextjs.authjs.dev/v5#authenticating-server-side
- session({ session, user, token }) {
- return { ...session, user: user ?? token };
- },
- },
- });
+ return Auth(request, config);
}
function isReqWrapper(arg) {
return typeof arg === "function"; |
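Review bot: In lib/routes/session.js, the added `...session` spread does not bring in the extra user fields the post is after, because the following line still builds `user` from only `name`, `email` and `image`; what it does add is every other property of the session object to the payload handed to `callbacks.session`. The deleted comment recorded that this payload was deliberately limited to what the client needs for presentation, so I would keep that comment and pass the additional fields by name instead of spreading the whole session, leaving the callback to decide what is returned.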
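Review bot: In lib/index.js `getSession`, deleting the wrapper leaves `Auth(request, config)` with whatever `config.callbacks.session` happens to be, so a config that defines no session callback no longer gets the `user ?? token` result that the removed default returned for server-side calls. Rather than removing the override, call `config.callbacks.session` from inside it when one is defined and fall back to `{ ...session, user: user ?? token }` otherwise, and keep the comment explaining why server-side results are not filtered.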
-
Hi, @balazsorban44, thanks for the v5! I ran into an issue when deploying it to Cloud Run (basically behind a proxy). The request origin is resolved to Now, I believe the issue isn't specific for v5. But it seems that there are options to bypass this in v4. Since v5 only exports the handlers and I haven't found a way to build a modified NextRequest myself, there probably isn't a workaround. What would you suggest as a fix? Should I create an issue/PR for v4? I'm happy to contribute, but would need some hints :) Edit: The patch below isn't needed. See the thread for a nicer fix! Here's a hacky patch that I'm currently applying and fixes the issue
-
Did something change in the type-definition for the I'm looking to implement the HTTP-based Email provider following this doc but TypeScript is very unhappy that I do not provide the It also requires that It's not a huge deal as I can always do the following:
{
  id: "email",
  type: "email",
  name: "Email",
  from: "",
  server: "",
  maxAge: 60 * 10,
  options: {},
  async sendVerificationRequest(...) { ... },
}
But it feels kinda dirty 😅
-
@balazsorban44 since solving the previous issue I've encountered another critical issue, possibly due to my set up but I cannot fathom what I'm doing wrong: Right now, the OAuth handshake is succeeding and the session is being passed to the frontend correctly ( The What's more, the I have done everything I can to ensure the versions of my packages are correct, including clearing my lock file. I currently only have
-
Has anyone been able to successfully use v5 with a
-
@balazsorban44 It seems that one cannot import anything into middleware that has
-
In order to implement a custom signin page, what is the new method to get the provider list? Before it was
-
I'm a bit confused this apparently hasn't been discussed anywhere. The new
-
Is it possible to use the Would it make sense to make another instance of
-
This has been fixed by Vercel for quite some time now.
-
Does anyone have a client side example of the custom sign-in? We originally had our previous implementation designed with using the interception pattern in mind, and with only finding rsc as a working example makes this challenging to want to continue to support
-
NextAuth.js v5 doesn't seem to work properly with keycloak. Keycloak authenticates the user, but next-auth doesn't update or set the session. More details: #11237
-
We really need a way to modify the token endpoint request #10728
-
While I understand the default position that the Credentials provider should not support server sessions, there are use cases where this limitation means the whole application can't avail of server sessions when in fact there is no reason for this constraint. For example, in development we use a mock login that allows testers to quickly switch in and out of different roles without requiring management of a dozen OAuth credentials. This massively boosts productivity. Replicating this with Auth.js requires using the Credentials provider but I have to set session strategy to JWT. Could this be just a default, and support a provider option to allow server sessions? Note, while the community have some workarounds (e.g. https://nneko.branche.online/next-auth-credentials-provider-with-the-database-session-strategy/) these will no doubt break as the API changes over time so a first party solution would be best I think.
-
Please anyone help me to fix this, providers: [ This is my credential provider and working fine on dev environment, but in deployment, this gives me timeout error [note: during deployment if I gave local IP related to my LAN for a deployed app it's working fine, but when providing public IP address, issue comes] please suggest me how to fix this issue
-
I would really like to implement the following flow: User signs in with credentialsProvider and obtains jwt token from my backend (dj-rest-auth) Is it possible to link provider accounts to one main account with the jwt strategy?
-
Could anyone help me with this issue: #11648 Works locally but not in production: Next-Auth ^5.0.0-beta.20 / Keycloak 18.0.2 / Next: ^14.2.2 full explanation and code in the post
-
Using JWT strategy and credentials provider, how do I set max token age? No refresh token just the access token? I would like the user to be logged out when the age expires.
-
As in Twitter OAuth 2.0, there is no way to get the user's email address. Twitter does not provide any Scope to get an authenticated user's email address. Even if you check "Request email from users" in the Twitter App you won't get the email address. But if you use OAuth 1.0A you can request email using "include_email=true" scope. Currently, in v5 there is only an OAuth 2.0 way in Twitter but we can't get email address. Please add OAuth 1.0A support that we have in v4. Please add legacy Twitter OAuth 1.0A provider in V5.
-
Could anyone help with this issue #11633
-
With React 19 stable, is version 5 going to become stable anytime soon? And be compatible with React 19?
-
Hi @balazsorban44, I wanted to share my feedback on V5: With all due respect to the time and effort you guys must have put into Auth.js, I don't think this library should be public or considered stable. I won't dive too deep into the countless issues that you'll probably know devs face nonstop when using Auth.js, but I wanted to touch on the fact that Auth.js is presented in a way that makes it seem as if it should be used as the standard auth method for modern apps, when in fact, it's the exact opposite. I mean, in all reality, the only instance where someone should use Auth.js is if they want to add OAuth authentication to their apps without saving any user-specific data in their database, handling credentials, having custom pages, handling their own redirects, handling their own errors, etc. I find it quite incredible how so many projects start using auth.js, thinking they'll set up auth in their apps effectively but then spend weeks or months basically working around all the damned "opinionated" and non-flexible aspects of it. I would strongly recommend anyone who plans to add auth to their apps to simply start from scratch, learn about JWT authentication, correctly handle redirect and auth error handling, and correctly set up their callbacks rather than implementing something that they'll end up constantly working around while there literally being 0 documentation. It baffles me how there are so many incredible libraries today, yet none for authentication. So here are my thoughts on where to go with the lib next: Instead of integrating things like custom pages, "cast" adapter connections, and "one way" auth connections that everyone keeps fight night to work around, implement:
I truly think that if the library went in this direction, it'd actually be what it advertises to be: the standard, modern authentication library for the web.
-
Let's discuss #7443 here.
Keep the PR comments to discuss actual issues/concerns about the ongoing implementation. You can ask for help specific to your project here, or if you are not sure why something isn't working.