CognitoProvider fails in Next-auth v.4 with required client_secret parameter #2708
Comments
Closing in favor of #2524. We will need your help to fix this. See the docs: https://next-auth.js.org/configuration/providers/oauth-provider#options This might help you get started. We made the provider config much more flexible and there is a big chance you can align it with Cognito. I would be happy if you commented your findings on #2524, or even opened a PR with a fix 🙏
BTW our docs say you will need a secret: https://next-auth.js.org/providers/cognito#example I'm actually very curious how it worked without one before. 👀
Yeah, this is the reason why I opened the issue: with version 3 it works fine without this secret parameter, but not with version 4.
👍 I acknowledge the problem, I just don't know how Cognito was working safely without a secret in v3. Keep in mind, I have no experience with it whatsoever. Please have a look at the links I provided. 🙏 The PR description that introduced the relevant changes might also help: #2411. None of the providers have been tested in v3, and in v4, we would like this to change. Since there are 50+, we will need the community to help out here. #2524 is the catch-all issue for this.
@javigonz going through this tutorial on YouTube, it looks like they are also using a client secret.
@balazsorban44 thanks for that video, but in our system we don't generate a client secret in the userPool (AWS) for architectural decisions. It's possible to have or not have a client secret param when you set up a new userPool.
I see. I am not an expert on Cognito, so I assume you know better what you are doing. Just wanted to make sure you have all the info. 😊👍
@balazsorban44 I was able to successfully manually test this with next-auth version |
Description 🐜
Trying to upgrade Next-auth `v3.14.7` to Next-auth `v4.0.0-beta.2`.
We've got an error message: `client_secret_basic client authentication method requires a client_secret`.
In `[...nextauth].js` with version 3, we haven't got any `clientSecret` set, and the authorization / login with Cognito works fine. But with the same configuration in version 4, the error is shown.
We don't want to have a client secret parameter in the provider.
The problem may be that you are using `"openid-client": "^4.7.4"` as a dependency, and it sets the auth method to `client_secret_basic` by default, which sends as a header the `client_secret` option that we don't have.
But according to their documentation (https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1), "The client MAY omit the parameter if the client secret is an empty string", and it seems that this does not happen, because we are passing an empty string as the `client_secret` parameter.
Is this a bug in your own project?
No
How to reproduce ☕️
1. Reproduce with Next-auth `v3.14.7`: authorization and login should work fine.
2. Reproduce with Next-auth `v4.0.0-beta.2`: an error message is shown in the console:
We have to add that we have also tested without sending the parameter.
Screenshots / Logs 📽
Error message with `clientSecret: ''` or without passing it:
Environment 🖥
npx: instaló 1 en 2.088s
System:
OS: macOS 11.5.2
CPU: (8) x64 Intel(R) Core(TM) i7-4770HQ CPU @ 2.20GHz
Memory: 326.37 MB / 16.00 GB
Shell: 5.8 - /bin/zsh
Binaries:
Node: 12.13.0 - /usr/local/bin/node
Yarn: 1.19.1 - ~/.yarn/bin/yarn
npm: 6.9.0 - /usr/local/bin/npm
Watchman: 4.9.0 - /usr/local/bin/watchman
Browsers:
Chrome: 95.0.4628.3
Safari: 14.1.2
npmPackages:
next: ^11.1.0 => 11.1.0
next-auth: 4.0.0-beta.2 => 4.0.0-beta.2
react: ^17.0.2 => 17.0.2
Contributing 🙌🏽
No, I am afraid I cannot help regarding this
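The failure reported in this issue, as an added example that is not next-auth or openid-client code: a sketch of how a token request is assembled under each token-endpoint auth method, showing why an empty `clientSecret` fails under the default `client_secret_basic` while a public client using method `none` sends only `client_id`. The function name, the sample values and the optional PKCE `codeVerifier` parameter are assumptions made for illustration.

```javascript
// Added example; buildTokenRequest and all sample values are constructed.
// Method names follow RFC 6749 section 2.3.1 and OpenID Connect Core section 9.

// RFC 6749 section 2.3.1: id and secret are form-urlencoded before Basic encoding.
const formEncode = (v) => encodeURIComponent(v).replace(/%20/g, "+");

function buildTokenRequest(opts) {
  const { clientId, clientSecret, code, redirectUri, codeVerifier } = opts;
  const authMethod = opts.authMethod || "client_secret_basic"; // default named in the issue
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
  });
  // PKCE verifier (RFC 7636): binds the code exchange when there is no secret.
  if (codeVerifier) body.set("code_verifier", codeVerifier);

  if (authMethod === "none") {
    // Public client (app client created without a secret): client_id only.
    body.set("client_id", clientId);
    return { headers, body: body.toString() };
  }
  if (authMethod !== "client_secret_basic" && authMethod !== "client_secret_post") {
    throw new TypeError(`unsupported auth method: ${authMethod}`);
  }
  // Secret-based methods need a non-empty secret; '' and undefined fail alike.
  if (!clientSecret) {
    throw new TypeError(`${authMethod} client authentication method requires a client_secret`);
  }
  if (authMethod === "client_secret_basic") {
    const pair = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
    headers.Authorization = `Basic ${Buffer.from(pair).toString("base64")}`;
  } else {
    body.set("client_id", clientId);
    body.set("client_secret", clientSecret);
  }
  return { headers, body: body.toString() };
}

// Constructed sample: the same empty-secret configuration under both methods.
const sample = { clientId: "constructed-client-id", clientSecret: "",
  code: "constructed-code", redirectUri: "https://app.example/api/auth/callback/cognito" };
for (const authMethod of ["client_secret_basic", "none"]) {
  try {
    console.log(authMethod, "->", buildTokenRequest({ ...sample, authMethod }).body);
  } catch (err) {
    console.log(authMethod, "->", err.message);
  }
}
```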