Using VERCEL_URL in options appears to break redirect URL #363

Closed
ryanbahan opened this issue Jun 29, 2020 · 4 comments
Labels
bug (Something isn't working), stale (Did not receive any activity for 60 days)

Comments

@ryanbahan

Describe the bug
A clear and concise description of what the defect is.

When using VERCEL_URL as the value to 'site' in options, the redirect URL appears to break and have duplicative content (pics below). If I hardcode values in, the auth flow seems to work just fine. But I'm trying to set up a staging environment where it would be useful to use VERCEL_URL for preview deploy URLs that can't be known ahead of time.

To Reproduce
Steps to reproduce the behavior.

  • Use VERCEL_URL environment variable in NextAuth site value.
  • Attempt to login via boilerplate sign-in

Include example code (or link to public repository) which can be used to reproduce the behaviour.

Expected behavior
A clear and concise description of what you expected to happen.

  • successful login

Screenshots or error logs
If applicable, add screenshots or error logs to help explain the problem.

Using VERCEL_URL to get base URL for different branches

Screen Shot 2020-06-29 at 11 16 19 AM

Console logging the VERCEL_URL to confirm it is correct

Screen Shot 2020-06-29 at 11 18 40 AM

Using boilerplate signin page

Screen Shot 2020-06-29 at 11 18 54 AM

Redirect URL appears to duplicate content and break.

Screen Shot 2020-06-29 at 11 19 03 AM

Additional context
Add any other context about the problem here.

Documentation feedback
Documentation refers to searching through online documentation, code comments and issue history. The example project refers to next-auth-example.

  • Found the documentation helpful
  • Found documentation but was incomplete
  • Could not find relevant documentation
  • Found the example project helpful
  • Did not find the example project helpful
@ryanbahan ryanbahan added the bug Something isn't working label Jun 29, 2020
@iaincollins
Member

We don't currently recommend using VERCEL_URL and suggest you set the URL explicitly.

Unfortunately there is an unresolvable problem that most OAuth providers need an explicitly configured URL and do not accept wildcard URLs as callback URLs; so it's fine for Email or Credentials based auth, but no good for using with an OAuth provider unless you have a staging site with a fixed name.

I'm not quite sure what is going on with that URL though, I guess it doesn't have the HTTPS prefix and needs to be passed as https://{process.env.VERCEL_URL}.

We are considering introducing the option to set NEXTAUTH_URL in v3 so that it can be set more easily (and automatically defaulting to VERCEL_URL if set) - but it would still need to be explicitly configured to actually sign in with an OAuth provider.

@ryanbahan
Author

Ah, gotcha. Thanks for the quick response on this. Yeah I was planning to manually set a fixed staging URL anyways, using VERCEL_URL was more of just a workaround so that I wouldn't need extra environment setup. But that shouldn't be too much of a hassle. Sounds interesting RE: v3!

@iaincollins
Member

This is a super annoying aspect of OAuth, and am very much thinking about ways we can make this easier!

Using an email provider sign in option works well in this scenario, but am thinking about other ways to help folks with this.

@iaincollins iaincollins added the stale Did not receive any activity for 60 days label Jun 30, 2020
@iaincollins
Member

  • I think in future we will conditionally auto-prefix and strip slashes from the site name to make it easier to configure.
  • I'm actually considering defaulting to VERCEL_URL if the site url is not configured.
  • Not sure yet what we can do about making it easier to test OAuth instances on Pull Request / Test environments.

One option might be to handle it via a tutorial.

e.g. how to conditionally enable an alternative provider (e.g. Email or Credentials based) on non-production environments.

We could also provide a dedicated OAuth service for this…
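
The site-URL handling discussed in this thread (adding the scheme to VERCEL_URL, stripping trailing slashes, and offering only a non-OAuth provider on preview deployments), as an added example that is not code from NextAuth or from any participant. `SITE_URL`, `REGISTERED_ORIGINS`, both function names and the provider labels are assumptions made for illustration.

```javascript
// Added example: names below are hypothetical, not NextAuth APIs.
// Origins registered as callback URLs with the OAuth provider (constructed values).
const REGISTERED_ORIGINS = ['https://example.com', 'https://staging.example.com'];

// VERCEL_URL is a bare hostname ("my-app-abc123.vercel.app"). Add the scheme,
// strip trailing slashes, and refuse values that should never be a site URL.
function normalizeSiteUrl(raw) {
  if (typeof raw !== 'string' || raw.trim() === '') {
    throw new Error('site URL is not set');
  }
  let value = raw.trim();
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(value)) {
    value = `https://${value}`; // no scheme present: assume HTTPS
  }
  const url = new URL(value); // throws TypeError on malformed input
  const isLocalDev = url.protocol === 'http:' && url.hostname === 'localhost';
  if (url.protocol !== 'https:' && !isLocalDev) {
    throw new Error(`refusing non-HTTPS site URL: ${url.protocol}//${url.host}`);
  }
  if (url.username || url.password || url.search || url.hash) {
    throw new Error('site URL must not carry credentials, query or fragment');
  }
  return url.origin + url.pathname.replace(/\/+$/, '');
}

// Choose providers for this deployment. OAuth is offered only when the origin
// is one the provider already knows; preview deployments fall back to email.
function resolveAuthConfig(env) {
  const site = normalizeSiteUrl(env.SITE_URL || env.VERCEL_URL);
  const oauthAllowed = REGISTERED_ORIGINS.includes(new URL(site).origin);
  return { site, providers: oauthAllowed ? ['oauth', 'email'] : ['email'] };
}

// Constructed inputs: a preview deployment and a fixed staging site.
console.log(resolveAuthConfig({ VERCEL_URL: 'my-app-abc123.vercel.app' }));
console.log(resolveAuthConfig({ SITE_URL: 'https://staging.example.com/' }));
```

Matching on an exact list of origins mirrors the constraint described above: the OAuth provider only redirects to callback URLs it has been given explicitly, so a per-deployment hostname cannot complete an OAuth sign-in.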
