fix: send /authorize params through url

nextauthjs · Feb 1, 2021 · 30c6d63 · 30c6d63
1 parent 214b22e
commit 30c6d63
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 7 deletions.
diff --git a/src/client/index.js b/src/client/index.js
@@ -236,7 +236,7 @@ const _useSessionHook = (session) => {
 // Client side method
 export const signIn = async (provider, args = {}, authorizationParams = {}) => {
   const baseUrl = _apiBaseUrl()
-  const callbackUrl = args.callbackUrl ?? window.location
+  const callbackUrl = args?.callbackUrl ?? window.location
   const providers = await getProviders()
 
   // Redirect to sign in page if no valid provider specified
@@ -256,14 +256,13 @@ export const signIn = async (provider, args = {}, authorizationParams = {}) => {
         'Content-Type': 'application/x-www-form-urlencoded'
       },
       body: _encodedForm({
-        ...args,
-        authorizationParams,
         csrfToken: await getCsrfToken(),
         callbackUrl: callbackUrl,
         json: true
       })
     }
-    const res = await fetch(signInUrl, fetchOptions)
+    const _signInUrl = `${signInUrl}?${_encodedForm(authorizationParams)}`
+    const res = await fetch(_signInUrl, fetchOptions)
     const data = await res.json()
     window.location = data.url ?? callbackUrl
   }

diff --git a/src/server/lib/signin/oauth.js b/src/server/lib/signin/oauth.js
@@ -6,10 +6,11 @@ export default async function getAuthorizationUrl (req) {
 
   const client = oAuthClient(provider)
   if (provider.version?.startsWith('2.')) {
+    delete req.query?.nextauth
     // Handle OAuth v2.x
     let url = client.getAuthorizeUrl({
       ...provider.authorizationParams,
-      ...req.body.authorizationParams,
+      ...req.query,
       redirect_uri: provider.callbackUrl,
       scope: provider.scope
     })

diff --git a/www/docs/getting-started/client.md b/www/docs/getting-started/client.md
@@ -214,7 +214,7 @@ The URL must be considered valid by the [redirect callback handler](/configurati
 
 It is also possible to pass additional parameters to the `/authorize` endpoint through the third argument of `signIn()`.
 
-See the [Authorization Request OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) for some ideas.
+See the [Authorization Request OIDC spec](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) for some ideas. (These are not the only possible ones, all parameters will be forwarded)
 
 e.g.
 
@@ -226,7 +226,7 @@ You can also set these parameters through [`provider.authorizationParams`](/conf
 :::
 
 :::note
-The following parameters are always overridden: `redirect_uri`, `scope`, `state`
+The following parameters are always overridden server-side: `redirect_uri`, `scope`, `state`
 :::
 
 ---