"Unexpected ID Token returned" using Microsoft ADFS / Custom OAuth provider

[busch]

Question 💬

Hello next-auth Community,

I use a custom OAuth provider for Microsoft Active Directory Federation Services Server (ADFS), but I cannot get it to work. I can authenticate successfully on ADFS, but as soon as I receive the authorization code from ADFS, next-auth logs the following error:

[next-auth][error][OAUTH_CALLBACK_ERROR] 
https://next-auth.js.org/errors#oauth_callback_error Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing {
  error: OperationProcessingError: Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing
      at Module.processAuthorizationCodeOAuth2Response (file:///Users/username/dev/sveltekit/api-routes/node_modules/oauth4webapi/build/index.js:1013:19)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
      at async handleOAuthCallback (file:///Users/username/dev/sveltekit/api-routes/node_modules/@auth/core/lib/oauth/callback.js:84:22)
      at async Module.callback (file:///Users/username/dev/sveltekit/api-routes/node_modules/@auth/core/lib/routes/callback.js:13:80)
      at async AuthHandlerInternal (file:///Users/username/dev/sveltekit/api-routes/node_modules/@auth/core/index.js:86:38)
      at async Proxy.AuthHandler (file:///Users/username/dev/sveltekit/api-routes/node_modules/@auth/core/index.js:216:30)
      at async respond (file:///Users/username/dev/sveltekit/api-routes/node_modules/@sveltejs/kit/src/runtime/server/index.js:229:20)
      at async file:///Users/username/dev/sveltekit/api-routes/node_modules/@sveltejs/kit/src/exports/vite/dev/index.js:444:22 {
    name: 'OAuthCallbackError',
    code: undefined
  },
  providerId: 'adfs',
  message: 'Unexpected ID Token returned, use processAuthorizationCodeOpenIDResponse() for OpenID Connect callback processing'
}

My ADFS setup seems to be working: When I use Postman to send the authorize and token request, I can retrieve the access_token, refresh_token and id_token. Additionally, if I open Chrome developer tools, I can see that next-auth receives the callback:

http://localhost:5173/auth/callback/adfs?code=AAAAAAAAAAAAAAAAAAAAAA.WC2WQADi2ghlAMjNpRzxqdkDqPE.nSO0FD7sDmAa8bEm3Qx3Rvpi-_p-a8cb4Yiiyxcp58lxrYGqCzchAQtF5Q9-7Ah3hXQT96f_Yh1LtpQAtt1hIjIUJt4poiAmSB4BzvuQV8ijKdjpJ8ppXt7y1-qPmBjvcuVmzKMzH-wyhM8ur0UhgKcABiGRnyNzVUYKFQkFFMqlEWfMHV0UPCRgrLxBsba7jz6FeF7nc1TjkohQwphKo1muugjCS87Z5Syrl0KoyxO9cJk1U82LYVLOyF7VVQKk3KPAYynfhi4YSVa03ItyTu4D3J5mnJ0YMCxFvj_UUpNa1Pzd4TY-mYp8NZ99kgYeg9Xe71dW2Te1kk5Bp5Fh_Q

If it is relevant, a id_token from ADFS looks like this:

{
  "aud": "c8127e8e-43ec-4e8c-ab3e-9d4718075fd1",
  "iss": "https://sts.example.com/adfs",
  "iat": 1671476232,
  "nbf": 1671476232,
  "exp": 1671479832,
  "auth_time": 1671474797,
  "sub": "gPASKeGLBapDlSV4LiaigF8J99krljM7sj2itIJJaIU=",
  "upn": "user@example.com",
  "unique_name": "DOMAINNAME\\user",
  "sid": "S-1-5-21-5684951274-1976985762-2170326571-10803",
  "given_name": "user",
  "family_name": "lastname",
  "apptype": "Confidential",
  "appid": "c8127e8e-43ec-4e8c-ab3e-9d4718075fd1",
  "authmethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
  "ver": "1.0"
}

How do I troubleshoot this issue?
Did I miss something in the provider configuration?
Do I really need to use "processAuthorizationCodeOpenIDResponse()" as the error message suggests? If so, where is the documentation for it?

How to reproduce ☕️

1. Setup ADFS for OAuth
2. Use the following provider config:

providers: [
	{
		id: 'adfs',
		name: 'adfs',
		type: 'oauth',
		clientId: ADFS_OAUTH_CLIENT_ID,
		clientSecret: ADFS_OAUTH_CLIENT_SECRET,
		wellKnown: 'https://adfs.example.com/adfs/.well-known/openid-configuration',
		authorization: {
			url: 'https://adfs.example.com/adfs/oauth2/authorize',
			params: {
				scope: 'openid'
			}
		},
		issuer: 'https://adfs.example.com/adfs',
		token: 'https://adfs.example.com/adfs/oauth2/token',
		userinfo: 'https://adfs.example.com/adfs/userinfo',
		profile(profile) {
			return {
				id: profile.id
			};
		}
	}
]

Contributing 🙌🏽

No, I am afraid I cannot help regarding this

[busch]

Any idea somebody?
i would be happy when somebody could describe how to troubleshoot this kind of issues.

[busch]

In case anybody get into the same issue. I was able to fix it by using "type: 'oidc'" instead of "type: 'oauth'". Here is my working example:

providers: [
	{
		id: 'adfs',
		name: 'adfs',
		type: 'oidc',
		clientId: ADFS_OAUTH_CLIENT_ID,
		clientSecret: ADFS_OAUTH_CLIENT_SECRET,
		wellKnown: 'https://adfs.example.com/adfs/.well-known/openid-configuration',
		authorization: {
			url: 'https://adfs.example.com/adfs/oauth2/authorize',
			params: {
				scope: 'openid'
			}
		},
		issuer: 'https://adfs.example.com/adfs',
		token: 'https://adfs.example.com/adfs/oauth2/token',
		userinfo: 'https://adfs.example.com/adfs/userinfo',
		profile(profile) {
			return {
				id: profile.sub,
                                 upn: profile.upn
			};
		}
	}
]

[Ekkana]

Man, you are the best) Thank you!

[jsykesdev]

I thought type had to be a supported type : "Credentials, OAuth, etc " , so wouldn't simply changing that to 'oidc' hide it in the login form?

[lutfiarahmanda]

i just got the same error but with Facebook provider, using Auth.js V5, there is no setting to use "OIDC" as default type is "OAUTH"

even when i try to login Facebook with https://next-auth-example.vercel.app/server-example it not returnet the session data

[Bjornnyborg]

Experiencing a similar problem for a custom OAUTH provider. :/

[lutfiarahmanda]

i ended up downgrading and adding this one

#10330 (comment)

[yuanwen-tian]

I got a same error, after I changed provider type from 'oauth' to 'oidc', it worked, not sure if this is the same case to others.

providers: [ { ... type: 'oidc', } ]