feat: /tokens endpoint #951
Co-authored-by: Balázs Orbán <info@balazsorban.com>
Vercel archived their now packages a while back, so you can use vercel env pull to pull in the .env
This is a simple typographical error changed accesed to accessed
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7769 reports a high-severity issue with the current version of nodemailer. This should be merged and released right away if possible.
The current routing for the Okta provider does not follow the standard set by Okta, and as such doesn't allow for custom subdomains. This update amends the routes to allow for customer subdomains, and also aligns next-auth with Okta's documentation.
* chore(deps): upgrade "standard" * style(lint): run lint fix * fix(provider): optional chain Spotify provider profile img
* chore: use stale label, instead of wontfix * chore: add link to issue explaining stalebot * chore: fix typo in stalebot comment * chore: run build GitHub Action on canary also * chore: run build GitHub Actions on canary as well * chore: add reproduction section to questions
* Fixed Reddit Authentication * updated fix for build test * updated buffer to avoid deprecation message * Updated for passing tests
* update: deps * fix: broken link * fix: search upgrade change
* Include callbackUrl in newUser page * Update src/server/routes/callback.js Co-authored-by: Iain Collins <me@iaincollins.com> * Update src/server/routes/callback.js Co-authored-by: Iain Collins <me@iaincollins.com> Co-authored-by: Iain Collins <me@iaincollins.com> Co-authored-by: Nico Domino <yo@ndo.dev>
* Add support for Fauna DB * Add integration tests Co-authored-by: Nico Domino <yo@ndo.dev>
Co-authored-by: styxlab <cws@DE01WP777.scdom.net> Co-authored-by: Balázs Orbán <info@balazsorban.com>
Bumps [next](https://github.com/vercel/next.js) from 9.5.3 to 9.5.4. - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v9.5.3...v9.5.4) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Nico Domino <yo@ndo.dev>
* Add Bungie provider * Use absolute URL for images * Correct image URL and use consistent formatting Co-authored-by: Nico Domino <yo@ndo.dev>
* add provider: Microsoft * documentation * support no tenant setup * fix code style * chore: rename Microsoft provider to AzureADB2C * chore: alphabetical order in providers/index * doc: add provider to FAQ
* Update Slack to v2 authorize urls, option for additional authorize params * acessTokenGetter + documentation
Co-authored-by: Balázs Orbán <info@balazsorban.com> Co-authored-by: Nico Domino <yo@ndo.dev>
Bumps [highlight.js](https://github.com/highlightjs/highlight.js) from 9.18.1 to 9.18.5. - [Release notes](https://github.com/highlightjs/highlight.js/releases) - [Changelog](https://github.com/highlightjs/highlight.js/blob/9.18.5/CHANGES.md) - [Commits](highlightjs/highlight.js@9.18.1...9.18.5) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Balázs Orbán <info@balazsorban.com> Co-authored-by: Nico Domino <yo@ndo.dev>
This allows us to check if the user is signed in when using JWTs Part of #625
* chore: use stale label, instead of wontfix * chore: add link to issue explaining stalebot * chore: fix typo in stalebot comment * chore: run build GitHub Action on canary also * chore: run build GitHub Actions on canary as well * chore: add reproduction section to questions * feat(provider): Add Azure Active Directory B2C (#809) * add provider: Microsoft * documentation * support no tenant setup * fix code style * chore: rename Microsoft provider to AzureADB2C * chore: alphabetical order in providers/index * Revert "feat(provider): Add Azure Active Directory B2C (#809)" (#919) This reverts commit 6e6a24a. * chore: add myself to the contributors list 🙈 * docs: fix incorrect references in cypress docs * chore: add additional docs clarification Co-authored-by: Balázs Orbán <info@balazsorban.com> Co-authored-by: Vladimir Evdokimov <evdokimov.vladimir@gmail.com>
* refactor: provide raw idToken through account object * docs: clear up accessToken naming * refactor: provide raw token response to account * chore: fix grammar in comments
Forwarding expires_in as is to accessTokenExpires has shown to cause issues with Prisma, and maybe with other flows as well. Setting it back to `null` for now. We still forward `expires_in`, so users can use it if they want to. Fixes #1216
* chore: add twitter provider to dev app * feat: bind client instance to overridden methods * fix: don't add extra params to getOAuthRequestToken * chore: add twitter to env example, add secret gen instructions
Closing curly bracket where it should have been a square bracket.
…#1219) * chore: add credentials provider to dev app * feat: add redirect option to signIn, signOut * feat: set correct status codes for credentials errors * chore: add credentials page to dev app * fix: support any provider name for credentials
* chore: replace standard with ts-standard * feat(ts): add some initial types * feat(ts): import and use types * chore: allow global fetch through package.json * chore: upgrade lint scripts to use ts-standard * chore: run linter on dev app * chore(ts): satisfy dev Next.js server for TS * fix: add eslint as dev dependency * fix(lint): ignore next-env.d.ts from linting * feat(ts): improve cookies options types * fix: run linter with fix
* Adding EVEOnline provider * Adding EVEOnline provider * Adding EVEOnline provider * Adding EVEOnline provider * Adding EVEOnline provider * Adding EVEOnline provider * Adding EVEOnline provider * Adding EVEOnline provider Co-authored-by: Gerald McNicholl <gerald.mcnicholl@xero.com>
```js
const response = await fetch(provider.accessTokenUrl, {
  body: new URLSearchParams({
    client_id: provider.clientId,
    client_secret: provider.clientSecret,
    // … (remaining parameters truncated in the review view)
  })
})
```
PKCE does not have a secret; may need some other params also.
Going to come back to this at a later point. A lot of bigger changes are being made currently, that need to be done first.
Hi @balazsorban44! I appreciate your work on this topic very much, your snippets are of great value. We are currently facing issues when logging out (using oauth/oidc with keycloak 12.0.2, next 10.2.0 and next-auth 3.23.1). The problem is, that logging out does not quit the keycloak session, so when executing signIn() again, the user is logged in without the need to provide credentials/authenticate. Considering your comment "In addition to the above mentioned access_token and refresh_token cookie, it will also save the id_token in a separate cookie, that can be used when logging out of OIDC providers. This will make it possible to do federated logout" could you advise any workaround until the new features will be merged?
Thank you @frrr1. More info about federated logout here: #836 But if you only want to force the user to prompt the user with a login screen, check out the Pass it as the Note, the previous user will still be logged in on the computer, but the new one will be forced to give their credentials. So I guess depending on your situation this should be fine, or not acceptable (if computers are shared or the users don't trust each other).
What:

The goal of this PR is to create a new `/tokens` endpoint, that the users can call, and if they have a valid session, the `access_token` will be returned. In the case of OpenID Connect (OIDC) compliant providers, we can also try to keep that token fresh, by using a refresh token.

We can also add a new hook `useAccessToken`, to provide users a nice API to retrieve an access token, without needing to configure the `jwt` and `session` callbacks.

Why:

One of the most popular usages of the `jwt` and `session` callbacks is to put an `access_token` in the `session` cookie, so the users can do client-side calls to protected APIs.

How:

This will be a new `/tokens` endpoint. The `access_token` will be saved into its own cookie by default (along with the `refresh_token` and expiry date), to mitigate the 4096-byte limit common browsers use. This way, the session cookie will free up enough space for the users to save even more stuff there about the user, if they wish.

As of v4, this is irrelevant as we implement cookie chunking (if the session is larger than 4096 bytes, we split it into multiple cookies and merge them when reading.)

Checklist:

This is a continuation of #513

In addition to the above mentioned `access_token` and `refresh_token` cookie, it will also save the `id_token` in a separate cookie, that can be used when logging out of OIDC providers. This will make it possible to do federated logout.
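As an added illustration of the design described above (this is example code written for this page, not the PR's implementation or next-auth's API), the following sketches a `/tokens` handler as pure functions: it reads the token cookie, returns only the `access_token` to the caller, refreshes an expiring token through the provider's `refresh_token` grant, and splits the stored cookie into chunks so no single cookie exceeds 4096 bytes. The cookie name `next-auth.tokens`, the JSON layout stored in it, the `provider` fields and the injected `fetchImpl` are all assumptions made so the example runs offline.

```javascript
// Added example, not next-auth's own code. Assumed: cookie name, stored JSON shape
// { access_token, refresh_token, id_token, expires_at }, provider fields
// (accessTokenUrl, clientId, clientSecret) and an injected fetch implementation.
const COOKIE_LIMIT = 4096                  // common per-cookie browser limit
const TOKEN_COOKIE = 'next-auth.tokens'    // assumed cookie name
const REFRESH_SKEW_SECONDS = 60            // refresh shortly before real expiry

// Split a serialized value into name.0, name.1, ... so each cookie stays under the limit.
function chunkCookie(name, value, limit = COOKIE_LIMIT) {
  const chunkSize = limit - name.length - 8     // headroom for the ".N=" suffix (assumed)
  const chunks = []
  for (let i = 0; i < value.length; i += chunkSize) {
    chunks.push({ name: `${name}.${chunks.length}`, value: value.slice(i, i + chunkSize) })
  }
  return chunks
}

// Reverse of chunkCookie: accept an unchunked cookie or name.0, name.1, ... in order.
function joinChunks(cookies, name) {
  if (cookies[name] !== undefined) return cookies[name]
  let value = ''
  for (let i = 0; cookies[`${name}.${i}`] !== undefined; i++) value += cookies[`${name}.${i}`]
  return value === '' ? null : value
}

// A tampered or truncated cookie is treated as "no session", never as a partial one.
function readTokens(cookies) {
  const raw = joinChunks(cookies, TOKEN_COOKIE)
  if (!raw) return null
  try { return JSON.parse(raw) } catch { return null }
}

function needsRefresh(tokens, nowSeconds) {
  return typeof tokens.expires_at === 'number' && tokens.expires_at - REFRESH_SKEW_SECONDS <= nowSeconds
}

// OIDC refresh_token grant. Providers may rotate the refresh token, so the
// returned one replaces the stored one; the old one is kept only if none is returned.
async function refreshTokens(provider, tokens, fetchImpl, nowSeconds) {
  const body = new URLSearchParams({
    grant_type: 'refresh_token',
    refresh_token: tokens.refresh_token,
    client_id: provider.clientId,
    client_secret: provider.clientSecret,
  })
  const res = await fetchImpl(provider.accessTokenUrl, { method: 'POST', body })
  if (!res.ok) throw new Error(`refresh failed with status ${res.status}`)
  const fresh = await res.json()
  return {
    access_token: fresh.access_token,
    refresh_token: fresh.refresh_token ?? tokens.refresh_token,
    id_token: fresh.id_token ?? tokens.id_token,
    expires_at: nowSeconds + Number(fresh.expires_in),
  }
}

// The /tokens handler. Only access_token and its expiry reach browser JavaScript;
// refresh_token and id_token stay in the (HttpOnly) cookie written via setCookies.
async function tokensHandler({ cookies, provider, fetchImpl, nowSeconds }) {
  const unauthorized = { status: 401, body: {}, setCookies: [] }
  const tokens = readTokens(cookies)
  if (!tokens || !tokens.access_token) return unauthorized
  if (!needsRefresh(tokens, nowSeconds)) {
    return { status: 200, body: { access_token: tokens.access_token, expires_at: tokens.expires_at }, setCookies: [] }
  }
  if (!tokens.refresh_token) return unauthorized     // expired and nothing to refresh with
  let fresh
  try { fresh = await refreshTokens(provider, tokens, fetchImpl, nowSeconds) } catch { return unauthorized }
  return {
    status: 200,
    body: { access_token: fresh.access_token, expires_at: fresh.expires_at },
    setCookies: chunkCookie(TOKEN_COOKIE, JSON.stringify(fresh)),
  }
}
```

The handler deliberately never echoes `refresh_token` or `id_token` to the caller: the access token is what client-side API calls need, while the other two are only useful server-side (refreshing, and the federated logout the description mentions), so exposing them to page scripts would only widen the impact of an XSS.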