
Is "Authorization Code + PKCE" Supported? #685

Closed
1 of 5 tasks
garnerp opened this issue Sep 18, 2020 · 23 comments · Fixed by #941
Labels
question Ask how to do something or how something works

Comments

@garnerp

garnerp commented Sep 18, 2020

Your question
Does next-auth support "Authorization Code + PKCE"?

What are you trying to do
Trying to add a new provider using the "Authorization Code + PKCE" flow (Akamai, using a Public Client). I was able to generate a code_challenge and send that into the auth endpoint. I couldn't figure out how to send in the code_verifier though. I tried in the provider.params as it looks like that is what gets added to the postData, but it's throwing an error.

  • Found the documentation helpful
  • Found documentation but was incomplete
  • Could not find relevant documentation
  • Found the example project helpful
  • Did not find the example project helpful
@garnerp garnerp added the question Ask how to do something or how something works label Sep 18, 2020
@LoriKarikari
Contributor

@garnerp PKCE is currently not supported.

@iaincollins
Member

Yeah, sorry @garnerp.

We intend to add support for it, as I appreciate it is now required for Open ID compliance.

@IkeLutra

@iaincollins is there any way we can get involved in helping to implement PKCE?

@TommySorensen

@iaincollins I very much need the "Authorization Code + PKCE" on a project I am working on. I can't login with the IdentityServer4 because a "code challenge" is needed. When will this be implemented in NextAuth or does anyone know a workaround to the code challenge with a custom provider?

@creteurlouis

Did someone successfully get nextauth + identityserver4 to work?

@TommySorensen

Did someone successfully get nextauth + identityserver4 to work?

Yes works fine, but never got the PKCE to work since it's not supported in this package. Basically you just need to follow the examples in the documentation and you will have something to start with.


@balazsorban44
Member

@IkeLutra your insights are welcome on #941!

@creteurlouis I recommend you create a separate question in the Discussions, or an issue with a public reproduction repository. This would accelerate the process of helping you! 🙂

@nick-myers-dt

We're at a decisive juncture on our project, and PKCE support is a deciding factor for us. We'd like to use next-auth in combination with Okta, using PKCE. I wondered whether the team or community had a sense of whether the linked PR (#941) was likely to make it into a release 'soon' (weeks) or not? We'd also be happy to test and contribute in any way we can.

@balazsorban44
Member

balazsorban44 commented Dec 9, 2020

@nick-myers-dt If you want to test it out right now, I think you could clone the branch feature/pkce in your project's node_modules, cd into it, npm install, and npm build.

We are aiming for a canary (unstable) release this month, but cannot promise this PR will make it. I JUST started it, and there are some things we need to figure out. Feel free to try the above-mentioned method, and please come with feedback in the PR's comment section.

@thulstrup

@balazsorban44 I tried cloning the next-auth-example and then replacing next-auth in node_modules with a version I built from the feature/pkce branch.

When I try to sign in with IdentityServer4 I'm redirected to this url (notice the [object Object]).
https://demo.identityserver.io/connect/[object%20Object]?code_challenge=d5MWEkc-lpczVadZp9YjMIHwn28fcGwzzxShhLGtS5U&code_challenge_method=S256

@balazsorban44
Member

balazsorban44 commented Jan 18, 2021

Thanks @thulstrup, this is useful! I think I can see the issue. I'll hopefully be able to fix this later today, and I'll let you know when you could try this again.

@thulstrup

Sure, that would be great.

@thulstrup

Replacing

const newParams = { ...url.searchParams, ...providerParams }
url = new URL(newParams.toString(), url);

with

for (let [key, val] of providerParams.entries()) {
  url.searchParams.append(key, val);
}

seems to fix the [object Object] issue.
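The [object Object] path in the report above comes from spreading a URLSearchParams into a plain object and then stringifying that object. The following is an added example, not code from next-auth or from anyone in this thread, that reproduces the broken merge beside the working one. The base URL is constructed from the IdentityServer demo host mentioned in the report, and the challenge value is a placeholder:

```javascript
// Added example (not next-auth's own code): why the original merge produced
// "[object Object]" and how appending onto url.searchParams avoids it.

// Reproduces the original (broken) merge. URLSearchParams exposes no own
// enumerable string-keyed properties, so the spread yields an object with
// none of the query entries, and Object.prototype.toString on a plain object
// is "[object Object]". new URL() then resolves that string as a relative
// path against the base, replacing the last path segment and dropping the
// original query string.
function buggyMerge(baseUrl, providerParams) {
  let url = new URL(baseUrl);
  const newParams = { ...url.searchParams, ...providerParams };
  url = new URL(newParams.toString(), url);
  return url.href;
}

// Working merge: append each provider parameter onto the existing query
// string, so the path and the base URL's own parameters are preserved.
function mergeParams(baseUrl, providerParams) {
  const url = new URL(baseUrl);
  for (const [key, val] of providerParams.entries()) {
    url.searchParams.append(key, val);
  }
  return url.href;
}

// Constructed sample input modelled on the demo host in the report above.
const BASE = "https://demo.identityserver.io/connect/authorize?scope=openid";
const PROVIDER_PARAMS = new URLSearchParams({
  code_challenge: "EXAMPLE_CHALLENGE", // placeholder, not a real challenge
  code_challenge_method: "S256",
});

console.log("broken :", buggyMerge(BASE, PROVIDER_PARAMS));
console.log("working:", mergeParams(BASE, PROVIDER_PARAMS));
```

The broken variant also silently discards whatever was already in the query string (here `scope=openid`), which is easy to miss when only the path looks wrong.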

@balazsorban44
Member

So this issue has been solved, but I hit a wall. I was too naive to think that I could create a PKCE challenge and verifier as in the PR right now. The way it is now will create a new challenge and verifier on every call, so the Provider won't be able to verify anything. I have an idea but I have to discuss it with @iaincollins. I'll push my changes anyway tomorrow, so you can have a look.

@github-actions

🎉 This issue has been resolved in version 3.2.0-canary.29 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions

github-actions bot commented Feb 1, 2021

🎉 This issue has been resolved in version 3.3.0-canary.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

@vtrphan

vtrphan commented Feb 24, 2021

What is the current status of PKCE support? Does NextAuth support PKCE now?

@balazsorban44
Member

balazsorban44 commented Feb 24, 2021

Yes, it does. Set protection: "pkce" in your provider options, and make sure your provider supports it as well.

Tested with Auth0 and IDS4. Maybe even GitHub, but not 100% on that one.

Also make sure you have a fairly recent version (recommend 3.5.1 as of this writing) installed.

@joovnaz

joovnaz commented Mar 7, 2021

Tried with Okta with bad results.
Debug client logs:

[next-auth][error][oauth_callback_error]
https://next-auth.js.org/errors#oauth_callback_error {
  statusCode: 400,
  data: '{"error":"invalid_grant","error_description":"The authorization code is invalid or has expired."}'
}

Clearly, with a client secret it works fine, as well described in Build a Next.js Application with TypeScript.

@balazsorban44
Member

@joovnaz please open a bug report with a complete reproduction if you have issues.

@viniciuscr
Contributor

viniciuscr commented Mar 16, 2021

I've got the same error as @joovnaz, but looking at the url that okta returned there is one more clue:
PKCE code challenge is required when the token endpoint authentication method is "NONE"

What is happening is that the Okta provider is not using the PKCE flow.
An example of a correct URL would be:
/v1/authorize?
client_id=0oapu4btsL2xI0y8y356
&redirect_uri=http://localhost:8080/callback
&response_type=id_token token
&response_mode=fragment
&state=SU8nskju26XowSCg3bx2LeZq7MwKcwnQ7h6vQY8twd9QJECHRKs14OwXPdpNBI58
&nonce=Ypo4cVlv0spQN2KTFo3W4cgMIDn6sLcZpInyC40U5ff3iqwUGLpee7D4XcVGCVco
&scope=openid profile email

The bold params are the problematic ones:
response_type goes as "code" instead of "id_token token" and the others are missing.

Is there a way to pass this to the okta provider?
It does look like the Okta provider ignores the
protection: "pkce" param.

@0xdevalias

For anyone who ends up on this issue from Google/other issue links, as per this discussion:

protection was renamed to checks in this PR:
