Bug? : v5 + keycloak => redirect_uri is bad : http instead of https

[gene-git]

Versions:

├── next-auth@5.0.0-beta.20
├── next@14.2.5

Setup:

keycloak server reachable via https://keycloak.xxx.com:
nginx web server reachable via https://xxx.com

keycloak has valid redirect_uri set as https://xxx.com/api/auth/callback/keycloak

nginx is reverse proxy for nextjs app + next-auth (v5-20).
where app is running on webserver host at localhost:

nginx uses:

location / {
        limit_except GET HEAD POST { deny all; }
        proxy_pass http://localhost:$app_port;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

a) user can go to keycloak directly and login fine.
b) website works but when user tries to sign in keycloak complains with 'invalid parameter : redirect_uri'

The reason is the redirect_uri is http://xxx.com/api/auth/callback/keycloak/..... instead of https://xxx.com

---

help please!!

Very much appreciate suggestions how to solve the problem and get authjs to use https for callback ??

thank you.

[gene-git]

Env has
AUTH_TRUST_HOST=true
If I add AUTH_URL="https://xxx.com/auth/api"

then keycloak gets a good redirect_uri and offers login page which works fine.
but then the callback fails and gives 302 to

/api/auth/error?error=Configuration

server error.

[gene-git]

If I start the app in dev mode using same production keycloak server everything works fine - login works and the callback to the app is perfect. This works without setting AUTH_TRUST_HOST nor AUTH_URL.

So something about fronting the app behind nginx reverse proxy breaks something.

thanks for any guidance.

When running behind the reverse proxy:
The pm2 logs have this as last entry - perhaps its relevant somehow?

[auth][error] CallbackRouteError: Read more at https://errors.authjs.dev#callbackrouteerror
[auth][cause] eQ: unexpected JWT "alg" header parameter

Nothing similar when running without proxy.

[gene-git]

For completeness I tried the workaround from here #10928 (comment)

But problem remains - perhaps not a surprise as the function simply returns req when AUTH_TRUST_HOST == 'true'

[gene-git]

This PR also did not fix it for me 3500043

[ezeparziale]

I am experiencing the same problem with the Google provider + nginx. I have set trustHost: true and redirectProxyUrl in the authConfig, but after logging in, I am redirected to an error page with error=Configuration. It seems that the fix #10928 (comment) is not working for me.

[gene-git]

Thanks for confirming @ezeparziale .

As I see things, part of the challenge is that next-auth is very high level and when it doesn't work it makes it difficult to deal with short of changing the tool itself. when it works its pretty great.

I am going to look into lucia - have started reading and added comment here: lucia-auth/lucia#1231

[ezeparziale]

@gene-git

After testing and reviewing the core code of the library, I made the following adjustments:

In authConfig set:

  trustHost: true,
  useSecureCookies: true,
  redirectProxyUrl: "https://<mi-domain>/api/auth",

in api/auth/[...nextauht]:

import { NextRequest } from "next/server"

import { handlers } from "@/auth"

const reqWithTrustedOrigin = (req: NextRequest): NextRequest => {
  req.headers.set("x-forwarded-proto", resolveHttpProtocol())

  const host = req.headers.get("x-forwarded-host")

  req.headers.set("host", host!)

  const envOrigin = `https://${host}`

  const { href, origin } = req.nextUrl
  return new NextRequest(href.replace(origin, envOrigin), req)
}

export const GET = (req: NextRequest) => {
  return handlers.GET(reqWithTrustedOrigin(req))
}

export const POST = (req: NextRequest) => {
  return handlers.POST(reqWithTrustedOrigin(req))
}

function resolveHttpProtocol() {
  return process.env.NODE_ENV === "production" ? "https" : "http"
}

And in the middleware.ts added:

   request.headers.set("x-forwarded-proto", resolveHttpProtocol())

  request.headers.forEach((value, key) => {
    response.headers.set(key, value)
  })

With these changes, I can log in with Google without any problem, but now I sometimes get a 502 Bad Gateway from Nginx. I suppose it's related to this: https://stackoverflow.com/questions/38471404/passport-js-express-google-oauth-502-bad-gateway-on-nginx/38758325#38758325