How to ensure the User ID is the same as the Provider Account ID?

[tobiasbueschel]

Hi team,

Thanks to all of you for building Auth.js - it's a fantastic library and simplifies IAM work a lot 👏

Context

I'm integrating Auth.js into a Next.js application that will only ever connect to a single identity provider via OIDC using the JWT-based session strategy.

• I would like to store the provider's Account ID (i.e. the sub of the user's JWT) into a User table in my database
• As I will never use any other accounts than the aforementioned identity provider, I would like to avoid keeping a separate Account table as a User table already suffices for my use case

The problem I ran into

However, at the moment, there seems to be no way to ensure the user.id is exactly the same as the providerAccountId or in other words the same as the JWT sub created by the provider as it's being overwritten here:

next-auth/packages/core/src/lib/actions/callback/oauth/callback.ts

Lines 305 to 313 in 3ec0684

	const userFromProfile = await provider.profile(OAuthProfile, tokens)
	const user = {
	...userFromProfile,
	// The user's id is intentionally not set based on the profile id, as
	// the user should remain independent of the provider and the profile id
	// is saved on the Account already, as `providerAccountId`.
	id: crypto.randomUUID(),
	email: userFromProfile.email?.toLowerCase(),
	} satisfies User

I've found a workaround by pulling the correct value from e.g., profile.sub or token.sub, but I wonder whether there is a better way to implement my use case, or if this something that could/should be natively supported in Auth.js? (e.g., it would be nice to use Database adapters without having to use the Database Session strategy and having the adapter directly make the update in the correct DB table without having to call createUserIfNotExists manually)

const SomeProvider: OIDCConfig<Profile> = {
  id: "some-id",
  name: "Some Provider ID",
  type: "oidc",
  issuer: "https://some.provider.id/auth/realms/r",
  checks: ["pkce", "state"],
  profile(profile) {
    return {
      // NOTE: the `profile.sub` value will be the correct user ID created by the Account Provider
      // However, it will be overwritten by Auth.js as a random UUID will be created.
      id: profile.sub!,
      name: profile.name,
      email: profile.email,
    };
  },
};

const authOptions: NextAuthConfig = {
  debug: true,
  providers: [SomeProvider],
  events: {
    async signIn(args) {
      // On each sign in, create the user in the `User` table if it does not yet exist
      // NOTE: this has the WRONG user.id because it gets overwritten by Auth.js.
      // One could use args.profile.sub here to get the correct value though!
      createUserIfNotExists(args.user.id!);
    },
  },
  callbacks: {
    async jwt({ token, user, profile }) {
      if (user) {
        // NOTE: user.id has the wrong UUID here. The correct one can be found in e.g., profile.sub
        token.id = user.id as string;
      }

        return token;
      }
    },
    async session({ session, user }) {
      if (session.user) {
        // NOTE: user.id has the wrong UUID here. The correct one can be found in e.g., token.sub
        session.user.id = user.id as string;
      }

      return session;
    },
    authorized: async ({ auth }) => {
      return !!auth;
    },
  },
};

export const { auth, handlers, signIn, signOut } = NextAuth(authOptions);