id_token not present from OAuth2 provider

[timmermike]

Hi all,

I've been experimenting with NextAuth over the last couple days, trying to set up an integration with an existing service.

My provider config is as follows:

const handler = NextAuth({
  providers: [
    {
      id: "testprovider",
      name: "TestProvider",
      type: "oauth",
      authorization: {
        url: accountUrl + "/oauth/authorize",
        params: { scope: "refresh_token" },
      },
      token: {
        url: accountUrl + "/oauth/token-request",
      },
      idToken: false,
      userinfo: accountUrl + "/oauth/userInfo",
      clientId: process.env.OAUTH_CLIENT_ID,
      clientSecret: process.env.OAUTH_CLIENT_SECRET,
      client: {
        token_endpoint_auth_method: "client_secret_post"
      },
      checks: ["pkce", "state"],
      profile(profile) { 
        // ignore, this is still TODO
        console.log(profile)
        return {
            id: profile.username,
        }
      },
    }
  ],
  secret: process.env.NEXT_AUTH_SECRET,
})

The provider does not support openid, only oauth2.0. I get as far as the token exchange, however, the token coming back from the provider has the following fields:

{
  access_token: "<<SNIP>>",
  refresh_token: "<<SNIP>>",
  token_type: "Bearer",
  username: "<<SNIP>>",
  scope: "refresh_token session:role:admin",
  accountHash: "<<snip>>",
  userHash: "<<snip>>",
  expires_at: #####,
  refresh_token_expires_in: #####,
  idpInitiated: false,
}

Which yields: error: Error [OAuthCallbackError]: id_token not present in TokenSet from NextAuth.

Is there anything I can do to make NextAuth work without the id_token field in the token response? I suspect I've missed something basic in the configuration. I tried setting idToken to false, but that didn't seem to do anything. As far as I can tell, the openid-client module that nextauth is using under the hood requires the field and there doesn't seem to be any way to make it skip the field value.

(This is with next-auth@4.24.11)

[timmermike]

I managed to work around the issue by overriding

request: async (context) => {
    // we can't have openid-client handle this because that code insists on client_id being present
    // as a field. So we do the work ourselves.
    const { params, checks, client } = context;
    const tokenset = await client.grant({
        grant_type: 'authorization_code',
        code: params.code,
        redirect_uri: '...',
        code_verifier: checks.code_verifier,
        client_id: context.provider.clientId,
        client_secret: context.provider.clientSecret,
    });
    return { tokens: tokenset };
},

It's not exactly ideal because it throws away the checks that are built into the client. So if there's a better option, I'd appreciate the pointer.