Cognito + Third party IDPs - Nonce Mismatch Error

[leonp-s]

Question 💬

I am currently trying to use AWS Cognito (setup with a third party IDP) however I am running into an issue when signing in with a third party IDP via Cognito.

[next-auth][error][OAUTH_CALLBACK_ERROR]
https://next-auth.js.org/errors#oauth_callback_error nonce mismatch, expected undefined, got: ... {
  error: {
    message: 'nonce mismatch, expected undefined, got: ...',
    stack: 'RPError: nonce mismatch, expected undefined, got: ...

A similar question has been asked here, and has been closed however I was hoping a solution might be proposed.

How to reproduce ☕️

1. Setup Cognito
2. Configure to Cognito user pool to use a third party IDP
3. Initiate authentication through IDP via Cognito

CognitoProvider({
      clientId: process.env.COGNITO_CLIENT_ID,
      clientSecret: process.env.COGNITO_CLIENT_SECRET,
      issuer: process.env.COGNITO_ISSUER,
    }),

Contributing 🙌🏽

Yes, I am willing to help answer this question in a PR

[dmcd]

[leonp-s]

Hi David, thanks for your reply. Just had another look at my scopes, they all seem to match across the user pool, provider config and IDP authorised scopes. I am using Google as a 3rd party IDP for Cognito requesting 'openid profile email'. Any other ideas?

[dmcd]

Apologies, the issue is unrelated to auth scopes. Its still happening for me when first completing the oauth flow. However, if I run the flow again, it completes ok and I get a valid session. I'm using cognito with apple sign in.

[next-auth][error][OAUTH_CALLBACK_ERROR]
https://next-auth.js.org/errors#oauth_callback_error nonce mismatch, expected undefined, got: t4csJhuaMJEk3YPYCu0XmQQDsic8qwcGaSK-3fYvsuE1qRORbrA15o47PFK-fO6yG5xHWEOAmpMtHopKwjUGiQmIvmALwYMAMEArd_7voN_9vA4m_Zt43Gtj6ICs8hSmM5tTymp5tkaOF6B6wWcSSS7xCuqnBeQpqRAUcX70uwo {
  error: {
    message: 'nonce mismatch, expected undefined, got: t4csJhuaMJEk3YPYCu0XmQQDsic8qwcGaSK-3fYvsuE1qRORbrA15o47PFK-fO6yG5xHWEOAmpMtHopKwjUGiQmIvmALwYMAMEArd_7voN_9vA4m_Zt43Gtj6ICs8hSmM5tTymp5tkaOF6B6wWcSSS7xCuqnBeQpqRAUcX70uwo',
    stack: 'RPError: nonce mismatch, expected undefined, got: t4csJhuaMJEk3YPYCu0XmQQDsic8qwcGaSK-3fYvsuE1qRORbrA15o47PFK-fO6yG5xHWEOAmpMtHopKwjUGiQmIvmALwYMAMEArd_7voN_9vA4m_Zt43Gtj6ICs8hSmM5tTymp5tkaOF6B6wWcSSS7xCuqnBeQpqRAUcX70uwo\n' +
      '    at Client.validateIdToken (src/node_modules/openid-client/lib/client.js:796:13)\n' +
      '    at processTicksAndRejections (internal/process/task_queues.js:93:5)\n' +
      '    at async Client.callback (src/node_modules/openid-client/lib/client.js:484:7)\n' +
      '    at async oAuthCallback (src/node_modules/next-auth/core/lib/oauth/callback.js:112:16)\n' +
      '    at async Object.callback (src/node_modules/next-auth/core/routes/callback.js:50:11)\n' +
      '    at async NextAuthHandler (src/node_modules/next-auth/core/index.js:133:28)\n' +
      '    at async NextAuthNextHandler (src/node_modules/next-auth/next/index.js:20:19)\n' +
      '    at async src/node_modules/next-auth/next/index.js:56:32\n' +
      '    at async Object.apiResolver (src/node_modules/next/dist/server/api-utils.js:102:9)\n' +
      '    at async DevServer.handleApiRequest (src/node_modules/next/dist/server/next-server.js:1064:9)',
    name: 'RPError'
  },
  providerId: 'cognito',
  message: 'nonce mismatch, expected undefined, got: t4csJhuaMJEk3YPYCu0XmQQDsic8qwcGaSK-3fYvsuE1qRORbrA15o47PFK-fO6yG5xHWEOAmpMtHopKwjUGiQmIvmALwYMAMEArd_7voN_9vA4m_Zt43Gtj6ICs8hSmM5tTymp5tkaOF6B6wWcSSS7xCuqnBeQpqRAUcX70uwo'
}

[rmelo]

I am also facing this problem, I already check my scopes and it's ok too. I'm also using Google and I noticed that in the first auth, when Google ask me for my credentials is when its happening, but if I sign out and sign in again, Google doesn't ask me because I already authenticated to it before, so the problem doesn't occur

[MaxOrelus]

Ditto. I've been running next-auth@4.0.0-beta.3 for months now and I had my Cognito setup all working. Today I decided to upgrade to 4.0.6 and I'm getting the same errors as the individuals above. ^^

Maybe a diff between 4.0.6 and the 4.0.0-beta.3 may pin point the issue.

[domwillcode]

I too am seeing this issue with Cognito. I've rolled back to 4.0.0-beta.3 for now as the latest functional build.

4.0.0-beta-4 introduces an update to the 'openid-client' package from ^4.7.4 to ^5.0.1 (although beta-4 is broken and fixed in beta-5) and now ^5.1.0. It seems openid-client 5.0.1 forced id token validation (client.callback() instead of client.oauthCallback()) and the nonce check in openid-client.

You can trigger the same validation by setting idToken true in your next-auth config for Cognito on 4.0.0-beta.3 (becoming the default from beta-5.

providers: [
            Cognito({
                idToken: true,
                ...
            )}
]

Cognito seems to generate the nonce for the initial auth when using an IDP which triggers the error on callback.

Beyond that, I'm stumped!

[lpsinger]

I'm getting exactly the same error message in my project which uses openid-client in a Remix app. What I can't tell is if this is a bug in Cognito or a bug in openid-client.

[lpsinger]

Aha! I figured out a workaround for my code, which may work for next-auth too. Unfortunately my code isn't public (yet) so I can only provide a snippet here. In the call to client.callback, set nonce to null to skip the nonce check completely.

  const tokenSet = await client.callback(getRedirectUri(request), params, {
    code_verifier,
    nonce: null  // <-- add this
  })

[lpsinger]

I don't think PKCE is supported for the Cognito provider

I am using PKCE with Cognito. (But I am using node-openid-client directly.)

[james-bjss]

I don't think PKCE is supported for the Cognito provider

I am using PKCE with Cognito. (But I am using node-openid-client directly.)

Yeah, I amended the provider to add the PKCE checks, but then NextAuth throws the nonce mismatch error after. Effectively it does this:

    if (provider.token?.request) {
      // @ts-expect-error
      const response = await provider.token.request({
        provider,
        params,
        checks,
        client,
      })
      tokens = new TokenSet(response.tokens)
    } else if (provider.idToken) {
      tokens = await client.callback(provider.callbackUrl, params, checks)
    } else {
      tokens = await client.oauthCallback(provider.callbackUrl, params, checks)
    }

The checks value that gets passed to the open-id client can't be set externally and it never expects a nonce to be set in the reponse. ie. const checks = {}; and the only value set in checks via the function relate to the state and PKCE checks. The openid-client expects a matching value in checks.nonce.

There is no means in the lib to provide the nonce value though, so if you add it to the auth url it sets it but then the check expects undefined. If you don't set one then Cognito (helpfully?) generates it's own and that also won't match undefined.

So assuming AWS won't budge I am wondering if we add the ability to generate or set this value when calling cognito and use this value in the check. Otherwise I don't see how anyone can use NextAuth with Cognito + and external IDP.

[balazsorban44]

I don't think we currently set or use nonce correctly, PRs are welcome!

[james-bjss]

Hi @balazsorban44

I did consider raising a PR, the issue we have is if we define a nonce value in the provider config this value remains unchanged after it's initialized so assumed such a change would be rejected on security grounds (though currently no nonce is used at all so no worse off in some ways).

As a naive fix it would be easy to set the nonce value in the provider config, then in the callback do something like:
checks.nonce = options.provider.authorization.params.nonce (obviously with null checks)

This could optionally behind a config in protection if we wanted to enable disable.

Where would you suggest that the value could be generated and stored as guessing defining it statically in the config is not ideal.

[james-bjss]

@balazsorban44 - We had a go at adding this functionality last night. Hopefully this looks reasonable. This has been added as an additional check that users can optionally enable in provider config and generates a new nonce value vs using a statically configured one.

#4100

[tiyberius]

Having the exact same issue as everyone here, errors out on first attempt at login, then works the second time. I'm new to Next-auth, really want to like it but this isn't a great first impression!

[james-bjss]

No worries. Glad it's useful for others!

[EvgenKoshevoy]

Hello. I still have same issue with Cognito Adapter (with SAML Azure AD). After clicking "Sign in with Cognito" again - i have access to page.

[next-auth][error][CALLBACK_OAUTH_ERROR]
https://next-auth.js.org/errors#callback_oauth_error nonce mismatch, expected undefined, got: Ys6...Oyw RPError: nonce mismatch, expected undefined, got: Ys6...Oyw
    at Client.validateIdToken (/app/node_modules/openid-client/lib/client.js:798:13)
    at processTicksAndRejections (internal/process/task_queues.js:95:5)
    at async Client.callback (/app/node_modules/openid-client/lib/client.js:486:7)
    at async oAuthCallback (/app/node_modules/next-auth/core/lib/oauth/callback.js:112:16)
    at async Object.callback (/app/node_modules/next-auth/core/routes/callback.js:50:11)
    at async NextAuthHandler (/app/node_modules/next-auth/core/index.js:139:28)
    at async NextAuthNextHandler (/app/node_modules/next-auth/next/index.js:21:19)
    at async /app/node_modules/next-auth/next/index.js:57:32
    at async Object.apiResolver (/app/node_modules/next/dist/server/api-utils/node.js:184:9)
    at async NextNodeServer.runApi (/app/node_modules/next/dist/server/next-server.js:396:9) {
  name: 'OAuthCallbackError',
  code: undefined
}

Provider settings:

import NextAuth from 'next-auth';
import CognitoProvider from 'next-auth/providers/cognito';

export default NextAuth({
    providers: [
        CognitoProvider({
            clientId: process.env.COGNITO_CLIENT_ID,
            clientSecret: process.env.COGNITO_CLIENT_SECRET,
            issuer: process.env.COGNITO_ISSUER,
            idToken: true,
            checks: 'nonce',
        }),
    ],
    debug: true,
});

Container: node:14-alpine
next: 12.1.1
next-auth: ^4.3.1

[AntoineGerv]

Same problem here,

next: 12.1.1
next-auth: ^4.3.1

[james-bjss]

Are you using the forked version of the code with this fix in it? The PR is not yet merged and has been readied for review in the next release.
See this comment from the maintainers here for a suggestion of test this out. Or you can build locally and drop the file into your node modules just for testing.
#4100 (comment)

[EvgenKoshevoy]

Oh, i see. I thought it is already merged. I've used latest release version.

[jamesbluecrow]

Thanks for the effort @james-bjss . We are also affected by this issue, I'll try your forked version to see if it addresses the issue.

I'm mostly posting to add more interest on this fix being merged 😃

[jamesbluecrow]

Thanks for the effort @james-bjss . We are also affected by this issue, I'll try your forked version to see if it addresses the issue.

I'm mostly posting to add more interest on this fix being merged 😃

I'm must be missing something, I did checkout your branch @james-bjss and run yarn install and yarn build. Then replaced the next-auth inside the node_modules in my application with the packages/next-auth from your branch but I still see the same error. Anything you think I'm doing wrong?

[hamidbjss]

@jamesbluecrow Use this patch instead and place into patches/next-auth+4.3.3.patch: https://gist.github.com/hamidbjss/b6408e48080f247edd22ec04a3b983e3

You'll need to install this package from npm patch-package.

Finally, ensure you have the following script in your package.json scripts:

    "postinstall": "patch-package",

Next time you run npm i it will perform the postinstall step which will patch the next-auth package for you.

[AntoineGerv]

@lluia @balazsorban44 Can you help us ? PR is here : #4100
Thx

[james-bjss]

@lluia @balazsorban44 Can you help us ? PR is here : #4100 Thx

Aaand it's merged! 🎉 Thanks all.

[hamidbjss]

Created a patch for version 4.10.3 if it's of help to anyone next-auth+4.10.3.patch.

[revmischa]

I have the latest package with this fix in it at https://github.com/jetbridge/next-auth/raw/tmp/packages/next-auth/next-auth-4.10.3.tgz

Correct me if I'm wrong but I believe you also need to add this to your provider config?

      checks: 'nonce',

[james-bjss]

Correct, there are other checks so you may want to append this to the existing ones. Namely the state and pkce options (can check the source for your given provider to see the defaults).

type ChecksType = "pkce" | "state" | "none" | "nonce"

[revmischa]

What checks should be used with cognito?

[james-bjss]

What checks should be used with cognito?

pkce, state, nonce

[ronaldwh84]

Hi @james-bjss

I am using the latest version 4.10.3 but it is not working. Do I need to perform some extra steps to apply this fix?

[james-bjss]

Hi @james-bjss

I am using the latest version 4.10.3 but it is not working. Do I need to perform some extra steps to apply this fix?

The fix has been merged to main but there has been no new release since.

You would need to apply the patch package as per convos above until the next nextauth release with the fix in it.

There is a flurry of chore activity on main at the moment from the maintainers and it looks like they may be prepping for a new release? So if you can wait it out the new package should be out eventually...

[ronaldwh84]

Ah ok noted that! Thank you very much for the info, I will use the patch for now. Cheers, Ronaldwh

…

On Sat, Sep 10, 2022, 6:17 PM James ***@***.***> wrote: Hi @james-bjss <https://github.com/james-bjss> I am using the latest version 4.10.3 but it is not working. Do I need to perform some extra steps to apply this fix? The fix has veen merged to main but there has been no new release since. You would need to apply the patch package as per convos above until the next nextauth release with the fix in it. There is a flurry of chore activity on main at the mo from the maintainers and looks like they may be prepping for a new release, so if you can wait the new package should be out eventually. — Reply to this email directly, view it on GitHub <#3551 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AFS4MIILFSVIIRBZWRRZ5FDV5RN3FANCNFSM5LGUO74A> . You are receiving this because you commented.Message ID: ***@***.***>

[james-bjss]

This is now released, though seems absent form the release notes. Can confirm its working for us without the patch on the latest release.
Maybe we can resolve this convo now?

[mjdye]

I'm currently on version 4.1.2 and still receiving this issue. Is there something in particular I'm missing?

CognitoProvider({
	clientId: '**',
	clientSecret: '**',
	issuer: '**',
	idToken: true,
        checks: 'nonce',
}),

The error is:

 providerId: 'cognito',
  message: 'nonce mismatch, expected undefined, got: someNonce

To be clear, I'm currently using the Cognito Logout URL to force Google to show the account selection screen again. This occurs when I swap accounts.

[z0ph]

I'm running the same behavior with:

"next": "^13.0.5",
"next-auth": "^4.17.0",

Error:

MyProvider:

import NextAuth from "next-auth";
import CognitoProvider from "next-auth/providers/cognito";

export default NextAuth({
  providers: [
    // https://github.com/nextauthjs/next-auth/discussions/3551
    CognitoProvider({
      clientId: process.env.COGNITO_CLIENT_ID,
      clientSecret: process.env.COGNITO_CLIENT_SECRET,
      issuer: process.env.COGNITO_ISSUER,
      idToken: true,
      checks: 'nonce',
    }),
  ],
  callbacks: {
    // By default NextAuth will redirect to an url of the same hostname
    // this callback allows to change that behavior and specify a custom url
    redirect({ url }) {
      return url;
    },
    async session({ session, token }) {
      // Send properties to the client, like an access_token from a provider.
      session.customerID = token.sub;
      return session;
    },
  },

  secret: process.env.SECRET,
  debug: process.env.NODE_ENV === "development",
});

[akd-io]

Was able to fix the issue using the checks: "nonce" feature added i #4100.

My config:

CognitoProvider({
  clientId: process.env.COGNITO_CLIENT_ID,
  clientSecret: process.env.COGNITO_CLIENT_SECRET,
  issuer: process.env.COGNITO_ISSUER,
  checks: "nonce", // Necessary to fix a bug with Cognito's third-party providers. See the following issue and PR. Issue: https://github.com/nextauthjs/next-auth/discussions/3551 PR: https://github.com/nextauthjs/next-auth/pull/4100
}),

@leonp-s I spent quite a while searching through this thread to eventually find the right solution, maybe one of these comments linking to #4100 can be marked as the correct answer?

[akd-io]

Alright, I had it come back in the case where I have a NextAuth session, but not a Cognito session. I don't think my users will face this case though.

[half2me]

I'm having the same issue: #6865

[mortezaalizadeh]

I am having the same issue too, I am using version 4.22.1

[half2me]

I have @auth/core pinned to 0.5.1 and I apply this patch:

--- node_modules/@auth/core/lib/oauth/callback.js	2023-03-28 16:30:20
+++ node_modules/@auth/core/lib/oauth/callback.js	2023-04-17 14:11:07
@@ -76,7 +76,8 @@
     let profile = {};
     let tokens;
     if (provider.type === "oidc") {
-        const result = await o.processAuthorizationCodeOpenIDResponse(as, client, codeGrantResponse);
+        const result = await o.processAuthorizationCodeOpenIDResponse(as, client, codeGrantResponse, nonce?.value ??
+o.expectNoNonce);
         if (o.isOAuth2Error(result)) {
             console.log("error", result);
             throw new Error("TODO: Handle OIDC response body error");

That fixes things for me as long as I set checks: ['pkce', 'nonce'], for my Cognito provider settings.
Until this is properly fixed, that's the best I can do, but it does work quite well.

[mortezaalizadeh]

cheers @half2me I can't really patch it, so decided to go with overriding the checks to nonce only and it worked like a charm

[half2me]

cheers @half2me I can't really patch it, so decided to go with overriding the checks to nonce only and it worked like a charm

Keep it mind that will only work for normal username/password logins. If you try to use social login with cognito (login with facebook, google, etc.) it will give you an error.

[rvdende]

Should we perhaps add the fix as a default in https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/cognito.ts#LL91C10-L91C10 ?

options: { checks: "nonce", ...options }

[half2me]

it doesn't fix the problem though. If you use "social login" with cognito, it still gives you the same error

[rvdende]

works on my side for an azure active directory login...

[PorridgeBear]

This same exact nonce mismatch error with expected undefined but getting a value from Cognito is happening in NextAuth v5 beta, and no permutation of checks fixes the issue having tried ["pkce", "state"] to exclude nonce, or ["pkce", "state", "nonce"] to include it. The callback from Cognito sends a nonce, Auth.js v5 is making the comparison no matter the provider config, and the user get the Server Configuration error page. It is then possible to simply tweak the URL back to login and it works second time. I know NextAuth v4 does not have this issue anymore, so will need to revert until solved in v5.