Github provider not returning a refreshToken

[DarrenBaldwin07]

Question 💬

Not sure if this is an issue on my end -- but I referenced the Github OAuth (https://docs.github.com/en/developers/apps/building-oauth-apps/authorizing-oauth-apps) docs and found that the that NextAuth uses an endpoint that does not return a refresh_token (only an access_token). I also found that other providers (ex: Google) do return a refreshToken along with their accessToken.

Question: is this intended?

The fact that the default Account model has a refreshToken field leads me to think that the GithubProvider should not just return an access token. I need to be able to silently refresh access tokens without having to re-login with an OAuth provider each time.

Any help would be much appreciated.

How to reproduce ☕️

n/a

Contributing 🙌🏽

Yes, I am willing to help answer this question in a PR.

[ThangHuuVu]

NextAuth uses an endpoint that does not return a refresh_token (only an access_token).

For GitHub or any OAuth provider, the token endpoint will return refresh_token alongside access_token as described in https://datatracker.ietf.org/doc/html/rfc6749#section-1.5.
Learn more about enabling GitHub Refresh Token Rotation here: https://docs.github.com/en/developers/apps/building-github-apps/refreshing-user-to-server-access-tokens

While NextAuth.js does not provide refresh token rotation out of the box, you can implement it following this guide: https://next-auth.js.org/tutorials/refresh-token-rotation
Let me know if this helps 🙏

[DarrenBaldwin07]

Hey Thang, I appreciate your help. I understand that -- my question i guess is really pertaining to why nextauth doesnt seem to receive a refreshToken? In my case I am using the jwt callback (as one should) and simply wanting to return a token object with token.refreshToken but refreshToken/refresh_token is always returning undefined (token is a de-structured key that is passed in via the jwt params).

[ThangHuuVu]

Could you check if refresh_token can be found in the account object in the JWT callback?
Note that you'll need to Opt-in for refresh token here: Developer setting -> Your app -> Optional features

[kfcaio]

The same is true for the Keycloak Provider

[JangoCG]

Any news on this problem ? It is still undefined and it not included in the account object object

[ahus1]

I found this discussion here, and it seems that it is only supported for GitHub apps, and not for OAuth Apps