Feature Request: Allow Customization of nonce generation in oauth checks

[william-will-angi]

Goals

1. Allow nonce to be generated as a UUID

Non-Goals

1. Updating default behavior (uuid generation does not need to be the default).

Background

Our open id provider ( keycloak ) requires that nonces be passed in as uuids. Our current flow is throwing the error:

'nonce mismatch, expected `CVqEne3tzlU0J6fwt...`, got: afc784d4-d650-...'`

Ideally, we would be able to force next-auth to always send a uuid as the nonce parameter. But currently, it is using the generators utility from openid-client, which doesn't support that. We would like some way of overriding that generation so that we can pass values that Keycloak will treat as valid nonces. I'm open to ideas and willing to contribute if appropriate here.

Thanks!

Proposal

It would be cool if you could pass in a generators function or something similar to your Oauth provider configuration to customize it. Something like:

import KeycloakProvider from "next-auth/providers/keycloak";
import { v4 as uuidV4 } from 'uuid'
...
providers: [
  KeycloakProvider({
    clientId: process.env.KEYCLOAK_ID,
    clientSecret: process.env.KEYCLOAK_SECRET,
    issuer: process.env.KEYCLOAK_ISSUER,
    generators: {
      nonce: () => {
        return uuidV4()
      }
    }
  })
]

I am open to other approaches to accomplish this and I am willing to contribute if this change is appropriate.

[panva]

I don't think your issue stems from keycloak requiring uuids to be used as nonce (because that's a rather silly thing to begin with and I have a hard time believing it actually does).

It's that keycloak doesn't return you the expected nonce value (not format!) which is a problem that would persist regardless of what you're proposing here.

First order of business for you is to find out why an unexpected nonce is returned by keycloak.

[william-will-angi]

There is a related issue here: p2-inc/keycloak-magic-link#33

Basically Keycloak tries to cast the incoming nonce as a UUID, but if it can't, it just generates a brand new one (and throws away the incoming nonce value). There is a solution in the above link, however we are trying to avoid it for now, because upgrading to their latest version is a pretty big shift (it would require us to upgrade our Keycloak version & Java version for our entire project.

I used the patch-package to verify that if we pass a properly formatted UUID to Keycloak, it properly uses it and the nonce check is completed successfully.

For context, this is the patch I am currently using with success:

diff --git a/node_modules/openid-client/lib/helpers/generators.js b/node_modules/openid-client/lib/helpers/generators.js
index aa1cfca..040ae9a 100644
--- a/node_modules/openid-client/lib/helpers/generators.js
+++ b/node_modules/openid-client/lib/helpers/generators.js
@@ -1,13 +1,17 @@
 const { createHash, randomBytes } = require('crypto');
 
+const { v4: uuidv4 } = require('uuid')
 const base64url = require('./base64url');
 
 const random = (bytes = 32) => base64url.encode(randomBytes(bytes));
 
+const newUuid = () => {
+  return uuidv4()
+}
 module.exports = {
   random,
   state: random,
-  nonce: random,
+  nonce: newUuid,
   codeVerifier: random,
   codeChallenge: (codeVerifier) =>
     base64url.encode(createHash('sha256').update(codeVerifier).digest()),

[william-will-angi]

For more context, here is where Keycloak proper constructs action keys from a UUID.

And here is where the library tries to cast it to a UUID.