Google does not allow code_challenge_method as a param for its oauth scheme, and errors if it receives it.

If I understand the source code correctly, there is currently no way to not send it?
That means Google OAuth is unusable for now?
Happy to be shown where I'm not doing something right. Otherwise I'm happy to add a delete statement somewhere in the right area.
My provider setup is:
```js
google: {
  endpoints: {
    userInfo: '/api/auth/user',
    logout: { url: '/api/auth/logout', method: 'get', withCredentials: true },
  },
  redirectUri: `${FULL_URL}/api/oauth/google/callback`,
  clientId: process.env.GOOGLE_CLIENT_ID,
},
```
Unfortunately I had experienced the same on my end. Which version of @nuxtjs/auth or @nuxtjs/auth-next do you use?
@p3t3r67x0 @nuxt/auth-next latest.
@VesterDe it seems that when setting codeChallengeMethod to an empty string it works, did you try that?
```js
auth: {
  strategies: {
    google: {
      responseType: 'code',
      codeChallengeMethod: '',
      grantType: 'authorization_code',
      clientSecret: process.env.CLIENT_SECRET,
      clientId: process.env.CLIENT_ID
    }
  }
}
```
I'm also using auth-next and have Google working fine. These are the options I have set:
```js
responseType: 'code',
accessType: 'offline',
grantType: 'authorization_code',
codeChallengeMethod: 'S256'
```
Thanks for the input, I'm going to try and figure out what I'm doing wrong. I'll close the issue if I do.
Anyone with a reproducible repo?
Just hit the same issue with latest nuxt and @nuxtjs/auth-next. Adding codeChallengeMethod: '' made it work:
```js
auth: {
  strategies: {
    google: {
      clientId: process.env.GOOGLE_CLIENT_ID,
      codeChallengeMethod: '',
    },
  },
},
```
Thanks p3t3r67x0 ❤️
This issue did not happen for me with @nuxtjs/auth.
@vinayakkulkarni here is how to reproduce:
npx create-nuxt-app with @nuxtjs/auth-next, enable it in nuxt.config.js with router: { middleware: ['auth'] }, and use the snippet above without codeChallengeMethod. Add codeChallengeMethod: '' and it works again. Just in case some nuxt config has an impact (which I doubt, but who knows), here is mine:
create-nuxt-app v3.4.0
Programming language: TypeScript
Package manager: Yarn
UI framework: Tailwind CSS
Nuxt.js modules: Axios
Linting tools: ESLint, Prettier, StyleLint
Testing framework: Jest
Rendering mode: Universal (SSR / SSG)
Deployment target: Static (Static/JAMStack hosting)
Development tools: None
Continuous integration: None
Version control system: Git
@clorichel : Thanks for the revert. I actually managed to solve it using old @nuxtjs/auth module itself!
https://github.com/vinayakkulkarni/map-my-google-photos/blob/main/nuxt.config.ts#L111-L128
The thing is, @nuxtjs/auth uses snake case (_) whereas the new @nuxtjs/auth-next uses camelCasing.
There'll probably be a migration guide when the new major version of @nuxtjs/auth is released :)
@clorichel Did you try with codeChallengeMethod: 'S256'? It seems like leaving that blank might use a less secure challenge method.
No I didn't @bmulholland. Seems like a good point though: would you have any documentation link for me to know more about what Google is implementing on their end and what it actually stands for in terms of security?
@clorichel Anything on Google's end is up to them to document, so you'll have to check on that side :)
My recommendation is to use the config I posted above, including the S256 option. I've created https://github.com/nuxt-community/auth-module/issues/908 to improve the code and/or docs. For this specific request, if you really want to avoid it, the workaround of a blank string seems to provide the option to not send that parameter. Let me know if I've missed anything, but closing this out for now.
I'm having trouble using the auth code I get back to exchange for a token from Google. I'm using config:
```js
google: {
  clientId: process.env.GOOGLE_OAUTH_CLIENT_ID,
  codeChallengeMethod: 'S256', // Required because the default causes google to throw invalid request
  responseType: 'code', // Required because the default 'token' includes rejected nonce arg
  accessType: 'offline', // Required to ensure we get a long lived refresh token
  grantType: 'authorization_code',
  endpoints: {
    token: '/api/v1/auth/google-code',
  },
},
```
This seems to be working, and my google-code api is getting called with a payload that includes: code, client_id, redirect_uri, response_type, audience (an empty string), grant_type, and code_verifier.
I understand that I need to use this to ask Google for a token, so I post to https://oauth2.googleapis.com/token with a payload that includes: code, client_id, client_secret, redirect_uri and grant_type (authorization_code). Google just responds with a 400 error which it says is an "invalid_grant" and "bad request".
Could this be because of something in the auth system not requesting the authentication correctly, or am I calling Google incorrectly?
Same problem with @goldengecko 👍
I have this same problem with AWS Cognito as well, and setting codeChallengeMethod to an empty string does not help either. I think this parameter should not be sent by default, or at least there should be an option to exclude it.