Next-auth: How to get Google provider ID token and not access token

Created on 6 Jul 2020  路  13Comments  路  Source: nextauthjs/next-auth

When using the Google provider I want to be able to authenticate with a backend server and for this I need to send the ID token to that API and get back the access token. Further info about this flow can be found here.

This extra request I plan to do in the JWT callback, but in there I cannot access ID token. Only accessToken is given back in token.account.

This is what I get in the JWT callback:
token (first argument):

{
  user: {
    name: <name>,
    email: <email>,
    image: <image>
  },
  account: {
    provider: 'google',
    type: 'oauth',
    id: <id>,
    refreshToken: undefined,
    accessToken: <accessToken>,
    accessTokenExpires: null
  },
  isNewUser: undefined
}

profile (second argument):

{
  id: <id>,
  email: <email>,
  verified_email: true,
  name: <name>,
  given_name: <given_name>,
  family_name: <family_name>,
  picture: <picture>,
  locale: 'en'
}
  • [ ] Found the documentation helpful
  • [ ] Found documentation but was incomplete
  • [ ] Could not find relevant documentation
  • [ ] Found the example project helpful
  • [X] Did not find the example project helpful
question
Source
picture vladfulgeanu
👍1

Most helpful comment

Yeah Google is unusual and this has come up before, we should really cover this in the docs.

tl;dr Google only returns a RefreshToken on first sign in and should to be used with a database. You can force it to issue a new one every time using access_type=offline and prompt=consent but that is intended for mobile and desktop applications and changes the sort of prompt a user sees when they sign in (and isn't as seamless).

More info in #269

picture iaincollins on 6 Jul 2020
👍2

All 13 comments

Yeah Google is unusual and this has come up before, we should really cover this in the docs.

tl;dr Google only returns a RefreshToken on first sign in and should to be used with a database. You can force it to issue a new one every time using access_type=offline and prompt=consent but that is intended for mobile and desktop applications and changes the sort of prompt a user sees when they sign in (and isn't as seamless).

More info in #269

iaincollins picture iaincollins on 6 Jul 2020
👍2

If I were to use react-google-login library, _in the responseGoogle(response) {...} callback function, I should get back a standard JWT located at response.tokenId or res.getAuthResponse().id_token_ (from here)
That is the only thing that I need in order to send the request to the backend server. I'm not sure how RefreshToken can help me in this case.

vladfulgeanu picture vladfulgeanu on 6 Jul 2020

You can try setting idToken: true as a provider option - it works on quite a few providers, but I'm not sure about Google - and then using the JWT callback (assuming you are using JSON Web Tokens) to handle saving data from the profile in your JWT to use in subsequent calls.

iaincollins picture iaincollins on 8 Jul 2020

I did try exactly this as I saw it possible on the Okta provider, but 2 things happen:

  • I get this error:
[next-auth][error][OAUTH_CALLBACK_HANDLER_ERROR] [
  Error: Missing or invalid provider account
      at /home/vlad/work/node_modules/next-auth/dist/server/lib/callback-handler.js:32:15
      at Generator.next (<anonymous>)
      at asyncGeneratorStep (/home/vlad/work/node_modules/next-auth/dist/server/lib/callback-handler.js:20:103)
      at _next (/home/vlad/work/node_modules/next-auth/dist/server/lib/callback-handler.js:22:194)
      at /home/vlad/work/node_modules/next-auth/dist/server/lib/callback-handler.js:22:364
      at new Promise (<anonymous>)
      at /home/vlad/work/node_modules/next-auth/dist/server/lib/callback-handler.js:22:97
      at /home/vlad/work/node_modules/next-auth/dist/server/lib/callback-handler.js:185:17
      at /home/vlad/work/node_modules/next-auth/dist/server/routes/callback.js:91:54
      at Generator.next (<anonymous>)
      at asyncGeneratorStep (/home/vlad/work/node_modules/next-auth/dist/server/routes/callback.js:26:103)
      at _next (/home/vlad/work/node_modules/next-auth/dist/server/routes/callback.js:28:194)
      at processTicksAndRejections (internal/process/task_queues.js:93:5)
]

The JWT callback is not reached in this case, only the signin callback

  • I do get properties of the ID token in the signin callback (iss, sub, iat, exp...), but what I need is the exact ID token string that encodes all these. Is there a method to go from the ID token object, with the iss, sub, iat, exp properties to the ID token string, like base 64 encoding? Best thing would be to be able to access the ID token string directly though.
vladfulgeanu picture vladfulgeanu on 8 Jul 2020

Thanks for trying that and reporting what you saw.

I think at the moment the answer is this is not possible, but it seems like a reasonable feature request.

iaincollins picture iaincollins on 8 Jul 2020
👍1

Any update on this?

The Google provider isn't really complete without it since most front ends will be calling services that need to verify a user's id_token.

Dreched picture Dreched on 1 Dec 2020
👍1

I need this too, thanks

MaryJJ picture MaryJJ on 2 Dec 2020

Yeah, any updates? I also really need this.

theapplefolks picture theapplefolks on 5 Dec 2020

So if I understand correctly, #837 would help here, right? Can anyone confirm this? (@vladfulgeanu @Dreched @MaryJJ @theapplefolks)

It basically sends the id_token to the jwt callback if it is provided by the IdP at sign-in.

balazsorban44 picture balazsorban44 on 5 Dec 2020

So if I understand correctly, #837 would help here, right? Can anyone confirm this? (@vladfulgeanu @Dreched @MaryJJ @theapplefolks)

It basically sends the id_token to the jwt callback if it is provided by the IdP at sign-in.

I think #837 will help. To clarify, /api/auth/session will also get id_token set from signIn?

Dreched picture Dreched on 7 Dec 2020

What ends up in your session is up to you. If you want the id_token available in your session, you can look at the jwt and聽session callbacks: https://next-auth.js.org/configuration/callbacks

balazsorban44 picture balazsorban44 on 7 Dec 2020

const getIdToken = async (refreshToken) => {
var requestOptions = {
method: 'POST',
redirect: 'follow'
};

const response = await fetch(`https://oauth2.googleapis.com/token?refresh_token=${refreshToken}&client_id=955818486406-snr4kuu25v16keu169sc1kbm6ofv7lfj.apps.googleusercontent.com&client_secret=yBPnCGw81u_OEHCRHLX8tbO4&grant_type=refresh_token&Content-Type=application/x-www-form-urlencoded`, requestOptions);
let result= await response.json();

return result.id_token;

}

fedeberon picture fedeberon on 12 Dec 2020
1

@fedeberon so when using a refresh token, you will actually receive a new ID token as well? It never occurred to me, I'll check this out, thanks!

Update:

Hmm a quick search in the OIDC spec: https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse

It says

Upon successful validation of the Refresh Token, the response body is the Token Response of聽Section聽3.1.3.3聽except that it might not contain an聽id_token.

So getting an id_token is not given. 馃様

balazsorban44 picture balazsorban44 on 12 Dec 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

simonbbyrne picture simonbbyrne  路  3Comments
bscaspar picture bscaspar  路  3Comments
readywater picture readywater  路  3Comments
eatrocks picture eatrocks  路  3Comments
iaincollins picture iaincollins  路  3Comments