providers/oauth
OAuth2Configβ
TODO: Document
Type parametersβ
Profile
Propertiesβ
idβ
id:
string
Identifies the provider when you want to sign in to a specific provider.
Exampleβ
signIn("github"); // "github" is the provider ID
Overridesβ
nameβ
name:
string
The name of the provider. shown on the default sign in page.
Overridesβ
account?β
account:
AccountCallback
Receives the full TokenSet returned by the OAuth provider, and returns a subset. It is used to create the account associated with a user in the database.
You need to adjust your database's Account model to match the returned properties. Check out the documentation of your database adapter for more information.
Defaults to: access_token, id_token, refresh_token, expires_at, scope, token_type, session_state
Exampleβ
import GitHub from "@auth/core/providers/github";
// ...
GitHub({
account(account) {
// https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens#refreshing-a-user-access-token-with-a-refresh-token
const refresh_token_expires_at =
Math.floor(Date.now() / 1000) + Number(account.refresh_token_expires_in);
return {
access_token: account.access_token,
expires_at: account.expires_at,
refresh_token: account.refresh_token,
refresh_token_expires_at,
};
},
});
Seeβ
- Database Adapter: Account model
- https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
- https://www.ietf.org/rfc/rfc6749.html#section-5.1
allowDangerousEmailAccountLinking?β
allowDangerousEmailAccountLinking:
boolean
Normally, when you sign in with an OAuth provider and another account with the same email address already exists, the accounts are not linked automatically.
Automatic account linking on sign in is not secure between arbitrary providers and is disabled by default. Learn more in our Security FAQ.
However, it may be desirable to allow automatic account linking if you trust that the provider involved has securely verified the email address
associated with the account. Set allowDangerousEmailAccountLinking: true
to enable automatic account linking.
authorization?β
authorization:
string|AuthorizationEndpointHandler
The login process will be initiated by sending the user to this URL.
checks?β
checks: ("none" | "state" | "pkce")[]
The CSRF protection performed on the callback endpoint.
Defaultβ
["pkce"];
Noteβ
When redirectProxyUrl or AuthConfig.redirectProxyUrl is set,
"state" will be added to checks automatically.
RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE) | RFC 6749 - The OAuth 2.0 Authorization Framework | OpenID Connect Core 1.0 |
client?β
client:
Partial<Client>
Pass overrides to the underlying OAuth library.
See oauth4webapi client for details.
profile?β
profile:
ProfileCallback<Profile>
Receives the full Profile returned by the OAuth provider, and returns a subset. It is used to create the user in the database.
Defaults to: id, email, name, image
Seeβ
wellKnown?β
wellKnown:
string
OpenID Connect (OIDC) compliant providers can configure
this instead of authorize/token/userinfo options
without further configuration needed in most cases.
You can still use the authorize/token/userinfo
options for advanced control.
OIDCConfigβ
Extension of the OAuth2Config.
Seeβ
https://openid.net/specs/openid-connect-core-1_0.html
Type parametersβ
Profile
Propertiesβ
idβ
id:
string
Identifies the provider when you want to sign in to a specific provider.
Exampleβ
signIn("github"); // "github" is the provider ID
Inherited fromβ
Omit.id
nameβ
name:
string
The name of the provider. shown on the default sign in page.
Inherited fromβ
Omit.name
account?β
account:
AccountCallback
Receives the full TokenSet returned by the OAuth provider, and returns a subset. It is used to create the account associated with a user in the database.
You need to adjust your database's Account model to match the returned properties. Check out the documentation of your database adapter for more information.
Defaults to: access_token, id_token, refresh_token, expires_at, scope, token_type, session_state
Exampleβ
import GitHub from "@auth/core/providers/github";
// ...
GitHub({
account(account) {
// https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens#refreshing-a-user-access-token-with-a-refresh-token
const refresh_token_expires_at =
Math.floor(Date.now() / 1000) + Number(account.refresh_token_expires_in);
return {
access_token: account.access_token,
expires_at: account.expires_at,
refresh_token: account.refresh_token,
refresh_token_expires_at,
};
},
});
Seeβ
- Database Adapter: Account model
- https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
- https://www.ietf.org/rfc/rfc6749.html#section-5.1
Inherited fromβ
Omit.account
allowDangerousEmailAccountLinking?β
allowDangerousEmailAccountLinking:
boolean
Normally, when you sign in with an OAuth provider and another account with the same email address already exists, the accounts are not linked automatically.
Automatic account linking on sign in is not secure between arbitrary providers and is disabled by default. Learn more in our Security FAQ.
However, it may be desirable to allow automatic account linking if you trust that the provider involved has securely verified the email address
associated with the account. Set allowDangerousEmailAccountLinking: true
to enable automatic account linking.
Inherited fromβ
Omit.allowDangerousEmailAccountLinking
authorization?β
authorization:
string|AuthorizationEndpointHandler
The login process will be initiated by sending the user to this URL.
Inherited fromβ
Omit.authorization
client?β
client:
Partial<Client>
Pass overrides to the underlying OAuth library.
See oauth4webapi client for details.
Inherited fromβ
Omit.client
profile?β
profile:
ProfileCallback<Profile>
Receives the full Profile returned by the OAuth provider, and returns a subset. It is used to create the user in the database.
Defaults to: id, email, name, image
Seeβ
Inherited fromβ
Omit.profile
wellKnown?β
wellKnown:
string
OpenID Connect (OIDC) compliant providers can configure
this instead of authorize/token/userinfo options
without further configuration needed in most cases.
You can still use the authorize/token/userinfo
options for advanced control.
Inherited fromβ
Omit.wellKnown