
providers/oauth

OAuth2Config

TODO: Document

Type parameters

Parameter: Profile

Properties

id

id: string

Identifies the provider when you want to sign in to a specific provider.

Example

signIn("github") // "github" is the provider ID

Overrides

CommonProviderOptions.id


name

name: string

The name of the provider, shown on the default sign-in page.

Overrides

CommonProviderOptions.name


account

optional account: AccountCallback

Receives the full TokenSet returned by the OAuth provider, and returns a subset. It is used to create the account associated with a user in the database.

note

You need to adjust your database's Account model to match the returned properties. Check out the documentation of your database adapter for more information.

Defaults to: access_token, id_token, refresh_token, expires_at, scope, token_type, session_state

Example

import GitHub from "@auth/core/providers/github"
// ...
GitHub({
  account(account) {
    // https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens#refreshing-a-user-access-token-with-a-refresh-token
    const refresh_token_expires_at =
      Math.floor(Date.now() / 1000) + Number(account.refresh_token_expires_in)
    return {
      access_token: account.access_token,
      expires_at: account.expires_at,
      refresh_token: account.refresh_token,
      refresh_token_expires_at,
    }
  },
})
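As an added example (not Auth.js or GitHub code), the same mapping written as a pure function so the refresh-token expiry arithmetic can be tested without running a sign-in; the TokenSet field names are those used in the example above, the sample values are constructed, and `nowSeconds` is an injected parameter. It also covers the case the snippet above does not: a provider that omits refresh_token_expires_in, where Number(undefined) would yield NaN and be persisted to the Account row.

```javascript
// Added example, not Auth.js code. Same field names as the account callback
// shown above; `nowSeconds` is injected so the result is deterministic.
function toAccount(tokens, nowSeconds = Math.floor(Date.now() / 1000)) {
  const account = {
    access_token: tokens.access_token,
    expires_at: tokens.expires_at,
    refresh_token: tokens.refresh_token,
  }
  // Only derive refresh_token_expires_at when the provider actually sent a
  // positive lifetime. Without this guard, Number(undefined) is NaN and NaN
  // would be written to the Account row for providers that omit the field.
  const ttl = Number(tokens.refresh_token_expires_in)
  if (tokens.refresh_token && Number.isFinite(ttl) && ttl > 0) {
    account.refresh_token_expires_at = nowSeconds + ttl
  }
  return account
}

// Companion check for the stored row: is the refresh token still worth using?
// An absent expiry means the provider gave none, so the token is assumed live.
function refreshTokenUsable(account, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!account.refresh_token) return false
  if (account.refresh_token_expires_at === undefined) return true
  return account.refresh_token_expires_at > nowSeconds
}

// Constructed sample TokenSet (values are made up), shaped like the fields the
// example above reads; refresh_token_expires_in may arrive as a string, hence
// the Number() conversion.
const sampleTokens = {
  access_token: "gho_example",
  token_type: "bearer",
  scope: "read:user",
  expires_at: 1700028800,
  refresh_token: "ghr_example",
  refresh_token_expires_in: "15811200",
}

// Wiring into the provider config from the page (hypothetical usage):
//   GitHub({ account: (tokens) => toAccount(tokens) })
const stored = toAccount(sampleTokens, 1700000000)
console.log(stored.refresh_token_expires_at) // 1715811200
console.log(refreshTokenUsable(stored, 1715811200)) // false: expired exactly now
```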

allowDangerousEmailAccountLinking

optional allowDangerousEmailAccountLinking: boolean

Normally, when you sign in with an OAuth provider and another account with the same email address already exists, the accounts are not linked automatically.

Automatic account linking on sign in is not secure between arbitrary providers and is disabled by default. Learn more in our Security FAQ.

However, it may be desirable to allow automatic account linking if you trust that the provider involved has securely verified the email address associated with the account. Set allowDangerousEmailAccountLinking: true to enable automatic account linking.


authorization

optional authorization: string | AuthorizationEndpointHandler

The login process will be initiated by sending the user to this URL.

Authorization endpoint


checks

optional checks: ("pkce" | "state" | "none")[]

The CSRF protection performed on the callback endpoint.

Default

["pkce"]

Note

When redirectProxyUrl is set, "state" is added to checks automatically.

RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE) | RFC 6749 - The OAuth 2.0 Authorization Framework | OpenID Connect Core 1.0


client

optional client: Partial<Client>

Pass overrides to the underlying OAuth library. See oauth4webapi client for details.


profile

optional profile: ProfileCallback<Profile>

Receives the full Profile returned by the OAuth provider, and returns a subset. It is used to create the user in the database.

Defaults to: id, email, name, image

See

Database Adapter: User model


wellKnown

optional wellKnown: string

OpenID Connect (OIDC) compliant providers can set this instead of the authorize/token/userinfo options; in most cases no further configuration is needed. You can still use the authorize/token/userinfo options for advanced control.

Authorization Server Metadata


OIDCConfig

Extension of the OAuth2Config.

See

https://openid.net/specs/openid-connect-core-1_0.html

Type parameters

Parameter: Profile

Properties

id

id: string

Identifies the provider when you want to sign in to a specific provider.

Example

signIn("github") // "github" is the provider ID

Inherited from

Omit.id


name

name: string

The name of the provider, shown on the default sign-in page.

Inherited from

Omit.name


account

optional account: AccountCallback

Receives the full TokenSet returned by the OAuth provider, and returns a subset. It is used to create the account associated with a user in the database.

note

You need to adjust your database's Account model to match the returned properties. Check out the documentation of your database adapter for more information.

Defaults to: access_token, id_token, refresh_token, expires_at, scope, token_type, session_state

Example

import GitHub from "@auth/core/providers/github"
// ...
GitHub({
  account(account) {
    // https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens#refreshing-a-user-access-token-with-a-refresh-token
    const refresh_token_expires_at =
      Math.floor(Date.now() / 1000) + Number(account.refresh_token_expires_in)
    return {
      access_token: account.access_token,
      expires_at: account.expires_at,
      refresh_token: account.refresh_token,
      refresh_token_expires_at,
    }
  },
})

Inherited from

Omit.account


allowDangerousEmailAccountLinking

optional allowDangerousEmailAccountLinking: boolean

Normally, when you sign in with an OAuth provider and another account with the same email address already exists, the accounts are not linked automatically.

Automatic account linking on sign in is not secure between arbitrary providers and is disabled by default. Learn more in our Security FAQ.

However, it may be desirable to allow automatic account linking if you trust that the provider involved has securely verified the email address associated with the account. Set allowDangerousEmailAccountLinking: true to enable automatic account linking.

Inherited from

Omit.allowDangerousEmailAccountLinking


authorization

optional authorization: string | AuthorizationEndpointHandler

The login process will be initiated by sending the user to this URL.

Authorization endpoint

Inherited from

Omit.authorization


client

optional client: Partial<Client>

Pass overrides to the underlying OAuth library. See oauth4webapi client for details.

Inherited from

Omit.client


profile

optional profile: ProfileCallback<Profile>

Receives the full Profile returned by the OAuth provider, and returns a subset. It is used to create the user in the database.

Defaults to: id, email, name, image

See

Database Adapter: User model

Inherited from

Omit.profile


wellKnown

optional wellKnown: string

OpenID Connect (OIDC) compliant providers can set this instead of the authorize/token/userinfo options; in most cases no further configuration is needed. You can still use the authorize/token/userinfo options for advanced control.

Authorization Server Metadata

Inherited from

Omit.wellKnown