Apple provider broken - blowing up when not finding userinfo endpoint #6788
Comments
kyllerss
added
providers
triage
kyllerss
changed the title
|
I'm running into this too. @kyllerss did you find a workaround? |
|
I've put this task aside for now, so I haven't had a chance to do a workaround. |
|
@kyllerss @jschlesser The debug message here is a bit unclear. If you provide a token endpoint, a userinfo endpoint is not necessary. Additionally the authorization endpoint returns the relevant data only in the body of the response, instead of the query, like Auth.js would expect it. Therefor you have to use response_mode: 'query' for the authorization config. This comes with the downside, that you cannot request the email, or name of the user. I'm currently working on a fix to this. For now, if you still want to use Sign in with Apple using Auth.js you can use this Apple provider configuration example to get it working: Apple({
clientId: APPLE_ID,
clientSecret: APPLE_SECRET,
wellKnown: "https://appleid.apple.com/.well-known/openid-configuration",
checks: ["pkce"],
token: {
url: `https://appleid.apple.com/auth/token`,
},
authorization: {
url: 'https://appleid.apple.com/auth/authorize',
params: {
scope: '',
response_type: 'code',
response_mode: 'query',
state: crypto.randomUUID()
},
},
client: {
token_endpoint_auth_method: "client_secret_post",
},
})In addition you'll need to set the secret for jwt encoding and the pkceCodeVerifier cookie on the top level of the auth configuration: cookies: {
pkceCodeVerifier: {
name: "next-auth.pkce.code_verifier",
options: {
httpOnly: true,
sameSite: "none",
path: "/",
secure: true,
},
},
},
secret: AUTH_SECRETI hope this helps :) |
|
Any news on this? @ChrGrb configuration doesn't work for me :( |
|
@ChrGrb it sort of works, but it doesn't return email/name and setting There is no point using it if you get this: |
|
so do I understand that it is impossible to get the email and name from apple sign in? |
|
Any updates? How can I get other values defined in the name or scope? The problem seems to be quite old. Are there any plans to resolve this issue? I like using next-auth and it has been very helpful, so I would like to continue using it. Thank you for creating such a great package. |
|
I'm also curious about the state of this issue. I added 5.0.0-beta.16 with the GitHub provider for proof-of-concept and all went well. But with Apple sign-in I ran into the current issue. Is there any working example of Apple sign-in using next-auth v4 or v5? |
|
I am also watching this closely, I am only able to use Sign in with Apple for my application, so this is key for me. I have tried the configuration above from @ChrGrb but am getting a 'checks.state argument is missing', I suspect I am missing something dumb. |
|
I've been watching this for a year to see if anyone came up with anything. I gave up on trying to get email from Apple via AuthJS. It's not impossible but in my estimation it looks like it would take a lot of work that's beyond my desire. These notes are for anyone else who is feeling ambitious. In a nutshell, the valid way that Apple is providing the email scope is only through using the response_mode of 'form_post'. Search for response_mode and response_type in the Apple docs. AuthJS on the other hand only supports 'query' mode. Implementing 'form_post' in AuthJS looks non trivial. If you want to push for this, I would start a discussion with one of the core contributors like @balazsorban44 or @ThangHuuVu . I'm neither an expert in OAuth nor deeply familiar with all of the nuances that are going on in Otherwise the default Apple provider config should be replaced with the one that @ChrGrb has provided above and in the Apple provider docs clearly let everyone know that they won't be getting the email scope from Apple when using AuthJS. Note for @balazsorban44 , the docs say that you test 20 or so of the providers and we can try out the sample app. When I click on Sign In on the Apple button (the first one at the top) and try to create an account, it fails no matter which options I choose. The basis for my findings. Search for 'form_post' in the entire repo. It only shows up in the default Apple provider source file and if you have read through this thread, you will know that the provided Apple default config doesn't work. The workaround that @ChrGrb provided will get you logged in but not an account with the email scope. Note that the response mode is 'query' in that workaround config. Now go back to the Apple docs in the link above and read the section about getting the identity_token and you will see that it's only provided in the modes of 'fragment' or 'form_post'. If you search for 'fragment' in the codebase you will not see it show up in any provider code. The user section and identity_token of the response are the only ways to get email, and they must be requested in the scope and that cant be done with 'query' mode with Apple. In the back of my mind I can hear a security guy at Apple telling the authentication team to not put email in the url, because it seems like the right call. On the other hand it seems like Apple is the only player not using 'query'. Does anyone see any other way? |
|
Hey @jschlesser I believe your details with regards to the Sign in with Apple are correct, I have a working implementation in Python FastAPI, and my experience there is consistent with your comments. The only other thing I would add (or call out explicitly) is that userInfo is only returned from the first Sign in with Apple request. In order to get the userInfo details again, you must go to https://appleid.apple.com/ and remove the app in 'Sign in with Apple' section. Question, are the changes from #8189 (or equivalent) in the latest build or beta build?
|
|
Until the apple provider is fixed I was able to get this working by adding an override route to handle the apple callback. // app/api/auth/[...nextauth]/route.ts
import { handlers } from 'auth'
export const { GET, POST } = handlers// app/api/auth/callback/apple/route.ts
import { NextRequest, NextResponse } from 'next/server'
import { GET as NextAuthGET } from '../../[...nextauth]/route'
// re-export the next-auth GET handler for this endpoint.
export { NextAuthGET as GET }
export async function POST(req: NextRequest) {
// contains user name and email if you need to process anything.
const data = await req.formData()
const queryParams: { [key: string]: string } = {}
data.forEach((value, key) => {
queryParams[key] = value.toString()
})
const searchParams = new URLSearchParams(queryParams)
const cookie = req.headers.get('cookie') || ''
// redirect to the next-auth handler which expects GET with query params.
return NextResponse.redirect(
`https://${req.headers.get('host')}/api/auth/callback/apple?` +
searchParams.toString(),
{
status: 302,
headers: {
cookie,
},
},
)
} |
I tried this route handler, but the authentication process seems still to be missing the email address from the Apple account. Here's the error log from the related Vercel function:
|
|
@glencoden as @gordonturner mentioned the user's email will only be delivered the first time they sign in. Subsequent sign ins will deliver the apple sub which is used to retrieve an account by id along with the associated user. After signing in with apple are you prompted to share or mask your email address? I'm not sure what your adapter looks like but the PrismaAdapter is working fine out of the box for me with 5.0.0-beta.17 |
|
Hey everyone, thanks for discussing about this issue. I want to summarize the findings & workaround so far to track it better. I believe there are some separate issues that are happening at once, and we can deal with them one by one before getting the Apple provider working. Issue 1:
|
ThangHuuVu
added
bug
|
To everyone facing issues with the Apple provider not providing a Configuration for Apple Provider in NextAuth.js
Override the Apple Callback RouteTo handle the Apple callback correctly, create an override route for the Apple callback:
Explanation:
By following these steps, you should be able to implement a workaround for the Apple provider issue in NextAuth.js until a permanent fix is merged into the library. |
|
Any idea when this will be updated to work by default? |
|
Thanks to all for workarounds here. |
|
@sl45sms your working configuration works great, thank you! |
|
@sl45sms thx, saved my day! |
|
I am getting this error, I believe because I am using the AUTH_REDIRECT_PROXY documented here. https://authjs.dev/getting-started/deployment#securing-a-preview-deployment
Also, getting this error in production where the redirect proxy should be used
I am using https://github.com/t3-oss/create-t3-turbo as a starter. I need to implement apple auth before I can publish to the app store so this is a major blocker, I believe for all of the project using this template. Is there another workaround? |
|
|
@sl45sms I have update my config to include this, in both the proxy and the nextjs route Still seeing the same errors In production, without the proxy And Thank you for taking a look into this |
|
@kiikoh are you sure you have set the correct clientId? I had some strange problems because of this, which didn't seem to be related at all. |
|
@kiikoh apple call this as "serviceID" and you can found it under https://developer.apple.com/account/resources/identifiers/list/serviceId |
@sl45sms right, I was just saying that since that text appeared, and I didn't manually enter that in it must have picked it up correctly. Everything works up until the redirect back to my app.
In my env I have, |
Got a new type of error in /api/aut/callback/apple AccessDenied: AccessDenied. Read more at https://errors.authjs.dev#accessdenied Using NextAuth V5 beta .20 so I didn't overwrite the /api/aut/callback/apple |
|
@sl45sms thank you! that works just fine 👍 |
Found the issue and fixed. It is not related to Apple provider directly. It is related to email and id pass back process. |
|
I'm using this config. Can anyone assist me on this? |
I get the 'no authorization code in "callbackParameters"' error mentioned above with this setup (which seems to be working for some people?) |
I'm getting the same error on 5.0.0-beta.20 for Apple login I know that the redirect URL is set to Because I can see that url flash in the navigation bar before the error is thrown and the browser is redirected to
This is my auth.ts file copied the Apple section from the workarounds posted above. Google and Github logins work great tho 😂 If anyone can offer any help on this issue it'd be much appreciated, I might need to switch to a different auth library if Apple auth simply doesn't work with AuthJS. |
|
@JamesWalkerGit you should try @ChrGrb solution #6788 (comment) thats what worked for me. |
Hey thanks for the tip @maiconcarraro, I setup my auth.ts to mirror @ChrGrb 's config as far as I can tell, I successfully get thru the apple login and password authentication, and then when I am redirected back to the callback url on my end unfortunately I get these errors: 
auth.ts |
|
@JamesWalkerGit the I'm using: const cookiePrefix = useSecureCookies ? "__Secure-" : "";
...
return {
...
pkceCodeVerifier: {
name: `${cookiePrefix}authjs.pkce.code_verifier`,
options: {
httpOnly: true,
sameSite: "lax",
path: "/",
secure: useSecureCookies,
maxAge: COOKIES_LIFE_TIME,
},
},and sameSite lax worked for me, you might try both, lax should be securer. |
|
Thanks for the heads up @maiconcarraro I tried that but unfortunately it seems I get the same errors. Here is a link to a deployed repository that is a nextjs boilerplate from Vercel with implemented AuthJS following the documentation and then with the workaround suggested here for Apple login. Github login works ✅, Apple login does not ❌. Default Setup following documentation - [31m[auth][cause]�[0m: TypeError: TODO: Authorization server did not provide a userinfo endpoint. 
After Workaround - [31m[auth][cause]�[0m: Error: TODO: Handle OIDC response body error 
Hopefully a reproducible link to a boilerplate project helps? Not sure where to go from here as I'm not sure if it's still something I'm doing wrong or if it's a bug that won't work no matter what I try here. |
|
@JamesWalkerGit comparing to my project the differences are:
|
|
@maiconcarraro Removed the edge runtime and added the full cookie spec based on that link, but unfortunately still seeing the same errors. 🫡 Github login works ✅, Apple login does not ❌. auth.ts - with workaround and full cookie spec [31m[auth][cause]�[0m: Error: TODO: Handle OIDC response body error 
|
|
I tried @sl45sms's solution with NextAuth v5 beta 20, but I am facing this issue:
|
|
Thanks for this fix @balazsorban44 , no more workarounds needed for me anymore as of next-auth The only minor issue, as mentioned in the comments of that commit, is that redirect proxies for |
|
Thanks all for the hard work, and feedback, I know this is closed, but is not clear what is the final solution, I'm still having the error id_token not present in token set, and with all these comments the final solution is not clear. I'm using next-auth v4 and prisma adapter, all the others providers works, except apple, even in the next-auth example webpage, apple login doesn't work. Sorry I'm confused, does apple provider works on v4 or only on v5? What is the final auth config code?, is supposed to be working with the defaults configuration but it doesn't. Thanks in advanced, please, help, is been a week trying this to work |
and others
Provider type
Apple
Environment
System:
OS: Linux 5.19 KDE neon 5.27 5.27
CPU: (16) x64 11th Gen Intel(R) Core(TM) i7-11800H @ 2.30GHz
Memory: 6.74 GB / 15.34 GB
Container: Yes
Shell: 5.1.16 - /bin/bash
Binaries:
Node: 16.18.0 - ~/apps/node-v16.18.0-linux-x64/bin/node
npm: 9.3.0 - ~/apps/node-v16.18.0-linux-x64/bin/npm
Browsers:
Brave Browser: 110.1.48.164
Chrome: 110.0.5481.100
Firefox: 110.0
Reproduction URL
Needed?
Describe the issue
Seems as if Apple another one of those providers that does not provide user info.
When the redirect endpoint is invoked I get the following error:
The line in question is here.
I found a relevant issue that had a specific work-around, but pertained to Todoist.
Doesn't seem to me that requiring a user-info endpoint is part of the OAuth spec, but I could be wrong. I would rather have this restriction be a configuration option or handled explicitly by some callback. I wouldn't be surprised if the push for privacy is going to push additional partners to follow a similar pattern.
How to reproduce
Try to do a sign-in using Apple.
Expected behavior
For it to work and have the client specify how to handle the missing information.
The text was updated successfully, but these errors were encountered: