double quote

apps/dev/nextjs/pages/api/auth/[...nextauth].ts

@@ -5,6 +5,7 @@ import Apple from "@auth/core/providers/apple"
 import Auth0 from "@auth/core/providers/auth0"
 import AzureAD from "@auth/core/providers/azure-ad"
 import AzureB2C from "@auth/core/providers/azure-ad-b2c"
+import BankIDNorway from "@auth/core/providers/bankid-no"
 import BoxyHQSAML from "@auth/core/providers/boxyhq-saml"
 // import Cognito from "@auth/core/providers/cognito"
 import Credentials from "@auth/core/providers/credentials"
@@ -89,6 +90,7 @@ export const authConfig: AuthConfig = {
       tenantId: process.env.AZURE_AD_TENANT_ID,
     }),
     AzureB2C({ clientId: process.env.AZURE_B2C_ID, clientSecret: process.env.AZURE_B2C_SECRET, issuer: process.env.AZURE_B2C_ISSUER }),
+    BankIDNorway({ clientId: process.env.BANKID_NO_ID, clientSecret: process.env.BANKID_NO_SECRET }),
     BoxyHQSAML({ issuer: "https://jackson-demo.boxyhq.com", clientId: "tenant=boxyhq.com&product=saml-demo.boxyhq.com", clientSecret: "dummy" }),
     // Cognito({ clientId: process.env.COGNITO_ID, clientSecret: process.env.COGNITO_SECRET, issuer: process.env.COGNITO_ISSUER }),
     Discord({ clientId: process.env.DISCORD_ID, clientSecret: process.env.DISCORD_SECRET }),

docs/static/img/providers/bankid-no.svg

@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 22.1.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="-1.5 -7 36 36" style="enable-background:new 0 0 36 36;" xml:space="preserve">
+<style type="text/css">
+	.st1{fill:#fff;}
+</style>
+<g>
+	<g>
+		<path class="st1" d="M7.5,3h-6C0.7,3,0,2.3,0,1.5v0C0,0.7,0.7,0,1.5,0l6,0C8.3,0,9,0.7,9,1.5v0C9,2.3,8.3,3,7.5,3z"/>
+		<path class="st1" d="M7.5,15h-6C0.7,15,0,14.3,0,13.5v0C0,12.7,0.7,12,1.5,12h6C8.3,12,9,12.7,9,13.5v0C9,14.3,8.3,15,7.5,15z"/>
+		<path class="st1" d="M7.5,21h-6C0.7,21,0,20.3,0,19.5v0C0,18.7,0.7,18,1.5,18h6C8.3,18,9,18.7,9,19.5v0C9,20.3,8.3,21,7.5,21z"/>
+		<path class="st1" d="M19.5,9h-6C12.7,9,12,8.3,12,7.5v0C12,6.7,12.7,6,13.5,6h6C20.3,6,21,6.7,21,7.5v0C21,8.3,20.3,9,19.5,9z"/>
+		<path class="st1" d="M19.5,15h-6c-0.8,0-1.5-0.7-1.5-1.5v0c0-0.8,0.7-1.5,1.5-1.5h6c0.8,0,1.5,0.7,1.5,1.5v0
+			C21,14.3,20.3,15,19.5,15z"/>
+		<path class="st1" d="M31.5,3h-6C24.7,3,24,2.3,24,1.5v0C24,0.7,24.7,0,25.5,0l6,0C32.3,0,33,0.7,33,1.5v0C33,2.3,32.3,3,31.5,3z"
+			/>
+		<path class="st1" d="M31.5,9h-6C24.7,9,24,8.3,24,7.5v0C24,6.7,24.7,6,25.5,6h6C32.3,6,33,6.7,33,7.5v0C33,8.3,32.3,9,31.5,9z"/>
+		<path class="st1" d="M31.5,21h-6c-0.8,0-1.5-0.7-1.5-1.5v0c0-0.8,0.7-1.5,1.5-1.5h6c0.8,0,1.5,0.7,1.5,1.5v0
+			C33,20.3,32.3,21,31.5,21z"/>
+	</g>
+</g>
+</svg>

packages/core/src/lib/oauth/callback.ts

@@ -135,8 +135,13 @@ export async function handleOAuth(
       throw new Error("TODO: Handle OIDC response body error")
     }
 
-    profile = o.getValidatedIdTokenClaims(result)
     tokens = result
+
+    if (provider.userinfo?.request) {
+      profile = await provider.userinfo.request({ tokens, provider })
+    } else {
+      profile = o.getValidatedIdTokenClaims(result)
+    }
   } else {
     tokens = await o.processAuthorizationCodeOAuth2Response(
       as,

packages/core/src/providers/bankid-no.ts

@@ -0,0 +1,185 @@
+/**
+ * <div style={{backgroundColor: "#39134c", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
+ * <span>Built-in <b>BankID Norway</b> integration.</span>
+ * <a href="https://www.bankid.no/en">
+ *   <img style={{display: "block"}} src="https://raw.githubusercontent.com/nextauthjs/next-auth/b2b0c05da8e2f61435d14fbce6afa6e8b607e971/docs/static/img/providers/bankid-no.svg" height="48" width="48"/>
+ * </a>
+ * </div>
+ *
+ * ---
+ * @module providers/bankid-no
+ */
+
+import { decodeJwt } from "jose"
+import type { OAuthUserConfig, OIDCConfig } from "./index.js"
+
+/**
+ * @see [Core conepts - ID Token](https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/core-concepts/id-token)
+ * @see [userinfo](https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/api/userinfo)
+ */
+export interface BankIDNorwayProfile {
+  exp: number
+  iat: number
+  /** Epoc time */
+  auth_time: number
+  jti: string
+  iss: string
+  /** Always client_id */
+  aud: string
+  sub: string
+  typ: "ID"
+  /** Equals client_id */
+  azp: string
+  session_state: string
+  at_hash: string
+  name: string
+  given_name: string
+  family_name: string
+  birthdate: string
+  updated_at: number
+  /**
+   * Uniform Resource Name for [IDP option](https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/core-concepts/identity-providers) being used,
+   * including Level of Assurance (LoA).
+   * @example
+   * ```
+   * urn:bankid:bid;LOA=4
+   * ```
+   */
+  acr: string
+  sid: string
+  /**
+   * Name of [IDP option](https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/core-concepts/identity-providers) being used to authenticate the end-user.
+   * If the end-user is subject to authentication step-up,
+   * note that this value may differ from any `amr` value specified
+   * in the `login_hint` parameter of the [authorize](https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/api/authorize) endpoint.
+   */
+  amr: "BID" | "BIM" | "BIS"
+  /** Personal Identifier (PID) / Serial Number) from associated BankID certificate. */
+  bankid_altsub: string
+  /**
+   * In case of BID or BIM, the issuer of the end user certificate is returned.
+   * @example
+   * ```
+   * CN=BankID Bankenes ID-tjeneste Bank CA 2,
+   * OU=988477052,
+   * O=Bankenes ID-tjeneste AS,*
+   * C=NO;OrginatorId=9775;OriginatorName=Gjensidige Bank RA 1
+   * ```
+   */
+  originator: string
+  additionalCertInfo: {
+    certValidFrom: number
+    serialNumber: string
+    keyAlgorithm: string
+    keySize: string
+    policyOid: string
+    certQualified: boolean
+    certValidTo: number
+    versionNumber: string
+    subjectName: string
+  }
+  /** Currently used as an input parameter for the [securityData](https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/api/securitydata) endpoint of the [Fraud Data](https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/advanced-topics/fraud-data) service */
+  tid: string
+  /** Only returned from the `userinfo_endpoint` */
+  email?: string
+  /**
+   * [Norwegian National Identity Number (fødselsnummer)](https://www.skatteetaten.no/en/person/foreign/norwegian-identification-number/national-identity-number). It can be an alternative to `sub`.
+   * Requires `nnin_altsub` scope at the [authorize](https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/api/authorize) endpoint.
+   * @example
+   * ```
+   * 181266*****
+   * ```
+   */
+  nnin_altsub?: string
+}
+
+/**
+ * Add BankID Norge login to your page.
+ *
+ * ## Example
+ *
+ * ```ts
+ * import { Auth } from "@auth/core"
+ * import BankIDNorway from "@auth/core/providers/bankid-no"
+ *
+ * const request = new Request("https://example.com")
+ * const resposne = await Auth(request, {
+ *   providers: [BankIDNorway({ clientId: "", clientSecret: "", issuer: "" })],
+ * })
+ * ```
+ *
+ * ---
+ *
+ * ## Resources
+ *
+ * - [OpenID Connect Provider from BankID](https://confluence.bankidnorge.no/confluence/pdoidcl)
+ *
+ * ---
+ *
+ * ## Notes
+ *
+ * By default, Auth.js assumes that the BankIDNorway provider is
+ * based on the [OIDC](https://openid.net/specs/openid-connect-core-1_0.html) specification.
+ *
+ * :::tip
+ *
+ * The BankIDNorway provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/bankid-no.ts).
+ * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/providers/custom-provider#override-default-options).
+ *
+ * :::
+ *
+ * :::info **Disclaimer**
+ *
+ * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
+ *
+ * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
+ * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
+ * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
+ *
+ * :::
+ */
+export default function BankIDNorway<P extends BankIDNorwayProfile>(
+  config: OAuthUserConfig<P>
+): OIDCConfig<P> {
+  config.issuer ??= "https://auth.current.bankid.no/auth/realms/current"
+  return {
+    id: "bankid-no",
+    name: "BankID Norge",
+    type: "oidc",
+    style: {
+      text: "#fff",
+      textDark: "#fff",
+      bg: "#39134c",
+      bgDark: "#39134c",
+      logo: "/bankid-no.svg",
+      logoDark: "/bankid-no-dark.svg",
+    },
+    client: { token_endpoint_auth_method: "client_secret_post" },
+    authorization: { params: { ui_locales: "no" } },
+    userinfo: {
+      // BankID Norway does not return the email in id_token, only from the userinfo endpoint
+      // https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/core-concepts/scopes-and-claims#:~:text=is%20not%20optimal.-,email,-Used%20to%20request
+      async request({ tokens }) {
+        const res = await fetch(
+          `${config.issuer}/.well-known/openid-configuration`
+        )
+        const meta = await res.json()
+        const response = await fetch(meta.userinfo_endpoint, {
+          headers: { Authorization: `Bearer ${tokens.access_token}` },
+        })
+        const token = await response.text()
+        // https://confluence.bankidnorge.no/confluence/pdoidcl/technical-documentation/api/userinfo#apiuserinfo-response-paramsResponseelements
+        return decodeJwt(token)
+      },
+    },
+    profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email ?? null,
+        image: null,
+      }
+    },
+    options: config,
+  }
+}