apply suggestion

.github/ISSUE_TEMPLATE/2_bug_provider.yml

@@ -25,7 +25,6 @@ body:
         - "Custom provider"
         - "42 School"
         - "Apple"
-        - "Asgardeo"
         - "Atlassian"
         - "Auth0"
         - "Authentik"

.github/actions/issue-validator/src/index.mjs

@@ -41,7 +41,13 @@ async function run() {
       label: { name: newLabel },
     } = payload
 
-    if (pull_request || !issue?.body || !process.env.GITHUB_TOKEN) return
+    if (
+      pull_request ||
+      !issue?.body ||
+      !process.env.GITHUB_TOKEN ||
+      !process.env.GITHUB_ACTION_PATH
+    )
+      return
 
     const labels = issue.labels.map((l) => l.name)
     // const isBugReport =
@@ -72,9 +78,7 @@ async function run() {
         client.issues.createComment({
           ...issueCommon,
           body: readFileSync(
-            join(
-              "/home/runner/work/next-auth/next-auth/.github/actions/issue-validator/repro.md"
-            ),
+            join(process.env.GITHUB_ACTION_PATH, "repro.md"),
             "utf8"
           ),
         }),

.github/sync.yml

@@ -7,12 +7,15 @@ nextauthjs/sveltekit-auth-example:
   - .github/FUNDING.yml
   - LICENSE
 
-nextauthjs/solid-start-auth-example:
-  - source: "apps/examples/solid-start"
-    dest: .
-    deleteOrphaned: true
-  - .github/FUNDING.yml
-  - LICENSE
+# FIXME: Should re-enable, but currently fails:
+# https://github.com/nextauthjs/next-auth/actions/runs/3811709391/jobs/6484533340
+# (issue seems to be the name of the target repo)
+# nextauthjs/solid-start-auth-example:
+#   - source: "apps/examples/solid-start"
+#     dest: .
+#     deleteOrphaned: true
+#   - .github/FUNDING.yml
+#   - LICENSE
 
 nextauthjs/next-auth-gatsby-example:
   - source: apps/playgrounds/gatsby

.github/workflows/release.yml

@@ -35,22 +35,6 @@ jobs:
           UPSTASH_REDIS_KEY: ${{ secrets.UPSTASH_REDIS_KEY }}
           TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
           TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
-      # - name: Run E2E tests
-      #   if: github.repository == 'nextauthjs/next-auth'
-      #   run: pnpm e2e
-      #   timeout-minutes: 15
-      #   env:
-      #     AUTH0_USERNAME: ${{ secrets.AUTH0_USERNAME }}
-      #     AUTH0_PASSWORD: ${{ secrets.AUTH0_PASSWORD }}
-      #     TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
-      #     TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
-      # - name: Upload E2E artifacts
-      #   if: github.repository == 'nextauthjs/next-auth'
-      #   uses: actions/upload-artifact@v3
-      #   with:
-      #     name: playwright-report
-      #     path: apps/dev/nextjs/playwright-report/
-      #     retention-days: 30
       # - name: Coverage
       #   uses: codecov/codecov-action@v1
       #   with:

.github/workflows/sync-examples.yml

@@ -11,9 +11,9 @@ jobs:
       - name: Checkout Repository
         uses: actions/checkout@v3
       - name: Run GitHub File Sync
-        uses: balazsorban44/repo-file-sync-action@master
+        # Can update to v1 when https://github.com/BetaHuhn/repo-file-sync-action/issues/168 is resolved
+        uses: BetaHuhn/repo-file-sync-action@v1.16.5
         with:
-          GH_PAT: ${{ secrets.GH_PAT }}
-          IS_FINE_GRAINED: true
+          GH_PAT: ${{ secrets.GH_PAT_CLASSIC }}
           SKIP_PR: true
           ORIGINAL_MESSAGE: true

.prettierrc.js

@@ -7,7 +7,7 @@ module.exports = {
   overrides: [
     {
       files: [
-        "apps/dev/nextjs/pages/api/auth/[...nextauth].ts",
+        "apps/dev/pages/api/auth/[...nextauth].ts",
         "docs/{sidebars,docusaurus.config}.js",
       ],
       options: { printWidth: 150 },

apps/dev/nextjs/.env.local.example

@@ -9,10 +9,6 @@ NEXTAUTH_URL=http://localhost:3000
 # and/or verification tokens.
 NEXTAUTH_SECRET=secret
 
-ASGARDEO_CLIENT_ID=
-ASGARDEO_CLIENT_SECRET=
-ASGARDEO_ISSUER=
-
 AUTH0_ID=
 AUTH0_SECRET=
 AUTH0_ISSUER=

apps/dev/nextjs/.gitignore

@@ -1,4 +0,0 @@
-node_modules/
-/test-results/
-/playwright-report/
-/playwright/.cache/

apps/dev/nextjs/components/header.js

@@ -1,5 +1,5 @@
 import Link from "next/link"
-import { useSession } from "next-auth/react"
+import { signIn, signOut, useSession } from "next-auth/react"
 import styles from "./header.module.css"
 
 // The approach used in this component shows how to built a sign in and sign out
@@ -24,7 +24,14 @@ export default function Header() {
               <span className={styles.notSignedInText}>
                 You are not signed in
               </span>
-              <a href="/api/auth/signin" className={styles.buttonPrimary}>
+              <a
+                href="/api/auth/signin"
+                className={styles.buttonPrimary}
+                onClick={(e) => {
+                  e.preventDefault()
+                  signIn()
+                }}
+              >
                 Sign in
               </a>
             </>
@@ -40,7 +47,14 @@ export default function Header() {
                 <strong>{session.user.email} </strong>
                 {session.user.name ? `(${session.user.name})` : null}
               </span>
-              <a href="/api/auth/signout" className={styles.button}>
+              <a
+                href="/api/auth/signout"
+                className={styles.button}
+                onClick={(e) => {
+                  e.preventDefault()
+                  signOut()
+                }}
+              >
                 Sign out
               </a>
             </>

apps/dev/nextjs/package.json

@@ -9,12 +9,10 @@
     "build": "next build",
     "start": "next start",
     "email": "fake-smtp-server",
-    "start:email": "pnpm email",
-    "e2e": "pnpm dlx playwright test"
+    "start:email": "pnpm email"
   },
   "license": "ISC",
   "dependencies": {
-    "@auth/core": "workspace:*",
     "@next-auth/fauna-adapter": "workspace:*",
     "@next-auth/prisma-adapter": "workspace:*",
     "@next-auth/supabase-adapter": "workspace:*",
@@ -24,16 +22,15 @@
     "faunadb": "^4",
     "next": "13.1.1",
     "next-auth": "workspace:*",
+    "@auth/core": "workspace:*",
     "nodemailer": "^6",
     "react": "^18",
     "react-dom": "^18"
   },
   "devDependencies": {
-    "@playwright/test": "1.29.2",
     "@types/jsonwebtoken": "^8.5.5",
     "@types/react": "^18.0.15",
     "@types/react-dom": "^18.0.6",
-    "dotenv": "^16.0.3",
     "fake-smtp-server": "^0.8.0",
     "pg": "^8.7.3",
     "prisma": "^3",

apps/dev/nextjs/pages/api/auth/[...nextauth].ts

@@ -2,7 +2,6 @@ import { Auth, type AuthConfig } from "@auth/core"
 
 // Providers
 import Apple from "@auth/core/providers/apple"
-import Asgardeo from "@auth/core/providers/asgardeo"
 import Auth0 from "@auth/core/providers/auth0"
 import AzureAD from "@auth/core/providers/azure-ad"
 import AzureB2C from "@auth/core/providers/azure-ad-b2c"
@@ -83,7 +82,6 @@ export const authConfig: AuthConfig = {
       },
     }),
     Apple({ clientId: process.env.APPLE_ID, clientSecret: process.env.APPLE_SECRET }),
-    Asgardeo({ clientId: process.env.ASGARDEO_CLIENT_ID, clientSecret: process.env.ASGARDEO_CLIENT_SECRET, issuer: process.env.ASGARDEO_ISSUER }),
     Auth0({ clientId: process.env.AUTH0_ID, clientSecret: process.env.AUTH0_SECRET, issuer: process.env.AUTH0_ISSUER }),
     AzureAD({
       clientId: process.env.AZURE_AD_CLIENT_ID,

apps/dev/nextjs/playwright.config.ts

@@ -1,107 +0,0 @@
-import type { PlaywrightTestConfig } from '@playwright/test';
-import { devices } from '@playwright/test';
-
-/**
- * Read environment variables from file.
- * https://github.com/motdotla/dotenv
- */
-require('dotenv').config();
-
-/**
- * See https://playwright.dev/docs/test-configuration.
- */
-const config: PlaywrightTestConfig = {
-  testDir: './tests',
-  /* Maximum time one test can run for. */
-  timeout: 30 * 1000,
-  expect: {
-    /**
-     * Maximum time expect() should wait for the condition to be met.
-     * For example in `await expect(locator).toHaveText();`
-     */
-    timeout: 5000
-  },
-  /* Run tests in files in parallel */
-  fullyParallel: true,
-  /* Fail the build on CI if you accidentally left test.only in the source code. */
-  forbidOnly: !!process.env.CI,
-  /* Retry on CI only */
-  retries: process.env.CI ? 2 : 0,
-  /* Opt out of parallel tests on CI. */
-  workers: process.env.CI ? 1 : undefined,
-  /* Reporter to use. See https://playwright.dev/docs/test-reporters */
-  reporter: 'html',
-  /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */
-  use: {
-    /* Maximum time each action such as `click()` can take. Defaults to 0 (no limit). */
-    actionTimeout: 0,
-    /* Base URL to use in actions like `await page.goto('/')`. */
-    // baseURL: 'http://localhost:3000',
-
-    /* Collect trace when retrying the failed test. See https://playwright.dev/docs/trace-viewer */
-    trace: 'on-first-retry',
-  },
-
-  /* Configure projects for major browsers */
-  projects: [
-    {
-      name: 'chromium',
-      use: {
-        ...devices['Desktop Chrome'],
-      },
-    },
-
-    {
-      name: 'firefox',
-      use: {
-        ...devices['Desktop Firefox'],
-      },
-    },
-
-    {
-      name: 'webkit',
-      use: {
-        ...devices['Desktop Safari'],
-      },
-    },
-
-    /* Test against mobile viewports. */
-    // {
-    //   name: 'Mobile Chrome',
-    //   use: {
-    //     ...devices['Pixel 5'],
-    //   },
-    // },
-    // {
-    //   name: 'Mobile Safari',
-    //   use: {
-    //     ...devices['iPhone 12'],
-    //   },
-    // },
-
-    /* Test against branded browsers. */
-    // {
-    //   name: 'Microsoft Edge',
-    //   use: {
-    //     channel: 'msedge',
-    //   },
-    // },
-    // {
-    //   name: 'Google Chrome',
-    //   use: {
-    //     channel: 'chrome',
-    //   },
-    // },
-  ],
-
-  /* Folder for test artifacts such as screenshots, videos, traces, etc. */
-  // outputDir: 'test-results/',
-
-  /* Run your local dev server before starting the tests */
-  // webServer: {
-  //   command: 'npm run start',
-  //   port: 3000,
-  // },
-};
-
-export default config;

apps/dev/nextjs/tests/signin.spec.ts

@@ -1,39 +0,0 @@
-import { test, expect } from "@playwright/test"
-
-test("Sign in with Auth0", async ({ page }) => {
-  // Go to NextAuth example app
-  await page.goto("https://next-auth-example.vercel.app")
-
-  // Click 'Sign In'
-  await page.click("#__next > header > div > p > a")
-
-  // Auth0 Login Provider
-  await page.click('body > div > div form[action*="auth0"] > button')
-
-  // Enter Credentials (Username/Password Login) on Auth0 Widget
-  await page.type("#username", process.env.AUTH0_USERNAME!)
-  await page.type("#password", process.env.AUTH0_PASSWORD!)
-
-  // Snap a screenshot
-  // await page.screenshot({ path: "1-auth0-login.png", fullPage: true })
-
-  // Press submit on Auth0 form
-  await page.click('body > div > main > section > div button[type="submit"]')
-
-  // Wait for next-auth example page login status header to appear
-  await page.waitForTimeout(2000)
-
-  // Snap a screenshot
-  // await page.screenshot({
-  //   path: "2-next-auth-redirect-result.png",
-  //   fullPage: false,
-  // })
-
-  // Check session object after successful login
-  const response = await page.goto(
-    "https://next-auth-example.vercel.app/api/auth/session"
-  )
-  const session = await response?.json()
-  expect(session?.user?.email).toBe(process.env.AUTH0_USERNAME)
-  // TODO: Check whole object with .toEqual()
-})

apps/dev/sveltekit/package.json

@@ -19,8 +19,8 @@
     "vite": "4.0.1"
   },
   "dependencies": {
-    "@auth/core": "0.2.5",
-    "@auth/sveltekit": "0.1.12"
+    "@auth/core": "latest",
+    "@auth/sveltekit": "latest"
   },
   "type": "module"
 }

apps/examples/nextjs/README.md

@@ -1,14 +1,9 @@
-> The example repository is maintained from a [monorepo](https://github.com/nextauthjs/next-auth/tree/main/apps/examples/nextjs). Pull Requests should be opened against [`nextauthjs/next-auth`](https://github.com/nextauthjs/next-auth).
+> The example repository is maintained from a [monorepo](https://github.com/nextauthjs/next-auth/tree/main/apps/example-nextjs). Pull Requests should be opened against [`nextauthjs/next-auth`](https://github.com/nextauthjs/next-auth).
 
 <p align="center">
    <br/>
-   <a href="https://authjs.dev" target="_blank">
-   <img height="64" src="https://authjs.dev/img/logo/logo-sm.png" />
-   </a>
-   <a href="https://nextjs.org" target="_blank">
-   <img height="64" src="https://nextjs.org/static/favicon/android-chrome-192x192.png" />
-   </a>
-   <h3 align="center"><b>NextAuth.js</b> - Example App</h3>
+   <a href="https://next-auth.js.org" target="_blank"><img width="150px" src="https://next-auth.js.org/img/logo/logo-sm.png" /></a>
+   <h3 align="center">NextAuth.js Example App</h3>
    <p align="center">
    Open Source. Full Stack. Own Your Data.
    </p>
@@ -30,14 +25,20 @@
 
 ## Overview
 
-NextAuth.js is a complete open-source authentication solution.
+NextAuth.js is a complete open source authentication solution.
 
 This is an example application that shows how `next-auth` is applied to a basic Next.js app.
 
 The deployed version can be found at [`next-auth-example.vercel.app`](https://next-auth-example.vercel.app)
 
+### About NextAuth.js
+
+NextAuth.js is an easy to implement, full-stack (client/server) open source authentication library originally designed for [Next.js](https://nextjs.org) and [Serverless](https://vercel.com). Our goal is to [support even more frameworks](https://github.com/nextauthjs/next-auth/issues/2294) in the future.
+
 Go to [next-auth.js.org](https://next-auth.js.org) for more information and documentation.
 
+> _NextAuth.js is not officially associated with Vercel or Next.js._
+
 ## Getting Started
 
 ### 1. Clone the repository and install dependencies
@@ -97,13 +98,15 @@ npm run start
 
 ### 5. Preparing for Production
 
-Follow the [Deployment documentation](https://authjs.dev/guides/basics/deployment) or deploy the example instantly using [Vercel](https://vercel.com?utm_source=github&utm_medium=readme&utm_campaign=next-auth-example)
-
-[![Deploy with Vercel](https://vercel.com/button)](https://vercel.com/new/git/external?repository-url=https://github.com/nextauthjs/next-auth-example&project-name=next-auth-example&repository-name=next-auth-example)
+Follow the [Deployment documentation](https://next-auth.js.org/deployment)
 
 ## Acknowledgements
 
 <a href="https://vercel.com?utm_source=nextauthjs&utm_campaign=oss">
-<img width="170px" src="https://raw.githubusercontent.com/nextauthjs/next-auth/main/docs/static/img/powered-by-vercel.svg" alt="Powered By Vercel" />
+<img width="170px" src="https://raw.githubusercontent.com/nextauthjs/next-auth/canary/www/static/img/powered-by-vercel.svg" alt="Powered By Vercel" />
 </a>
-<p align="left">Thanks to Vercel sponsoring this project by allowing it to be deployed for free for the entire Auth.js Team</p>
+<p align="left">Thanks to Vercel sponsoring this project by allowing it to be deployed for free for the entire NextAuth.js Team</p>
+
+## License
+
+ISC

apps/examples/nextjs/pages/server.tsx

@@ -3,10 +3,9 @@ import { authOptions } from "./api/auth/[...nextauth]"
 import Layout from "../components/layout"
 
 import type { GetServerSidePropsContext } from "next"
-import { useSession } from "next-auth/react"
+import type { Session } from "next-auth"
 
-export default function ServerSidePage() {
-  const { data: session } = useSession()
+export default function ServerSidePage({ session }: { session: Session }) {
   // As this page uses Server Side Rendering, the `session` will be already
   // populated on render without needing to go through a loading stage.
   return (

apps/examples/solid-start/README.MD

@@ -0,0 +1,37 @@
+# Create JD App
+
+This project was created using [Create JD App](https://github.com/OrJDev/create-jd-app)
+
+## Deploying To Vercel
+
+### Installing
+
+```bash
+npm install solid-start-vercel@latest -D
+```
+
+### Adding to vite config
+
+```ts
+import solid from "solid-start/vite";
+import dotenv from "dotenv";
+import { defineConfig } from "vite";
+// @ts-expect-error no typing
+import vercel from "solid-start-vercel";
+  
+export default defineConfig(() => {
+  dotenv.config();
+  return {
+    plugins: [solid({ ssr: true, adapter: vercel({ edge: false }) })],
+  };
+});
+  
+```
+
+### Enviroment Variables
+
+- `ENABLE_VC_BUILD`=`1` .
+
+### You Are Done
+
+Create a github repo and push your code to it, then deploy it to vercel (:

apps/examples/solid-start/README.md

@@ -1,85 +0,0 @@
-> The example repository is maintained from a [monorepo](https://github.com/nextauthjs/next-auth/tree/main/apps/examples/solid-start). Pull Requests should be opened against [`nextauthjs/next-auth`](https://github.com/nextauthjs/next-auth).
-
-<p align="center">
-   <br/>
-   <a href="https://authjs.dev" target="_blank">
-   <img height="64" src="https://authjs.dev/img/logo/logo-sm.png" />
-   </a>
-   <a href="https://start.solidjs.com" target="_blank">
-   <img height="64" src="https://www.solidjs.com/assets/logo-123b04bc.svg" />
-   </a>
-   <h3 align="center"><b>SolidStart Auth</b> - Example App</h3>
-   <p align="center">
-   Open Source. Full Stack. Own Your Data.
-   </p>
-   <p align="center" style="align: center;">
-      <a href="https://npm.im/@auth/solid-start">
-        <img alt="npm" src="https://img.shields.io/npm/v/@auth/solid-start?color=green&label=@auth/solid-start&style=flat-square">
-      </a>
-      <a href="https://bundlephobia.com/result?p=@auth/solid-start">
-        <img src="https://img.shields.io/bundlephobia/minzip/@auth/solid-start?label=size&style=flat-square" alt="Bundle Size"/>
-      </a>
-      <a href="https://www.npmtrends.com/@auth/solid-start">
-        <img src="https://img.shields.io/npm/dm/@auth/solid-start?label=downloads&style=flat-square" alt="Downloads" />
-      </a>
-      <a href="https://npm.im/@auth/solid-start">
-        <img src="https://img.shields.io/badge/TypeScript-blue?style=flat-square" alt="TypeScript" />
-      </a>
-   </p>
-</p>
-
-## Overview
-
-This is the official SolidStart Auth example for [Auth.js](https://authjs.dev).
-
-
-## Getting started
-
-You can follow the guide below, or click the following button to deploy this example to [Vercel](https://vercel.com?utm_source=github&utm_medium=readme&utm_campaign=solid-start-auth-example).
-
-[![Deploy with Vercel](https://vercel.com/button)](https://vercel.com/new/git/external?repository-url=https://github.com/nextauthjs/solid-start-auth-example&project-name=solid-start-auth-example&repository-name=solid-start-auth-example)
-
-### Installing
-
-```sh
-pnpm add -D solid-start-vercel
-```
-```sh
-npm i -D solid-start-vercel
-```
-```sh
-yarn add -D solid-start-vercel
-```
-
-### Adding to Vite config
-
-```ts
-import solid from "solid-start/vite";
-import dotenv from "dotenv";
-import { defineConfig } from "vite";
-// @ts-expect-error no typing
-import vercel from "solid-start-vercel";
-  
-export default defineConfig(() => {
-  dotenv.config();
-  return {
-    plugins: [solid({ ssr: true, adapter: vercel({ edge: false }) })],
-  };
-});
-  
-```
-
-### Environment Variables
-
-- `ENABLE_VC_BUILD`=`1` .
-
-### Finishing up
-
-Create a GitHub repo and push the code to it, then deploy it to Vercel.
-
-## Acknowledgements
-
-<a href="https://vercel.com?utm_source=nextauthjs&utm_campaign=oss">
-<img width="170px" src="https://raw.githubusercontent.com/nextauthjs/next-auth/main/docs/static/img/powered-by-vercel.svg" alt="Powered By Vercel" />
-</a>
-<p align="left">Thanks to Vercel sponsoring this project by allowing it to be deployed for free for the entire Auth.js Team</p>

apps/examples/solid-start/package.json

@@ -17,7 +17,7 @@
     "vite": "^3.1.0"
   },
   "dependencies": {
-    "@auth/core": "latest",
+    "@auth/core": "^0.1.4",
     "@solid-auth/next": "^0.0.19",
     "@solidjs/meta": "^0.28.0",
     "@solidjs/router": "^0.6.0",

apps/examples/sveltekit/README.md

@@ -1,14 +1,9 @@
-> The example repository is maintained from a [monorepo](https://github.com/nextauthjs/next-auth/tree/main/apps/examples/sveltekit). Pull Requests should be opened against [`nextauthjs/next-auth`](https://github.com/nextauthjs/next-auth).
+> The example repository is maintained from a [monorepo](https://github.com/nextauthjs/next-auth/tree/main/apps/example-sveltekit). Pull Requests should be opened against [`nextauthjs/next-auth`](https://github.com/nextauthjs/next-auth).
 
 <p align="center">
    <br/>
-   <a href="https://authjs.dev" target="_blank">
-   <img height="64" src="https://authjs.dev/img/logo/logo-sm.png" />
-   </a>
-   <a href="https://kit.svelte.dev" target="_blank">
-   <img height="64" src="https://upload.wikimedia.org/wikipedia/commons/1/1b/Svelte_Logo.svg" />
-   </a>
-   <h3 align="center"><b>SvelteKit Auth</b> - Example App</h3>
+   <a href="https://authjs.dev" target="_blank"><img width="150px" src="https://authjs.dev/img/logo/logo-sm.png" /></a>
+   <h3 align="center">Auth.js Example App with <a href="https://kit.svelte.dev">SvelteKit</a></h3>
    <p align="center">
    Open Source. Full Stack. Own Your Data.
    </p>
@@ -16,24 +11,18 @@
       <a href="https://npm.im/@auth/sveltekit">
         <img alt="npm" src="https://img.shields.io/npm/v/@auth/sveltekit?color=green&label=@auth/sveltekit&style=flat-square">
       </a>
-      <a href="https://bundlephobia.com/result?p=@auth/sveltekit">
+      <a href="https://bundlephobia.com/result?p=sveltekit-auth-example">
         <img src="https://img.shields.io/bundlephobia/minzip/@auth/sveltekit?label=size&style=flat-square" alt="Bundle Size"/>
       </a>
       <a href="https://www.npmtrends.com/@auth/sveltekit">
-        <img src="https://img.shields.io/npm/dm/@auth/sveltekit?label=downloads&style=flat-square" alt="Downloads" />
+        <img src="https://img.shields.io/npm/dm/@auth/sveltekit?label=%20downloads&style=flat-square" alt="Downloads" />
       </a>
-      <a href="https://npm.im/@auth/sveltekit">
+      <a href="https://npm.im/next-auth">
         <img src="https://img.shields.io/badge/TypeScript-blue?style=flat-square" alt="TypeScript" />
       </a>
    </p>
 </p>
 
-## Overview
+# Documentation
 
-This is the official SvelteKit Auth example for [Auth.js](https://sveltekit.authjs.dev).
-
-## Getting started
-
-You can instantly deploy this example to [Vercel](https://vercel.com?utm_source=github&utm_medium=readme&utm_campaign=sveltekit-auth-example) by clicking the following button.
-
-[![Deploy with Vercel](https://vercel.com/button)](https://vercel.com/new/git/external?repository-url=https://github.com/nextauthjs/sveltekit-auth-example&project-name=sveltekit-auth-example&repository-name=sveltekit-auth-example)
+- [sveltekit.authjs.dev](https://sveltekit.authjs.dev)

apps/examples/sveltekit/src/routes/+layout.svelte

@@ -20,10 +20,10 @@
                 $page.data.session.user?.name}</strong
             >
           </span>
-          <a href="/auth/signout" class="button" data-sveltekit-preload-data="off">Sign out</a>
+          <a href="/auth/signout" class="button">Sign out</a>
         {:else}
           <span class="notSignedInText">You are not signed in</span>
-          <a href="/auth/signin" class="buttonPrimary" data-sveltekit-preload-data="off">Sign in</a>
+          <a href="/auth/signin" class="buttonPrimary">Sign in</a>
         {/if}
       </p>
     </div>

apps/playgrounds/gatsby/README.md

@@ -22,7 +22,7 @@
 
 ## Overview
 
-Auth.js is a complete open-source authentication solution.
+Auth.js is a complete open source authentication solution.
 
 This is an example application that shows how `@auth/core` is applied to a basic Gatsby app. We are showing how to configure the backend both as a [Vercel Function](https://vercel.com/docs/concepts/functions/introduction) for deployment to Vercel, and also for [Gatsby Functions](https://www.gatsbyjs.com/docs/reference/functions) for other platforms.
 
@@ -30,7 +30,7 @@ The deployed version can be found at [`next-auth-gatsby-example.vercel.app`](htt
 
 ### About Auth.js
 
-Auth.js is an easy-to-implement, full-stack (client/server) open-source authentication library originally designed for [Next.js](https://nextjs.org) and [Serverless](https://vercel.com), but this example shows how to use it in a Gatsby project. Our goal is to [support even more frameworks](https://github.com/nextauthjs/next-auth/issues/2294) in the future.
+Auth.js is an easy to implement, full-stack (client/server) open source authentication library originally designed for [Next.js](https://nextjs.org) and [Serverless](https://vercel.com), but this example shows how to use it in a Gatsby project. Our goal is to [support even more frameworks](https://github.com/nextauthjs/next-auth/issues/2294) in the future.
 
 Go to [authjs.dev](https://authjs.dev) for more information and documentation.
 

apps/playgrounds/gatsby/package.json

@@ -12,7 +12,7 @@
   "dependencies": {
     "dotenv": "^16.0.0",
     "gatsby": "next",
-    "next-auth": "workspace:*",
+    "next-auth": "latest",
     "react": "^18",
     "react-dom": "^18"
   },

docs/docs/getting-started/02-oauth-tutorial.mdx

@@ -70,7 +70,7 @@ Auth.js is extremely customizable, [our guides section](/guides/overview) will t
 
 To be able to use `useSession` first you'll need to expose the session context, [`<SessionProvider />`](/reference/react/#sessionprovider), at the top level of your application:
 
-```ts title="pages/_app.tsx"
+```ts title="pages/_app.ts"
 import { SessionProvider } from "next-auth/react"
 
 export default function App({
@@ -186,14 +186,14 @@ http://localhost:3000/api/auth/callback/github
 Auth.js will already magically create this API endpoint for you when we start the application later. Note that because we're using Next.js, locally it starts our server on the port `3000`, hence the origin is `http://localhost:3000`.
 :::
 
-Next you'll be presented with the following screen which presents all the configuration for your new OAuth app. For now, we need two things from it: the **Client ID** and **Client Secret** for our new OAuth app:
+Next you'll be presented with the following screen which presents all the configuration for your new OAuth app. For now, let's we need two things from it: the **Client ID** and **Client Secret** for our new OAuth app:
 
 <img src={gettingClientIdSecretImg} />
 
 The Client ID is always there, a public identifier of your OAuth application within Github. Click on the **Generate a new client Secret** button and should be presented with a new string (which is just a randomized string).
 
 :::warning
-🔥 Keep both your Client ID and Client Secret secure and never expose them to the public or shared with people outside your organization. With them, a malicious actor could hijack your application and cause you and your user serious problems!
+🔥 Keep both your Client ID and Client Secret secure and never expose them to the public or shared with people outside your organization. With tem a malicious actor could hijack your application and cause you and your user serious problems!
 :::
 
 Now let's copy both the Client ID and Client Secret and paste them in an environment file in the root of your project like so:

docs/docs/getting-started/03-email-tutorial.mdx

@@ -37,7 +37,7 @@ npm install -D nodemailer
 Next we need a [SMTP service](https://sendgrid.com/blog/what-is-an-smtp-server/) which will be in charge of sending emails from our application. There's a number of services available for this, however [here are the ones](http://nodemailer.com/smtp/well-known/) known to work with `nodemailer`.
 
 :::info
-For this tutorial, we're going to be using [Sendgrid](https://sendgrid.com/), but any of the services linked above should work the same
+For this tutorial, we're gonna be using [Sendgrid](https://sendgrid.com/), but any of the services linked above should work the same
 :::
 
 First create an account in and then login to the dashboard, then navigate to "Settings → API Keys" and create an API key:
@@ -60,7 +60,7 @@ SMTP_PORT=587
 EMAIL_FROM={SENDER_EMAIL}
 ```
 
-Note that we're also specifying from which domain email are going to be sent from. You're going to need to verify [a sender identity](https://docs.sendgrid.com/for-developers/sending-email/sender-identity) so that Sendgrid can send emails from your domain.
+Note that we're also specifying from which domain email are going to be sent from. You're gonna need to verify [a sender identity](https://docs.sendgrid.com/for-developers/sending-email/sender-identity) so that Sendgrid can send emails from your domain.
 
 Nice! We're getting there. Now we need to read supply this values as the configuration for our Email Provider. Open `pages/api/auth/[...nextauth].ts` and do the following:
 
@@ -170,7 +170,7 @@ Now that everything is properly configured, let's try to sign in via email on ou
 
 Let's start by running a Next.js application with NextAuth, making sure the **EmailProvider** and a Database Adapter are properly configured as per the instructions above.
 
-For this tutorial we're going to be using NextAuth example app. Launch the app and click on "Sign in", we're redirected to the Sign In page:
+For this tutorial we're gonna be using NextAuth example app. Launch the app and click on "Sign in", we're redirected to the Sign In page:
 
 <img src={startPageImg} alt="Screenshot of sign in page" />
 

docs/docs/getting-started/05-typescript.md

@@ -5,7 +5,7 @@ title: TypeScript
 Auth.js has its own type definitions to use in your TypeScript projects safely. Even if you don't use TypeScript, IDEs like VSCode will pick this up to provide you with a better developer experience. While you are typing, you will get suggestions about what certain objects/functions look like, and sometimes links to documentation, examples, and other valuable resources.
 
 Check out the example repository showcasing how to use `next-auth` on a Next.js application with TypeScript:  
-https://github.com/nextauthjs/next-auth-example
+https://github.com/nextauthjs/next-auth-typescript-example
 
 ---
 

docs/docs/guides/03-basics/pages.md

@@ -60,7 +60,7 @@ Example: `/auth/signin?error=Default`
 
 By default, the built-in pages will follow the system theme, utilizing the [`prefer-color-scheme`](https://developer.mozilla.org/en-US/docs/Web/CSS/@media/prefers-color-scheme) Media Query. You can override this to always use a dark or light theme, through the [`theme.colorScheme` option](/reference/configuration/auth-config#theme).
 
-In addition, you can define the background color and text color of the button with the `theme.brandColor` and `theme.buttonText` options. You can also define a URL to a logo in `theme.logo` which will be rendered at the top of the card.
+In addition, you can define a `theme.brandColor` to define a custom accent color for these built-in pages. You can also define a URL to a logo in `theme.logo` which will be rendered above the primary card in these pages.
 
 #### Sign In
 

docs/docs/guides/03-basics/refresh-token-rotation.md

@@ -2,203 +2,119 @@
 title: Refresh token rotation
 ---
 
-Refresh token rotation is the practice of updating an `access_token` on behalf of the user, without requiring interaction (eg.: re-sign in). `access_token`s are usually issued for a limited time. After they expire, the service verifying them will ignore the value. Instead of asking the user to sign in again to obtain a new `access_token`, certain providers support exchanging a `refresh_token` for a new `access_token`, renewing the expiry time. Let's see how this can be achieved.
+While Auth.js doesn't automatically handle access token rotation for [OAuth providers](/reference/providers/oauth-builtin) yet, this functionality can be implemented using [callbacks](/guides/basics/callbacks).
 
-:::note
-Our goal is to add zero-config support for built-in providers eventually. Let us know if you would like to help.
-:::
+## Source Code
+
+A working example can be accessed [here](https://github.com/nextauthjs/next-auth-refresh-token-example).
 
 ## Implementation
 
-First, make sure that the provider you want to use supports `refresh_token`'s. Check out [The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-6) spec for more details.
-
 ### Server Side
 
-Depending on the session strategy, `refresh_token` can be persisted either in a database, or in a cookie, in an encrypted JWT.
-
-:::info
-Using a JWT to store the `refresh_token` is less secure than saving it in a database, and you need to evaluate based on your requirements which strategy you choose.
-:::
-
-#### JWT strategy
-
-Using the [jwt](../../reference/03-core/interfaces/types.CallbacksOptions.md#jwt) and [session](../../reference/03-core/interfaces/types.CallbacksOptions.md#session) callbacks, we can persist OAuth tokens and refresh them when they expire.
+Using a [JWT callback](https://authjs.dev/guides/basics/callbacks#jwt-callback) and a [session callback](https://authjs.dev/guides/basics/callbacks#session-callback), we can persist OAuth tokens and refresh them when they expire.
 
 Below is a sample implementation using Google's Identity Provider. Please note that the OAuth 2.0 request in the `refreshAccessToken()` function will vary between different providers, but the core logic should remain similar.
 
-```ts
-import { Auth } from "@auth/core"
-import { type TokenSet } from "@auth/core/types"
-import Google from "@auth/core/providers/google"
+```js title="pages/api/auth/[...nextauth].js"
+import NextAuth from "next-auth"
+import GoogleProvider from "next-auth/providers/google"
 
-export default Auth(new Request("https://example.com"), {
+const GOOGLE_AUTHORIZATION_URL =
+  "https://accounts.google.com/o/oauth2/v2/auth?" +
+  new URLSearchParams({
+    prompt: "consent",
+    access_type: "offline",
+    response_type: "code",
+  })
+
+/**
+ * Takes a token, and returns a new token with updated
+ * `accessToken` and `accessTokenExpires`. If an error occurs,
+ * returns the old token and an error property
+ */
+async function refreshAccessToken(token) {
+  try {
+    const url =
+      "https://oauth2.googleapis.com/token?" +
+      new URLSearchParams({
+        client_id: process.env.GOOGLE_CLIENT_ID,
+        client_secret: process.env.GOOGLE_CLIENT_SECRET,
+        grant_type: "refresh_token",
+        refresh_token: token.refreshToken,
+      })
+
+    const response = await fetch(url, {
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      method: "POST",
+    })
+
+    const refreshedTokens = await response.json()
+
+    if (!response.ok) {
+      throw refreshedTokens
+    }
+
+    return {
+      ...token,
+      accessToken: refreshedTokens.access_token,
+      accessTokenExpires: Date.now() + refreshedTokens.expires_at * 1000,
+      refreshToken: refreshedTokens.refresh_token ?? token.refreshToken, // Fall back to old refresh token
+    }
+  } catch (error) {
+    console.log(error)
+
+    return {
+      ...token,
+      error: "RefreshAccessTokenError",
+    }
+  }
+}
+
+export default NextAuth({
   providers: [
-    Google({
-      clientId: process.env.GOOGLE_ID,
-      clientSecret: process.env.GOOGLE_SECRET,
-      authorization: { params: { access_type: "offline", prompt: "consent" } },
+    GoogleProvider({
+      clientId: process.env.GOOGLE_CLIENT_ID,
+      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+      authorization: GOOGLE_AUTHORIZATION_URL,
     }),
   ],
   callbacks: {
-    async jwt({ token, account }) {
-      if (account) {
-        // Save the access token and refresh token in the JWT on the initial login
+    async jwt({ token, user, account }) {
+      // Initial sign in
+      if (account && user) {
         return {
-          access_token: account.access_token,
-          expires_at: Date.now() + account.expires_in * 1000,
-          refresh_token: account.refresh_token,
-        }
-      } else if (Date.now() < token.expires_at) {
-        // If the access token has not expired yet, return it
-        return token
-      } else {
-        // If the access token has expired, try to refresh it
-        try {
-          // https://accounts.google.com/.well-known/openid-configuration
-          // We need the `token_endpoint`.
-          const response = await fetch("https://oauth2.googleapis.com/token", {
-            headers: { "Content-Type": "application/x-www-form-urlencoded" },
-            body: new URLSearchParams({
-              client_id: process.env.GOOGLE_ID,
-              client_secret: process.env.GOOGLE_SECRET,
-              grant_type: "refresh_token",
-              refresh_token: token.refresh_token,
-            }),
-            method: "POST",
-          })
-
-          const tokens: TokenSet = await response.json()
-
-          if (!response.ok) throw tokens
-
-          return {
-            ...token, // Keep the previous token properties
-            access_token: tokens.access_token,
-            expires_at: Date.now() + tokens.expires_in * 1000,
-            // Fall back to old refresh token, but note that
-            // many providers may only allow using a refresh token once.
-            refresh_token: tokens.refresh_token ?? token.refresh_token,
-          }
-        } catch (error) {
-          console.error("Error refreshing access token", error)
-          // The error property will be used client-side to handle the refresh token error
-          return { ...token, error: "RefreshAccessTokenError" as const }
+          accessToken: account.access_token,
+          accessTokenExpires: Date.now() + account.expires_at * 1000,
+          refreshToken: account.refresh_token,
+          user,
         }
       }
+
+      // Return previous token if the access token has not expired yet
+      if (Date.now() < token.accessTokenExpires) {
+        return token
+      }
+
+      // Access token has expired, try to update it
+      return refreshAccessToken(token)
     },
     async session({ session, token }) {
+      session.user = token.user
+      session.accessToken = token.accessToken
       session.error = token.error
+
       return session
     },
   },
 })
-
-declare module "@auth/core/types" {
-  interface Session {
-    error?: "RefreshAccessTokenError"
-  }
-}
-
-declare module "@auth/core/jwt" {
-  interface JWT {
-    access_token: string
-    expires_at: number
-    refresh_token: string
-    error?: "RefreshAccessTokenError"
-  }
-}
-```
-
-#### Database strategy
-
-Using the database strategy is very similar, but instead of preserving the `access_token` and `refresh_token`, we save it, well, in the database.
-
-```ts
-import { Auth } from "@auth/core"
-import { type TokenSet } from "@auth/core/types"
-import Google from "@auth/core/providers/google"
-import { PrismaAdapter } from "@next-auth/prisma-adapter"
-import { PrismaClient } from "@prisma/client"
-
-const prisma = new PrismaClient()
-
-export default Auth(new Request("https://example.com"), {
-  adapter: PrismaAdapter(prisma),
-  providers: [
-    Google({
-      clientId: process.env.GOOGLE_ID,
-      clientSecret: process.env.GOOGLE_SECRET,
-      authorization: { params: { access_type: "offline", prompt: "consent" } },
-    }),
-  ],
-  callbacks: {
-    async session({ session, user }) {
-      const [google] = await prisma.account.findMany({
-        where: { userId: user.id, provider: "google" },
-      })
-      if (google.expires_at < Date.now()) {
-        // If the access token has expired, try to refresh it
-        try {
-          // https://accounts.google.com/.well-known/openid-configuration
-          // We need the `token_endpoint`.
-          const response = await fetch("https://oauth2.googleapis.com/token", {
-            headers: { "Content-Type": "application/x-www-form-urlencoded" },
-            body: new URLSearchParams({
-              client_id: process.env.GOOGLE_ID,
-              client_secret: process.env.GOOGLE_SECRET,
-              grant_type: "refresh_token",
-              refresh_token: google.refresh_token,
-            }),
-            method: "POST",
-          })
-
-          const tokens: TokenSet = await response.json()
-
-          if (!response.ok) throw tokens
-
-          await prisma.account.update({
-            data: {
-              access_token: tokens.access_token,
-              expires_at: Date.now() + tokens.expires_in * 1000,
-              refresh_token: tokens.refresh_token ?? google.refresh_token,
-            },
-            where: {
-              provider_providerAccountId: {
-                provider: "google",
-                providerAccountId: google.providerAccountId,
-              },
-            },
-          })
-        } catch (error) {
-          console.error("Error refreshing access token", error)
-          // The error property will be used client-side to handle the refresh token error
-          session.error = "RefreshAccessTokenError"
-        }
-      }
-      return session
-    },
-  },
-})
-
-declare module "@auth/core/types" {
-  interface Session {
-    error?: "RefreshAccessTokenError"
-  }
-}
-
-declare module "@auth/core/jwt" {
-  interface JWT {
-    access_token: string
-    expires_at: number
-    refresh_token: string
-    error?: "RefreshAccessTokenError"
-  }
-}
 ```
 
 ### Client Side
 
-The `RefreshAccessTokenError` error that is caught in the `refreshAccessToken()` method is passed to the client. This means that you can direct the user to the sign-in flow if we cannot refresh their token.
+The `RefreshAccessTokenError` error that is caught in the `refreshAccessToken()` method is passed all the way to the client. This means that you can direct the user to the sign in flow if we cannot refresh their token.
 
 We can handle this functionality as a side effect:
 
@@ -218,8 +134,3 @@ const HomePage() {
 return (...)
 }
 ```
-
-## Source Code
-
-A working example can be accessed [here](https://github.com/nextauthjs/next-auth-refresh-token-example).
-

docs/docs/guides/03-basics/role-based-authentication.md

@@ -1,153 +0,0 @@
----
-title: Role-based authentication
----
-
-There are two ways to add role-based authentication (RBAC) to your application, based on the [session strategy](/concepts/session-strategies) you choose. Let's see an example for each of these.
-
-## Getting the role
-
-We are going to start by adding a `profile()` callback to the providers' config to determine the user role:
-
-```ts title="/pages/api/auth/[...nextauth].ts"
-import NextAuth from "next-auth"
-import Google from "next-auth/providers/google"
-
-export default NextAuth({
-  providers: [
-    Google({
-      profile(profile) {
-        return { role: profile.role ?? "user", ... }
-      },
-      ...
-    })  
-  ],
-})
-```
-
-:::tip
-To determine the user's role, you can either add your logic or if your provider assigns roles already, use that instead.
-:::
-
-## Persisting the role
-### With JWT
-
-When you don't have a database configured, the role will be persisted in a cookie, by using the `jwt()` callback. On sign-in, the `role` property is exposed from the `profile` callback on the `user` object. Persist the `user.role` value by assigning it to `token.role`. That's it!
-
-If you also want to use the role on the client, you can expose it via the `session` callback.
-
-```ts title="/pages/api/auth/[...nextauth].ts"
-import NextAuth from "next-auth"
-import Google from "next-auth/providers/google"
-
-export default NextAuth({
-  providers: [
-    Google({
-      profile(profile) {
-        return { role: profile.role ?? "user", ... }
-      },
-      ...
-    })  
-  ],
-  // highlight-start
-  callbacks: {
-    jwt({ token, user }) {
-      if(user) token.role = user.role
-      return token
-    },
-    session({ session, token }) {
-      session.user.role = token.role
-      return session
-    }
-  }
-  // highlight-end
-})
-```
-
-:::info
-With this strategy, if you want to update the role, the user needs to be forced to sign in again.
-:::
-
-### With Database
-
-When you have a database, you can save the user role on the [User model](/reference/adapters/models#user). The below example is showing you how to do this with Prisma, but the idea is the same for all adapters.
-
-First, add a `role` column to the User model.
-
-```ts title="/prisma/schema.prisma"
-model User {
-  id            String    @id @default(cuid())
-  name          String?
-  email         String?   @unique
-  emailVerified DateTime?
-  image         String?
-  role          String?  // New column
-  accounts      Account[]
-  sessions      Session[]
-}
-```
-
-The `profile()` callback's return value is used to create users in the database. That's it! Your newly created users will now have an assigned role.
-
-If you also want to use the role on the client, you can expose it via the `session` callback.
-
-```ts title="/pages/api/auth/[...nextauth].ts"
-import NextAuth from "next-auth"
-import Google from "next-auth/providers/google"
-  // highlight-next-line
-import prisma from "lib/prisma"
-
-export default NextAuth({
-  // highlight-next-line
-  adapter: PrismaAdapter(prisma),
-  providers: [
-    Google({
-      profile(profile) {
-        return { role: profile.role ?? "user", ... }
-      }
-      ...
-    })  
-  ],
-  // highlight-start
-  callbacks: {
-    session({ session, user }) {
-      session.user.role = user.role
-      return session
-    }
-  }
-  // highlight-end
-})
-```
-
-:::info
-It is up to you how you want to manage to update the roles, either through direct database access or building your role update API.
-:::
-
-## Using the role
-
-If you want to use the role in the client, for both cases above, when using the `useSession` hook, `session.user.role` will have the required role if you exposed it via the `session` callback. You can use this to render a different UI for different users.
-
-```ts title="/pages/admin.tsx"
-import { useSession } from "next-auth/react"
-
-export default function Page() {
-  const session = await useSession()
-
-  if (session?.user.role === "admin") {
-    return <p>You are an admin, welcome!</p>
-  }
-
-  return <p>You are not authorized to view this page!</p>
-}
-```
-
-:::tip
-When using Next.js and JWT, you can alternatively also use [Middleware](https://next-auth.js.org/configuration/nextjs#wrap-middleware) to redirect the user based on their role, even before rendering the page.
-:::
-
-## Resources
-
-- [Concepts: Session strategies](/concepts/session-strategies)
-- [Next.js: Middleware](https://next-auth.js.org/configuration/nextjs#wrap-middleware)
-- [Adapters: User model](/reference/adapters/models#user)
-- [Adapters: Prisma adapter](/reference/adapters/prisma)
-- [TypeScript](/getting-started/typescript)

docs/docs/guides/03-basics/role-based-login-strategy.md

@@ -0,0 +1,64 @@
+---
+title: Role based logins
+---
+
+To add role based authentication to your application, you must do three things.
+
+1. Update your database schema
+2. Add the `role` to the session object
+3. Check for `role` in your pages/components
+
+First modify the `user` table and add a `role` column with the type of `String?`.
+
+Below is an example Prisma schema file.
+
+```javascript title="/prisma/schema.prisma"
+model User {
+  id            String    @id @default(cuid())
+  name          String?
+  email         String?   @unique
+  emailVerified DateTime?
+  image         String?
+  role          String?  // New Column
+  accounts      Account[]
+  sessions      Session[]
+}
+
+```
+
+Next, implement a custom session callback in the `[...nextauth].js` file, as shown below.
+
+```javascript title="/pages/api/auth/[...nextauth].js"
+callbacks: {
+  async session({ session, token, user }) {
+    session.user.role = user.role; // Add role value to user object so it is passed along with session
+    return session;
+},
+```
+
+Going forward, when using the `getSession` hook, check that `session.user.role` matches the required role. The example below assumes the role `'admin'` is required.
+
+```javascript title="/pages/admin.js"
+import { getSession } from "next-auth/react"
+
+export default function Page() {
+  const session = await getSession({ req })
+
+  if (session && session.user.role === "admin") {
+    return (
+      <div>
+        <h1>Admin</h1>
+        <p>Welcome to the Admin Portal!</p>
+      </div>
+    )
+  } else {
+    return (
+      <div>
+        <h1>You are not authorized to view this page!</h1>
+      </div>
+    )
+  }
+}
+```
+
+Then it is up to you how you manage your roles, either through direct database access or building your own role update API.

docs/docs/reference/04-providers/02-oauth-builtin.mdx

@@ -1,14 +1,14 @@
 ---
 title: Available OAuth providers
-sidebar_label: OAuth providers
+sidebar_label: Oauth providers
 ---
 
-Authentication Providers in **Auth.js** are services that can be used to sign a user in.
+Authentication Providers in **Auth.js** are services that can be used to sign in a user.
 
 Auth.js comes with a set of built-in providers. You can find them [here](https://github.com/nextauthjs/next-auth/tree/main/packages/core/src/providers). Each built-in provider has its own documentation page:
 
 :::note
-Auth.js supports any **2.x** and **OpenID Connect (OIDC)** compliant providers and has built-in support for the most popular services.
+Auth.js is designed to work with any OAuth service, it supports **OAuth 1.0**, **1.0A**, **2.0** and **OpenID Connect (OIDC)** and has built-in support for most popular sign-in services.
 :::
 
 <ul>

docs/docs/reference/04-providers/04-email.md

@@ -16,4 +16,4 @@ sidebar_label: Email options
 See our guides on magic links authentication for further tips on how to customize this provider:
 
 - [Tutorial](/getting-started/email-tutorial)
-- [Guide deep-dive](/guides/providers/email)
+- [Guide deep-dive](guides/providers/email)

docs/docs/reference/04-solidstart/protected.md

@@ -70,7 +70,7 @@ export default Page;
 
 ## When Using CSR
 
-When using CSR, the `Protected` component will not work as expected and will cause the screen to flash, so I had to come up with a tricky solution, we will use a Solid-Start middleware:
+When using CSR, the `Protected` component will not work as expected and will cause the screen to flash, so I had to come up with a tricky solution, we will use a Solid-Start middleare:
 
 ```tsx
 // entry-server.tsx
@@ -116,4 +116,4 @@ export default () => {
 };
 ```
 
-**Note: the CSR method should also work when using SSR, the SSR method shouldn't work when using CSR**
+**Note: the CSR method should also work when using SSR, the SSR method shouldn't work when using CSR**

docs/docs/reference/05-oauth-providers/battlenet.md

@@ -15,7 +15,7 @@ https://develop.battle.net/access/clients
 
 The **Battle.net Provider** comes with a set of default options:
 
-- [Battle.net Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/battlenet.ts)
+- [Battle.net Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/battlenet.js)
 
 You can override any of the options to suit your own use case.
 

docs/docs/reference/05-oauth-providers/github.md

@@ -19,7 +19,7 @@ https://github.com/settings/apps
 
 The **GitHub Provider** comes with a set of default options:
 
-- [GitHub Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/github.ts)
+- [GitHub Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/github.js)
 
 You can override any of the options to suit your own use case.
 

docs/docs/reference/05-oauth-providers/gitlab.md

@@ -15,7 +15,7 @@ https://gitlab.com/-/profile/applications
 
 The **Gitlab Provider** comes with a set of default options:
 
-- [Gitlab Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/gitlab.ts)
+- [Gitlab Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/gitlab.js)
 
 You can override any of the options to suit your own use case.
 

docs/docs/reference/05-oauth-providers/kakao.md

@@ -15,7 +15,7 @@ https://developers.kakao.com/docs/latest/en/kakaologin/common
 
 The **Kakao Provider** comes with a set of default options:
 
-- [Kakao Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/kakao.ts)
+- [Kakao Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/kakao.js)
 
 You can override any of the options to suit your own use case.
 

docs/docs/reference/05-oauth-providers/mattermost.md

@@ -1,36 +0,0 @@
----
-id: mattermost
-title: Mattermost
----
-
-## Documentation
-
-https://developers.mattermost.com/integrate/apps/authentication/oauth2
-
-## Configuration
-
-http://my-cool-server.cloud.mattermost.com/mycoolteam/integrations/oauth2-apps
-
-## Options
-
-The **Mattermost provider** comes with a set of default options:
-
-- [Mattermost Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/mattermost.ts)
-
-You can override any of the options to suit your own use case.
-
-## Example
-
-```ts
-import Mattermost from "@auth/core/providers/mattermost";
-...
-providers: [
-  Mattermost({
-    // The base url of your Mattermost instance. e.g https://my-cool-server.cloud.mattermost.com
-    clientId: env.MATTERMOST_ID,
-    clientSecret: env.MATTERMOST_SECRET,
-    issuer: env.MATTERMOST_ISSUER,
-  })
-]
-...
-```

docs/docs/reference/05-oauth-providers/salesforce.md

@@ -11,7 +11,7 @@ https://help.salesforce.com/articleView?id=remoteaccess_authenticate.htm&type=5
 
 The **Salesforce Provider** comes with a set of default options:
 
-- [Salesforce Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/salesforce.ts)
+- [Salesforce Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/salesforce.js)
 
 You can override any of the options to suit your own use case.
 

docs/docs/reference/05-oauth-providers/strava.md

@@ -11,7 +11,7 @@ http://developers.strava.com/docs/reference/
 
 The **Strava Provider** comes with a set of default options:
 
-- [Strava Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/strava.ts)
+- [Strava Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/strava.js)
 
 You can override any of the options to suit your own use case.
 

docs/docs/reference/05-oauth-providers/vk.md

@@ -15,7 +15,7 @@ https://vk.com/apps?act=manage
 
 The **VK Provider** comes with a set of default options:
 
-- [VK Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/vk.ts)
+- [VK Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/vk.js)
 
 You can override any of the options to suit your own use case.
 

docs/docs/reference/06-adapters/xata.md

@@ -32,6 +32,7 @@ Now that we're ready, let's create a new Xata project using our next-auth schema
 
 ```json title="schema.json"
 {
+  "formatVersion": "",
   "tables": [
     {
       "name": "nextauth_users",

docs/docs/reference/09-warnings.md

@@ -3,13 +3,57 @@ id: warnings
 title: Warnings
 ---
 
-A list of warnings from Auth.js that need your attention.
+This is a list of warning output from Auth.js.
 
+All warnings indicate things which you should take a look at, but do not inhibit normal operation.
 
-## Debug enabled
+---
 
-The `debug` option was evaluated to `true`. It adds extra logs in the terminal which is useful in development, but since it can print sensitive information about users, make sure to set this to `false` in production. In Node.js environments, you can for example set `debug: process.env.NODE_ENV !== "production"`. Consult with your runtime/framework on how to set this value correctly.
+## Client
 
-## CSRF disabled
+#### NEXTAUTH_URL
 
-You were trying to get a CSRF response from Auth.js (eg.: by calling a `/csrf` endpoint), but in this setup, CSRF protection via Auth.js was turned off. This is likely if you are not directly using `@auth/core` but a framework library (like `@auth/sveltekit`) that already has CSRF protection built-in. You likely won't need the CSRF response.
+Environment variable `NEXTAUTH_URL` missing. Please set it in your `.env` file.
+
+:::note
+On [Vercel](https://vercel.com) deployments, we will read the `VERCEL_URL` environment variable, so you won't need to define `NEXTAUTH_URL`.
+:::
+
+---
+
+## Server
+
+These warnings are displayed on the terminal.
+
+#### NO_SECRET
+
+In development, we generate a `secret` based on your configuration for convenience. This is volatile and will throw an error in production. [Read more](https://authjs.dev/reference/configuration/auth-config/#secret)
+
+#### TWITTER_OAUTH_2_BETA
+
+Twitter OAuth 2.0 is currently in beta as certain changes might still be necessary. This is not covered by semver. See the docs https://authjs.dev/reference/providers/twitter#oauth-2
+
+#### EXPERIMENTAL_API
+
+Some APIs are still experimental; they may be changed or removed in the future. Use at your own risk.
+
+## Adapter
+
+### ADAPTER_TYPEORM_UPDATING_ENTITIES
+
+This warning occurs when typeorm finds that the provided entities differ from the database entities. By default while not in `production` the typeorm adapter will always synchronize changes made to the entities codefiles.
+
+Disable this warning by setting `synchronize: false` in your typeorm config
+
+Example:
+
+```js title="/pages/api/auth/[...nextauth].js"
+adapter: TypeORMLegacyAdapter({
+  type: 'mysql',
+  username: process.env.DATABASE_USERNAME,
+  password: process.env.DATABASE_PASSWORD,
+  host: process.env.DATABASE_HOST,
+  database: process.env.DATABASE_DB,
+  synchronize: false
+}),
+```

docs/snippets/oauth-docs.md

@@ -2,9 +2,11 @@ Add $1 login to your page.
 
 ## Example
 
-```ts
-import { Auth } from "@auth/core"
-import $1 from "@auth/core/providers/$2"
+@example
+
+```js
+import Auth from "@auth/core"
+import { $1 } from "@auth/core/providers/$2"
 
 const request = new Request("https://example.com")
 const resposne = await AuthHandler(request, {
@@ -16,7 +18,7 @@ const resposne = await AuthHandler(request, {
 
 ## Resources
 
-- [Link 1](https://example.com)
+@see [Link 1](https://example.com)
 
 ---
 

docs/src/components/ProviderMarquee.js

@@ -4,16 +4,17 @@ import Marquee, { Motion, randomIntFromInterval } from "react-marquee-slider"
 import styles from "./ProviderMarqueeStyle.module.css"
 
 const icons = [
-  "/img/providers/apple.svg",
+  "/img/providers/apple-black.svg",
   "/img/providers/auth0.svg",
-  "/img/providers/cognito.svg",
-  "/img/providers/battlenet.svg",
+  "/img/providers/aws-cognito.svg",
+  "/img/providers/battle.net.svg",
   "/img/providers/box.svg",
-  "/img/providers/facebook.svg",
-  "/img/providers/github.svg",
+  "/img/providers/facebook-2.svg",
+  "/img/providers/github-1.svg",
   "/img/providers/gitlab.svg",
-  "/img/providers/google.svg",
-  "/img/providers/okta.svg",
+  "/img/providers/google-icon.svg",
+  "/img/providers/okta-3.svg",
+  "/img/providers/openid.svg",
   "/img/providers/slack.svg",
   "/img/providers/spotify.svg",
   "/img/providers/twitter.svg",

docs/static/img/providers/apple-black.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="2036" height="2500" viewBox="0 0 456.008 560.035" fill="#3c5a9a"><path d="M380.844 297.529c.787 84.752 74.349 112.955 75.164 113.314-.622 1.988-11.754 40.191-38.756 79.652-23.343 34.117-47.568 68.107-85.731 68.811-37.499.691-49.557-22.236-92.429-22.236-42.859 0-56.256 21.533-91.753 22.928-36.837 1.395-64.889-36.891-88.424-70.883-48.093-69.53-84.846-196.475-35.496-282.165 24.516-42.554 68.328-69.501 115.882-70.192 36.173-.69 70.315 24.336 92.429 24.336 22.1 0 63.59-30.096 107.208-25.676 18.26.76 69.517 7.376 102.429 55.552-2.652 1.644-61.159 35.704-60.523 106.559M310.369 89.418C329.926 65.745 343.089 32.79 339.498 0 311.308 1.133 277.22 18.785 257 42.445c-18.121 20.952-33.991 54.487-29.709 86.628 31.421 2.431 63.52-15.967 83.078-39.655"/></svg>

docs/static/img/providers/asgardeo-dark.svg

@@ -1,7 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" viewBox="0 0 99.881 86.449">
-  <g id="asgardeo-trifactor-logo-dark-16x40" transform="translate(-553.024 -388.98)">
-    <path id="Path_264" data-name="Path 264" d="M743.533,388.98l9.161,15.892-10.153,17.6h20.306l9.209,15.892H714.97Z" transform="translate(-119.151 0)" fill="#ff7300"/>
-    <path id="Path_265" data-name="Path 265" d="M705.95,438.364l9.209-15.892h20.306l-10.153-17.6,9.162-15.892,28.6,49.393Z" transform="translate(-152.926 0.009)" fill="#ff7300"/>
-    <path id="Path_266" data-name="Path 266" d="M749.175,446.183l-10.153-17.6-10.2,17.6H710.46l28.6-49.393,28.515,49.393Z" transform="translate(-136.043 29.246)"/>
-  </g>
-</svg>

docs/static/img/providers/asgardeo.svg

@@ -1,7 +0,0 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" viewBox="0 0 99.881 86.449">
-  <g id="asgardeo-trifactor-logo-light-16x40" transform="translate(-553.024 -388.98)">
-    <path id="Path_264" data-name="Path 264" d="M743.533,388.98l9.161,15.892-10.153,17.6h20.306l9.209,15.892H714.97Z" transform="translate(-119.151)" fill="#ff7300"/>
-    <path id="Path_265" data-name="Path 265" d="M705.95,438.364l9.209-15.892h20.306l-10.153-17.6,9.162-15.892,28.6,49.393Z" transform="translate(-152.926 0.009)" fill="#ff7300"/>
-    <path id="Path_266" data-name="Path 266" d="M749.175,446.183l-10.153-17.6-10.2,17.6H710.46l28.6-49.393,28.515,49.393Z" transform="translate(-136.043 29.246)" fill="#fff"/>
-  </g>
-</svg>

docs/static/img/providers/auth0.svg

@@ -1,3 +1 @@
-<svg width="32" height="32" viewBox="0 0 256 287" xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMinYMin meet">
-  <path d="M203.24 231.531l-28.73-88.434 75.208-54.64h-92.966L128.019.025l-.009-.024h92.98l28.74 88.446.002-.002.024-.013c16.69 51.31-.5 109.67-46.516 143.098zm-150.45 0l-.023.017 75.228 54.655 75.245-54.67-75.221-54.656-75.228 54.654zM6.295 88.434c-17.57 54.088 2.825 111.4 46.481 143.108l.007-.028 28.735-88.429-75.192-54.63h92.944L128.004.024 128.01 0H35.025L6.294 88.434z" fill="#EB5424"/>
-</svg>
+<svg width="2230" height="2500" viewBox="0 0 256 287" xmlns="http://www.w3.org/2000/svg"><path d="M203.24 231.531l-28.73-88.434 75.208-54.64h-92.966L128.019.025l-.009-.024h92.98l28.74 88.446.002-.002.024-.013c16.69 51.31-.5 109.67-46.516 143.098zm-150.45 0l-.023.017 75.228 54.655 75.245-54.67-75.221-54.656-75.228 54.654zM6.295 88.434c-17.57 54.088 2.825 111.4 46.481 143.108l.007-.028 28.735-88.429-75.192-54.63h92.944L128.004.024 128.01 0H35.025L6.294 88.434z" fill="#EB5424"/></svg>

docs/static/img/providers/aws-cognito.svg

@@ -0,0 +1 @@
+<svg width="2140" height="2500" viewBox="0 0 256 299" xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMidYMid"><path d="M208.752 58.061l25.771-6.636.192.283.651 155.607-.843.846-5.31.227-20.159-3.138-.302-.794V58.061M59.705 218.971l.095.007 68.027 19.767.173.133.296.236-.096 59.232-.2.252-68.295-33.178v-46.449" fill="#7A3E65"/><path d="M208.752 204.456l-80.64 19.312-40.488-9.773-27.919 4.976L128 238.878l105.405-28.537 1.118-2.18-25.771-3.705" fill="#CFB2C1"/><path d="M196.295 79.626l-.657-.749-66.904-19.44-.734.283-.672-.343L22.052 89.734l-.575.703.845.463 24.075 3.53.851-.289 80.64-19.311 40.488 9.773 27.919-4.977" fill="#512843"/><path d="M47.248 240.537l-25.771 6.221-.045-.149-1.015-155.026 1.06-1.146 25.771 3.704v146.396" fill="#C17B9E"/><path d="M82.04 180.403l45.96 5.391.345-.515.187-71.887-.532-.589-45.96 5.392v62.208" fill="#7A3E65"/><path d="M173.96 180.403L128 185.794v-72.991l45.96 5.392v62.208M196.295 79.626L128 59.72V0l68.295 33.177v46.449" fill="#C17B9E"/><path d="M128 0L0 61.793v175.011l21.477 9.954V90.437L128 59.72V0" fill="#7A3E65"/><path d="M234.523 51.425v156.736L128 238.878v59.72l128-61.794V61.793l-21.477-10.368" fill="#C17B9E"/></svg>

docs/static/img/providers/battle.net.svg

@@ -0,0 +1 @@
+<svg fill="#000000" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50" width="50px" height="50px"><path d="M 43.113281 22.152344 C 43.113281 22.152344 47.058594 22.351563 47.058594 20.03125 C 47.058594 16.996094 41.804688 14.261719 41.804688 14.261719 C 41.804688 14.261719 42.628906 12.515625 43.140625 11.539063 C 43.65625 10.5625 45.101563 6.753906 45.230469 5.886719 C 45.394531 4.792969 45.144531 4.449219 45.144531 4.449219 C 44.789063 6.792969 40.972656 13.539063 40.671875 13.769531 C 36.949219 12.023438 31.835938 11.539063 31.835938 11.539063 C 31.835938 11.539063 26.832031 1 22.125 1 C 17.457031 1 17.480469 10.023438 17.480469 10.023438 C 17.480469 10.023438 16.160156 7.464844 14.507813 7.464844 C 12.085938 7.464844 11.292969 11.128906 11.292969 15.097656 C 6.511719 15.097656 2.492188 16.164063 2.132813 16.265625 C 1.773438 16.371094 0.644531 17.191406 1.15625 17.089844 C 2.203125 16.753906 7.113281 15.992188 11.410156 16.367188 C 11.648438 20.140625 13.851563 25.054688 13.851563 25.054688 C 13.851563 25.054688 9.128906 31.894531 9.128906 36.78125 C 9.128906 38.066406 9.6875 40.417969 13.078125 40.417969 C 15.917969 40.417969 19.105469 38.710938 19.707031 38.363281 C 19.183594 39.113281 18.796875 40.535156 18.796875 41.191406 C 18.796875 41.726563 19.113281 43.246094 21.304688 43.246094 C 24.117188 43.246094 27.257813 41.089844 27.257813 41.089844 C 27.257813 41.089844 30.222656 46.019531 32.761719 48.28125 C 33.445313 48.890625 34.097656 49 34.097656 49 C 34.097656 49 31.578125 46.574219 28.257813 40.324219 C 31.34375 38.417969 34.554688 33.921875 34.554688 33.921875 C 34.554688 33.921875 34.933594 33.933594 37.863281 33.933594 C 42.453125 33.933594 48.972656 32.96875 48.972656 29.320313 C 48.972656 25.554688 43.113281 22.152344 43.113281 22.152344 Z M 43.625 19.886719 C 43.625 21.21875 42.359375 21.199219 42.359375 21.199219 L 41.394531 21.265625 C 41.394531 21.265625 39.566406 20.304688 38.460938 19.855469 C 38.460938 19.855469 40.175781 17.207031 40.578125 16.46875 C 40.882813 16.644531 43.625 18.363281 43.625 19.886719 Z M 24.421875 6.308594 C 26.578125 6.308594 29.65625 11.402344 29.65625 11.402344 C 29.65625 11.402344 24.851563 10.972656 20.898438 13.296875 C 21.003906 9.628906 22.238281 6.308594 24.421875 6.308594 Z M 15.871094 10.4375 C 16.558594 10.4375 17.230469 11.269531 17.507813 11.976563 C 17.507813 12.445313 17.75 15.171875 17.75 15.171875 L 13.789063 15.023438 C 13.789063 11.449219 15.1875 10.4375 15.871094 10.4375 Z M 15.464844 35.246094 C 13.300781 35.246094 12.851563 34.039063 12.851563 32.953125 C 12.851563 30.496094 14.8125 27.058594 14.8125 27.058594 C 14.8125 27.058594 17.011719 31.683594 20.851563 33.636719 C 18.945313 34.753906 17.375 35.246094 15.464844 35.246094 Z M 22.492188 40.089844 C 20.972656 40.089844 20.789063 39.105469 20.789063 38.878906 C 20.789063 38.171875 21.339844 37.335938 21.339844 37.335938 C 21.339844 37.335938 23.890625 35.613281 24.054688 35.429688 L 25.9375 38.945313 C 25.9375 38.945313 24.007813 40.089844 22.492188 40.089844 Z M 27.226563 38.171875 C 26.300781 36.554688 25.621094 34.867188 25.621094 34.867188 C 25.621094 34.867188 29.414063 35.113281 31.453125 33.007813 C 30.183594 33.578125 28.15625 34.300781 25.800781 34.082031 C 30.726563 29.742188 33.601563 26.597656 36.03125 23.34375 C 35.824219 23.09375 34.710938 22.316406 34.4375 22.1875 C 32.972656 23.953125 27.265625 30.054688 21.984375 33.074219 C 15.292969 29.425781 13.890625 18.691406 13.746094 16.460938 L 17.402344 16.8125 C 17.402344 16.8125 16.027344 19.246094 16.027344 21.039063 C 16.027344 22.828125 16.242188 22.925781 16.242188 22.925781 C 16.242188 22.925781 16.195313 19.800781 18.125 17.390625 C 19.59375 25.210938 21.125 29.21875 22.320313 31.605469 C 22.925781 31.355469 24.058594 30.851563 24.058594 30.851563 C 24.058594 30.851563 20.683594 21.121094 20.871094 14.535156 C 22.402344 13.71875 24.667969 12.875 27.226563 12.875 C 33.957031 12.875 39.367188 15.773438 39.367188 15.773438 L 37.25 18.730469 C 37.25 18.730469 35.363281 15.3125 32.699219 14.703125 C 34.105469 15.753906 35.679688 17.136719 36.496094 19.128906 C 30.917969 16.949219 24.1875 15.796875 22.027344 15.542969 C 21.839844 16.339844 21.863281 17.480469 21.863281 17.480469 C 21.863281 17.480469 30.890625 19.144531 37.460938 22.90625 C 37.414063 31.125 28.460938 37.4375 27.226563 38.171875 Z M 35.777344 32.027344 C 35.777344 32.027344 38.578125 28.347656 38.535156 23.476563 C 38.535156 23.476563 43.0625 26.28125 43.0625 29.015625 C 43.0625 32.074219 35.777344 32.027344 35.777344 32.027344 Z"/></svg>

docs/static/img/providers/box.svg

@@ -1,6 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="32" height="32" viewBox="0 0 444.893 245.414">
-  <g fill="#0075C9">
-    <path d="M239.038 72.43c-33.081 0-61.806 18.6-76.322 45.904-14.516-27.305-43.24-45.902-76.32-45.902-19.443 0-37.385 6.424-51.821 17.266V16.925h-.008C34.365 7.547 26.713 0 17.286 0 7.858 0 .208 7.547.008 16.925H0v143.333h.036c.768 47.051 39.125 84.967 86.359 84.967 33.08 0 61.805-18.603 76.32-45.908 14.517 27.307 43.241 45.906 76.321 45.906 47.715 0 86.396-38.684 86.396-86.396.001-47.718-38.682-86.397-86.394-86.397zM86.395 210.648c-28.621 0-51.821-23.201-51.821-51.82 0-28.623 23.201-51.823 51.821-51.823 28.621 0 51.822 23.2 51.822 51.823 0 28.619-23.201 51.82-51.822 51.82zm152.643 0c-28.622 0-51.821-23.201-51.821-51.822 0-28.623 23.2-51.821 51.821-51.821 28.619 0 51.822 23.198 51.822 51.821-.001 28.621-23.203 51.822-51.822 51.822z"/>
-    <path d="M441.651 218.033l-44.246-59.143 44.246-59.144-.008-.007c5.473-7.62 3.887-18.249-3.652-23.913-7.537-5.658-18.187-4.221-23.98 3.157l-.004-.002-38.188 51.047-38.188-51.047-.006.009c-5.793-7.385-16.441-8.822-23.981-3.16-7.539 5.664-9.125 16.293-3.649 23.911l-.008.005 44.245 59.144-44.245 59.143.008.005c-5.477 7.62-3.89 18.247 3.649 23.909 7.54 5.664 18.188 4.225 23.981-3.155l.006.007 38.188-51.049 38.188 51.049.004-.002c5.794 7.377 16.443 8.814 23.98 3.154 7.539-5.662 9.125-16.291 3.652-23.91l.008-.008z"/>
-  </g>
-</svg>
+<svg xmlns="http://www.w3.org/2000/svg" width="2500" height="1379" viewBox="0 0 444.893 245.414"><g fill="#0075C9"><path d="M239.038 72.43c-33.081 0-61.806 18.6-76.322 45.904-14.516-27.305-43.24-45.902-76.32-45.902-19.443 0-37.385 6.424-51.821 17.266V16.925h-.008C34.365 7.547 26.713 0 17.286 0 7.858 0 .208 7.547.008 16.925H0v143.333h.036c.768 47.051 39.125 84.967 86.359 84.967 33.08 0 61.805-18.603 76.32-45.908 14.517 27.307 43.241 45.906 76.321 45.906 47.715 0 86.396-38.684 86.396-86.396.001-47.718-38.682-86.397-86.394-86.397zM86.395 210.648c-28.621 0-51.821-23.201-51.821-51.82 0-28.623 23.201-51.823 51.821-51.823 28.621 0 51.822 23.2 51.822 51.823 0 28.619-23.201 51.82-51.822 51.82zm152.643 0c-28.622 0-51.821-23.201-51.821-51.822 0-28.623 23.2-51.821 51.821-51.821 28.619 0 51.822 23.198 51.822 51.821-.001 28.621-23.203 51.822-51.822 51.822z"/><path d="M441.651 218.033l-44.246-59.143 44.246-59.144-.008-.007c5.473-7.62 3.887-18.249-3.652-23.913-7.537-5.658-18.187-4.221-23.98 3.157l-.004-.002-38.188 51.047-38.188-51.047-.006.009c-5.793-7.385-16.441-8.822-23.981-3.16-7.539 5.664-9.125 16.293-3.649 23.911l-.008.005 44.245 59.144-44.245 59.143.008.005c-5.477 7.62-3.89 18.247 3.649 23.909 7.54 5.664 18.188 4.225 23.981-3.155l.006.007 38.188-51.049 38.188 51.049.004-.002c5.794 7.377 16.443 8.814 23.98 3.154 7.539-5.662 9.125-16.291 3.652-23.91l.008-.008z"/></g></svg>

docs/static/img/providers/discord.svg

@@ -1,3 +1 @@
-<svg width="32" height="32" viewBox="0 0 256 293" xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMidYMid">
-  <path d="M226.011 0H29.99C13.459 0 0 13.458 0 30.135v197.778c0 16.677 13.458 30.135 29.989 30.135h165.888l-7.754-27.063 18.725 17.408 17.7 16.384L256 292.571V30.135C256 13.458 242.542 0 226.011 0zm-56.466 191.05s-5.266-6.291-9.655-11.85c19.164-5.413 26.478-17.408 26.478-17.408-5.998 3.95-11.703 6.73-16.823 8.63-7.314 3.073-14.336 5.12-21.211 6.291-14.044 2.633-26.917 1.902-37.888-.146-8.339-1.61-15.507-3.95-21.504-6.29-3.365-1.317-7.022-2.926-10.68-4.974-.438-.293-.877-.439-1.316-.732-.292-.146-.439-.292-.585-.438-2.633-1.463-4.096-2.487-4.096-2.487s7.022 11.703 25.6 17.261c-4.388 5.56-9.801 12.142-9.801 12.142-32.33-1.024-44.617-22.235-44.617-22.235 0-47.104 21.065-85.285 21.065-85.285 21.065-15.799 41.106-15.36 41.106-15.36l1.463 1.756C80.75 77.53 68.608 89.088 68.608 89.088s3.218-1.755 8.63-4.242c15.653-6.876 28.088-8.777 33.208-9.216.877-.147 1.609-.293 2.487-.293a123.776 123.776 0 0 1 29.55-.292c13.896 1.609 28.818 5.705 44.031 14.043 0 0-11.556-10.971-36.425-18.578l2.048-2.34s20.041-.44 41.106 15.36c0 0 21.066 38.18 21.066 85.284 0 0-12.435 21.211-44.764 22.235zm-68.023-68.316c-8.338 0-14.92 7.314-14.92 16.237 0 8.924 6.728 16.238 14.92 16.238 8.339 0 14.921-7.314 14.921-16.238.147-8.923-6.582-16.237-14.92-16.237m53.394 0c-8.339 0-14.922 7.314-14.922 16.237 0 8.924 6.73 16.238 14.922 16.238 8.338 0 14.92-7.314 14.92-16.238 0-8.923-6.582-16.237-14.92-16.237" fill="#7289DA"/>
-</svg>
+<svg width="2184" height="2500" viewBox="0 0 256 293" xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMidYMid"><path d="M226.011 0H29.99C13.459 0 0 13.458 0 30.135v197.778c0 16.677 13.458 30.135 29.989 30.135h165.888l-7.754-27.063 18.725 17.408 17.7 16.384L256 292.571V30.135C256 13.458 242.542 0 226.011 0zm-56.466 191.05s-5.266-6.291-9.655-11.85c19.164-5.413 26.478-17.408 26.478-17.408-5.998 3.95-11.703 6.73-16.823 8.63-7.314 3.073-14.336 5.12-21.211 6.291-14.044 2.633-26.917 1.902-37.888-.146-8.339-1.61-15.507-3.95-21.504-6.29-3.365-1.317-7.022-2.926-10.68-4.974-.438-.293-.877-.439-1.316-.732-.292-.146-.439-.292-.585-.438-2.633-1.463-4.096-2.487-4.096-2.487s7.022 11.703 25.6 17.261c-4.388 5.56-9.801 12.142-9.801 12.142-32.33-1.024-44.617-22.235-44.617-22.235 0-47.104 21.065-85.285 21.065-85.285 21.065-15.799 41.106-15.36 41.106-15.36l1.463 1.756C80.75 77.53 68.608 89.088 68.608 89.088s3.218-1.755 8.63-4.242c15.653-6.876 28.088-8.777 33.208-9.216.877-.147 1.609-.293 2.487-.293a123.776 123.776 0 0 1 29.55-.292c13.896 1.609 28.818 5.705 44.031 14.043 0 0-11.556-10.971-36.425-18.578l2.048-2.34s20.041-.44 41.106 15.36c0 0 21.066 38.18 21.066 85.284 0 0-12.435 21.211-44.764 22.235zm-68.023-68.316c-8.338 0-14.92 7.314-14.92 16.237 0 8.924 6.728 16.238 14.92 16.238 8.339 0 14.921-7.314 14.921-16.238.147-8.923-6.582-16.237-14.92-16.237m53.394 0c-8.339 0-14.922 7.314-14.922 16.237 0 8.924 6.73 16.238 14.922 16.238 8.338 0 14.92-7.314 14.92-16.238 0-8.923-6.582-16.237-14.92-16.237" fill="#7289DA"/></svg>

docs/static/img/providers/facebook-2.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="1298" height="2500" viewBox="88.428 12.828 107.543 207.085"><path d="M158.232 219.912v-94.461h31.707l4.747-36.813h-36.454V65.134c0-10.658 2.96-17.922 18.245-17.922l19.494-.009V14.278c-3.373-.447-14.944-1.449-28.406-1.449-28.106 0-47.348 17.155-47.348 48.661v27.149H88.428v36.813h31.788v94.461l38.016-.001z" fill="#3c5a9a"/></svg>

docs/static/img/providers/github-1.svg

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 22.1.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.2" baseProfile="tiny" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
+	 x="0px" y="0px" viewBox="0 0 2350 2314.8" xml:space="preserve" fill="#3c5a9a">
+<path d="M1175,0C525.8,0,0,525.8,0,1175c0,552.2,378.9,1010.5,890.1,1139.7c-5.9-14.7-8.8-35.3-8.8-55.8v-199.8H734.4
+	c-79.3,0-152.8-35.2-185.1-99.9c-38.2-70.5-44.1-179.2-141-246.8c-29.4-23.5-5.9-47,26.4-44.1c61.7,17.6,111.6,58.8,158.6,120.4
+	c47,61.7,67.6,76.4,155.7,76.4c41.1,0,105.7-2.9,164.5-11.8c32.3-82.3,88.1-155.7,155.7-190.9c-393.6-47-581.6-240.9-581.6-505.3
+	c0-114.6,49.9-223.3,132.2-317.3c-26.4-91.1-61.7-279.1,11.8-352.5c176.3,0,282,114.6,308.4,143.9c88.1-29.4,185.1-47,284.9-47
+	c102.8,0,196.8,17.6,284.9,47c26.4-29.4,132.2-143.9,308.4-143.9c70.5,70.5,38.2,261.4,8.8,352.5c82.3,91.1,129.3,202.7,129.3,317.3
+	c0,264.4-185.1,458.3-575.7,499.4c108.7,55.8,185.1,214.4,185.1,331.9V2256c0,8.8-2.9,17.6-2.9,26.4
+	C2021,2123.8,2350,1689.1,2350,1175C2350,525.8,1824.2,0,1175,0L1175,0z"/>
+</svg>

docs/static/img/providers/gitlab.svg

@@ -1,11 +1 @@
-<svg width="32" height="32" xmlns="http://www.w3.org/2000/svg" viewBox="93.97 97.52 192.05 184.99">
-  <defs>
-    <style>.cls-1{fill:#e24329;}.cls-2{fill:#fc6d26;}.cls-3{fill:#fca326;}</style>
-  </defs>
-  <g>
-    <path class="cls-1" d="M282.83,170.73l-.27-.69-26.14-68.22a6.81,6.81,0,0,0-2.69-3.24,7,7,0,0,0-8,.43,7,7,0,0,0-2.32,3.52l-17.65,54H154.29l-17.65-54A6.86,6.86,0,0,0,134.32,99a7,7,0,0,0-8-.43,6.87,6.87,0,0,0-2.69,3.24L97.44,170l-.26.69a48.54,48.54,0,0,0,16.1,56.1l.09.07.24.17,39.82,29.82,19.7,14.91,12,9.06a8.07,8.07,0,0,0,9.76,0l12-9.06,19.7-14.91,40.06-30,.1-.08A48.56,48.56,0,0,0,282.83,170.73Z"/>
-    <path class="cls-2" d="M282.83,170.73l-.27-.69a88.3,88.3,0,0,0-35.15,15.8L190,229.25c19.55,14.79,36.57,27.64,36.57,27.64l40.06-30,.1-.08A48.56,48.56,0,0,0,282.83,170.73Z"/>
-    <path class="cls-3" d="M153.43,256.89l19.7,14.91,12,9.06a8.07,8.07,0,0,0,9.76,0l12-9.06,19.7-14.91S209.55,244,190,229.25C170.45,244,153.43,256.89,153.43,256.89Z"/>
-    <path class="cls-2" d="M132.58,185.84A88.19,88.19,0,0,0,97.44,170l-.26.69a48.54,48.54,0,0,0,16.1,56.1l.09.07.24.17,39.82,29.82s17-12.85,36.57-27.64Z"/>
-  </g>
-</svg>
+<svg width="2500" height="2305" viewBox="0 0 256 236" xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMinYMin meet"><path d="M128.075 236.075l47.104-144.97H80.97l47.104 144.97z" fill="#E24329"/><path d="M128.075 236.074L80.97 91.104H14.956l113.119 144.97z" fill="#FC6D26"/><path d="M14.956 91.104L.642 135.16a9.752 9.752 0 0 0 3.542 10.903l123.891 90.012-113.12-144.97z" fill="#FCA326"/><path d="M14.956 91.105H80.97L52.601 3.79c-1.46-4.493-7.816-4.492-9.275 0l-28.37 87.315z" fill="#E24329"/><path d="M128.075 236.074l47.104-144.97h66.015l-113.12 144.97z" fill="#FC6D26"/><path d="M241.194 91.104l14.314 44.056a9.752 9.752 0 0 1-3.543 10.903l-123.89 90.012 113.119-144.97z" fill="#FCA326"/><path d="M241.194 91.105h-66.015l28.37-87.315c1.46-4.493 7.816-4.492 9.275 0l28.37 87.315z" fill="#E24329"/></svg>

docs/static/img/providers/google-icon.svg

@@ -0,0 +1 @@
+<svg width="2443" height="2500" viewBox="0 0 256 262" xmlns="http://www.w3.org/2000/svg" preserveAspectRatio="xMidYMid"><path d="M255.878 133.451c0-10.734-.871-18.567-2.756-26.69H130.55v48.448h71.947c-1.45 12.04-9.283 30.172-26.69 42.356l-.244 1.622 38.755 30.023 2.685.268c24.659-22.774 38.875-56.282 38.875-96.027" fill="#4285F4"/><path d="M130.55 261.1c35.248 0 64.839-11.605 86.453-31.622l-41.196-31.913c-11.024 7.688-25.82 13.055-45.257 13.055-34.523 0-63.824-22.773-74.269-54.25l-1.531.13-40.298 31.187-.527 1.465C35.393 231.798 79.49 261.1 130.55 261.1" fill="#34A853"/><path d="M56.281 156.37c-2.756-8.123-4.351-16.827-4.351-25.82 0-8.994 1.595-17.697 4.206-25.82l-.073-1.73L15.26 71.312l-1.335.635C5.077 89.644 0 109.517 0 130.55s5.077 40.905 13.925 58.602l42.356-32.782" fill="#FBBC05"/><path d="M130.55 50.479c24.514 0 41.05 10.589 50.479 19.438l36.844-35.974C195.245 12.91 165.798 0 130.55 0 79.49 0 35.393 29.301 13.925 71.947l42.211 32.783c10.59-31.477 39.891-54.251 74.414-54.251" fill="#EB4335"/></svg>

docs/static/img/providers/mattermost-dark.svg

@@ -1,4 +0,0 @@
-<svg width="700" height="700" viewBox="0 0 700 700" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path fill-rule="evenodd" clip-rule="evenodd" d="M496.909 147.716L499.54 200.779C542.559 248.303 559.539 315.609 538.125 378.865C506.159 473.292 400.753 522.93 302.694 489.735C204.635 456.54 151.057 353.081 183.023 258.653C204.508 195.186 259.171 151.953 322.48 140.505L356.685 100.091C249.969 97.2018 149.288 163.442 113.265 269.853C69.0048 400.598 139.114 542.468 269.859 586.729C400.604 630.99 542.474 560.88 586.735 430.135C622.7 323.895 583.148 210.308 496.909 147.716Z" fill="#dddddd"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M435.623 304.289L433.812 230.109L432.359 187.424L431.376 150.444C431.376 150.444 431.581 132.612 430.959 128.422C430.828 127.54 430.551 126.822 430.221 126.196C430.18 126.108 430.141 126.02 430.096 125.934C430.049 125.854 430.003 125.78 429.954 125.705C429.27 124.528 428.195 123.572 426.804 123.101C425.381 122.619 423.909 122.738 422.631 123.29C422.604 123.3 422.579 123.309 422.552 123.32C422.4 123.388 422.255 123.465 422.109 123.546C421.503 123.841 420.887 124.223 420.284 124.808C417.244 127.758 406.575 142.048 406.575 142.048L383.331 170.826L356.248 203.851L309.749 261.677C309.749 261.677 288.411 288.308 293.126 321.088C297.841 353.868 322.211 369.837 341.117 376.238C360.023 382.638 389.082 384.756 412.74 361.581C436.396 338.405 435.623 304.289 435.623 304.289Z" fill="#dddddd"/>
-</svg>

docs/static/img/providers/mattermost.svg

@@ -1,4 +0,0 @@
-<svg width="700" height="700" viewBox="0 0 700 700" fill="none" xmlns="http://www.w3.org/2000/svg">
-<path fill-rule="evenodd" clip-rule="evenodd" d="M496.909 147.716L499.54 200.779C542.559 248.303 559.539 315.609 538.125 378.865C506.159 473.292 400.753 522.93 302.694 489.735C204.635 456.54 151.057 353.081 183.023 258.653C204.508 195.186 259.171 151.953 322.48 140.505L356.685 100.091C249.969 97.2018 149.288 163.442 113.265 269.853C69.0048 400.598 139.114 542.468 269.859 586.729C400.604 630.99 542.474 560.88 586.735 430.135C622.7 323.895 583.148 210.308 496.909 147.716Z" fill="#222222"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M435.623 304.289L433.812 230.109L432.359 187.424L431.376 150.444C431.376 150.444 431.581 132.612 430.959 128.422C430.828 127.54 430.551 126.822 430.221 126.196C430.18 126.108 430.141 126.02 430.096 125.934C430.049 125.854 430.003 125.78 429.954 125.705C429.27 124.528 428.195 123.572 426.804 123.101C425.381 122.619 423.909 122.738 422.631 123.29C422.604 123.3 422.579 123.309 422.552 123.32C422.4 123.388 422.255 123.465 422.109 123.546C421.503 123.841 420.887 124.223 420.284 124.808C417.244 127.758 406.575 142.048 406.575 142.048L383.331 170.826L356.248 203.851L309.749 261.677C309.749 261.677 288.411 288.308 293.126 321.088C297.841 353.868 322.211 369.837 341.117 376.238C360.023 382.638 389.082 384.756 412.74 361.581C436.396 338.405 435.623 304.289 435.623 304.289Z" fill="#222222"/>
-</svg>

docs/static/img/providers/okta-3.svg

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 22.1.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.2" baseProfile="tiny" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
+	 x="0px" y="0px" viewBox="0 0 2490.6 839.8" xml:space="preserve">
+<path fill="#007DC1" d="M704.3,418c0-129.5,0.2-259.1-0.3-388.5c0-18,11.9-29.2,29.9-29.2c33.3-0.2,66.8-0.3,100.1,0
+	c18.9,0.2,29.9,11.7,29.7,29.4c-0.5,114.6-0.3,229.4-0.3,344v6.3c0.2,12.7,5.8,22,17.5,27c11.3,4.8,21.9,2.3,31.1-7.5
+	c33.6-36,67.1-72.1,100.5-108.2c20.5-22.2,41.3-44.1,61.6-66.4c7.7-8.4,16.6-12.4,28.1-12.2c41.9,0.3,84,0.3,125.9,0
+	c12.4,0,22.2,3.8,27.4,15.3c5.3,11.9,2.8,22.5-6.1,32.2c-62.9,69.6-125.6,139.3-188.4,208.9c-5,5.6-9.9,11.4-13.8,17.8
+	c-7,11.3-7,22.4-0.5,33.9c7,12.4,16.9,22.4,26.7,32.5c76.1,78.2,152.4,156.4,228.7,234.4c9.2,9.5,11.9,19.9,7.3,32.1
+	c-4.4,11.4-13.1,16.6-27.4,16.6c-46.6,0-93.3-0.2-139.9,0c-10.5,0-18.6-3.3-26.1-11.3c-67.7-71.1-135.9-141.8-203.9-212.6
+	c-9.7-10.2-20.5-12.8-31.7-8.1c-11.3,4.5-17.2,14.1-17.2,28v174.3c0,18.8-9.5,28.5-28.1,28.6H732.7c-20.5,0-28.5-8.1-28.5-28.3
+	L704.3,418z M1339.7,287.7c0-85.7,0.3-171.5-0.3-257.2c-0.2-19.4,11.1-30.5,30.8-30.5c32.4,0.2,64.6,0,96.9,0
+	c18.9,0,29.7,10.6,29.7,29.4c0.2,50,0.2,100.1,0.3,150.1c0,21.6,11.1,32.8,32.5,32.8h134.5c14.2,0,23.5,7.7,26.3,21.6
+	c1.4,6.7,0.9,13.4,1.1,20.3v82.9c0,21.7-9.7,31.4-31.4,31.4c-43,0-86-0.2-129-0.2c-22,0-33.3,11.1-33.5,32.8
+	c-0.2,44.1-0.9,88-0.3,132.1c0.9,67.2,52.4,129.1,119.3,144.9c19.7,4.7,39.7,5.5,59.7,2.7c16.3-2.3,28.1,6.4,30,22.8
+	c4.1,34.9,7.8,69.9,11.4,104.8c1.4,13.3-8.3,25.5-22,27.7c-36.9,6.3-73.8,4.1-110.1-4.1C1456,803,1360.8,699.4,1342.2,568.1
+	c-1.9-13-2.5-26-2.5-38.9L1339.7,287.7z M2490.4,697.2c0-11.9-9.1-20.2-21-20.8c-8.1-0.3-16.1-0.6-24.2-1.3
+	c-41.4-3.1-62.7-22.5-70.2-63.3c-5.8-31.1-5.6-62.7-5.8-94.3c-0.3-90.7-0.2-181.4-0.2-272.1c0-2.7,0-5.2-0.2-7.8
+	c-1.1-14.7-11.7-25.2-26.6-25.2c-34.9-0.2-69.9-0.2-104.8,0c-15.8,0-27,11.3-27.7,26.9c-0.2,3.8,0,7.7,0,12.2
+	c-3-1.6-5.3-2.7-7.5-3.8c-63-33.1-129.8-43.8-200-32.1c-178.7,30-295.2,209-250.8,384.6c56.4,222.8,323.5,311.5,502.2,166.5
+	c4.2-3.4,5.9-3.3,9.2,1.3c18.4,26.3,42.7,45.3,72.9,56.8c33.3,12.7,68,14.4,103.2,11.9c12.5-0.9,24.9-2.7,36.3-8.4
+	c8.1-4.1,14.7-10.2,14.9-19.5C2490.8,771.6,2490.6,734.4,2490.4,697.2L2490.4,697.2z M2055.6,681.1c-86.9-0.3-156-71-155.7-159.6
+	c0.3-83.8,71.3-153.4,156.5-153.2c87.4,0.2,156.4,70.4,156.2,159.2C2212.3,611.2,2140.8,681.2,2055.6,681.1z M314,211.1
+	C148,211.4,3.8,339.6,0.1,517.7c-3.8,184.2,142.1,316,305,320.1c174.2,4.4,318.5-133.1,321.5-306.8C629.5,354.2,491,213.1,314,211.1
+	L314,211.1z M312.9,681.1c-85.7,0-156-70.4-156.2-156.4c-0.2-86.1,70-156.4,156.5-156.7c86.3-0.2,156.2,69.9,156.2,156.5
+	S399.5,681.1,312.9,681.1L312.9,681.1z"/>
+</svg>

docs/static/img/providers/openid.svg

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- Generator: Adobe Illustrator 18.1.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Capa_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 25.573 25.573" style="enable-background:new 0 0 25.573 25.573;" xml:space="preserve">
+<g>
+	<g>
+		<polygon style="fill:#030104;" points="12.036,24.589 12.036,3.296 15.391,0.983 15.391,22.74 		"/>
+		<path style="fill:#030104;" d="M11.11,7.926v2.893c0,0-6.632,0.521-7.058,5.556c0,0-0.93,4.396,7.058,5.785v2.43
+			c0,0-11.226-1.155-11.109-8.331C0.001,16.258-0.115,8.968,11.11,7.926z"/>
+		<path style="fill:#030104;" d="M16.2,7.926v2.702c0,0,2.142-0.029,3.934,1.463l-1.964,0.807l7.403,1.855V8.967l-2.527,1.43
+			C23.046,10.397,20.889,8.13,16.2,7.926z"/>
+	</g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+</svg>

docs/static/img/providers/slack.svg

@@ -1,8 +1 @@
-<svg enable-background="new 0 0 2447.6 2452.5" viewBox="0 0 2447.6 2452.5" xmlns="http://www.w3.org/2000/svg" width="32" height="32">
-  <g clip-rule="evenodd" fill-rule="evenodd">
-    <path d="m897.4 0c-135.3.1-244.8 109.9-244.7 245.2-.1 135.3 109.5 245.1 244.8 245.2h244.8v-245.1c.1-135.3-109.5-245.1-244.9-245.3.1 0 .1 0 0 0m0 654h-652.6c-135.3.1-244.9 109.9-244.8 245.2-.2 135.3 109.4 245.1 244.7 245.3h652.7c135.3-.1 244.9-109.9 244.8-245.2.1-135.4-109.5-245.2-244.8-245.3z" fill="#36c5f0"/>
-    <path d="m2447.6 899.2c.1-135.3-109.5-245.1-244.8-245.2-135.3.1-244.9 109.9-244.8 245.2v245.3h244.8c135.3-.1 244.9-109.9 244.8-245.3zm-652.7 0v-654c.1-135.2-109.4-245-244.7-245.2-135.3.1-244.9 109.9-244.8 245.2v654c-.2 135.3 109.4 245.1 244.7 245.3 135.3-.1 244.9-109.9 244.8-245.3z" fill="#2eb67d"/>
-    <path d="m1550.1 2452.5c135.3-.1 244.9-109.9 244.8-245.2.1-135.3-109.5-245.1-244.8-245.2h-244.8v245.2c-.1 135.2 109.5 245 244.8 245.2zm0-654.1h652.7c135.3-.1 244.9-109.9 244.8-245.2.2-135.3-109.4-245.1-244.7-245.3h-652.7c-135.3.1-244.9 109.9-244.8 245.2-.1 135.4 109.4 245.2 244.7 245.3z" fill="#ecb22e"/>
-    <path d="m0 1553.2c-.1 135.3 109.5 245.1 244.8 245.2 135.3-.1 244.9-109.9 244.8-245.2v-245.2h-244.8c-135.3.1-244.9 109.9-244.8 245.2zm652.7 0v654c-.2 135.3 109.4 245.1 244.7 245.3 135.3-.1 244.9-109.9 244.8-245.2v-653.9c.2-135.3-109.4-245.1-244.7-245.3-135.4 0-244.9 109.8-244.8 245.1 0 0 0 .1 0 0" fill="#e01e5a"/>
-  </g>
-</svg>
+<svg enable-background="new 0 0 2447.6 2452.5" viewBox="0 0 2447.6 2452.5" xmlns="http://www.w3.org/2000/svg"><g clip-rule="evenodd" fill-rule="evenodd"><path d="m897.4 0c-135.3.1-244.8 109.9-244.7 245.2-.1 135.3 109.5 245.1 244.8 245.2h244.8v-245.1c.1-135.3-109.5-245.1-244.9-245.3.1 0 .1 0 0 0m0 654h-652.6c-135.3.1-244.9 109.9-244.8 245.2-.2 135.3 109.4 245.1 244.7 245.3h652.7c135.3-.1 244.9-109.9 244.8-245.2.1-135.4-109.5-245.2-244.8-245.3z" fill="#36c5f0"/><path d="m2447.6 899.2c.1-135.3-109.5-245.1-244.8-245.2-135.3.1-244.9 109.9-244.8 245.2v245.3h244.8c135.3-.1 244.9-109.9 244.8-245.3zm-652.7 0v-654c.1-135.2-109.4-245-244.7-245.2-135.3.1-244.9 109.9-244.8 245.2v654c-.2 135.3 109.4 245.1 244.7 245.3 135.3-.1 244.9-109.9 244.8-245.3z" fill="#2eb67d"/><path d="m1550.1 2452.5c135.3-.1 244.9-109.9 244.8-245.2.1-135.3-109.5-245.1-244.8-245.2h-244.8v245.2c-.1 135.2 109.5 245 244.8 245.2zm0-654.1h652.7c135.3-.1 244.9-109.9 244.8-245.2.2-135.3-109.4-245.1-244.7-245.3h-652.7c-135.3.1-244.9 109.9-244.8 245.2-.1 135.4 109.4 245.2 244.7 245.3z" fill="#ecb22e"/><path d="m0 1553.2c-.1 135.3 109.5 245.1 244.8 245.2 135.3-.1 244.9-109.9 244.8-245.2v-245.2h-244.8c-135.3.1-244.9 109.9-244.8 245.2zm652.7 0v654c-.2 135.3 109.4 245.1 244.7 245.3 135.3-.1 244.9-109.9 244.8-245.2v-653.9c.2-135.3-109.4-245.1-244.7-245.3-135.4 0-244.9 109.8-244.8 245.1 0 0 0 .1 0 0" fill="#e01e5a"/></g></svg>

docs/static/img/providers/spotify.svg

@@ -1,4 +1,4 @@
-<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 2931 2931" width="32" height="32">
-  <style>.st0{fill:#2ebd59} </style>
-  <path class="st0" d="M1465.5 0C656.1 0 0 656.1 0 1465.5S656.1 2931 1465.5 2931 2931 2274.9 2931 1465.5C2931 656.2 2274.9.1 1465.5 0zm672.1 2113.6c-26.3 43.2-82.6 56.7-125.6 30.4-344.1-210.3-777.3-257.8-1287.4-141.3-49.2 11.3-98.2-19.5-109.4-68.7-11.3-49.2 19.4-98.2 68.7-109.4C1242.1 1697.1 1721 1752 2107.3 1988c43 26.5 56.7 82.6 30.3 125.6zm179.3-398.9c-33.1 53.8-103.5 70.6-157.2 37.6-393.8-242.1-994.4-312.2-1460.3-170.8-60.4 18.3-124.2-15.8-142.6-76.1-18.2-60.4 15.9-124.1 76.2-142.5 532.2-161.5 1193.9-83.3 1646.2 194.7 53.8 33.1 70.8 103.4 37.7 157.1zm15.4-415.6c-472.4-280.5-1251.6-306.3-1702.6-169.5-72.4 22-149-18.9-170.9-91.3-21.9-72.4 18.9-149 91.4-171 517.7-157.1 1378.2-126.8 1922 196 65.1 38.7 86.5 122.8 47.9 187.8-38.5 65.2-122.8 86.7-187.8 48z"/>
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg xmlns="http://www.w3.org/2000/svg" height="168px" width="168px" version="1.1" viewBox="0 0 168 168">
+ <path fill="#1ED760" d="m83.996 0.277c-46.249 0-83.743 37.493-83.743 83.742 0 46.251 37.494 83.741 83.743 83.741 46.254 0 83.744-37.49 83.744-83.741 0-46.246-37.49-83.738-83.745-83.738l0.001-0.004zm38.404 120.78c-1.5 2.46-4.72 3.24-7.18 1.73-19.662-12.01-44.414-14.73-73.564-8.07-2.809 0.64-5.609-1.12-6.249-3.93-0.643-2.81 1.11-5.61 3.926-6.25 31.9-7.291 59.263-4.15 81.337 9.34 2.46 1.51 3.24 4.72 1.73 7.18zm10.25-22.805c-1.89 3.075-5.91 4.045-8.98 2.155-22.51-13.839-56.823-17.846-83.448-9.764-3.453 1.043-7.1-0.903-8.148-4.35-1.04-3.453 0.907-7.093 4.354-8.143 30.413-9.228 68.222-4.758 94.072 11.127 3.07 1.89 4.04 5.91 2.15 8.976v-0.001zm0.88-23.744c-26.99-16.031-71.52-17.505-97.289-9.684-4.138 1.255-8.514-1.081-9.768-5.219-1.254-4.14 1.08-8.513 5.221-9.771 29.581-8.98 78.756-7.245 109.83 11.202 3.73 2.209 4.95 7.016 2.74 10.733-2.2 3.722-7.02 4.949-10.73 2.739z"/>
 </svg>

docs/static/img/providers/twitter.svg

@@ -1,3 +1,6 @@
-<svg width="32" height="32" viewBox="117.806 161.288 464.388 377.424" xmlns="http://www.w3.org/2000/svg">
-  <path d="m582.194 205.976c-17.078 7.567-35.424 12.68-54.71 14.991 19.675-11.78 34.769-30.474 41.886-52.726-18.407 10.922-38.798 18.857-60.497 23.111-17.385-18.488-42.132-30.064-69.538-30.064-52.603 0-95.266 42.663-95.266 95.307a97.3 97.3 0 0 0 2.454 21.68c-79.211-3.989-149.383-41.928-196.382-99.562-8.18 14.112-12.885 30.474-12.885 47.899 0 33.05 16.833 62.236 42.377 79.314a95.051 95.051 0 0 1 -43.154-11.924v1.227c0 46.16 32.826 84.672 76.43 93.426a95.97 95.97 0 0 1 -25.095 3.313 95.929 95.929 0 0 1 -17.936-1.677c12.128 37.836 47.306 65.406 89.008 66.142-32.622 25.565-73.71 40.802-118.337 40.802-7.69 0-15.278-.45-22.743-1.33 42.173 27.06 92.24 42.807 146.029 42.807 175.275 0 271.094-145.17 271.094-271.073 0-4.09-.103-8.222-.287-12.312 18.612-13.458 34.769-30.208 47.51-49.29z" fill="#1da1f2"/>
-</svg>
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg width="256px" height="209px" viewBox="0 0 256 209" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" preserveAspectRatio="xMidYMid">
+    <g>
+        <path d="M256,25.4500259 C246.580841,29.6272672 236.458451,32.4504868 225.834156,33.7202333 C236.678503,27.2198053 245.00583,16.9269929 248.927437,4.66307685 C238.779765,10.6812633 227.539325,15.0523376 215.57599,17.408298 C205.994835,7.2006971 192.34506,0.822 177.239197,0.822 C148.232605,0.822 124.716076,24.3375931 124.716076,53.3423116 C124.716076,57.4586875 125.181462,61.4673784 126.076652,65.3112644 C82.4258385,63.1210453 43.7257252,42.211429 17.821398,10.4359288 C13.3005011,18.1929938 10.710443,27.2151234 10.710443,36.8402889 C10.710443,55.061526 19.9835254,71.1374907 34.0762135,80.5557137 C25.4660961,80.2832239 17.3681846,77.9207088 10.2862577,73.9869292 C10.2825122,74.2060448 10.2825122,74.4260967 10.2825122,74.647085 C10.2825122,100.094453 28.3867003,121.322443 52.413563,126.14673 C48.0059695,127.347184 43.3661509,127.988612 38.5755734,127.988612 C35.1914554,127.988612 31.9009766,127.659938 28.694773,127.046602 C35.3777973,147.913145 54.7742053,163.097665 77.7569918,163.52185 C59.7820257,177.607983 37.1354036,186.004604 12.5289147,186.004604 C8.28987161,186.004604 4.10888474,185.75646 0,185.271409 C23.2431033,200.173139 50.8507261,208.867532 80.5109185,208.867532 C177.116529,208.867532 229.943977,128.836982 229.943977,59.4326002 C229.943977,57.1552968 229.893412,54.8901664 229.792282,52.6381454 C240.053257,45.2331635 248.958338,35.9825545 256,25.4500259" fill="#55acee"></path>
+    </g>
+</svg>

package.json

@@ -13,13 +13,12 @@
     "dev": "turbo run dev --parallel --continue --filter=next-auth-app... --filter=!./packages/adapter-*",
     "dev:kit": "turbo run dev --parallel --continue --filter=sveltekit-auth-app...",
     "dev:docs": "turbo run dev --filter=docs",
-    "email": "cd apps/dev/nextjs && pnpm email",
+    "email": "cd apps/dev && pnpm email",
     "eslint": "eslint --cache .",
     "lint": "prettier --check .",
     "format": "prettier --write .",
     "release": "release",
-    "version:pr": "node ./config/version-pr",
-    "e2e": "turbo run e2e --filter=next-auth-app"
+    "version:pr": "node ./config/version-pr"
   },
   "devDependencies": {
     "@actions/core": "^1.10.0",
@@ -48,7 +47,7 @@
   "engines": {
     "node": "^16.13.0 || ^18.12.0"
   },
-  "packageManager": "pnpm@7.23.0",
+  "packageManager": "pnpm@7.19.0",
   "funding": [
     {
       "type": "github",

packages/adapter-dynamodb/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@next-auth/dynamodb-adapter",
   "repository": "https://github.com/nextauthjs/next-auth",
-  "version": "1.2.0",
+  "version": "1.0.5",
   "description": "AWS DynamoDB adapter for next-auth.",
   "keywords": [
     "next-auth",
@@ -44,4 +44,4 @@
     "jest": "^27.4.3",
     "next-auth": "workspace:*"
   }
-}
+}

packages/adapter-dynamodb/src/index.ts

@@ -16,25 +16,11 @@ import { format, generateUpdateExpression } from "./utils"
 
 export { format, generateUpdateExpression }
 
-export interface DynamoDBAdapterOptions {
-  tableName?: string,
-  partitionKey?: string,
-  sortKey?: string,
-  indexName?: string,
-  indexPartitionKey?: string,
-  indexSortKey?: string
-}
-
 export function DynamoDBAdapter(
   client: DynamoDBDocument,
-  options?: DynamoDBAdapterOptions
+  options?: { tableName: string }
 ): Adapter {
   const TableName = options?.tableName ?? "next-auth"
-  const pk = options?.partitionKey ?? 'pk'
-  const sk = options?.sortKey ?? 'sk'
-  const IndexName = options?.indexName ?? 'GSI1'
-  const GSI1PK = options?.indexPartitionKey ?? 'GSI1PK'
-  const GSI1SK = options?.indexSortKey ?? 'GSI1SK'
 
   return {
     async createUser(data) {
@@ -47,11 +33,11 @@ export function DynamoDBAdapter(
         TableName,
         Item: format.to({
           ...user,
-          [pk]: `USER#${user.id}`,
-          [sk]: `USER#${user.id}`,
+          pk: `USER#${user.id}`,
+          sk: `USER#${user.id}`,
           type: "USER",
-          [GSI1PK]: `USER#${user.email as string}`,
-          [GSI1SK]: `USER#${user.email as string}`,
+          GSI1PK: `USER#${user.email as string}`,
+          GSI1SK: `USER#${user.email as string}`,
         }),
       })
 
@@ -61,8 +47,8 @@ export function DynamoDBAdapter(
       const data = await client.get({
         TableName,
         Key: {
-          [pk]: `USER#${userId}`,
-          [sk]: `USER#${userId}`,
+          pk: `USER#${userId}`,
+          sk: `USER#${userId}`,
         },
       })
       return format.from<AdapterUser>(data.Item)
@@ -70,11 +56,11 @@ export function DynamoDBAdapter(
     async getUserByEmail(email) {
       const data = await client.query({
         TableName,
-        IndexName,
+        IndexName: "GSI1",
         KeyConditionExpression: "#gsi1pk = :gsi1pk AND #gsi1sk = :gsi1sk",
         ExpressionAttributeNames: {
-          "#gsi1pk": GSI1PK,
-          "#gsi1sk": GSI1SK,
+          "#gsi1pk": "GSI1PK",
+          "#gsi1sk": "GSI1SK",
         },
         ExpressionAttributeValues: {
           ":gsi1pk": `USER#${email}`,
@@ -87,11 +73,11 @@ export function DynamoDBAdapter(
     async getUserByAccount({ provider, providerAccountId }) {
       const data = await client.query({
         TableName,
-        IndexName,
+        IndexName: "GSI1",
         KeyConditionExpression: "#gsi1pk = :gsi1pk AND #gsi1sk = :gsi1sk",
         ExpressionAttributeNames: {
-          "#gsi1pk": GSI1PK,
-          "#gsi1sk": GSI1SK,
+          "#gsi1pk": "GSI1PK",
+          "#gsi1sk": "GSI1SK",
         },
         ExpressionAttributeValues: {
           ":gsi1pk": `ACCOUNT#${provider}`,
@@ -104,8 +90,8 @@ export function DynamoDBAdapter(
       const res = await client.get({
         TableName,
         Key: {
-          [pk]: `USER#${accounts.userId}`,
-          [sk]: `USER#${accounts.userId}`,
+          pk: `USER#${accounts.userId}`,
+          sk: `USER#${accounts.userId}`,
         },
       })
       return format.from<AdapterUser>(res.Item)
@@ -120,8 +106,8 @@ export function DynamoDBAdapter(
         TableName,
         Key: {
           // next-auth type is incorrect it should be Partial<AdapterUser> & {id: string} instead of just Partial<AdapterUser>
-          [pk]: `USER#${user.id as string}`,
-          [sk]: `USER#${user.id as string}`,
+          pk: `USER#${user.id as string}`,
+          sk: `USER#${user.id as string}`,
         },
         UpdateExpression,
         ExpressionAttributeNames,
@@ -137,7 +123,7 @@ export function DynamoDBAdapter(
       const res = await client.query({
         TableName,
         KeyConditionExpression: "#pk = :pk",
-        ExpressionAttributeNames: { "#pk": pk },
+        ExpressionAttributeNames: { "#pk": "pk" },
         ExpressionAttributeValues: { ":pk": `USER#${userId}` },
       })
       if (!res.Items) return null
@@ -148,8 +134,8 @@ export function DynamoDBAdapter(
         return {
           DeleteRequest: {
             Key: {
-              [sk]: item.sk,
-              [pk]: item.pk,
+              sk: item.sk,
+              pk: item.pk,
             },
           },
         }
@@ -166,10 +152,10 @@ export function DynamoDBAdapter(
       const item = {
         ...data,
         id: randomBytes(16).toString("hex"),
-        [pk]: `USER#${data.userId}`,
-        [sk]: `ACCOUNT#${data.provider}#${data.providerAccountId}`,
-        [GSI1PK]: `ACCOUNT#${data.provider}`,
-        [GSI1SK]: `ACCOUNT#${data.providerAccountId}`,
+        pk: `USER#${data.userId}`,
+        sk: `ACCOUNT#${data.provider}#${data.providerAccountId}`,
+        GSI1PK: `ACCOUNT#${data.provider}`,
+        GSI1SK: `ACCOUNT#${data.providerAccountId}`,
       }
       await client.put({ TableName, Item: format.to(item) })
       return data
@@ -177,11 +163,11 @@ export function DynamoDBAdapter(
     async unlinkAccount({ provider, providerAccountId }) {
       const data = await client.query({
         TableName,
-        IndexName,
+        IndexName: "GSI1",
         KeyConditionExpression: "#gsi1pk = :gsi1pk AND #gsi1sk = :gsi1sk",
         ExpressionAttributeNames: {
-          "#gsi1pk": GSI1PK,
-          "#gsi1sk": GSI1SK,
+          "#gsi1pk": "GSI1PK",
+          "#gsi1sk": "GSI1SK",
         },
         ExpressionAttributeValues: {
           ":gsi1pk": `ACCOUNT#${provider}`,
@@ -193,8 +179,8 @@ export function DynamoDBAdapter(
       await client.delete({
         TableName,
         Key: {
-          [pk]: `USER#${account.userId}`,
-          [sk]: `ACCOUNT#${provider}#${providerAccountId}`,
+          pk: `USER#${account.userId}`,
+          sk: `ACCOUNT#${provider}#${providerAccountId}`,
         },
         ReturnValues: "ALL_OLD",
       })
@@ -203,11 +189,11 @@ export function DynamoDBAdapter(
     async getSessionAndUser(sessionToken) {
       const data = await client.query({
         TableName,
-        IndexName,
+        IndexName: "GSI1",
         KeyConditionExpression: "#gsi1pk = :gsi1pk AND #gsi1sk = :gsi1sk",
         ExpressionAttributeNames: {
-          "#gsi1pk": GSI1PK,
-          "#gsi1sk": GSI1SK,
+          "#gsi1pk": "GSI1PK",
+          "#gsi1sk": "GSI1SK",
         },
         ExpressionAttributeValues: {
           ":gsi1pk": `SESSION#${sessionToken}`,
@@ -219,8 +205,8 @@ export function DynamoDBAdapter(
       const res = await client.get({
         TableName,
         Key: {
-          [pk]: `USER#${session.userId}`,
-          [sk]: `USER#${session.userId}`,
+          pk: `USER#${session.userId}`,
+          sk: `USER#${session.userId}`,
         },
       })
       const user = format.from<AdapterUser>(res.Item)
@@ -235,10 +221,10 @@ export function DynamoDBAdapter(
       await client.put({
         TableName,
         Item: format.to({
-          [pk]: `USER#${data.userId}`,
-          [sk]: `SESSION#${data.sessionToken}`,
-          [GSI1SK]: `SESSION#${data.sessionToken}`,
-          [GSI1PK]: `SESSION#${data.sessionToken}`,
+          pk: `USER#${data.userId}`,
+          sk: `SESSION#${data.sessionToken}`,
+          GSI1SK: `SESSION#${data.sessionToken}`,
+          GSI1PK: `SESSION#${data.sessionToken}`,
           type: "SESSION",
           ...data,
         }),
@@ -249,11 +235,11 @@ export function DynamoDBAdapter(
       const { sessionToken } = session
       const data = await client.query({
         TableName,
-        IndexName,
+        IndexName: "GSI1",
         KeyConditionExpression: "#gsi1pk = :gsi1pk AND #gsi1sk = :gsi1sk",
         ExpressionAttributeNames: {
-          "#gsi1pk": GSI1PK,
-          "#gsi1sk": GSI1SK,
+          "#gsi1pk": "GSI1PK",
+          "#gsi1sk": "GSI1SK",
         },
         ExpressionAttributeValues: {
           ":gsi1pk": `SESSION#${sessionToken}`,
@@ -280,11 +266,11 @@ export function DynamoDBAdapter(
     async deleteSession(sessionToken) {
       const data = await client.query({
         TableName,
-        IndexName,
+        IndexName: "GSI1",
         KeyConditionExpression: "#gsi1pk = :gsi1pk AND #gsi1sk = :gsi1sk",
         ExpressionAttributeNames: {
-          "#gsi1pk": GSI1PK,
-          "#gsi1sk": GSI1SK,
+          "#gsi1pk": "GSI1PK",
+          "#gsi1sk": "GSI1SK",
         },
         ExpressionAttributeValues: {
           ":gsi1pk": `SESSION#${sessionToken}`,
@@ -306,8 +292,8 @@ export function DynamoDBAdapter(
       await client.put({
         TableName,
         Item: format.to({
-          [pk]: `VT#${data.identifier}`,
-          [sk]: `VT#${data.token}`,
+          pk: `VT#${data.identifier}`,
+          sk: `VT#${data.token}`,
           type: "VT",
           ...data,
         }),
@@ -318,8 +304,8 @@ export function DynamoDBAdapter(
       const data = await client.delete({
         TableName,
         Key: {
-          [pk]: `VT#${identifier}`,
-          [sk]: `VT#${token}`,
+          pk: `VT#${identifier}`,
+          sk: `VT#${token}`,
         },
         ReturnValues: "ALL_OLD",
       })

packages/adapter-xata/README.md

@@ -41,6 +41,7 @@ Now that we're ready, let's create a new Xata project using our next-auth schema
 
 ```json title="schema.json"
 {
+  "formatVersion": "",
   "tables": [
     {
       "name": "nextauth_users",

packages/adapter-xata/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@next-auth/xata-adapter",
-  "version": "0.2.2",
+  "version": "0.2.0",
   "description": "Xata adapter for next-auth.",
   "homepage": "https://authjs.dev",
   "repository": "https://github.com/nextauthjs/next-auth",
@@ -43,4 +43,4 @@
   "jest": {
     "preset": "@next-auth/adapter-test/jest"
   }
-}
+}

packages/core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@auth/core",
-  "version": "0.3.0",
+  "version": "0.2.4",
   "description": "Authentication for the Web.",
   "keywords": [
     "authentication",
@@ -41,8 +41,8 @@
       "types": "./adapters.d.ts"
     },
     "./errors": {
-      "types": "./errors.d.ts",
-      "import": "./errors.js"
+      "import": "./errors.js",
+      "types": "./errors.d.ts"
     },
     "./jwt": {
       "types": "./jwt.d.ts",

packages/core/src/index.ts

@@ -61,7 +61,7 @@ import { JWTOptions } from "./jwt.js"
  * import Auth from "@auth/core"
  *
  * const request = new Request("https://example.com")
- * const response = await AuthHandler(request, {
+ * const resposne = await AuthHandler(request, {
  *   providers: [...],
  *   secret: "...",
  *   trustHost: true,
@@ -157,7 +157,7 @@ export async function Auth(
  * export const authConfig: AuthConfig = {...}
  *
  * const request = new Request("https://example.com")
- * const response = await AuthHandler(request, authConfig)
+ * const resposne = await AuthHandler(request, authConfig)
  * ```
  *
  * @see [Initiailzation](https://authjs.dev/reference/configuration/auth-options)
@@ -296,16 +296,4 @@ export interface AuthConfig {
   cookies?: Partial<CookiesOptions>
   /** @todo */
   trustHost?: boolean
-  skipCSRFCheck?: typeof skipCSRFCheck
 }
-
-/**
- * :::danger
- * This option is inteded for framework authors.
- * :::
- *
- * Auth.js comes with built-in {@link https://authjs.dev/concepts/security#csrf CSRF} protection, but
- * if you are implementing a framework that is already protected against CSRF attacks, you can skip this check by
- * passing this value to {@link AuthConfig.skipCSRFCheck}.
- */
-export const skipCSRFCheck = Symbol("skip-csrf-check")

packages/core/src/lib/assert.ts

@@ -45,7 +45,7 @@ export function assertConfig(
   const { url } = request
   const warnings: WarningCode[] = []
 
-  if (!warned && options.debug) warnings.push("debug-enabled")
+  if (!warned && options.debug) warnings.push("debug_enabled")
 
   if (!options.trustHost) {
     return new UntrustedHost(`Host must be trusted. URL was: ${request.url}`)

packages/core/src/lib/index.ts

@@ -1,15 +1,14 @@
-import { UnknownAction } from "../errors.js"
-import { skipCSRFCheck } from "../index.js"
 import { SessionStore } from "./cookie.js"
+import { UnknownAction } from "../errors.js"
 import { init } from "./init.js"
 import renderPage from "./pages/index.js"
 import * as routes from "./routes/index.js"
 
 import type {
-  AuthConfig,
-  ErrorPageParam,
   RequestInternal,
   ResponseInternal,
+  AuthConfig,
+  ErrorPageParam,
 } from "../types.js"
 
 export async function AuthInternal<
@@ -20,8 +19,6 @@ export async function AuthInternal<
 ): Promise<ResponseInternal<Body>> {
   const { action, providerId, error, method } = request
 
-  const csrfDisabled = authOptions.skipCSRFCheck === skipCSRFCheck
-
   const { options, cookies } = await init({
     authOptions,
     action,
@@ -31,7 +28,6 @@ export async function AuthInternal<
     csrfToken: request.body?.csrfToken,
     cookies: request.cookies,
     isPost: method === "POST",
-    csrfDisabled,
   })
 
   const sessionStore = new SessionStore(
@@ -52,22 +48,12 @@ export async function AuthInternal<
         // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion
         return { ...session, cookies } as any
       }
-      case "csrf": {
-        if (csrfDisabled) {
-          options.logger.warn("csrf-disabled")
-          cookies.push({
-            name: options.cookies.csrfToken.name,
-            value: "",
-            options: { ...options.cookies.csrfToken.options, maxAge: 0 },
-          })
-          return { status: 404, cookies }
-        }
+      case "csrf":
         return {
           headers: { "Content-Type": "application/json" },
           body: { csrfToken: options.csrfToken } as any,
           cookies,
         }
-      }
       case "signin":
         if (pages.signIn) {
           let signinUrl = `${pages.signIn}${
@@ -139,7 +125,8 @@ export async function AuthInternal<
   } else {
     switch (action) {
       case "signin":
-        if ((csrfDisabled || options.csrfTokenVerified) && options.provider) {
+        // Verified CSRF Token required for all sign in routes
+        if (options.csrfTokenVerified && options.provider) {
           const signin = await routes.signin(
             request.query,
             request.body,
@@ -151,7 +138,8 @@ export async function AuthInternal<
 
         return { redirect: `${options.url}/signin?csrf=true`, cookies }
       case "signout":
-        if (csrfDisabled || options.csrfTokenVerified) {
+        // Verified CSRF Token required for signout
+        if (options.csrfTokenVerified) {
           const signout = await routes.signout(sessionStore, options)
           if (signout.cookies) cookies.push(...signout.cookies)
           return { ...signout, cookies }
@@ -162,7 +150,6 @@ export async function AuthInternal<
           // Verified CSRF Token required for credentials providers only
           if (
             options.provider.type === "credentials" &&
-            !csrfDisabled &&
             !options.csrfTokenVerified
           ) {
             return { redirect: `${options.url}/signin?csrf=true`, cookies }

packages/core/src/lib/init.ts

@@ -25,7 +25,6 @@ interface InitParams {
   /** CSRF token value extracted from the incoming request. From body if POST, from query if GET */
   csrfToken?: string
   /** Is the incoming request a POST request? */
-  csrfDisabled: boolean
   isPost: boolean
   cookies: RequestInternal["cookies"]
 }
@@ -39,7 +38,6 @@ export async function init({
   cookies: reqCookies,
   callbackUrl: reqCallbackUrl,
   csrfToken: reqCsrfToken,
-  csrfDisabled,
   isPost,
 }: InitParams): Promise<{
   options: InternalOptions
@@ -93,7 +91,7 @@ export async function init({
       strategy: authOptions.adapter ? "database" : "jwt",
       maxAge,
       updateAge: 24 * 60 * 60,
-      generateSessionToken: () => crypto.randomUUID(),
+      generateSessionToken: crypto.randomUUID,
       ...authOptions.session,
     },
     // JWT options
@@ -119,28 +117,26 @@ export async function init({
 
   const cookies: cookie.Cookie[] = []
 
-  if (!csrfDisabled) {
-    const {
-      csrfToken,
-      cookie: csrfCookie,
-      csrfTokenVerified,
-    } = await createCSRFToken({
-      options,
-      cookieValue: reqCookies?.[options.cookies.csrfToken.name],
-      isPost,
-      bodyValue: reqCsrfToken,
+  const {
+    csrfToken,
+    cookie: csrfCookie,
+    csrfTokenVerified,
+  } = await createCSRFToken({
+    options,
+    cookieValue: reqCookies?.[options.cookies.csrfToken.name],
+    isPost,
+    bodyValue: reqCsrfToken,
+  })
+
+  options.csrfToken = csrfToken
+  options.csrfTokenVerified = csrfTokenVerified
+
+  if (csrfCookie) {
+    cookies.push({
+      name: options.cookies.csrfToken.name,
+      value: csrfCookie,
+      options: options.cookies.csrfToken.options,
     })
-
-    options.csrfToken = csrfToken
-    options.csrfTokenVerified = csrfTokenVerified
-
-    if (csrfCookie) {
-      cookies.push({
-        name: options.cookies.csrfToken.name,
-        value: csrfCookie,
-        options: options.cookies.csrfToken.options,
-      })
-    }
   }
 
   const { callbackUrl, callbackUrlCookie } = await createCallbackUrl({

packages/core/src/lib/oauth/authorization-url.ts

@@ -1,7 +1,7 @@
-import * as checks from "./checks.js"
 import * as o from "oauth4webapi"
 
 import type {
+  CookiesOptions,
   InternalOptions,
   RequestInternal,
   ResponseInternal,
@@ -22,8 +22,7 @@ export async function getAuthorizationUrl(
   let url = provider.authorization?.url
   let as: o.AuthorizationServer | undefined
 
-  // Falls back to authjs.dev if the user only passed params
-  if (!url || url.host === "authjs.dev") {
+  if (!url) {
     // If url is undefined, we assume that issuer is always defined
     // We check this in assert.ts
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
@@ -49,19 +48,19 @@ export async function getAuthorizationUrl(
       redirect_uri: provider.callbackUrl,
       // @ts-expect-error TODO:
       ...provider.authorization?.params,
-    },
-    Object.fromEntries(provider.authorization?.url.searchParams ?? []),
-    query
+    }, // Defaults
+    Object.fromEntries(authParams), // From provider config
+    query // From `signIn` call
   )
 
   for (const k in params) authParams.set(k, params[k])
 
   const cookies: Cookie[] = []
 
-  const state = await checks.state.create(options)
-  if (state) {
-    authParams.set("state", state.value)
-    cookies.push(state.cookie)
+  if (provider.checks?.includes("state")) {
+    const { value, raw } = await createState(options)
+    authParams.set("state", raw)
+    cookies.push(value)
   }
 
   if (provider.checks?.includes("pkce")) {
@@ -70,17 +69,17 @@ export async function getAuthorizationUrl(
       // a random `nonce` must be used for CSRF protection.
       provider.checks = ["nonce"]
     } else {
-      const { value, cookie } = await checks.pkce.create(options)
-      authParams.set("code_challenge", value)
+      const { code_challenge, pkce } = await createPKCE(options)
+      authParams.set("code_challenge", code_challenge)
       authParams.set("code_challenge_method", "S256")
-      cookies.push(cookie)
+      cookies.push(pkce)
     }
   }
 
-  const nonce = await checks.nonce.create(options)
-  if (nonce) {
+  if (provider.checks?.includes("nonce")) {
+    const nonce = await createNonce(options)
     authParams.set("nonce", nonce.value)
-    cookies.push(nonce.cookie)
+    cookies.push(nonce)
   }
 
   // TODO: This does not work in normalizeOAuth because authorization endpoint can come from discovery
@@ -92,3 +91,52 @@ export async function getAuthorizationUrl(
   logger.debug("authorization url is ready", { url, cookies, provider })
   return { redirect: url, cookies }
 }
+
+/** Returns a signed cookie. */
+export async function signCookie(
+  type: keyof CookiesOptions,
+  value: string,
+  maxAge: number,
+  options: InternalOptions<"oauth">
+): Promise<Cookie> {
+  const { cookies, jwt, logger } = options
+
+  logger.debug(`CREATE_${type.toUpperCase()}`, { value, maxAge })
+
+  const expires = new Date()
+  expires.setTime(expires.getTime() + maxAge * 1000)
+  return {
+    name: cookies[type].name,
+    value: await jwt.encode({ ...jwt, maxAge, token: { value } }),
+    options: { ...cookies[type].options, expires },
+  }
+}
+
+const STATE_MAX_AGE = 60 * 15 // 15 minutes in seconds
+async function createState(options: InternalOptions<"oauth">) {
+  const raw = o.generateRandomState()
+  const maxAge = STATE_MAX_AGE
+  const value = await signCookie("state", raw, maxAge, options)
+  return { value, raw }
+}
+
+const PKCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
+async function createPKCE(options: InternalOptions<"oauth">) {
+  const code_verifier = o.generateRandomCodeVerifier()
+  const code_challenge = await o.calculatePKCECodeChallenge(code_verifier)
+  const maxAge = PKCE_MAX_AGE
+  const pkce = await signCookie(
+    "pkceCodeVerifier",
+    code_verifier,
+    maxAge,
+    options
+  )
+  return { code_challenge, pkce }
+}
+
+const NONCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
+async function createNonce(options: InternalOptions<"oauth">) {
+  const raw = o.generateRandomNonce()
+  const maxAge = NONCE_MAX_AGE
+  return await signCookie("nonce", raw, maxAge, options)
+}

packages/core/src/lib/oauth/callback.ts

@@ -1,6 +1,8 @@
-import * as checks from "./checks.js"
 import * as o from "oauth4webapi"
 import { OAuthCallbackError, OAuthProfileParseError } from "../../errors.js"
+import { useNonce } from "./nonce-handler.js"
+import { usePKCECodeVerifier } from "./pkce-handler.js"
+import { useState } from "./state-handler.js"
 
 import type {
   InternalOptions,
@@ -29,12 +31,7 @@ export async function handleOAuth(
   const { logger, provider } = options
   let as: o.AuthorizationServer
 
-  const { token, userinfo } = provider
-  // Falls back to authjs.dev if the user only passed params
-  if (
-    (!token?.url || token.url.host === "authjs.dev") &&
-    (!userinfo?.url || userinfo.url.host === "authjs.dev")
-  ) {
+  if (!provider.token?.url && !provider.userinfo?.url) {
     // We assume that issuer is always defined as this has been asserted earlier
     // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
     const issuer = new URL(provider.issuer!)
@@ -57,9 +54,9 @@ export async function handleOAuth(
     as = discoveredAs
   } else {
     as = {
-      issuer: provider.issuer ?? "https://authjs.dev", // TODO: review fallback issuer
-      token_endpoint: token?.url.toString(),
-      userinfo_endpoint: userinfo?.url.toString(),
+      issuer: provider.issuer ?? "https://a", // TODO: review fallback issuer
+      token_endpoint: provider.token?.url.toString(),
+      userinfo_endpoint: provider.userinfo?.url.toString(),
     }
   }
 
@@ -71,7 +68,7 @@ export async function handleOAuth(
 
   const resCookies: Cookie[] = []
 
-  const state = await checks.state.use(cookies, resCookies, options)
+  const state = await useState(cookies, resCookies, options)
 
   const parameters = o.validateAuthResponse(
     as,
@@ -89,7 +86,7 @@ export async function handleOAuth(
     throw new OAuthCallbackError(parameters.error)
   }
 
-  const codeVerifier = await checks.pkce.use(
+  const codeVerifier = await usePKCECodeVerifier(
     cookies?.[options.cookies.pkceCodeVerifier.name],
     options
   )
@@ -97,15 +94,12 @@ export async function handleOAuth(
   if (codeVerifier) resCookies.push(codeVerifier.cookie)
 
   // TODO:
-  const nonce = await checks.nonce.use(
-    cookies?.[options.cookies.nonce.name],
-    options
-  )
+  const nonce = await useNonce(cookies?.[options.cookies.nonce.name], options)
   if (nonce && provider.type === "oidc") {
     resCookies.push(nonce.cookie)
   }
 
-  let codeGrantResponse = await o.authorizationCodeGrantRequest(
+  const codeGrantResponse = await o.authorizationCodeGrantRequest(
     as,
     client,
     parameters,
@@ -113,12 +107,6 @@ export async function handleOAuth(
     codeVerifier?.codeVerifier ?? "auth" // TODO: review fallback code verifier
   )
 
-  if (provider.token?.conform) {
-    codeGrantResponse =
-      (await provider.token.conform(codeGrantResponse.clone())) ??
-      codeGrantResponse
-  }
-
   let challenges: o.WWWAuthenticateChallenge[] | undefined
   if ((challenges = o.parseWwwAuthenticateChallenges(codeGrantResponse))) {
     for (const challenge of challenges) {
@@ -155,9 +143,9 @@ export async function handleOAuth(
       throw new Error("TODO: Handle OAuth 2.0 response body error")
     }
 
-    if (userinfo?.request) {
-      profile = await userinfo.request({ tokens, provider })
-    } else if (userinfo?.url) {
+    if (provider.userinfo?.request) {
+      profile = await provider.userinfo.request({ tokens, provider })
+    } else if (provider.userinfo?.url) {
       const userinfoResponse = await o.userInfoRequest(
         as,
         client,

packages/core/src/lib/oauth/checks.ts

@@ -1,155 +0,0 @@
-import * as o from "oauth4webapi"
-import * as jwt from "../../jwt.js"
-
-import type {
-  InternalOptions,
-  RequestInternal,
-  CookiesOptions,
-} from "../../types.js"
-import type { Cookie } from "../cookie.js"
-
-import { InvalidState } from "../../errors.js"
-
-/** Returns a signed cookie. */
-export async function signCookie(
-  type: keyof CookiesOptions,
-  value: string,
-  maxAge: number,
-  options: InternalOptions<"oauth">
-): Promise<Cookie> {
-  const { cookies, logger } = options
-
-  logger.debug(`CREATE_${type.toUpperCase()}`, { value, maxAge })
-
-  const expires = new Date()
-  expires.setTime(expires.getTime() + maxAge * 1000)
-  return {
-    name: cookies[type].name,
-    value: await jwt.encode({ ...options.jwt, maxAge, token: { value } }),
-    options: { ...cookies[type].options, expires },
-  }
-}
-
-const PKCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
-export const pkce = {
-  async create(options: InternalOptions<"oauth">) {
-    const code_verifier = o.generateRandomCodeVerifier()
-    const value = await o.calculatePKCECodeChallenge(code_verifier)
-    const maxAge = PKCE_MAX_AGE
-    const cookie = await signCookie(
-      "pkceCodeVerifier",
-      code_verifier,
-      maxAge,
-      options
-    )
-    return { cookie, value }
-  },
-
-  /**
-   * Returns code_verifier if provider uses PKCE,
-   * and clears the container cookie afterwards.
-   */
-  async use(
-    codeVerifier: string | undefined,
-    options: InternalOptions<"oauth">
-  ): Promise<{ codeVerifier: string; cookie: Cookie } | undefined> {
-    const { cookies, provider } = options
-
-    if (!provider?.checks?.includes("pkce") || !codeVerifier) {
-      return
-    }
-
-    const pkce = (await jwt.decode({
-      ...options.jwt,
-      token: codeVerifier,
-    })) as any
-
-    return {
-      codeVerifier: pkce?.value ?? undefined,
-      cookie: {
-        name: cookies.pkceCodeVerifier.name,
-        value: "",
-        options: { ...cookies.pkceCodeVerifier.options, maxAge: 0 },
-      },
-    }
-  },
-}
-
-const STATE_MAX_AGE = 60 * 15 // 15 minutes in seconds
-export const state = {
-  async create(options: InternalOptions<"oauth">) {
-    if (!options.provider.checks.includes("state")) return
-    // TODO: support customizing the state
-    const value = o.generateRandomState()
-    const maxAge = STATE_MAX_AGE
-    const cookie = await signCookie("state", value, maxAge, options)
-    return { cookie, value }
-  },
-  /**
-   * Returns state from the saved cookie
-   * if the provider supports states,
-   * and clears the container cookie afterwards.
-   */
-  async use(
-    cookies: RequestInternal["cookies"],
-    resCookies: Cookie[],
-    options: InternalOptions<"oauth">
-  ): Promise<string | undefined> {
-    const { provider, jwt } = options
-    if (!provider.checks.includes("state")) return
-
-    const state = cookies?.[options.cookies.state.name]
-
-    if (!state) throw new InvalidState("State was missing from the cookies.")
-
-    // IDEA: Let the user do something with the returned state
-    const value = (await jwt.decode({ ...options.jwt, token: state })) as any
-
-    if (!value?.value) throw new InvalidState("Could not parse state cookie.")
-
-    // Clear the state cookie after use
-    resCookies.push({
-      name: options.cookies.state.name,
-      value: "",
-      options: { ...options.cookies.state.options, maxAge: 0 },
-    })
-
-    return value.value
-  },
-}
-
-const NONCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
-export const nonce = {
-  async create(options: InternalOptions<"oauth">) {
-    if (!options.provider.checks.includes("nonce")) return
-    const value = o.generateRandomNonce()
-    const maxAge = NONCE_MAX_AGE
-    const cookie = await signCookie("nonce", value, maxAge, options)
-    return { cookie, value }
-  },
-  /**
-   * Returns nonce from if the provider supports nonce,
-   * and clears the container cookie afterwards.
-   */
-  async use(
-    nonce: string | undefined,
-    options: InternalOptions<"oauth">
-  ): Promise<{ value: string; cookie: Cookie } | undefined> {
-    const { cookies, provider } = options
-
-    if (!provider?.checks?.includes("nonce") || !nonce) {
-      return
-    }
-
-    const value = (await jwt.decode({ ...options.jwt, token: nonce })) as any
-
-    return {
-      value: value?.value ?? undefined,
-      cookie: {
-        name: cookies.nonce.name,
-        value: "",
-        options: { ...cookies.nonce.options, maxAge: 0 },
-      },
-    }
-  },
-}

packages/core/src/lib/oauth/nonce-handler.ts

@@ -0,0 +1,77 @@
+import * as o from "oauth4webapi"
+import * as jwt from "../../jwt.js"
+
+import type { InternalOptions } from "../../types.js"
+import type { Cookie } from "../cookie.js"
+
+const NONCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
+
+/**
+ * Returns nonce if the provider supports it
+ * and saves it in a cookie
+ */
+export async function createNonce(options: InternalOptions<"oauth">): Promise<
+  | undefined
+  | {
+      value: string
+      cookie: Cookie
+    }
+> {
+  const { cookies, logger, provider } = options
+  if (!provider.checks?.includes("nonce")) {
+    // Provider does not support nonce, return nothing.
+    return
+  }
+
+  const nonce = o.generateRandomNonce()
+
+  const expires = new Date()
+  expires.setTime(expires.getTime() + NONCE_MAX_AGE * 1000)
+
+  // Encrypt nonce and save it to an encrypted cookie
+  const encryptedNonce = await jwt.encode({
+    ...options.jwt,
+    maxAge: NONCE_MAX_AGE,
+    token: { nonce },
+  })
+
+  logger.debug("CREATE_ENCRYPTED_NONCE", {
+    nonce,
+    maxAge: NONCE_MAX_AGE,
+  })
+
+  return {
+    cookie: {
+      name: cookies.nonce.name,
+      value: encryptedNonce,
+      options: { ...cookies.nonce.options, expires },
+    },
+    value: nonce,
+  }
+}
+
+/**
+ * Returns nonce from if the provider supports nonce,
+ * and clears the container cookie afterwards.
+ */
+export async function useNonce(
+  nonce: string | undefined,
+  options: InternalOptions<"oauth">
+): Promise<{ value: string; cookie: Cookie } | undefined> {
+  const { cookies, provider } = options
+
+  if (!provider?.checks?.includes("nonce") || !nonce) {
+    return
+  }
+
+  const value = (await jwt.decode({ ...options.jwt, token: nonce })) as any
+
+  return {
+    value: value?.value ?? undefined,
+    cookie: {
+      name: cookies.nonce.name,
+      value: "",
+      options: { ...cookies.nonce.options, maxAge: 0 },
+    },
+  }
+}

packages/core/src/lib/oauth/pkce-handler.ts

@@ -0,0 +1,87 @@
+import * as o from "oauth4webapi"
+import * as jwt from "../../jwt.js"
+
+import type { InternalOptions } from "../../types.js"
+import type { Cookie } from "../cookie.js"
+
+const PKCE_CODE_CHALLENGE_METHOD = "S256"
+const PKCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
+
+/**
+ * Returns `code_challenge` and `code_challenge_method`
+ * and saves them in a cookie.
+ */
+export async function createPKCE(options: InternalOptions<"oauth">): Promise<
+  | undefined
+  | {
+      code_challenge: string
+      code_challenge_method: "S256"
+      cookie: Cookie
+    }
+> {
+  const { cookies, logger, provider } = options
+  if (!provider.checks?.includes("pkce")) {
+    // Provider does not support PKCE, return nothing.
+    return
+  }
+  const code_verifier = o.generateRandomCodeVerifier()
+  const code_challenge = await o.calculatePKCECodeChallenge(code_verifier)
+
+  const maxAge = cookies.pkceCodeVerifier.options.maxAge ?? PKCE_MAX_AGE
+
+  const expires = new Date()
+  expires.setTime(expires.getTime() + maxAge * 1000)
+
+  // Encrypt code_verifier and save it to an encrypted cookie
+  const encryptedCodeVerifier = await jwt.encode({
+    ...options.jwt,
+    maxAge,
+    token: { code_verifier },
+  })
+
+  logger.debug("CREATE_PKCE_CHALLENGE_VERIFIER", {
+    code_challenge,
+    code_challenge_method: PKCE_CODE_CHALLENGE_METHOD,
+    code_verifier,
+    maxAge,
+  })
+
+  return {
+    code_challenge,
+    code_challenge_method: PKCE_CODE_CHALLENGE_METHOD,
+    cookie: {
+      name: cookies.pkceCodeVerifier.name,
+      value: encryptedCodeVerifier,
+      options: { ...cookies.pkceCodeVerifier.options, expires },
+    },
+  }
+}
+
+/**
+ * Returns code_verifier if provider uses PKCE,
+ * and clears the container cookie afterwards.
+ */
+export async function usePKCECodeVerifier(
+  codeVerifier: string | undefined,
+  options: InternalOptions<"oauth">
+): Promise<{ codeVerifier: string; cookie: Cookie } | undefined> {
+  const { cookies, provider } = options
+
+  if (!provider?.checks?.includes("pkce") || !codeVerifier) {
+    return
+  }
+
+  const pkce = (await jwt.decode({
+    ...options.jwt,
+    token: codeVerifier,
+  })) as any
+
+  return {
+    codeVerifier: pkce?.value ?? undefined,
+    cookie: {
+      name: cookies.pkceCodeVerifier.name,
+      value: "",
+      options: { ...cookies.pkceCodeVerifier.options, maxAge: 0 },
+    },
+  }
+}

packages/core/src/lib/oauth/state-handler.ts

@@ -0,0 +1,72 @@
+import * as o from "oauth4webapi"
+import type { InternalOptions, RequestInternal } from "../../types.js"
+import type { Cookie } from "../cookie.js"
+import { InvalidState } from "../../errors.js"
+
+const STATE_MAX_AGE = 60 * 15 // 15 minutes in seconds
+
+/** Returns state if the provider supports it */
+export async function createState(
+  options: InternalOptions<"oauth">
+): Promise<{ cookie: Cookie; value: string } | undefined> {
+  const { logger, provider, jwt, cookies } = options
+
+  if (!provider.checks?.includes("state")) {
+    // Provider does not support state, return nothing
+    return
+  }
+
+  const state = o.generateRandomState()
+  const maxAge = cookies.state.options.maxAge ?? STATE_MAX_AGE
+
+  const encodedState = await jwt.encode({
+    ...jwt,
+    maxAge,
+    token: { state },
+  })
+
+  logger.debug("CREATE_STATE", { state, maxAge })
+
+  const expires = new Date()
+  expires.setTime(expires.getTime() + maxAge * 1000)
+  return {
+    value: state,
+    cookie: {
+      name: cookies.state.name,
+      value: encodedState,
+      options: { ...cookies.state.options, expires },
+    },
+  }
+}
+
+/**
+ * Returns state from the saved cookie
+ * if the provider supports states,
+ * and clears the container cookie afterwards.
+ */
+export async function useState(
+  cookies: RequestInternal["cookies"],
+  resCookies: Cookie[],
+  options: InternalOptions<"oauth">
+): Promise<string | undefined> {
+  const { provider, jwt } = options
+  if (!provider.checks.includes("state")) return
+
+  const state = cookies?.[options.cookies.state.name]
+
+  if (!state) throw new InvalidState("State was missing from the cookies.")
+
+  // IDEA: Let the user do something with the returned state
+  const value = (await jwt.decode({ ...options.jwt, token: state })) as any
+
+  if (!value?.value) throw new InvalidState("Could not parse state cookie.")
+
+  // Clear the state cookie after use
+  resCookies.push({
+    name: options.cookies.state.name,
+    value: "",
+    options: { ...options.cookies.state.options, maxAge: 0 },
+  })
+
+  return value.value
+}

packages/core/src/lib/pages/error.tsx

@@ -97,8 +97,8 @@ export default function ErrorPage(props: ErrorProps) {
             }}
           />
         )}
+        {theme?.logo && <img src={theme.logo} alt="Logo" className="logo" />}
         <div className="card">
-          {theme?.logo && <img src={theme?.logo} alt="Logo" className="logo" />}
           <h1>{heading}</h1>
           <div className="message">{message}</div>
           {signin}

packages/core/src/lib/pages/signin.tsx

@@ -47,19 +47,14 @@ export default function SigninPage(props: {
     )
   }
 
-  if (typeof document !== "undefined" && theme.buttonText) {
-    document.documentElement.style.setProperty(
-      "--button-text-color",
-      theme.buttonText
-    )
-  }
-
   const error =
     errorType &&
     (signinErrors[errorType.toLowerCase() as Lowercase<SignInPageErrorParam>] ??
       signinErrors.default)
 
-  const logos = "https://authjs.dev/img/providers"
+  // TODO: move logos
+  const logos =
+    "https://raw.githubusercontent.com/nextauthjs/next-auth/main/packages/next-auth/provider-logos"
   return (
     <div className="signin">
       {theme.brandColor && (
@@ -69,17 +64,7 @@ export default function SigninPage(props: {
           }}
         />
       )}
-      {theme.buttonText && (
-        <style
-          dangerouslySetInnerHTML={{
-            __html: `
-        :root {
-          --button-text-color: ${theme.buttonText}
-        }
-      `,
-          }}
-        />
-      )}
+      {theme.logo && <img src={theme.logo} alt="Logo" className="logo" />}
       <div className="card">
         {error && (
           <div className="error">
@@ -102,14 +87,10 @@ export default function SigninPage(props: {
                     "--provider-dark-bg": provider.style?.bgDark ?? "",
                     "--provider-color": provider.style?.text ?? "",
                     "--provider-dark-color": provider.style?.textDark ?? "",
-                    gap: 8,
                   }}
                 >
                   {provider.style?.logo && (
                     <img
-                      loading="lazy"
-                      height={24}
-                      width={24}
                       id="provider-logo"
                       src={`${
                         provider.style.logo.startsWith("/") ? logos : ""
@@ -118,9 +99,6 @@ export default function SigninPage(props: {
                   )}
                   {provider.style?.logoDark && (
                     <img
-                      loading="lazy"
-                      height={24}
-                      width={24}
                       id="provider-logo-dark"
                       src={`${
                         provider.style.logo.startsWith("/") ? logos : ""
@@ -180,9 +158,7 @@ export default function SigninPage(props: {
                     </div>
                   )
                 })}
-                <button id="submitButton" type="submit">
-                  Sign in with {provider.name}
-                </button>
+                <button type="submit">Sign in with {provider.name}</button>
               </form>
             )}
             {(provider.type === "email" || provider.type === "credentials") &&

packages/core/src/lib/pages/signout.tsx

@@ -22,26 +22,13 @@ export default function SignoutPage(props: SignoutProps) {
           }}
         />
       )}
-      {theme.buttonText && (
-        <style
-          dangerouslySetInnerHTML={{
-            __html: `
-        :root {
-          --button-text-color: ${theme.buttonText}
-        }
-      `,
-          }}
-        />
-      )}
+      {theme.logo && <img src={theme.logo} alt="Logo" className="logo" />}
       <div className="card">
-        {theme.logo && <img src={theme.logo} alt="Logo" className="logo" />}
         <h1>Signout</h1>
         <p>Are you sure you want to sign out?</p>
         <form action={`${url}/signout`} method="POST">
           <input type="hidden" name="csrfToken" value={csrfToken} />
-          <button id="submitButton" type="submit">
-            Sign out
-          </button>
+          <button type="submit">Sign out</button>
         </form>
       </div>
     </div>

packages/core/src/lib/pages/styles.css

@@ -8,8 +8,7 @@
 
 .__next-auth-theme-auto,
 .__next-auth-theme-light {
-  --color-background: #ececec;
-  --color-background-card: #fff;
+  --color-background: #fff;
   --color-text: #000;
   --color-primary: #444;
   --color-control-border: #bbb;
@@ -19,8 +18,7 @@
 }
 
 .__next-auth-theme-dark {
-  --color-background: #161b22;
-  --color-background-card: #0d1117;
+  --color-background: #000;
   --color-text: #fff;
   --color-primary: #ccc;
   --color-control-border: #555;
@@ -31,8 +29,7 @@
 
 @media (prefers-color-scheme: dark) {
   .__next-auth-theme-auto {
-    --color-background: #161b22;
-    --color-background-card: #0d1117;
+    --color-background: #000;
     --color-text: #fff;
     --color-primary: #ccc;
     --color-control-border: #555;
@@ -81,9 +78,10 @@ input[type] {
   width: 100%;
   padding: 0.5rem 1rem;
   border: var(--border-width) solid var(--color-control-border);
-  background: var(--color-background-card);
+  background: var(--color-background);
   font-size: 1rem;
   border-radius: var(--border-radius);
+  box-shadow: inset 0 0.1rem 0.2rem rgba(0, 0, 0, 0.2);
   color: var(--color-text);
 
   &:focus {
@@ -109,39 +107,41 @@ a.button {
   }
 }
 
-button span {
-  flex-grow: 1;
-}
-
 button,
 a.button {
   margin: 0 0 0.75rem 0;
   padding: 0.75rem 1rem;
   color: var(--provider-color, var(--color-primary));
-  background-color: var(--provider-bg, var(--color-background-card));
+  background-color: var(--provider-bg, var(--color-background));
   font-size: 1.1rem;
   min-height: 62px;
   border-color: rgba(0, 0, 0, 0.1);
   border-radius: var(--border-radius);
   transition: all 0.1s ease-in-out;
+  box-shadow: #000 0px 0px 0px 0px, #000 0px 0px 0px 0px,
+    rgba(0, 0, 0, 0.2) 0px 10px 15px -3px, rgba(0, 0, 0, 0.1) 0px 4px 6px -4px;
   font-weight: 500;
   position: relative;
   display: flex;
   align-items: center;
   justify-content: center;
 
-  @media (max-width: 450px) {
-    font-size: 0.9rem;
+  &:has(img) {
+    justify-content: unset;
+    span {
+      flex-grow: 1;
+    }
   }
-
   &:hover {
     cursor: pointer;
   }
   &:active {
+    box-shadow: 0 0.15rem 0.3rem rgba(0, 0, 0, 0.15),
+      inset 0 0.1rem 0.2rem var(--color-background),
+      inset 0 -0.1rem 0.1rem rgba(0, 0, 0, 0.1);
     cursor: pointer;
   }
   #provider-logo {
-    width: 25px;
     display: block;
   }
   #provider-logo-dark {
@@ -149,23 +149,20 @@ a.button {
   }
 }
 
-#submitButton {
-  color: var(--button-text-color, var(--color-info-text));
-  background-color: var(--brand-color, var(--color-info));
-  width: 100%;
-}
-
 @media (prefers-color-scheme: dark) {
   button,
   a.button {
     color: var(--provider-dark-color, var(--color-primary));
     background-color: var(--provider-dark-bg, var(--color-background));
+    border: 1px solid #0d0d0d;
+    box-shadow: #000 0px 0px 0px 0px, #ccc 0px 0px 0px 0px,
+      rgba(255, 255, 255, 0.01) 0px 5px 5px -3px,
+      rgba(255, 255, 255, 0.05) 0px 4px 6px -4px;
   }
   #provider-logo {
     display: none !important;
   }
   #provider-logo-dark {
-    width: 25px;
     display: block !important;
   }
 }
@@ -192,6 +189,7 @@ a.site {
 
   > div {
     text-align: center;
+    padding: 0.5rem;
   }
 }
 
@@ -219,16 +217,16 @@ a.site {
     display: block;
     border: 0;
     border-top: 1px solid var(--color-seperator);
-    margin: 2rem auto 1rem auto;
+    margin: 1.5em auto 0 auto;
     overflow: visible;
 
     &::before {
       content: "or";
-      background: var(--color-background-card);
+      background: var(--color-background);
       color: #888;
       padding: 0 0.4rem;
       position: relative;
-      top: -0.7rem;
+      top: -0.6rem;
     }
   }
 
@@ -236,7 +234,7 @@ a.site {
     background: #f5f5f5;
     font-weight: 500;
     border-radius: 0.3rem;
-    background: var(--color-error);
+    background: var(--color-info);
 
     p {
       text-align: left;
@@ -262,26 +260,25 @@ a.site {
     max-width: 300px;
   }
 }
+.signout {
+  .message {
+    margin-bottom: 1.5rem;
+  }
+}
 
 .logo {
   display: inline-block;
-  max-width: 150px;
-  margin-top: 20px;
-  margin-bottom: 25px;
-  max-height: 70px;
+  margin-top: 100px;
+  max-width: 300px;
+  max-height: 150px;
 }
 
 .card {
-  @media screen and (min-width: 450px) {
-    width: 350px;
-  }
-  @media screen and (max-width: 450px) {
-    width: 200px;
-  }
-  margin: 20px 0 20px 0;
-  background-color: var(--color-background-card);
-  border-radius: 30px;
+  max-width: max-content;
+  border: 1px solid var(--color-control-border);
+  border-radius: 5px;
   padding: 20px 50px;
+  margin: 50px auto;
 
   .header {
     color: var(--color-primary);
@@ -289,5 +286,5 @@ a.site {
 }
 
 .section-header {
-  color: var(--color-text);
+  color: var(--brand-color, var(--color-text));
 }

packages/core/src/lib/pages/verify-request.tsx

@@ -21,8 +21,8 @@ export default function VerifyRequestPage(props: VerifyRequestPageProps) {
           }}
         />
       )}
+      {theme.logo && <img src={theme.logo} alt="Logo" className="logo" />}
       <div className="card">
-        {theme.logo && <img src={theme.logo} alt="Logo" className="logo" />}
         <h1>Check your email</h1>
         <p>A sign in link has been sent to your email address.</p>
         <p>

packages/core/src/lib/providers.ts

@@ -45,11 +45,11 @@ export default function parseProviders(params: {
   }
 }
 
-// TODO: Also add discovery here, if some endpoints/config are missing.
-// We should return both a client and authorization server config.
 function normalizeOAuth(
-  c: OAuthConfig<any> | OAuthUserConfig<any>
+  c?: OAuthConfig<any> | OAuthUserConfig<any>
 ): OAuthConfigInternal<any> | {} {
+  if (!c) return {}
+
   if (c.issuer) c.wellKnown ??= `${c.issuer}/.well-known/openid-configuration`
 
   const authorization = normalizeEndpoint(c.authorization, c.issuer)
@@ -84,21 +84,18 @@ function normalizeEndpoint(
   e?: OAuthConfig<any>[OAuthEndpointType],
   issuer?: string
 ): OAuthConfigInternal<any>[OAuthEndpointType] {
-  if (!e && issuer) return
+  if (!e || issuer) return
   if (typeof e === "string") {
     return { url: new URL(e) }
   }
-  // If e.url is undefined, it's because the provider config
+  // If v.url is undefined, it's because the provider config
   // assumes that we will use the issuer endpoint.
-  // The existence of either e.url or provider.issuer is checked in
-  // assert.ts. We fallback to "https://authjs.dev" to be able to pass around
-  // a valid URL even if the user only provided params.
-  // NOTE: This need to be checked when constructing the URL
-  // for the authorization, token and userinfo endpoints.
-  const url = new URL(e?.url ?? "https://authjs.dev")
-  for (const k in e?.params) {
-    if (e?.params && k === "claims") e.params[k] = JSON.stringify(e.params[k])
-    url.searchParams.set(k, e?.params[k])
-  }
-  return { url, request: e?.request, conform: e?.conform }
+  // The existence of either v.url or provider.issuer is checked in
+  // assert.ts
+  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+  const url = new URL(e.url!)
+  // eslint-disable-next-line @typescript-eslint/no-unnecessary-type-assertion
+  for (const k in e.params) url.searchParams.set(k, e.params[k] as any)
+
+  return { ...e, url }
 }

packages/core/src/lib/routes/callback.ts

@@ -2,14 +2,13 @@ import { handleLogin } from "../callback-handler.js"
 import { CallbackRouteError, Verification } from "../../errors.js"
 import { handleOAuth } from "../oauth/callback.js"
 import { createHash } from "../web.js"
-import { getAdapterUserFromEmail, handleAuthorized } from "./shared.js"
+import { handleAuthorized } from "./shared.js"
 
 import type { AdapterSession } from "../../adapters.js"
 import type {
   RequestInternal,
   ResponseInternal,
   InternalOptions,
-  Account,
 } from "../../types.js"
 import type { Cookie, SessionStore } from "../cookie.js"
 
@@ -111,22 +110,17 @@ export async function callback(params: {
           isNewUser,
         })
 
-        // Clear cookies if token is null
-        if (token === null) {
-          cookies.push(...sessionStore.clean())
-        } else {
-          // Encode token
-          const newToken = await jwt.encode({ ...jwt, token })
+        // Encode token
+        const newToken = await jwt.encode({ ...jwt, token })
 
-          // Set cookie expiry date
-          const cookieExpires = new Date()
-          cookieExpires.setTime(cookieExpires.getTime() + sessionMaxAge * 1000)
+        // Set cookie expiry date
+        const cookieExpires = new Date()
+        cookieExpires.setTime(cookieExpires.getTime() + sessionMaxAge * 1000)
 
-          const sessionCookies = sessionStore.chunk(newToken, {
-            expires: cookieExpires,
-          })
-          cookies.push(...sessionCookies)
-        }
+        const sessionCookies = sessionStore.chunk(newToken, {
+          expires: cookieExpires,
+        })
+        cookies.push(...sessionCookies)
       } else {
         // Save Session Token in cookie
         cookies.push({
@@ -181,60 +175,55 @@ export async function callback(params: {
       if (invalidInvite) throw new Verification({ hasInvite, expired })
 
       // @ts-expect-error -- Verified in `assertConfig`.
-      const user = await getAdapterUserFromEmail(identifier, adapter)
+      const profile = await getAdapterUserFromEmail(identifier, adapter)
 
-      const account: Account = {
-        providerAccountId: user.email,
-        userId: user.id,
+      const account = {
+        providerAccountId: profile.email,
         type: "email" as const,
         provider: provider.id,
       }
 
       // Check if user is allowed to sign in
       const unauthorizedOrError = await handleAuthorized(
-        { user, account },
+        { user: profile, account },
         options
       )
 
       if (unauthorizedOrError) return { ...unauthorizedOrError, cookies }
 
       // Sign user in
-      const {
-        user: loggedInUser,
-        session,
-        isNewUser,
-      } = await handleLogin(sessionStore.value, user, account, options)
+      const { user, session, isNewUser } = await handleLogin(
+        sessionStore.value,
+        profile,
+        account,
+        options
+      )
 
       if (useJwtSession) {
         const defaultToken = {
-          name: loggedInUser.name,
-          email: loggedInUser.email,
-          picture: loggedInUser.image,
-          sub: loggedInUser.id?.toString(),
+          name: user.name,
+          email: user.email,
+          picture: user.image,
+          sub: user.id?.toString(),
         }
         const token = await callbacks.jwt({
           token: defaultToken,
-          user: loggedInUser,
+          user,
           account,
           isNewUser,
         })
 
-        // Clear cookies if token is null
-        if (token === null) {
-          cookies.push(...sessionStore.clean())
-        } else {
-          // Encode token
-          const newToken = await jwt.encode({ ...jwt, token })
+        // Encode token
+        const newToken = await jwt.encode({ ...jwt, token })
 
-          // Set cookie expiry date
-          const cookieExpires = new Date()
-          cookieExpires.setTime(cookieExpires.getTime() + sessionMaxAge * 1000)
+        // Set cookie expiry date
+        const cookieExpires = new Date()
+        cookieExpires.setTime(cookieExpires.getTime() + sessionMaxAge * 1000)
 
-          const sessionCookies = sessionStore.chunk(newToken, {
-            expires: cookieExpires,
-          })
-          cookies.push(...sessionCookies)
-        }
+        const sessionCookies = sessionStore.chunk(newToken, {
+          expires: cookieExpires,
+        })
+        cookies.push(...sessionCookies)
       } else {
         // Save Session Token in cookie
         cookies.push({
@@ -247,7 +236,7 @@ export async function callback(params: {
         })
       }
 
-      await events.signIn?.({ user: loggedInUser, account, isNewUser })
+      await events.signIn?.({ user, account, isNewUser })
 
       // Handle first logins on new accounts
       // e.g. option to send users to a new account landing page on initial login
@@ -315,23 +304,18 @@ export async function callback(params: {
         isNewUser: false,
       })
 
-      // Clear cookies if token is null
-      if (token === null) {
-        cookies.push(...sessionStore.clean())
-      } else {
-        // Encode token
-        const newToken = await jwt.encode({ ...jwt, token })
+      // Encode token
+      const newToken = await jwt.encode({ ...jwt, token })
 
-        // Set cookie expiry date
-        const cookieExpires = new Date()
-        cookieExpires.setTime(cookieExpires.getTime() + sessionMaxAge * 1000)
+      // Set cookie expiry date
+      const cookieExpires = new Date()
+      cookieExpires.setTime(cookieExpires.getTime() + sessionMaxAge * 1000)
 
-        const sessionCookies = sessionStore.chunk(newToken, {
-          expires: cookieExpires,
-        })
+      const sessionCookies = sessionStore.chunk(newToken, {
+        expires: cookieExpires,
+      })
 
-        cookies.push(...sessionCookies)
-      }
+      cookies.push(...sessionCookies)
 
       // @ts-expect-error
       await events.signIn?.({ user, account })

packages/core/src/lib/routes/session.ts

@@ -48,32 +48,27 @@ export async function session(
 
       // @ts-expect-error
       const token = await callbacks.jwt({ token: decodedToken })
+      // @ts-expect-error
+      const newSession = await callbacks.session({ session, token })
 
-      if (token !== null) {
-        // @ts-expect-error
-        const newSession = await callbacks.session({ session, token })
+      // Return session payload as response
+      response.body = newSession
 
-        // Return session payload as response
-        response.body = newSession
+      // Refresh JWT expiry by re-signing it, with an updated expiry date
+      const newToken = await jwt.encode({
+        ...jwt,
+        token,
+        maxAge: options.session.maxAge,
+      })
 
-        // Refresh JWT expiry by re-signing it, with an updated expiry date
-        const newToken = await jwt.encode({
-          ...jwt,
-          token,
-          maxAge: options.session.maxAge,
-        })
+      // Set cookie, to also update expiry date on cookie
+      const sessionCookies = sessionStore.chunk(newToken, {
+        expires: newExpires,
+      })
 
-        // Set cookie, to also update expiry date on cookie
-        const sessionCookies = sessionStore.chunk(newToken, {
-          expires: newExpires,
-        })
+      response.cookies?.push(...sessionCookies)
 
-        response.cookies?.push(...sessionCookies)
-
-        await events.session?.({ session: newSession, token })
-      } else {
-        response.cookies?.push(...sessionStore.clean())
-      } 
+      await events.session?.({ session: newSession, token })
     } catch (e) {
       logger.error(new JWTSessionError(e as Error))
       // If the JWT is not verifiable remove the broken session cookie(s).

packages/core/src/lib/routes/signin.ts

@@ -33,7 +33,7 @@ export async function signin(
 
       const account: Account = {
         providerAccountId: email,
-        userId: user.id,
+        userId: email,
         type: "email",
         provider: provider.id,
       }

packages/core/src/lib/utils/logger.ts

@@ -1,6 +1,6 @@
 import { AuthError } from "../../errors.js"
 
-export type WarningCode = "debug-enabled" | "csrf-disabled"
+export type WarningCode = "debug_enabled"
 
 /**
  * Override any of the methods, and the rest will use the default logger.
@@ -38,7 +38,7 @@ export const logger: LoggerInstance = {
     }
   },
   warn(code) {
-    const url = `https://warnings.authjs.dev#${code}`
+    const url = `https://errors.authjs.dev#${code}`
     console.warn(`${yellow}[auth][warn][${code}]${reset}`, `Read more: ${url}`)
   },
   debug(message, metadata) {

packages/core/src/providers/apple.ts

@@ -1,15 +1,3 @@
-/**
- * <div style={{backgroundColor: "#000", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
- * <span>Built-in <b>Apple</b> integration.</span>
- * <a href="https://apple.com">
- *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/apple-dark.svg" height="48" width="48"/>
- * </a>
- * </div>
- *
- * ---
- * @module providers/apple
- */
-
 import type { OAuthConfig, OAuthUserConfig } from "./index.js"
 
 /**

packages/core/src/providers/asgardeo.ts

@@ -1,112 +0,0 @@
-/**
- * <div style={{backgroundColor: "#24292f", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
- * <span>Built-in <b>Asgardeo</b> integration.</span>
- * <a href="https://wso2.com/asgardeo/">
- *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/asgardeo-dark.svg" height="48" width="48"/>
- * </a>
- * </div>
- *
- * ---
- * @module providers/asgardeo
- */
-
-import type { OIDCConfig, OIDCUserConfig } from "./index.js"
-
-export interface AsgardeoProfile {
-  sub: string
-  given_name: string
-  email: string
-  picture: string
-}
-
-/**
- * Add Asgardeo login to your page.
- * ## Documentation
- *
- * https://wso2.com/asgardeo/docs/guides/authentication
- *
- *
- * ## Instructions
- *
- * - Log into https://console.asgardeo.io.
- * - Next, go to "Application" tab (More info: https://wso2.com/asgardeo/docs/guides/applications/register-oidc-web-app/).
- * - Register standard based - Open id connect, application.
- * - Add callback URL: http://localhost:3000/api/auth/callback/asgardeo and https://your-domain.com/api/auth/callback/asgardeo
- * - After registering the application, go to protocol tab.
- * - Check `code` grant type.
- * - Add Authorized redirect URLs & Allowed origins fields.
- * - Make Email, First Name, Photo URL user attributes mandatory from the console.
- *
- * Create a `.env` file in the project root add the following entries:
- *
- * These values can be collected from the application created.
- *
- * ```
- * ASGARDEO_CLIENT_ID=<Copy client ID from protocol tab here>
- * ASGARDEO_CLIENT_SECRET=<Copy client from protocol tab here>
- * ASGARDEO_ISSUER=<Copy the issuer url from the info tab here>
- * ```
- *
- * In `pages/api/auth/[...nextauth].js` find or add the `Asgardeo` entries:
- *
- * ```js
- * import Asgardeo from "next-auth/providers/asgardeo";
- * ...
- * providers: [
- *   Asgardeo({
- *     clientId: process.env.ASGARDEO_CLIENT_ID,
- *     clientSecret: process.env.ASGARDEO_CLIENT_SECRET,
- *     issuer: process.env.ASGARDEO_ISSUER
- *   }),
- * ],
- *
- * ...
- * ```
- *
- * ## Resources
- *
- * @see [Asgardeo - Authentication Guide](https://wso2.com/asgardeo/docs/guides/authentication)
- * @see [Learn more about OAuth](https://authjs.dev/concepts/oauth)
- * @see [Source code](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/asgardeo.ts)
- *
- * ## Notes
- *
- * By default, Auth.js assumes that the Asgardeo provider is
- * based on the [OAuth 2](https://www.rfc-editor.org/rfc/rfc6749.html) specification.
- *
- * :::tip
- *
- * The Asgardeo provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/asgardeo.ts).
- * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/providers/custom-provider#override-default-options).
- *
- * :::
- *
- * :::info **Disclaimer**
- *
- * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
- *
- * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
- * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
- * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
- *
- * :::
- */
-export default function Asgardeo(
-  config: OIDCUserConfig<AsgardeoProfile>
-): OIDCConfig<AsgardeoProfile> {
-  return {
-    id: "asgardeo",
-    name: "Asgardeo",
-    type: "oidc",
-    wellKnown: `${config?.issuer}/oauth2/token/.well-known/openid-configuration`,
-    style: {
-      logo: "/asgardeo.svg",
-      logoDark: "/asgardeo-dark.svg",
-      bg: "#fff",
-      text: "#000",
-      bgDark: "#000",
-      textDark: "#fff",
-    },
-    options: config,
-  }
-}

packages/core/src/providers/auth0.ts

@@ -1,128 +1,15 @@
-/**
- * <div style={{backgroundColor: "#EB5424", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
- * <span>Built-in <b>Auth0</b> integration.</span>
- * <a href="https://auth0.com">
- *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/auth0-dark.svg" height="48" width="48"/>
- * </a>
- * </div>
- *
- * ---
- * @module providers/auth0
- */
+import type { OAuthConfig, OAuthUserConfig } from "./index.js"
 
-import type { OIDCConfig, OIDCUserConfig } from "./index.js"
-
-/** @see [User Profile Structure](https://auth0.com/docs/manage-users/user-accounts/user-profiles/user-profile-structure) */
-export interface Auth0Profile {
-  /** The user's unique identifier. */
+export interface Auth0Profile extends Record<string, any> {
   sub: string
-  /** Custom fields that store info about a user that influences the user's access, such as support plan, security roles (if not using the Authorization Core feature set), or access control groups. To learn more, read Metadata Overview. */
-  app_metadata: object
-  /** Indicates whether the user has been blocked. Importing enables subscribers to ensure that users remain blocked when migrating to Auth0. */
-  blocked: boolean
-  /** Timestamp indicating when the user profile was first created. */
-  created_at: Date
-  /** (unique) The user's email address. */
-  email: string
-  /** Indicates whether the user has verified their email address. */
-  email_verified: boolean
-  /** The user's family name. */
-  family_name: string
-  /** The user's given name. */
-  given_name: string
-  /** Custom fields that store info about a user that does not impact what they can or cannot access, such as work address, home address, or user preferences. To learn more, read Metadata Overview. */
-  user_metadata: object
-  /** (unique) The user's username. */
-  username: string
-  /** Contains info retrieved from the identity provider with which the user originally authenticates. Users may also link their profile to multiple identity providers; those identities will then also appear in this array. The contents of an individual identity provider object varies by provider. In some cases, it will also include an API Access Token to be used with the provider. */
-  identities: Array<{
-    /** Name of the Auth0 connection used to authenticate the user. */
-    connection: string
-    /** Indicates whether the connection is a social one. */
-    isSocial: boolean
-    /** Name of the entity that is authenticating the user, such as Facebook, Google, SAML, or your own provider. */
-    provider: string
-    /** User's unique identifier for this connection/provider. */
-    user_id: string
-    /** User info associated with the connection. When profiles are linked, it is populated with the associated user info for secondary accounts. */
-    profileData: object
-    [key: string]: any
-  }>
-  /** IP address associated with the user's last login. */
-  last_ip: string
-  /** Timestamp indicating when the user last logged in. If a user is blocked and logs in, the blocked session updates last_login. If you are using this property from inside a Rule using the user< object, its value will be associated with the login that triggered the rule; this is because rules execute after login. */
-  last_login: Date
-  /** Timestamp indicating the last time the user's password was reset/changed. At user creation, this field does not exist. This property is only available for Database connections. */
-  last_password_reset: Date
-  /** Number of times the user has logged in. If a user is blocked and logs in, the blocked session is counted in logins_count. */
-  logins_count: number
-  /** List of multi-factor providers with which the user is enrolled. */
-  multifactor: string
-  /** The user's full name. */
-  name: string
-  /** The user's nickname. */
   nickname: string
-  /** The user's phone number. Only valid for users with SMS connections. */
-  phone_number: string
-  /** Indicates whether the user has been verified their phone number. Only valid for users with SMS connections. */
-  phone_verified: boolean
-  /** URL pointing to the user's profile picture. */
+  email: string
   picture: string
-  /** Timestamp indicating when the user's profile was last updated/modified. Changes to last_login are considered updates, so most of the time, updated_at will match last_login. */
-  updated_at: Date
-  /** (unique) The user's identifier. Importing allows user records to be synchronized across multiple systems without using mapping tables. */
-  user_id: string
 }
 
-/**
- * Add Auth0 login to your page.
- *
- * ## Example
- *
- * ```ts
- * import { Auth } from "@auth/core"
- * import Auth0 from "@auth/core/providers/auth0"
- *
- * const request = new Request("https://example.com")
- * const resposne = await Auth(request, {
- *   providers: [Auth0({ clientId: "", clientSecret: "", issuer: "" })],
- * })
- * ```
- *
- * ---
- *
- * ## Resources
- *
- * - [Authenticate - Auth0 docs](https://auth0.com/docs/authenticate)
- *
- * ---
- *
- * ## Notes
- *
- * By default, Auth.js assumes that the Auth0 provider is
- * based on the [OIDC](https://openid.net/specs/openid-connect-core-1_0.html) specification.
- *
- * :::tip
- *
- * The Auth0 provider comes with a [default configuration](https://github.com/nextauthjs/next-auth/blob/main/packages/core/src/providers/auth0.ts).
- * To override the defaults for your use case, check out [customizing a built-in OAuth provider](https://authjs.dev/guides/providers/custom-provider#override-default-options).
- *
- * :::
- *
- * :::info **Disclaimer**
- *
- * If you think you found a bug in the default configuration, you can [open an issue](https://authjs.dev/new/provider-issue).
- *
- * Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from
- * the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec,
- * we might not pursue a resolution. You can ask for more help in [Discussions](https://authjs.dev/new/github-discussions).
- *
- * :::
- */
-
-export default function Auth0(
-  config: OIDCUserConfig<Auth0Profile>
-): OIDCConfig<Auth0Profile> {
+export default function Auth0<P extends Auth0Profile>(
+  options: OAuthUserConfig<P>
+): OAuthConfig<P> {
   return {
     id: "auth0",
     name: "Auth0",
@@ -135,6 +22,6 @@ export default function Auth0(
       bgDark: "#EB5424",
       textDark: "#fff",
     },
-    options: config,
+    options,
   }
 }

packages/core/src/providers/azure-ad.ts

@@ -34,21 +34,22 @@ export default function AzureAD<P extends AzureADProfile>(
       )
 
       // Confirm that profile photo was returned
-      let image
-      // TODO: Do this without Buffer
-      if (response.ok && typeof Buffer !== "undefined") {
-        try {
-          const pictureBuffer = await response.arrayBuffer()
-          const pictureBase64 = Buffer.from(pictureBuffer).toString("base64")
-          image = `data:image/jpeg;base64, ${pictureBase64}`
-        } catch {}
-      }
-
-      return {
-        id: profile.sub,
-        name: profile.name,
-        email: profile.email,
-        image: image ?? null,
+      if (response.ok) {
+        const pictureBuffer = await response.arrayBuffer()
+        const pictureBase64 = Buffer.from(pictureBuffer).toString("base64")
+        return {
+          id: profile.sub,
+          name: profile.name,
+          email: profile.email,
+          image: `data:image/jpeg;base64, ${pictureBase64}`,
+        }
+      } else {
+        return {
+          id: profile.sub,
+          name: profile.name,
+          email: profile.email,
+          image: null,
+        }
       }
     },
     style: {

packages/core/src/providers/github.ts

@@ -1,18 +1,6 @@
-/**
- * <div style={{backgroundColor: "#24292f", display: "flex", justifyContent: "space-between", color: "#fff", padding: 16}}>
- * <span>Built-in <b>GitHub</b> integration.</span>
- * <a href="https://github.com">
- *   <img style={{display: "block"}} src="https://authjs.dev/img/providers/github-dark.svg" height="48" width="48"/>
- * </a>
- * </div>
- *
- * ---
- * @module providers/github
- */
-
 import type { OAuthConfig, OAuthUserConfig } from "./index.js"
 
-export interface GitHubEmail {
+export interface GithubEmail extends Record<string, any> {
   email: string
   primary: boolean
   verified: boolean
@@ -20,7 +8,7 @@ export interface GitHubEmail {
 }
 
 /** @see [Get the authenticated user](https://docs.github.com/en/rest/users/users#get-the-authenticated-user) */
-export interface GitHubProfile {
+export interface GithubProfile extends Record<string, any> {
   login: string
   id: number
   node_id: string
@@ -73,12 +61,14 @@ export interface GitHubProfile {
  *
  * ## Example
  *
+ * @example
+ *
  * ```ts
- * import { Auth } from "@auth/core"
- * import GitHub from "@auth/core/providers/github"
+ * import Auth from "@auth/core"
+ * import { GitHub } from "@auth/core/providers/github"
  *
  * const request = new Request("https://example.com")
- * const resposne = await Auth(request, {
+ * const resposne = await AuthHandler(request, {
  *   providers: [GitHub({ clientId: "", clientSecret: "" })],
  * })
  * ```
@@ -113,9 +103,9 @@ export interface GitHubProfile {
  *
  * :::
  */
-export default function GitHub(
-  config: OAuthUserConfig<GitHubProfile>
-): OAuthConfig<GitHubProfile> {
+export default function GitHub<Profile extends GithubProfile>(
+  options: OAuthUserConfig<Profile>
+): OAuthConfig<Profile> {
   return {
     id: "github",
     name: "GitHub",
@@ -140,7 +130,7 @@ export default function GitHub(
           })
 
           if (res.ok) {
-            const emails: GitHubEmail[] = await res.json()
+            const emails: GithubEmail[] = await res.json()
             profile.email = (emails.find((e) => e.primary) ?? emails[0]).email
           }
         }
@@ -160,10 +150,10 @@ export default function GitHub(
       logo: "/github.svg",
       logoDark: "/github-dark.svg",
       bg: "#fff",
-      bgDark: "#24292f",
+      bgDark: "#000",
       text: "#000",
       textDark: "#fff",
     },
-    options: config,
+    options,
   }
 }

packages/core/src/providers/mattermost.ts

@@ -1,114 +0,0 @@
-import type { OAuthConfig, OAuthUserConfig } from "./oauth"
-
-/** @see [Get a user](https://api.mattermost.com/#tag/users/operation/GetUser) */
-export interface MattermostProfile {
-  id: string
-  /** The time in milliseconds a user was created */
-  create_at: number
-  /** The time in milliseconds a user was last updated */
-  update_at: number
-  /** The time in milliseconds a user was deleted */
-  delete_at: number
-  username: string
-  auth_data: string
-  auth_service: string
-  email: string
-  email_verified: boolean
-  nickname: string
-  first_name: string
-  last_name: string
-  position: string
-  roles: string
-  notify_props: {
-    /** Set to "true" to enable channel-wide notifications (@channel, @all, etc.), "false" to disable. Defaults to "true". */
-    channel: string
-    comments: string
-    /** Set to "all" to receive desktop notifications for all activity, "mention" for mentions and direct messages only, and "none" to disable. Defaults to "all". */
-    desktop: string
-    /** Set to "true" to enable sound on desktop notifications, "false" to disable. Defaults to "true". */
-    desktop_sound: string
-    desktop_threads: string
-    /** Set to "true" to enable email notifications, "false" to disable. Defaults to "true". */
-    email: string
-    email_threads: string
-    /** Set to "true" to enable mentions for first name. Defaults to "true" if a first name is set, "false" otherwise. */
-    first_name: string
-    /** A comma-separated list of words to count as mentions. Defaults to username and @username. */
-    mention_keys: string
-    /** Set to "all" to receive push notifications for all activity, "mention" for mentions and direct messages only, and "none" to disable. Defaults to "mention". */
-    push: string
-    push_status: string
-    push_threads: string
-  }
-  last_password_update: number
-  locale: string
-  timezone: {
-    /** This value is set automatically when the "useAutomaticTimezone" is set to "true". */
-    automaticTimezone: string
-    /** Value when setting manually the timezone, i.e. "Europe/Berlin". */
-    manualTimezone: string
-    /** Set to "true" to use the browser/system timezone, "false" to set manually. Defaults to "true". */
-    useAutomaticTimezone: string
-  }
-  disable_welcome_email: boolean
-  /** ID of accepted terms of service, if any. This field is not present if empty. */
-  terms_of_service_id?: string
-  /** The time in milliseconds the user accepted the terms of service */
-  terms_of_service_create_at?: number
-}
-
-/**
- * To create your Mattermost OAuth2 app visit http://`<your Mattermost instance url>`/`<your team>`/integrations/oauth2-apps
- *
- * ## Example
- *
- * ```ts
- * import Mattermost from "@auth/core/providers/mattermost";
- * ...
- * providers: [
- *   Mattermost({
- *     clientId: env.MATTERMOST_ID,
- *     clientSecret: env.MATTERMOST_SECRET,
- *     // The base url of your Mattermost instance. e.g https://my-cool-server.cloud.mattermost.com
- *     issuer: env.MATTERMOST_ISSUER,
- *   })
- * ]
- * ...
- * ```
- *
- * :::warning
- * The Mattermost provider requires the `issuer` option to be set. This is the base url of your Mattermost instance. e.g https://my-cool-server.cloud.mattermost.com
- * :::
- */
-export default function Mattermost<P extends MattermostProfile>(
-  config: OAuthUserConfig<P> & { issuer: string }
-): OAuthConfig<P> {
-  const { issuer, ...rest } = config
-
-  return {
-    id: "mattermost",
-    name: "Mattermost",
-    type: "oauth",
-    client: { token_endpoint_auth_method: "client_secret_post" },
-    token: `${issuer}/oauth/access_token`,
-    authorization: `${issuer}/oauth/authorize`,
-    userinfo: `${issuer}/api/v4/users/me`,
-    profile(profile) {
-      return {
-        id: profile.id,
-        name: profile.username ?? `${profile.first_name} ${profile.last_name}`,
-        email: profile.email,
-        image: null,
-      }
-    },
-    style: {
-      logo: "/mattermost.svg",
-      logoDark: "/mattermost-dark.svg",
-      bg: "#fff",
-      text: "#000",
-      bgDark: "#000",
-      textDark: "#fff",
-    },
-    options: rest,
-  }
-}

packages/core/src/providers/oauth.ts

@@ -42,8 +42,6 @@ interface AdvancedEndpointHandler<P extends UrlParams, C, R> {
    * You should **try to avoid using advanced options** unless you are very comfortable using them.
    */
   request?: EndpointRequest<C, R, P>
-  /** @internal */
-  conform?: (response: Response) => Awaitable<Response | undefined>
 }
 
 /** Either an URL (containing all the parameters) or an object with more granular control. */
@@ -81,8 +79,8 @@ export type UserinfoEndpointHandler = EndpointHandler<
   Profile
 >
 
-export type ProfileCallback<Profile> = (
-  profile: Profile,
+export type ProfileCallback<P> = (
+  profile: P,
   tokens: TokenSet
 ) => Awaitable<User>
 
@@ -96,9 +94,7 @@ export interface OAuthProviderButtonStyles {
 }
 
 /** TODO: */
-export interface OAuth2Config<Profile>
-  extends CommonProviderOptions,
-    PartialIssuer {
+export interface OAuth2Config<P> extends CommonProviderOptions, PartialIssuer {
   /**
    * Identifies the provider when you want to sign in to
    * a specific provider.
@@ -138,7 +134,7 @@ export interface OAuth2Config<Profile>
    *
    * [Documentation](https://authjs.dev/reference/adapters/models#user)
    */
-  profile?: ProfileCallback<Profile>
+  profile?: ProfileCallback<P>
   /**
    * The CSRF protection performed on the callback endpoint.
    * @default ["pkce"]
@@ -163,45 +159,30 @@ export interface OAuth2Config<Profile>
    *
    * @internal
    */
-  options?: OAuthUserConfig<Profile>
+  options?: OAuthUserConfig<P>
 }
 
 /** TODO: */
-export interface OIDCConfig<Profile>
-  extends Omit<OAuth2Config<Profile>, "type"> {
+export interface OIDCConfig<P> extends Omit<OAuth2Config<P>, "type"> {
   type: "oidc"
 }
 
-export type OAuthConfig<Profile> = OIDCConfig<Profile> | OAuth2Config<Profile>
+export type OAuthConfig<P> = OIDCConfig<P> | OAuth2Config<P>
 
 export type OAuthEndpointType = "authorization" | "token" | "userinfo"
 
 /**
- * We parsed `authorization`, `token` and `userinfo`
+ * We parsesd `authorization`, `token` and `userinfo`
  * to always contain a valid `URL`, with the params
- * @internal
  */
-export type OAuthConfigInternal<Profile> = Omit<
-  OAuthConfig<Profile>,
-  OAuthEndpointType
-> & {
+export type OAuthConfigInternal<P> = Omit<OAuthConfig<P>, OAuthEndpointType> & {
   authorization?: { url: URL }
-  token?: {
-    url: URL
-    request?: TokenEndpointHandler["request"]
-    conform?: TokenEndpointHandler["conform"]
-  }
+  token?: { url: URL; request?: TokenEndpointHandler["request"] }
   userinfo?: { url: URL; request?: UserinfoEndpointHandler["request"] }
-} & Pick<Required<OAuthConfig<Profile>>, "clientId" | "checks" | "profile">
+} & Pick<Required<OAuthConfig<P>>, "clientId" | "checks" | "profile">
 
-export type OAuthUserConfig<Profile> = Omit<
-  Partial<OAuthConfig<Profile>>,
+export type OAuthUserConfig<P> = Omit<
+  Partial<OAuthConfig<P>>,
   "options" | "type"
 > &
-  Required<Pick<OAuthConfig<Profile>, "clientId" | "clientSecret">>
-
-export type OIDCUserConfig<Profile> = Omit<
-  Partial<OIDCConfig<Profile>>,
-  "options" | "type"
-> &
-  Required<Pick<OIDCConfig<Profile>, "clientId" | "clientSecret">>
+  Required<Pick<OAuthConfig<P>, "clientId" | "clientSecret">>