fix(providers): use openid scopes by default (#3651 )

fix: pass csrf & callbackUrl cookies in session api (#3607 )
fix(ts): match GoogleProfile interface with Google docs (#3643 )
2026-05-01 10:55:20 +00:00 · 2022-01-17 04:28:15 +01:00 · 2022-01-17 00:41:16 +01:00 · 2022-01-17 00:40:23 +01:00 · 2022-01-17 00:37:30 +01:00 · 2022-01-15 04:44:31 +01:00
8 changed files with 34 additions and 12 deletions
--- a/README.md
+++ b/README.md
@@ -54,7 +54,7 @@ See [next-auth.js.org](https://next-auth.js.org) for more information and docume
 ### Flexible and easy to use

 - Designed to work with any OAuth service, it supports OAuth 1.0, 1.0A and 2.0
- Built-in support for [many popular sign-in services](https://next-auth.js.org/configuration/providers)
+- Built-in support for [many popular sign-in services](https://next-auth.js.org/providers/overview)
 - Supports email / passwordless authentication
 - Supports stateless authentication with any backend (Active Directory, LDAP, etc)
 - Supports both JSON Web Tokens and database sessions
--- a/src/core/index.ts
+++ b/src/core/index.ts
@@ -92,8 +92,11 @@ export async function NextAuthHandler<
    switch (action) {
      case "providers":
        return (await routes.providers(options.providers)) as any
-      case "session":
-        return (await routes.session({ options, sessionStore })) as any
+      case "session": {
+        const session = await routes.session({ options, sessionStore })
+        if (session.cookies) cookies.push(...session.cookies)
+        return { ...session, cookies } as any
+      }
      case "csrf":
        return {
          headers: [{ key: "Content-Type", value: "application/json" }],
--- a/src/jwt/index.ts
+++ b/src/jwt/index.ts
@@ -71,7 +71,7 @@ export async function getToken<R extends boolean = false>(
  const {
    req,
    secureCookie = process.env.NEXTAUTH_URL?.startsWith("https://") ??
-      !!process.env.VERCEL_URL,
+      !!process.env.VERCEL,
    cookieName = secureCookie
      ? "__Secure-next-auth.session-token"
      : "next-auth.session-token",
--- a/src/lib/types.ts
+++ b/src/lib/types.ts
@@ -50,7 +50,7 @@ export type NextAuthAction =
 export interface InternalOptions<T extends ProviderType = any> {
  providers: InternalProvider[]
  /**
-   * Parsed from `NEXTAUTH_URL` or `VERCEL_URL`.
+   * Parsed from `NEXTAUTH_URL` or `x-forwarded-host` on Vercel.
   * @default "http://localhost:3000/api/auth"
   */
  url: InternalUrl
--- a/src/next/index.ts
+++ b/src/next/index.ts
@@ -1,5 +1,5 @@
 import { NextAuthHandler } from "../core"
-import { setCookie } from "./cookie"
+import { setCookie, detectHost } from "./utils"

 import type {
  GetServerSidePropsContext,
@@ -21,7 +21,7 @@ async function NextAuthNextHandler(
  const { nextauth, ...query } = req.query
  const handler = await NextAuthHandler({
    req: {
-      host: process.env.NEXTAUTH_URL ?? process.env.VERCEL_URL,
+      host: detectHost(req.headers["x-forwarded-host"]),
      body: req.body,
      query,
      cookies: req.cookies,
@@ -87,7 +87,7 @@ export async function getServerSession(
  const session = await NextAuthHandler<Session | {}>({
    options,
    req: {
-      host: process.env.NEXTAUTH_URL ?? process.env.VERCEL_URL,
+      host: detectHost(context.req.headers["x-forwarded-host"]),
      action: "session",
      method: "GET",
      cookies: context.req.cookies,
@@ -108,7 +108,7 @@ declare global {
  namespace NodeJS {
    interface ProcessEnv {
      NEXTAUTH_URL?: string
-      VERCEL_URL?: string
+      VERCEL?: "1"
    }
  }
 }
--- a/src/next/cookie.ts
+++ b/src/next/cookie.ts
@@ -13,3 +13,11 @@ export function setCookie(res, cookie: Cookie) {
  setCookieHeader.push(cookieHeader)
  res.setHeader("Set-Cookie", setCookieHeader)
 }
+
+/** Extract the host from the environment */
+export function detectHost(forwardedHost: any) {
+  // If we detect a Vercel environment, we can trust the host
+  if (process.env.VERCEL) return forwardedHost
+  // If `NEXTAUTH_URL` is `undefined` we fall back to "http://localhost:3000"
+  return process.env.NEXTAUTH_URL
+}
--- a/src/providers/azure-ad.ts
+++ b/src/providers/azure-ad.ts
@@ -28,7 +28,7 @@ export default function AzureAD<P extends Record<string, any> = AzureADProfile>(
    wellKnown: `https://login.microsoftonline.com/${tenant}/v2.0/.well-known/openid-configuration`,
    authorization: {
      params: {
-        scope: "User.Read",
+        scope: "openid profile email",
      },
    },
    async profile(profile, tokens) {
--- a/src/providers/google.ts
+++ b/src/providers/google.ts
@@ -1,10 +1,21 @@
 import type { OAuthConfig, OAuthUserConfig } from "."

 export interface GoogleProfile {
-  sub: string
-  name: string
+  aud: string
+  azp: string
  email: string
+  email_verified: boolean
+  exp: number
+  family_name: string
+  given_name: string
+  hd: string
+  iat: number
+  iss: string
+  jti: string
+  name: string
+  nbf: number
  picture: string
+  sub: string
 }

 export default function Google<P extends Record<string, any> = GoogleProfile>(
Author	SHA1	Message	Date
David Chalifoux	59985264a2	fix(providers): use openid scopes by default (#3651 )	2022-01-17 04:28:15 +01:00
Iftekhar Rifat	c844296982	fix: pass csrf & callbackUrl cookies in session api (#3607 )	2022-01-17 00:41:16 +01:00
Jon Bellah	d1aa2a1a8e	fix(ts): match `GoogleProfile` interface with Google docs (#3643 )	2022-01-17 00:40:23 +01:00
Balázs Orbán	8139126f29	fix(core): detect Vercel without `NEXTAUTH_URL` (#3649 ) * fix(core): detect Vercel without `NEXTAUTH_URL` * chore(ts): use `any` * chore: use `process.env.VERCEL` to detect Vercel	2022-01-17 00:37:30 +01:00
Laxmikanta Nayak	aa0e8200b3	docs: Updated the wrong link to providers list in readme (#3616 ) The link to providers list was 404 so updated to the correct link in document.	2022-01-15 04:44:31 +01:00