Replies: 21 comments 26 replies
-
To resolve this issue locally, i'm now using patch-package. I'm applying this patch: diff --git a/node_modules/next-auth/dist/server/lib/oauth/client.js b/node_modules/next-auth/dist/server/lib/oauth/client.js
index e35acd0..5b666ec 100644
--- a/node_modules/next-auth/dist/server/lib/oauth/client.js
+++ b/node_modules/next-auth/dist/server/lib/oauth/client.js
@@ -9,6 +9,10 @@ exports.default = oAuthClient;
var _oauth = require("oauth");
+var UrlLib = require("url");
+
+var HttpsProxyAgent = require("https-proxy-agent");
+
var _querystring = _interopRequireDefault(require("querystring"));
var _logger = _interopRequireDefault(require("../../../lib/logger"));
@@ -150,6 +154,12 @@ async function getOAuth2AccessToken(code, provider, codeVerifier) {
const postData = _querystring.default.stringify(params);
return new Promise((resolve, reject) => {
+ let parsedUrl = UrlLib.parse(url, true);
+ if (parsedUrl.protocol == "https:" && process.env.http_proxy) {
+ let agent = new HttpsProxyAgent(process.env.http_proxy);
+ this.setAgent(agent);
+ }
+
this._request('POST', url, headers, postData, null, (error, data, response) => {
if (error) {
_logger.default.error('OAUTH_GET_ACCESS_TOKEN_ERROR', error, data, response);
@@ -228,6 +238,12 @@ async function getOAuth2(provider, accessToken, results) {
}
return new Promise((resolve, reject) => {
+ let parsedUrl = UrlLib.parse(url, true);
+ if (parsedUrl.protocol == "https:" && process.env.http_proxy) {
+ let agent = new HttpsProxyAgent(process.env.http_proxy);
+ this.setAgent(agent);
+ }
+
this._request(httpMethod, url, headers, null, accessToken, (error, profileData) => {
if (error) {
return reject(error); It would be great if this issue could be resolved in future versions! Thanks in advance. |
Beta Was this translation helpful? Give feedback.
-
@raphaelpc we released a beta for the new NextAuth v4 version today which uses the newer They use Notes:
Thinking out loud here based off the info in the above links.. but maybe here (https://github.com/nextauthjs/next-auth/blob/beta/src/server/lib/oauth/client.js), adding something along these lines? const { custom } = require('openid-client');
const { HttpsProxyAgent } = require('hpagent');
custom.setHttpOptionsDefaults({
agent: {
https: new HttpsProxyAgent({
keepAlive: true,
keepAliveMsecs: 1000,
maxSockets: 256,
maxFreeSockets: 256,
scheduling: 'lifo',
proxy: 'https://localhost:8080'
})
}
}); |
Beta Was this translation helpful? Give feedback.
-
I've had this same issue I think. I have a site (wecodeni.com) that uses next-auth.js. Every now and then I'll have a customer get in touch saying they can't sign up when using the email login. I can never work out exactly what is causing it, but it's always from larger corporate customers. I can see from my database that a user is created in these cases, but the user is presented with the I'm pretty sure what's happening is their email server is scanning links in emails, and by requesting the link in the signin email, they are claiming it, and so the user can't then signin. |
Beta Was this translation helpful? Give feedback.
-
@ThePaulMcBride looks like this might be a result of the invites being expired. See: next-auth/packages/next-auth/src/core/routes/callback.ts Lines 213 to 216 in a72f1b6 EDIT: Sorry just reread your email. We had an issue like this before with Office365, for example, like you suggested - it'll "check" the link to make sure its not a phishing site or whatever, thereby "using" up the invitation link. Let me see if I can find the issue / discussion again. There was a way to disable it in office365 and some other discussion. EDIT 2: Yeah here it is! #1840 |
Beta Was this translation helpful? Give feedback.
-
Behind corporate proxy Next Auth unfortunately won't work with our
adjustments.
I've been trying to update NextAuth to the latest release on my
application, but I did not yet discover what patch should I create in order
for it to work, like I did in the older version. Did anyone find a solution?
Thanks.
Em qua., 9 de fev. de 2022 às 18:21, Nico Domino ***@***.***>
escreveu:
… @ThePaulMcBride <https://github.com/ThePaulMcBride> looks like this might
be a result of the invites being expires.
See:
https://github.com/nextauthjs/next-auth/blob/a72f1b6d21da89b4223542006c865862635c027b/packages/next-auth/src/core/routes/callback.ts#L213-L216
—
Reply to this email directly, view it on GitHub
<#2509 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AHGXJF2PMLRIWSQTXHMCJHDU2LLD5ANCNFSM5B2N23GQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Beta Was this translation helpful? Give feedback.
-
As mentioned in @balazsorban44's final reply in that issue, you could modify the This should satisfy most URL checking / SafeLink behavior, and not allow the email invitation tokens to be used up. Something like: import type { NextApiRequest, NextApiResponse } from "next"
import NextAuth from "next-auth"
export default async function auth(req: NextApiRequest, res: NextApiResponse) {
if(req.method === "HEAD") {
return res.status(200)
}
...
} See NextAuth.js - Advanced Initialization for more details, as well as the issue #1840 as previously mentioned. |
Beta Was this translation helpful? Give feedback.
-
Hello Nico!
Thanks for the answer! But I did not understand how this could be applied
to this situation, since the problem is that the methods used internally by
NextAuth don't work behind a corporate proxy. That is why a had to create a
patch-package for v3 in the first place. The thing is that I did not yet
discover what patch I should apply on v4 since all the internal methods
used for making requests changed from v3 to v4, like you mentioned in your
first reply to this thread. I checked all references you posted but was not
able to identify exactly what would need to be done for the methods to
start checking on proxy environment info when making the requests to
external services (for example, to the Google or Facebook auth endpoints).
If that could be resolved only using advanced inicialialization that would
be great, but I really did not identify how that could be used in this case.
Em qua., 9 de fev. de 2022 às 18:29, Nico Domino ***@***.***>
escreveu:
… As mentioned in @balazsorban44 <https://github.com/balazsorban44>'s final
reply in that issue, you could modify the [...nextauth].js config file
(which is a "normal" catch-all API route at the end of the day), to just
return a 200 immediately upon receiving a HEAD request.
This should satisfy most URL checking / SafeLink behavior, and not allow
the email invitation tokens to be used up.
Something like:
import type { NextApiRequest, NextApiResponse } from "next"import NextAuth from "next-auth"
export default async function auth(req: NextApiRequest, res: NextApiResponse) {
if(req.method === "HEAD") {
return res.status(200)
}
...}
See NextAuth.js - Advanced Initialization
<https://next-auth.js.org/configuration/initialization#advanced-initialization>
for more details, as well as the issue #1840
<#1840> as previously
mentioned.
—
Reply to this email directly, view it on GitHub
<#2509 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AHGXJF5J36AISKLNAHIE3I3U2LME5ANCNFSM5B2N23GQ>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Beta Was this translation helpful? Give feedback.
-
Important to clarify that Paul's error isn't necessarily the same as mine,
but the situation that I described on this thread is related to corporate
proxy, I don't even use the mail functionalities from NextAuth.
Em qui., 10 de fev. de 2022 às 09:09, Raphael Cavalcanti ***@***.***>
escreveu:
… Hello Nico!
Thanks for the answer! But I did not understand how this could be applied
to this situation, since the problem is that the methods used internally by
NextAuth don't work behind a corporate proxy. That is why a had to create a
patch-package for v3 in the first place. The thing is that I did not yet
discover what patch I should apply on v4 since all the internal methods
used for making requests changed from v3 to v4, like you mentioned in your
first reply to this thread. I checked all references you posted but was not
able to identify exactly what would need to be done for the methods to
start checking on proxy environment info when making the requests to
external services (for example, to the Google or Facebook auth endpoints).
If that could be resolved only using advanced inicialialization that would
be great, but I really did not identify how that could be used in this case.
Em qua., 9 de fev. de 2022 às 18:29, Nico Domino ***@***.***>
escreveu:
> As mentioned in @balazsorban44 <https://github.com/balazsorban44>'s
> final reply in that issue, you could modify the [...nextauth].js config
> file (which is a "normal" catch-all API route at the end of the day), to
> just return a 200 immediately upon receiving a HEAD request.
>
> This should satisfy most URL checking / SafeLink behavior, and not allow
> the email invitation tokens to be used up.
>
> Something like:
>
> import type { NextApiRequest, NextApiResponse } from "next"import NextAuth from "next-auth"
> export default async function auth(req: NextApiRequest, res: NextApiResponse) {
>
> if(req.method === "HEAD") {
> return res.status(200)
> }
>
> ...}
>
> See NextAuth.js - Advanced Initialization
> <https://next-auth.js.org/configuration/initialization#advanced-initialization>
> for more details, as well as the issue #1840
> <#1840> as previously
> mentioned.
>
> —
> Reply to this email directly, view it on GitHub
> <#2509 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AHGXJF5J36AISKLNAHIE3I3U2LME5ANCNFSM5B2N23GQ>
> .
> Triage notifications on the go with GitHub Mobile for iOS
> <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
> or Android
> <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
>
> You are receiving this because you were mentioned.Message ID:
> ***@***.***>
>
|
Beta Was this translation helpful? Give feedback.
-
Sorry for jumping on your thread Rapheal, I initially had thought we were seeing the same thing! |
Beta Was this translation helpful? Give feedback.
-
@raphaelpc ah right, okay my bad. The suggestion I made/wrote a tutorial for in the docs was strictly for the issue of corporate email clients / email services sending In terms of corporate proxy in general, we're now using Therefore, you'll have to either fork and modify With |
Beta Was this translation helpful? Give feedback.
-
Regarding fixing with a patch, We let all |
Beta Was this translation helpful? Give feedback.
-
Thanks for the tip. I have now been able to patch NextAuth v4 to be able to use it behind corporate proxy. This is what i did:
To do so, i first updated my Provider at [...nextauth].ts:
Doing like that it unfortunately didn't work. I got this error:
Probably because the way the "agent" is being received by the openidClient function makes it stop being a Agent-like Object.
I'm applying this patch: diff --git a/node_modules/next-auth/core/lib/oauth/client.js b/node_modules/next-auth/core/lib/oauth/client.js
index 77161bd..1082fba 100644
--- a/node_modules/next-auth/core/lib/oauth/client.js
+++ b/node_modules/next-auth/core/lib/oauth/client.js
@@ -7,11 +7,19 @@ exports.openidClient = openidClient;
var _openidClient = require("openid-client");
+var HttpsProxyAgent = require("https-proxy-agent");
+
async function openidClient(options) {
const provider = options.provider;
- if (provider.httpOptions) _openidClient.custom.setHttpOptionsDefaults(provider.httpOptions);
- let issuer;
+ let httpOptions = {};
+ if (provider.httpOptions) httpOptions = { ...provider.httpOptions };
+ if (process.env.http_proxy) {
+ let agent = new HttpsProxyAgent(process.env.http_proxy);
+ httpOptions.agent = agent;
+ }
+ _openidClient.custom.setHttpOptionsDefaults(httpOptions);
+ let issuer;
if (provider.wellKnown) {
issuer = await _openidClient.Issuer.discover(provider.wellKnown);
} else {
It would be great if this issue could be resolved in future versions! Anyway, in case anyone else has the same problem as i, i hope the patch can help! :) Thanks! |
Beta Was this translation helpful? Give feedback.
-
Yeah. Unfortunately, this is not a priority right now as the use case seems to be uncommon enough, but I'm happy to keep this issue open as long as it doesn't get stale. |
Beta Was this translation helpful? Give feedback.
-
Happens for one of my user as well: https://cln.sh/F3pA8x |
Beta Was this translation helpful? Give feedback.
-
Hi @balazsorban44 I am wondering why the code from the patch simply not used in the codebase? I was considering making a PR but then found this discussion and am quite confused by recommendation to use a patch instead of implementing this fix in the framework. |
Beta Was this translation helpful? Give feedback.
-
As a work around, I just replace the auth link that uses the OTP and instead send them to a /auth page and applies the OTP has the url of the button on the page. That way it does not expire and they can click it even behind a proxy. This solved our problems. it was a bit annoying.
|
Beta Was this translation helpful? Give feedback.
-
I have the same problem that sign in times out when behind a corporate firewall. I had to patch it per the instructions above. Please fix this for all your corporate users. |
Beta Was this translation helpful? Give feedback.
-
I have used the patch suggested above for version 4.22.1 but unfortunately I'm receiving the following message when I try to action the sign in: [next-auth][error][SIGNIN_OAUTH_ERROR]
https://next-auth.js.org/errors#signin_oauth_error HttpsProxyAgent is not a constructor {
error: {
message: 'HttpsProxyAgent is not a constructor',
stack: 'TypeError: HttpsProxyAgent is not a constructor\n' +
' at openidClient (...\\node_modules\\next-auth\\core\\lib\\oauth\\client.js:17:17) "use strict";
Object.defineProperty(exports, "__esModule", {
value: true
});
exports.openidClient = openidClient;
var _openidClient = require("openid-client");
var HttpsProxyAgent = require("https-proxy-agent");
async function openidClient(options) {
const provider = options.provider;
let httpOptions = {};
if (provider.httpOptions) httpOptions = { ...provider.httpOptions };
if (process.env.http_proxy) {
let agent = new HttpsProxyAgent(process.env.http_proxy);
httpOptions.agent = agent;
}
_openidClient.custom.setHttpOptionsDefaults(httpOptions);
let issuer;
if (provider.wellKnown) {
issuer = await _openidClient.Issuer.discover(provider.wellKnown);
} else {
var _provider$authorizati, _provider$token, _provider$userinfo;
issuer = new _openidClient.Issuer({
issuer: provider.issuer,
authorization_endpoint: (_provider$authorizati = provider.authorization) === null || _provider$authorizati === void 0 ? void 0 : _provider$authorizati.url,
token_endpoint: (_provider$token = provider.token) === null || _provider$token === void 0 ? void 0 : _provider$token.url,
userinfo_endpoint: (_provider$userinfo = provider.userinfo) === null || _provider$userinfo === void 0 ? void 0 : _provider$userinfo.url,
jwks_uri: provider.jwks_endpoint
});
}
const client = new issuer.Client({
client_id: provider.clientId,
client_secret: provider.clientSecret,
redirect_uris: [provider.callbackUrl],
...provider.client
}, provider.jwks);
client[_openidClient.custom.clock_tolerance] = 10;
return client;
} |
Beta Was this translation helpful? Give feedback.
-
The issue here is that some email scanners consume the activation code with their probing request. Its also typically a GET and not a HEAD request which makes that the often recommended code (below) does not work
A solution that works nicely (by @balazsorban44) can be found here |
Beta Was this translation helpful? Give feedback.
-
I am very confused as to why this works in development but not in production. I am deploying Next.js to an openshift Kubernetes cluster and all is well until it is deployed to the cluster. All this working on the same machines that are behind the corporate proxy in development but production shuts it down immediately. Is there nothing coming to fix this? |
Beta Was this translation helpful? Give feedback.
-
Hi, guys. I also encountered this problem and opened a PR (#9675) to try to fix it. Thanks @Stephen-Ma-2023's comment (#3944 (reply in thread)), I also think this is the core reason for this problem. |
Beta Was this translation helpful? Give feedback.
-
Description 🐜
NextAuth is not working behind corporate proxy.
I studied the current NextAuth implementation and found that this error happens because NextAuth makes use of the "node-auth" library (npm package "oauth") in it's "oAuthClient" (src/server/lib/oauth/client.js), which requires manually setting up an agent to be used by the "https" library.
I created a PR with the solution of the problem:
#2493
Related discussion: #676
Related StackOverflow: https://stackoverflow.com/questions/32130471/node-js-https-not-working-behind-corporate-proxy
If the PR is not going to be accepted, i believe it is important do register the issue here for other people facing the same problems that i'm facing right now (which are quite time consuming to debug).
Is this a bug in your own project?
No
How to reproduce ☕️
Just run any application with NextAuth behind a corporate proxy and try to log in with a Provider (like Google or GitHub).
Screenshots / Logs 📽
Environment 🖥
System:
OS: Windows 10 10.0.19042
CPU: (12) x64 Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
Memory: 6.80 GB / 15.78 GB
Binaries:
Node: 14.16.1 - C:\Program Files\nodejs\node.EXE
Yarn: 1.22.5 - C:\Program Files (x86)\Yarn\bin\yarn.CMD
npm: 6.14.12 - C:\Program Files\nodejs\npm.CMD
Browsers:
Edge: 44.19041.423.0
Internet Explorer: 11.0.19041.1
npmPackages:
react: ^17.0.2 => 17.0.2
Contributing 🙌🏽
Yes, I am willing to help solve this bug in a PR
Beta Was this translation helpful? Give feedback.
All reactions