next-auth: Cognito callback fails when using social idp

Provider type

Cognito

Environment

System: OS: macOS 13.2.1 CPU: (10) arm64 Apple M1 Max Memory: 2.95 GB / 32.00 GB Shell: 5.8.1 - /bin/zsh Binaries: Node: 19.7.0 - /opt/homebrew/bin/node npm: 9.5.0 - /opt/homebrew/bin/npm Browsers: Chrome: 110.0.5481.177 Firefox: 101.0 Safari: 16.3

Reproduction URL

https://sveltekit-authjs-houdini.pages.dev/

Describe the issue

I’m using SvelteKit and cognito login. Everything works as expected when I login using cognito with a regular email/pw combination. But, if I enable social login on cognito, and try to login with that, when it redirects me to my oauth callback, I get the following error from auth.js on the server:

[auth][error][CallbackRouteError]: Read more at https://errors.authjs.dev#callbackrouteerror
[auth][cause]: OperationProcessingError: unexpected ID Token "nonce" claim value
    at Module.processAuthorizationCodeOpenIDResponse (file:///.../node_modules/oauth4webapi/build/index.js:1016:23)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async handleOAuth (file:///.../node_modules/@auth/sveltekit/node_modules/@auth/core/lib/oauth/callback.js:79:24)
    at async Module.callback (file:///.../node_modules/@auth/sveltekit/node_modules/@auth/core/lib/routes/callback.js:14:41)
    at async AuthInternal (file:///.../node_modules/@auth/sveltekit/node_modules/@auth/core/lib/index.js:64:38)
    at async Proxy.Auth (file:///.../node_modules/@auth/sveltekit/node_modules/@auth/core/index.js:100:30)
    at async Module.respond (/node_modules/@sveltejs/kit/src/runtime/server/respond.js:248:20)
    at async file:///.../node_modules/@sveltejs/kit/src/exports/vite/dev/index.js:501:22
[auth][details]: {
  "provider": "cognito"
}
After selecting a social login, I get redirected to: `http://localhost:5173/auth/error?error=CallbackRouteError`

How to reproduce

The source is available here: https://github.com/half2me/sveltekit-authjs-houdini If you login/register with a normal username and password, it works. If you try to login with social, it fails.

Expected behavior

It should work just like username/password

About this issue

  • State: closed
  • Created a year ago
  • Comments: 15 (15 by maintainers)

Most upvoted comments

If you do not provide a nonce value in your request, Amazon Cognito automatically generates and validates a nonce when you authenticate through a third-party identity provider, then adds it as a nonce claim to the ID token

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-id-token.html

So apparently Cognito returns this nonce value even if it’s not configured. This is not an Auth.js bug, just Cognito being a bit too eager.

You can add `checks: ["nonce", "pkce"]` to your provider config to force a matching nonce value.

https://authjs.dev/reference/core/providers#checks
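The mismatch the maintainer describes, as an added model that is not code from the issue, Auth.js or oauth4webapi: it assumes a hypothetical `cognitoProvider` config shape and a constructed, unsigned ID token, and shows why the callback fails without the `"nonce"` check and passes with it.

```javascript
// Provider config object (hypothetical shape for this model). In a real app the
// same `checks` option goes into the provider call, e.g.
// Cognito({ clientId, clientSecret, issuer, checks: ["nonce", "pkce"] }).
function cognitoProvider(checks) {
  return { id: "cognito", type: "oidc", checks };
}

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Constructed, unsigned ID token for the model; a real token is signed and the
// signature is verified before any claim is trusted.
function makeIdToken(claims) {
  return `${b64url({ alg: "none", typ: "JWT" })}.${b64url(claims)}.`;
}

// Decode the claims segment of a compact JWT (no signature check in this model).
function decodeIdTokenClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("malformed ID token");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Nonce rule as the stack trace shows oauth4webapi applying it: the token's
// nonce must equal what the client sent, and "nothing sent" means "none allowed".
function validateNonce(expectedNonce, claims) {
  if (claims.nonce === expectedNonce) return { ok: true };
  return { ok: false, error: 'unexpected ID Token "nonce" claim value' };
}

// Cognito's documented behaviour for social IdPs: echo the request nonce when
// one was sent, otherwise generate one itself (constructed value here).
function cognitoIssueIdToken(requestNonce) {
  const nonce = requestNonce ?? "cognito-generated-nonce";
  return makeIdToken({ sub: "user-123", iss: "https://cognito-idp.example", nonce });
}

// Fresh request nonce via Web Crypto (Node 19+ and browsers).
function randomNonce() {
  const bytes = new Uint8Array(16);
  globalThis.crypto.getRandomValues(bytes);
  return Buffer.from(bytes).toString("base64url");
}

// One social login round trip. With "nonce" in `checks` a nonce is generated,
// sent and expected back; without it, Cognito's own nonce is "unexpected".
function simulateSocialLogin(provider, makeNonce = randomNonce) {
  const requestNonce = provider.checks.includes("nonce") ? makeNonce() : undefined;
  const idToken = cognitoIssueIdToken(requestNonce);
  return validateNonce(requestNonce, decodeIdTokenClaims(idToken));
}
```

Calling `simulateSocialLogin(cognitoProvider(["pkce"]))` reproduces the error string from the trace, while `simulateSocialLogin(cognitoProvider(["nonce", "pkce"]))` returns `{ ok: true }`.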

Sorry, didn’t see the source code link. :facepalm: Thanks!