next-auth: How to get Google provider ID token and not access token

When using the Google provider I want to be able to authenticate with a backend server and for this I need to send the ID token to that API and get back the access token. Further info about this flow can be found here.

This extra request I plan to do in the JWT callback, but in there I cannot access the ID token. Only accessToken is given back in token.account.

This is what I get in the JWT callback:

token (first argument):

{
  user: {
    name: <name>,
    email: <email>,
    image: <image>
  },
  account: {
    provider: 'google',
    type: 'oauth',
    id: <id>,
    refreshToken: undefined,
    accessToken: <accessToken>,
    accessTokenExpires: null
  },
  isNewUser: undefined
}

profile (second argument):

{
  id: <id>,
  email: <email>,
  verified_email: true,
  name: <name>,
  given_name: <given_name>,
  family_name: <family_name>,
  picture: <picture>,
  locale: 'en'
}

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 1
  • Comments: 15 (6 by maintainers)

Most upvoted comments

Any update on this?

The Google provider isn’t really complete without it since most front ends will be calling services that need to verify a user’s id_token.

Yeah Google is unusual and this has come up before, we should really cover this in the docs.

tl;dr Google only returns a RefreshToken on first sign in and should be used with a database. You can force it to issue a new one every time using access_type=offline and prompt=consent but that is intended for mobile and desktop applications and changes the sort of prompt a user sees when they sign in (and isn’t as seamless).

More info in #269

const getIdToken = async (refreshToken) => {
  // Send the parameters in the POST body so the tokens and secret stay out of the URL.
  const body = new URLSearchParams({
    refresh_token: refreshToken,
    client_id: process.env.GOOGLE_CLIENT_ID, // environment variable names are assumed
    client_secret: process.env.GOOGLE_CLIENT_SECRET,
    grant_type: 'refresh_token',
  });
  const response = await fetch('https://oauth2.googleapis.com/token', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  });
  const result = await response.json();
  return result.id_token;
};

Thanks for trying that and reporting what you saw.

I think at the moment the answer is this is not possible, but it seems like a reasonable feature request.
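
An added example, not part of the original thread or of next-auth: the checks a backend performs when, as a comment above puts it, it needs to verify a user's id_token. It assumes Node.js; the function names, the placeholder client ID and the locally generated key pair (standing in for Google's published signing key) are constructed for illustration.

```javascript
// Added example: the checks a backend makes on a Google ID token (a JWT).
const crypto = require('node:crypto');

const GOOGLE_ISSUERS = ['accounts.google.com', 'https://accounts.google.com'];
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Verify signature, issuer, audience and expiry; return the claims or throw.
// `publicKey` stands in for the Google signing key selected by the header's `kid`.
function verifyIdToken(idToken, publicKey, clientId, now = Date.now() / 1000) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, sig] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  // Pin the algorithm: never let the token's own header choose it.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey,
    Buffer.from(sig, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (!GOOGLE_ISSUERS.includes(claims.iss)) throw new Error('wrong issuer');
  // The audience must be this application's own client ID.
  if (claims.aud !== clientId) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Constructed test material: a locally generated key pair signs a sample token.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signSample(claims, key = privateKey) {
  const data = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(claims)}`;
  return `${data}.${crypto.sign('RSA-SHA256', Buffer.from(data), key).toString('base64url')}`;
}

const CLIENT_ID = 'example-client-id.apps.googleusercontent.com'; // placeholder
const sampleClaims = { iss: 'https://accounts.google.com', aud: CLIENT_ID,
  sub: '1234567890', email: 'user@example.com', exp: Math.floor(Date.now() / 1000) + 3600 };

// Returns the failure reason, or null when the token is accepted.
function rejectReason(token, clientId = CLIENT_ID) {
  try { verifyIdToken(token, publicKey, clientId); return null; }
  catch (e) { return e.message; }
}
```

A token issued for a different client ID, an expired token, or one whose payload was altered after signing is rejected before any claim is trusted.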