auth-module: Option to not send code_challenge_method for oauth2 schemes

Google does not allow code_challenge_method as a param for its oauth scheme, and errors if it receives it.


If I understand the source code correctly, there is currently no way to not send it?

That means Google OAuth is unusable for now?

Happy to be shown where I’m not doing something right. Otherwise I’m happy to add a delete statement somewhere in the right area.

My provider setup is:

      google: {
        endpoints: {
          userInfo: '/api/auth/user',
          logout: { url: '/api/auth/logout', method: 'get', withCredentials: true },
        },
        redirectUri: `${FULL_URL}/api/oauth/google/callback`,
        clientId: process.env.GOOGLE_CLIENT_ID,
      },

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 4
  • Comments: 18 (6 by maintainers)

Most upvoted comments

I have this same problem with AWS Cognito as well, and setting codeChallengeMethod to an empty string does not help either. I think this parameter should not be sent by default, or at least there should be an option to exclude it.

@clorichel : Thanks for the revert. I actually managed to solve it using old @nuxtjs/auth module itself!

https://github.com/vinayakkulkarni/map-my-google-photos/blob/main/nuxt.config.ts#L111-L128

The thing is, @nuxtjs/auth uses snake case (_), whereas the new @nuxtjs/auth-next uses camelCase.

There’ll probably be a migration guide when the new major version of @nuxtjs/auth is released 😃

I’m also using auth-next and have Google working fine. These are the options I have set:

        responseType: 'code',
        accessType: 'offline',
        grantType: 'authorization_code',
        codeChallengeMethod: 'S256'

Same problem with @goldengecko 👍

I’m having trouble using the auth code I get back to exchange for a token from Google. I’m using this config:

      google: {
        clientId: process.env.GOOGLE_OAUTH_CLIENT_ID,
        codeChallengeMethod: 'S256', // Required because the default causes google to throw invalid request
        responseType: 'code', // Required because the default 'token' includes rejected nonce arg
        accessType: 'offline', // Required to ensure we get a long lived refresh token
        grantType: 'authorization_code',
        endpoints: {
          token: '/api/v1/auth/google-code',
        },
      },

This seems to be working, and my google-code api is getting called with a payload that includes: code, client_id, redirect_uri, response_type, audience (an empty string), grant_type, and code_verifier.

I understand that I need to use this to ask Google for a token, so I post to https://oauth2.googleapis.com/token with a payload that includes: code, client_id, client_secret, redirect_uri and grant_type (authorization_code). Google just responds with a 400 error which it says is an “invalid_grant” and “bad request”.

Could this be because of something in the auth system not requesting the authentication correctly, or am I calling Google incorrectly?

Edit: Found the solution:

The token endpoint can be called in two circumstances which are identified by the grant_type field.

The first scenario is with the grant_type set to authorization_code. If this happens, then you need to call https://oauth2.googleapis.com/token with the following fields: client_id, client_secret, grant_type, code, redirect_uri, code_verifier.

The second scenario is when the grant_type is set to refresh_token in which case you need to call the same URL with the following fields: client_id, client_secret, grant_type, refresh_token.

From there you can grab the id_token from the response and decode it to get at the user data.
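The two token-endpoint cases described in the comment above, as an added example that is not code from the issue or from @nuxtjs/auth-next: a Node 18+ handler for the custom token endpoint (the one configured as endpoints.token) that maps the module's payload onto what Google expects for each grant_type. It assumes the module POSTs JSON with grant_type set to either 'authorization_code' or 'refresh_token', and that the client secret is held server-side in an environment variable.

```javascript
const GOOGLE_TOKEN_URL = 'https://oauth2.googleapis.com/token';

// Map the module's payload onto the fields Google's token endpoint expects
// for each grant type (the two cases listed in the comment above). Returns
// null when a required field is missing or the grant type is unknown, so
// nothing unexpected is forwarded to Google.
function buildGoogleTokenRequest(payload, clientSecret) {
  const base = {
    client_id: payload.client_id,
    client_secret: clientSecret, // server-side only, never in the browser
    grant_type: payload.grant_type,
  };
  if (payload.grant_type === 'authorization_code') {
    const { code, redirect_uri, code_verifier } = payload;
    if (!code || !redirect_uri || !code_verifier) return null;
    // code_verifier completes the PKCE (S256) exchange the client started.
    return { ...base, code, redirect_uri, code_verifier };
  }
  if (payload.grant_type === 'refresh_token') {
    if (!payload.refresh_token) return null;
    return { ...base, refresh_token: payload.refresh_token };
  }
  return null;
}

// Read the claims from the id_token payload. This decodes only; verify the
// JWT signature against Google's published keys (e.g. google-auth-library's
// verifyIdToken) before trusting claims such as sub or email.
function decodeIdTokenPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed id_token');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Forward the request as application/x-www-form-urlencoded, which is what
// Google's token endpoint accepts. fetchImpl is injectable for testing.
async function exchangeWithGoogle(payload, clientSecret, fetchImpl = fetch) {
  const body = buildGoogleTokenRequest(payload, clientSecret);
  if (!body) return { status: 400, error: 'invalid_request' };
  const res = await fetchImpl(GOOGLE_TOKEN_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams(body).toString(),
  });
  const json = await res.json();
  if (!res.ok) return { status: res.status, error: json.error };
  const user = json.id_token ? decodeIdTokenPayload(json.id_token) : null;
  return { status: 200, tokens: json, user };
}
```

Wire exchangeWithGoogle into the endpoints.token route handler with process.env.GOOGLE_CLIENT_SECRET; the 'invalid_grant' error in the comment above is what Google returns when code_verifier is left out of the authorization_code case.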