How to get OAuth2 Access Token in API request using custom provider configuration #871
Replies: 1 comment
This is how you can do token rotation if you don't use a database. UPDATE: This has been updated, assuming that you use Hi. You should probably check out the Our identity provider sent an access token in the Here is how I do it
//...
callbacks: {
  async jwt(prevToken, account, profile) {
    // Signing in
    if (account && profile) {
      return {
        accessToken: account.access_token,
        accessTokenExpires: Date.now() + account.expires_in * 1000,
        refreshToken: account.refresh_token,
        user: profile,
      }
    }
    // Subsequent use of JWT, the user has been logged in before
    // access token has not expired yet
    if (Date.now() < prevToken.accessTokenExpires) {
      return prevToken
    }
    // access token has expired, try to update it
    return refreshAccessToken(prevToken)
  },
  async session(session, token) {
    if (token) {
      session.user = token.user
      session.accessToken = token.accessToken
    }
    return session
  }
}
//...
/**
 * Takes a token, and returns a new token with updated
 * `accessToken` and `accessTokenExpires`. If an error occurs,
 * returns the old token and an error property
 */
async function refreshAccessToken(token) {
  try {
    const url = `https://${process.env.IDS_DOMAIN}/connect/token`
    const response = await fetch(url, {
      body: new URLSearchParams({
        client_id: process.env.IDS_CLIENT_ID,
        client_secret: process.env.IDS_CLIENT_SECRET,
        grant_type: "refresh_token",
        refresh_token: token.refreshToken,
      }),
      headers: {
        "Content-Type": "application/x-www-form-urlencoded",
      },
      method: "POST",
    })
    const tokens = await response.json()
    if (!response.ok) {
      throw tokens
    }
    return {
      ...token,
      accessToken: tokens.access_token,
      // expires_in comes from the token endpoint response
      accessTokenExpires: Date.now() + tokens.expires_in * 1000,
      refreshToken: tokens.refresh_token,
    }
  } catch (error) {
    console.error(error)
    return {
      ...token,
      error: "RefreshAccessTokenError",
    }
  }
}
#951 is the most up-to-date PR that should solve this issue without needing a user-land solution, but we would like to give a feature that solves token rotation to everyone (both db and non-db, single and multiple provider users), which needs some thinking first.
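The refresh flow from the answer above, as an added example that is not part of the original reply or of next-auth's own code. It goes beyond the posted snippet by refreshing shortly before expiry, keeping the old refresh token when the provider returns none, and sharing one in-flight refresh between concurrent requests in the same process. `makeRefresher`, `getFreshToken`, `fetchImpl` and `skewMs` are hypothetical names, and the token endpoint is assumed to respond as in the snippet above.

```javascript
// Added example, not next-auth code. makeRefresher, getFreshToken, fetchImpl
// and skewMs are hypothetical names; the endpoint response shape is assumed.
function makeRefresher({ tokenUrl, clientId, clientSecret, fetchImpl = globalThis.fetch, skewMs = 30000 }) {
  const inFlight = new Map() // refresh token -> pending refresh (this process only)

  async function refresh(token) {
    try {
      const response = await fetchImpl(tokenUrl, {
        method: "POST",
        headers: { "Content-Type": "application/x-www-form-urlencoded" },
        body: new URLSearchParams({
          client_id: clientId,
          client_secret: clientSecret,
          grant_type: "refresh_token",
          refresh_token: token.refreshToken,
        }),
      })
      const tokens = await response.json()
      if (!response.ok) throw tokens
      const { error, ...rest } = token // drop an error left by an earlier failed attempt
      return {
        ...rest,
        accessToken: tokens.access_token,
        accessTokenExpires: Date.now() + tokens.expires_in * 1000,
        // Providers that do not rotate refresh tokens omit this field: keep the old one.
        refreshToken: tokens.refresh_token ?? token.refreshToken,
      }
    } catch (err) {
      // Same contract as the snippet above: old token plus an error marker.
      return { ...token, error: "RefreshAccessTokenError" }
    }
  }

  // Returns the token unchanged while it is valid, otherwise a refreshed copy.
  return function getFreshToken(token) {
    if (Date.now() < token.accessTokenExpires - skewMs) return Promise.resolve(token)
    let pending = inFlight.get(token.refreshToken)
    if (!pending) {
      // Concurrent requests with the same expired token share one refresh call,
      // so a rotating refresh token is presented to the provider only once.
      pending = refresh(token).finally(() => inFlight.delete(token.refreshToken))
      inFlight.set(token.refreshToken, pending)
    }
    return pending
  }
}
```

In the `jwt` callback above, `return getFreshToken(prevToken)` would take the place of the expiry check and the call to `refreshAccessToken`.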
Your question
How do I get the OAuth2 access_token in API request for custom provider configuration?
What are you trying to do
I have an app that is authenticating users with an OAuth2 service (Salesforce) and then will make requests on their behalf.
I have configured next-auth so that I am successfully able to log in using the "custom provider".
Now I need to pull data from the Salesforce REST API using the access token which is returned by the OAuth request. However, it's unclear how I can get the access token in my API service.
Seems like maybe JWT needs to be set up so the token can securely be stored on the client side? Unfortunately I'm not finding any clear documentation or examples of this.
Feedback
Documentation refers to searching through online documentation, code comments and issue history. The example project refers to next-auth-example.