providers
Provider<P>β
type Provider<P>:
| OIDCConfig< P >
| OAuth2Config< P >
| EmailConfig
| CredentialsConfig
| WebAuthnConfig & InternalProviderOptions | (...args) =>
| OAuth2Config< P >
| OIDCConfig< P >
| EmailConfig
| CredentialsConfig
| WebAuthnConfig & InternalProviderOptions & InternalProviderOptions;
Must be a supported authentication provider config:
- [OAuthConfig]([object Object])
- EmailConfigInternal
- CredentialsConfigInternal
For more information, see the guides:
Seeβ
Type parametersβ
βͺ P extends Profile
= any
ProviderTypeβ
type ProviderType:
| "oidc"
| "oauth"
| "email"
| "credentials"
| WebAuthnProviderType;
Providers passed to Auth.js must define one of these types.
Seeβ
- RFC 6749 - The OAuth 2.0 Authorization Framework
- OpenID Connect Core 1.0
- Email or Passwordless Authentication
- Credentials-based Authentication
CommonProviderOptionsβ
Shared across all ProviderType
Extended Byβ
Propertiesβ
idβ
id: string;
Uniquely identifies the provider in AuthConfig.providers It's also part of the URL
nameβ
name: string;
The provider name used on the default sign-in page's sign-in button. For example if it's "Google", the corresponding button will say: "Sign in with Google"
typeβ
type: ProviderType;
See ProviderType
OAuth2Config<Profile>β
TODO: Document
Extendsβ
CommonProviderOptions
.PartialIssuer
Type parametersβ
βͺ Profile
Propertiesβ
idβ
id: string;
Identifies the provider when you want to sign in to a specific provider.
Exampleβ
signIn('github') // "github" is the provider ID
Overridesβ
providers.CommonProviderOptions.id
nameβ
name: string;
The name of the provider. shown on the default sign in page.
Overridesβ
providers.CommonProviderOptions.name
accountβ
account?: AccountCallback;
Receives the full TokenSet returned by the OAuth provider, and returns a subset. It is used to create the account associated with a user in the database.
You need to adjust your database's Account model to match the returned properties. Check out the documentation of your database adapter for more information.
Defaults to: access_token
, id_token
, refresh_token
, expires_at
, scope
, token_type
, session_state
Exampleβ
import GitHub from "@auth/core/providers/github"
// ...
GitHub({
account(account) {
// https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens#refreshing-a-user-access-token-with-a-refresh-token
const refresh_token_expires_at =
Math.floor(Date.now() / 1000) + Number(account.refresh_token_expires_in)
return {
access_token: account.access_token,
expires_at: account.expires_at,
refresh_token: account.refresh_token,
refresh_token_expires_at
}
}
})
Seeβ
- Database Adapter: Account model
- https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
- https://www.ietf.org/rfc/rfc6749.html#section-5.1
allowDangerousEmailAccountLinkingβ
allowDangerousEmailAccountLinking?: boolean;
Normally, when you sign in with an OAuth provider and another account with the same email address already exists, the accounts are not linked automatically.
Automatic account linking on sign in is not secure between arbitrary providers and is disabled by default. Learn more in our Security FAQ.
However, it may be desirable to allow automatic account linking if you trust that the provider involved has securely verified the email address
associated with the account. Set allowDangerousEmailAccountLinking: true
to enable automatic account linking.
authorizationβ
authorization?: string | AuthorizationEndpointHandler;
The login process will be initiated by sending the user to this URL.
checksβ
checks?: ("pkce" | "state" | "none")[];
The CSRF protection performed on the callback endpoint.
Defaultβ
["pkce"]
Noteβ
When redirectProxyUrl
or AuthConfig.redirectProxyUrl is set,
"state"
will be added to checks automatically.
RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE) | RFC 6749 - The OAuth 2.0 Authorization Framework | OpenID Connect Core 1.0 |
clientβ
client?: Partial< Client >;
Pass overrides to the underlying OAuth library.
See oauth4webapi
client for details.
profileβ
profile?: ProfileCallback< Profile >;
Receives the full Profile returned by the OAuth provider, and returns a subset. It is used to create the user in the database.
Defaults to: id
, email
, name
, image
Seeβ
wellKnownβ
wellKnown?: string;
OpenID Connect (OIDC) compliant providers can configure
this instead of authorize
/token
/userinfo
options
without further configuration needed in most cases.
You can still use the authorize
/token
/userinfo
options for advanced control.
OIDCConfig<Profile>β
Extension of the OAuth2Config.
Seeβ
https://openid.net/specs/openid-connect-core-1_0.html
Extendsβ
Omit
<OAuth2Config
<Profile
>,"type"
|"checks"
>
Type parametersβ
βͺ Profile
Propertiesβ
idβ
id: string;
Identifies the provider when you want to sign in to a specific provider.
Exampleβ
signIn('github') // "github" is the provider ID
Inherited fromβ
Omit.id
nameβ
name: string;
The name of the provider. shown on the default sign in page.
Inherited fromβ
Omit.name
accountβ
account?: AccountCallback;
Receives the full TokenSet returned by the OAuth provider, and returns a subset. It is used to create the account associated with a user in the database.
You need to adjust your database's Account model to match the returned properties. Check out the documentation of your database adapter for more information.
Defaults to: access_token
, id_token
, refresh_token
, expires_at
, scope
, token_type
, session_state
Exampleβ
import GitHub from "@auth/core/providers/github"
// ...
GitHub({
account(account) {
// https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens#refreshing-a-user-access-token-with-a-refresh-token
const refresh_token_expires_at =
Math.floor(Date.now() / 1000) + Number(account.refresh_token_expires_in)
return {
access_token: account.access_token,
expires_at: account.expires_at,
refresh_token: account.refresh_token,
refresh_token_expires_at
}
}
})
Seeβ
- Database Adapter: Account model
- https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
- https://www.ietf.org/rfc/rfc6749.html#section-5.1
Inherited fromβ
Omit.account
allowDangerousEmailAccountLinkingβ
allowDangerousEmailAccountLinking?: boolean;
Normally, when you sign in with an OAuth provider and another account with the same email address already exists, the accounts are not linked automatically.
Automatic account linking on sign in is not secure between arbitrary providers and is disabled by default. Learn more in our Security FAQ.
However, it may be desirable to allow automatic account linking if you trust that the provider involved has securely verified the email address
associated with the account. Set allowDangerousEmailAccountLinking: true
to enable automatic account linking.
Inherited fromβ
Omit.allowDangerousEmailAccountLinking
authorizationβ
authorization?: string | AuthorizationEndpointHandler;
The login process will be initiated by sending the user to this URL.
Inherited fromβ
Omit.authorization