Linked accounts does not include scope as set by the user #12391

Open
dlbnco opened this issue Dec 16, 2024 · 0 comments
Labels
bug Something isn't working triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.

dlbnco commented Dec 16, 2024

Environment

  System:
    OS: macOS 15.1.1
    CPU: (10) arm64 Apple M1 Pro
    Memory: 228.02 MB / 32.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 18.17.1 - ~/.nvm/versions/node/v18.17.1/bin/node
    Yarn: 3.6.4 - /usr/local/bin/yarn
    npm: 9.6.7 - ~/.nvm/versions/node/v18.17.1/bin/npm
    bun: 1.1.30 - ~/.bun/bin/bun
    Watchman: 2024.11.04.00 - /opt/homebrew/bin/watchman
  Browsers:
    Brave Browser: 120.1.61.116
    Chrome: 131.0.6778.110
    Safari: 18.1.1
  npmPackages:
    @auth/prisma-adapter: ^2.1.0 => 2.1.0
    next: 14.2.13 => 14.2.13
    next-auth: 4.24.8 => 4.24.8
    react: ^18 => 18.2.0

Reproduction URL

https://github.com/dlbnco/next-auth-example

Describe the issue

I have next-auth with a Strava provider and Prisma adapter. My Prisma schema has an Account model as suggested in the docs, including the scope parameter.

I set the scope required for my app as following:

// Scopes the app needs. Strava expects a comma-separated list, which is what
// Array.prototype.join() produces when called with no separator argument.
const REQUIRED_SCOPES = [
  'read',
  'read_all',
  'activity:read_all',
  'profile:read_all',
];

// Inside the Strava provider configuration
authorization: {
  url: 'https://www.strava.com/api/v3/oauth/authorize',
  params: {
    scope: REQUIRED_SCOPES.join(),
    approval_prompt: 'auto',
    response_type: 'code',
  },
},

The scopes are correctly built into the authorization URL. After authenticating with the provider, it calls back the app including the scope parameter that was actually set during authentication, e.g.:

/api/auth/callback/strava?state=...&code=...&scope=read,read_all,activity:read_all,profile:read_all

I would like to access this before account creation (in some callback/event). It also seems like it is supposed to be stored; however, nothing gets stored, and I cannot access it in handlers like token.request or userinfo.request.

Some relevant files:

https://github.com/nextauthjs/next-auth/blob/v4/packages/next-auth/src/core/lib/oauth/callback.ts
https://github.com/nextauthjs/next-auth/blob/v4/packages/next-auth/src/core/lib/oauth/client.ts

How to reproduce

Set up an OAuth provider using some specific scope
Authenticate
Try to access the scope actually set during the authentication (it might be different from the required scope)

Expected behavior

The scope is accessible and stored along with the Account.

@dlbnco dlbnco added bug Something isn't working triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime. labels Dec 16, 2024
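One way to check the granted scopes yourself, as an added example that is not code from the issue or from next-auth. It assumes Strava's comma-separated scope format and, for the token.request override, assumes next-auth v4's custom token hook receives { client, params, checks, provider } with params carrying the callback query parameters and returns { tokens }. The names grantedScopesFromCallback, missingScopes and tokenRequestWithScope, and the two callback URLs, are constructed for illustration.

```javascript
// Added example, not code from the issue or from next-auth. Assumes Strava's
// comma-separated scope format; the token.request shape below is an assumption
// about next-auth v4 ({ client, params, checks, provider } in, { tokens } out).

const REQUIRED_SCOPES = ['read', 'read_all', 'activity:read_all', 'profile:read_all'];

// Parse the scopes the provider reports as actually granted from the callback URL.
// A relative path such as "/api/auth/callback/strava?..." needs a base to parse.
function grantedScopesFromCallback(callbackUrl) {
  const url = new URL(callbackUrl, 'http://localhost');
  const raw = url.searchParams.get('scope') ?? '';
  return raw.split(',').map((s) => s.trim()).filter(Boolean);
}

// Return the required scopes the user did not grant, in the required order.
function missingScopes(required, granted) {
  const have = new Set(granted);
  return required.filter((s) => !have.has(s));
}

// Hypothetical token.request override for the provider's `token` option. It
// exchanges the code the same way the default does, refuses the sign-in when a
// required scope was declined, and copies the granted scope into the returned
// token set so an adapter has something to persist in Account.scope.
async function tokenRequestWithScope({ client, params, checks, provider }) {
  const tokens = await client.oauthCallback(provider.callbackUrl, params, checks);
  const granted = (params.scope ?? '').split(',').map((s) => s.trim()).filter(Boolean);
  const missing = missingScopes(REQUIRED_SCOPES, granted);
  if (missing.length > 0) {
    throw new Error(`Strava did not grant required scopes: ${missing.join(',')}`);
  }
  return { tokens: { ...tokens, scope: granted.join(',') } };
}

// Constructed callback URLs: a full grant, and one where the user declined two scopes.
const FULL_GRANT =
  '/api/auth/callback/strava?state=s&code=c&scope=read,read_all,activity:read_all,profile:read_all';
const PARTIAL_GRANT = '/api/auth/callback/strava?state=s&code=c&scope=read,activity:read_all';

// Usage: which required scopes are missing from the partial grant
missingScopes(REQUIRED_SCOPES, grantedScopesFromCallback(PARTIAL_GRANT));
```

The check matters because the consent screen lets a user decline individual scopes, so the scope in the callback can be a subset of what was requested; rejecting the sign-in there is cheaper than discovering a 403 later when the app calls an endpoint it was never authorized for. Merging the granted scope into the returned tokens is also the point where an adapter can pick it up: if the token step's response does not carry scope, an Account.scope column built from that response stays empty.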