providers

EndpointHandler​

EndpointHandler: <P, C, R> AdvancedEndpointHandler<P, C, R>

Either a URL (containing all the parameters) or an object with more granular control.

Type parameters​

  • P extends UrlParams
  • C = any
  • R = any

OAuthConfigInternal​

OAuthConfigInternal: <Profile> Omit<OAuthConfig<Profile>, OAuthEndpointType | "redirectProxyUrl"> & {authorization?: {url: URL;}; redirectProxyUrl?: OAuth2Config<Profile>["redirectProxyUrl"]; token?: {url: URL; request?: TokenEndpointHandler["request"];}; userinfo?: {url: URL; request?: UserinfoEndpointHandler["request"];};} & Pick<Required<OAuthConfig<Profile>>, "clientId" | "checks" | "profile">

We parsed authorization, token and userinfo to always contain a valid URL, with the params

Type parameters​

  • Profile

Provider​

Provider: <P> OIDCConfig<P> | OAuth2Config<P> | EmailConfig | CredentialsConfig & InternalProviderOptions | (...args: any) => OAuth2Config<P> | OIDCConfig<P> | EmailConfig | CredentialsConfig & InternalProviderOptions & InternalProviderOptions

Must be a supported authentication provider config:

  • OAuthConfig
  • EmailConfigInternal
  • CredentialsConfigInternal

ProviderType​

ProviderType: "oidc" | "oauth" | "email" | "credentials"

Providers passed to Auth.js must define one of these types.


CommonProviderOptions​

Shared across all ProviderType

Properties​

id​

id: string

Uniquely identifies the provider in AuthConfig.providers. It's also part of the URL.

name​

name: string

The provider name used on the default sign-in page's sign-in button. For example, if it's "Google", the corresponding button will say: "Sign in with Google".

type​

type: ProviderType

See ProviderType


OAuth2Config​

TODO: Document

Type parameters​

  • Profile

Properties​

id​

id: string

Identifies the provider when you want to sign in to a specific provider.

Example

signIn("github"); // "github" is the provider ID

Overrides

CommonProviderOptions.id

name​

name: string

The name of the provider, shown on the default sign-in page.

Overrides​

CommonProviderOptions.name

allowDangerousEmailAccountLinking?​

allowDangerousEmailAccountLinking: boolean

Normally, when you sign in with an OAuth provider and another account with the same email address already exists, the accounts are not linked automatically.

Automatic account linking on sign in is not secure between arbitrary providers and is disabled by default. Learn more in our Security FAQ.

However, it may be desirable to allow automatic account linking if you trust that the provider involved has securely verified the email address associated with the account. Set allowDangerousEmailAccountLinking: true to enable automatic account linking.

authorization?​

authorization: string | AuthorizationEndpointHandler

The login process will be initiated by sending the user to this URL.

Authorization endpoint

checks?​

checks: ("none" | "state" | "pkce")[]

The CSRF protection performed on the callback endpoint.

Default

["pkce"];

Note

When redirectProxyUrl or AuthConfig.redirectProxyUrl is set, "state" will be added to checks automatically.

RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE) | RFC 6749 - The OAuth 2.0 Authorization Framework | OpenID Connect Core 1.0
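
What the "state" and "pkce" checks verify, shown from both sides of the flow. This is an added example, not Auth.js or oauth4webapi code; the function names and the PendingLogin shape are assumptions made for illustration.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Unpadded base64url, the encoding RFC 7636 uses for verifier and challenge.
const b64url = (buf: Buffer): string => buf.toString("base64url");

// S256 transform: BASE64URL(SHA256(ASCII(code_verifier))).
function codeChallengeS256(codeVerifier: string): string {
  return b64url(createHash("sha256").update(codeVerifier, "ascii").digest());
}

// Length check first: timingSafeEqual throws on buffers of unequal length.
function safeEqual(a: string, b: string): boolean {
  const x = Buffer.from(a);
  const y = Buffer.from(b);
  return x.length === y.length && timingSafeEqual(x, y);
}

// Values the client keeps per login attempt (hypothetical shape).
interface PendingLogin { state: string; codeVerifier: string }

// Client, step 1: build the authorization request parameters.
function beginLogin(): { pending: PendingLogin; params: URLSearchParams } {
  const pending: PendingLogin = {
    state: b64url(randomBytes(32)),
    codeVerifier: b64url(randomBytes(32)), // 43 characters, the RFC 7636 minimum
  };
  const params = new URLSearchParams({
    response_type: "code",
    state: pending.state,
    code_challenge: codeChallengeS256(pending.codeVerifier),
    code_challenge_method: "S256",
  });
  return { pending, params };
}

// Client, step 2 ("state" check): the callback must echo this session's state.
function checkState(pending: PendingLogin, callbackParams: URLSearchParams): boolean {
  const returned = callbackParams.get("state");
  return returned !== null && safeEqual(returned, pending.state);
}

// Authorization server ("pkce" check): the verifier sent with the token request
// must hash to the challenge stored with the authorization code.
function serverAcceptsVerifier(storedChallenge: string, codeVerifier: string): boolean {
  return safeEqual(codeChallengeS256(codeVerifier), storedChallenge);
}
```

A callback whose state does not match the pending login, or a token request whose verifier does not hash to the stored challenge, is rejected.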

client?​

client: Partial<Client>

Pass overrides to the underlying OAuth library. See oauth4webapi client for details.

profile?​

profile: ProfileCallback<Profile>

Receives the profile object returned by the OAuth provider, and returns the user object. This will be used to create the user in the database. Defaults to: id, email, name, image

Documentation

wellKnown?​

wellKnown: string

OpenID Connect (OIDC) compliant providers can configure this instead of the authorization/token/userinfo options without further configuration needed in most cases. You can still use the authorization/token/userinfo options for advanced control.

Authorization Server Metadata


OIDCConfig​

TODO: Document

Type parameters​

  • Profile

Properties​

id​

id: string

Identifies the provider when you want to sign in to a specific provider.

Example

signIn("github"); // "github" is the provider ID

Inherited from

Omit.id

name​

name: string

The name of the provider, shown on the default sign-in page.

Inherited from​

Omit.name

allowDangerousEmailAccountLinking?​

allowDangerousEmailAccountLinking: boolean

Normally, when you sign in with an OAuth provider and another account with the same email address already exists, the accounts are not linked automatically.

Automatic account linking on sign in is not secure between arbitrary providers and is disabled by default. Learn more in our Security FAQ.

However, it may be desirable to allow automatic account linking if you trust that the provider involved has securely verified the email address associated with the account. Set allowDangerousEmailAccountLinking: true to enable automatic account linking.

Inherited from​

Omit.allowDangerousEmailAccountLinking

authorization?​

authorization: string | AuthorizationEndpointHandler

The login process will be initiated by sending the user to this URL.

Authorization endpoint

Inherited from​

Omit.authorization

client?​

client: Partial<Client>

Pass overrides to the underlying OAuth library. See oauth4webapi client for details.

Inherited from​

Omit.client

profile?​

profile: ProfileCallback<Profile>

Receives the profile object returned by the OAuth provider, and returns the user object. This will be used to create the user in the database. Defaults to: id, email, name, image

Documentation

Inherited from​

Omit.profile

wellKnown?​

wellKnown: string

OpenID Connect (OIDC) compliant providers can configure this instead of the authorization/token/userinfo options without further configuration needed in most cases. You can still use the authorization/token/userinfo options for advanced control.

Authorization Server Metadata

Inherited from​

Omit.wellKnown
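
A configuration review helper for the allowDangerousEmailAccountLinking and checks options documented above: it lists OAuth and OIDC providers that link accounts by email automatically or whose callback runs with neither "state" nor "pkce". This is an added example, not part of Auth.js; ProviderLike, effectiveChecks, auditProviders and the sample provider ids are assumptions, and the effective-checks rule is a model of what this page states.

```typescript
type Check = "none" | "state" | "pkce";

// Only the option names documented on this page; not Auth.js's own types.
interface ProviderLike {
  id: string;
  type: "oidc" | "oauth" | "email" | "credentials";
  checks?: Check[];
  redirectProxyUrl?: string;
  allowDangerousEmailAccountLinking?: boolean;
}

// Model of the documented rule: default ["pkce"], and "state" is added
// when redirectProxyUrl is set on the provider or globally.
function effectiveChecks(p: ProviderLike, globalRedirectProxyUrl?: string): Check[] {
  const base: Check[] = p.checks ?? ["pkce"];
  const checks = base.slice();
  if ((p.redirectProxyUrl || globalRedirectProxyUrl) && checks.indexOf("state") < 0) {
    checks.push("state");
  }
  return checks;
}

function auditProviders(providers: ProviderLike[], globalRedirectProxyUrl?: string): string[] {
  const findings: string[] = [];
  for (const p of providers) {
    if (p.type !== "oauth" && p.type !== "oidc") continue;
    if (p.allowDangerousEmailAccountLinking === true) {
      findings.push(`${p.id}: automatic email account linking is enabled; confirm the provider verifies email addresses`);
    }
    const checks = effectiveChecks(p, globalRedirectProxyUrl);
    if (checks.indexOf("pkce") < 0 && checks.indexOf("state") < 0) {
      findings.push(`${p.id}: callback runs with neither "state" nor "pkce"`);
    }
  }
  return findings;
}

// Constructed sample configuration, for illustration only.
const sampleProviders: ProviderLike[] = [
  { id: "github", type: "oauth" },
  { id: "legacy-idp", type: "oauth", checks: ["none"], allowDangerousEmailAccountLinking: true },
  { id: "corp-sso", type: "oidc", checks: ["state"] },
];

console.log(auditProviders(sampleProviders).join("\n"));
```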