[V4] Setting Google provider access type to offline for refresh token causes JWT session error

[agusterodin]

Question 💬

I am attempting to use the V4 beta with Google as a provider and with refresh token rotation. I had to improvise since it appears that https://next-auth.js.org/tutorials/refresh-token-rotation is outdated. Logging in with Google works fine but I get this error the next time I reach out to next auth (through use of getSession):

[next-auth][error][JWT_SESSION_ERROR] 
https://next-auth.js.org/errors#jwt_session_error signature verification failed {
  message: 'signature verification failed',
  stack: 'JWSVerificationFailed: signature verification failed\n' +
    '    at jwsVerify (/Users/Jeff/Documents/Pixelboard/pixelboard/ui/node_modules/jose/lib/jws/verify.js:159:13)\n' +
    '    at Object.module.exports [as verify] (/Users/Jeff/Documents/Pixelboard/pixelboard/ui/node_modules/jose/lib/jwt/verify.js:235:5)\n' +
    '    at Object.decode (/Users/Jeff/Documents/Pixelboard/pixelboard/ui/node_modules/next-auth/jwt/index.js:100:28)\n' +
    '    at Object.session (/Users/Jeff/Documents/Pixelboard/pixelboard/ui/node_modules/next-auth/server/routes/session.js:39:38)\n' +
    '    at NextAuthHandler (/Users/Jeff/Documents/Pixelboard/pixelboard/ui/node_modules/next-auth/server/index.js:145:29)\n' +
    '    at runMicrotasks (<anonymous>)\n' +
    '    at processTicksAndRejections (node:internal/process/task_queues:96:5)\n' +
    '    at async /Users/Jeff/Documents/Pixelboard/pixelboard/ui/node_modules/next-auth/server/index.js:251:32\n' +
    '    at async Object.apiResolver (/Users/Jeff/Documents/Pixelboard/pixelboard/ui/node_modules/next/dist/server/api-utils.js:101:9)\n' +
    '    at async DevServer.handleApiRequest (/Users/Jeff/Documents/Pixelboard/pixelboard/ui/node_modules/next/dist/server/next-server.js:770:9)',
  name: 'JWSVerificationFailed'
}

How to reproduce ☕️

I have tried this

export default NextAuth({
  providers: [
    GoogleProvider({
      clientId: process.env.GOOGLE_CLIENT_ID as string,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
      authorization: {
        params: { scope: 'openid email profile', access_type: 'offline' }
      }
    })
  ]
})

and this

export default NextAuth({
  providers: [
    GoogleProvider({
      clientId: process.env.GOOGLE_CLIENT_ID as string,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
      authorization:
        'https://accounts.google.com/o/oauth2/v2/auth?' +
        new URLSearchParams({
          prompt: 'consent',
          access_type: 'offline',
          response_type: 'code'
        })
    })
  ]})

And both yield the error.

Contributing 🙌🏽

Yes, I am willing to help answer this question in a PR

[ConciergeMento]

@agusterodin i am doing something similar as well, if you find a work around can you post it here as well?

[balazsorban44]

I don't think we log the outgoing requests at the moment. I'll look into if we can do that https://github.com/panva/node-openid-client/tree/main/docs#customizing-individual-http-requests

[agusterodin]

Unfortunate that I can't get profile claims when I send a request out myself using that library.

Ended up change my backend API not to rely so much on profile claims (now it will only sync Google picture and display name periodically when those claims are present which is good enough for my purposes.

This is no blocker for updating the example repo. I should have that cleaned up and posted here in a zip file by the end of the day along with a PR for the docs. I prefer not to host the example repo from my GitHub account.

Worst case scenario if you don't want to host it from this account is that the zip file will be here for people to use and obviously the docs will be up to date!

Looking forward to the possibility of this library supporting refreshing out of the box. Also really hoping that the profile claims show up in those refreshed tokens 😀. Glad to be sponsoring this project. I really believe in what you are doing. You are making A LOT of people's lives easier.

[balazsorban44]

Thank you, that means a lot! What is and isn't returned by Google is kind of out of our control though, unfortunately. 🙁

You could check this endpoint by attaching an auth header and see if it returns what you are after. https://openidconnect.googleapis.com/v1/userinfo

openid-client also has a helper method for this: https://github.com/panva/node-openid-client/blob/main/docs/README.md#clientuserinfoaccesstoken-options

[agusterodin]

Put a PR in for the docs fix: nextauthjs/docs#117. Attached a working v4 example to it if you decide you want to use it as well. This combined with your soon to come "secret required" warning fixes should address everything.

[ndom91]

Thanks a lot @agusterodin, we've uploaded this at nextauthjs/next-auth-refresh-token-example and made sure to thank you in the README and list you as author in the package.json ❤️ 🎉

[mrkirchner]

@balazsorban44 one thing i noticed is if i use authorizationUrl instead of authorization i tend to not get JWEDecryptionFailed. Ive tried it in this app and another which doesnt really need the google specific access_type or connection_scope stuff.

   DOES NOT WORK - I never get refresh_token but i also dont get any JWEDecryptionFailed messages either.

    Auth0Provider({
      clientId: process.env.AUTH0_CLIENT_ID as string,
      clientSecret: process.env.AUTH0_CLIENT_SECRET as string,
      issuer: process.env.AUTH0_ISSUER,
      authorizationUrl: `${process.env.AUTH0_ISSUER}/authorize?response_type=code&prompt=consent&connection_scope=https://www.googleapis.com/auth/calendar&access_type=offline`,
    }),


vs 

   WORKS KIND OF - in the sense that i get Refresh Token on Identity but i get JWEDecryptionFailed: decryption operation failed any time i get session

 Auth0Provider({
      clientId: process.env.AUTH0_CLIENT_ID as string,
      clientSecret: process.env.AUTH0_CLIENT_SECRET as string,
      issuer: process.env.AUTH0_ISSUER,
      authorization: `${process.env.AUTH0_ISSUER}/authorize?response_type=code&prompt=consent&connection_scope=https://www.googleapis.com/auth/calendar&access_type=offline`,
    }),

vs 

   WORKS KIND OF - in the sense that i get Refresh Token on Identity but i get JWEDecryptionFailed: decryption operation failed any time i get session

    Auth0Provider({
      clientId: process.env.AUTH0_CLIENT_ID as string,
      clientSecret: process.env.AUTH0_CLIENT_SECRET as string,
      issuer: process.env.AUTH0_ISSUER,
      authorization: {
        params: {
          prompt: "consent",
          response_type: "code",
          access_type: "offline",
          connection_scope:
            "https://www.googleapis.com/auth/calendar",
        },
    }}),

Any insight on what is going on between these 3? Thanks for your help.

[balazsorban44]

authorizationUrl does nothing in v4. there is no reference to it in the core