OAuthAccountNotLinked With only 1 user and 1 provider

[rafiqumsieh0]

Describe the bug
I have only 1 user in the database and am using only 1 provider, which is Google. I am using MongoDB Atlas for the database. Initial signIn works fine and the user is created in the database, and a session is created. The bug occurs when I log that user out and I try to log in again. Now, when I try to sign the user in (User record is already in the database), it redirects me to the default sign in page:

OAuthAccountNotLinked with the message : "To confirm your identity, sign in with the same account you used originally".

Every subsequent request will lead to the same result.

If I delete the user from the database, it will work fine again.

I console logged the signIn callback, and Google is returning all the necessary data.

Steps to reproduce
Set up:

Safari browser
Google Provider
MongoDB Atlas Database

Steps:
1-) Try an initial log in with Google.
2-) After a successful user creation and session creation, log out.
3-) Try logging back in.

The bug should happen at step 3.

Expected behavior
I expected the signIn with Google to work fine since the initial SignIn works fine.

Screenshots or error logs
Just that default Sign In Page

Additional context
None at the moment.

Feedback
Thanks for the great library

• Found the documentation helpful
• Found documentation but was incomplete
• Could not find relevant documentation
• Found the example project helpful
• Did not find the example project helpful

[balazsorban44]

could you provide the error being thrown?

your configuration and client side code for signIn and signOut could also help resolving the problem

[rafiqumsieh0]

@balazsorban44 Thanks for the prompt response. The error is OAuthAccountNotLinked. I updated the comment to include more information including what is displayed on the default sign in page along with the error. Please let me know if you need any additional information.

[dr-starchildren]

I'm encountering the same error on Chrome and Firefox. The steps to reproduce are the same as the original poster.

Okay, this was a long journey... to find my own screw up see below for details.
TLDR; make sure to clear Accounts and Users collections when doing testing.

I have a custom Signin page and am receiving the OAuthAccountNotLinked error after signing out a user. I can only get a Signin again after deleting the account in the MongoDB. I don't use a custom signout page, just a button in the Navbar that calls signOut(). See my Signin and config page below.

import { providers, csrfToken, email } from 'next-auth/client';
....
export default function SignIn({
  callbackUrl,
  providers,
  csrfToken,
}) {

  return (
    <Layout pageTitle={title} useBackground>
    ...
          <Content>
            {error && (
              <Error>
                <p>{error}</p>
              </Error>
            )}
            {Object.values(providers).map((provider) => (
              <div key={provider.id}>
                {provider.type === 'email' && (
                  <Form action={provider.signinUrl} method='POST'>
                    <input type='hidden' name='csrfToken' value={csrfToken} />
                    <EmailDiv>
                      <input
                        id={`input-email-for-${provider.id}-provider`}
                        autoFocus
                        type='text'
                        name='email'
                        value={email}
                        placeholder='email@example.com'
                      />
                    </EmailDiv>
                    <Button type='submit' disabled={!checkbox}>
                      Sign in with {provider.name}
                    </Button>
                  </Form>
                )}

                {provider.type === 'oauth' && (
                  <div>
                    <form action={provider.signinUrl} method='POST'>
                      <input type='hidden' name='csrfToken' value={csrfToken} />
                      {callbackUrl && (
                        <input
                          type='hidden'
                          name='callbackUrl'
                          value={callbackUrl}
                        />
                      )}
                      <Button type='submit' disabled={!checkbox}>
                        Sign in with {provider.name}
                      </Button>
                    </form>
                  </div>
                )}
              </div>
            ))}
    </Layout>
  );
}

SignIn.getInitialProps = async (context) => {
  return {
    providers: await providers(context),
    csrfToken: await csrfToken(context),
  };
};

Here's my next-auth config

const options = {
  site: process.env.NEXTAUTH_URL,
  providers: [
    // OAuth authentication providers...
    Providers.Google({
      clientId: process.env.GOOGLE_ID,
      clientSecret: process.env.GOOGLE_SECRET,
    }),
    Providers.Facebook({
      clientId: process.env.FACEBOOK_ID,
      clientSecret: process.env.FACEBOOK_SECRET,
    }),

    Providers.Email({
      server: {
        port: process.env.EMAIL_SERVER_PORT,
        host: process.env.EMAIL_SERVER_HOST,
        secure: true,
        auth: {
          user: process.env.EMAIL_SERVER_USER,
          pass: process.env.EMAIL_SERVER_PASSWORD,
        },
        tls: {
          rejectUnauthorized: false,
        },
      },
      from: process.env.EMAIL_FROM,
    }),
  ],
  pages: {
    signIn: '/auth/signin',
    verifyRequest: '/auth/verify-request',
  },

  adapter: Adapters.TypeORM.Adapter(
    // The first argument should be a database connection string or TypeORM config object
    //process.env.DATABASE_URL,
    process.env.DB_LOCAL_LOGIN,
    // The second argument can be used to pass custom models and schemas
    {
      models: {
        User: Models.User,
      },
    }
  ),
  callbacks: {
    redirect: async (url, _) => {
      return Promise.resolve('/reading-program');
    },
  },
};

[balazsorban44]

@rafiqumsieh0 you say you updated the original comment, but I can see no relevant change. I appreciate @dr-starchildren 's addition, but you reported the bug, so I would like to have a look at your configuration/reproduction as well.

@dr-starchildren which version are you using? I am noticing a site property in your options, which indicates a very old (2.x) version. Is this the case? Then I would start with upgrading to our latest release (as of this writing 3.10.1) and you can safely remove the site property. It does nothing really. The important part is that the env variable is set.

Also, you say you have the same reproduction, but still, the OP says they use a single provider, while your code example shows at least 3.

[dr-starchildren]

@balazsorban44 I am using 3.10, just didn't realize I could remove the site. Thanks!

While my code allows for 3 providers, I've replicated with just a single provider. My problem is with Google only currently. I isolated Facebook and email verification and didn't have a problem signing in and out with them.

update
So like the OP, I turned on debug mode and see that I'm getting the correct OAuth Profile back during the second sign on event (after signing out). The get_authorization_url, profile_data, oauth_callback_response and OAuthProfile result from the request is identical to the first login.

The type_orm_link_account result is less clear to me. I can't interpret all the fields, but they seem to have the same identifiers as the initial request. The only thing I can't decipher is the typeorm_link_account response. It shows some undefined and null fields though. I've marked the fields I can match to other parts of the request in bold. I can't find type_orm_link in the code repo though, so unsure how to figure out these other fields in the request.

[next-auth][debug][typeorm_link_account] MongoDBObjectID google oauth GoogleOAuthID undefined providerAccount.AccessToken null

[dr-starchildren]

So it's failing in the manager.findOne(User, { [idKey]: account.userId }) step of the get user account. It returns undefined, even though there is an account to be found.

async function getUserByProviderAccountId (providerId, providerAccountId) {
      debug('GET_USER_BY_PROVIDER_ACCOUNT_ID', providerId, providerAccountId)
      try {
        const account = await manager.findOne(Account, { providerId, providerAccountId })
        if (!account) { return null }
        return manager.findOne(User, { [idKey]: account.userId })
      } catch (error) {
        logger.error('GET_USER_BY_PROVIDER_ACCOUNT_ID_ERROR', error)
        return Promise.reject(new Error('GET_USER_BY_PROVIDER_ACCOUNT_ID_ERROR', error))
      }
    }

update
Ok, the actual error is in the Account look up. I don't really understand how the Account generator function works, but it returns the wrong userId. All the other fields in it are correct. And it works correctly with Facebook for some reason...
const account = await manager.findOne(Account, { providerId, providerAccountId })

[dr-starchildren]

Okay, this was a long journey... to find my own screw up.
TLDR; make sure to clear Accounts and Users collections when doing testing.

I missed that there was an accounts collection created and I was only resetting my users collection when doing my testing. So, a new account would be created successfully, however it would create a new ObjectID in Mongo under users. Then the findOne request in getUserbyProviderAccountId would return the first ObjectID in accounts, but that user no longer existed.

This function found the older ObjectID in accounts, which didn't match the new one in users.
const account = await manager.findOne(Account, { providerId, providerAccountId })

This was entirely user error in resetting my database, but a possible solution is to return the latest ObjectID for a providerAccountId from the OAuth request, instead of the first. The risk is that poor database management would allow the Accounts collection to fill up with useless data.

[rafiqumsieh0]

Sorry guys I was afk. My code is very similar to dr-starchildren. Thanks to @dr-starchildren , I was able to solve the problem. I was not aware of the "accounts" collection that is used internally to keep track of users. I was deleting the "users" collection without clearing the "accounts' collection. I found multiple records in the "accounts" collection. That was probably created during initial setup and testing. Deleting both collections (users and accounts) solved my issue, and now I can log in with no issues so far.

Thank you both @balazsorban44 @dr-starchildren

[shivamragnar]

@balazsorban44 Well thanks for the great library again. IMO this issue is still there and we cannot delete the collections of the app that is running live. I think the issue is something else, may be it is with how the linking of accounts is handled.

We have a user with correct data in users and accounts collections. Each having only single record no multiple records, neither with any other provider nor for any multiple signIn requests. Having this level of clean data is still returning error as OAuthAccountNotLinked.
We tested this, for us everything works fine unless we remove data from accounts collection for a user and then we experience this error. But the use-case i have mentioned above have both the entries in users and in accounts.
We are using "next": "^12.0.3", "next-auth": "^3.13.3", in our app.

Any help would be helpful so that we can rectify this particular user's login issue.