Provider OAuth JWT Header Access

[mod-flux]

Summary of proposed feature
Provide access to the JWT header of the responding idToken from the OAuth provider in the profile() function.

Purpose of proposed feature
It's best practice to validate the contents of an idToken against public keys provided by the OAuth vendor (usually found at a .well-known endpoint provided by the vendor. Whilst this is possible due to the async nature of the profile() function, we currently do have access to the JWT header in said function (the first section of the 3 sections a JWT is made up of) which contains the following payload:

{
  "alg": "HS256",
  "type": "JWT",
  "kid": "....",
}

We need access to the key ID above in order to validate the idToken validate the idToken against the .well-known endpoint provided by the OAuth vendor as they will rotate keys often and we need to be able to select the correct one that matches up with the kid we have received.

Detail about proposed feature
Provide another parameter on the profile() service that provides the header aswell as the payload and profile information. Furthermore, the ability to cache and retrieve the public keys on the Lambda would be preferable as public keys only tend to rotate every 3 months so wouldn't want to make an API call every time if it could be avoided.

Potential problems
None that I can tell.

Describe any alternatives you've considered
I've been told that there is work currently ongoing to customise request and response methods for providers with the ability to use async methods such as API calls which may negate this proposal entirely but I thought it best to leave the contributors to judge this.

Additional context
I don't feel I have the necessary skills to contribute on code with this one but happy to help.

[balazsorban44]

Hi, please have a look at #1846 and tell me if it could help in your case?

Note that the profile callback already has a second parameter, containing also the id_token!

[mod-flux]

Will take a look @balazsorban44, I'm committed with work at the moment but it looks to be building traction!

[stale]

Hi there! It looks like this issue hasn't had any activity for a while. It will be closed if no further activity occurs. If you think your issue is still relevant, feel free to comment on it to keep it open. (Read more at #912) Thanks!

[balazsorban44]

@mod-flux If I am not mistaken, this is done through the jwks_uri, right? If so, then #2411 is going to add support of this, and you won't have to do anything other than configuring the jwks_uri provider option! (Automatic .well-known discovery might make this even easier, but the PR is huge, will inform on your other issue when that is in sight)

Here is an example of how the config should look like:
https://github.com/nextauthjs/next-auth/blob/a86140e496799bd173f8f8c7a6093b8bb3d18b6b/src/providers/auth0.js

I just learned that in the case of OIDC compliant providers, the jwks_uri is actually required, so whenever a provider sets idToken: true in token, this endpoint will actually be required from the user as well, otherwise openid-client throws an error.

I am still thinking of a way how to require the least amount of config from the end-user but also leaving enough flexibility for power users. Open to any suggestions!

[mod-flux]

@mod-flux If I am not mistaken, this is done through the jwks_uri, right? If so, then #2411 is going to add support of this, and you won't have to do anything other than configuring the jwks_uri provider option! (Automatic .well-known discovery might make this even easier, but the PR is huge, will inform on your other issue when that is in sight)

Here is an example of how the config should look like:
https://github.com/nextauthjs/next-auth/blob/a86140e496799bd173f8f8c7a6093b8bb3d18b6b/src/providers/auth0.js

I just learned that in the case of OIDC compliant providers, the jwks_uri is actually required, so whenever a provider sets idToken: true in token, this endpoint will actually be required from the user as well, otherwise openid-client throws an error.

I am still thinking of a way how to require the least amount of config from the end-user but also leaving enough flexibility for power users. Open to any suggestions!

@balazsorban44 yes this looks like it would cover this use case absolutely. The link you referenced would be awesome to set up a OAuth provider! Is that already available or as part of the next major version?

[balazsorban44]

I have it working locally, but no release yet. I can soon create an experimental release so you could test it out. 😊 My current headache is to transfer all the currently built-in providers. We did a great job using patches for some of them, but openid-client (the new underlying library) is a bit more strict about following the spec, so we might have to go through all the providers one-by-one to convert them... 😕

[balazsorban44]

@mod-flux I created an experimental release here next-auth@0.0.0-pr.2411.0f8b51b3!

I still try to figure out the best API for everything, but currently.. You can set wellKnown to your Provider's .well-known endpoint, and jwks_uri will be picked up from there and used where it is needed (like verifying the validity of the id_token).

Have a look at Auth0 for an example:

https://github.com/nextauthjs/next-auth/blob/2a16cc0da59d5d5f07126798df344dffb55b4dff/src/providers/auth0.js

Configuration will look like this:

Auth0Provider({
  clientId: process.env.AUTH0_ID,
  clientSecret: process.env.AUTH0_SECRET,
  issuer: process.env.AUTH0_ISSUER,
}),

[mod-flux]

Awesome, I've just left a comment @balazsorban44. This is an awesome solution! Thank you for working on this.

[balazsorban44]

Support for JWKS is landed in next-auth@4.0.0-next.20. The user won't have to do any manual verification, it will be done under the hood. Configure it with the wellKnown option on the Provider config.