Well Known Support

[mod-flux]

Summary of proposed feature
For OAuth providers that have .well-known configuration endpoints, offer the ability to provide these and have NextAuth dynamically discover and setup against all endpoints and everything that's provided as opposed to hardcoding all the endpoints manually.

Purpose of proposed feature
Dynamic service discovery is always advisable as it means the vendor can change their endpoints and/or configuration and a NextAuth enabled website can pick up the configuration dynamically and continue operating. Furthermore, it takes a lot of work out of manually configuring all of the endpoints which have inherent human error.

Detail about proposed feature
In the provider's options, provide the ability to set a .well-known endpoint and have the NextAuth service set up as per the configuration. Perhaps saving this configuration in the Lambda cache so it doesn't have to be requested every time.

Potential problems
Could conflict with other OAuth provider options. Could also lead to more time on the initial request.

Describe any alternatives you've considered
Manual configuration, which is what I've done to date.

[balazsorban44]

#1048 should probably be preceeding this, that would made implementation especially easy. Although the new alternative does not support OAuth 1.x, which is a bummer. If we want to keep it, we might have to have two oauth dependencies, which would increase package size a lot.

Most of the built-in/already pre-configured providers could use this as well, although this should be more of a fallback option in my opinion, to avoid an additional request on each invocation. Maybe we could extract this build-time somehow? If one of the endpoints aren't present or wrong, we could utilize the well-known endpoint to fetch the missing ones and show a warning that tells about the extra request in each invocation.

If we change the oauth package for OAuth 2 and OIDC providers, the provider options shape will probably have to change, as there is no fine overlap there and exposing the client config for both packages might be confusing.

Open for ideas how we could migrate with the least possible amount of breaking changes and confusion for users.

[balazsorban44]

So after playing around with #1698, I even think that this could be introduced in a non-breaking change! I got openid-client working with the configuration, no changes needed from the user! 🎉

One downside of .well-known is that there will always be an extra call to that endpoint, whenever you interact with NextAuth. It would make more sense maybe to fetch the config build-time and provide that instead. What do you think?

This could tie in neatly with #1846, where wellKnown could be an OAuthEndpoint type (see #1846 for explanation), and you could use the request method and cache the config however you want for example.

[mod-flux]

This makes sense and great news @balazsorban44! Could we not cache it on the Lambda similar to how the auto-generated keys work? I don't know the inner workings but atleast that way it would only request per lambda for aslong as it's alive. Failing that, build time seems the most appropriate, as you've highlighted.

[balazsorban44]

I decided to leave this out from #1698 initially to decrease the scope of the PR. We could address this subsequently in another one later on.

[balazsorban44]

Landed in next-auth@4.0.0-next.20. For now, I will await any optimization/caching of the endpoint result. We will see if there is actual interest/need for it. openid-client actually already uses lru-cache, so it might not even be needed.