providers
CredentialInput
Re-exports CredentialInput
CredentialsConfig
Re-exports CredentialsConfig
CredentialsProviderType
Re-exports CredentialsProviderType
EmailConfig
Re-exports EmailConfig
EmailProviderType
Re-exports EmailProviderType
EmailUserConfig
Re-exports EmailUserConfig
AppProvider
Shared across all ProviderType
Extends
Properties
callbackUrl
callbackUrl: string;
id
id: string;
Uniquely identifies the provider in AuthConfig.providers. It’s also part of the URL.
Inherited from
name
name: string;
The provider name used on the default sign-in page’s sign-in button. For example, if it’s “Google”, the corresponding button will say: “Sign in with Google”.
Inherited from
signinUrl
signinUrl: string;
type
type: ProviderType;
See ProviderType
Inherited from
CommonProviderOptions
Shared across all ProviderType
Extended by
Properties
id
id: string;
Uniquely identifies the provider in AuthConfig.providers. It’s also part of the URL.
name
name: string;
The provider name used on the default sign-in page’s sign-in button. For example, if it’s “Google”, the corresponding button will say: “Sign in with Google”.
type
type: ProviderType;
See ProviderType
OAuth2Config<Profile>
TODO: Document
Extends
CommonProviderOptions.PartialIssuer
Type parameters
Type parameter |
---|
Profile |
Properties
account?
optional account: AccountCallback;
Receives the full TokenSet returned by the OAuth provider, and returns a subset. It is used to create the account associated with a user in the database.
You need to adjust your database’s Account model to match the returned properties. Check out the documentation of your database adapter for more information.
Defaults to: access_token, id_token, refresh_token, expires_at, scope, token_type, session_state
Example
import GitHub from "@auth/core/providers/github"
// ...
GitHub({
  account(account) {
    // https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens#refreshing-a-user-access-token-with-a-refresh-token
    const refresh_token_expires_at =
      Math.floor(Date.now() / 1000) + Number(account.refresh_token_expires_in)
    return {
      access_token: account.access_token,
      expires_at: account.expires_at,
      refresh_token: account.refresh_token,
      refresh_token_expires_at
    }
  }
})
See
- Database Adapter: Account model
- https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
- https://www.ietf.org/rfc/rfc6749.html#section-5.1
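A more defensive take on the account callback above, as an added example (not Auth.js code): it skips refresh_token_expires_at when the provider sends no refresh_token_expires_in, and shows how the stored timestamps decide between using, refreshing, or re-authenticating. The helper names pickAccountFields and nextTokenAction, the 60-second skew, and the sample token values are assumptions made up for this example.

```javascript
// Added example; pickAccountFields and nextTokenAction are hypothetical names.

// Body for an account() callback: keep only the fields token refresh needs.
// `tokens` is the provider's TokenSet; `now` is Unix time in seconds.
function pickAccountFields(tokens, now = Math.floor(Date.now() / 1000)) {
  const account = {
    access_token: tokens.access_token,
    expires_at: tokens.expires_at,
    refresh_token: tokens.refresh_token,
  };
  // refresh_token_expires_in is optional; Number(undefined) would store NaN.
  const ttl = Number(tokens.refresh_token_expires_in);
  if (Number.isFinite(ttl) && ttl > 0) {
    account.refresh_token_expires_at = now + ttl;
  }
  return account;
}

// Decide what to do with a stored account before calling the provider API.
// `skew` (seconds) refreshes slightly early so a token does not expire in flight.
function nextTokenAction(account, now = Math.floor(Date.now() / 1000), skew = 60) {
  const expires = account.expires_at;
  // No expiry recorded: treated here as a non-expiring access token.
  if (typeof expires !== "number" || expires - skew > now) return "use";
  if (!account.refresh_token) return "reauthenticate";
  const refreshExpires = account.refresh_token_expires_at;
  if (typeof refreshExpires === "number" && refreshExpires <= now) {
    return "reauthenticate";
  }
  return "refresh";
}

// Constructed token response (placeholder values, fixed clock for the demo).
const NOW = 1700000000;
const sampleTokens = {
  access_token: "example-access-token",
  token_type: "bearer",
  scope: "",
  expires_at: NOW + 28800,
  refresh_token: "example-refresh-token",
  refresh_token_expires_in: 15897600,
};
const stored = pickAccountFields(sampleTokens, NOW);
console.log(stored);
console.log(nextTokenAction(stored, NOW + 28800));
```

Whatever fields the callback returns must exist as columns in the adapter's Account model, as the text above notes.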
allowDangerousEmailAccountLinking?
optional allowDangerousEmailAccountLinking: boolean;
Normally, when you sign in with an OAuth provider and another account with the same email address already exists, the accounts are not linked automatically.
Automatic account linking on sign in is not secure between arbitrary providers and is disabled by default. Learn more in our Security FAQ.
However, it may be desirable to allow automatic account linking if you trust that the provider involved has securely verified the email address associated with the account. Set allowDangerousEmailAccountLinking: true to enable automatic account linking.
authorization?
optional authorization: string | AuthorizationEndpointHandler;
The login process will be initiated by sending the user to this URL.
checks?
optional checks: ("none" | "state" | "pkce")[];
The CSRF protection performed on the callback endpoint.
Default
["pkce"]
Note
When redirectProxyUrl or AuthConfig.redirectProxyUrl is set, "state" will be added to checks automatically.
RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE) | RFC 6749 - The OAuth 2.0 Authorization Framework | OpenID Connect Core 1.0
client?
optional client: Partial<Client>;
Pass overrides to the underlying OAuth library.
See oauth4webapi client for details.
clientId?
optional clientId: string;
clientSecret?
optional clientSecret: string;
id
id: string;
Identifies the provider when you want to sign in to a specific provider.
Example
signIn('github') // "github" is the provider ID
Overrides
issuer?
optional issuer: string;
Overrides
PartialIssuer.issuer
jwks_endpoint
jwks_endpoint: any;
Inherited from
PartialIssuer.jwks_endpoint
name
name: string;
The name of the provider, shown on the default sign-in page.
Overrides
profile?
optional profile: ProfileCallback<Profile>;
Receives the full Profile returned by the OAuth provider, and returns a subset. It is used to create the user in the database.
Defaults to: id, email, name, image
See
redirectProxyUrl?
optional redirectProxyUrl: string;
style?
optional style: OAuthProviderButtonStyles;
token?
optional token: string | TokenEndpointHandler;
type
type: "oauth";
See ProviderType
Overrides
userinfo?
optional userinfo: string | UserinfoEndpointHandler;
wellKnown?
optional wellKnown: string;
OpenID Connect (OIDC) compliant providers can configure this instead of authorize/token/userinfo options without further configuration needed in most cases. You can still use the authorize/token/userinfo options for advanced control.
OAuthProviderButtonStyles
Properties
bg?
optional bg: string;
Deprecated
Please use ‘brandColor’ instead
brandColor?
optional brandColor: string;
logo?
optional logo: string;
text?
optional text: string;
Deprecated
OIDCConfig<Profile>
Extension of the OAuth2Config.
See
https://openid.net/specs/openid-connect-core-1_0.html
Extends
Omit<OAuth2Config<Profile>, "type" | "checks">
Type parameters
Type parameter |
---|
Profile |
Properties
account?
optional account: AccountCallback;
Receives the full TokenSet returned by the OAuth provider, and returns a subset. It is used to create the account associated with a user in the database.
You need to adjust your database’s Account model to match the returned properties. Check out the documentation of your database adapter for more information.
Defaults to: access_token, id_token, refresh_token, expires_at, scope, token_type, session_state
Example
import GitHub from "@auth/core/providers/github"
// ...
GitHub({
  account(account) {
    // https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens#refreshing-a-user-access-token-with-a-refresh-token
    const refresh_token_expires_at =
      Math.floor(Date.now() / 1000) + Number(account.refresh_token_expires_in)
    return {
      access_token: account.access_token,
      expires_at: account.expires_at,
      refresh_token: account.refresh_token,
      refresh_token_expires_at
    }
  }
})
See
- Database Adapter: Account model
- https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
- https://www.ietf.org/rfc/rfc6749.html#section-5.1
Inherited from
Omit.account
allowDangerousEmailAccountLinking?
optional allowDangerousEmailAccountLinking: boolean;
Normally, when you sign in with an OAuth provider and another account with the same email address already exists, the accounts are not linked automatically.
Automatic account linking on sign in is not secure between arbitrary providers and is disabled by default. Learn more in our Security FAQ.
However, it may be desirable to allow automatic account linking if you trust that the provider involved has securely verified the email address associated with the account. Set allowDangerousEmailAccountLinking: true to enable automatic account linking.
Inherited from
Omit.allowDangerousEmailAccountLinking
authorization?
optional authorization: string | AuthorizationEndpointHandler;
The login process will be initiated by sending the user to this URL.
Inherited from
Omit.authorization
checks?
optional checks: ("none" | "state" | "nonce" | "pkce")[];
client?
optional client: Partial<Client>;
Pass overrides to the underlying OAuth library.
See oauth4webapi client for details.
Inherited from
Omit.client
clientId?
optional clientId: string;
Inherited from
Omit.clientId
clientSecret?
optional clientSecret: string;
Inherited from
Omit.clientSecret
id
id: string;
Identifies the provider when you want to sign in to a specific provider.
Example
signIn('github') // "github" is the provider ID
Inherited from
Omit.id
idToken?
optional idToken: boolean;
If set to false, the userinfo_endpoint will be fetched for the user data.
Note
An id_token is still required to be returned during the authorization flow.
issuer?
optional issuer: string;
Inherited from
Omit.issuer
jwks_endpoint
jwks_endpoint: any;
Inherited from
Omit.jwks_endpoint
name
name: string;
The name of the provider, shown on the default sign-in page.
Inherited from
Omit.name
profile?
optional profile: ProfileCallback<Profile>;
Receives the full Profile returned by the OAuth provider, and returns a subset. It is used to create the user in the database.
Defaults to: id, email, name, image
See
Inherited from
Omit.profile
redirectProxyUrl?
optional redirectProxyUrl: string;
Inherited from
Omit.redirectProxyUrl
style?
optional style: OAuthProviderButtonStyles;
Inherited from
Omit.style
token?
optional token: string | TokenEndpointHandler;
Inherited from
Omit.token
type
type: "oidc";
userinfo?
optional userinfo: string | UserinfoEndpointHandler;
Inherited from
Omit.userinfo
wellKnown?
optional wellKnown: string;
OpenID Connect (OIDC) compliant providers can configure this instead of authorize/token/userinfo options without further configuration needed in most cases. You can still use the authorize/token/userinfo options for advanced control.
Inherited from
Omit.wellKnown
AccountCallback()
type AccountCallback: (tokens) => TokenSet | undefined | void;
Parameters
Parameter | Type |
---|---|
tokens | TokenSet |
Returns
TokenSet | undefined | void
AppProviders
type AppProviders: (Provider | ReturnType<BuiltInProviders[keyof BuiltInProviders]>)[];
AuthorizationEndpointHandler
type AuthorizationEndpointHandler: EndpointHandler<AuthorizationParameters>;
BuiltInProviderType
type BuiltInProviderType: RedirectableProviderType | OAuthProviderType | WebAuthnProviderType;
BuiltInProviders
type BuiltInProviders: Record<OAuthProviderType, (config) => OAuthConfig<any>> & Record<CredentialsProviderType, typeof default> & Record<EmailProviderType, typeof default> & Record<WebAuthnProviderType, (config) => WebAuthnConfig>;
OAuthChecks
type OAuthChecks: OpenIDCallbackChecks | OAuthCallbackChecks;
OAuthConfig<Profile>
type OAuthConfig<Profile>: OIDCConfig<Profile> | OAuth2Config<Profile>;
Type parameters
Type parameter |
---|
Profile |
OAuthEndpointType
type OAuthEndpointType: "authorization" | "token" | "userinfo";
OAuthProviderType
type OAuthProviderType:
| "42-school"
| "apple"
| "asgardeo"
| "auth0"
| "authentik"
| "azure-ad-b2c"
| "azure-ad"
| "azure-devops"
| "bankid-no"
| "battlenet"
| "beyondidentity"
| "box"
| "boxyhq-saml"
| "bungie"
| "click-up"
| "cognito"
| "coinbase"
| "descope"
| "discord"
| "dribbble"
| "dropbox"
| "duende-identity-server6"
| "eventbrite"
| "eveonline"
| "facebook"
| "faceit"
| "foursquare"
| "freshbooks"
| "fusionauth"
| "github"
| "gitlab"
| "google"
| "hubspot"
| "identity-server4"
| "instagram"
| "kakao"
| "keycloak"
| "kinde"
| "line"
| "linkedin"
| "mailchimp"
| "mailgun"
| "mailru"
| "mastodon"
| "mattermost"
| "medium"
| "microsoft-entra-id"
| "naver"
| "netlify"
| "netsuite"
| "nodemailer"
| "notion"
| "okta"
| "onelogin"
| "ory-hydra"
| "osso"
| "osu"
| "passage"
| "passkey"
| "patreon"
| "ping-id"
| "pinterest"
| "pipedrive"
| "postmark"
| "reddit"
| "resend"
| "roblox"
| "salesforce"
| "sendgrid"
| "simplelogin"
| "slack"
| "spotify"
| "strava"
| "threads"
| "tiktok"
| "todoist"
| "trakt"
| "twitch"
| "twitter"
| "united-effects"
| "vk"
| "webauthn"
| "webex"
| "wechat"
| "wikimedia"
| "wordpress"
| "workos"
| "yandex"
| "zitadel"
| "zoho"
| "zoom";
OAuthUserConfig<Profile>
type OAuthUserConfig<Profile>: Omit<Partial<OAuthConfig<Profile>>, "options" | "type">;
Type parameters
Type parameter |
---|
Profile |
OIDCConfigInternal<Profile>
type OIDCConfigInternal<Profile>: OAuthConfigInternal<Profile> & {
checks: OIDCConfig<Profile>["checks"];
idToken: OIDCConfig<Profile>["idToken"];
};
Type declaration
checks
checks: OIDCConfig<Profile>["checks"];
idToken
idToken: OIDCConfig<Profile>["idToken"];
Type parameters
Type parameter |
---|
Profile |
OIDCUserConfig<Profile>
type OIDCUserConfig<Profile>: Omit<Partial<OIDCConfig<Profile>>, "options" | "type">;
Type parameters
Type parameter |
---|
Profile |
ProfileCallback()<Profile>
type ProfileCallback<Profile>: (profile, tokens) => Awaitable<User>;
Type parameters
Type parameter |
---|
Profile |
Parameters
Parameter | Type |
---|---|
profile | Profile |
tokens | TokenSet |
Returns
Provider<P>
type Provider<P>:
| OIDCConfig<P>
| OAuth2Config<P>
| EmailConfig
| CredentialsConfig
| WebAuthnConfig & InternalProviderOptions | (...args) =>
| OAuth2Config<P>
| OIDCConfig<P>
| EmailConfig
| CredentialsConfig
| WebAuthnConfig & InternalProviderOptions & InternalProviderOptions;
Must be a supported authentication provider config:
- OAuthConfig
- EmailConfigInternal
- CredentialsConfigInternal
For more information, see the guides:
See
Type parameters
Type parameter | Value |
---|---|
P extends Profile | any |
ProviderType
type ProviderType:
| "oidc"
| "oauth"
| "email"
| "credentials"
| WebAuthnProviderType;
Providers passed to Auth.js must define one of these types.
See
- RFC 6749 - The OAuth 2.0 Authorization Framework
- OpenID Connect Core 1.0
- Email or Passwordless Authentication
- Credentials-based Authentication
RedirectableProviderType
type RedirectableProviderType: "email" | "credentials";
TokenEndpointHandler
type TokenEndpointHandler: EndpointHandler<UrlParams, {
checks: OAuthChecks;
params: CallbackParamsType;
}, {
tokens: TokenSet;
}>;
UserinfoEndpointHandler
type UserinfoEndpointHandler: EndpointHandler<UrlParams, {
tokens: TokenSet;
}, Profile>;