Skip to main content

providers

Provider<P>​

type Provider<P>: OIDCConfig< P > | OAuth2Config< P > | EmailConfig | CredentialsConfig & InternalProviderOptions | (...args) => OAuth2Config< P > | OIDCConfig< P > | EmailConfig | CredentialsConfig & InternalProviderOptions & InternalProviderOptions;

Must be a supported authentication provider config:

  • [OAuthConfig]([object Object])
  • EmailConfigInternal
  • CredentialsConfigInternal

For more information, see the guides:

See​

Type parameters​

β–ͺ P extends Profile = any


ProviderType​

type ProviderType: "oidc" | "oauth" | "email" | "credentials";

Providers passed to Auth.js must define one of these types.

See​


CommonProviderOptions​

Shared across all ProviderType

Extended By​

Properties​

id​

id: string;

Uniquely identifies the provider in AuthConfig.providers It's also part of the URL

name​

name: string;

The provider name used on the default sign-in page's sign-in button. For example if it's "Google", the corresponding button will say: "Sign in with Google"

type​

type: ProviderType;

See ProviderType


OAuth2Config<Profile>​

TODO: Document

Extends​

Type parameters​

β–ͺ Profile

Properties​

id​

id: string;

Identifies the provider when you want to sign in to a specific provider.

Example​
signIn('github') // "github" is the provider ID
Overrides​

providers.CommonProviderOptions.id

name​

name: string;

The name of the provider. shown on the default sign in page.

Overrides​

providers.CommonProviderOptions.name

account​

account?: AccountCallback;

Receives the full TokenSet returned by the OAuth provider, and returns a subset. It is used to create the account associated with a user in the database.

note

You need to adjust your database's Account model to match the returned properties. Check out the documentation of your database adapter for more information.

Defaults to: access_token, id_token, refresh_token, expires_at, scope, token_type, session_state

Example​
import GitHub from "@auth/core/providers/github"
// ...
GitHub({
account(account) {
// https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens#refreshing-a-user-access-token-with-a-refresh-token
const refresh_token_expires_at =
Math.floor(Date.now() / 1000) + Number(account.refresh_token_expires_in)
return {
access_token: account.access_token,
expires_at: account.expires_at,
refresh_token: account.refresh_token,
refresh_token_expires_at
}
}
})
See​

allowDangerousEmailAccountLinking​

allowDangerousEmailAccountLinking?: boolean;

Normally, when you sign in with an OAuth provider and another account with the same email address already exists, the accounts are not linked automatically.

Automatic account linking on sign in is not secure between arbitrary providers and is disabled by default. Learn more in our Security FAQ.

However, it may be desirable to allow automatic account linking if you trust that the provider involved has securely verified the email address associated with the account. Set allowDangerousEmailAccountLinking: true to enable automatic account linking.

authorization​

authorization?: string | AuthorizationEndpointHandler;

The login process will be initiated by sending the user to this URL.

Authorization endpoint

checks​

checks?: ("pkce" | "state" | "none")[];

The CSRF protection performed on the callback endpoint.

Default​
["pkce"]
Note​

When redirectProxyUrl or AuthConfig.redirectProxyUrl is set, "state" will be added to checks automatically.

RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE) | RFC 6749 - The OAuth 2.0 Authorization Framework | OpenID Connect Core 1.0 |

client​

client?: Partial< Client >;

Pass overrides to the underlying OAuth library. See oauth4webapi client for details.

profile​

profile?: ProfileCallback< Profile >;

Receives the full Profile returned by the OAuth provider, and returns a subset. It is used to create the user in the database.

Defaults to: id, email, name, image

See​

Database Adapter: User model

wellKnown​

wellKnown?: string;

OpenID Connect (OIDC) compliant providers can configure this instead of authorize/token/userinfo options without further configuration needed in most cases. You can still use the authorize/token/userinfo options for advanced control.

Authorization Server Metadata


OIDCConfig<Profile>​

Extension of the OAuth2Config.

See​

https://openid.net/specs/openid-connect-core-1_0.html

Extends​

Type parameters​

β–ͺ Profile

Properties​

id​

id: string;

Identifies the provider when you want to sign in to a specific provider.

Example​
signIn('github') // "github" is the provider ID
Inherited from​

Omit.id

name​

name: string;

The name of the provider. shown on the default sign in page.

Inherited from​

Omit.name

account​

account?: AccountCallback;

Receives the full TokenSet returned by the OAuth provider, and returns a subset. It is used to create the account associated with a user in the database.

note

You need to adjust your database's Account model to match the returned properties. Check out the documentation of your database adapter for more information.

Defaults to: access_token, id_token, refresh_token, expires_at, scope, token_type, session_state

Example​
import GitHub from "@auth/core/providers/github"
// ...
GitHub({
account(account) {
// https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/refreshing-user-access-tokens#refreshing-a-user-access-token-with-a-refresh-token
const refresh_token_expires_at =
Math.floor(Date.now() / 1000) + Number(account.refresh_token_expires_in)
return {
access_token: account.access_token,
expires_at: account.expires_at,
refresh_token: account.refresh_token,
refresh_token_expires_at
}
}
})
See​
Inherited from​

Omit.account

allowDangerousEmailAccountLinking​

allowDangerousEmailAccountLinking?: boolean;

Normally, when you sign in with an OAuth provider and another account with the same email address already exists, the accounts are not linked automatically.

Automatic account linking on sign in is not secure between arbitrary providers and is disabled by default. Learn more in our Security FAQ.

However, it may be desirable to allow automatic account linking if you trust that the provider involved has securely verified the email address associated with the account. Set allowDangerousEmailAccountLinking: true to enable automatic account linking.

Inherited from​

Omit.allowDangerousEmailAccountLinking

authorization​

authorization?: string | AuthorizationEndpointHandler;

The login process will be initiated by sending the user to this URL.

Authorization endpoint

Inherited from​

Omit.authorization

client​

client?: Partial< Client >;

Pass overrides to the underlying OAuth library. See oauth4webapi client for details.

Inherited from​

Omit.client

profile​

profile?: ProfileCallback< Profile >;

Receives the full Profile returned by the OAuth provider, and returns a subset. It is used to create the user in the database.

Defaults to: id, email, name, image

See​

Database Adapter: User model

Inherited from​

Omit.profile

wellKnown​

wellKnown?: string;

OpenID Connect (OIDC) compliant providers can configure this instead of authorize/token/userinfo options without further configuration needed in most cases. You can still use the authorize/token/userinfo options for advanced control.

Authorization Server Metadata

Inherited from​

Omit.wellKnown