Breaking change with local testing using V4 plugin #1846

Closed
6 tasks done
bweber opened this issue Dec 16, 2024 · 10 comments

Comments

@bweber

bweber commented Dec 16, 2024

Description

We are currently using the npm package oidc-provider recommended here: https://github.com/auth0/nextjs-auth0/blob/main/TESTING.md

Given that, with the change to the new AUTH0_DOMAIN, it throws an error if you prepend http:// on the front of the domain saying it cannot contain a schema.

This creates a breaking change for us as we need to disable https for local testing.

The alternative is a way to disable SSL validation to support self-signed certificates for local development as it appears this is failing.

We do not want to do local development directly against Auth0 as we generate dummy user accounts for testing and don't want to share ClientID/Secrets amongst all of our developers.

Reproduction

  1. Create a Next 15 application with the Beta V4 plugin configured with the following:
AUTH0_SECRET=test
AUTH0_DOMAIN=host.docker.internal:3001
AUTH0_CLIENT_ID=test
AUTH0_CLIENT_SECRET=test
APP_BASE_URL=http://localhost:3000
  2. Set up a NodeJS application with oidc-provider running on port 3001 using the following env variables:
PORT=3001
AUTH0_AUDIENCE=test_application
APP_BASE_URL=http://localhost:3000
AUTH0_DOMAIN=http://host.docker.internal:3001/
AUTH0_CLIENT_ID=test
AUTH0_CLIENT_SECRET=test

My oidc-provider configuration is as follows:

import Provider from 'oidc-provider';
// LocalAccount is the issue author's own account store (the findAccount
// implementation). Its module is not shown in the issue, so this import
// path is assumed.
import LocalAccount from './local-account.js';

const baseUrl = process.env.APP_BASE_URL;      // e.g. http://localhost:3000
const audience = process.env.AUTH0_AUDIENCE;   // audience stamped on JWT access tokens
const clientId = process.env.AUTH0_CLIENT_ID;
const clientSecret = process.env.AUTH0_CLIENT_SECRET;
const domain = process.env.AUTH0_DOMAIN;       // issuer identifier, e.g. http://host.docker.internal:3001/

// Only issue a refresh token when the client may use the refresh_token grant
// and the authorization code carries offline_access (or the client is a
// public web client that cannot keep a secret).
const issueRefreshToken = async function (_ctx, client, code) {
  if (!client.grantTypeAllowed('refresh_token')) {
    return false;
  }
  return (
    code.scopes.has('offline_access') ||
    (client.applicationType === 'web' && client.clientAuthMethod === 'none')
  );
};

const config = {
  clients: [
    {
      // Single confidential client, matching the nextjs-auth0 env settings above.
      client_id: clientId,
      client_secret: clientSecret,
      redirect_uris: [`${baseUrl}/auth/callback`],
      post_logout_redirect_uris: [baseUrl],
      token_endpoint_auth_method: 'client_secret_post',
      grant_types: ['authorization_code', 'refresh_token'],
    },
  ],
  // Route paths chosen to match Auth0's own endpoint paths.
  routes: {
    authorization: '/authorize',
    token: '/oauth/token',
    end_session: '/v2/logout',
    jwks: '/.well-known/jwks.json',
  },
  claims: {
    profile: ['name', 'picture', 'family_name', 'given_name'],
    email: ['email', 'email_verified'],
  },
  findAccount: LocalAccount.findAccount,
  issueRefreshToken: issueRefreshToken,
  features: {
    resourceIndicators: {
      enabled: true,
      // Every authorization is bound to the app's base URL as its resource,
      // which yields a JWT access token with the configured audience.
      defaultResource() {
        return baseUrl;
      },
      useGrantedResource() {
        return true;
      },
      getResourceServerInfo(_ctx, resourceIndicator) {
        if (resourceIndicator === baseUrl) {
          return {
            scope: 'api:access',
            audience,
            accessTokenTTL: 1 * 60 * 60,
            accessTokenFormat: 'jwt',
          };
        }

        throw new Error(`Unable to find resource for resource URL ${resourceIndicator}`);
      },
    },
  },
};

const createProvider = () => {
  const provider = new Provider(domain, config);

  // After a successful end_session, send the browser back to the app instead
  // of oidc-provider's default "sign-out successful" page.
  provider.use(async (ctx, next) => {
    await next();

    if (ctx.oidc?.route === 'end_session_success') {
      ctx.redirect(baseUrl);
    }
  });

  return provider;
};

export default createProvider;

The rest of the NextJS and Auth0 setup matches what is in the documentation in the Readme for V4.

Additional context

No response

nextjs-auth0 version

v4-beta10

Next.js version

15

Node.js version

22

@bweber

bweber commented Dec 16, 2024

Some additional information. When I setup a self-signed SSL certificate for local testing, it fails the discovery check in this method in the dependent library: https://github.com/panva/oauth4webapi/blob/d2085804c79783ec52feb391953f06d2461675be/src/index.ts#L1180

I was able to verify the URL it is trying to call does load from the oidc-provider library at .well-known/openid-configuration however, I believe it is failing to validate the SSL certificate since it is self-signed.

@guabu guabu mentioned this issue Dec 17, 2024
@guabu

guabu commented Dec 17, 2024

Hey @bweber 👋 Thanks for the feedback here! The underlying library you mentioned no longer allows non-HTTPS requests as of v3 without passing a specific flag.

In the upcoming release (linked above), you should be able to pass an allowInsecureRequests flag (only when NODE_ENV is not production), like so:

import { Auth0Client } from "@auth0/nextjs-auth0/server"

export const auth0 = new Auth0Client({
  allowInsecureRequests: true,
})

and specify an issuer with a protocol (e.g.: http://my-local-mock-oidc-server).

Hopefully this should help with developing locally against the mock OIDC server.

@guabu

guabu commented Dec 17, 2024

The latest release (4.0.0-beta.11) should now contain the above changes. Would you mind upgrading when you have a moment and let us know if this resolves the issue for you?

@bweber

bweber commented Dec 17, 2024

The changes work when I am running using next dev, however, it does NOT work when I am running the application in a Docker container or with next start because NextJS forces production mode in that scenario. For local acceptance/integration testing, this breaks for us as we stand up oidc-provider and our application in Docker containers and test using Playwright.

Is there a way we can remove these lines from the auth0-client:

if (this.allowInsecureRequests && process.env.NODE_ENV === "production") {
  throw new Error(
    "Insecure requests are not allowed in production environments."
  )
}

I removed them from the copy in my node_modules to verify this works with next start and it worked as expected.

@guabu

guabu commented Dec 17, 2024

Is there a way we can remove these lines from the auth0-client

We'd like to make sure the setting is not unintentionally left enabled in production. We can change it to log a warning in the console instead of throwing an error to support the use case of running next start in e2e tests.

@bweber

bweber commented Dec 17, 2024

Yea, that would be good. If we can log a warning to ensure developers see it, that is how the underlying library you are using is also working by showing a warning about an insecure issuer.

As long as we aren't throwing an error here, this will fix my issue for local testing.
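The two policies argued over in this thread (the v3 oauth4webapi refusal of a non-HTTPS issuer unless a flag is set, and the nextjs-auth0 guard that threw on allowInsecureRequests under NODE_ENV=production in beta.11 and was changed to a warning in beta.12) can be modelled without any network. The following is an added example, not code from nextjs-auth0, oauth4webapi or the issue author: resolveIssuer and validateDiscoveryDocument are names chosen here, not library APIs, and the discovery document is constructed from the routes in the oidc-provider config above rather than captured from a running server. It also covers the one check that still bites after the scheme is allowed: OIDC Discovery requires the issuer in the document to be identical to the issuer identifier used, so a missing or extra trailing slash is a mismatch.

```javascript
// Added example (not nextjs-auth0 or oauth4webapi code): an offline model of
// the issuer policy discussed in this issue.

// Turn an AUTH0_DOMAIN-style value into the issuer identifier for discovery.
//   - a bare host ("host.docker.internal:3001") is treated as HTTPS;
//   - an http:// issuer is rejected unless allowInsecureRequests is set;
//   - with allowInsecureRequests under NODE_ENV=production the policy either
//     throws (strictProduction, the beta.11 behaviour) or warns and continues
//     (the beta.12 behaviour).
function resolveIssuer(domain, {
  allowInsecureRequests = false,
  nodeEnv = process.env.NODE_ENV,
  strictProduction = false,
  onWarn = (msg) => console.warn(msg),
} = {}) {
  if (typeof domain !== "string" || domain.trim() === "") {
    throw new TypeError("issuer domain must be a non-empty string");
  }
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(domain);
  let url;
  try {
    url = new URL(hasScheme ? domain : `https://${domain}`);
  } catch {
    throw new Error(`"${domain}" is not a valid issuer URL`);
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error(`unsupported issuer scheme "${url.protocol}"`);
  }
  if (url.search || url.hash) {
    throw new Error("issuer identifier must not carry a query or fragment");
  }
  if (url.protocol === "http:") {
    if (!allowInsecureRequests) {
      throw new Error(
        `issuer ${url.href} is not HTTPS; enable allowInsecureRequests for local testing only`);
    }
    if (nodeEnv === "production") {
      const msg = `allowInsecureRequests is enabled with NODE_ENV=production; ` +
        `tokens for ${url.href} travel in cleartext`;
      if (strictProduction) throw new Error(msg);
      onWarn(msg);
    }
  }
  // WHATWG URL normalisation gives an empty path a trailing "/", the form the
  // oidc-provider issuer in this issue (http://host.docker.internal:3001/) uses.
  return url.href;
}

// Check a fetched .well-known/openid-configuration document against the issuer
// it was retrieved for. The issuer comparison is exact by specification, and
// every endpoint must be an absolute https:// URL unless insecure requests are
// explicitly allowed.
function validateDiscoveryDocument(expectedIssuer, doc, { allowInsecureRequests = false } = {}) {
  if (!doc || typeof doc !== "object") {
    throw new Error("discovery document is not a JSON object");
  }
  if (doc.issuer !== expectedIssuer) {
    throw new Error(`issuer mismatch: expected ${expectedIssuer}, document says ${doc.issuer}`);
  }
  const endpoints = {};
  for (const name of ["authorization_endpoint", "token_endpoint", "jwks_uri"]) {
    const value = doc[name];
    if (typeof value !== "string") throw new Error(`discovery document lacks ${name}`);
    const u = new URL(value); // throws on a relative or malformed value
    if (u.protocol !== "https:" && !(u.protocol === "http:" && allowInsecureRequests)) {
      throw new Error(`${name} ${value} is not HTTPS`);
    }
    endpoints[name] = u.href;
  }
  return endpoints;
}

// Constructed sample (not a captured response): what a provider with the
// routes from the config above would publish for the http:// issuer.
const SAMPLE_ISSUER = "http://host.docker.internal:3001/";
const SAMPLE_DISCOVERY = {
  issuer: SAMPLE_ISSUER,
  authorization_endpoint: "http://host.docker.internal:3001/authorize",
  token_endpoint: "http://host.docker.internal:3001/oauth/token",
  end_session_endpoint: "http://host.docker.internal:3001/v2/logout",
  jwks_uri: "http://host.docker.internal:3001/.well-known/jwks.json",
};

// The e2e scenario from this thread: next start (NODE_ENV=production) against
// the mock provider with allowInsecureRequests on. Warns once, then proceeds.
function localTestingCheck() {
  const warnings = [];
  const issuer = resolveIssuer("http://host.docker.internal:3001", {
    allowInsecureRequests: true,
    nodeEnv: "production",
    onWarn: (m) => warnings.push(m),
  });
  const endpoints = validateDiscoveryDocument(issuer, SAMPLE_DISCOVERY, { allowInsecureRequests: true });
  return { issuer, warnings, endpoints };
}
```

The warning path is what beta.12 settled on; keeping strictProduction available shows how cheap it is to make the e2e harness opt in explicitly (for example from a test-only env variable) rather than relying on NODE_ENV, which next start sets to production whether or not the deployment is real.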

@guabu

guabu commented Dec 17, 2024

Sounds good, we'll get that fixed in the next release. Thanks for your feedback!

@bweber

bweber commented Dec 17, 2024

Awesome, do you know when that may be? Any way we can cut a new release with the change?

@guabu guabu mentioned this issue Dec 18, 2024
@guabu

guabu commented Dec 18, 2024

Hey @bweber 👋 The latest release (4.0.0-beta.12) should contain these changes

@bweber

bweber commented Dec 18, 2024

@guabu Just verified this worked. Thank you again!

@bweber bweber closed this as completed Dec 18, 2024