private_key_jwt auth - aud property
#120
Replies: 3 comments 8 replies
-
What is the provider?
-
Just following up my comment about nextauth not passing the private key into oauth4webapi, here's the PR for that lib to pass it across: nextauthjs/next-auth#11132
-
@panva Quick update. The NHS login team have advised (via the Slack channel) that they're going to make the change to the Also, my next-auth PR to pass the key into oauth4web has been approved and merged (thanks again @balazsorban44 🙏).
-
Hi,
I'm trying to get nextauth working with an auth provider who use private_key_jwt for authorisation. nextauth uses oauth4webapi under the covers.
The issue we're coming across is that when oauth4webapi creates the JWT to send to the token endpoint, the aud property is being created as an array. The provider we're using will strictly only accept a string for this property.
The line where this happens is here:
oauth4webapi/src/index.ts
Line 1400 in 787efb2
I've found this spec which seems to imply the aud should be a string but then goes on to talk about aud values as a plural, so I don't know for sure: https://datatracker.ietf.org/doc/html/rfc7523#section-2.2
Either way, is it feasible to submit a PR to make aud optionally a string with a single value instead of an array?
Thanks,
Lee
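The interoperability gap described in the post above, as an added example that is not part of the original thread and is not oauth4webapi or provider code: the same client-assertion claims serialized with aud as an array and as a string, then checked by a validator that follows RFC 7519 section 4.1.3 and by a hypothetical string-only one. The client ID, URLs and jti are constructed values, and signing and signature verification are left out.

```javascript
// Constructed sample values (assumptions, not taken from the thread).
const ISSUER = 'https://as.example';
const TOKEN_ENDPOINT = 'https://as.example/token';
const CLIENT_ID = 'example-client';

// Claims of a private_key_jwt client assertion (RFC 7523 section 3):
// iss and sub carry the client_id, aud identifies the authorization server.
function buildAssertionClaims(audience, now = 1700000000) {
  return { iss: CLIENT_ID, sub: CLIENT_ID, aud: audience,
           iat: now, exp: now + 60, jti: 'constructed-jti-0001' };
}

// Payload segment as it appears on the wire, and the server-side decode.
const encodePayload = (claims) =>
  Buffer.from(JSON.stringify(claims)).toString('base64url');
const decodePayload = (segment) =>
  JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));

// RFC 7519 section 4.1.3: aud is an array of strings, or a single string in
// the one-audience special case. Accept both forms, reject anything else,
// and require at least one value the server identifies itself with.
function audAccepted(aud, acceptable) {
  const values = typeof aud === 'string' ? [aud] : aud;
  if (!Array.isArray(values) || values.length === 0) return false;
  if (!values.every((v) => typeof v === 'string')) return false;
  return values.some((v) => acceptable.includes(v));
}

// Hypothetical model of a server that only accepts the single-string form.
function audAcceptedStringOnly(aud, acceptable) {
  return typeof aud === 'string' && acceptable.includes(aud);
}

// Run both serializations through both validators.
function compareForms() {
  const acceptable = [ISSUER, TOKEN_ENDPOINT];
  const forms = { array: [TOKEN_ENDPOINT], string: TOKEN_ENDPOINT };
  const result = {};
  for (const [name, aud] of Object.entries(forms)) {
    const claims = decodePayload(encodePayload(buildAssertionClaims(aud)));
    result[name] = { rfc7519: audAccepted(claims.aud, acceptable),
                     stringOnly: audAcceptedStringOnly(claims.aud, acceptable) };
  }
  return result;
}

console.log(compareForms());
```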