Comments (5)
drudv
commented on May 4, 2024
Also I think we could resolve it by marking some identity providers as safe (false by default), to prevent such situation. I understand that there are some strategies (like OpenID) that allow users to make their own auth server to forge other users' identity, but if we are talking about trusted centralized identity providers like GitHub, we can safely let users to sign-in through them even if there are local accounts associated with their emails, right?
from next-auth.
iaincollins
commented on May 4, 2024
Thanks for raising this - I dislike the current user journey for this flow too.
I like the idea of a much better option for the user that asks them to confirm what they are trying to do rather than giving them a confusing error. I haven't sat down to think about the flow for a while so I can't remember if there are any edge cases off hand.
I think it page currently gets passed what service the user tried to use with a view that it might be possible to improve it later. I'd welcome any PRs to improve the behaviour! I've tried to focus on a secure-by-default but the user experience isn't great in this case.
Having the option to mark providers as trusted in some way sounds reasonable. I think many providers these days require you to validate your email address before you can use it for oAuth, which would - in practice - be sufficiently secure for many cases.
from next-auth.
drudv
commented on May 4, 2024
@iaincollins Could you please take a look at PR #64?
Looks like redirecting to a confirmation page with a password input would require a temporary state to keep profile data received from external identity provider in order to use the data for creating an account after the intent confirmation. I didn't want to introduce a breaking change, so I ended up sticking with the second option we were talking about: trustedIdentity property in provider config.
Thanks!
from next-auth.
iaincollins
commented on May 4, 2024
Oh that's great thanks, will comment on the PR!
from next-auth.
iaincollins
commented on May 4, 2024
PR #64 is now merged but not rolled out in a new version on NPM yet. I'd like to update the template pages and documentation, and ideally get some automated testing in place in the next few days before we do that.
from next-auth.
Related Issues (20)
- Improve Auth.js Intro HOT 2
- next.js 14.2.1 gives 404 on /auth/signin HOT 14
- authjs.session-token send to backend but is error HOT 1
- JWT strings must contain exactly 2 period characters. Found: 4 HOT 2
- Unexpected Modification of User Object in Next.js Authentication Callback
- Property 'authorization' does not exist on type... HOT 1
- Active Directory Integration HOT 1
- Documentation doesn't make clear that update() from useSession() doesn't log you out HOT 2
- error on middleware documentation link HOT 1
- Sveltekit Custom Error Pages within /auth path HOT 4
- Eve online provider jwt session error HOT 1
- So are we supposed to expose AUTH_SECRET publicly? HOT 1
- Set Session Cookie missing from azure-ad callback in production HOT 1
- Set Session Cookie missing from azure-ad callback in production #10613 HOT 1
- Broken link on https://authjs.dev/concepts/faq#security HOT 2
- v5 Microsoft Entra docs reference provider that doesn't exist in @auth/[email protected] / 5.0.0-beta.16 HOT 2
- Postmark provider missing HOT 1
- Azure AD B2C authorization code flow fails because of validation of "expires_in" value returned in token response HOT 1
- Broken link in tutorial documentation HOT 1
- Detect Origin Function is not configurable by the auth options which cause issues for multi tenancy across subdomains HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from next-auth.