I’m working on a Next.js application that uses Okta as an identity provider. I’m new to OIDC, and appreciate any corrections on terminology or misunderstandings I have.
The app uses a custom API Authorization Server in Okta, and users log in with the authorization code flow. Currently the Authorization Server is configured with a number of custom scopes that define permissions the users may be granted, and all of those scopes are defaults. We use Access Policies to control which of those default policies are granted to users based on group membership as a form of role based access control. So, if a user is a member of the `MyAppReadWrite` group, they could get `myapp:api:read` and `myapp:api:write` scopes in addition to the `openid` that is required in the authorization code flow.
The default options for next-auth that I see here are to request `openid`, `email`, and `profile`:
```ts
// next-auth's built-in Okta provider. The OAuth config types live in
// next-auth/providers/oauth; OktaProfile is declared in the same provider file.
import type { OAuthConfig, OAuthUserConfig } from "next-auth/providers/oauth"

export default function Okta<P extends OktaProfile>(
  options: OAuthUserConfig<P>
): OAuthConfig<P> {
  return {
    id: "okta",
    name: "Okta",
    type: "oauth",
    wellKnown: `${options.issuer}/.well-known/openid-configuration`,
    // the scopes requested on every login
    authorization: { params: { scope: "openid email profile" } },
    idToken: true,
    profile(profile) {
      return {
        id: profile.sub,
        name: profile.name ?? profile.preferred_username,
        email: profile.email,
        image: profile.picture,
      }
    },
    style: { logo: "/okta.svg", bg: "#000", text: "#fff" },
    // user-supplied options are merged over the defaults above
    options,
  }
}
```
When I log in to the app and introspect the token I get back from Okta, it correctly has those three scopes (and their associated claims) as I expect. However, I know from interacting with the authorization server directly in Postman that if I omit the scope parameter entirely Okta will issue me back any default scopes that are permitted in the Access Policy that I match on. I want to do that same thing in next-auth so that users are issued the scopes appropriate for their role automatically on login. I’ve tried to override these defaults by setting the scopes to either `undefined` or `""`, but when I do so my login attempts fail with the error `Try signing in with a different account.`
How can I omit scopes entirely from the next-auth request to Okta? Or, if there is a more appropriate way to be issued the correct scopes for a user’s role in Okta, how do I accomplish that if not through default scopes and access policies?
Thank you!
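Whatever the scope parameter ends up being, the thing worth verifying after login is that the access token Okta issued carries exactly the scopes the user's group should produce, and nothing more. The following is an added example (not code from the question or from next-auth) that decodes an Okta access token's payload and diffs its `scp` claim against a hypothetical group-to-scope mapping; the sample token is constructed and unsigned so the script runs offline.

```javascript
// Added example: compare the scopes in an Okta access token with the scopes a
// user's group is expected to yield through the Access Policy.
// Assumptions: Okta places granted scopes in the access token's `scp` array
// claim; the group-to-scope mapping below is hypothetical.
const EXPECTED_SCOPES_BY_GROUP = {
  MyAppReadWrite: ["openid", "myapp:api:read", "myapp:api:write"],
  MyAppReadOnly: ["openid", "myapp:api:read"],
};

// Decode the payload segment of a JWT without verifying it. This is a
// diagnostic for a token you have already validated (e.g. via Okta's
// introspection endpoint); never authorize from an unverified payload.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// Returns { missing, extra }: scopes the group should have produced but the
// token lacks, and scopes the token carries beyond what the group allows.
function checkScopes(token, group) {
  const expected = EXPECTED_SCOPES_BY_GROUP[group];
  if (!expected) throw new Error(`unknown group ${group}`);
  const granted = new Set(decodeJwtPayload(token).scp ?? []);
  return {
    missing: expected.filter((s) => !granted.has(s)),
    extra: [...granted].filter((s) => !expected.includes(s)),
  };
}

// Constructed sample: header and payload are real base64url JSON; the
// signature segment is a placeholder, so this token is not verifiable.
function makeUnsignedToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "none" })}.${enc(payload)}.sig-placeholder`;
}

const SAMPLE_TOKEN = makeUnsignedToken({
  sub: "00u-example-user",
  scp: ["openid", "email", "profile", "myapp:api:read"],
  groups: ["MyAppReadWrite"],
});

// A read/write user whose token is missing the write scope and carries two
// scopes the group mapping never asked for.
console.log(checkScopes(SAMPLE_TOKEN, "MyAppReadWrite"));
// → { missing: ['myapp:api:write'], extra: ['email', 'profile'] }
```

Running the same check against a token obtained through next-auth versus one obtained in Postman with no scope parameter makes it easy to see which requested-scope setting actually reproduces the Access Policy's defaults.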