
Clicking back button after successful login with keycloak results in "PKCE code_verifier cookie was missing.." error

Open. MarkLyck opened this issue 1 year ago • 1 comment

Environment

System:
    OS: macOS 14.5
    CPU: (10) arm64 Apple M1 Max
    Memory: 857.22 MB / 32.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.12.0 - /usr/local/bin/node
    Yarn: 1.22.17 - /usr/local/bin/yarn
    npm: 10.5.0 - /usr/local/bin/npm
    pnpm: 9.5.0 - ~/Library/pnpm/pnpm
    bun: 1.1.25 - ~/.bun/bin/bun
  Browsers:
    Brave Browser: 119.1.60.118
    Chrome: 126.0.6478.185
    Safari: 17.5
  npmPackages:
    next: 15.0.0-canary.103 => 15.0.0-canary.103
    next-auth: 5.0.0-beta.18 => 5.0.0-beta.18
    react: 19.0.0-rc-187dd6a7-20240806 => 19.0.0-rc-187dd6a7-20240806

Reproduction URL

https://github.com/MarkLyck/keycloak-pkce-error-reproduction

Describe the issue

May be related to https://github.com/nextauthjs/next-auth/issues/11641 (which is the more serious issue, but this may help resolve it as well, it's certainly easier to reproduce)

If you log in with next-auth using the keycloak provider with the standard flow, without an idp_hint, the login is successful and you will be redirected to the dashboard and everything will work.

However if you click the browser "back" button, after the redirect to the dashboard, you will be redirected to:

"https://colony-nextjs-git-patch-next-auth-with-logs-colonynetworks.vercel.app/api/auth/error?error=Configuration"

with the error:

[auth][error] InvalidCheck: PKCE code_verifier cookie was missing.. Read more at https://errors.authjs.dev#invalidcheck

I added a console.log inside the @auth/core package where the pkce check is done, and the code_verifier is undefined.

🛡️ ~ @auth / oauth / checks / pkce / codeVerifier: undefined

Maybe it gets deleted after a successful verification and then no longer exists when the user clicks back? Or maybe it's because of the 900 age limit on the cookie.

How to reproduce

  • Set up keycloak with standard flow
  • Remove idp_hint from reproduction app, and update the issuer to match your keycloak deployment
  • Deploy reproduction app to Vercel
  • Login (see successful redirect)
  • Click back button.
  • See error

Expected behavior

Clicking the "back" button after a successful login in this case should redirect you to / (the same page you are already on)

MarkLyck, Aug 20 '24 19:08

same problem

Edit by maintainer bot: Comment was automatically minimized because it was considered unhelpful. (If you think this was by mistake, let us know). Please only comment if it adds context to the issue. If you want to express that you have the same problem, use the upvote 👍 on the issue description or subscribe to the issue for updates. Thanks!

audriuiv, Jun 13 '25 08:06