Keep getting redirected with error: OAuthAccountNotLinked #519
Comments
iaincollins
added
stale
|
This is the error page displayed for the
If you see |
|
Ah, but I only have signed in with Twitter. That's the only Provider I have with my app besides email AND I have only used this email via twitter oauth. |
|
In fact I only have 1 account in my entire |
|
Btw, I don't have this problem in |
|
I also wanted to say that I think this is a great library and I really appreciate all your hard work. 👏👏👏 |
|
I am not able to replicate this issue.
I can only suggest enabling |
To confirm, the callback API has not changed between version 2 and version 3. The documentation for providers is correct: https://next-auth.js.org/configuration/providers#using-a-built-in-provider The second callback URL format is for version 1 which was released in 2016-2017. At the top of the page it says "WARNING This documentation is for version 1 which is no longer supported." ^ Edit: It might be worth us removing the v1 one docs from the website if they are coming up in search results above more relevant results. |
Hmm that's interesting. Can you replicate this issue with the example project? |
|
PS: My suspicion here is that it might be a weird interaction with the Atlas Mongo instance. I no longer have an active mongo.net instance to hand to test it, but it would be worth identifying if the same issue be replicated with the example project. If it can it's probably related to the database connection in some way. |
|
I will test the example project right now and report back |
|
Thanks! If you do get the same issue, any information you can provide about the database / connection type (including example of the connection info, minus sensitive info) would be very helpful. |
|
It works with NEXTAUTH_URL=http://localhost:3000
SECRET=
AUTH0_ID=
AUTH0_SECRET=
AUTH0_DOMAIN=
FACEBOOK_ID=
FACEBOOK_SECRET=
GITHUB_ID=
GITHUB_SECRET=
GOOGLE_ID=
GOOGLE_SECRET=
TWITTER_ID=my-twitter-id
TWITTER_SECRET=my-twitter-secret
EMAIL_SERVER=smtp://username:[email protected]:587
EMAIL_FROM=NextAuth <[email protected]>
DATABASE_URL=mongodb+srv://username:[email protected]/database-name?retryWrites=true&w=majority&synchronize=true
|
|
I can't replicate an issue with the example project, using MongoDB and Twitter. I don't have any problems signing in, signing out and then back in again. The example uses 3.x. Did you downgrade the version of it? Can you replicate the issue raise with the example project, running 3.x? |
|
^ Sorry hit save prematurely (was on mobile). Thinking about it, if it's just a test account I'd be included to drop those collections and just re-create it again (and use v3). I have absolutely no idea what would be causing this. I've spun up a mongo.net service on Atlas and still can't replicate it. |
|
I'll drop and try again. Yes, I downgraded and checked in |
|
You were correct. It was the DB. Weird... So sorry I drug you through all this. I should've tried that from the get go. I also tried your example with a fresh DB and it worked. Didn't try a new collection within the same db, but I'd assume it would work with one. |
|
Hi @iaincollins I just found the same error when testing oauth with Google and Github. I'm wondering is there a way to connect both providers to the same user instead of rejecting it? So sign in with Google and sign in with Github will go to the same user account. |
|
I got the same error if both facebook and google has the same email. It's better to provide option to merge user. |
|
@fzxu I've been tinkering with this since yesterday. Until the library handles the merge, I think you need to handle the sign-in process yourself I've tried writing the SignIn callback configurations, but it seems to be called after the DB operation is resolved. |
|
@nsebhastian @fzxu Please feel free to open a new issue if you have a question about why something works a particular way. This has come up before so I've raised a PR which addresses it in the FAQ: When I sign in with another account with the same email address, why are accounts not linked automatically?Automatic account linking on sign in is not secure between arbitrary providers - with the exception of allowing users to sign in via an email addresses as a fallback (as they must verify their email address as part of the flow). When an email address is associated with an OAuth account it does not necessarily mean that it has been verified as belonging to account holder — how email address verification is handled is not part of the OAuth specification and varies between providers (e.g. some do not verify first, some do verify first, others return metadata indiciating the verification status). With automatic account linking on sign in, this can be exploited by bad actors to hijack accounts by creating an OAuth account associated with the email address of another user. For this reason it is not secure to automatically link accounts between abitrary providers on sign in, which is why this feature is generally not provided by authentication service and is not provided by NextAuth.js. Automatic acccount linking is seen on some sites, sometimes insecurely. It can be technically possible to do automatic account linking securely if you trust all the providers involved to ensure they have securely verified the email address associated with the account, but requires placing trust (and transfering the risk) to those providers to handle the process securely. Examples of scenarios where this is secure include with an OAuth provider you control (e.g. that only authorizes users internal to your organization) or with a provider you explicitly trust to have verified the users email address. Automatic account linking is not a planned feature of NextAuth.js, however there is scope to improve the user experience of account linking and of handling this flow, in a secure way. Typically this involves providing a fallback option to sign in via email, which is already possible (and recommended), but the current implementation of this flow could be improved on. Providing support for secure account linking and unlinking of additional providers - which can only be done if a user is already signed in already - was origionally a feature in v1.x but has not been present since v2.0, is planned to return in a future release. |
This also worked for me. Thanks so much everyone! |
|
I'm having this issue with a new user account using email only with Auth0 (no other oauth providers are enabled), and using a brand new database isn't a possibility. Is there an alternative to that fix? |
|
Actually, it appears to work correctly when using session instead of database, i.e.: |
|
I am getting this OAuthAccountNotLinked when trying to login with github. But if I get this error I wish it would redirect or do anything but its just stuck in the login page with no session I think I am doing something wrong. |
|
please use |
|
I was getting this error (OAuthAccountNotLinked) with the following dependencies: next-auth@^4.10.3 It's only when I enabled the [next-auth][error][OAUTH_CALLBACK_HANDLER_ERROR]
https://next-auth.js.org/errors#oauth_callback_handler_error E11000 duplicate key error collection: next-auth-db.accounts index: accounts_provider_provider_account_id_key dup key: { provider: "github", provider_account_id: null } MongoServerError: E11000 duplicate key error collection: next-auth-db.accounts index: accounts_provider_provider_account_id_key dup key: { provider: "github", provider_account_id: null }
at /code/node_modules/mongodb/lib/operations/insert.js:53:33
at /code/node_modules/mongodb/lib/cmap/connection_pool.js:299:25
at /code/node_modules/mongodb/lib/sdam/server.js:212:17
at handleOperationResult (/code/node_modules/mongodb/lib/sdam/server.js:287:20)
at Connection.onMessage (/code/node_modules/mongodb/lib/cmap/connection.js:219:9)
at MessageStream.<anonymous> (/code/node_modules/mongodb/lib/cmap/connection.js:60:60)
at MessageStream.emit (events.js:400:28)
at processIncomingData (/code/node_modules/mongodb/lib/cmap/message_stream.js:132:20)
at MessageStream._write (/code/node_modules/mongodb/lib/cmap/message_stream.js:33:9)
at writeOrBuffer (internal/streams/writable.js:358:12) {
name: 'LinkAccountError',
code: 11000
}What stood out to me here is that On further investigation, I appeared to have a unique index setup in the database for a property that wasn't being used anymore:
This meant that only a single account could ever be present in the database 😬 I've inherited this project/database so I'm not sure where that came from. Does this module ever create the indexes for you? Has that ever been a feature? It would've been nice if NextAuth bubbled up the appropriate error to the surface, at least on development, instead of hiding it behind a generic error code. I hope this helps someone else in this situation! Thanks again for the module. |
I don't see this option as available. I am using |
You should pass the |
Thank you! This worked for me. |
|
I'm getting the same error. While trying to create a user data on the database. It works if I don't add a callback it. But I added it because I need the token field to be added. Now I'm getting error=OAuthAccountNotLinked. if someone has resolved it can you help this fellow dev out. |
|
I ran into this issue, what works for me was defining the provider id, check below: |
I have a very similar setup to you and am getting the above error too. Were you able to resolve this? |
|
Yes I'll share the code with you in a bit I did something with
prisma.upsert if the account exists update the user else create the user in
sign in next auth
…On Tue, 16 May 2023, 6:07 pm Bhavik Shah, ***@***.***> wrote:
kirtirajsinh
I have a very similar setup to you and am getting the above error too.
Were you able to resolve this?
—
Reply to this email directly, view it on GitHub
<#519 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AUXM4BWTDDVNHXCDBWMZ5L3XGNWRNANCNFSM4PRGFAVA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Thanks for your reply, I needed to update Next.js and then next-auth. Now I am using |
pls, do share. I'm still stuck on the same issue. |
|
import NextAuth, { NextAuthOptions } from 'next-auth';
import { PrismaClient, USER_ROLES } from ***@***.***/client';
import { verify } from 'argon2';
import Credentials from 'next-auth/providers/credentials';
import GithubProvider from 'next-auth/providers/github';
import GoogleProvider from 'next-auth/providers/google';
const prisma = new PrismaClient();
export const authOptions: NextAuthOptions = {
session: {
strategy: 'jwt',
maxAge: 10000,
},
providers: [
Credentials({
type: 'credentials',
credentials: {},
async authorize(credentials, req) {
const { username, password } = credentials as { username:
string; password: string };
const user = await prisma.user.findFirst({
where: { username },
});
if (!user) {
throw new Error('User with this username has not been registered.');
}
const isValidPassword = await verify(user.password, password as string);
if (!isValidPassword) {
throw new Error('Invalid password.');
}
return {
id: user.id,
email: user.email,
username: user.username,
role: user.role,
};
},
}),
GithubProvider({
clientId: process.env.GITHUB_ID as string,
clientSecret: process.env.GITHUB_SECRET as string,
}),
GoogleProvider({
clientId: process.env.GOOGLE_ID as string,
clientSecret: process.env.GOOGLE_SECRET as string,
}),
],
callbacks: {
async signIn({ user, credentials }) {
if (credentials) {
return true;
}
const dbUser = await prisma.user.upsert({
where: { email: user.email as string },
update: {
name: user.name,
image: user.image,
},
create: {
name: user.name,
email: user.email,
image: user.image,
password: user.name as string,
username: user.name as string,
role: USER_ROLES.USER,
},
});
// add the userId to the session object
user.role = dbUser.role;
user.id = dbUser.id;
return true;
},
jwt(params) {
if (params?.user?.role) {
params.token.username = params.user.username;
params.token.role = params.user?.role;
params.token.id = params.user?.id;
}
return params.token;
},
session: (params) => {
if (params.session?.user) {
params.session.user.username = params.token.username;
params.session.user.role = params.token?.role;
params.session.user.id = params.token?.id;
}
return params.session;
},
},
pages: {
signIn: '/auth/login',
},
};
export default NextAuth(authOptions);
Message ID: ***@***.***>
… |
|
the above is my ...nextauth.ts
…On Thu, May 18, 2023 at 7:57 PM Meta-K ***@***.***> wrote:
share the code with you in a bit I did something with prisma.upsert if the
ac
pls, do share. I'm still stuck on the same issue.
—
Reply to this email directly, view it on GitHub
<#519 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AUXM4BTZCPYOPSD34NUACYLXGYU3JANCNFSM4PRGFAVA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Oh my god I love you |
|
I am getting this OAuthAccountNotLinked when trying to login with DISCORD . its just stuck in the login page with no session & can’t enter a giveaway without connecting my discord account. Any idea how to fix it ? |
|
I was having this issue as well, and in the hopes this will help at least someone: Using the Prisma adapter, I had a seeder populating the database with our administrators (users, roles, permissions, etc.) which ended up causing this. The User was being created with the default cuid() id value, instead of the (selected) provider user id. |
Hey man, I am having this issue right now with the next auth v5 beta, what did you do to solve the problem of prisma adapter generating the default cuid? Thank you really much |
Can you expand on this i am stuck on this issue been trying to solve for a long time now |
|
Don't use this package fr I implemented on my own and so much easier and
predictable than this trash
…On Mon, 12 Feb 2024, 8:07 am Yaseen Deen, ***@***.***> wrote:
I was having this issue as well, and in the hopes this will help at least
someone: Using the Prisma adapter, I had a seeder populating the database
with our administrators (users, roles, permissions, etc.) which ended up
causing this. The User was being created with the default cuid() id value,
instead of the (selected) provider user id.
Can you expand on this i am stuck on this issue been trying to solve for a
long time now
—
Reply to this email directly, view it on GitHub
<#519 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AUXM4BXPBHYDJSQ57FERYV3YTF4FBAVCNFSM4PRGFAVKU5DIOJSWCZC7NNSXTN2JONZXKZKDN5WW2ZLOOQ5TCOJTG44TSMBXHA4A>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
add GoogleProvider({
clientId: process.env.GOOGLE_CLIENT_ID,
clientSecret: process.env.GOOGLE_CLIENT_SECRET,
allowDangerousEmailAccountLinking: true,
authorization: {
params: {
prompt: "consent",
access_type: "offline",
response_type: "code",
},
},
}), |
|
i had this same problem, I dropped my solution here: |
and others
Describe the bug
In your next-auth-example, default login screen (http://localhost:3000/api/auth/signin)
yarn && yarn add mongodb && yarn dev/api/auth/callback/twitterinstead of redirecting back to the home screen, it goes to/api/auth/error?error=OAuthAccountNotLinkedthen/api/auth/signin?error=OAuthAccountNotLinkedI noticed that when I console.log in the
signIn callbackI still get the twitter data.Am I missing something here or is this a bug? Because I'm getting the same issue in my personal app.
Documentation feedback
Documentation refers to searching through online documentation, code comments and issue history. The example project refers to next-auth-example.
The text was updated successfully, but these errors were encountered: