diff --git a/src/server/index.js b/src/server/index.js
index 9bae971aca..8f7975d302 100644
--- a/src/server/index.js
+++ b/src/server/index.js
@@ -72,15 +72,15 @@ async function NextAuthHandler (req, res, userOptions) {
     const providers = parseProviders({ providers: userOptions.providers, baseUrl, basePath })
     const provider = providers.find(({ id }) => id === providerId)
 
-    if (provider &&
-      provider.type === 'oauth' && provider.version?.startsWith('2') &&
-       (!provider.protection && provider.state !== false)
-    ) {
-      provider.protection = 'state' // Default to state, as we did in 3.1 REVIEW: should we use "pkce" or "none" as default?
-    }
-
-    if (typeof provider?.protection === 'string') {
-      provider.protection = [provider.protection]
+    // Protection only works on OAuth 2.x providers
+    if (provider?.type === 'oauth' && provider.version?.startsWith('2')) {
+      // When provider.state is undefined, we still want this to pass
+      if (!provider.protection && provider.state !== false) {
+        // Default to state, as we did in 3.1 REVIEW: should we use "pkce" or "none" as default?
+        provider.protection = ['state']
+      } else if (typeof provider.protection === 'string') {
+        provider.protection = [provider.protection]
+      }
     }
 
     const maxAge = 30 * 24 * 60 * 60 // Sessions expire after 30 days of being idle
diff --git a/src/server/lib/oauth/pkce-handler.js b/src/server/lib/oauth/pkce-handler.js
index 72063b0f1b..d5613392da 100644
--- a/src/server/lib/oauth/pkce-handler.js
+++ b/src/server/lib/oauth/pkce-handler.js
@@ -16,7 +16,8 @@ const PKCE_MAX_AGE = 60 * 15 // 15 minutes in seconds
 export async function handleCallback (req, res) {
   const { cookies, provider, baseUrl, basePath } = req.options
   try {
-    if (!provider.protection.includes('pkce')) { // Provider does not support PKCE, nothing to do.
+    // Provider does not support PKCE, nothing to do.
+    if (!provider.protection?.includes('pkce')) {
       return
     }
 
@@ -50,7 +51,7 @@ export async function handleCallback (req, res) {
 export async function handleSignin (req, res) {
   const { cookies, provider, baseUrl, basePath } = req.options
   try {
-    if (!provider.protection.includes('pkce')) { // Provider does not support PKCE, nothing to do.
+    if (!provider.protection?.includes('pkce')) { // Provider does not support PKCE, nothing to do.
       return
     }
     // Started login flow, add generated pkce to req.options and (encrypted) code_verifier to a cookie
diff --git a/src/server/lib/oauth/state-handler.js b/src/server/lib/oauth/state-handler.js
index 01815045d9..8c866f62fb 100644
--- a/src/server/lib/oauth/state-handler.js
+++ b/src/server/lib/oauth/state-handler.js
@@ -12,7 +12,8 @@ import { OAuthCallbackError } from '../../../lib/errors'
 export async function handleCallback (req, res) {
   const { csrfToken, provider, baseUrl, basePath } = req.options
   try {
-    if (!provider.protection.includes('state')) { // Provider does not support state, nothing to do.
+    // Provider does not support state, nothing to do.
+    if (!provider.protection?.includes('state')) {
       return
     }
 
@@ -41,7 +42,7 @@ export async function handleCallback (req, res) {
 export async function handleSignin (req, res) {
   const { provider, baseUrl, basePath, csrfToken } = req.options
   try {
-    if (!provider.protection.includes('state')) { // Provider does not support state, nothing to do.
+    if (!provider.protection?.includes('state')) { // Provider does not support state, nothing to do.
       return
     }