Is it possible to use next-auth behind a proxy?

[khuezy]

Please refer to the documentation, the example project and existing issues before creating a new issue.

Your question
Hi, is it possible to run next-auth behind a proxy app?

What are you trying to do
I have the nextjs app running on :3000 and it sits behind a proxy on :8000.
I would like the /api/auth callback to redirect to the proxy:8000 instead of :3000.

Documentation feedback
Documentation refers to searching through online documentation, code comments and issue history. The example project refers to next-auth-example.

• Found the documentation helpful
• Found documentation but was incomplete
• Could not find relevant documentation
• Found the example project helpful
• Did not find the example project helpful

Thanks!

[jsphkhan]

I guess you can use Nginx and proxy pass calls to 3000

http {

    include mime.types;

    upstream all {
        server nextapp:3000;
    }

    server {
        listen 8080;

        # this will proxy the root call as well as
        # the api calls eg. /api/auth/login, /api/auth/logout
        location / {
            proxy_pass http://all;
        }
    }
}

events {

}

So every call to localhost:8080/* will be proxied.

[khuezy]

Thanks for the suggestion @jsphkhan , the issue I'm having is that the next-auth is redirecting to the SITE port :3000 but I need it to redirect back to the proxy port. When I set the SITE to the proxy, the next-auth seems to fail via CONNECTION REFUSED.

[jsphkhan]

@khuezy Aah, ok got it. I will give that a try and let you know...

[iaincollins]

@khuezy

If the proxy URL is valid (e.g. http://localhost:8000) then you can just specify that as your site URL.

Can you give examples of what your production URLs look like and an idea what the proxy config does?

I assume you are not running URLs like https://example.com:8000 and https://example.com:3000 in production?

[khuezy]

@iaincollins
My production URL is https://example.com (nginx handles the SSL and proxies / to the proxy:8000)
But that isn't my issue (yet), I'm trying next-auth in dev where I'm access everything through my proxy:8000.

My proxy setup running on PORT 8000:
app.use('/api/auth', proxy(process.env.APP_HOST, '/api/auth') <=== nextjs /api/auth endpoint
app.use('/api', proxy(process.env.API_HOST, '/api')) <=== API
app.use('/auth', proxy(process.env.AUTH_HOST, '/auth')) <=== Auth/session server (seeing if I could replace this w/ next-auth)
app.use('/', httpProxy(process.env.APP_HOST)) <=== Nextjs app PORT=3000

When I set the SITE to 8000, next-auth has issues connecting to /api/auth/session (127.0.0.1 connection refused).
Thanks for the reply!

[crisgarlez]

I have the same problem how did you finish this?

[khuezy]

It's been a while since and I've moved on to a serverless arch. Maybe this will help: #387 (comment)

[zimonitrome]

Did you solve it this way @crisgarlez?

[iaincollins]

My production URL is https://example.com (nginx handles the SSL and proxies / to the proxy:8000)
But that isn't my issue (yet), I'm trying next-auth in dev where I'm access everything through my proxy:8000.

1. Can you access http://localhost:8000/api/auth/session in a browser? You should get an empty object back (i.e. {}).

You should also be able to get a response from http://localhost:8000/api/auth/providers.

2. Are you running any of this inside a Docker container?

[dendisuhubdy]

1. yes but I don't get back an empty object
2. Yes I am running this inside a docker container, what solution did you figure out @iaincollins @khuezy ?

[khuezy]

1. Yes, I do get back a response when I access that URL
2. Yes, each of those services are inside their Docker container.

[iaincollins]

Ah, so if it's running in a Docker container then http://localhost:8000 from the perspective of the Docker container NextAuth.js is running in will be localhost inside that same Docker container.

[khuezy]

You're correct. From the perspective of the next-auth site: http://localhost:8000/api/auth/session, which doesn't exist.
I'm calling getSession inside getInitialProps which runs on the server so the URL must be absolute.

One way around this is to set the site to be on the nextjs app site (PORT 3000) and add a REDIRECT_URL that redirects to the host localhost:8000

[zimonitrome]

I'm sorry but I don't understand how to do this. I'm using something very similar to this setup: https://github.com/nextauthjs/solid-start-auth-example/blob/main/src/routes/api/auth/%5B...solidauth%5D.ts

Can I set the site and REDIRECT_URL somewhere in this auth config? Or are you talking about something that is specific to Express?

[iaincollins]

One way around this is to set the site to be on the nextjs app site (PORT 3000) and add a REDIRECT_URL that redirects to the host localhost:8000

I was trying to think of practical ways to work around this; that sounds like a good idea!

[spencerfornaciari]

So I am having an issue similar to this. I have it running in a docker container (port 8003, which forwards to 3000). Everything seems to forward correctly, except when I try and go to /api-example - there seems to be an error with getSession...I get null returned. If I go to /api/auth/session directly I get the correct info back.

When I look at the logs for the container when I go to api-example I see:
2020-08-24T19:57:21.001426285Z Session
2020-08-24T19:57:21.024260478Z [next-auth][error][client_fetch_error] [
2020-08-24T19:57:21.024295000Z 'http://example.com/api/auth/session',
2020-08-24T19:57:21.024301157Z FetchError: request to http://example.com/api/auth/session failed, reason: connect ECONNREFUSED 0.0.0.0:80
2020-08-24T19:57:21.024305345Z at ClientRequest. (/usr/src/app/node_modules/next/dist/compiled/node-fetch/index.js:1:147710)
2020-08-24T19:57:21.024309711Z at ClientRequest.emit (events.js:314:20)
2020-08-24T19:57:21.024313380Z at Socket.socketErrorListener (_http_client.js:469:9)
2020-08-24T19:57:21.024317075Z at Socket.emit (events.js:314:20)
2020-08-24T19:57:21.024320714Z at emitErrorNT (internal/streams/destroy.js:100:8)
2020-08-24T19:57:21.024324313Z at emitErrorCloseNT (internal/streams/destroy.js:68:3)
2020-08-24T19:57:21.024328008Z at processTicksAndRejections (internal/process/task_queues.js:80:21) {
2020-08-24T19:57:21.024331703Z type: 'system',
2020-08-24T19:57:21.024335269Z errno: 'ECONNREFUSED',
2020-08-24T19:57:21.024338825Z code: 'ECONNREFUSED'
2020-08-24T19:57:21.024342337Z }
2020-08-24T19:57:21.024345886Z ]
2020-08-24T19:57:21.024349463Z https://next-auth.js.org/errors#client_fetch_error

Similar to this, is there a way to customize what the session contains? By default it has the user (name, email, image), token, expiration. But I am not using name (I've customized this in my model - which is working), and I'd like to update that in the session data. Thanks.

I have also notice that if I use the nextauth_url as localhost:3000 it works in the docker container, but if I use a domain everything seems to work except this (including it registering that I'm still signed in).

[dendisuhubdy]

I got the same problem @spencerfornaciari how did you finish this?

[faizbyp]

AFAIK, next-auth doesn't support callback function for signIn. So I think there's no way to customize what the session contains.
What I'm doing for that is get some user info based on the user id (or username, or email) and add some data on an API response.

[archywillhe]

related: #676

[stale[bot]]

Hi there! It looks like this issue hasn't had any activity for a while. It will be closed if no further activity occurs. If you think your issue is still relevant, feel free to comment on it to keep ot open. Thanks!

[Californian]

I ran into this running in docker-compose as well, but finally found a solution.

I fixed this by setting the internal port that next runs on to the same as the external port it's mapped to, and using the internal server host:port for my auth service.

In particular, I'm using fusionauth as the auth provider, which is internally running on 9011 (but mapped to a different external port, e.g. 8000). I manually overrode a few options: {authorizationUrl: "auth.example.test", accessTokenUrl: "fusionauth:9011/acces-token/path", profileUrl: "fusionauth:9011/profile/path"}. I'm running behind a reverse proxy (traefik), hence the auth.example.test domain (which traefik sends to the fusionauth container). For next's config, I set my Dockerfile's EXPOSE to, e.g. EXPOSE 3001, and my npm run dev command maps to next dev -p $PORT, where $PORT is defined in my .env.local file.

Hope that helps!

I'll note that, between this frustration and the general lack of sane defaults for a lot of things/generally unfavorable developer experience, we've decided to switch back to Auth0.

[corysimmons]

@Californian I keep retracing your steps between Hasura, Docker, next-auth, etc. I think I'm literally making the same app as you.

[markers16123]

In my case using NEXTAUTH_URL INTERNAL solved the issue.
.env
NEXTAUTH_URL=http://localhost:8081 NEXTAUTH_URL_INTERNAL=http://localhost:3000
8081:8080 is the port map of the proxy (nginx) container, 3001:3000 is the port map of the nextjs container.

[Cygra]

Using a proxy with TUN mode works for me, e.g. https://github.com/clash-verge-rev/clash-verge-rev

有人接入 Google 登录一直失败的话，可以试一下 Clash Verge 的 TUN 模式。