nextauthjs · balazsorban44 · Nov 7, 2020 · Nov 7, 2020 · Dec 5, 2020 · Dec 30, 2020
diff --git a/src/server/lib/oauth/callback.js b/src/server/lib/oauth/callback.js
@@ -83,7 +83,7 @@ export default async (req, provider, csrfToken, callback) => {
             results.id_token,
             async (error, profileData) => {
               const { profile, account, OAuthProfile } = await _getProfile(error, profileData, accessToken, refreshToken, provider, user)
-              callback(error, profile, account, OAuthProfile)
+              callback(error, profile, account, OAuthProfile, results.id_token)
             }
           )
         } else {
@@ -96,7 +96,7 @@ export default async (req, provider, csrfToken, callback) => {
             results,
             async (error, profileData) => {
               const { profile, account, OAuthProfile } = await _getProfile(error, profileData, accessToken, refreshToken, provider)
-              callback(error, profile, account, OAuthProfile)
+              callback(error, profile, account, OAuthProfile, results.id_token)
             }
           )
         }

diff --git a/src/server/routes/callback.js b/src/server/routes/callback.js
@@ -32,7 +32,7 @@ export default async (req, res, options, done) => {
 
   if (type === 'oauth') {
     try {
-      oAuthCallback(req, provider, csrfToken, async (error, profile, account, OAuthProfile) => {
+      oAuthCallback(req, provider, csrfToken, async (error, profile, account, OAuthProfile, idToken) => {
         try {
           if (error) {
             logger.error('CALLBACK_OAUTH_ERROR', error)
@@ -68,7 +68,7 @@ export default async (req, res, options, done) => {
           }
 
           try {
-            const signInCallbackResponse = await callbacks.signIn(userOrProfile, account, OAuthProfile)
+            const signInCallbackResponse = await callbacks.signIn(userOrProfile, account, OAuthProfile, idToken)
             if (signInCallbackResponse === false) {
               return redirect(`${baseUrl}${basePath}/error?error=AccessDenied`)
             }
@@ -90,7 +90,7 @@ export default async (req, res, options, done) => {
               picture: user.image,
               sub: user.id?.toString()
             }
-            const jwtPayload = await callbacks.jwt(defaultJwtPayload, user, account, OAuthProfile, isNewUser)
+            const jwtPayload = await callbacks.jwt(defaultJwtPayload, user, account, OAuthProfile, isNewUser, idToken)
 
             // Sign and encrypt token
             const newEncodedJwt = await jwt.encode({ ...jwt, token: jwtPayload })

diff --git a/www/docs/configuration/callbacks.md b/www/docs/configuration/callbacks.md
@@ -16,7 +16,7 @@ You can specify a handler for any of the callbacks below.
 ```js title="pages/api/auth/[...nextauth].js"
 ...
   callbacks: {
-    signIn: async (user, account, profile) => {
+    signIn: async (user, account, profile, idToken) => {
       return Promise.resolve(true)
     },
     redirect: async (url, baseUrl) => {
@@ -25,7 +25,7 @@ You can specify a handler for any of the callbacks below.
     session: async (session, user) => {
       return Promise.resolve(session)
     },
-    jwt: async (token, user, account, profile, isNewUser) => {
+    jwt: async (token, user, account, profile, isNewUser, idToken) => {
       return Promise.resolve(token)
     }
 ...
@@ -44,6 +44,7 @@ callbacks: {
    * @param  {object} user     User object
    * @param  {object} account  Provider account
    * @param  {object} profile  Provider profile 
+   * @param  {string} idToken  OpenID Connect `id_token` returned by compliant Providers
    * @return {boolean}         Return `true` (or a modified JWT) to allow sign in
    *                           Return `false` to deny access
    */
@@ -165,6 +166,7 @@ callbacks: {
    * @param  {object}  account   Provider account (only available on sign in)
    * @param  {object}  profile   Provider profile (only available on sign in)
    * @param  {boolean} isNewUser True if new user (only available on sign in)
+   * @param  {string}  idToken   OpenID Connect `id_token` returned by compliant Providers (only available on sign in)
    * @return {object}            JSON Web Token that will be saved
    */
   jwt: async (token, user, account, profile, isNewUser) => {

diff --git a/www/docs/configuration/options.md b/www/docs/configuration/options.md
@@ -230,7 +230,7 @@ You can specify a handler for any of the callbacks below.
 
 ```js
 callbacks: {
-  signIn: async (user, account, profile) => {
+  signIn: async (user, account, profile, idToken) => {
     return Promise.resolve(true)
   },
   redirect: async (url, baseUrl) => {
@@ -239,7 +239,7 @@ callbacks: {
   session: async (session, user) => {
     return Promise.resolve(session)
   },
-  jwt: async (token, user, account, profile, isNewUser) => {
+  jwt: async (token, user, account, profile, isNewUser, idToken) => {
     return Promise.resolve(token)
   }
 }