nextauthjs/next-auth

Keep getting redirected with error: OAuthAccountNotLinked

Closed this issue Β· 48 comments

alex-cory commented

Describe the bug
In your next-auth-example, default login screen (http://localhost:3000/api/auth/signin)

  1. I added TWITTER_ID and TWITTER_SECRET and DATABASE_URL to .env.local
  2. added all these callback URLs to twitter since they changed:
  3. did all the initial stuff: yarn && yarn add mongodb && yarn dev
  4. click sign in, then click login to twitter
  5. once it redirects back to /api/auth/callback/twitter instead of redirecting back to the home screen, it goes to /api/auth/error?error=OAuthAccountNotLinked then /api/auth/signin?error=OAuthAccountNotLinked
    image

I noticed that when I console.log in the signIn callback I still get the twitter data.
image

Am I missing something here or is this a bug? Because I'm getting the same issue in my personal app.

Documentation feedback
Documentation refers to searching through online documentation, code comments and issue history. The example project refers to next-auth-example.

  • Found the documentation helpful
  • Found documentation but was incomplete
  • Could not find relevant documentation
  • Found the example project helpful
  • Did not find the example project helpful
iaincollins commented

This is the error page displayed for the OAuthAccountNotLinked:

error

If you see OAuthAccountNotLinked it means you have already signed in with a different provider that is associated with the same email address.

  • πŸ‘37
  • ❀️2
alex-cory commented

Ah, but I only have signed in with Twitter. That's the only Provider I have with my app besides email AND I have only used this email via twitter oauth.
image

  • πŸ‘2
  • πŸ˜•1
alex-cory commented

In fact I only have 1 account in my entire accounts collection, and that is the twitter signin for this user.

alex-cory commented

Btw, I don't have this problem in 2.2.0

  • πŸ˜•2
alex-cory commented

I also wanted to say that I think this is a great library and I really appreciate all your hard work. πŸ‘πŸ‘πŸ‘

  • πŸ‘56
iaincollins commented

I am not able to replicate this issue.

  • I can sign in with Twitter OAuth account, signed out, then sign back in.
  • I have explicitly tired this with a MongoDB database.
  • This can be confirmed using the example project.

I can only suggest enabling debug: true option and seeing if your database connection is throwing any errors or unexpected behaviour.

iaincollins commented

added all these callback URLs to twitter since they changed:
http://localhost:3000/api/auth/callback/twitter
http://localhost:3000/auth/oauth/twitter/callback <- old docs said this (came up when I searched "twitter" on next-auth.js.og)

To confirm, the callback API has not changed between version 2 and version 3. The documentation for providers is correct: https://next-auth.js.org/configuration/providers#using-a-built-in-provider

The second callback URL format is for version 1 which was released in 2016-2017. At the top of the page it says "WARNING This documentation is for version 1 which is no longer supported."

^ Edit: It might be worth us removing the v1 one docs from the website if they are coming up in search results above more relevant results.

  • πŸ‘1
iaincollins commented

Btw, I don't have this problem in 2.2.0

Hmm that's interesting.

Can you replicate this issue with the example project?

iaincollins commented

PS: My suspicion here is that it might be a weird interaction with the Atlas Mongo instance. I no longer have an active mongo.net instance to hand to test it, but it would be worth identifying if the same issue be replicated with the example project. If it can it's probably related to the database connection in some way.

alex-cory commented

I will test the example project right now and report back

  • πŸ‘1
iaincollins commented

Thanks! If you do get the same issue, any information you can provide about the database / connection type (including example of the connection info, minus sensitive info) would be very helpful.

alex-cory commented

It works with 2.2.0 in the example.
image
My .env.local looks like

NEXTAUTH_URL=http://localhost:3000
SECRET=
AUTH0_ID=
AUTH0_SECRET=
AUTH0_DOMAIN=
FACEBOOK_ID=
FACEBOOK_SECRET=
GITHUB_ID=
GITHUB_SECRET=
GOOGLE_ID=
GOOGLE_SECRET=
TWITTER_ID=my-twitter-id
TWITTER_SECRET=my-twitter-secret
EMAIL_SERVER=smtp://username:password@smtp.example.com.com:587
EMAIL_FROM=NextAuth <noreply@example.com>
DATABASE_URL=mongodb+srv://username:password@clusterName.u01ei.mongodb.net/database-name?retryWrites=true&w=majority&synchronize=true
iaincollins commented

I can't replicate an issue with the example project, using MongoDB and Twitter. I don't have any problems signing in, signing out and then back in again.

The example uses 3.x. Did you downgrade the version of it? Can you replicate the issue raise with the example project, running 3.x?

iaincollins commented

^ Sorry hit save prematurely (was on mobile).

Thinking about it, if it's just a test account I'd be included to drop those collections and just re-create it again (and use v3).

I have absolutely no idea what would be causing this. I've spun up a mongo.net service on Atlas and still can't replicate it.

alex-cory commented

I'll drop and try again. Yes, I downgraded and checked in yarn.lock to make sure it was 2.2.0.

alex-cory commented

You were correct. It was the DB. Weird... So sorry I drug you through all this. I should've tried that from the get go.

I also tried your example with a fresh DB and it worked. Didn't try a new collection within the same db, but I'd assume it would work with one.

  • πŸ‘6
  • πŸŽ‰3
  • πŸš€3
codewithnathan97 commented

Hi @iaincollins I just found the same error when testing oauth with Google and Github. I'm wondering is there a way to connect both providers to the same user instead of rejecting it? So sign in with Google and sign in with Github will go to the same user account.

  • πŸ‘40
fzxu commented

I got the same error if both facebook and google has the same email. It's better to provide option to merge user.

  • πŸ‘8
codewithnathan97 commented

@fzxu I've been tinkering with this since yesterday. Until the library handles the merge, I think you need to handle the sign-in process yourself

I've tried writing the SignIn callback configurations, but it seems to be called after the DB operation is resolved.
The next option is updating the next-auth.functions.js to see if it works.

iaincollins commented

@nsebhastian @fzxu

Please feel free to open a new issue if you have a question about why something works a particular way.

This has come up before so I've raised a PR which addresses it in the FAQ:

When I sign in with another account with the same email address, why are accounts not linked automatically?

Automatic account linking on sign in is not secure between arbitrary providers - with the exception of allowing users to sign in via an email addresses as a fallback (as they must verify their email address as part of the flow).

When an email address is associated with an OAuth account it does not necessarily mean that it has been verified as belonging to account holder β€” how email address verification is handled is not part of the OAuth specification and varies between providers (e.g. some do not verify first, some do verify first, others return metadata indiciating the verification status).

With automatic account linking on sign in, this can be exploited by bad actors to hijack accounts by creating an OAuth account associated with the email address of another user.

For this reason it is not secure to automatically link accounts between abitrary providers on sign in, which is why this feature is generally not provided by authentication service and is not provided by NextAuth.js.

Automatic acccount linking is seen on some sites, sometimes insecurely. It can be technically possible to do automatic account linking securely if you trust all the providers involved to ensure they have securely verified the email address associated with the account, but requires placing trust (and transfering the risk) to those providers to handle the process securely.

Examples of scenarios where this is secure include with an OAuth provider you control (e.g. that only authorizes users internal to your organization) or with a provider you explicitly trust to have verified the users email address.

Automatic account linking is not a planned feature of NextAuth.js, however there is scope to improve the user experience of account linking and of handling this flow, in a secure way. Typically this involves providing a fallback option to sign in via email, which is already possible (and recommended), but the current implementation of this flow could be improved on.

Providing support for secure account linking and unlinking of additional providers - which can only be done if a user is already signed in already - was origionally a feature in v1.x but has not been present since v2.0, is planned to return in a future release.

  • πŸ‘37
  • πŸ‘€2
mattzuckermann commented

You were correct. It was the DB. Weird... So sorry I drug you through all this. I should've tried that from the get go.

I also tried your example with a fresh DB and it worked. Didn't try a new collection within the same db, but I'd assume it would work with one.

This also worked for me. Thanks so much everyone!

spsaucier-bakkt commented

I'm having this issue with a new user account using email only with Auth0 (no other oauth providers are enabled), and using a brand new database isn't a possibility. Is there an alternative to that fix?

  • πŸ‘3
spsaucier-bakkt commented

Actually, it appears to work correctly when using session instead of database, i.e.:

  session: {
    // Use JSON Web Tokens for session instead of database sessions.
    jwt: true, 
    
    // Seconds - How long until an idle session expires and is no longer valid.
    maxAge: 30 * 24 * 60 * 60, // 30 days
  },
vorcigernix commented

I have a same problem with google only setup with version 3.4.2. Using session as suggested by @spsaucier-bakkt didn't help. I don't see anything useful in debug. We do use a custom User model in a project though.

balazsorban44 commented

@vorcigernix please open a new bug report with a complete reproduction, so we can help you, thanks!

ahallora commented

I got this error OAuthAccountNotLinked when I had signed up with my facebook login and then trying to log in with my google account (both of them using the same email).

According to the documentation:

OAuthAccountNotLinked: If the email on the account is already linked, but not with this OAuth account

The reason for not just merging the two Oauth accounts is stated here:

[...] it is not secure to automatically link accounts between arbitrary providers on sign in, which is why this feature is generally not provided by authentication service and is not provided by NextAuth.js.

➑️ TLDR; it's not possible to log in with more than one OAuth provider (using the same email), but it IS possible to log in with an OAuth provider AND use email login (using the same email).

For the best user experience signin page should warn the user that this user is already linked with another provider and encourage the user to either use that OAuth provider instead or log in with email. I'm still to figure out where to catch the OAuthAccountNotLinked and perform proper redirects back to signin, but I will update this post once I figure it out. πŸ˜…

  • ❀️21
mrgoonie commented

@ahallora have you tried this one: https://simplernerd.com/next-auth-custom-error-page/

  • ❀️7
  • πŸ‘€1
nimeshmaharjan1 commented

I am getting this OAuthAccountNotLinked when trying to login with github. But if I get this error I wish it would redirect or do anything but its just stuck in the login page with no session I think I am doing something wrong.

swiftcc624 commented

please use allowDangerousEmailAccountLinking: true

https://next-auth.js.org/configuration/providers/oauth

  • πŸ‘38
  • ❀️9
domharrington commented

I was getting this error (OAuthAccountNotLinked) with the following dependencies:

next-auth@^4.10.3
@next-auth/mongodb-adapter@^1.0.4

It's only when I enabled the debug option that I saw the following come up in the logs during another failed signin attempt:

[next-auth][error][OAUTH_CALLBACK_HANDLER_ERROR]
https://next-auth.js.org/errors#oauth_callback_handler_error E11000 duplicate key error collection: next-auth-db.accounts index: accounts_provider_provider_account_id_key dup key: { provider: "github", provider_account_id: null } MongoServerError: E11000 duplicate key error collection: next-auth-db.accounts index: accounts_provider_provider_account_id_key dup key: { provider: "github", provider_account_id: null }
    at /code/node_modules/mongodb/lib/operations/insert.js:53:33
    at /code/node_modules/mongodb/lib/cmap/connection_pool.js:299:25
    at /code/node_modules/mongodb/lib/sdam/server.js:212:17
    at handleOperationResult (/code/node_modules/mongodb/lib/sdam/server.js:287:20)
    at Connection.onMessage (/code/node_modules/mongodb/lib/cmap/connection.js:219:9)
    at MessageStream.<anonymous> (/code/node_modules/mongodb/lib/cmap/connection.js:60:60)
    at MessageStream.emit (events.js:400:28)
    at processIncomingData (/code/node_modules/mongodb/lib/cmap/message_stream.js:132:20)
    at MessageStream._write (/code/node_modules/mongodb/lib/cmap/message_stream.js:33:9)
    at writeOrBuffer (internal/streams/writable.js:358:12) {
  name: 'LinkAccountError',
  code: 11000
}

What stood out to me here is that provider_account_id is not what the property is called anymore, it is now called providerAccountId. This changed in NextAuth v4 compared to v3: https://next-auth.js.org/getting-started/upgrade-v4#schema-changes

On further investigation, I appeared to have a unique index setup in the database for a property that wasn't being used anymore:

Untitled

This meant that only a single account could ever be present in the database 😬 I've inherited this project/database so I'm not sure where that came from. Does this module ever create the indexes for you? Has that ever been a feature? It would've been nice if NextAuth bubbled up the appropriate error to the surface, at least on development, instead of hiding it behind a generic error code.

I hope this helps someone else in this situation! Thanks again for the module.

fjprobos-divisin commented

please use allowDangerousEmailAccountLinking: true

https://next-auth.js.org/configuration/providers/oauth

I don't see this option as available. I am using next-auth": "^4.10.3

  • πŸ‘3
  • πŸš€3
leonardomso commented

please use allowDangerousEmailAccountLinking: true
https://next-auth.js.org/configuration/providers/oauth

I don't see this option as available. I am using next-auth": "^4.10.3

You should pass the allowDangerousEmailAccountLinking option to your provider, like this:

GoogleProvider({
    clientId: process.env.GOOGLE_CLIENT_ID || '',
    clientSecret: process.env.GOOGLE_CLIENT_SECRET || '',
    allowDangerousEmailAccountLinking: true,
}),
  • πŸ‘18
stevenirby commented

allowDangerousEmailAccountLinking: true,

Thank you! This worked for me.

  • πŸ‘1
kirtirajsinh commented

I'm getting the same error. While trying to create a user data on the database.
Here's my code:

import { getServerSession } from "next-auth";
import { PrismaAdapter } from "@next-auth/prisma-adapter";
import { prisma } from "./db";
import GoogleProvider from "next-auth/providers/google";

export const authOptions = {
  callbacks: {
    async signIn({ user, account, session }) {
      try {
        console.log(account, "account");
        console.log(user, "user");
        console.log(session, "session");
        // Check if the OAuth account is already linked to an existing user account
        const linkedAccount = await prisma.user.findUnique({
          where: {
            email: user.email,
          },
        });

        console.log(linkedAccount, "linkedAccount");

        if (linkedAccount) {
          // If the OAuth account is already linked, return the corresponding user
          return true;
        } else {
          // If the OAuth account is not linked, create a new user account and link it to the OAuth account
          const newUser = await prisma.user.create({
            data: {
              name: user.name,
              email: user.email,
              image: user.image,
              token: 0.1,
            },
          });

          // Return the newly created user
          return true;
        }
      } catch (error) {
        console.error(error);
        return false;
      }
    },
  },

  adapter: PrismaAdapter(prisma),
  secret: process.env.NEXTAUTH_SECRET,
  providers: [
    GoogleProvider({
      clientId: process.env.GOOGLE_CLIENT_ID,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
    }),
  ],
};

export const getServerAuthSession = (ctx) => {
  return getServerSession(ctx.req, ctx.res, authOptions);
};

It works if I don't add a callback it. But I added it because I need the token field to be added. Now I'm getting error=OAuthAccountNotLinked. if someone has resolved it can you help this fellow dev out.

  • πŸ‘€2
pedroferreira37 commented

I ran into this issue, what works for me was defining the provider id, check below:

providers: [
>     GoogleProvider({
>       id: "google",
>       name: "Google",
>       clientId: process.env.GOOGLE_CLIENT_ID,
>       clientSecret: process.env.GOOGLE_SECRET_KEY,
>     }),
>   ],
shahbhavik01 commented

kirtirajsinh

I have a very similar setup to you and am getting the above error too. Were you able to resolve this?

nimeshmaharjan1 commented
fjprobos-divisin commented

please use allowDangerousEmailAccountLinking: true
https://next-auth.js.org/configuration/providers/oauth

I don't see this option as available. I am using next-auth": "^4.10.3

You should pass the allowDangerousEmailAccountLinking option to your provider, like this:

GoogleProvider({
    clientId: process.env.GOOGLE_CLIENT_ID || '',
    clientSecret: process.env.GOOGLE_CLIENT_SECRET || '',
    allowDangerousEmailAccountLinking: true,
}),

Thanks for your reply, I needed to update Next.js and then next-auth. Now I am using next-auth 4.20.1 and next 12.3.4 and the property is part of the social provider.

  • πŸ‘1
kirtirajsinh commented

share the code with you in a bit I did something with prisma.upsert if the ac

pls, do share. I'm still stuck on the same issue.

nimeshmaharjan1 commented
nimeshmaharjan1 commented
leo-petrucci commented

You should pass the allowDangerousEmailAccountLinking option to your provider, like this:

Oh my god I love you

  • πŸ‘1
0xw5555 commented

I am getting this OAuthAccountNotLinked when trying to login with DISCORD . its just stuck in the login page with no session & can’t enter a giveaway without connecting my discord account. Any idea how to fix it ?

Mirasaki commented

I was having this issue as well, and in the hopes this will help at least someone: Using the Prisma adapter, I had a seeder populating the database with our administrators (users, roles, permissions, etc.) which ended up causing this. The User was being created with the default cuid() id value, instead of the (selected) provider user id.

unknwOO commented

I was having this issue as well, and in the hopes this will help at least someone: Using the Prisma adapter, I had a seeder populating the database with our administrators (users, roles, permissions, etc.) which ended up causing this. The User was being created with the default cuid() id value, instead of the (selected) provider user id.

Hey man, I am having this issue right now with the next auth v5 beta, what did you do to solve the problem of prisma adapter generating the default cuid? Thank you really much

Ydin0 commented

I was having this issue as well, and in the hopes this will help at least someone: Using the Prisma adapter, I had a seeder populating the database with our administrators (users, roles, permissions, etc.) which ended up causing this. The User was being created with the default cuid() id value, instead of the (selected) provider user id.

Can you expand on this i am stuck on this issue been trying to solve for a long time now

nimeshmaharjan1 commented
  • πŸ‘Ž6
  • πŸ‘€1
BrunoLagoa commented

add allowDangerousEmailAccountLinking: true,

GoogleProvider({
      clientId: process.env.GOOGLE_CLIENT_ID,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
      allowDangerousEmailAccountLinking: true,
      authorization: {
        params: {
          prompt: "consent",
          access_type: "offline",
          response_type: "code",
        },
      },
    }),
  • πŸ‘2