NextAuth passes static redirect_uri from provider config during token exchange — not current domain

[CodeWizardHemant]

I'm running into a problem when using NextAuth.js with a custom provider (Duende IdentityServer6) in a multi-subdomain setup (e.g., admin.hemant.com, app.hemant.com, etc.).

🔍 The issue

When using a dynamic provider like this:

(req) =>
  DuendeIdentityServer6({
    issuer: getBaseUrl(req),
    authorization: {
      url: `${getBaseUrl(req)}/connect/authorize`,
      params: { scope: "openid profile offline_access" },
    },
    token: `${getBaseUrl(req)}/connect/token`,
    callbackUrl: `${getBaseUrl(req)}/api/auth/callback/duende-identity-server6`,
    idToken: true,
  })

...NextAuth still sends the redirect_uri from the static provider config (likely from provider.callbackUrl or fallback to NEXTAUTH_URL) — even though I expected it to be based on the request’s current subdomain (req.headers.host).

---

🧵 Evidence (code reference)

Looking at the internal code, the token exchange uses:

let redirect_uri = provider.callbackUrl;
if (!options.isOnRedirectProxy && provider.redirectProxyUrl) {
  redirect_uri = provider.redirectProxyUrl;
}

This means it always uses callbackUrl from the static provider config, rather than dynamically resolving it from the request like getBaseUrl(req), even if the provider is defined as a function.

---

⚠️ Result

This leads to:

• invalid_grant or invalid_redirect_uri errors from IdentityServer

---

💬 Questions

1. Is there a way to override redirect_uri at runtime, just like we can for token, authorization, and userinfo?
2. Can provider.callbackUrl or the internal token handler respect the incoming request context (req.headers.host)?

---

🧪 Setup

• NextAuth: 5.0.0-beta.27
• Next.js: App Router
• Deployment: multiple subdomains (*.hemant.com)
• Provider: Duende IdentityServer6 (OIDC)

---

Any suggestions would be greatly appreciated. I'm happy to post a minimal repro if needed!

Thanks 🙏