How to handle appsecret_proof parameter in Facebook provider? #13130
Unanswered
marcinkrasowski asked this question in Help
Replies: 0 comments
Hi,
we have encountered a serious problem using the Facebook provider, with NextAuth v4.24.6 (but I believe the same would occur in v5) and Next v14.1.0 (though I don't believe Next's version affects it in any way).
Facebook allows configuring additional server-side security when calling its API by signing each request with the secret: https://developers.facebook.com/docs/facebook-login/security/#proof . We have verified that this option is the cause of the error we're getting when trying to use this provider (however the exact message is quite generic, sadly):
After disabling that option in the security area of the Facebook app, this problem disappears and we are able to go through the sign-in process, which I believe is enough to suggest that it is caused by exactly this setting.
So the question is, how can we handle this properly? Is it possible to extend the provider in some way to be able to manually add the appsecret_proof header to each request to https://graph.facebook.com? Generating the hash itself is probably not a problem, but I don't see any way we can inject it into every API call that happens "underneath" inside the openid-client library.
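One way to generate the proof the post asks about and attach it to the profile call, as an added example that is not part of the original post or of NextAuth's code. It assumes that the NextAuth v4 provider options accept a custom `userinfo.request` callback receiving `{ tokens, client, provider }`, and that openid-client's `client.userinfo(token, { params })` forwards `params` as query parameters; `appsecretProof`, `makeUserinfoRequest` and the environment variable names are hypothetical.

```javascript
// Added example; helper names are hypothetical, not NextAuth or Facebook APIs.
const { createHmac } = require("node:crypto");

// appsecret_proof = hex(HMAC-SHA256(key: app secret, message: access token)).
function appsecretProof(accessToken, appSecret) {
  if (!accessToken || !appSecret) {
    throw new Error("access token and app secret are both required");
  }
  return createHmac("sha256", appSecret).update(accessToken).digest("hex");
}

// Returns a function shaped like NextAuth v4's `userinfo.request` callback
// (assumption). It reuses the openid-client instance NextAuth passes in and
// adds the proof to the query parameters of the profile call.
function makeUserinfoRequest(appSecret) {
  return async function request({ tokens, client, provider }) {
    const params = {
      ...(provider.userinfo?.params ?? {}),
      appsecret_proof: appsecretProof(tokens.access_token, appSecret),
    };
    return client.userinfo(tokens.access_token, { params });
  };
}

// Assumed wiring in the NextAuth options (server side only; the environment
// variable names are placeholders):
//   FacebookProvider({
//     clientId: process.env.FACEBOOK_CLIENT_ID,
//     clientSecret: process.env.FACEBOOK_CLIENT_SECRET,
//     userinfo: {
//       url: "https://graph.facebook.com/me",
//       params: { fields: "id,name,email,picture" },
//       request: makeUserinfoRequest(process.env.FACEBOOK_CLIENT_SECRET),
//     },
//   })
```

The proof is derived from the app secret, so it has to be computed in server-side code only and never in anything shipped to the browser.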