Error when trying to authenticate via OAuth 2.0 with Next-Auth

I want to authenticate with OAuth 2.0 to our Atlassian Cloud Instance.

I use the Next-Auth lib with the Atlassian provider to do that.
I have set up everything (see below) and it routes me first to that url:

https://auth.atlassian.com/login?state=hKFo2SBKODVVMzVfY3NLbUsyMHhCcG15QXhnYkdMSHFiT1QwZaFupWxvZ2luo3RpZNkgMjVnRWhORTlFODJTelhhN3JXOVZONlY4SXV3akJ6cWKjY2lk2SBKclZnbERXSFQycndNaGtKSnNhNFQ3eThtZ05mRVQ3cg&client=XXX&protocol=oauth2&prompt=consent&scope=openid&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fcallback%2Fatlassian&audience=api.atlassian.com

and then to that url, which shows an error.

https://api.atlassian.com/oauth2/authorize/consent?state=hKFo2SBaM2VSclE4eEtyVXZURXhlSDg3alRWN3lXX1JlcE5TT6Fup2NvbnNlbnSjdGlk2SBvRlVmZE9rejJvbVJ6VFVuOEdmTEx1dzhQYlg1ZkRZeqNjaWTZIEpyVmdsRFdIVDJyd01oa0pKc2E0VDd5OG1nTmZFVDdy

As there is no further information available on the page above, I have no idea what's wrong here.
So hopefully I can get some help here.

That's my config for the NextAuth provider:

import NextAuth from "next-auth"
import AtlassianProvider from "next-auth/providers/atlassian"

export default NextAuth({
  // Configure one or more authentication providers
  providers: [
    AtlassianProvider({
      clientId: process.env.ATLASSIAN_CLIENT_ID,
      clientSecret: process.env.ATLASSIAN_CLIENT_SECRET,
      scope: "write:jira-work read:jira-work read:jira-user offline_access read:me"
    }),
  ],
})

Welcome to the Atlassian developer community @PierreKrohmer,

The 2nd URL that shows you an error is not enough information. Only you can see that error on that page because it requires a login (the 1st URL). Errors on this page are specific to your client id and user. Can you share a screenshot or text of the error?

@ibuchanan Sure. But the value of that information is very low.

Oh, that error. :confused:

I’m not sure how next-auth works but I assume the first URL is after a redirect from https://auth.atlassian.com/authorize. But let’s peel off the parameters because those would cause this error.

:white_check_mark: state= This is app generated content. I assume generated by next-auth. In any case, the example value you provided works for me.
:question: client= This parameter is wrong. It should be client_id. But I think this is copy/paste error into this website because using client instead of client_id causes a different error.
:question: protocol=oauth2 This parameter is not specified for Atlassian’s 3LO. In my testing, this parameter is ignored and, to my knowledge, all extra parameters are ignored. I suspect next-auth is adding this parameter but that suggests the Atlassian provider is not well-tested.
:white_check_mark: prompt=consent Correct according to Atlassian specification.
:x: scope=openid That’s not a valid scope. My testing indicates this will cause the problem you observe.
:white_check_mark: response_type=code Correct according to Atlassian specification.
:white_check_mark: redirect_uri= The next-auth docs for the Atlassian provider indicate you should use the value you have provided. That doesn’t cause any errors yet; certainly not the one you are seeing.
:white_check_mark: audience=api.atlassian.com Correct according to Atlassian specification.

I don’t know anything about next-auth but I tried searching the docs and I can’t find where that scope value comes from. Sorry I can’t help more.
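The parameter-by-parameter check from the reply above, written as a small script (an added example, not part of the original posts and not next-auth or Atlassian code). The function name `checkAuthorizeUrl`, the sample URL with its shortened `state`, and the rule that the `scope` sent must equal the scopes in the provider config are assumptions made for this illustration.

```javascript
// Added example: audit the query string of an OAuth 2.0 authorization URL
// against the per-parameter expectations listed in the reply above.

// Scopes from the provider config in the question.
const CONFIG_SCOPES =
  "write:jira-work read:jira-work read:jira-user offline_access read:me".split(" ");

// Constructed sample: the first URL from the question with a shortened state.
const SAMPLE_URL =
  "https://auth.atlassian.com/login?state=CONSTRUCTED_STATE&client=XXX" +
  "&protocol=oauth2&prompt=consent&scope=openid&response_type=code" +
  "&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fapi%2Fauth%2Fcallback%2Fatlassian" +
  "&audience=api.atlassian.com";

function checkAuthorizeUrl(rawUrl, configScopes = CONFIG_SCOPES) {
  const params = new URL(rawUrl).searchParams;
  const findings = [];
  const add = (level, param, message) => findings.push({ level, param, message });

  // Values the reply marks as correct for Atlassian's 3LO flow.
  const fixed = { audience: "api.atlassian.com", response_type: "code", prompt: "consent" };
  for (const [name, want] of Object.entries(fixed)) {
    if (params.get(name) !== want) add("error", name, `expected "${want}"`);
  }
  // Required parameters whose value is app-specific.
  for (const name of ["client_id", "state", "redirect_uri"]) {
    if (!params.get(name)) add("error", name, "missing or empty");
  }
  // Assumed rule: the scopes sent must be exactly the scopes configured.
  const sent = (params.get("scope") || "").split(/\s+/).filter(Boolean);
  const same = sent.length === configScopes.length &&
    configScopes.every((s) => sent.includes(s));
  if (!same) add("error", "scope", `sent "${sent.join(" ")}", config asks for "${configScopes.join(" ")}"`);

  // Anything else is outside the parameters the reply walks through.
  const known = new Set([...Object.keys(fixed), "client_id", "state", "redirect_uri", "scope"]);
  for (const name of new Set(params.keys())) {
    if (!known.has(name)) add("warn", name, "unexpected parameter");
  }
  return findings;
}

for (const f of checkAuthorizeUrl(SAMPLE_URL)) {
  console.log(`${f.level.toUpperCase()} ${f.param}: ${f.message}`);
}
```

Run against the URL a library actually sends (copied from the browser's address bar), this shows at a glance whether the scopes in the config reached the authorization request.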

@ibuchanan Thanks for digging into this. I will check your remarks and hope I can solve that.

Do you have a recommendation for a JavaScript library which does the authentication with Atlassian OAuth?

@PierreKrohmer,

Sorry, I don’t have any recommendations. At this point, I haven’t had a need to explore available JavaScript libraries. Most of my work just keeps me at the level of raw HTTP requests with Insomnia or HTTPie.