NextAuth url?error=callback on production but working on localhost:3000/

[eleqtrasoft]

My development next auth google provider is working but on production (vercel) is gives an error=callback.

On production, I m still able to login with credentials but not with google provider

[amisir0219]

did you ever fix this? facing same issue :'(

[balazsorban44]

Hard to do anything without reproduction. You can see a working google example here: https://next-auth-example.vercel.app/

So most probably a user misconfiguration.

[anirudhmaddy]

I'm facing the same issue, did you guys figure out what was the problem?

I checked the configs in Vercel, Google, Code everywhere. I couldn't figure it out.

[emgrey02]

I'm using nextjs, next-auth, vercel, google provider and only on production I can't sign in to google. I can't figure out the issue. Has anyone found a solution?

[Enkronan]

Like someone mentioned above, quite hard to assist without reproduction. However, some of the issues/mistakes that I've faced with that setup were:

1. Forgot to update tokens in Vercel for prod env
2. It's easy to mistype the redirect url, and especially if you're using vercels generated urls
3. Remember that you may need to get your google oauth approved for prod (in google console)

[gmzi]

Same issue here, working fine on localhost:3000 but not in local production build. Context:

• Next.js 13.4.2
• next-auth 4.22.3

/pages/api/auth/[...nextauth].js:

import NextAuth from "next-auth";
import GithubProvider from "next-auth/providers/github"
import CredentialsProvider from "next-auth/providers/credentials";

const BASE_URL = process.env.NEXT_PUBLIC_BASE_URL;
const SAVE_TOKEN = process.env.NEXT_PUBLIC_SAVE_TOKEN;

export const authOptions = {
    providers: [
        CredentialsProvider({
            name: 'Credentials',
            credentials: {
                password: { label: "Password", type: "password" }
            },
            async authorize(credentials, req) {
                const res = await fetch(`${BASE_URL}/api/login`, {
                    method: 'POST',
                    body: JSON.stringify(credentials),
                    headers: {
                        "Content-Type": "application/json",
                        'Authorization': `Bearer ${SAVE_TOKEN}`
                    }
                })

                const user = await res.json()

                if (res.ok && user) {
                    return user
                }

                return null
            }
        })
    ], 
    callbacks: {
        async signIn({user, account, profile, email, credentials}){
            const isAllowed = true;
            if (isAllowed){
                return true
            } else {
                return '/editor/unauthorized'
            }
        }, 
        async redirect({ur, baseUrl}){
            return '/editor'
        }
    }
}

export default NextAuth(authOptions)

callbacks.signIn() executes in dev mode, not in prod build, same thing with callbacks.redirect()

Here's dashboard.js, where I'm trying to get a user signed in:

import { SignIn, SignOut } from "./actions";
import { getServerSession } from "next-auth";
import { authOptions } from "@/pages/api/auth/[...nextauth]"

export const dynamic = 'force-dynamic';

export default async function EditorMainPage() {
  let session;
  const [sessionRes] = await Promise.allSettled([getServerSession(authOptions)]);

  if (sessionRes.status === "fulfilled") {
    session = sessionRes.value;
  } else {
    console.error(sessionRes);
  }

  return (
    <div>
      {session ? <SignOut /> : <SignIn />}
    </div>
  )
}

actions.js:

'use client';

import { signIn, signOut } from 'next-auth/react';

export function SignOut() {
  return (
    <button onClick={() => signOut()}>
      → Sign out
    </button>
  );
}

export function SignIn() {
  return (
    <button onClick={() => signIn()}>
      <div>Sign in</div>
    </button>
  );
}

and these are the requests headers I'm getting in prod build only:

`
Request URL: http://localhost:3000/api/auth/callback/credentials,
Status Code: 302 Found

Request URL: http://localhost:3000/api/auth/error?error=fetch%20failed
Status Code: 304 Not Modified
`

[Apoorv3000]

did it got fixed cause i am getting the same thing with google provider in production

[rabiahmed8]

you need to change the auth url localhost:3000 in env file to the url on production

[parsa-mz]

I'm facing the same issue. Has anyone find any solution for this ?

[parsa-mz]

[Update]
I updated my next-auth to the latest version and changed a code a bit according to the new one (they've changed it compared to the older version that I was using like session, and NextAuthOptions), then it got fixed.

[gkhulbe4]

paste the source code link

[THamza]

Same issue here :(

[THamza]

My problem was that production database was not up to date. I'm using platnetscale where a branch is used for development and another branch for production.

To update the database schema, you can either create a migration:
npx prisma migrate dev --name init

then deploy it:
npx prisma migrate deploy

Or manually update the database url in your .env file and run
npx prisma db push

[riccardolinares]

My database in production is updated... I don't know I m getting this error too :/

[riccardolinares]

Same issue here. But until a couple of days ago everything was working smoothly. How is this even possible?

[riccardolinares]

The error seems to be there only from iOS mobile. I report the error:

[next-auth][error][adapter_error_deleteSession] 
https://next-auth.js.org/errors#adapter_error_deletesession 
Invalid `prisma.session.delete()` invocation:


An operation failed because it depends on one or more records that were required but not found. Record to delete does not exist. {
  message: '\n' +
    'Invalid `prisma.session.delete()` invocation:\n' +
    '\n' +
    '\n' +
    'An operation failed because it depends on one or more records that were required but not found. Record to delete does not exist.',
  stack: 'PrismaClientKnownRequestError: \n' +
    'Invalid `prisma.session.delete()` invocation:\n' +
    '\n' +
    '\n' +
    'An operation failed because it depends on one or more records that were required but not found. Record to delete does not exist.\n' +
    '    at zr.handleRequestError (/var/task/node_modules/@prisma/client/runtime/library.js:122:8308)\n' +
    '    at zr.handleAndLogRequestError (/var/task/node_modules/@prisma/client/runtime/library.js:122:7697)\n' +
    '    at zr.request (/var/task/node_modules/@prisma/client/runtime/library.js:122:7307)',
  name: 'PrismaClientKnownRequestError'
}
[next-auth][error][CALLBACK_EMAIL_ERROR] 
https://next-auth.js.org/errors#callback_email_error 
Invalid `prisma.session.delete()` invocation:


An operation failed because it depends on one or more records that were required but not found. Record to delete does not exist. PrismaClientKnownRequestError: 
Invalid `prisma.session.delete()` invocation:


An operation failed because it depends on one or more records that were required but not found. Record to delete does not exist.
    at zr.handleRequestError (/var/task/node_modules/@prisma/client/runtime/library.js:122:8308)
    at zr.handleAndLogRequestError (/var/task/node_modules/@prisma/client/runtime/library.js:122:7697)
    at zr.request (/var/task/node_modules/@prisma/client/runtime/library.js:122:7307) {
  name: 'DeleteSessionError',
  code: 'P2025'
}

[CPoffWebster]

I ran into this error before I added updated my environment variables on production.

[neelS-hah]

If you deploy from Vercel it overrides the environment variables defined within the UI with the file. I'd be careful with .env or .env.local too.

[irvanster]

There are several things to consider when deploying from local to production:

1. Set the OAuth 2.0 Client ID Callback Setting in the Google Console. Set the Authorized Redirect URI to the domain you are using.
   Don't: http://localhost:3000/api/auth/callback/google
   Do : https://example.com/api/auth/callback/google

2. Add NEXTAUTH_URL=https://example.com/ to the environment variables. This avoids the default callback from localhost:3000 to the actual production URL/domain. Reference: https://next-auth.js.org/configuration/options#nextauth_url

[bhalsodkhushal]

Same issue here. In localhost everything is working smoothly. How is this even possible?

[ferdezjuani]

Do u solved this? Facing the same issue.

[CPoffWebster]

it's most likely something wrong with your environment variables or auth setup

[ferdezjuani]

Something wrong here?

app/api/auth/[...nextauth]/route.ts

import User from "@/app/server/user/model";
import NextAuth from "next-auth";
import CredentialsProvider from "next-auth/providers/credentials";
import GoogleProvider from "next-auth/providers/google";
import bcrypt from "bcryptjs";
import dbConnect from "@/app/server/db-connect";

const handler = NextAuth({
  providers: [
    GoogleProvider({
      clientId: process.env.GOOGLE_CLIENT_ID as string,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
      authorization: {
        params: {
          prompt: "consent",
          access_type: "offline",
          response_type: "code"
        }
      }
    }),
    CredentialsProvider({
      name: "Credentials",
      id: "credentials",
      credentials: {
        email: { label: "Email", type: "text" },
        password: { label: "Password", type: "password" },
      },
      async authorize(credentials) {
        await dbConnect();
        const userFound = await User.findOne({
          email: credentials?.email,
        }).select("+password");

        if (!userFound) throw new Error("Invalid credentials");

        const passwordMatch = await bcrypt.compare(
          credentials!.password,
          userFound.password
        );

        if (!passwordMatch) throw new Error("Invalid credentials");

        return userFound;
      },
    }),
  ],
  session: {
    strategy: "jwt",
  },
  callbacks: {
    async jwt({ token, user }) {
      if (user) token.user = user;
      return token;
    },
    async session({ session, token }) {
      session.user = token.user as any;
      return session;
    },
  },
  secret: process.env.NEXTAUTH_SECRET as string,
});

export { handler as GET, handler as POST };

Vercel Enviroment Variables

[andreimacavei]

I had the same issue, getting error=OAuthSign because I didn't had the the /api/auth/callback/google set on the Authorized Redirect URL (https://example.com/api/auth/callback/google)

Now I'm not getting an error anymore, but after sign in I'm redirected to my "/" page instead of the one used in the signIn function

onst handleGoogleSignIn = async () => {
    const response = await signIn("google", {
      callbackUrl: "/dashboard/overview",
    });

Anyone have an idea why the sign in doesn't redirect to my callbackUrl but to my site domain?

[vidhanshu]

In mine case the issue was related to wrong postinstall script for prisma,
I figured out the logs in the vercel and I could find the issue

[next-auth][error][OAUTH_CALLBACK_HANDLER_ERROR] 
https://next-auth.js.org/errors#oauth_callback_handler_error 
Invalid `prisma.account.findUnique()` invocation:


The table `public.accounts` does not exist in the current database. PrismaClientKnownRequestError: 
Invalid `prisma.account.findUnique()` invocation:


The table `public.accounts` does not exist in the current database.
    at In.handleRequestError (/var/task/node_modules/@prisma/client/runtime/library.js:122:6854)
    at In.handleAndLogRequestError (/var/task/node_modules/@prisma/client/runtime/library.js:122:6188)
    at In.request (/var/task/node_modules/@prisma/client/runtime/library.js:122:5896)
    at async l (/var/task/node_modules/@prisma/client/runtime/library.js:127:10871)
    at async getUserByAccount (/var/task/.next/server/app/api/auth/[...nextauth]/route.js:1:2682) {
  name: 'GetUserByAccountError',
 
 code: 'P2021'
}

Then I just updated my postinstall script
"postinstall": "prisma generate" -> "postinstall": "prisma migrate deploy"

[mauriciopiber]

In my case I've wrongly copied the development credentials instead of production credentials. Remember that you should have separate credentials for development (http://localhost:3000) and production, so be aware of copy the correct one.

On the other side, I'm not sure in which level this errors messages can be improved to facilitate.