+3
We Are trying to implement a Plugin using the Google Sign Button. The problem is however that the sign does not work because Google is trying to open a new window. That of course doesn't work in the plug-in within the Front app.
Hence, my question is if anyone else has built such an integration and how did they manage to integrate Google sign in within the Front app plugin?
Best answer by xdmnl
View original
+7
Hi
Let us know if you have questions!
+3
Thanks this got the Login to work at least but how can I set cookies in the front app then for my auth? I am using next-auth with the google sign in…
Right now I can signin in the popup but then in my plugin I am still not logged in. I guess its because it is not acually setting the auth cookies correctly
+7
I put together a basic demo app using Next.js (though not next-auth) recently which sets cookies via Server Actions - https://github.com/dugjason/nextjs-front-plugin-with-cookie
Importantly you should ensure you’re setting a partioned cookie to comply with upcoming browser privacy proposals (see this post for details), as well as setting samesite: ‘none’ and secure: true.
It looks like next-auth allows for you to send custom instructions to be used when creating cookies (see next-auth docs). I believe sending something like the following in your next-auth config should work;
...
{
...
cookies: {
sameSite: 'none',
secure: true,
partitioned: true,
}
}Looking forward to hearing how that goes 🤞
+3
Thanks to me it is still not clear how it works with cookies across multiples domains.
I have this signin logic:
import { useFrontContext } from "@/providers/frontContext";
import { signIn, useSession } from "next-auth/react";
import { useRouter } from "next/router";
export default function Login() {
const { data, status } = useSession();
console.log("session", data, status);
const router = useRouter();
const context = useFrontContext();
const handleSignIn = () => {
if (context) {
context.openUrlInPopup(
"http://localhost:3000/api/auth/signin/google",
{}
);
} else {
signIn("google", { callbackUrl: "/offers" });
}
};
if (status === "authenticated") {
router.push("/youAreLoggedIn");
}
return (
<>
<button
onClick={() => handleSignIn()}
className="text-sm font-semibold leading-6"
>
Google
</button>
</>
);
}
Then when I click on the button it opens a new tab (when I am opening in the front app), and I get redirected to the API endpoint via this /api endpoint in nextjs:
import NextAuth, { AuthOptions } from "next-auth";
import GoogleProvider from "next-auth/providers/google";
export const authOptions: AuthOptions = {
providers: [
GoogleProvider({
clientId: process.env.GOOGLE_ID as string,
clientSecret: process.env.GOOGLE_SECRET as string,
}),
],
session: {
strategy: "jwt",
},
};
export default NextAuth(authOptions);
However then I can see that the next-auth tokens are set correctly in the localhost:3000 Cookie tab under the Applications in Dev Tools but I cannot see them in my frontapp.com cookie tab and I do not know how this cross website auth could possbily work
Can anyone support here what I might be missing?
+3
Thanks to me it is still not clear how it works with cookies across multiples domains.
I have this signin logic:
import { useFrontContext } from "@/providers/frontContext";
import { signIn, useSession } from "next-auth/react";
import { useRouter } from "next/router";
export default function Login() {
const { data, status } = useSession();
console.log("session", data, status);
const router = useRouter();
const context = useFrontContext();
const handleSignIn = () => {
if (context) {
context.openUrlInPopup(
"http://localhost:3000/api/auth/signin/google",
{}
);
} else {
signIn("google", { callbackUrl: "/offers" });
}
};
if (status === "authenticated") {
router.push("/youAreLoggedIn");
}
return (
<>
<button
onClick={() => handleSignIn()}
className="text-sm font-semibold leading-6"
>
Google
</button>
</>
);
}
Then when I click on the button it opens a new tab (when I am opening in the front app), and I get redirected to the API endpoint via this /api endpoint in nextjs:
import NextAuth, { AuthOptions } from "next-auth";
import GoogleProvider from "next-auth/providers/google";
export const authOptions: AuthOptions = {
providers: [
GoogleProvider({
clientId: process.env.GOOGLE_ID as string,
clientSecret: process.env.GOOGLE_SECRET as string,
}),
],
session: {
strategy: "jwt",
},
};
export default NextAuth(authOptions);
However then I can see that the next-auth tokens are set correctly in the localhost:3000 Cookie tab under the Applications in Dev Tools but I cannot see them in my frontapp.com cookie tab and I do not know how this cross website auth could possbily work
Can anyone support here what I might be missing?
+3
I mean I cannot possibly be the first one to ever implement google auth in a front plugin?
+3
Sorry my previous answer has not been accepted by the admins of this forum yet. My last post seems a bit out of context now
+8
Sorry
+3
Does anyone have a clue? Basically I am looking for a working example of embedding an iframe including Google Auth ideally via next-auth in react.
I manage to open the auth in a new tab but then the cookies are not written correctly back to front so that my auth session claims I am not logged in...
+3
So what works:
I can also see in the other Cookie tab of Front that my front_id etc are set coorectly.
The problem is: When I come back to my plugin in front it shows me the “Sign in with google” button again, because it does not find the session because it is stored in the localhost cookie tab.
I am not sure what to do here.
+7
Hi
This is the recommended solution because it is completely transparent for the end-user.
Alternatively, your plugin can use the Storage Access API to ask the user permission to use third-party cookies.
+3
I have been trying for weeks now: I manage to implement the tool so I can use it in front via iFrame and google Auth but now I cannot use it in a regular browser anymore because the cookies are not set securely via the popup window to the parent. I have spent countless hours trying to fix this. It is incredibly frustrating and delaying our deployment since weeks now….
In Chrome my App only runs if the next-auth.session-key is set with a “__Secure-….” in front of it. If I do this however, then my Front App wont pass my auth anymore because it expects it differently.
So either one works (Front Integration) or my Browser….
Below my authOptions:
import { NextAuthOptions } from "next-auth";
import GoogleProvider from "next-auth/providers/google";
const cookieOptions = {
httpOnly: true,
partitioned: true,
sameSite: "none" as "none",
secure: true,
path: "/",
};
export const authOptions: NextAuthOptions = {
secret: process.env.NEXTAUTH_SECRET,
// Configure one or more authentication providers
providers: [
GoogleProvider({
clientId: process.env.AUTH_GOOGLE_ID as string,
clientSecret: process.env.AUTH_GOOGLE_SECRET as string,
}),
],
// Update cookie options to be secure and sameSite: 'none' and partioned
cookies: {
sessionToken: {
name: `next-auth.session-token`,
options: cookieOptions,
},
callbackUrl: {
name: `next-auth-callback-url`,
options: cookieOptions,
},
csrfToken: {
name: `next-auth.csrf-token`,
options: cookieOptions,
},
pkceCodeVerifier: {
name: `next-auth.pkce.code_verifier`,
options: cookieOptions,
},
},
};
Then my middleware:
import { authOptions } from "@/lib/auth/auth-options";
import withAuth from "next-auth/middleware";
export default withAuth({
jwt: { decode: authOptions.jwt?.decode },
callbacks: {
authorized: ({ token }) => !!token,
},
pages: {
signIn: "/signin",
error: "/error",
},
});
export const config = { matcher: ["/", "/offers", "/offer/:path"] };
And my API route in Next JS:
import NextAuth from "next-auth";
import { authOptions } from "@/lib/auth/auth-options";
const handler = NextAuth(authOptions);
export { handler as GET, handler as POST };
This issue is incredibly time consuming on our end. I do not really understand how Front does not have this (Provider OAuth) out of the box? Our internal stakeholders are waiting since weeks for this feature and we simply cannot release it because of this auth topic
+7
Hi
I’ll re-share that repo and a hosted example where it works both in-browser and in Front:
I’m seeing it logs in successfully, and will allow you to access a /secure page only when logged in.
Something to note about Front plugins is that they are best built as a single-page app, and use states (rather than pages/paths) to alter that’s being shown to the user. Given that Front plugins are typically designed with a “mobile-first” layout given the small max-width, we often find developers will add a separate page to their app for the Front plugin, and render components as needed in the smaller viewport.
+3
Thanks for sharing this. I seriously copied everything 1:1. When I click on “Sign In” in my app it redirects me immediately to /api/auth/signin?csrf=true and just shows me the sign in with google button - on click on the button nothing happens at all…
I seriously checked each file 100 times and just copied them from your repo… 😅
But I do agree: Your example works fine. Could it be that my Google Auth is wrongly configured?! But I cant really believe this, it worked fine before
+7
So when initiating a sign-in in my version, we use an onclick handler (see code) to open a new window containing this page where the user clicks to start the auth process (but the plugin page remains unchanged).
I think what might be happening for you is that the user is being redirected to the login auth page inside the iframe. They then click sign in, the OAuth popup window opens and they start the auth flow, but it can’t update the page rendered in the iframe, so you get stuck at this point.
I hope that helps unblock you! 🤞
+3
Thanks I copied all of that over, I replaced all successive components with your code: I end up at the weird Google Sign In button that does nothing… I will have to take yet another look tomorrow morning, I think it might also be some .env or Google Config stuff. But I doubt it since this already worked before
+3
I just cloned and replicated your repo and it works fine on my machine. there is some difference somewhere I will try to find tomorrow. Thanks again for all the support
+7
Just sharing a screenshot from my Google OAuth console to show how I configured the origin/redirect URL for the hosted app;
+3
Thanks for sharing! Funny enough, if I clone the current repo, add my .env file and Click on SIgn In in Chrome I get the same issue as I do currently. I even removed and cloned your repo again. This is incredibly weird. It is in Chrome and Brave though
+3
Ok this was wild but I got it now: The problem was with security of local vs prod and the including __Secure- prefix. I am setting an env in prod now like so:
const productionPrefix = process.env.AUTH_REQUIREMENT === "PRODUCTION" ? "__Secure-" : "";
And then my cookies like so:
cookies: {
sessionToken: {
name: `${productionPrefix}next-auth.session-token`,
options: cookieOptions,
},
…
}
This finally got it to work in both prod as well as local.
It should be alright security wise I guess since it is all server side.
+7
Great to hear you got it working! 🚀
No account yet? Create an account
Enter your username or e-mail address. We'll send you an e-mail with instructions to reset your password.