[Bug] next-auth fetch failed with third auth provider

[alwqx]

📦 部署环境

Docker

📌 软件版本

v1.15.18

💻 系统环境

Ubuntu

🌐 浏览器

Chrome, Safari

🐛 问题描述

env

lobechat database with third auth provider: auth0, cloudflare-zero-trust.

problem

when click login, will throw error:

$ docker compose logs -f lobechat-db
lobe  | [Database] Start to migration...
lobe  | ✅ database migration pass.
lobe  | -------------------------------------
lobe  |   ▲ Next.js 14.2.8
lobe  |   - Local:        http://localhost:3210
lobe  |   - Network:      http://0.0.0.0:3210
lobe  |
lobe  |  ✓ Starting...
lobe  |  ✓ Ready in 45ms
lobe  | [auth][error] TypeError: fetch failed
lobe  |     at node:internal/deps/undici/undici:13178:13
lobe  |     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
lobe  |     at async ia (/app/.next/server/chunks/76974.js:357:40645)
lobe  |     at async ic (/app/.next/server/chunks/76974.js:357:43280)
lobe  |     at async ip (/app/.next/server/chunks/76974.js:357:45913)
lobe  |     at async im (/app/.next/server/chunks/76974.js:357:49748)
lobe  |     at async /app/node_modules/.pnpm/[email protected]_@[email protected][email protected]__@[email protected][email protected]._itjmu72s7n7tov6po6nkhcdpya/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
lobe  |     at async eC.execute (/app/node_modules/.pnpm/[email protected]_@[email protected][email protected]__@[email protected][email protected]._itjmu72s7n7tov6po6nkhcdpya/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
lobe  |     at async eC.handle (/app/node_modules/.pnpm/[email protected]_@[email protected][email protected]__@[email protected][email protected]._itjmu72s7n7tov6po6nkhcdpya/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:38186)
lobe  |     at async doRender (/app/node_modules/.pnpm/[email protected]_@[email protected][email protected]__@[email protected][email protected]._itjmu72s7n7tov6po6nkhcdpya/node_modules/next/dist/server/base-server.js:1359:42)
lobe  | [NextAuth] Error: {
lobe  |   cause: 'Configuration',
lobe  |   message: 'Wrong configuration, make sure you have the correct environment variables set. Visit https://lobehub.com/docs/self-hosting/advanced/authentication for more details.',
lobe  |   name: 'NextAuth Error'
lobe  | }

📷 复现步骤

lobechat database with auth0,cloudflare-zero-trust auth.

detaild see video:

lobedb-auth-error.mov

🚦 期望结果

I think this may be caused by network timeout config.

when click cloudflare-zero-trust, lohechat will fetch something from cloudfalre but failed. May be we can set fetch timeout to a longer value such as 5s.

📝 补充信息

No response

[lobehubbot]

👀 @alwqx

Thank you for raising an issue. We will investigate into the matter and get back to you as soon as possible.
Please make sure you have given us as much context as possible.
非常感谢您提交 issue。我们会尽快调查此事，并尽快回复您。 请确保您已经提供了尽可能多的背景信息。

[dosubot[bot]]

Hey, @alwqx! I'm here to help you with any bugs, questions, or contributions you have. Let's get this issue sorted out!

To resolve the fetch failed error with next-auth when using third-party auth providers like Auth0 and Cloudflare Zero Trust in a Docker-deployed environment, ensure that the environment variables for the Cloudflare Zero Trust provider are correctly set. These variables include CLOUDFLARE_ZERO_TRUST_CLIENT_ID, CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET, and CLOUDFLARE_ZERO_TRUST_ISSUER.

Here is the relevant code snippet for setting up the Cloudflare Zero Trust provider:

import type { OIDCConfig } from '@auth/core/providers';

import { authEnv } from '@/config/auth';

import { CommonProviderConfig } from './sso.config';

export type CloudflareZeroTrustProfile = {
  email: string;
  name: string;
  sub: string;
};

const provider = {
  id: 'cloudflare-zero-trust',
  provider: {
    ...CommonProviderConfig,
    authorization: { params: { scope: 'openid email profile' } },
    checks: ['state', 'pkce'],
    clientId: authEnv.CLOUDFLARE_ZERO_TRUST_CLIENT_ID,
    clientSecret: authEnv.CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET,
    id: 'cloudflare-zero-trust',
    issuer: authEnv.CLOUDFLARE_ZERO_TRUST_ISSUER,
    name: 'Cloudflare Zero Trust',
    profile(profile) {
      return {
        email: profile.email,
        name: profile.name ?? profile.email,
        providerAccountId: profile.sub,
      };
    },
    type: 'oidc',
  } satisfies OIDCConfig<CloudflareZeroTrustProfile>,
};

export default provider;

Ensure that these environment variables are correctly configured in your Docker environment. You can set them in your Dockerfile or docker-compose.yml file as follows:

Dockerfile:

ENV CLOUDFLARE_ZERO_TRUST_CLIENT_ID=your_client_id
ENV CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET=your_client_secret
ENV CLOUDFLARE_ZERO_TRUST_ISSUER=your_issuer

docker-compose.yml:

version: '3.8'
services:
  app:
    image: your_image
    environment:
      - CLOUDFLARE_ZERO_TRUST_CLIENT_ID=your_client_id
      - CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET=your_client_secret
      - CLOUDFLARE_ZERO_TRUST_ISSUER=your_issuer

Make sure to replace your_client_id, your_client_secret, and your_issuer with the actual values from your Cloudflare Zero Trust setup.

Additionally, ensure that your auth.ts configuration file includes the necessary environment variables for Cloudflare Zero Trust:

export const getAuthConfig = () => {
  return createEnv({
    client: {
      NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: z.string().optional(),
      NEXT_PUBLIC_ENABLE_CLERK_AUTH: z.boolean().optional(),
      NEXT_PUBLIC_ENABLE_NEXT_AUTH: z.boolean().optional(),
    },
    server: {
      CLERK_SECRET_KEY: z.string().optional(),
      CLERK_WEBHOOK_SECRET: z.string().optional(),
      NEXT_AUTH_SECRET: z.string().optional(),
      NEXT_AUTH_SSO_PROVIDERS: z.string().optional().default('auth0'),
      AUTH0_CLIENT_ID: z.string().optional(),
      AUTH0_CLIENT_SECRET: z.string().optional(),
      AUTH0_ISSUER: z.string().optional(),
      GITHUB_CLIENT_ID: z.string().optional(),
      GITHUB_CLIENT_SECRET: z.string().optional(),
      AZURE_AD_CLIENT_ID: z.string().optional(),
      AZURE_AD_CLIENT_SECRET: z.string().optional(),
      AZURE_AD_TENANT_ID: z.string().optional(),
      AUTHENTIK_CLIENT_ID: z.string().optional(),
      AUTHENTIK_CLIENT_SECRET: z.string().optional(),
      AUTHENTIK_ISSUER: z.string().optional(),
      AUTHELIA_CLIENT_ID: z.string().optional(),
      AUTHELIA_CLIENT_SECRET: z.string().optional(),
      AUTHELIA_ISSUER: z.string().optional(),
      CLOUDFLARE_ZERO_TRUST_CLIENT_ID: z.string().optional(),
      CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET: z.string().optional(),
      CLOUDFLARE_ZERO_TRUST_ISSUER: z.string().optional(),
      GENERIC_OIDC_CLIENT_ID: z.string().optional(),
      GENERIC_OIDC_CLIENT_SECRET: z.string().optional(),
      GENERIC_OIDC_ISSUER: z.string().optional(),
      ZITADEL_CLIENT_ID: z.string().optional(),
      ZITADEL_CLIENT_SECRET: z.string().optional(),
      ZITADEL_ISSUER: z.string().optional(),
      LOGTO_CLIENT_ID: z.string().optional(),
      LOGTO_CLIENT_SECRET: z.string().optional(),
      LOGTO_ISSUER: z.string().optional(),
    },
    runtimeEnv: {
      NEXT_PUBLIC_ENABLE_CLERK_AUTH: !!process.env.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY,
      NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: process.env.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY,
      CLERK_SECRET_KEY: process.env.CLERK_SECRET_KEY,
      CLERK_WEBHOOK_SECRET: process.env.CLERK_WEBHOOK_SECRET,
      NEXT_PUBLIC_ENABLE_NEXT_AUTH: !!process.env.NEXT_AUTH_SECRET,
      NEXT_AUTH_SSO_PROVIDERS: process.env.NEXT_AUTH_SSO_PROVIDERS,
      NEXT_AUTH_SECRET: process.env.NEXT_AUTH_SECRET,
      AUTH0_CLIENT_ID: process.env.AUTH0_CLIENT_ID,
      AUTH0_CLIENT_SECRET: process.env.AUTH0_CLIENT_SECRET,
      AUTH0_ISSUER: process.env.AUTH0_ISSUER,
      GITHUB_CLIENT_ID: process.env.GITHUB_CLIENT_ID,
      GITHUB_CLIENT_SECRET: process.env.GITHUB_CLIENT_SECRET,
      AZURE_AD_CLIENT_ID: process.env.AZURE_AD_CLIENT_ID,
      AZURE_AD_CLIENT_SECRET: process.env.AZURE_AD_CLIENT_SECRET,
      AZURE_AD_TENANT_ID: process.env.AZURE_AD_TENANT_ID,
      AUTHENTIK_CLIENT_ID: process.env.AUTHENTIK_CLIENT_ID,
      AUTHENTIK_CLIENT_SECRET: process.env.AUTHENTIK_CLIENT_SECRET,
      AUTHENTIK_ISSUER: process.env.AUTHENTIK_ISSUER,
      AUTHELIA_CLIENT_ID: process.env.AUTHELIA_CLIENT_ID,
      AUTHELIA_CLIENT_SECRET: process.env.AUTHELIA_CLIENT_SECRET,
      AUTHELIA_ISSUER: process.env.AUTHELIA_ISSUER,
      CLOUDFLARE_ZERO_TRUST_CLIENT_ID: process.env.CLOUDFLARE_ZERO_TRUST_CLIENT_ID,
      CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET: process.env.CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET,
      CLOUDFLARE_ZERO_TRUST_ISSUER: process.env.CLOUDFLARE_ZERO_TRUST_ISSUER,
      GENERIC_OIDC_CLIENT_ID: process.env.GENERIC_OIDC_CLIENT_ID,
      GENERIC_OIDC_CLIENT_SECRET: process.env.GENERIC_OIDC_CLIENT_SECRET,
      GENERIC_OIDC_ISSUER: process.env.GENERIC_OIDC_ISSUER,
      ZITADEL_CLIENT_ID: process.env.ZITADEL_CLIENT_ID,
      ZITADEL_CLIENT_SECRET: process.env.ZITADEL_CLIENT_SECRET,
      ZITADEL_ISSUER: process.env.ZITADEL_ISSUER,
      LOGTO_CLIENT_ID: process.env.LOGTO_CLIENT_ID,
      LOGTO_CLIENT_SECRET: process.env.LOGTO_CLIENT_SECRET,
      LOGTO_ISSUER: process.env.LOGTO_ISSUER,
    },
  });
};

export const authEnv = getAuthConfig();

Additional Steps for Cloudflare Zero Trust Configuration

1. Create an Application in Cloudflare Zero Trust:

   • Visit https://one.dash.cloudflare.com/ and navigate to Access - Applications.
   • Click Add an application and select SaaS.
   • Fill in the application name (e.g., LobeChat SSO), select OIDC, and click Add application.
   • In Redirect URLs, enter https://chat.example.com/api/auth/callback/cloudflare-zero-trust (replace chat.example.com with your instance address).
   • Record the Client secret, Client ID, and Issuer for later use.

2. Set Environment Variables:

   • Configure the following environment variables in your Docker environment:
     • NEXT_AUTH_SECRET: Key for encrypting Auth.js session tokens.
     • NEXT_AUTH_SSO_PROVIDERS: Set to cloudflare-zero-trust.
     • CLOUDFLARE_ZERO_TRUST_CLIENT_ID: Your Cloudflare Zero Trust Client ID.
     • CLOUDFLARE_ZERO_TRUST_CLIENT_SECRET: Your Cloudflare Zero Trust Client secret.
     • CLOUDFLARE_ZERO_TRUST_ISSUER: Your Cloudflare Zero Trust Issuer.
     • NEXTAUTH_URL (optional): Specify the callback URL for OAuth verification if the default is incorrect.

By following these steps, you can ensure that your environment variables are correctly configured, which should resolve the fetch failed error with next-auth in a Docker-deployed environment. For more detailed instructions, you can refer to the LobeChat documentation on configuring Cloudflare Zero Trust ^[1][2][3][4].

To continue talking to Dosu, mention @dosu.

[cy948]

If your server located in mainland China, you will get this networking problem.

[arvinxx]

you can try with PROXY_URL

[alwqx]

Thank you! set PROXY_URL works for me. And I find the docs of PROXY_URL in Lobe Docs-Environments.

[lobehubbot]

✅ @alwqx

This issue is closed, If you have any questions, you can comment and reply.
此问题已经关闭。如果您有任何问题，可以留言并回复。

[alwqx]

@arvinxx Hi, set PROXY_URL helps solve one problem. But get bellow error with postgres after auth in auth0:

I use pgvector/pgvector:pg15 docker image

[Database] Start to migration...
✅ database migration pass.
-------------------------------------
  ▲ Next.js 14.2.8
  - Local:        http://localhost:3210
  - Network:      http://0.0.0.0:3210

 ✓ Starting...
 ✓ Ready in 46ms
[auth][error] AdapterError: Read more at https://errors.authjs.dev#adaptererror
[auth][cause]: Error: Connection terminated unexpectedly
    at /app/node_modules/.pnpm/[email protected][email protected]/node_modules/pg-pool/index.js:45:11
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /app/.next/server/chunks/57614.js:16:11989
    at async getUserByAccount (/app/.next/server/app/api/auth/[...nextauth]/route.js:1:3597)
    at async r.<computed> (/app/.next/server/chunks/76974.js:1:42082)
    at async ir (/app/.next/server/chunks/76974.js:357:34268)
    at async ip (/app/.next/server/chunks/76974.js:357:45375)
    at async im (/app/.next/server/chunks/76974.js:357:49748)
    at async /app/node_modules/.pnpm/[email protected]_@[email protected][email protected]__@[email protected][email protected]._itjmu72s7n7tov6po6nkhcdpya/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
    at async eC.execute (/app/node_modules/.pnpm/[email protected]_@[email protected][email protected]__@[email protected][email protected]._itjmu72s7n7tov6po6nkhcdpya/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
[auth][details]: {}
[auth][error] AdapterError: Read more at https://errors.authjs.dev#adaptererror
[auth][cause]: Error: Connection terminated unexpectedly
    at /app/node_modules/.pnpm/[email protected][email protected]/node_modules/pg-pool/index.js:45:11
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /app/.next/server/chunks/57614.js:16:11989
    at async getUserByAccount (/app/.next/server/app/api/auth/[...nextauth]/route.js:1:3597)
    at async r.<computed> (/app/.next/server/chunks/76974.js:1:42082)
    at async ir (/app/.next/server/chunks/76974.js:357:34268)
    at async ip (/app/.next/server/chunks/76974.js:357:45375)
    at async im (/app/.next/server/chunks/76974.js:357:49748)
    at async /app/node_modules/.pnpm/[email protected]_@[email protected][email protected]__@[email protected][email protected]._itjmu72s7n7tov6po6nkhcdpya/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
    at async eC.execute (/app/node_modules/.pnpm/[email protected]_@[email protected][email protected]__@[email protected][email protected]._itjmu72s7n7tov6po6nkhcdpya/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
[auth][details]: {}
[NextAuth] Error: {
  cause: 'Configuration',
  message: 'Wrong configuration, make sure you have the correct environment variables set. Visit https://lobehub.com/docs/self-hosting/advanced/authentication for more details.',
  name: 'NextAuth Error'
}