Please help me with Next authentication issue

[DavidLamos]

I'm wondering how I can use NEXT_AUTH, for example, if the end user logs into the frontend app using Google provider, how can I use NEXT_AUTH on the frontend to call the API on app (2) and use the same credentials.

I guess in this case I should persist the user and share the same mongoDB database for the user, but I have a feeling it won't be that simple.

[venuswhispers]

The solution i have found is to sign the JWT with an asymmetric key and then share the PUBLIC KEY with the other APIS this way I can verify the information was signed by my server ( jwt issuer which holds the private key ).

There is a need to override the encode / decode methods for JWT on next-auth in order to use RS256 instead of the default algorithm.

From that point I would be able to send the encrypted JWT token to another HTTP API ( via HTTP HEADER ) and verify it on the HTTP API which will only need to know the PUBLIC KEY in order to verify the signature ( the private key never leaves my jwt issuing environment ) thus being able to verify the signature even if offline ( i.e. no extra http requests are needed ).

Some related read can be done here:

https://github.com/auth0/node-jsonwebtoken
https://auth0.com/blog/navigating-rs256-and-jwks/
On a side note nextauthjs/next-auth#3150 (comment) explains the expected behaviour from his point of view but unfortunately the implementation is not clear to me, the solution above is the most secure and straight forward i have found so far.

Please let me know your thoughts, i'm wondering which other alternative implementations could be used here and if the implementation i'm suggesting has any flaws.

You can check this another github discussion here
nextauthjs/next-auth#5603

[DavidLamos]

Look good, thanks