How to use with Steam openid

[Siljesc]

Your question
Steam uses OpenID 2.0 (older than OpenID Connect) and apparently is not supported by this library, so is there any way to make it work? If it's there no way to do it, Can I update the next-auth session if I authorize the user outside next-auth?

What are you trying to do
I want to let clients sign in with their steam account.

[iaincollins]

At a glace of the docs yes it should be possible to add Steam as a custom provider, even if it doesn't support OpenID! It would be great to add as a built-in provider.

It seems it returns ID, name and avatar in a fairly conventional way, but I think possibly not email - which isn't a problem and just means they won't be able to use email as a fallback to sign in.

There isn't a built in way to link them without doing this, though if you find it easier, you could create your own database table to store this info against the Users ID, and create a custom API endpoint that accesses the Users session (and look up the User ID from the session secure) and then returns information from that table, using the User ID as a key.

[Wolfleader101]

The docs you listed is not correct. That is strictly for steam partners, anyone else wishing to use steam login MUST youse openid 2.0

https://steamcommunity.com/dev

[Maykin-99]

I have the same issue and unfortunately this library does not support OpenID 2.0.
The docs, @iaincollins refers to, is exclusively for Steamworks Partners.
Those who aren't part of the Steamworks club need to use the Steam Web API and OpenID 2.0.

I forked this library, added a new type: "openid" and added a Steam Provider. It works for my use case. I'm not sure if the maintainers of next-auth are interested in supporting a legacy protocol, though.

[balazsorban44]

I am pretty sure we do not wish to ADD new support for legacy solutions. Would be interesting how you worked around the problem though. Do you have a link to your fork or information what needed to be changed? We are also in the process of converting to https://github.com/panva/node-openid-client as our underlying library, and I don't think they support OpenID 2.0 either.

[Wolfleader101]

I looked through old mates code, I couldn't see how he got openID 2.0 working.
I looked into some sites that use steam for login and managed to find some old openID 2.0 specs. Really all steam's OpenID does is direct you to their login, and once logged in, just provide the site with display name, pfp and steamid, it isn't too far off oAuth2, however it also does some things a bit differently.

openid connect is different to steams legacy openid 2.0.

[jonaslagoni]

@Maykin-99 code can be found here: Maykin-99@0dea894 @balazsorban44

As I too need this feature, do any of you see a way forward to support this, or am I stuck with a custom Next server? Anything I can do to help?

[THE-SIMPLE-MARK]

This would be an awesome thing to have included in next-auth. Even though it's legacy, Steam will probably not upgrade their login flow. Any chance we could have support for this? Maybe a separate repo that adds support for legacy login flows?

[modyabhi]

Even if openid is legacy it's highly unlikely steam is going to change anytime soon. Having support for it would be amazing.

[1337cookie]

There will be no word from Steam/Valve about updating their implementation. Valve is pretty notorious for leaving external APIs and things to get very stale unless it affects their internal team and they have a good track record of of not announcing anything (make no promises). SteamCMD is an example of their CLI where interacting with it programmatically is really nuanced and problematic.

I would love to see a Steam provider in NextAuth. For more than just SSO it lets you validate a steam user id which has applications for any game that uses steam networking. That means if you want to make a website that interacts with a game server this would be the way to go whether you're a game dev or someone hosting a custom game server or building custom mods for games and want to have a website display information from the game.

[Scarso327]

Big fact +1, Steam won't update their login protocol and it's a huge platform so allowing us to at least use it out of the box here would be most welcomed.

[dollannn]

@balazsorban44 Is this on hold currently or will we see this as a PR anytime soon?

[1337cookie]

I'm happy to work on this is if it's a possibility but I'll likely need some help with typing, catching edge cases and tests. Also happy to write up docs etc but would like to get some confirmation before I go ahead.
I suspect the team is probably quite busy at the moment with the change to Authjs.

[qbeauperin]

Just getting caught up on all the Steam-related discussions, do you all know if any progress been made on that front in the last 6+ months? 👀

[qwertyuiop6]

https://github.com/Nekonyx/next-auth-steam

[SacredAI]

So I ended up on this thread and after sadly not finding a solution that would let me stay up to date with next-auth I ended up manufacturing what can only be referred to as a very hacky use of allowing custom request functions for oauth provider.

It works for allowing a steam Login, although I don't know how safe it is.

It does require an Advanced setup as it needs access to the request.

`
const handler = async (req: NextApiRequest, res: NextApiResponse) => {

return await NextAuth(req, res, {
    // Configure one or more authentication providers
    providers: [
        {
            id: "steam",
            name: "Steam",
            type: "oauth",
            authorization: {
                url: "https://steamcommunity.com/openid/login",
                params: {
                    "openid.ns": "http://specs.openid.net/auth/2.0",
                    "openid.mode": "checkid_setup",
                    "openid.return_to": `${process.env.HOST_NAME}/api/v1/auth/callback/steam`,
                    "openid.realm": `${process.env.HOST_NAME}`,
                    "openid.identity": "http://specs.openid.net/auth/2.0/identifier_select",
                    "openid.claimed_id": "http://specs.openid.net/auth/2.0/identifier_select",
                }
            },
            token: {
                async request(ctx) {
                    const token_params = {
                        "openid.assoc_handle": req.query["openid.assoc_handle"],
                        "openid.signed": req.query["openid.signed"],
                        "openid.sig": req.query["openid.sig"],
                        "openid.ns": "http://specs.openid.net/auth/2.0",
                        "openid.mode": "check_authentication",
                    };
                    for (const val of req.query["openid.signed"].split(",")) {
                        //@ts-ignore
                        token_params[`openid.${val}`] = req.query[`openid.${val}`];
                    }
                    const token_url = new URL("https://steamcommunity.com/openid/login");
                    const token_url_params = new URLSearchParams(token_params);
                    //@ts-ignore
                    token_url.search = token_url_params;
                    const token_res = await fetch(token_url, {
                        method: "POST",
                        headers: {
                            "Accept-language": "en\r\n",
                            "Content-type": "application/x-www-form-urlencoded\r\n",
                            "Content-Length": `${token_url_params.toString().length}\r\n`,
                        },
                        body: token_url_params.toString(),
                    });
                    const result = await token_res.text();
                    if (result.match(/is_valid\s*:\s*true/i)) {
                        let matches = req.query["openid.claimed_id"].match(
                            /^https:\/\/steamcommunity.com\/openid\/id\/([0-9]{17,25})/
                        );
                        const steamid = matches[1].match(/^-?\d+$/) ? matches[1] : 0;
                        const tokenset = new TokenSet({
                            id_token: uuidv4(),
                            access_token: uuidv4(),
                            steamid: steamid,
                        });
                        return { tokens: tokenset };
                    } else {
                        return { tokens: new TokenSet({}) };
                    }
                },
            },
            userinfo: {
                async request(ctx) {
                    const user_result = await fetch(
                        `https://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key=${ctx.provider.clientSecret}&steamids=${ctx.tokens.steamid}`
                    );
                    const json = await user_result.json();
                    return json.response.players[0];
                },
            },
            idToken: false,
            checks: ["none"],
            profile(profile: any) {
                return {
                    id: profile.steamid,
                    image: profile.avatarfull,
                    name: profile.personaname,
                };
            },
            clientId: "whateveryouwant",
            clientSecret: process.env.STEAM_API,
        }
    ],
})

}

export default handler;
`

HOST_NAME is something like https://www.example.com
STEAM_API is your steam API Key

I Hope someone finds some use for this and I wholeheartedly hope support for steam is added natively to next auth in the future!

[coldino]

When I try this today I get the error:

[auth][error][InvalidEndpoints]: Provider "steam" is missing both `issuer` and `authorization` endpoint config. At least one of them is required.. Read more at https://errors.authjs.dev#invalidendpoints

If I give it an issuer to bypass the check it progresses a little. User is sent to Steam to authenticate then returns to the callback with all the expected openid.* values, but immediately errors in handlOAuth without touching the custom token endpoint:

[auth][error][CallbackRouteError]: Read more at https://errors.authjs.dev#callbackrouteerror
[auth][cause]: OperationProcessingError: no authorization code in "callbackParameters"
    at Module.authorizationCodeGrantRequest (file:///D:/Work/Dev/sveltekit-auth-db-tmpl/node_modules/.pnpm/[email protected]/node_modules/oauth4webapi/build/index.js:963:15)
    at handleOAuth (file:///D:/Work/Dev/sveltekit-auth-db-tmpl/node_modules/.pnpm/@[email protected]/node_modules/@auth/core/lib/oauth/callback.js:63:37)
    at async Module.callback (file:///D:/Work/Dev/sveltekit-auth-db-tmpl/node_modules/.pnpm/@[email protected]/node_modules/@auth/core/lib/routes/callback.js:14:41)        
    at async AuthInternal (file:///D:/Work/Dev/sveltekit-auth-db-tmpl/node_modules/.pnpm/@[email protected]/node_modules/@auth/core/lib/index.js:64:38)
    at async Proxy.Auth (file:///D:/Work/Dev/sveltekit-auth-db-tmpl/node_modules/.pnpm/@[email protected]/node_modules/@auth/core/index.js:100:30)
    at async Module.respond (/node_modules/.pnpm/@[email protected][email protected][email protected]/node_modules/@sveltejs/kit/src/runtime/server/respond.js:248:20)
    at async file:///D:/Work/Dev/sveltekit-auth-db-tmpl/node_modules/.pnpm/@[email protected][email protected][email protected]/node_modules/@sveltejs/kit/src/exports/vite/dev/index.js:500:22

I'm struggling to see how this could work given the OAuth codepath seems to be so hardcoded in the core. Am I missing something or is this not possible anymore?

[SacredAI]

When I try this today I get the error:

[auth][error][InvalidEndpoints]: Provider "steam" is missing both `issuer` and `authorization` endpoint config. At least one of them is required.. Read more at https://errors.authjs.dev#invalidendpoints

If I give it an issuer to bypass the check it progresses a little. User is sent to Steam to authenticate then returns to the callback with all the expected openid.* values, but immediately errors in handlOAuth without touching the custom token endpoint:

[auth][error][CallbackRouteError]: Read more at https://errors.authjs.dev#callbackrouteerror
[auth][cause]: OperationProcessingError: no authorization code in "callbackParameters"
    at Module.authorizationCodeGrantRequest (file:///D:/Work/Dev/sveltekit-auth-db-tmpl/node_modules/.pnpm/[email protected]/node_modules/oauth4webapi/build/index.js:963:15)
    at handleOAuth (file:///D:/Work/Dev/sveltekit-auth-db-tmpl/node_modules/.pnpm/@[email protected]/node_modules/@auth/core/lib/oauth/callback.js:63:37)
    at async Module.callback (file:///D:/Work/Dev/sveltekit-auth-db-tmpl/node_modules/.pnpm/@[email protected]/node_modules/@auth/core/lib/routes/callback.js:14:41)        
    at async AuthInternal (file:///D:/Work/Dev/sveltekit-auth-db-tmpl/node_modules/.pnpm/@[email protected]/node_modules/@auth/core/lib/index.js:64:38)
    at async Proxy.Auth (file:///D:/Work/Dev/sveltekit-auth-db-tmpl/node_modules/.pnpm/@[email protected]/node_modules/@auth/core/index.js:100:30)
    at async Module.respond (/node_modules/.pnpm/@[email protected][email protected][email protected]/node_modules/@sveltejs/kit/src/runtime/server/respond.js:248:20)
    at async file:///D:/Work/Dev/sveltekit-auth-db-tmpl/node_modules/.pnpm/@[email protected][email protected][email protected]/node_modules/@sveltejs/kit/src/exports/vite/dev/index.js:500:22

I'm struggling to see how this could work given the OAuth codepath seems to be so hardcoded in the core. Am I missing something or is this not possible anymore?

I've never used this with anything other than next auth I'm unaware of the differences between svelte and next.
From your first error tho it seems like you've misconfigured it, as the authorization endpoint should be there with all the values

[Nekonyx]

I kinda got inspired by your code, so made next-auth-steam: https://github.com/Nekonyx/next-auth-steam

[qwertyuiop6]

I kinda got inspired by your code, so made next-auth-steam: https://github.com/Nekonyx/next-auth-steam

Looks good, does it support app/ routing?

[Nekonyx]

I kinda got inspired by your code, so made next-auth-steam: https://github.com/Nekonyx/next-auth-steam

Looks good, does it support app/ routing?

I'm unsure cause I didn't touch app/ yet.

[3lang3]

If Provider is not available now, I hope to see an informal example of steam docking to solve the urgent needs.👀

[tenub]

This is still unsolved in both v4 and v5 (beta).

OperationProcessingError: no authorization code in "callbackParameters"