As soon as the user clicks Sign in with GitHub in T&T Admin, a sequence of requests and responses is exchanged. This document attempts to describe them all.
First, to check that GitHub and Email/Password are available providers, the following request is sent:
```http
GET /api/auth/providers HTTP/1.1
Host: 127.0.0.1:3000
```
Next, a CSRF token is fetched with the following request:
```http
GET /api/auth/csrf HTTP/1.1
Host: 127.0.0.1:3000
```
This sets the following cookie:
| Cookie | Value |
|---|---|
| next-auth.csrf-token | A long, random value |
The sign-in POST that starts the GitHub OAuth flow looks like the following (the csrfToken in the body must match the next-auth.csrf-token cookie):
```http
POST /api/auth/signin/github? HTTP/1.1
Host: 127.0.0.1:3000
Content-Type: application/x-www-form-urlencoded
Cookie: next-auth.csrf-token=<THE_CSRF_TOKEN>;

csrfToken=<THE_CSRF_TOKEN>&callbackUrl=<THE_CALLBACK_URL>&json=true
```
…and generates the following response:
```http
HTTP/1.1 200 OK
Set-Cookie: next-auth.callback-url=<THE_CALLBACK_URL>; Path=/; HttpOnly; SameSite=Lax
Set-Cookie: next-auth.state=<NEXTAUTH_STATE>; Max-Age=900; Path=/; Expires=Mon, 07 Aug 2023 19:45:44 GMT; HttpOnly; SameSite=Lax
Content-Type: application/json; charset=utf-8

{"url":"https://github.com/login/oauth/authorize?client_id=<THE_CLIENT_ID>&scope=repo%20user%3Aemail&response_type=code&redirect_uri=<THE_REDIRECT_URI>&state=<THE_STATE>"}
```
Exactly the same URL that we got from the previous response is used when making the request to GitHub. The user then signs in if needed and thereafter accepts the OAuth 2.0 app.
To send the generated code back to our service, GitHub redirects the browser to the redirect_uri from that URL, and the following request is made:
```http
GET /api/auth/callback/github?code=<THE_CODE>&state=<THE_STATE> HTTP/1.1
Host: 127.0.0.1:3000
Cookie: next-auth.csrf-token=<THE_CSRF_TOKEN>; next-auth.callback-url=<THE_CALLBACK_URL>; next-auth.state=<THE_STATE>
```
In the response to this callback request, the next-auth.state cookie is cleared (the state query parameter must have matched it) and a next-auth.session-token cookie is set.
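The two checks that make this flow safe are the CSRF double-submit on the sign-in POST and the state binding on the callback. The following Python is an added example written for this page, not NextAuth's or T&T Admin's own code: it models both checks over constructed request strings shaped like the ones above. The `token|sha256(token + secret)` layout of the csrf-token cookie and the `SECRET` value are assumptions, as are the sample code and state values.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Hypothetical server secret (NextAuth derives its CSRF hash from NEXTAUTH_SECRET).
SECRET = "constructed-example-secret-not-a-real-key"


def issue_csrf_cookie(secret: str = SECRET) -> str:
    """Build a value for next-auth.csrf-token as '<token>|<sha256(token + secret)>'.
    The token|hash layout is assumed to follow NextAuth's double-submit scheme."""
    token = secrets.token_hex(32)
    digest = hashlib.sha256((token + secret).encode()).hexdigest()
    return f"{token}|{digest}"


def parse_cookie_header(header: str) -> dict:
    """Split a Cookie header such as 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def csrf_token_is_valid(cookie_value: str, submitted: str, secret: str = SECRET) -> bool:
    """Double-submit check for POST /api/auth/signin/github: the body's csrfToken must
    equal the token half of the cookie, and the cookie's hash half must be the
    server's own hash of that token (so a forged cookie without the secret fails)."""
    if "|" not in cookie_value:
        return False
    token, digest = cookie_value.split("|", 1)
    expected = hashlib.sha256((token + secret).encode()).hexdigest()
    hash_ok = hmac.compare_digest(digest.encode(), expected.encode())
    token_ok = hmac.compare_digest(token.encode(), submitted.encode())
    return hash_ok and token_ok


def callback_state_is_valid(request_line: str, cookie_header: str) -> bool:
    """For GET /api/auth/callback/github?code=...&state=..., require that the state
    query parameter equals the next-auth.state cookie set when the flow started.
    This binds the authorization code to the browser session that requested it."""
    path = request_line.split(" ")[1]
    query = parse_qs(urlparse(path).query)
    state_param = query.get("state", [""])[0]
    state_cookie = parse_cookie_header(cookie_header).get("next-auth.state", "")
    if not state_param or not state_cookie:
        return False  # missing on either side: reject rather than skip the check
    return hmac.compare_digest(state_param.encode(), state_cookie.encode())


# Constructed samples modelled on the requests shown on this page.
COOKIE = issue_csrf_cookie()
TOKEN_HALF = COOKIE.split("|")[0]
GOOD_CALLBACK = "GET /api/auth/callback/github?code=c0de-sample&state=st4te-sample HTTP/1.1"
GOOD_COOKIES = "next-auth.csrf-token=t|h; next-auth.callback-url=%2F; next-auth.state=st4te-sample"
BAD_COOKIES = "next-auth.csrf-token=t|h; next-auth.callback-url=%2F; next-auth.state=other-state"

if __name__ == "__main__":
    print("sign-in POST, matching csrfToken:", csrf_token_is_valid(COOKIE, TOKEN_HALF))
    print("sign-in POST, wrong csrfToken:   ", csrf_token_is_valid(COOKIE, "wrong"))
    print("callback, state matches cookie:  ", callback_state_is_valid(GOOD_CALLBACK, GOOD_COOKIES))
    print("callback, state cookie differs:  ", callback_state_is_valid(GOOD_CALLBACK, BAD_COOKIES))
```

Both comparisons use `hmac.compare_digest` so that timing does not leak how many leading characters of a guessed token or state were correct; a missing state on either side is treated as a failure rather than as a reason to skip the check, which is the behaviour to look for when reviewing a callback handler.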