Gave Up on NextAuth

Continuing work on securing the endpoints.

I'm trying to make the auth as simple as possible, so I'm using NextAuth on the NextJS app, which I rely on to do the OAuth flow and create JWTs. But the problem is, I need users in my db, and I need to add the ID to the JWT, which means I need to create users right after logging in, but at that point the JWT isn't created.

Anyways, long story short, I decided to create a sort of a hacky client credentials flow, where I added a client secret which I use to sign a token specifically for this, and the backend will use this secret only for the endpoint that creates users.

This seems like the simplest way that avoids deploying my own Keycloak instance or whatever.
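A sketch of the kind of secret-signed, single-purpose token described above, as an added example that is not the code from this project. The audience value, claim layout and function names are assumptions; it uses only Node's built-in `crypto`.

```javascript
// Added example: names, claims and the audience value are assumptions.
const crypto = require('node:crypto');

const AUDIENCE = 'user-provisioning'; // hypothetical label for the one endpoint that accepts this token
const b64url = (buf) => Buffer.from(buf).toString('base64url');
const hmac = (secret, data) => crypto.createHmac('sha256', secret).update(data).digest();

// NextJS server side: mint a short-lived HS256 token for the create-user call.
function signProvisioningToken(secret, subject, nowSec, ttlSec = 60) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ sub: subject, aud: AUDIENCE, iat: nowSec, exp: nowSec + ttlSec }));
  return `${header}.${payload}.${b64url(hmac(secret, `${header}.${payload}`))}`;
}

// Backend: run this check only on the endpoint that creates users.
function verifyProvisioningToken(secret, token, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [header, payload, sig] = parts;
  const expected = hmac(secret, `${header}.${payload}`);
  const given = Buffer.from(sig, 'base64url');
  // Check the MAC first, in constant time, before trusting any claim.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  let head, claims;
  try {
    head = JSON.parse(Buffer.from(header, 'base64url').toString());
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (head.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' }; // pin the algorithm
  if (claims.aud !== AUDIENCE) return { ok: false, reason: 'wrong audience' }; // token is for this endpoint only
  if (typeof claims.exp !== 'number' || nowSec >= claims.exp) return { ok: false, reason: 'expired' };
  return { ok: true, sub: claims.sub };
}
```

The short lifetime and the fixed audience are what keep a leaked token from being useful anywhere except the user-creation endpoint, and only for about a minute.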

The auth works, but I'm struggling to retrieve the token on the frontend. It's unbelievable how hard it is to achieve the simplest things with NextJS libraries. An auth library doesn't provide a way to retrieve the token from wherever they're storing it? What the fuck?

I've been trying to achieve the simple task of getting the JWT for the past 3 hours.

After a small nervous breakdown, I've given up. I'm going to roll my own auth (Keycloak) and connect to it manually. I'll need a reliable Auth provider for other projects anyways, and investing some time into it now is surely going to pay off in the future.

Set up Keycloak, the GitHub auth works, now I need to set it up on the backend. Took a bit of time but now it's simple, it's secure, and most importantly, I understand it.

Finally finished everything. Works amazingly well, blazingly fast. It also has a bunch of built-in features I'll be using like RBAC. Should've gone with this setup from the start.

Very happy with how it's turning out.

Next up, I need to work on the public page, landing page (very crude) and the dashboard (very crude, pretty much done). Enough for today though.