
Inconsistent configuration of issuer/authorization/token URLs in Keycloak provider config #12638

Open
ace130-github opened this issue Feb 10, 2025 · 1 comment
Labels
bug Something isn't working providers triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.

Comments


ace130-github commented Feb 10, 2025

Provider type

Keycloak

Environment

  System:
    OS: Windows 11 10.0.26100
    CPU: (16) x64 AMD Ryzen 7 PRO 7840U w/ Radeon 780M Graphics  
    Memory: 6.26 GB / 27.72 GB
  Binaries:
    Node: 22.10.0 - C:\Program Files\nodejs\node.EXE
    npm: 10.9.0 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Edge: Chromium (131.0.2903.99)
    Internet Explorer: 11.0.26100.1882
  npmPackages:
    next: 15.1.6 => 15.1.6 
    next-auth: beta => 5.0.0-beta.25 
    react: ^19.0.0 => 19.0.0 

Reproduction URL

https://github.com/ace130-github/authjs-provider-config

Describe the issue

Not really a bug, but an inconsistency in the configuration:

When not using an issuer config with the Keycloak provider (or any OAuth2 provider, ftm), it is compulsory to configure the authorization, token, and userinfo endpoints.

However, configuring the latter ones doesn't work in the expected way.

Configuring the issuer works the way one would expect:

export const { handlers, auth, signIn, signOut } = NextAuth({
  secret: "abc",
  providers: [
    Keycloak({
      issuer: "http://localhost",
    })
  ],
// ...

One (at least, me) would then expect to configure authorization etc. like this:

export const { handlers, auth, signIn, signOut } = NextAuth({
  secret: "abc",
  providers: [
    Keycloak({
      token: "http://localhost",
      authorization: "http://localhost",
      userinfo: "http://localhost"
    })
  ],
// ...

However, this does not work, as you can see in the linked repository (branch main).

In order to make it work, you have to write the configuration like this:

export const { handlers, auth, signIn, signOut } = NextAuth({
  secret: "abc",
  providers: [
    {
      ...Keycloak({}),
      token: "http://localhost",
      authorization: "http://localhost",
      userinfo: "http://localhost"
    }
  ],
// ...

which is pretty counter-intuitive.

In case this is intended (which I would think is a questionable decision), then at least clear documentation should be in place on how to configure the particular endpoints, as opposed to the issuer endpoint.

How to reproduce

See the linked repository.

The branch main shows an error when trying to sign in:

[auth][error] InvalidEndpoints: Provider "keycloak" is missing both `issuer` and `authorization` endpoint config. At least one of them is required. Read more at https://errors.authjs.dev#invalidendpoints
    at assertConfig (webpack-internal:///(rsc)/./node_modules/next-auth/node_modules/@auth/core/lib/utils/assert.js:92:24)
    at Auth (webpack-internal:///(rsc)/./node_modules/next-auth/node_modules/@auth/core/index.js:91:95)
    at runNextTicks (node:internal/process/task_queues:65:5)
    at process.processImmediate (node:internal/timers:459:9)
    at process.callbackTrampoline (node:internal/async_hooks:130:17)

The branch https://github.com/ace130-github/authjs-provider-config/tree/fix/n/a_resolveConfigProblem shows the above mentioned workaround.

Expected behavior

The authorization, token, and userinfo endpoints should be configurable in the same way as the issuer.


ace130-github commented Feb 10, 2025

I think the issue can be tracked down to

!(provider.issuer ?? provider.options?.issuer)
and following lines, where issuer is read from the provider object or, alternatively, from the provider.options object, whereas authorization, token, and userinfo are only read from provider directly.

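To make the asymmetry described in this thread concrete, here is an added example (not Auth.js code): a stand-in `keycloakProvider()` factory that keeps caller options under `provider.options`, a check modelled on the `provider.issuer ?? provider.options?.issuer` line quoted above, and the consistent lookup the issue asks for. The factory shape and the non-issuer branches of the check are assumptions made for illustration.

```javascript
// Hypothetical stand-in for Keycloak(): the provider's defaults plus the
// caller's options kept under `options` (assumed shape, per the issue).
function keycloakProvider(options = {}) {
  return { id: "keycloak", type: "oidc", options };
}

// Model of the current check: issuer is read from the provider or from
// provider.options (the line quoted in the issue), while authorization is
// read from the provider object only (assumption about the following lines).
function checkEndpoints(provider) {
  const hasIssuer = Boolean(provider.issuer ?? provider.options?.issuer);
  const hasAuthorization = Boolean(provider.authorization);
  if (!hasIssuer && !hasAuthorization) {
    return { ok: false, error: "InvalidEndpoints" };
  }
  return { ok: true };
}

// What the current check actually "sees": only issuer falls back to options.
function effectiveEndpoints(provider) {
  return {
    issuer: provider.issuer ?? provider.options?.issuer,
    authorization: provider.authorization,
    token: provider.token,
    userinfo: provider.userinfo,
  };
}

// The behaviour the issue expects: every endpoint resolved the same way.
function consistentEndpoints(provider) {
  const pick = (key) => provider[key] ?? provider.options?.[key];
  return {
    issuer: pick("issuer"),
    authorization: pick("authorization"),
    token: pick("token"),
    userinfo: pick("userinfo"),
  };
}

const URL = "http://localhost"; // constructed sample value, as in the issue
const endpoints = { authorization: URL, token: URL, userinfo: URL };

// Case 1: issuer via the factory is found under options and passes.
const viaIssuer = checkEndpoints(keycloakProvider({ issuer: URL }));
// Case 2: endpoints via the factory stay under options and fail the check.
const viaFactory = checkEndpoints(keycloakProvider(endpoints));
// Case 3: the workaround spreads the factory result and sets them top-level.
const viaSpread = checkEndpoints({ ...keycloakProvider({}), ...endpoints });
// Case 2 again with the consistent lookup: the endpoints are now visible.
const resolved = consistentEndpoints(keycloakProvider(endpoints));
```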