CSRF token gets inconsistently invalidated if I mutate the provider oAuth URL's

[ChuckJonas]

Your question
Why is my CSRF token getting invalidated (inconsistently) if I mutate the provider oAuth URL's?

What are you trying to do
I've tried my best to debug what is actually going on, but I'm stumped.

In order to try and support Salesforce, for which a single oAuth app can be used for different tenants, I've attempted to override the base oAuth urls by passing a parameter into the signin function like so:

// on login button
signin('salesforce', {instanceUrl})

//[...nextauth]
export default (req, res) => {
  if (req.body.instanceUrl) {
    const instanceUrl = req.body.instanceUrl || 'https://login.salesforce.com';
    options.providers[0].accessTokenUrl = `${instanceUrl}/services/oauth2/token`;
    options.providers[0].requestTokenUrl = `${instanceUrl}/services/oauth2/authorize`;
    options.providers[0].authorizationUrl = `${instanceUrl}/services/oauth2/authorize?response_type=code&prompt=login`;
    options.providers[0].profileUrl = `${instanceUrl}/services/oauth2/userinfo`;
  }
  return NextAuth(req, res, options);
}; 

I know this is a hack, but it seems like it should work. And it does work! But only ~50% of the time 😞.

The other half, I get redirected to /api/auth/signin?csrf=true. I've confirmed it's happening on this line because !csrfTokenVerified, but I can't seem to figure out why. I don't see anything in the code that would cause this to happen. Based on the inconsistency, it seems like it has to be a race condition of some sort.

Reproduction

I can try to provide a reproduction if no one has any ideas why this might be happening...

Feedback
Documentation refers to searching through online documentation, code comments and issue history. The example project refers to next-auth-example.

• Found the documentation helpful
• Found documentation but was incomplete
• Could not find relevant documentation
• Found the example project helpful
• Did not find the example project helpful

[ChuckJonas]

🤦 ... Not sure how I missed this on my first scan of the code but it's right there... The secret is created by hashing the Options.
https://github.com/nextauthjs/next-auth/blob/canary/src/server/index.js#L66

Doesn't seem like this "secret" option is documented. Throws a type error when I set it, but everything is at least working now.

[balazsorban44]

You can find the documentation for the secret option here: https://next-auth.js.org/configuration/options#secret