I am using NextAuth with the Google Provider and have followed an example they provide whereby you can check the domain and reject the login if the user's email domain does not match whatever you have hard set. The example is at the bottom of this page: https://next-auth.js.org/providers/google
```js
const options = {
  ...
  callbacks: {
    async signIn({ account, profile }) {
      if (account.provider === "google") {
        return profile.email_verified && profile.email.endsWith("@example.com")
      }
      return true // Do different verification for other providers that don't have `email_verified`
    },
  }
  ...
}
```
The code works great...locally
However, when being used in production, a user who attempts to log in with an email that doesn't match is rejected (expected behaviour) but is then prevented from accessing the account selection page. Any subsequent calls of `signIn('google')` from the client simply redirect the user to the following path: `/api/auth/error?error=AccessDenied`
It's as if the same account details are being used by Google on every request.
After 2 hours stuck on this task, I found the answer a minute after posting the question (typical). The solution was to pass in `prompt: 'select_account'` as an auth param with the `signIn` function...
```jsx
<button
  onClick={async () =>
    // third argument: extra authorization params forwarded to Google
    signIn('google', undefined, {
      prompt: 'select_account',
    })
  }
  className='btn btn-outline btn-primary'
>
  Sign In
</button>
```
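The two pieces above, the `signIn` callback's domain check from the question and the `select_account` prompt from the answer, can be combined into one server-side configuration. The following is an added example, not code from the question, the answer or NextAuth itself. It assumes the NextAuth v4 `signIn({ account, profile })` callback shape and the Google profile fields `email` and `email_verified` used in the question; `ALLOWED_DOMAINS` is a constructed placeholder. It goes beyond the question's single `endsWith` check by accepting a list of domains, comparing case-insensitively and refusing sign-in when `email` is missing instead of throwing, and it sets the prompt on the provider so every sign-in gets the account chooser rather than relying on each client call to pass it.

```javascript
// Added example; not from the original post or the NextAuth project.
// Assumed: NextAuth v4 signIn callback shape { account, profile } and the
// Google profile fields `email` / `email_verified` shown in the question.

const ALLOWED_DOMAINS = ["example.com"]; // constructed placeholder list

// Pure decision function so the policy can be unit-tested without NextAuth.
// Returns true when the sign-in should be allowed.
function allowGoogleSignIn({ account, profile }, allowedDomains = ALLOWED_DOMAINS) {
  if (!account || account.provider !== "google") {
    // Other providers may lack `email_verified`; verify them differently.
    return true;
  }
  // Never trust an unverified address: Google sets this flag explicitly.
  if (!profile || profile.email_verified !== true) return false;
  // A missing or non-string email must fail closed, not throw inside NextAuth.
  if (typeof profile.email !== "string") return false;

  const at = profile.email.lastIndexOf("@");
  if (at < 0) return false;
  // Compare the full domain after "@", case-insensitively, so
  // "user@example.com.evil.org" is rejected and "user@Example.COM" accepted.
  const domain = profile.email.slice(at + 1).toLowerCase();
  return allowedDomains.some((d) => d.toLowerCase() === domain);
}

// Authorization params forwarded to Google on every sign-in. Forcing the
// account chooser means a user rejected by the callback is not silently
// re-sent with the same Google account on the next signIn('google') call.
const googleAuthorizationParams = { prompt: "select_account" };

// Wiring into NextAuth (shown in comments so this file runs without next-auth):
//
// import NextAuth from "next-auth";
// import GoogleProvider from "next-auth/providers/google";
//
// export const authOptions = {
//   providers: [
//     GoogleProvider({
//       clientId: process.env.GOOGLE_CLIENT_ID,
//       clientSecret: process.env.GOOGLE_CLIENT_SECRET,
//       authorization: { params: googleAuthorizationParams },
//     }),
//   ],
//   callbacks: {
//     async signIn({ account, profile }) {
//       return allowGoogleSignIn({ account, profile });
//     },
//   },
// };
// export default NextAuth(authOptions);

module.exports = { allowGoogleSignIn, googleAuthorizationParams, ALLOWED_DOMAINS };
```

Putting the prompt in the provider's `authorization.params` (a NextAuth v4 option) keeps the behaviour in one place; the client can still call `signIn('google')` without a third argument. The domain check keys on the address after the last `@`, which works for any Google account; for Google Workspace accounts Google additionally exposes a hosted-domain (`hd`) claim that can serve as a second check.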