How to enable IDP initiated login for OAuth?

[flx5]

Hi, I'd like to enable IDP initiated login. However redirecting the user to the https://next-auth.js.org/getting-started/rest-api#post-apiauthsigninprovider endpoint isn't possible as it requires a POST request and a CSRF token.

What is the intended workflow to start the flow from the Idp provider?

[everton-dgn]

The CSRF requirement on POST /api/auth/signin/[provider] is intentional, it blocks login CSRF, which is the whole reason IdP-initiated flows hitting that endpoint will always fail.

The entry point you actually want is the callback URL, not the sign-in URL:

/api/auth/callback/[provider]

Steps that work for IdP-initiated OAuth:

1. Configure your IdP to redirect the user straight to the callback with an authorization code:

   https://yourapp.com/api/auth/callback/your-provider?code=...

2. Disable the state/PKCE checks on that provider, NextAuth validates them against a cookie set during the signIn phase, which never happens on an IdP-initiated flow, so the callback would otherwise reject the request:

   // auth.ts (Auth.js v5)
   providers: [
     {
       id: "your-provider",
       // ...rest of the provider config
       checks: ["none"],
     },
   ];

   In NextAuth v4 the equivalent is protection: "none" on the provider config.

Important caveat: turning off state/pkce removes one layer of CSRF protection on the callback. That's acceptable for a controlled enterprise IdP, but don't do it for public OAuth providers. If you're doing SAML-based IdP-initiated SSO specifically, a dedicated SAML library (e.g. next-auth + a SAML adapter, or passport-saml behind an API route) is a better fit than the OAuth callback path.