Implementing Third-party OAuth Flow with NextAuth in React Frontend Connected to External Java API

I need assistance with setting up OAuth authentication in my application. Here’s my setup:

  • I’m using React for the frontend, specifically Next.js (client-side only).
  • The backend is a separate Java Spring Boot API.
  • I want to integrate an external OAuth provider (not Google or GitHub).
  • For session management, I’m utilizing NextAuth.

My goal is to authenticate users via a third-party OAuth service, but I’m unclear about the exact flow. It’s crucial that my Java backend handles all security aspects instead of Next.js.

Here are two options I’m considering:

Approach A:
The frontend directs the user to the OAuth provider → Receives an authorization code → Sends this code to the Java API → Obtains JWT tokens → Stores these in the NextAuth session.

Approach B:
The frontend routes the user to a Java API endpoint → The backend manages the OAuth flow → Redirects back to the frontend → Finds a way to include tokens into NextAuth.

I have several key questions:

  1. What is the correct way to construct the OAuth authorization URL?
  2. Is it appropriate to use useEffect for sending the authorization code to my backend right after the redirect?
  3. How do I insert custom JWT tokens into the NextAuth session within the route handler?
  4. Regarding Approach B, how does the frontend retrieve the tokens after multiple redirects?

I’ve consulted AI resources, but they tend to suggest handling OAuth directly through Next.js API routes, which contradicts my intention of having a separate secure backend.

Versions in use: Next.js 15.1.6, NextAuth 4.24.11, React 19.

I think approach B makes more sense too. Let your Java backend do all the heavy lifting with OAuth. When it gets the token, send it back to Next.js securely. Then you can manage the session with NextAuth seamlessly. Way easier!

I’ve built similar setups before - go with Approach B but tweak it a bit. Have your Java backend handle the full OAuth flow with Spring Security OAuth2 client. Once it gets the tokens, generate a secure session ID or temp token and pass it back to your frontend through URL params or secure cookies. For NextAuth, create a custom provider that validates this session ID against your Java backend. The backend returns user info and issues its own JWT tokens. This way all OAuth credentials stay server-side but NextAuth still handles frontend sessions. For token refresh, do everything on the Java side with scheduled jobs or interceptors. Your NextAuth sessions should just reference the backend session instead of storing actual OAuth tokens. You get security plus NextAuth’s session management benefits.
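One way to wire the handoff described in this answer into NextAuth v4, as an added example (not the poster's code or anything from the project): the Java endpoint `/auth/session/exchange`, its JSON response shape and the `JAVA_API_URL` variable are assumptions.

```javascript
// Added example (not the poster's code); endpoint, response shape and JAVA_API_URL are assumed.
const JAVA_API = process.env.JAVA_API_URL || "https://java-api.example.internal";

// Exchange the one-time handoff code from the redirect URL for the backend's own
// session data; fetchImpl is injectable so the logic can be exercised offline.
async function exchangeHandoffCode(code, fetchImpl = fetch) {
  // Reject anything that is not an opaque code before it reaches the network.
  if (typeof code !== "string" || !/^[A-Za-z0-9_-]{16,128}$/.test(code)) return null;
  const res = await fetchImpl(`${JAVA_API}/auth/session/exchange`, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ code }),
  });
  if (!res.ok) return null;
  const data = await res.json(); // assumed: { userId, email, accessToken, expiresAt }
  return data.userId && data.accessToken ? data : null;
}
// Same object CredentialsProvider() from "next-auth/providers/credentials" builds,
// written out so this file needs no framework import to run.
const backendSessionProvider = {
  id: "java-backend",
  name: "Java backend session",
  type: "credentials",
  credentials: { code: { label: "Handoff code", type: "text" } },
  async authorize(credentials) {
    const data = await exchangeHandoffCode(credentials && credentials.code);
    if (!data) return null; // null = sign-in refused, nothing enters the session
    return { id: data.userId, email: data.email, accessToken: data.accessToken, expiresAt: data.expiresAt };
  },
};
// pages/api/auth/[...nextauth].js: export default NextAuth(authOptions)
// The callback page runs signIn("java-backend", { code, redirect: false }).
const authOptions = {
  providers: [backendSessionProvider],
  session: { strategy: "jwt" },
  callbacks: {
    // `user` is set only on sign-in; later calls carry just the encrypted token.
    async jwt({ token, user }) {
      if (user) Object.assign(token, { accessToken: user.accessToken, expiresAt: user.expiresAt });
      return token;
    },
    // Only expiry and an existence flag reach the browser; the token stays server-side.
    async session({ session, token }) {
      session.expiresAt = token.expiresAt;
      session.hasBackendSession = Boolean(token.accessToken);
      return session;
    },
  },
};
```

The Java side stays the only holder of the provider's OAuth tokens; NextAuth's encrypted JWT carries just the backend-issued access token and its expiry.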

Interesting challenge! What’s your plan for handling token refresh? And which OAuth provider are you using? Some have quirks that’ll affect which approach works best. I like approach A - cleaner setup - but I’m wondering about the security risks of passing codes through the frontend :thinking: