Introduction# This article explains how to integrate the research data management platform “GakuNin RDM” with a Next.js application using OAuth2. Since GakuNin RDM provides an API compatible with OSF (Open Science Framework), implementation can be based on the OSF OAuth2 flow.
This article provides a detailed explanation of the implementation using next-auth and the pitfall of automatic access token refresh .
What is GakuNin RDM?# GakuNin RDM (Research Data Management) is a research data management service provided by the National Institute of Informatics (NII).
It is a platform where researchers can safely store, share, and publish research data, and through integration with GakuNin authentication, users from Japanese universities and research institutions can use it.
Preparation# 1. Registering an OAuth Application# Register an OAuth application from the GakuNin RDM settings screen.
Access https://rdm.nii.ac.jp/settings/applications/ Click “Register a developer application” Configure the following:Application name : App nameApplication homepage URL : http://localhost:3000 (for development)Application description : DescriptionAuthorization callback URL : http://localhost:3000/api/auth/callback/gakunin After registration, a Client ID and Client Secret are issued.
2. Setting Environment Variables# # G G N N O A A E E S . K K X X F e U U T T _ n N N A A S v I I U U C . N N T T O l _ _ H H P o C C _ _ E c L L U S = a I I R E o l E E L C s N N = R f T T h E . _ _ t T f I S t = u D E p y l = C : l y R u _ o E / r r u T l _ e r = o r a _ y c a d c o a n l u l d o i r h o s e _ o m f n c s _ . t l t s f _ i : e u i e 3 c l d n 0 r l t 0 e _ _ 0 t w s r e i c t r e e t Custom Provider Configuration with next-auth# Since GakuNin RDM is not included in next-auth’s built-in providers, it needs to be configured as a custom provider.
Basic Configuration# i e } m x ; p p p ] l o o r , i r r o { } b t t v , / i i n t c c a } t } u p } a t c d d a y l l u , o , s r , u y o e : m p i i t u p } k u a } e o r } t p n r e e e e h r a , e r s , r f e ; h e s s " : : n n o l r c s r r n l y c } c ) c i } r i i t i n e . t : g t t r : a l c e e : : n o ) o ; o f e n l u d a m t { a " " I S i m i o s d c n c c c g r ; n " { } n t t f e r : m a s a [ k G o d e z " s e p p i { " s l l o r e s h s ( h u o ( n e i N u u a a : c a h : n e o r h r t i i d a d t t m h } b t ! r r : p p : l e t n k u r t t t : n e t e e e e n i t e e , o r o n r { r : x h i u t p e i t { _ s c t q b n n : t r r p t a " d j e w " o o p t O n N h r t o p i p e t p u o t t _ e e s h d C y s s { h f f r p A p " i " o : n s d r _ _ s e d _ _ c t c s : o e o , o . n t i i o r u t , n , c : : : o t u : s y i s o y t / d r n n o e t t l l f o t i e p / c y r / t d e n p _ = / : s t k w o p e e i f h o R s r { / p e p i / ( = : c t e u a : e = ) k s ) . l i O n D s o a r s e : a c r e : r a c " n E e : d e l p s M . c c o s : c o n p e x i w c P { t a { r n / { a . e t : " e e c c . ` c n e r t t " : a o O - w r s / t d . i , n s o e e " $ o t w o : . a i u S T a o : a a a d o N v s u s n c { u e c p u ` t n T y i r p . t a n e . . n s v o p n x U e p a t $ t " p t ( j i i a t s x G e t . . d r t t R s r r h { f s , e ` s . d . a t A n s e O e o s ) L s o a o p e . " r T o r , a . } A K v . n S " c . S . c m r r t r : e o n d t a u U . r v F , e r { e e e s i o c d s k m t t f t N G d . _ s d a n s . z c h m " . e } . r t r h I A m G S s m r v s c a e ( . a j n ; n i r o O N K . A C . . c . . o t s n p s i b i m p _ U n K O e n h G e d i s i p o r i u b t C N i U P n i P A n e o . i l n e . t u " i L I i N E v i a K v n e . i ( q a e t n o I N . I . . r U . a _ n a c ) u c s e e n E _ a N N a a N G s c v c a ; e . . s x s N C c _ E c m I A o . . t s j f . t T L . C X . s N K s d N j i t p u e - = _ I j L " T j ( _ U t e E p o / l m a I E p I o A p { C N r " X / n f v l a u { D N / E s U / L I i , T o / a 2 _ i t , T o N f T o I N n A a x i / n l h _ a T . H a E _ g U u - l u a , " S u _ f _ u N C , T t w e s m ; E t I u U t T L H h w d e e C h D l R h _ I _ 2 w : r , R 2 , l L 2 I E U / - s E / _ } / D N R t f $ / T a r / t ! T L o o { m , u e a o , _ } k r r e t a p k S / e m e / h d i e E a n - s " o / n C p " u . , r o a " R i , r s i s u , E / l t z f t T a e a e . h ! u n t " f / , t c u , u c h o s l a / d T l l c e e _ l a d x w b l " t r a l , } i c b ` t k a ) e / c ; " g k , a / k g u a n k i u n n ` i , n ` , Key Points# Customizing token.request : Since GakuNin RDM expects token requests in application/x-www-form-urlencoded format, a custom request function is implementedParsing userinfo : Since the OSF API returns responses in { data: { id, attributes: { ... } } } structure, mapping is done in the profile functionPitfall: Automatic Token Refresh# Problem# OAuth2 access tokens have an expiration time (approximately 1 hour for GakuNin RDM).
In the default implementation of next-auth, token refresh is not performed . Therefore, after being logged in for a while, the following error occurs:
F a i l e d t o f e t c h p r o j e c t s : 4 0 1 - { " e r r o r s " : [ { " d e t a i l " : " U s e r p r o v i d e d a n i n v a l i d O A u t h 2 a c c e s s t o k e n " } ] }
This creates a confusing situation where the user is logged in but the API returns a 401 error.
Solution# Manage the token expiration in the JWT callback and automatically refresh before expiration.
d } d } a } e } e e s x ; c i } c i } y t } } p c } l T l n l n R n r A a , i y a t a e a t a r a e e c y c } c ) c i } r } c r } d r l a } a } b p r e c r r e c e c r f o ) o ; o f e ; a e ; d t l s , s , / e e r c r e r c f c r r f { n c c r g ; n " { } n t t a a r t t e b y i } i } r y s s r a f e o f e r e o e u s l l e r s h s ( h u c c e c u r c c a n f f e n e e e u d m a s r m a s e s r s n t i i f a t t m h } b t ! r r . c c f h r . r a o c c r } r t c s s t t e o c s ? o c s s s ? h c e e r n t e e , o r o n t e e r n t o l n p k O ( e ; I ( e T u s s u h f d e T : d e T h T : t b n n e t r p t a " d r e w o s s e ( o r l s r s j n a t a r a u f t t o r s i i r . i u o u o T o f i o t t s _ e s h d C y e s { k s s s e { k : b t o : w c u c e c s o u k n e o o n t n l S k s l J k o k s u o d _ _ h t s : o e o , f p n e T T h r e a v t i c r . c f c e t k r e s n n s i e e e t e W e k e t n n y i s _ y p d r n r o e n o o T r n " c a i { ( n o n t e r e r o e n n r s . . s t s n r T n e n r c d e t p / : s t e n w , k k o o , R k u d { i u o s e s I k n e i a e e i " s ? i " ? n E i t r = : c o e n a : e s s e e k r e s t e t n { k s s s d e . t e f o c r s o n i : n n { : ? x n i e r k : s c " n h e E n n e ) f h r t i t e T h T : n a o x r n c r s n e o g e : p g o f n p e e e c P { t e . r : E n r t O s o a ) n o T o c k p e ( e o i x n s ; x s i ; n r e r t n " o O - d o r x : { e o p k l , k o k u i c e i s { s r o e t t t t s r e w o : : r = u S T T k o r p s t c e { e k e s s e n r h s n x - { r - r t e s c e n T y o ) r e i r h a i o n s n e n e s ; e A s T = ; t a i a i r s h U e p t f a t " p k ( f r e A u o n , i : n E r s s d c e o e u n u n i ? A R s r o r w s , e e { " r e f c t n f g : x ? t T c s k t n t g t g n : c L s o k e a . " n R e s r c h s i a n a p . i o e s e o s h ; h ; g c S . c e s i r : s e s : e e O : g c - c a i i l k s i n k i " / ; n e e e e n h t d f h s s p u c i c c r d l e s o e o j u s a n s . _ m " = r e D h s t N r o n o c e , n r T n = n n { w m s r v s r t f . a e d a e T i e a u u o s v E e o , . s t b T c . . e o e n p a s T t d o o x t n n u : a x f k t e " e o h G e f k t i p w h o e T k n t i t t n l p r e t o r r k P A n r e c i l a A k . o e s A o , . t D i i e n o k r { ; e a K v e n h . i i c e n k n u n a . a d r s ( k e o n r U . s " ( a c t c n o e E t u c r t e h t e n r ( a N G h , c a e s w n r h s c e e ( s o n . ; t m I A T . t r s . ( s r O e e f . w k a o s N K o j i e s a ) . o p r s r n i & e } c k ( _ U k p o s T c r r t s e o t & n ) c e { C N e / n p o c + e " i } _ s w h ) e n L I n o / o k e f , o ) t h ( D ; { s : I N ! a x n e s r r n o _ ) 6 a s E _ , u - s n s e e s { k t 0 t T J N C t w e E _ f s e o - e o W T L h w . r t r h = n k s . k T _ I 2 w j r o e _ , e ( e n e ) I E / - s o k s t { n a c o n D N t f o r e h o , c o w ; { ! T o o n " n e k c n ( , _ k r ( ) , d e o d ) S e m ) ; T n u E n - ; o n b < C " u k ? t u R , r e ? . f t E l n e f o T e s t x e k ! n . o p r e , c e k i ) n o x e r . d p n e a e i . s c d r r _ c " e e i e , s f n s _ r s i e a T n s s o h k T n e o u n 1 k m E 0 e b x 0 n e p 0 , r i , ) r e s 1 - 0 0 6 0 0 , 0 0 0 ) { Flow Diagram# ┌ │ ├ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ └ ─ ─ ─ ─ ─ ─ ─ ─ a a r ─ ─ ─ c c e ─ ─ ─ c c f ─ ─ ─ o e r ─ ─ ─ u s Y N e ─ ─ ─ n │ N │ ▼ s │ e │ o │ ▼ s ─ ─ ─ t o T s h ─ ─ ─ o A ─ ─ ─ e k ─ c ─ ─ ─ x e ─ c ─ ─ ─ i n ─ e ─ ─ ─ s E ─ s ─ ─ ─ t x ─ s ─ ─ ─ s p ─ T ─ ─ ─ ? i ─ o ─ ─ ─ r ─ k ─ ─ ─ ─ e ─ e ─ ─ ─ ─ s ─ n ─ ─ ─ Y ─ ( ─ ─ ─ e > ─ ) ─ ─ J ─ s ─ ─ ─ W ─ ─ n ─ ─ ─ ─ T ─ ─ o > ─ ─ ─ ─ > w > ─ ─ C ─ R ─ ─ a ─ I - - - + e R o ─ ─ l ─ n t e r ─ ─ l ─ i S S S 6 u t ─ ─ b ─ t a a a 0 r u s ─ ─ a ─ i v v v s n r e ─ ─ c ─ a e e e ? n t ─ ─ k ─ l t ─ ─ ─ a r a o n e ─ ─ ─ s c e c k e r ─ ─ ─ i c f c e w r ─ ─ ─ g e r e n o ─ ─ ─ n s e s t r ─ ─ ─ - s s s a o ─ ─ ─ i T h T s k ─ ─ ─ n o T o - e ─ ─ ─ k o k i n ─ ─ ─ e k e s ─ ─ ─ n e n ─ ─ ─ n E ─ ─ ─ x ─ ─ ─ p ─ ─ ─ i ─ ─ ─ r ─ ─ ─ e ─ ─ ─ s ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┐ │ ┤ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ ┘ │
Client-Side Error Handling# If the refresh token has also expired, session.error is set to "RefreshAccessTokenError". This can be detected to prompt re-sign-in.
" i i e } u m m x s p p p c u } r c e o o o o s , e o r r r n e i } t m c t t t s E f [ u p l t f s s r o i { { f f ( i e n n e u { e s g s e n u u n c e T n s n t s s c d t s o I i > t " e e t a ( s k n o { s ; S E i t ( i e ( n c / e f o a ) o n " ] h S s f n : n g ) i e s e = ? r a ; l s i c S s > . e k d s o t e e e f u r i n s s { r r n e o , } s s r e i n n i i o s n } G s f o o r h " < u i r n n ) / a g o G = f ; > r n m u } = a ; d I a = i . n " r = l t r d " e s } e ( u R d x a { s e f c e f r t c S r o " h e e m ; i s s p l s h r " d i A o n r o c m e e n c p x n ( e t t ) s - } ; s r a : T e u o - t { k s h e i / c n g r h E n e i r - a l r i c d o n t r r " e " ; n ) : { R e a c t . R e a c t N o d e } ) { API Usage Example# i i i e } m m m x p p p p c i } c } c r a o o o o o f o ) o e p r r r r n r ) n h } ; n t p t t t t s ( e ; U s e , s u / t ! t { { s t a A t r a { { { a s u e d u n p s s e r e s r e t d i N g a y e s n r t a e r h a N / e e u n s s r a u s s o t e r x t t c s i N o t t p : r a x d t S h i o e r u o o i t m R e O f o n x : s - n { z = R / e r p u n ? t : r s a e p s v t n . R " e e t a s r p e i c = a e N 4 f i w p o o r o t c s o 0 r = o a o j n S n i a c p t 1 e n i n e s e s o w e o s a : t s c e s n a s n a } h w e t s } i s s u e a ` r . s } i G t T e t d i B e j / o f E o . h t e s s r f n r T g k j e a a p o o r o ( e e s n c f r o n u o } m ) t n o t c e e n ( t m S ) n i e t r s d e f " { e ( c s c e a . " r @ r { a s h $ . t t n o / v t T ( { j a s e m l e e o " s s ) x i r d k h e o ; t " b S " e t s n / n / e n t s ( s e a s } p i ) e x u s , s o ; r t t i : n v - h o / . e a " n / a r u ; ( a c " t a p c ; h u i e " t . s ; h r s O d T p m o t . k i n e o i n n i } s . ` ) a , ; c . j p / v 2 / u s e r s / m e / n o d e s / " , { Summary# Key points when integrating GakuNin RDM with next-auth:
Configuration as a custom provider is required Token requests must be in application/x-www-form-urlencoded formatWithout implementing automatic access token refresh , 401 errors will occur even when logged in Implement client-side error handling for cases when the refresh token also expires The third point, token refresh, is easy to overlook, so be sure to consider it when implementing OAuth2 integration.
References#