fix(providers): add issuer to GitHub provider for RFC 9207 compliance #13410

Merged
Bekacru merged 1 commit into nextauthjs:main from Vinay152003:fix/github-rfc9207-issuer
Apr 12, 2026
@Vinay152003
Contributor

Summary

Adds RFC 9207 (OAuth 2.0 Authorization Server Issuer Identification) compatibility to the GitHub provider by configuring the issuer value that GitHub now returns in OAuth callbacks.

Problem

GitHub recently implemented RFC 9207 by silently returning an iss=https://github.com/login/oauth parameter in OAuth callback responses (April 6-10, 2026). The openid-client library validates this parameter unconditionally, and without a configured issuer, it throws:

issuer must be configured on the issuer

This breaks GitHub OAuth sign-in for all applications using this provider.

Solution

Add issuer: \ to the GitHub provider configuration. This works for both:

  • Standard GitHub: issuer: "https://github.com/login/oauth"
  • GitHub Enterprise Server: issuer: \ (dynamically derived)

Changes

  • Added 1 line to packages/core/src/providers/github.ts
  • No breaking changes, fully backward compatible
  • Supports both GitHub and GitHub Enterprise Server

References

Test Plan

  • Standard GitHub OAuth sign-in succeeds
  • GitHub Enterprise Server OAuth sign-in succeeds
  • Existing auth flows unaffected

Fixes: langfuse/langfuse#13091

GitHub recently implemented RFC 9207 by returning an 'iss' parameter in OAuth callbacks.
The openid-client library validates this parameter unconditionally, breaking authentication
for apps that don't configure an issuer.

This fix adds issuer configuration to both standard GitHub and GitHub Enterprise Server,
ensuring RFC 9207 compatibility.

Fixes: langfuse/langfuse#13091
@Vinay152003 Vinay152003 requested a review from ThangHuuVu as a code owner April 10, 2026 19:04
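
The check that the configured issuer satisfies, as an added example (not code from this PR, Auth.js or openid-client): a simplified model of RFC 9207 `iss` validation on the OAuth callback. The function name, the `provider` object shape and the callback URLs are assumptions made for illustration.

```javascript
// Simplified model of RFC 9207 "iss" validation. Added example, not library code.

// Issuer value quoted in the PR description for github.com.
const GITHUB_ISSUER = "https://github.com/login/oauth";

/**
 * @param {string} callbackUrl redirect URI the browser was sent back to
 * @param {{issuer?: string, issParameterSupported?: boolean}} provider
 *        hypothetical config shape; issParameterSupported mirrors the server
 *        metadata field authorization_response_iss_parameter_supported
 * @returns {{ok: boolean, reason: string}}
 */
function checkCallbackIssuer(callbackUrl, provider) {
  const iss = new URL(callbackUrl).searchParams.get("iss");

  if (iss === null) {
    // RFC 9207: a missing iss is only acceptable when the authorization
    // server does not advertise support for the parameter.
    return provider.issParameterSupported
      ? { ok: false, reason: "iss missing but server advertises support" }
      : { ok: true, reason: "no iss returned" };
  }
  if (!provider.issuer) {
    // The failure described in this PR: the server sends iss, the client
    // has nothing to compare it with, so the sign-in is refused.
    return { ok: false, reason: "iss returned but no issuer configured" };
  }
  // RFC 9207 requires simple string comparison, with no URL normalisation.
  return iss === provider.issuer
    ? { ok: true, reason: "iss matches configured issuer" }
    : { ok: false, reason: "iss mismatch" };
}

// Constructed callback URLs; the code and state values are placeholders.
const callback = (extra) =>
  `https://app.example/api/auth/callback/github?code=abc&state=xyz${extra}`;
const withIss = callback("&iss=" + encodeURIComponent(GITHUB_ISSUER));
const withOtherIss = callback("&iss=" + encodeURIComponent(GITHUB_ISSUER + "/"));

function demo() {
  return {
    beforeFix: checkCallbackIssuer(withIss, {}),
    afterFix: checkCallbackIssuer(withIss, { issuer: GITHUB_ISSUER }),
    mismatch: checkCallbackIssuer(withOtherIss, { issuer: GITHUB_ISSUER }),
    noIss: checkCallbackIssuer(callback(""), { issuer: GITHUB_ISSUER }),
  };
}
```

The `mismatch` case differs from the configured issuer only by a trailing slash, which is enough to fail an exact comparison.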

@hpsin

hpsin commented Apr 10, 2026

I love the use of the base URL here so that it can also work for GHE-DR and GHES instances as well as github.com. Thanks for submitting this fix!

For the maintainers - once the issuer is merged into next-auth, I'll want to include a link to the next release in our changelog announcement so that folks can pick up the update. We can't ship the issuer parameter in the authz code response until this is fixed. As is, any app that doesn't update to the next release of next-auth will break if they are using GitHub auth once we do ship the feature.

I'm hoping to re-release the feature in 2-3 weeks - does that work with your release cadence and the usual rate at which folks pick them up?

(Also this fixes #13409)

@Bekacru Bekacru merged commit 67f2b16 into nextauthjs:main Apr 12, 2026
6 of 7 checks passed
@panva
Contributor

panva commented Apr 12, 2026

@Bekacru there should be a corresponding fix in v4 stable as well and a release of both (v4 and v5.beta)

@Bekacru
Contributor

Bekacru commented Apr 12, 2026

> For the maintainers - once the issuer is merged into next-auth, I'll want to include a link to the next release in our changelog announcement so that folks can pick up the update. We can't ship the issuer parameter in the authz code response until this is fixed. As is, any app that doesn't update to the next release of next-auth will break if they are using GitHub auth once we do ship the feature.

Yeah should be released early this week

@Bekacru
Contributor

Bekacru commented Apr 12, 2026

@panva thanks, will do

Labels

core Refers to `@auth/core` providers

Development

Successfully merging this pull request may close these issues.

bug: GitHub OAuth sign-in fails with "issuer must be configured on the issuer" after GitHub enabled RFC 9207