[Bug]V5 OAuth Provider token.request configuration not working, defaults to token.url direct request

[leonwangcn]

🐛 Bug Description

When customizing an OAuth Provider with a token.request function to handle special token exchange logic, the function is never called. Auth.js defaults to making a direct request using token.url, causing third-party OAuth services to return errors.

📋 Steps to Reproduce

1. Create a custom OAuth Provider with token.request function configured
2. Perform OAuth login flow
3. Observe logs - notice that logs from token.request function never appear
4. Receive error: OperationProcessingError: "response" is not a conform Token Endpoint response

💻 Code Example

export default function DingtalkProvider(options: OAuthUserConfig<DingtalkProfile>): OAuthConfig<DingtalkProfile> {
  return {
    id: "dingtalk",
    name: "DingTalk", 
    type: "oauth",
    authorization: {
      url: "https://login.dingtalk.com/oauth2/auth",
      params: {
        scope: 'openid corpid',
        response_type: 'code',
      }
    },
    token: {
      url: 'https://api.dingtalk.com/v1.0/oauth2/userAccessToken',
      async request(context) {
        console.log("=== Custom Token Request Started ==="); // This log never appears
        
        // DingTalk API requires special JSON format parameters
        const response = await fetch('https://api.dingtalk.com/v1.0/oauth2/userAccessToken', {
          method: 'POST',
          headers: { 'Content-Type': 'application/json' },
          body: JSON.stringify({
            clientId: options.clientId,
            clientSecret: options.clientSecret,
            code: context.params.code,
            grantType: 'authorization_code'
          }),
        });
        
        const data = await response.json();
        return {
          tokens: {
            access_token: data.accessToken,
            expires_in: data.expireIn ?? 7200,
            refresh_token: data.refreshToken ?? '',
            token_type: "Bearer",
          }
        };
      },
    },
    // ... other configurations
  };
}

🔍 Actual Behavior

• token.request function is never called
• Auth.js directly uses default OAuth2 flow to request token.url
• Since DingTalk API requires special JSON format parameters (camelCase), default request fails
• Returns error: OperationProcessingError: "response" is not a conform Token Endpoint response

🎯 Expected Behavior

• When token.request function is configured, it should be called instead of using default token exchange logic
• Custom token request logic should be properly executed

🔧 Current Workaround

Currently can only use token.conform to handle response format conversion, but this requires the third-party API to accept standard OAuth2 parameter formats.

📊 Environment

• Auth.js Version: @auth/core@^0.37.2
• Next.js Version: 15.0.3
• Node.js Version: 20.x
• Browser: Chrome/Safari
• OS: macOS

🔗 Related Files

• OAuth Provider implementation
• Auth.js configuration file

💡 Additional Context

This issue particularly affects OAuth providers that don't follow standard OAuth2 parameter naming conventions (like DingTalk, which uses camelCase instead of snake_case). The token.request function should provide a way to completely override the token exchange process, but it appears to be ignored in the current implementation.

Hope this issue can be fixed to make token.request configuration work properly.

[leonwangcn]

https://github.com/leonwangcn/t3-app