Need Help: Single Sign-On (SSO) with OIDC Provider Plugin
Hey everyone! I'm integrating Single Sign-On (SSO) with Better Auth using the OIDC Provider Plugin across two Next.js apps:
Main app (Backend + Auth) → http://localhost:3000
Frontend (SSO Login UI) → http://localhost:3001
Current Setup
Main App - Auth Configuration (auth.ts)
import { betterAuth } from "better-auth";
import { drizzleAdapter } from "better-auth/adapters/drizzle";
import { db } from "@/db";
import {
oidcProvider,
phoneNumber,
openAPI,
admin,
organization,
jwt,
} from "better-auth/plugins";
import { sso } from "better-auth/plugins/sso";
import { authSchema } from "@/db/schema";
import { nextCookies } from "better-auth/next-js";
/**
 * Better Auth server instance for the main app.
 *
 * Configures a Drizzle/Postgres adapter, email+password and Google sign-in,
 * account linking, and the OIDC provider, JWT and SSO plugins.
 */
export const auth = betterAuth({
  database: drizzleAdapter(db, {
    provider: "pg", // or "mysql", "sqlite"
    schema: {
      ...authSchema,
      // Explicit `user` entry after the spread; it re-states authSchema.user.
      user: authSchema.user,
    },
  }),
  // Origins (here the SSO login UI) that Better Auth accepts requests and
  // redirect targets from. Plain-http localhost is a development value;
  // deployed entries should be exact https origins, never wildcards.
  trustedOrigins: ["http://localhost:3001"],
  account: {
    accountLinking: {
      enabled: true,
      // Sign-ins from a trusted provider are linked to an existing user with
      // the same email automatically, even when the provider does not confirm
      // that the email is verified.
      // NOTE(review): "test-app" is presumably an SSO/OIDC provider id; confirm
      // it proves email ownership before trusting it here, otherwise an
      // unverified address could be linked to an existing account.
      trustedProviders: ["google", "test-app"],
    },
  },
  user: {
    additionalFields: {
      // Optional extra column on the user record.
      jobTitle: {
        type: "string",
        required: false,
      },
    },
  },
  emailAndPassword: {
    // NOTE(review): no email-verification requirement is set in this config.
    // With account linking enabled, consider requiring verified emails so a
    // password account on an unowned address cannot be merged with a later
    // social/SSO login.
    enabled: true,
  },
  socialProviders: {
    google: {
      // NEXT_PUBLIC_* variables are inlined into the browser bundle by Next.js.
      // An OAuth client id is not a secret, so this is not a leak, but the
      // prefix is unnecessary for server-only config.
      clientId: process.env.NEXT_PUBLIC_GOOGLE_CLIENT_ID as string,
      // Must stay server-only (no NEXT_PUBLIC_ prefix). `as string` only
      // silences the type checker: an unset variable is still undefined at
      // runtime. NOTE(review): validate both values at startup.
      clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
    },
  },
  plugins: [
    phoneNumber(),
    // NOTE(review): openAPI() serves generated API documentation for the auth
    // endpoints; confirm it is disabled or access-controlled outside development.
    openAPI(),
    organization(),
    admin(),
    // NOTE(review): the Better Auth docs ask for nextCookies() to be the LAST
    // plugin in the array so cookies set by other plugins are forwarded; here
    // oidcProvider, jwt and sso come after it. Verify the ordering.
    nextCookies(),
    oidcProvider({
      // Pages the provider sends the user to for sign-in and consent;
      // presumably routes in this app (confirm they exist on the main app).
      loginPage: "/sign-in",
      consentPage: "/oauth2/authorize",
      // Authorization-code requests without a PKCE challenge are rejected.
      requirePKCE: true,
    }),
    jwt(),
    sso(),
  ]
});
import { betterAuth } from "better-auth";
import { drizzleAdapter } from "better-auth/adapters/drizzle";
import { db } from "@/db";
import {
oidcProvider,
phoneNumber,
openAPI,
admin,
organization,
jwt,
} from "better-auth/plugins";
import { sso } from "better-auth/plugins/sso";
import { authSchema } from "@/db/schema";
import { nextCookies } from "better-auth/next-js";
/**
 * Better Auth server instance for the main app.
 *
 * Configures a Drizzle/Postgres adapter, email+password and Google sign-in,
 * account linking, and the OIDC provider, JWT and SSO plugins.
 */
export const auth = betterAuth({
  database: drizzleAdapter(db, {
    provider: "pg", // or "mysql", "sqlite"
    schema: {
      ...authSchema,
      // Explicit `user` entry after the spread; it re-states authSchema.user.
      user: authSchema.user,
    },
  }),
  // Origins (here the SSO login UI) that Better Auth accepts requests and
  // redirect targets from. Plain-http localhost is a development value;
  // deployed entries should be exact https origins, never wildcards.
  trustedOrigins: ["http://localhost:3001"],
  account: {
    accountLinking: {
      enabled: true,
      // Sign-ins from a trusted provider are linked to an existing user with
      // the same email automatically, even when the provider does not confirm
      // that the email is verified.
      // NOTE(review): "test-app" is presumably an SSO/OIDC provider id; confirm
      // it proves email ownership before trusting it here, otherwise an
      // unverified address could be linked to an existing account.
      trustedProviders: ["google", "test-app"],
    },
  },
  user: {
    additionalFields: {
      // Optional extra column on the user record.
      jobTitle: {
        type: "string",
        required: false,
      },
    },
  },
  emailAndPassword: {
    // NOTE(review): no email-verification requirement is set in this config.
    // With account linking enabled, consider requiring verified emails so a
    // password account on an unowned address cannot be merged with a later
    // social/SSO login.
    enabled: true,
  },
  socialProviders: {
    google: {
      // NEXT_PUBLIC_* variables are inlined into the browser bundle by Next.js.
      // An OAuth client id is not a secret, so this is not a leak, but the
      // prefix is unnecessary for server-only config.
      clientId: process.env.NEXT_PUBLIC_GOOGLE_CLIENT_ID as string,
      // Must stay server-only (no NEXT_PUBLIC_ prefix). `as string` only
      // silences the type checker: an unset variable is still undefined at
      // runtime. NOTE(review): validate both values at startup.
      clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
    },
  },
  plugins: [
    phoneNumber(),
    // NOTE(review): openAPI() serves generated API documentation for the auth
    // endpoints; confirm it is disabled or access-controlled outside development.
    openAPI(),
    organization(),
    admin(),
    // NOTE(review): the Better Auth docs ask for nextCookies() to be the LAST
    // plugin in the array so cookies set by other plugins are forwarded; here
    // oidcProvider, jwt and sso come after it. Verify the ordering.
    nextCookies(),
    oidcProvider({
      // Pages the provider sends the user to for sign-in and consent;
      // presumably routes in this app (confirm they exist on the main app).
      loginPage: "/sign-in",
      consentPage: "/oauth2/authorize",
      // Authorization-code requests without a PKCE challenge are rejected.
      requirePKCE: true,
    }),
    jwt(),
    sso(),
  ]
});

