[Idea solicit] Pass authentication to another NextJS app after logging in on a separate NextJS app

First, thank you very much for this powerful auth library! We are building a project where we use AWS Cognito to store users and credentials. We have multiple NextJS applications, one for each different role in our system, and another separate NextJS application whose only role is to serve the login page and authenticate the user. All are using the latest NextJS 15 app router and implement SSR. Before we invest our time into building an AWS Cognito provider for Better Auth, we are wondering if the following use case is possible, and whether someone can suggest ideas on how to do it:

1. A user logs in on our NextJS login page. AWS Cognito basically gives us only one option to control the flow, which is the callback URL: the URL the user will be redirected back to along with their tokens. So in this scenario, the login page redirects the user to the AWS hosted login page, and after they complete their authentication steps there they get back to the callback URL, which would still be the NextJS login app.
2. Now, once we have authenticated the user in the login app, we call the database to get their role.
3. Once we get their role, we should redirect them to the proper NextJS dashboard, i.e. teacher.my.app.
4. It is important that the authentication along with the tokens is passed to the proper NextJS app, and that the authentication in the login page is deleted, since they would be working on their role dashboard henceforth.

What we were thinking is that we save the tokens we received in the callback URL to the database and generate some hash for it. We use the same hash to compose a URL for that role dashboard, and once used, those tokens will be assigned to the user as if they had logged in to the final dashboard in the first place. I am just not sure where we can do this "manual passing of auth tokens" using Better Auth, or whether Better Auth suits our needs. I would appreciate any help or advice from anyone! Thank you!
12 Replies
lonelyplanet (7d ago)
I think you could use both https://www.better-auth.com/docs/plugins/oidc-provider and https://www.better-auth.com/docs/plugins/generic-oauth. Use the OIDC provider on the NextJS app that will handle the authentication, whether that be passkeys or password, like auth-for-myapp.com, and then on your other apps you could use https://www.better-auth.com/docs/plugins/generic-oauth. Regarding checking user details and roles, I have no idea; I do see in the docs that the OIDC provider has a user info endpoint. I hope this gives you an idea of another way you could do it.
OIDC Provider | Better Auth: Open ID Connect plugin for Better Auth that allows you to have your own OIDC provider.
Generic OAuth | Better Auth: Authenticate users with any OAuth provider.
ZiriusPH (OP, 7d ago)
@lonelyplanet awesome, these are definitely good places to start looking. The planet is definitely not lonely when you are getting help.
lonelyplanet (7d ago)
Haha! Love it. Enjoy the setup, and please let us know what you decide to do in here so that future people with similar questions can refer to it!
ZiriusPH (OP, 7d ago)
@lonelyplanet can you please elaborate on post-login on the authenticator app? So after the user has logged in with the OIDC provider in the authenticator NextJS app, will they have to log in again using the OAuth provider in the final app? Is the OAuth provider configured on the final app also the client keys from Cognito? Or will it be a custom OAuth from my own server?
lonelyplanet (7d ago)
Your app with the OIDC would be like a "login with Google" button. The user goes to the secondary app and they press a button: Login with AUTHAPP.
lonelyplanet (7d ago)
[image attachment: diagram, no description]
lonelyplanet (7d ago)
Basically the red box could be seen like Google login: you go to the Google console, create an OAuth app, get the client secret and ID, and then you use them in the green apps. By doing this, if you want to move away from Better Auth in the green apps in the future, or to a different framework, you totally can, as with this method you are using the OAuth standard. In your case you want to build a custom Google login, and that's what your red box would be. @ZiriusPH I hope that explains the suggestion I made. The user would go to the authenticator app and log in with whatever credentials, whether that be with an AWS Cognito setup (I don't know how that works). They would have an account on the Authenticator App. Then for every final app they would have an account there as well, and to log in there they have to log in on your authenticator app.
lonelyplanet (7d ago)
[image attachment: login screen mock-up, no description]
lonelyplanet (7d ago)
Your final app login screen could look like that, and it redirects the user to a login screen like Google's that, once they have logged in with AWS Cognito or email/password (however you want), redirects back to the final app and you are logged in.
ZiriusPH (OP, 7d ago)
@lonelyplanet thank you very much for this. Do you reckon this will still work, since we want a login page in the final app as well? For example, once the session has expired in the final app, we want the login to just be on the login page of the final app rather than going back to the authenticator app. The reason we try to hide the final app is so that no one can learn the URL of the final app besides the users of that role.
lonelyplanet (7d ago)
You technically possibly could, but as long as you secure the app enough you should be fine to show the URLs! I recommend, both for keeping things simple and for better maintainability, doing the separated applications: when a user is on FinalApp and they click login, it redirects the user to AuthenticatorApp to log in with AWS Cognito on your AuthenticatorApp, and then once logged in it redirects back to FinalApp. The AuthenticatorApp is just an auth service, so it won't use FinalApp; FinalApp uses it, get it? So the AuthenticatorApp can be accessed, but since you just log in there it won't allow a user to really do anything except login/logout. You could use middleware in the authenticator app to also disable any routes that aren't related to OIDC or OAuth, so the AuthenticatorApp could basically just be an API in a sense.
