Keycloak SSO Integration

I'm trying to integrate betterAuth with Keycloak SSO to handle sign-in and token rotation, but I'm struggling with the configuration. I don't want to use a database in my Next.js frontend since Keycloak manages all user database tables and is integrated with the backend. The backend is already integrated with Keycloak to verify JWTs. Keycloak has its own sign-in page with a redirect callback, which was previously handled by NextAuth. However, with betterAuth, I'm unsure where or how to handle this properly. Has anyone successfully set up betterAuth with Keycloak? Any guidance on handling authentication flow and token management would be greatly appreciated!
6 Replies
bc 🐧🪺 (3w ago)
Hey @Hasan, we have the same situation. Asked about it here: https://discord.com/channels/1288403910284935179/1339334939237421167/1339334939237421167
bekacru (3w ago)
Better Auth isn't meant to be used like this. Better Auth is Keycloak itself in a sense. It's not a session management library or a way to integrate an IDP into your application. I'd really suggest using something like iron session or even Next Auth (AuthJS) instead, if your use case is just wanting to manage sessions and have Keycloak handle everything.
Hasan (OP, 3w ago)
First, thanks for the response, didn't expect to get one from the author himself 😅 I really love what you're doing. Second, yeah, you're right, I did more digging and realized that. Unfortunately it's not possible to replace Keycloak because it's used across multiple apps, and I was looking for something to replace NextAuth because I had nightmares and a lot of downtime working with it. I will check out iron session. Thanks a lot for the suggestion.
bc 🐧🪺 (2w ago)
Are there any plans to make Better Auth work for stateless use cases (e.g. OIDC RP), i.e. become a complete next-auth replacement? BA replaces next-auth in stateful fashion already. It would be so cool if BA could be the 1 auth library for all modern use cases! Especially since databases are not always practical on clients, it's a bit heavy and redundant to have a database on each OIDC RP, for example. If this is simply not a goal for BA, understood, we will keep using next-auth or similar. We've experienced some pains with next-auth ourselves, much as @Hasan laid out above.
bekacru (2w ago)
It's not our main goal right now, but it would make sense to provide it at least for those already using Better Auth as an IDP and wanting to use it elsewhere as a stateless server to handle sessions. We want the ease of assuming there is always a db for the plugin architecture. We'll think about it, but it's unlikely to be something we release soon.
bc 🐧🪺 (2w ago)
This makes sense, especially with natural initial development turbulence + many other use cases to cover beyond this one as a general auth lib. Thank you so much for this information, I will keep an eye out for developments. We are still planning on using BA as an OIDC OP right now (replacing Keycloak).
