BA
Better Auth4w ago
bc 🐧🪺

Next Auth `iss` claim missing

Hi, I'm not sure whether to ask this in Next Auth/Auth.js server or here, but I assume here because the same Next Auth config works for other OIDC providers without modification. When attempting to sign in with Better Auth + OIDC plugin, I receive this error from Next Auth: OperationProcessingError: JWT "iss" (issuer) claim missing. Attached screenshot of supported claims from well-known endpoint on BA side, as you can see iss is listed, which makes me think BA is not the problem. Any ideas? If this is a Next Auth error after all, I'm confused why it works for other OIDC providers EDIT: also asked in Auth.js server and linked back here: https://discord.com/channels/1200116961590399008/1354958631476531220/1354958631476531220
No description
4 Replies
bc 🐧🪺
bc 🐧🪺OP4w ago
Here are the claims that come back to the client (notice these are most of the standard scope claims, just missing iss): 
"claims": {
  "sub": "...",
  "aud": "...",
  "iat": 1743113287,
  "given_name": "First",
  "family_name": "Last",
  "name": "First Last",
  "profile": "",
  "updated_at": "2025-03-20T06:54:55.855Z",
  "email": "[email protected]",
  "email_verified": true,
  "exp": 1743116887
},
"claims": {
  "sub": "...",
  "aud": "...",
  "iat": 1743113287,
  "given_name": "First",
  "family_name": "Last",
  "name": "First Last",
  "profile": "",
  "updated_at": "2025-03-20T06:54:55.855Z",
  "email": "[email protected]",
  "email_verified": true,
  "exp": 1743116887
},
bc 🐧🪺
bc 🐧🪺OP4w ago
Maybe this is a clue? This is logged prior to the aforementioned error. State parameter is missing
No description
bc 🐧🪺
bc 🐧🪺OP4w ago
issuer from OIDC OP and OIDC RP config match
No description
No description
bc 🐧🪺
bc 🐧🪺OP4w ago
I got it! Fixed by adding this to oidcProvider config: 
  getAdditionalUserInfoClaim: (user, scopes) => ({
        ...scopes,
        iss: "https://localhost:8000/api/auth",
      }),
  getAdditionalUserInfoClaim: (user, scopes) => ({
        ...scopes,
        iss: "https://localhost:8000/api/auth",
      }),

Did you find this page helpful?