Single auth, multiple apps setup.
Hi. I am trying to set up a central auth which will be used by multiple apps. I tried creating OIDC, but it's not working well for me. I came across this comment. How should we go about this?
I have a Next.js central auth and a TanStack Start first client app. Do I need auth.ts in the TanStack server API routes or only in the Next.js central app?

20 Replies
I did this:
Central auth is Next.js; localhost is the TanStack app.
import { betterAuth } from "better-auth";
import { drizzleAdapter } from "better-auth/adapters/drizzle";
// `env`, `db` and `schema` are the project's own modules; paths are placeholders.
import { env } from "./env";
import { db, schema } from "./db";

export const auth = betterAuth({
  // The TanStack app on localhost must be listed here, otherwise its
  // cross-origin requests to this server are rejected.
  trustedOrigins: [env.CENTRAL_AUTH_URL, "http://localhost:3004"],
  database: drizzleAdapter(db, {
    provider: "pg",
    schema: schema,
  }),
  emailAndPassword: {
    enabled: true,
  },
  secret: env.AUTH_SECRET,
  // The option is spelled baseURL (the original paste had baseUrl, which is ignored).
  baseURL: env.CENTRAL_AUTH_URL,
  plugins: [],
});
In the TanStack app I created the client using the central auth URL:
import { createAuthClient } from "better-auth/client";
// ssoClient's import path depends on the installed Better Auth version.
import { genericOAuthClient, organizationClient, ssoClient } from "better-auth/client/plugins";
import { env } from "./env"; // project-specific module; path is a placeholder

export const authClient = createAuthClient({
  // Point the client at the central Next.js auth server, not at this app.
  baseURL: env.CENTRAL_AUTH_URL,
  plugins: [genericOAuthClient(), organizationClient(), ssoClient()],
});
Is this the correct way? I have to create a login page in every app this way, right? Is there any way I can generate a magic link or something in the central app, like Google apps, where I click it and it authenticates me into the app?
But if I have the DB instance, do I even need the central auth URL to authenticate? I can use different auth instances connected to the same DB.
Is this the correct approach?
You can do that to avoid making a request from one server to another, but I'm not sure why you even have 2 different servers in the first place?
That central server is for handling billing and product subscriptions in one place.
Multiple products are multiple TanStack Start apps.
I have been wanting to do something like this.

I tried making OIDC, but when logging in the redirect doesn't happen.
I generated a client using OIDC in the central auth server, and then put the creds in the generic OAuth config in the TanStack auth instance.
And it successfully generates the central auth URI. I see the form and all the OAuth stuff in the header.
But when login is successful no redirect happens. Previously it used to, even though it was buggy, but the 302s were there.
Now it shows 200 only.
Same with the SSO plugin.
Anything you would like to suggest? What kind of setup should I go for?
1. I want all users in the same DB table.
2. They can access different products on different domains.
Thank you
It is cross-domain also. And I think OIDC makes sense for cross-domain, as there is no way to share cookies.
But I don't see the OIDC cookie being set when logging in. Previously it used to, I guess.
@bekacru I just tested the OIDC cookie issue. It's been there since 1.2.0. I am able to get the oidc_login_prompt and oidc_consent cookies on version 1.1.9.
For what it's worth, I'm also interested in a similar setup.
Well, if it's any help, I found the need for something similar, which is a central authorization server issuing access & refresh tokens which other apps can use to consume APIs. Let me know if this is something you are interested in.
From my understanding (and I asked this in the past here on Discord), their OIDC plugin is NOT for this purpose; it's for 3rd parties to authenticate with your users, if I'm not mistaken. For the below model, you have to use something else for OIDC, but you can use Better Auth for the auth layer.

I currently have the same setup, but because of the cookie issue the redirect is not happening. It works fine when the user is already logged into the central auth server.
Did you set up your server as oidcProvider? It doesn't show in the code example above.
And you can use oidcClient instead of generic OAuth.
https://www.better-auth.com/docs/plugins/oidc-provider
OIDC Provider | Better Auth
Open ID Connect plugin for Better Auth that allows you to have your own OIDC provider.
Can you give an example? How can I use the OIDC client?
Oh sorry... After reading the documentation again, I see I was wrong about using the client plugin. It's meant to be used to expose the register endpoint via a UI.
I believe you need to do the following:
Set your server as an OIDC provider using the plugin, then use the register endpoint to generate a new client (via curl/Postman or similar).
Add the generic OAuth plugin to both server and client. Use the client ID and secret to set up the server plugin.
Then, use the generic OAuth client plugin to authenticate.
I'm only using the server side atm, so I didn't try the generic OAuth client, but I've set up Grafana with my server without issues.
Yes, I do the same. It's just that the automatic redirection failed because of no cookie. It's been there since 1.2.0.
I mocked the authorize endpoint:
// At the top of the plugin file:
import { createAuthEndpoint } from "better-auth/api";

// Mocked authorize endpoint (fragment of the plugin object) used to reproduce
// the bug: set the signed cookie, read it back, then redirect to /login with
// the original query string.
endpoints: {
  authorize: createAuthEndpoint(
    "/oauth2/authorize",
    {
      method: "GET",
    },
    async (ctx) => {
      await ctx.setSignedCookie(
        "oidc_login_prompt",
        JSON.stringify(ctx.query),
        ctx.context.secret,
        {
          maxAge: 10000,
        },
      );
      const queryFromURL = ctx.request?.url?.split("?")[1];
      const cookie = await ctx.getSignedCookie(
        "oidc_login_prompt",
        ctx.context.secret,
      );
      // console.log("oidc_login_prompt", cookie);
      // The template literal was missing its backticks in the original paste.
      throw ctx.redirect(`/login?${queryFromURL}`);
    },
  ),
},
And I see that when there is a throw ctx.redirect or return ctx.redirect the cookie is not getting set. But when I return a ctx.json() response the cookie is set correctly.
On the Next.js route I also see the oidc cookie in the "Set-Cookie" response header. But it is not there in cookie storage.
const res = await auth.handler(req);
const cookieValue = res.headers.get("Set-Cookie");
console.log("res.cookie", cookieValue);
Also running into a similar issue.
I'm thinking it's more related to the better-call middleware at this point.
@bekacru I think the cookie issue on redirect is from better-call v1. Till v0.3.3 and 1.1.9 it was working fine.
I think it's only for the OIDC plugin. I'll check. I've just been caught up with some stuff these days, but this is on top of my list.
The SameSite cookie attribute was missing from OIDC responses.
I was able to fix it by appending the SameSite attribute.


Good catch. Will be patched in the next release.
Thank you
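The thread ends on a missing SameSite attribute in the Set-Cookie headers the OIDC endpoints return on redirect. Below is an added example, not code from this thread or from the Better Auth project, of the check a practitioner would run against a captured response before blaming the framework: parse each raw Set-Cookie value, flag cookies that carry no SameSite attribute or that set SameSite=None without Secure (a combination browsers reject), and append the missing attribute the way the fix above describes. The sample header values are constructed; cookie names other than oidc_login_prompt and oidc_consent, and all values, are placeholders.

```javascript
// Added example (not from the thread or from Better Auth): audit the raw
// Set-Cookie header values a response carries and report cookies that lack
// a SameSite attribute, or that use SameSite=None without Secure.

// Parse one raw Set-Cookie header value into name, value and attributes.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(raw) {
  const [pair, ...attrParts] = raw.split(";");
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attributes = {};
  for (const part of attrParts) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const i = trimmed.indexOf("=");
    if (i === -1) {
      attributes[trimmed.toLowerCase()] = true;
    } else {
      attributes[trimmed.slice(0, i).toLowerCase()] = trimmed.slice(i + 1);
    }
  }
  return { name, value, attributes };
}

// One finding string per cookie that has no SameSite attribute, or that
// declares SameSite=None without Secure.
function auditSetCookies(rawHeaders) {
  const findings = [];
  for (const raw of rawHeaders) {
    const { name, attributes } = parseSetCookie(raw);
    const sameSite = attributes.samesite;
    if (sameSite === undefined) {
      findings.push(`${name}: no SameSite attribute`);
    } else if (String(sameSite).toLowerCase() === "none" && !attributes.secure) {
      findings.push(`${name}: SameSite=None requires Secure`);
    }
  }
  return findings;
}

// Append SameSite=<mode> when it is missing, and Secure when the effective
// mode is None and Secure is absent. The rest of the header is left as-is.
function ensureSameSite(raw, mode) {
  const { attributes } = parseSetCookie(raw);
  let out = raw;
  const effective = String(attributes.samesite ?? mode);
  if (attributes.samesite === undefined) out += `; SameSite=${mode}`;
  if (effective.toLowerCase() === "none" && !attributes.secure) out += "; Secure";
  return out;
}

// Constructed sample of what a 302 from an authorize endpoint might carry.
// Values and signatures are placeholders, not real tokens.
const sampleSetCookies = [
  "oidc_login_prompt=eyJ...sig; Path=/; Max-Age=600; HttpOnly",
  "oidc_consent=abc.sig; Path=/; HttpOnly; SameSite=None",
  "session_token=tok.sig; Path=/; HttpOnly; Secure; SameSite=Lax",
];

function runAudit() {
  return auditSetCookies(sampleSetCookies);
}

console.log(runAudit());
console.log(sampleSetCookies.map((c) => ensureSameSite(c, "Lax")));
```

To use this against a live server, collect the raw values with `res.headers.getSetCookie()` (Node 20+) rather than `res.headers.get("Set-Cookie")`, which joins several cookies with commas and is ambiguous when an Expires date is present. Whether Lax or None is the right mode depends on the flow: the OIDC redirect between different domains is a cross-site navigation, so anything that must survive it needs SameSite=None together with Secure, and therefore HTTPS.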