On-User-Behalf flow (Microsoft Entra)

I'm trying better-auth for the first time and like it a lot. But I don't get my head around some behaviours and would be super happy if someone could just point me in the right direction. I'm using Astro and Microsoft Entra only. No e-mail/password or other socials.

What I'm trying to achieve:
- [x] User can log in with Microsoft Entra
- [x] Add scopes to authentication
- [ ] Get access token to call Microsoft Graph (on-user-behalf flow)
- [ ] Create API endpoint to get access token client-side
- [ ] Refresh access token of Microsoft Entra automatically

My questions are the following:
- The only place in which I found the Microsoft Entra access token is the getUserInfo function. Is this the correct place to get it from? Should I save it in a cookie or append it to the User object directly?
- Will the access token be refreshed or do I need to implement that myself?
- Do I need a database at all and if so, how can I use @astro/db for that?

*I searched the docs and this help forum but couldn't find the right answer... Sorry if I just overlooked something. It seems such a common use-case. 🤔*
import { ENTRA_APP_ID, ENTRA_APP_SECRET } from "astro:env/server";
import { betterAuth } from "better-auth";

export const auth = betterAuth({
  socialProviders: {
    microsoft: {
      clientId: ENTRA_APP_ID,
      clientSecret: ENTRA_APP_SECRET,
      tenantId: "organizations",
      scope: [
        "openid",
        "profile",
        "offline_access",
        "Group.Read.All",
        "GroupMember.Read.All",
        "Sites.Read.All",
        "User.Read",
        "User.ReadBasic.All",
      ],
    },
  },
});
4 Replies
Syntarex
SyntarexOP•6d ago
Oh, I might have learned more. The getUserInfo function returns the object which gets saved to my database. So I can just add an additionalField containing my accessToken and use that on server- and client-side to call Graph on-user-behalf. I'm wondering if the accessToken will be refreshed before it expires. I don't know when the getUserInfo function gets triggered. Only on login?
mikewilliams
mikewilliams•6d ago
Kind of in the same boat here. Trying to figure out if there's a way to access tokens using the getUserInfo hook. We're using a custom OAuth and everything works fine with a userInfoUrl and mapProfileToUser, so we technically don't need the getUserInfo function. We're also using Microsoft on another project, so I am interested in the Graph thing.
Syntarex
SyntarexOP•6d ago
I will grind for the solution tomorrow. If I get it working, I will post my solution here. 🙂 After sleeping I realized that the User object is not the right place to save tokens. Saving it in there would mean that a user can only have one token. I will start trying now. 🙂
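The refresh half of the OP's list, as an added example (not code from the thread, from better-auth or from Lucia) in library-agnostic TypeScript: tokens are stored per linked account rather than on the user object, as concluded above, and renewed with the standard OAuth 2.0 refresh_token grant against the Entra v2.0 token endpoint for the `organizations` tenant used in the thread's config. The type names, field names and the 300-second skew are assumptions.

```typescript
// Added example, not from the thread or better-auth: keep Entra tokens per linked
// account (not on the user object) and refresh them with the OAuth 2.0 refresh_token
// grant against the Entra v2.0 token endpoint. Type and function names are constructed.
interface EntraAccount {
  userId: string;
  accessToken: string;
  refreshToken: string;
  expiresAt: number; // ms since epoch
  scope: string;     // space-separated delegated scopes the user consented to
}
interface EntraConfig {
  tenantId: string; // "organizations", as in the thread's config
  clientId: string;
  clientSecret: string;
}
type TokenResponse = { access_token: string; expires_in: number; refresh_token?: string };
// Refresh shortly before expiry so an in-flight Graph call does not hit a 401.
function needsRefresh(acc: EntraAccount, nowMs: number, skewSec = 300): boolean {
  return acc.expiresAt - skewSec * 1000 <= nowMs;
}
// Form body of the refresh_token grant for the Microsoft identity platform v2.0 endpoint.
function buildRefreshRequest(acc: EntraAccount, cfg: EntraConfig) {
  const url = `https://login.microsoftonline.com/${cfg.tenantId}/oauth2/v2.0/token`;
  const body = new URLSearchParams({
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret,
    grant_type: "refresh_token",
    refresh_token: acc.refreshToken,
    scope: acc.scope,
  });
  return { url, body: body.toString() };
}
// Entra may rotate the refresh token: persist the new one whenever it is returned.
function applyRefreshResponse(acc: EntraAccount, res: TokenResponse, nowMs: number): EntraAccount {
  return {
    ...acc,
    accessToken: res.access_token,
    refreshToken: res.refresh_token ?? acc.refreshToken,
    expiresAt: nowMs + res.expires_in * 1000,
  };
}
// Server side only: the client secret and refresh token never reach the browser; an
// API endpoint may hand the short-lived access token to client-side Graph calls.
async function getFreshAccessToken(acc: EntraAccount, cfg: EntraConfig, nowMs = Date.now()) {
  if (!needsRefresh(acc, nowMs)) return acc;
  const { url, body } = buildRefreshRequest(acc, cfg);
  const r = await fetch(url, { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body });
  if (!r.ok) throw new Error(`token refresh failed: HTTP ${r.status}`);
  return applyRefreshResponse(acc, (await r.json()) as TokenResponse, nowMs);
}
```

Call `getFreshAccessToken` from the server-side API route before every Graph request and write the returned account back to the database, so a rotated refresh token is never lost.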
Solution
Syntarex
Syntarex•6d ago
So I switched over to Lucia and got it working. I was following another help thread in here, which had a similar problem. You might find your solution here @mikewilliams: I cannot copy the link... don't know why. Discord doesn't let me. The thread is called "RefressAcceshToken in SocialProvider (Microsoft) and NextJs 15"
