Peter Lustig
Better Auth
Created by Peter Lustig on 3/3/2025 in #help
OAuth Proxy Setup
Hi, I have a question about the OAuth proxy setup. According to the docs (https://www.better-auth.com/docs/plugins/oauth-proxy) I should use something like this in lib/auth.ts:
export const auth = betterAuth({
  database: new Database("./sqlite.db"),
  plugins: [
    genericOAuth({
      config: [
        {
          providerId: "keycloak",
          clientId: "dev-web-app",
          clientSecret: "secret",
          discoveryUrl: "http://localhost:9080/realms/dev-realm/.well-known/openid-configuration",
          scopes: ["openid", "profile", "email"],
          redirectURI: "http://localhost:3000/api/auth/oauth2/callback/keycloak",
        }
      ]
    }),
    oAuthProxy()
  ]
});
But that does not work for me. It results in an error in the master app because after login it redirects to the redirectURI without modifying it. So the oauth proxy on the master app is never used. After digging through the code a bit, I modified it to this:
export const auth = betterAuth({
  database: new Database("./sqlite.db"),
  plugins: [
    genericOAuth({
      config: [
        {
          providerId: "keycloak",
          clientId: "dev-web-app",
          clientSecret: "secret",
          discoveryUrl: "http://localhost:9080/realms/dev-realm/.well-known/openid-configuration",
          scopes: ["openid", "profile", "email"],
        }
      ]
    }),
    oAuthProxy({
      productionURL: "http://localhost:3000"
    })
  ]
});
and now it works correctly. Alternatively, setting the env var BETTER_AUTH_URL would work, I think. I also tried with the GitHub social provider instead of the genericOAuth plugin, but same behavior. Am I misunderstanding something here? Or is the documentation about the oauth proxy plugin just wrong here? In the latter case, I would be happy to create a PR for it.
4 replies