shu-sin
Better Auth • Created by shu-sin on 4/6/2025 in #bug-reports
Generic OAuth failing on missing email
OAuth providers that do not offer an email claim fail when using the generic OAuth plugin with `email_is_missing`.
Seeing how both Twitter and TikTok allow for null emails, I would expect similar behavior in the generic OAuth plugin as well. Or, alternatively, a way (a la Auth.js) to write and use custom providers.
Moreover, `mapProfileToUser` has no effect on the above, as this method is being invoked after the email check fails. One must use a custom `getUserInfo` method to get around this restriction. See here: https://github.com/better-auth/better-auth/blob/6a0898fa88d1a49163b711fdbfa05489e0301a2c/packages/better-auth/src/plugins/generic-oauth/index.ts#L606
6 replies
Better Auth • Created by shu-sin on 4/6/2025 in #help
Guidance on JWT / Bearer usage for external APIs
Hi all, after some tinkering, I have JWT set up within a Next.js app to use as a bearer token for an external API. The API uses the JWKS endpoint to validate the token. This works fine. I am looking for guidance on best implementation guidelines for security and performance. We heavily use server patterns in Next, so we don't rely on nor use `authClient`, just the server API.
At the moment, if I call `auth.api.getToken`, it issues a new token every time, thus invalidating any fetch caching to the external API. I can store this token outside the request scope (variable or local storage); however, this doesn't take into account expiration of the JWT token without decrypting it and checking timestamps on each request. While this works, I am wondering if there's a more efficient or more "betterauth" way of doing this. Perhaps the OIDC Provider is a better choice here?
To sum up:
- External API that takes a bearer token that should verify against our main Next.js app via JWKS
- Main Next app uses this external API and must provide a unified JWT bearer token to it
- Other external consumers (eventually) need to use a client credentials flow to use the external API with a bearer token, which in turn validates against the main Next.js app with JWKS
3 replies
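The caching question in the post above (mint once, reuse until the JWT is about to expire, without re-minting on every request), as an added example that is not part of the original post and is not Better Auth's own code. `mint(subject)` is a hypothetical async callback standing in for whatever issues the token server-side (for instance a wrapper around the `auth.api.getToken` call the post mentions); it is assumed to resolve to a compact JWS string. `fakeIssuer` and the clock values are constructed so the block runs offline.

```javascript
// Added example (not from the original post, not Better Auth code): reuse a minted
// JWT until it is about to expire instead of minting one per request.
// `mint(subject)` is a hypothetical async callback standing in for whatever issues
// the token server-side; it is assumed to resolve to a compact JWS string.

// Decode the payload of a compact JWS WITHOUT verifying the signature. That is
// only acceptable here because we read a token we minted ourselves; the external
// API must still verify it against the JWKS. Never trust claims from an inbound
// token decoded this way.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Per-subject cache. A token is reused while `exp - leewaySeconds` is still in the
// future; concurrent callers for the same subject share one in-flight mint.
function createTokenCache({ mint, now = () => Date.now(), leewaySeconds = 30 }) {
  const entries = new Map(); // subject -> { token, exp, pending }
  return {
    async getBearer(subject) {
      const nowSec = Math.floor(now() / 1000);
      const hit = entries.get(subject);
      if (hit && hit.token && hit.exp - leewaySeconds > nowSec) return hit.token;
      if (hit && hit.pending) return hit.pending; // single-flight
      const pending = (async () => {
        const token = await mint(subject);
        const { exp } = decodeJwtPayload(token);
        if (typeof exp !== 'number') throw new Error('minted token lacks exp');
        entries.set(subject, { token, exp, pending: null });
        return token;
      })();
      entries.set(subject, { token: null, exp: 0, pending });
      try {
        return await pending;
      } catch (err) {
        entries.delete(subject); // do not cache a failed mint
        throw err;
      }
    },
  };
}

// Constructed stand-in for the real issuer: produces tokens with a 300 s lifetime
// and counts how often it is called. The signature segment is a dummy, not a real JWS.
function fakeIssuer(clock) {
  let count = 0;
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return {
    mint: async (sub) => {
      count += 1;
      const iat = Math.floor(clock.now() / 1000);
      return `${b64({ alg: 'EdDSA', typ: 'JWT' })}.${b64({ sub, iat, exp: iat + 300 })}.c2ln`;
    },
    mints: () => count,
  };
}

// Walk a controllable clock through a token's lifetime and report what happened.
async function demo() {
  const clock = { t: 1_700_000_000_000, now() { return this.t; } };
  const issuer = fakeIssuer(clock);
  const cache = createTokenCache({ mint: issuer.mint, now: () => clock.now(), leewaySeconds: 30 });

  const [a, b] = await Promise.all([cache.getBearer('user-1'), cache.getBearer('user-1')]);
  const c = await cache.getBearer('user-1');
  clock.t += 200_000; // +200 s: 100 s of life left, outside the leeway window -> reuse
  const d = await cache.getBearer('user-1');
  clock.t += 80_000;  // +280 s: inside the 30 s leeway window -> refresh
  const e = await cache.getBearer('user-1');
  const f = await cache.getBearer('user-2'); // different subject, never shared
  return {
    reused: a === b && b === c && c === d,
    refreshed: e !== d,
    isolated: f !== e,
    mints: issuer.mints(), // 3: initial, refresh, second subject
  };
}

demo().then((r) => console.log(r));
```

The cache lives in server memory, keyed by the subject the token was minted for, so one user's bearer is never handed to another; a short leeway keeps a token from expiring mid-flight to the external API. It is per process: in a serverless Next.js deployment each warm instance keeps its own cache, which is still a win over minting per request. Keep the bearer server-side only; browser `localStorage` is readable by any script on the page and is not a place for a token meant for server-to-server calls.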
Better Auth • Created by shu-sin on 3/30/2025 in #help
Dealing with generic OAuth provider that does not send email and account linking
Two-part question:
Hi all, we have an external OIDC IdP that does not reliably return an email in the token claims. When using the generic OAuth plugin, we get an Error Code: `email_is_missing` on callback. `mapProfileToUser` does not seem to get around this error. What's the best approach here?
Second, we do get a reliable universal user identifier in the claims that can link a user to a specific human. Is there a way to customize the account linking feature based on something other than email, but instead this unique user key?
4 replies
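The two problems raised in this post and in the #bug-reports post above (an IdP that omits the email claim, and linking accounts on the IdP's stable subject rather than on email), as one added example that is not part of the original posts and is not Better Auth's own code. It assumes that a custom generic OAuth `getUserInfo`-style mapper needs to return an object of the shape `{ id, email, emailVerified, name, image }`; the `<sub>@<providerId>.invalid` placeholder address is this example's own convention (`.invalid` is a reserved top-level domain and can never receive mail); the in-memory store stands in for the users and accounts tables, and the claim sets in `demo()` are constructed.

```javascript
// Added example (not from the original posts, not Better Auth code): turn OIDC claims
// that may lack an email into a user-info object, then resolve the login to a local
// user keyed on (providerId, sub) rather than on email.
// Assumptions: the { id, email, emailVerified, name, image } shape is what a custom
// generic OAuth getUserInfo is assumed to need to return; the "<sub>@<provider>.invalid"
// placeholder is this example's own convention; the store is an in-memory stand-in.

function claimsToUserInfo(providerId, claims) {
  if (typeof claims.sub !== 'string' || claims.sub.length === 0) {
    throw new Error('OIDC claims must carry a non-empty "sub"');
  }
  const hasEmail = typeof claims.email === 'string' && claims.email.includes('@');
  return {
    id: claims.sub,
    // Satisfies a non-null email requirement without pretending to know an address.
    email: hasEmail ? claims.email.toLowerCase() : `${claims.sub}@${providerId}.invalid`,
    // Only the IdP's own assertion counts; a missing or placeholder address is never verified.
    emailVerified: hasEmail && claims.email_verified === true,
    name: claims.name ?? claims.preferred_username ?? claims.sub,
    image: claims.picture ?? null,
  };
}

function createStore() {
  return { users: new Map(), accounts: new Map(), nextId: 1 };
}

const accountKey = (providerId, accountId) => `${providerId}:${accountId}`;

// Linking policy:
//  (a) a known (providerId, sub) pair always maps to its existing user;
//  (b) otherwise link by email only when BOTH sides are verified and the provider is
//      trusted: an IdP that lets users type any address must not be able to take over
//      an existing account, and a pre-registered unverified local account must not
//      capture a verified IdP login;
//  (c) otherwise refuse if the address is already owned, else create a new user.
function resolveUser(store, providerId, info, trustedProviders = []) {
  const key = accountKey(providerId, info.id);
  const linked = store.accounts.get(key);
  if (linked) return { userId: linked, action: 'existing' };

  let owner = null;
  for (const [userId, user] of store.users) {
    if (user.email === info.email) { owner = { userId, user }; break; }
  }
  if (owner !== null) {
    if (owner.user.emailVerified && info.emailVerified && trustedProviders.includes(providerId)) {
      store.accounts.set(key, owner.userId);
      return { userId: owner.userId, action: 'linked' };
    }
    return { action: 'rejected', reason: 'email_owned_unverified' };
  }

  const userId = `u${store.nextId}`;
  store.nextId += 1;
  store.users.set(userId, { email: info.email, emailVerified: info.emailVerified, name: info.name });
  store.accounts.set(key, userId);
  return { userId, action: 'created' };
}

// Constructed claim sets, not data from any real IdP.
function demo() {
  const store = createStore();
  const trusted = ['google', 'corp-oidc'];
  const login = (provider, claims) =>
    resolveUser(store, provider, claimsToUserInfo(provider, claims), trusted);
  const out = {};
  out.aliceFirst = login('corp-oidc', { sub: 'a1', name: 'Alice' }); // no email claim
  out.aliceAgain = login('corp-oidc', { sub: 'a1', name: 'Alice' }); // same sub -> same user
  out.bob = login('google', { sub: 'g-77', email: 'Bob@example.com', email_verified: true });
  out.impostor = login('corp-oidc', { sub: 'x9', email: 'bob@example.com', email_verified: false });
  out.bobLinked = login('corp-oidc', { sub: 'b7', email: 'bob@example.com', email_verified: true });
  out.alicePlaceholder = store.users.get(out.aliceFirst.userId).email;
  return out;
}

console.log(demo());
```

The placeholder address only exists to satisfy a non-null column; it is stored with `emailVerified: false`, so it can never be used as a linking key, and because it embeds the provider id and subject it cannot collide with a real user or with the same subject at a different IdP. The identity that actually ties logins together is the `(providerId, sub)` pair, which is what the post's "reliable universal user identifier" should feed.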