Jim-Y
Better Auth
Created by Songkeys on 3/24/2025 in #help
passkey plugin's endpoint `generate-register-options` gives me 401
How do you make an anonymous user? Do you sign up an email with a random password first, or is there any other method for this?
9 replies
Better Auth
Created by Jim-Y on 3/25/2025 in #help
2-step login flow and organization question
Thanks @bekacru. I will try it out. Do you have any input on my other question? To phrase that question more simply: is it possible to query the database tables when there is no session? That is, using the server API when the headers won't contain a cookie? I want to search for information about an email address which might or might not be in the system. (Note: I did implement this, but not using better-auth, simply by querying the DB. I'm just wondering if this is possible with the better-auth API.)
4 replies
Better Auth
Created by Jim-Y on 3/7/2025 in #help
OIDC Provider questions
Will check it, thanks. Also, I will try to reproduce it on an isolated example and let you know if it is reproducible.
14 replies
Better Auth
Created by Jim-Y on 3/7/2025 in #help
OIDC Provider questions
That's good for an OIDC use case, but I am trying to use better-auth as the basis for an authn/authz server issuing access_tokens. So it would be a 3-legged system: frontend, API backend, and authz server with better-auth. In this scenario the API backend gets an access_token from the frontend (the frontend previously got it from the authz server), and so the API needs to validate the access_token (and not the id_token). As I saw, the access_token is an opaque token right now and not a JWT, so it can't use the JWKS URI to validate the token; for an opaque token it would need an introspection endpoint, OR, arguably even better, the access_token could be a JWT so the API could validate it without a roundtrip to the authz server (better-auth).
14 replies
Better Auth
Created by Jim-Y on 3/7/2025 in #help
OIDC Provider questions
Hi! It seems this happens when the user is not yet signed in: the authorize endpoint redirects to the login screen, and the login screen calls (in my case) signIn.email. The expected result would be a 302 to the consent screen or to the callback URL, but instead the signIn.email call gets HTTP 200 with the token and user object, so the OAuth flow just breaks. The documentation says that you don't have to change your sign-in logic and that the plugin will handle the redirect(s), and I was wondering if that's the case.
14 replies
Better Auth
Created by Jim-Y on 3/7/2025 in #help
OIDC Provider questions
So I tried two ways to log in:
Client-side login
With authClient.signIn.email() where authClient is
Server-side login
With auth.api.signInEmail
My problem is that neither method redirects me to either the consent screen or the callbackURI. Both methods just return HTTP 200 and the payload:
If I first log in and then hit the authorize endpoint, the login screen is skipped and the callback URI gets called with the code, which I could exchange for an access_token on the token endpoint with Postman.
Additional question
If I have a payload like
How can the resource server validate the access_token at the provider? As I saw, there is no token_introspection endpoint implemented?!
Thanks folks 🙂
14 replies