Better Auth•9mo ago
Syntarex

On-User-Behalf flow (Microsoft Entra)

I'm trying better-auth for the first time and like it a lot. But I don't get my head around some behaviours and would be super happy if someone could just point me in the right direction.

I'm using Astro and Microsoft Entra only. No e-mail/password or other socials.

What I'm trying to achieve:
  • [x] User can login with Microsoft Entra
  • [x] Add scopes to authentication
  • [ ] Get access token to call Microsoft Graph (on-user-behalf flow)
  • [ ] Create api endpoint to get access token client-side
  • [ ] Refresh access token of Microsoft Entra automatically
My questions are the following:
  • The only place in which I found the Microsoft Entra access token is the getUserInfo function. Is this the correct place to get it from? Should I save it in a cookie or append it to the User-object directly?
  • Will the access token be refreshed or do I need to implement that myself?
  • Do I need a database at all and if so, how can I use @astro/db for that?
*I searched the docs and this help forum but couldn't find the right answer... Sorry if I just overlooked something. It seems such a common use-case. 🤔*

```ts
import { ENTRA_APP_ID, ENTRA_APP_SECRET } from "astro:env/server";
import { betterAuth } from "better-auth";

export const auth = betterAuth({
    socialProviders: {
        microsoft: {
            clientId: ENTRA_APP_ID,
            clientSecret: ENTRA_APP_SECRET,
            tenantId: "organizations",
            scope: [
                "openid",
                "profile",
                "offline_access",
                "Group.Read.All",
                "GroupMember.Read.All",
                "Sites.Read.All",
                "User.Read",
                "User.ReadBasic.All",
            ],
        },
    },
});
```
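For the two unchecked items above (getting a Graph access token and refreshing it automatically), here is an added example of the server-side refresh step, written as plain TypeScript against the Entra v2.0 token endpoint; it is not better-auth's or the poster's code, and the `FetchLike`, `StoredToken`, `refreshEntraToken` names and the constructed token response are this example's own assumptions.

```typescript
// Added example, not better-auth's own code: refresh a delegated Microsoft Entra
// access token on the server with the OAuth 2.0 refresh_token grant and decide
// when a refresh is due. fetch is injectable so the flow runs offline in a test.
type TokenResponse = { access_token: string; refresh_token?: string; expires_in: number };
export type FetchLike = (url: string, init: { method: string; headers: Record<string, string>; body: URLSearchParams })
  => Promise<{ ok: boolean; status: number; json(): Promise<unknown> }>;
export type StoredToken = { accessToken: string; refreshToken: string; expiresAt: number };

export const TENANT = "organizations"; // same tenantId as the config above
const SKEW_MS = 60_000; // refresh a minute early to absorb clock skew and latency

export function tokenEndpoint(tenantId: string): string {
  return `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
}

// Form body of the refresh request; scopes are the delegated Graph scopes granted at login.
export function refreshBody(clientId: string, clientSecret: string, refreshToken: string, scopes: string[]): URLSearchParams {
  return new URLSearchParams({
    client_id: clientId,
    client_secret: clientSecret,
    grant_type: "refresh_token",
    refresh_token: refreshToken,
    scope: scopes.join(" "),
  });
}

export function needsRefresh(token: StoredToken, nowMs: number = Date.now()): boolean {
  return nowMs + SKEW_MS >= token.expiresAt;
}

// Server-side only: the refresh token and client secret must never reach the browser.
// An API endpoint for the client should return at most the short-lived access token.
export async function refreshEntraToken(
  token: StoredToken, clientId: string, clientSecret: string, scopes: string[],
  fetchImpl: FetchLike = (globalThis as any).fetch, nowMs: number = Date.now(),
): Promise<StoredToken> {
  const res = await fetchImpl(tokenEndpoint(TENANT), {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: refreshBody(clientId, clientSecret, token.refreshToken, scopes),
  });
  if (!res.ok) throw new Error(`token refresh failed: HTTP ${res.status}`);
  const data = (await res.json()) as TokenResponse;
  return {
    accessToken: data.access_token,
    refreshToken: data.refresh_token ?? token.refreshToken, // Entra may rotate it
    expiresAt: nowMs + data.expires_in * 1000,
  };
}
```

Call `needsRefresh` before each Graph request and persist the returned `StoredToken` (including any rotated refresh token) in your server-side store, never in a client-readable cookie.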
Solution
So I switched over to Lucia and got it working.

I was following another help thread in here, which got a similar problem. You might find your solution here @mikewilliams : I cannot copy the link... don't know why. Discord doesn't let me. The thread is called "RefreshAccessToken in SocialProvider (Microsoft) and NextJs 15"