Better Auth Not Respecting OIDC Discovery Document Endpoints with IdentityServer4

Problem Description

When implementing OAuth 2.0/OpenID Connect with IdentityServer4, Better Auth is not using the endpoints from the discovery document despite proper configuration. Instead, it's trying to use its own API structure (/api/auth/sign-in/oauth2).

Current Implementation

1. Server Configuration (server.ts):
export const auth = betterAuth({
  plugins: [
    genericOAuth({
      config: [{
        providerId: "ids4",
        authorizationUrl: 'https://example.egov.mv/connect/authorize',
        tokenUrl: 'https://example.egov.mv/connect/token',
        userInfoUrl: 'https://example.egov.mv/connect/userinfo',
        clientId: 'your-client-id',
        clientSecret: "",
        pkce: true,
        scopes: ["openid", "profile", "offline_access"],
        redirectURI: 'com.example.app://oauth',
        responseType: 'code',
      }]
    }),
    expo(),
  ],
  trustedOrigins: ["com.example.app://"],
});
2. Client Configuration (client.ts):
export const authClient = createAuthClient({
  baseURL: 'https://example.egov.mv',
  plugins: [
    genericOAuthClient(),
    expoClient({
      scheme: 'com.example.app',
      storagePrefix: "auth_token_storage",
      storage: mmkvStorage,
    }),
  ]
});
3. API Route Handler ([...auth]+api.ts):
import { auth } from "@/auth/server";
const handler = auth.handler;
export { handler as GET, handler as POST };
Expected Behavior
- Better Auth should use the configured OIDC endpoints from the server configuration
- Authentication flow should follow the standard OAuth 2.0/OpenID Connect protocol with IdentityServer4

Actual Behavior
- Better Auth is ignoring the configured endpoints
- Attempting to use its own API structure (/api/auth/sign-in/oauth2)
- Results in "Request Rejected" errors when trying to authenticate

#help
3 Replies
Isthiyaaq (OP), 6d ago
{
  "response": {
    "type": "default",
    "status": 200,
    "ok": true,
    "statusText": "",
    "headers": {
      "map": {
        "cache-control": "no-cache",
        "content-type": "text/html; charset=utf-8",
        "date": "Thu, 24 Apr 2025 10:15:41 GMT",
        "server": "cloudflare",
        "strict-transport-security": "max-age=7776000; includeSubDomains",
        "x-content-type-options": "nosniff",
        "x-frame-options": "SAMEORIGIN",
        "x-xss-protection": "1; mode=block"
      }
    },
    "url": "https://example.egov.mv/api/auth/sign-in/oauth2",
    "bodyUsed": true,
    "_bodyInit": {
      "_data": {
        "size": 245,
        "offset": 0,
        "blobId": "74275C8F-398D-459B-8C94-A46D5917141B",
        "type": "text/html",
        "name": "oauth2.html"
      }
    }
  },
  "request": {
    "baseURL": "https://example.egov.mv/api/auth",
    "method": "POST",
    "plugins": [
      {
        "id": "redirect",
        "name": "Redirect",
        "hooks": {}
      },
      {
        "id": "expo",
        "name": "Expo",
        "hooks": {}
      },
      {
        "id": "apply-schema",
        "name": "Apply Schema",
        "version": "1.0.0"
      }
    ],
    "body": "{\"providerId\":\"ids4\",\"callbackURL\":\"com.example.app:///(tabs)/(home)\",\"scopes\":[\"openid\",\"profile\",\"email\",\"offline_access\"]}",
    "credentials": "omit",
    "headers": {
      "map": {
        "cookie": "",
        "expo-origin": "com.example.app://",
        "content-type": "application/json"
      }
    },
    "url": "https://example.egov.mv/api/auth/sign-in/oauth2",
    "signal": {}
  }
}
bekacru, 6d ago
You haven't provided discoveryUrl.
Isthiyaaq (OP), 5d ago
I tried with discoveryUrl, same thing.
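
Added example, not part of the thread and not Better Auth's own code: two checks a reviewer can run on this setup. The first compares the hand-written provider entry with an OIDC discovery document; the second looks at where the client's sign-in POST went and what came back. The function names are hypothetical and the `discovery` object is a constructed sample; the other values are copied from the posts above.

```javascript
// Added example. `discovery` is a constructed sample document; the provider
// entry, client baseURL and content-type are copied from the thread.
const provider = {
  authorizationUrl: "https://example.egov.mv/connect/authorize",
  tokenUrl: "https://example.egov.mv/connect/token",
  userInfoUrl: "https://example.egov.mv/connect/userinfo",
  pkce: true,
  scopes: ["openid", "profile", "offline_access"],
};
const discoveryUrl = "https://example.egov.mv/.well-known/openid-configuration";
const discovery = { // constructed sample
  issuer: "https://example.egov.mv",
  authorization_endpoint: "https://example.egov.mv/connect/authorize",
  token_endpoint: "https://example.egov.mv/connect/token",
  userinfo_endpoint: "https://example.egov.mv/connect/userinfo",
  scopes_supported: ["openid", "profile", "email", "offline_access"],
  code_challenge_methods_supported: ["plain", "S256"],
};

// Compare the hand-written provider entry with the discovery metadata.
function checkProvider(p, d, url) {
  const out = [];
  const expected = d.issuer.replace(/\/$/, "") + "/.well-known/openid-configuration";
  if (url !== expected) out.push("issuer does not match discovery URL");
  const pairs = [["authorizationUrl", "authorization_endpoint"],
    ["tokenUrl", "token_endpoint"], ["userInfoUrl", "userinfo_endpoint"]];
  for (const [cfg, meta] of pairs) {
    if (p[cfg] !== d[meta]) out.push(`${cfg} differs from ${meta}`);
    if (new URL(p[cfg]).protocol !== "https:") out.push(`${cfg} is not https`);
  }
  if (p.pkce && !(d.code_challenge_methods_supported || []).includes("S256"))
    out.push("pkce enabled but S256 not advertised");
  for (const s of p.scopes)
    if (!(d.scopes_supported || []).includes(s)) out.push(`scope ${s} not advertised`);
  return out;
}

// Check where the client's sign-in POST went and what came back.
function checkSignInCall(clientBaseURL, p, captured) {
  const out = [];
  if (new URL(clientBaseURL).origin === new URL(p.authorizationUrl).origin)
    out.push("client baseURL has the identity provider's origin");
  const type = captured.response.headers.map["content-type"] || "";
  if (!type.startsWith("application/json"))
    out.push(`sign-in response is ${type}, not JSON`);
  return out;
}

const captured = { response: { headers: { map: { "content-type": "text/html; charset=utf-8" } } } };
console.log(checkProvider(provider, discovery, discoveryUrl));
console.log(checkSignInCall("https://example.egov.mv", provider, captured));
```

With the thread's values the first check returns no findings and the second returns two: the client `baseURL` and the provider's `authorizationUrl` share an origin, and the captured sign-in response is HTML rather than JSON.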
