OAuth provider

I want my app (let's call it "XYZ") to become an OAuth provider, meaning that I'd like other devs to be able to integrate "Connect/Sign In with XYZ" on their own apps. For this I see two main points:

1. The users are redirected to XYZ's consent screen when they press the "Connect/Sign In with XYZ". They are prompted to enter the credentials / sign in with their XYZ account (if they have no session saved). This is very straightforward and it's very clear to me how to do this with Better Auth.
2. The user is redirected back to the original app with an access token (or a code if PKCE) and requests protected resources to XYZ's API by sending the retrieved access token alongside the requests (in an auth header for example). This one seems a bit more tricky.

Given this context, I have a couple questions:

1. Does Better Auth support becoming my own OAuth provider?
2. Do I need OIDC? My understanding is that OIDC is useful for authentication but not for authorization (this is still handled by OAuth). In my use case, it won't be so much of a "Sign In with XYZ" but more of a "Connect with XYZ". The only thing that matters is for apps to get the access_token, knowing the user identity is not super relevant, which leads me to conclude that OIDC is not necessary?
3. I know that Better Auth supports building my own OIDC provider. Should I use it even if the answer to the previous question is that I don't need OIDC and only direct OAuth?