How to associate OAuth access tokens with application-specific context during OIDC flow?
I'm building a data sync platform where users can create multiple "destinations" (e.g., different Airtable bases, Notion workspaces) to send their data to. I want to use the OIDC plugin so that each OAuth access token is tied to a specific destination.
Current setup:
* Using better-auth's OIDC provider plugin
* Have a destinations table that I want to link to oauthAccessToken via a new destinationId column
* Custom consent screen where users select which destination to authorize
What I need:
When a user goes through the OAuth consent flow, I need to pass context about which destination they're authorizing, so that when the access token is created, I can associate it with the correct destination record.
Attempted approaches:
* State parameter: The OAuth2 spec's state parameter is designed for this, but I can't find documentation on how to inject custom data into better-auth's state handling
* Route hooks: I could potentially use better-auth's hooks when the token is created, but I need a way to pass the destination context through the flow
Questions:
* Does the OIDC plugin support passing custom data through the state parameter?
* Are there route hooks that fire during token creation where I could access request context?
* Is there another recommended pattern for associating tokens with application-specific data?
The goal is that when my API receives a request with an access token, I can look up oauthAccessToken.destinationId to know which destination the client is accessing.
Any guidance would be appreciated!
3 Replies
@Ping curious if you have any thoughts here.
I'm not quite sure I fully understand your use case. State is handled by the OAuth client - whatever state they send, we return when redirecting back from the authorization flow. That said, if I understand the problem correctly, you want to add additional metadata to the state parameter so that when the user is redirected back to the client, the client knows how to handle that state value. Is that correct?
Fair, instead of state, perhaps there's some other place to share context between the consent screen and the token creation.
Essentially, the ideal flow is:
1. User clicks on "Connect to Finta (my app)" within an external application
2. Finta shows a custom consent screen where user creates a "destination" (name, settings, etc.).
3. User consents, my app creates the destination in the database, and then, via the OIDC plugin, issues an access token to the external app
4. Later, when the external app makes API calls to Finta using that token, I need to know which destination it corresponds to
The problem:
I need to associate the access token that better-auth creates with the destination data the user entered on the consent screen.
What I'm looking for:
A way to pass context from my consent screen (step 2) to the token creation process (step 3) so I can store destinationId in the oauthAccessToken table or store the id of the access token on my destinations table.
@bekacru is this possible or should I submit a feature request?
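
The binding asked for in steps 2 to 4 above, modelled outside better-auth as an added example (not part of the thread and not better-auth's API): the destination is attached server-side to the authorization code at consent time and copied onto the token record at exchange, so nothing travels through the client-owned state value. All function names, the in-memory maps and the 60-second code lifetime are assumptions for illustration.

```javascript
// Added example: in-memory model, not better-auth's API. All names are hypothetical.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const randomToken = () =>
  Array.from(webcrypto.getRandomValues(new Uint8Array(32)), (b) => b.toString(16).padStart(2, "0")).join("");

const CODE_TTL_MS = 60_000; // assumed authorization-code lifetime
const destinations = new Map(); // destinationId -> { ownerId, name }
const authCodes = new Map();    // code -> { userId, clientId, destinationId, expiresAt }
const accessTokens = new Map(); // token -> { userId, clientId, destinationId }

// Step 2: the consent screen creates the destination for the signed-in user.
function createDestination(ownerId, name) {
  const id = "dest_" + randomToken().slice(0, 12);
  destinations.set(id, { ownerId, name });
  return id;
}

// Step 3a: on consent, bind the destination to the authorization code server-side.
// userId comes from the session, never from the form; ownership is checked so a
// tampered destinationId cannot attach another user's destination.
function approveConsent(userId, clientId, destinationId, now = Date.now()) {
  const dest = destinations.get(destinationId);
  if (!dest || dest.ownerId !== userId) throw new Error("destination not owned by user");
  const code = randomToken();
  authCodes.set(code, { userId, clientId, destinationId, expiresAt: now + CODE_TTL_MS });
  return code;
}

// Step 3b: the token endpoint copies the binding from the code onto the token row.
function exchangeCode(code, clientId, now = Date.now()) {
  const grant = authCodes.get(code);
  authCodes.delete(code); // single use, even when the checks below fail
  if (!grant || grant.clientId !== clientId || grant.expiresAt < now) {
    throw new Error("invalid_grant");
  }
  const token = randomToken();
  accessTokens.set(token, { userId: grant.userId, clientId, destinationId: grant.destinationId });
  return token;
}

// Step 4: the API resolves the destination from the token alone.
function destinationForToken(token) {
  const row = accessTokens.get(token);
  return row ? row.destinationId : null;
}
```

In a real deployment the three maps would be database tables and the token would be stored hashed; the model only shows where the binding is created and where it is read.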