OIDC Plugin + Organization Plugin for limiting user OAuth to specific organizations tied to an app
I may have missed this in the documentation, but is there a way for me to combine the OIDC plugin with the Organizations plugin such that when a user tries to authenticate into a specific application, we check that user's membership with an associated organization during the OAuth process, and if the user doesn't have a membership, then authentication into that app should be denied.
Basically, I am making an auth-gateway system where my team can internally tie different applications (and OAuth configs) to different end customers (better-auth organizations plugin) via an administration portal. My team will deploy a client-application that users log into by OIDC, pointed to the auth-gateway application we have set up (both NextJS apps will use better-auth, with auth-gateway being the source of truth and client-application pointing to our auth-gateway with its configured credentials).
In other plugins, I see the ability to add custom fields and callbacks/validators on the actions, but from what I can tell, I can't do that for the OIDC provider plugin.
@elmd I'm facing the exact same issue. According to my limited understanding, the organization plugin is unfortunately closely tied to the session cookie. It would be awesome if there was a layer in the organization API where you could just pass an organization id and user id, or expose a handler for different types of auth requests. It's really too bad, as it would be a beautiful combination.