OIDC Login page question

I’m building an internal-only OIDC provider with Hono on backend.mydomain.com.
All consuming services will be on the same parent domain (*.mydomain.com) and expect OIDC-compliant JWTs.

Can I keep the actual login UI (username/password form, MFA, etc.) on a separate host—accounts.mydomain.com—while still having the OIDC discovery, token, and JWKS endpoints served from backend.mydomain.com?
In other words, is it valid (and what do I need to configure) so that:

  • backend.mydomain.com/.well-known/openid-configuration points to
    accounts.mydomain.com/authorize for user login,
  • but tokens are still issued from backend.mydomain.com/token?

Will this split break anything for clients that share the same parent domain?

import { betterAuth } from "better-auth";
import { oidcProvider } from "better-auth/plugins";

export const auth = betterAuth({
    plugins: [oidcProvider({
        loginPage: "/sign-in" // <-? should this be accounts.mydomain.com/signin or signup?
    })]
})

Also, will that cause issues with subdomain logins and stuff like that?
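As an added example (not from the post and not better-auth's or Hono's own code), this builds the discovery document for the split layout the question describes, with only the authorization endpoint on the login host, and then validates it the way a relying party should before trusting it: the issuer must equal the URL prefix the document was fetched from (OIDC Discovery 4.3), every endpoint must be https and inside the trusted parent domain, and, as a policy choice for this deployment rather than a spec rule, token and JWKS endpoints stay on the issuer host. Host names and the jwks path are assumptions.

```typescript
type Discovery = {
  issuer: string;
  authorization_endpoint: string;
  token_endpoint: string;
  jwks_uri: string;
  response_types_supported: string[];
  subject_types_supported: string[];
  id_token_signing_alg_values_supported: string[];
};

// Discovery document for the split: issuerHost serves metadata, tokens and keys;
// loginHost only serves the interactive /authorize step (hosts are assumptions).
export function buildDiscovery(issuerHost: string, loginHost: string): Discovery {
  const issuer = `https://${issuerHost}`;
  return {
    issuer,
    // The only endpoint that moves: browsers are redirected here to log in.
    authorization_endpoint: `https://${loginHost}/authorize`,
    // Tokens and keys stay with the issuer so the ID token's `iss` keeps matching.
    token_endpoint: `${issuer}/token`,
    jwks_uri: `${issuer}/.well-known/jwks.json`,
    response_types_supported: ["code"],
    subject_types_supported: ["public"],
    id_token_signing_alg_values_supported: ["RS256"],
  };
}

// Relying-party side checks; returns a list of problems (empty means acceptable).
export function validateDiscovery(doc: Discovery, fetchedFrom: string, parentDomain: string): string[] {
  const problems: string[] = [];
  // OIDC Discovery 4.3: issuer must be identical to the well-known URL's prefix.
  const expectedIssuer = fetchedFrom.replace(/\/\.well-known\/openid-configuration$/, "");
  if (doc.issuer !== expectedIssuer) problems.push(`issuer ${doc.issuer} != ${expectedIssuer}`);
  for (const key of ["authorization_endpoint", "token_endpoint", "jwks_uri"] as const) {
    const u = new URL(doc[key]);
    if (u.protocol !== "https:") problems.push(`${key} is not https`);
    if (u.hostname !== parentDomain && !u.hostname.endsWith("." + parentDomain))
      problems.push(`${key} host ${u.hostname} is outside ${parentDomain}`);
  }
  // Deployment policy (not a spec requirement): only the issuer mints tokens and publishes keys.
  const issuerHost = new URL(doc.issuer).hostname;
  for (const key of ["token_endpoint", "jwks_uri"] as const) {
    if (new URL(doc[key]).hostname !== issuerHost) problems.push(`${key} is not on the issuer host`);
  }
  return problems;
}
```

A login page on a different host than the issuer also means the session established there must be visible to the issuer's /authorize handler, so the session cookie has to be scoped to the parent domain (and kept Secure, HttpOnly) or the issuer must otherwise verify the login result.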