Reach of OIDC access_token
Hi, guys.
Quick question about the OIDC plugin. Right now, when doing the authorization_code flow, the access_token you get only seems to work with the /userinfo endpoint.
Is that the only thing it's meant to access for now? Or is there (or will there be) support for using that same access token to hit other endpoints, like the ones related to organizations or the default endpoints? How should I handle those kinds of actions with the provided access token?
3 Replies
I suppose you could set your own custom scopes and write your own workarounds. I'm not sure of any way you can link the organization plugin to this plugin (with a simple config).
https://github.com/better-auth/better-auth/blob/canary/packages%2Fbetter-auth%2Fsrc%2Fplugins%2Foidc-provider%2Findex.ts#L976-L1018 that's how the plugin checks the token.
Thanks a lot! Yeah, I figured there’s no simple way to link OIDC directly with the organization plugin or other endpoints just via config.
One workaround I’ve been testing is manually sending the access token to my secondary storage (where I keep user sessions), and then using the bearer plugin to allow those tokens to hit the other endpoints via header auth. I’m also playing with setting custom scopes to fetch whatever org-related data/actions I need that way.
Appreciate the help!