Account linking with the generic SSO plugin with EntraID
Hi all!
We have organizations and each organization might have an sso_provider set up. For example, an organization might use the generic SSO plugin to set up their corporate EntraID. The problem I ran into is that Entra won't return an
email_verified claim, which means that users in the organization who already have a user account before their first login through the SSO get rejected with an account not linked error. https://github.com/better-auth/better-auth/blob/5e50205a3f9a7ee6608703f23d26a2b944a8cce9/packages/better-auth/src/oauth2/link-account.ts#L64
I thought, fine, I will implement the linking feature for those users who won't be provisioned by Entra but already exist, but I found that I can't use authClient.linkSocial on sso_providers which were created with the sso plugin. I simply get {"code":"PROVIDER_NOT_FOUND","message":"Provider not found"} despite the provider being available in the database. I found in the code that https://github.com/better-auth/better-auth/blob/5e50205a3f9a7ee6608703f23d26a2b944a8cce9/packages/better-auth/src/api/routes/account.ts#L197C30-L197C45 the provider is searched in the socialProviders, which doesn't include the providers created by the sso plugin.
Any idea how to solve this? I saw that EntraID can send verified_primary_email so if I could map this to the email_verified field prior to account linking that would be good. I also checked that the Microsoft Entra ID social provider simply hardcodes emailVerified to true https://github.com/better-auth/better-auth/blob/5e50205a3f9a7ee6608703f23d26a2b944a8cce9/packages/better-auth/src/social-providers/microsoft-entra-id.ts#L216 hence it alleviates the accountLinking problem I mentioned.
I can't use this social provider, because multiple organizations might set up their own EntraID, so I have to use the sso plugin.
Any idea @bekacru?
One more thing:
I thought I might try to set
trustEmailVerified to false, mentioned at https://www.better-auth.com/docs/plugins/sso#options, but that still wasn't working because of the following check: https://github.com/better-auth/better-auth/blob/5e50205a3f9a7ee6608703f23d26a2b944a8cce9/packages/better-auth/src/oauth2/link-account.ts#L55
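As an added example (not Better Auth's code and not from the original post), the TypeScript below shows the two pieces the problem above turns on: deriving a boolean emailVerified for an Entra ID user from the verified_primary_email claim when no email_verified claim is present, and the linking rule that rejects a login for a pre-existing user unless the provider's email is trusted as verified. Every function and type name, the shape assumed for the verified_primary_email claim (string or array of strings), and the sample users and claims are assumptions for illustration.

```typescript
// Added example, not Better Auth's own code: all names here are hypothetical.
// (1) normaliseEntraClaims turns raw ID-token claims into a profile with a
//     boolean emailVerified, using verified_primary_email as a fallback.
// (2) decideLink applies the linking gate: an existing account with the same
//     email is linked only when the provider's email is trusted as verified.

type EntraClaims = {
  sub: string;
  email?: string;
  preferred_username?: string;
  email_verified?: boolean;
  // Entra ID optional claim; assumed here to arrive as a string or an array
  // of strings. Both shapes are handled.
  verified_primary_email?: string | string[];
};

type Profile = { id: string; email: string; emailVerified: boolean };

function normaliseEntraClaims(claims: EntraClaims): Profile {
  const email = (claims.email ?? claims.preferred_username ?? "").trim().toLowerCase();
  if (!email) {
    throw new Error("ID token carries no email or preferred_username claim");
  }
  // An explicit email_verified claim wins when present.
  if (typeof claims.email_verified === "boolean") {
    return { id: claims.sub, email, emailVerified: claims.email_verified };
  }
  const verified = Array.isArray(claims.verified_primary_email)
    ? claims.verified_primary_email
    : claims.verified_primary_email !== undefined
      ? [claims.verified_primary_email]
      : [];
  // Only mark the login email verified if Entra lists exactly that address;
  // a verified address that differs from the login email must not unlock linking.
  const emailVerified = verified.some((v) => v.trim().toLowerCase() === email);
  return { id: claims.sub, email, emailVerified };
}

type ExistingUser = { id: string; email: string; linkedProviderIds: string[] };

type LinkDecision =
  | { action: "create-user" }
  | { action: "sign-in"; userId: string }
  | { action: "link-account"; userId: string }
  | { action: "reject"; reason: string };

function decideLink(
  profile: Profile,
  providerId: string,
  existing: ExistingUser | undefined,
  trustEmailVerified: boolean,
): LinkDecision {
  if (!existing) {
    return { action: "create-user" };
  }
  if (existing.linkedProviderIds.includes(providerId)) {
    // Linked on an earlier login; nothing to decide.
    return { action: "sign-in", userId: existing.id };
  }
  if (trustEmailVerified && profile.emailVerified) {
    return { action: "link-account", userId: existing.id };
  }
  // Either the provider never asserted verification, or we chose not to trust it.
  return {
    action: "reject",
    reason: `provider ${providerId} did not prove ownership of ${profile.email}`,
  };
}

// Constructed sample data: a pre-existing local user and two Entra logins.
const existingUser: ExistingUser = {
  id: "user_1",
  email: "alice@contoso.example",
  linkedProviderIds: [],
};

const withVerifiedPrimaryEmail: EntraClaims = {
  sub: "00000000-0000-0000-0000-000000000001",
  email: "Alice@Contoso.example",
  verified_primary_email: ["alice@contoso.example"],
};

const withoutVerification: EntraClaims = {
  sub: "00000000-0000-0000-0000-000000000001",
  preferred_username: "alice@contoso.example",
};

function runSample(): LinkDecision[] {
  return [withVerifiedPrimaryEmail, withoutVerification].map((claims) =>
    decideLink(normaliseEntraClaims(claims), "contoso-entra", existingUser, true),
  );
}

console.log(runSample());
```

The comparison against the login email in normaliseEntraClaims is the part worth keeping strict: treating any verified address as proof for whichever email the token carries would let a mismatched address attach to a pre-provisioned account, which is exactly what the linking gate exists to prevent.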
@Better Auth anything on this?
Hi there! Could you clarify what you’re referring to? Are you asking about a specific feature or integration in Better Auth—maybe something like the plugin ecosystem, social sign-on, or even integrations like the AdonisJS feature request [1], [6]? Let me know so I can help with exactly what you're looking for.
Sources:
[1] Introduction | Better Auth
[6] Feature Request: Integrate AdonisJS with Better-Auth