3 replies

Account linking with the generic SSO plugin with EntraID

Hi all!

We have organizations and each organization might have an sso_provider setup. For example, az organization might use the generic SSO plugin to setup their corporate EntraID. The problem I ran into is that Entra won't return an

email_verified

email_verified

claim, this means that users in the organization who already have a user account before their first login through the SSO gets rejected with an account not linked error. https://github.com/better-auth/better-auth/blob/5e50205a3f9a7ee6608703f23d26a2b944a8cce9/packages/better-auth/src/oauth2/link-account.ts#L64

I thought fine, I will implement the linking feature for those users who won't be provisioned by Entra but were already existing, but I found that i can't use

authClient.linkSocial

authClient.linkSocial

on sso_providers which were created with the sso plugin. I simply get

{"code":"PROVIDER_NOT_FOUND","message":"Provider not found"}

{"code":"PROVIDER_NOT_FOUND","message":"Provider not found"}

despite the provider being available in the database. I found in the code, that https://github.com/better-auth/better-auth/blob/5e50205a3f9a7ee6608703f23d26a2b944a8cce9/packages/better-auth/src/api/routes/account.ts#L197C30-L197C45 the provider is searched in the

socialProviders

socialProviders

which doesn't include the providers created by the sso plugin.

Any idea how to solve this? I saw that EntraID can send

verified_primary_email

verified_primary_email

so if I could map this to the

email_verified

email_verified

field prior to account linking that would be good. I also checked that the Microsoft Entra ID social provider simply hardcodes

emailVerified

emailVerified

to true https://github.com/better-auth/better-auth/blob/5e50205a3f9a7ee6608703f23d26a2b944a8cce9/packages/better-auth/src/social-providers/microsoft-entra-id.ts#L216 hence it alleviates the accountLinking problem I mentioned.

I can't use this social provider, because multiple organizations might setup their own EntraID, so i have to use the sso plugin.

Any idea @bekacru ?

Better Auth•5mo ago•

3 replies

Jim-Y

Account linking with the generic SSO plugin with EntraID

email_verified

email_verified

authClient.linkSocial

authClient.linkSocial

on sso_providers which were created with the sso plugin. I simply get

{"code":"PROVIDER_NOT_FOUND","message":"Provider not found"}

{"code":"PROVIDER_NOT_FOUND","message":"Provider not found"}

socialProviders

socialProviders

which doesn't include the providers created by the sso plugin.

Any idea how to solve this? I saw that EntraID can send

verified_primary_email

verified_primary_email

so if I could map this to the

email_verified

email_verified

field prior to account linking that would be good. I also checked that the Microsoft Entra ID social provider simply hardcodes

emailVerified

emailVerified

Account linking with the generic SSO plugin with EntraID

Account linking with the generic SSO plugin with EntraID

Similar Threads

Similar Threads

Similar Threads