Account linking with the generic SSO plugin with EntraID
Hi all!
We have organizations and each organization might have an sso_provider set up. For example, an organization might use the generic SSO plugin to set up their corporate EntraID. The problem I ran into is that Entra won't return an email_verified claim, which means that users in the organization who already have a user account before their first login through the SSO get rejected with an account not linked error: https://github.com/better-auth/better-auth/blob/5e50205a3f9a7ee6608703f23d26a2b944a8cce9/packages/better-auth/src/oauth2/link-account.ts#L64

I thought fine, I will implement the linking feature for those users who won't be provisioned by Entra but were already existing, but I found that I can't use authClient.linkSocial on sso_providers which were created with the sso plugin. I simply get {"code":"PROVIDER_NOT_FOUND","message":"Provider not found"} despite the provider being available in the database. I found in the code (https://github.com/better-auth/better-auth/blob/5e50205a3f9a7ee6608703f23d26a2b944a8cce9/packages/better-auth/src/api/routes/account.ts#L197C30-L197C45) that the provider is searched in the socialProviders, which doesn't include the providers created by the sso plugin.

Any idea how to solve this? I saw that EntraID can send verified_primary_email, so if I could map this to the email_verified field prior to account linking that would be good. I also checked that the Microsoft Entra ID social provider simply hardcodes emailVerified to true (https://github.com/better-auth/better-auth/blob/5e50205a3f9a7ee6608703f23d26a2b944a8cce9/packages/better-auth/src/social-providers/microsoft-entra-id.ts#L216), hence it alleviates the accountLinking problem I mentioned. I can't use this social provider, because multiple organizations might set up their own EntraID, so I have to use the sso plugin.

Any idea @bekacru ?
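An added illustration (not better-auth's code and not from the post above) of the check a claim-mapping step would have to make before the linking decision: derive an email_verified value from Entra's verified_primary_email claim and link only when the IdP-verified address is the same one the existing local account was found by, so an unverified address never auto-links. It assumes verified_primary_email arrives as an array of strings; the claim names otherwise follow the post.

```typescript
// Added illustration, not better-auth code. Decides whether an SSO login may
// be linked to an existing local account on the basis of the IdP's claims.
// Assumption: Entra's optional verified_primary_email claim is an array of
// addresses; the standard email_verified claim is a boolean.

type IdpClaims = {
  email?: string;
  email_verified?: boolean;
  verified_primary_email?: string[];
};

type LinkDecision = { link: boolean; reason: string };

// Trim and lower-case for comparison so case differences do not bypass the
// check, while still treating different mailboxes as different.
function normalizeEmail(e: string): string {
  return e.trim().toLowerCase();
}

// Map Entra's claims to a single email_verified value before linking:
// true if the IdP says so directly, or if the address we are about to link
// by appears in verified_primary_email. Anything else is unverified.
function deriveEmailVerified(claims: IdpClaims): boolean {
  if (claims.email_verified === true) return true;
  if (!claims.email || !Array.isArray(claims.verified_primary_email)) return false;
  const target = normalizeEmail(claims.email);
  return claims.verified_primary_email.some((v) => normalizeEmail(v) === target);
}

// Link only when the IdP vouches for exactly the address that matched the
// existing account; every other path keeps the "account not linked" refusal.
function decideLink(claims: IdpClaims, existingAccountEmail: string | null): LinkDecision {
  if (!existingAccountEmail) return { link: false, reason: "no existing account" };
  if (!claims.email || normalizeEmail(claims.email) !== normalizeEmail(existingAccountEmail)) {
    return { link: false, reason: "email mismatch" };
  }
  if (!deriveEmailVerified(claims)) {
    return { link: false, reason: "email not verified by IdP" };
  }
  return { link: true, reason: "verified email matches existing account" };
}
```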