Implementing Silent SSO/iFrame Authentication with Custom OIDC Provider in HonoJs/better-auth

I'm building a HonoJs API using better-auth. This API is consumed by a set of small, independent web components that are embedded on various external, top-level domains.

The Challenge & Constraint:

I cannot rely on traditional cross-site cookies for session management in the embedded web components.

My goal is to implement Single Sign-On (SSO) that is silent (using an iframe) to maintain a continuous session.

The web components will access my API using an Access Token (for protected resources) and a Refresh Token (to renew the access token).

My Attempt & Current Understanding:

I've noted that better-auth supports configuring a custom OIDC Provider.

I've set up my custom provider within the framework.

The Core Question:

When a user lands on an external site with my component, a hidden iframe pointing to a login page (hosted by me) checks if there is an active session or renews it with a refresh token. Which method should I use to initiate the sign-in/SSO process with my custom OIDC provider?

await authClient.signIn.social(...) (as it's a custom OIDC/OAuth flow)?

await authClient.signIn.sso(...) (as my goal is Single Sign-On)?

Any guidance on the recommended better-auth flow for this cross-domain, silent SSO scenario would be greatly appreciated!