OAuth Proxy State Mismatch Issue with Localhost → Production Flow

@Better Auth

We're using better-auth with the oAuthProxy plugin to enable OAuth login from localhost through our production deployment, since our OAuth provider (AWS Cognito) only has the production URL whitelisted.

## Expected Flow

  1. User clicks sign-in on localhost:3000
  2. OAuth state is created and stored (cookie/database)
  3. User redirected to OAuth provider with redirect_uri=https://production.example.com/api/auth/callback/cognito&state=xyz
  4. OAuth provider redirects back to https://production.example.com/api/auth/callback/cognito?code=...&state=xyz
  5. Production should skip state cookie check (since it was initiated from localhost)
  6. Production validates the code and proxies back to localhost with encrypted cookies

## Actual Behavior

Steps 1-4 work correctly, but at step 5:
  • Production receives the callback with state=<state-value>
  • Production tries to verify the state cookie, but the cookie is on localhost, not production
  • Production returns state_mismatch error
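The mismatch above comes from binding the state purely to a cookie that only exists on the initiating host. As an added illustration (not better-auth's or the oAuthProxy plugin's own code), the sketch below shows one way a callback host can still validate a proxied state: the state carries the initiating origin and is HMAC-signed with a secret shared by both deployments, so production can verify its integrity and expiry without the localhost cookie, forward only to an allow-listed origin, and still require the cookie when the flow started on production itself. The secret, origin list and callback path are constructed assumptions.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Constructed demo values (assumptions): a secret shared by localhost and
// production, and the only origins a proxied callback may be forwarded to.
const STATE_SECRET = "constructed-demo-secret-do-not-use";
const ALLOWED_ORIGINS = new Set(["http://localhost:3000", "https://production.example.com"]);
const STATE_TTL_MS = 10 * 60 * 1000; // states older than 10 minutes are rejected

// Build a self-authenticating state: base64url(JSON payload) + "." + HMAC.
function createState(origin: string, secret = STATE_SECRET, now = Date.now()): string {
  if (!ALLOWED_ORIGINS.has(origin)) throw new Error("origin not allowed");
  const payload = Buffer.from(
    JSON.stringify({ origin, nonce: randomBytes(16).toString("hex"), iat: now }),
  ).toString("base64url");
  const sig = createHmac("sha256", secret).update(payload).digest("base64url");
  return `${payload}.${sig}`;
}

// Verify signature (constant-time), origin allow-list and age; null on any failure.
function verifyState(state: string, secret = STATE_SECRET, now = Date.now()): { origin: string; nonce: string } | null {
  const [payload, sig] = state.split(".");
  if (!payload || !sig) return null;
  const expected = createHmac("sha256", secret).update(payload).digest("base64url");
  if (expected.length !== sig.length || !timingSafeEqual(Buffer.from(expected), Buffer.from(sig))) return null;
  const data = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  if (!ALLOWED_ORIGINS.has(data.origin) || typeof data.iat !== "number") return null;
  if (now - data.iat > STATE_TTL_MS) return null;
  return { origin: data.origin, nonce: data.nonce };
}

// Decision made by the host that receives the provider callback (production here).
function handleCallback(opts: { state: string; stateCookie?: string; callbackOrigin: string }):
  { action: "local" | "proxy" | "reject"; to?: string } {
  const parsed = verifyState(opts.state);
  if (!parsed) return { action: "reject" };
  if (parsed.origin === opts.callbackOrigin) {
    // Flow started on this host: the cookie must also match (double-submit binding).
    if (opts.stateCookie !== opts.state) return { action: "reject" };
    return { action: "local" };
  }
  // Proxied flow: the cookie lives on the initiating host by design, so rely on the
  // signature and forward the callback only to the verified, allow-listed origin.
  return { action: "proxy", to: `${parsed.origin}/api/auth/callback/cognito` };
}
```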