5 replies

Persistent auth/error on First Login Attempt (OAuth State Loss)

Next.js

Hello, I'm integrating Keycloak with

better-auth

better-auth

(Next.js App Router). I'm hitting a persistent issue with OAuth state management on every login attempt.

The Problem: Failure Loop

1. Attempt 1 (Fails): User initiates login, authenticates on Keycloak, but is redirected back to /api/auth/error
/api/auth/error
(Error:

authentication_expired

authentication_expired

state_mismatch

state_mismatch

).
2. Attempt 2 (Succeeds): If the user clicks "Sign In" again, they are immediately logged in without re-entering Keycloak credentials.

Diagnosis: Keycloak successfully establishes an SSO session on Attempt 1, but the

better-auth

better-auth

callback fails, most likely because it cannot read the temporary radar.oauth_state
radar.oauth_state
cookie.

Setup Details:

- Provider: Keycloak
- Framework: Next.js App Router (

toNextJsHandler(auth)

toNextJsHandler(auth)

for API routes).
- Environment: Local development (

http://localhost:3001

http://localhost:3001

).
- Cookie Prefix:

radar

radar

Questions:

1. Cookie Fix: What is the recommended explicit configuration for

SameSite

SameSite

and

Path

Path

auth.ts

auth.ts

to ensure the temporary

radar.oauth_state

radar.oauth_state

cookie survives the redirect from Keycloak back to the callback URL?
2. Dev Environment: Could running on

http://localhost

http://localhost

be the known cause of this temporary cookie loss?
3. Workaround: Is redirecting users from

/api/auth/error

/api/auth/error

back to the sign-in page the safest short-term fix?

Better Auth•2mo ago•

5 replies

Rijual Kaushal

Persistent auth/error on First Login Attempt (OAuth State Loss)

Next.js

Hello, I'm integrating Keycloak with

better-auth

better-auth

(Next.js App Router). I'm hitting a persistent issue with OAuth state management on every login attempt.

The Problem: Failure Loop

1. Attempt 1 (Fails): User initiates login, authenticates on Keycloak, but is redirected back to /api/auth/error
/api/auth/error
(Error:

authentication_expired

authentication_expired

state_mismatch

state_mismatch

better-auth

better-auth

callback fails, most likely because it cannot read the temporary radar.oauth_state
radar.oauth_state
cookie.

Setup Details:

- Provider: Keycloak
- Framework: Next.js App Router (

toNextJsHandler(auth)

toNextJsHandler(auth)

for API routes).
- Environment: Local development (

http://localhost:3001

http://localhost:3001

).
- Cookie Prefix:

radar

radar

Questions:

1. Cookie Fix: What is the recommended explicit configuration for

SameSite

SameSite

and

Path

Path

auth.ts

auth.ts

to ensure the temporary

radar.oauth_state

radar.oauth_state

cookie survives the redirect from Keycloak back to the callback URL?
2. Dev Environment: Could running on

http://localhost

http://localhost

be the known cause of this temporary cookie loss?
3. Workaround: Is redirecting users from

/api/auth/error

/api/auth/error

back to the sign-in page the safest short-term fix?

Persistent auth/error on First Login Attempt (OAuth State Loss)

The Problem: Failure Loop

Setup Details:

Questions:

Similar Threads

Persistent auth/error on First Login Attempt (OAuth State Loss)

The Problem: Failure Loop

Setup Details:

Questions:

Similar Threads

Similar Threads

Similar Threads