Syntarex
Syntarex
PostsComments
BABetter Auth
Created by Syntarex on 4/14/2025 in #help
On-User-Behalf flow (Microsoft Entra)
I'm trying better-auth for the first time and like it a lot. But I don't get my head around some behaviours and would be super happy if someone could just point me in the right direction. I'm using Astro and Microsoft Entra only. No e-mail/password or other socials. What I'm trying to achieve: - [x] User can login with Microsoft entra - [x] Add scopes to authentication - [ ] Get access token to call Microsoft Graph (on-user-behalf flow) - [ ] Create api endpoint to get access token client-side - [ ] Refresh access token of Microsoft Entra automatically My questions are the following: - The only place in which I found the Microsoft Entra access token is the getUserInfo function. Is this the correct place to get it from? Should I save it in a cookie or append it to the User-object directly? - Will the access token be refreshed or do I need to implement that myself? - Do I need a database at all and if so, how can I use @astro/db for that? *I searched the docs and this help forum but couldn't find the right answer.. Sorry if I just overlooked something. It seems such a common use-case. 🤔 * 
import { ENTRA_APP_ID, ENTRA_APP_SECRET } from "astro:env/server";
import { betterAuth } from "better-auth";

export const auth = betterAuth({
    socialProviders: {
        microsoft: {
            clientId: ENTRA_APP_ID,
            clientSecret: ENTRA_APP_SECRET,
            tenantId: "organizations",
            scope: [
                "openid",
                "profile",
                "offline_access",
                "Group.Read.All",
                "GroupMember.Read.All",
                "Sites.Read.All",
                "User.Read",
                "User.ReadBasic.All",
            ],
        },
    },
});
import { ENTRA_APP_ID, ENTRA_APP_SECRET } from "astro:env/server";
import { betterAuth } from "better-auth";

export const auth = betterAuth({
    socialProviders: {
        microsoft: {
            clientId: ENTRA_APP_ID,
            clientSecret: ENTRA_APP_SECRET,
            tenantId: "organizations",
            scope: [
                "openid",
                "profile",
                "offline_access",
                "Group.Read.All",
                "GroupMember.Read.All",
                "Sites.Read.All",
                "User.Read",
                "User.ReadBasic.All",
            ],
        },
    },
});
7 replies