From 01f3b408e98a0510dc6c198e3b6a8e7b9ff9467a Mon Sep 17 00:00:00 2001
From: Sean O'Connor
Date: Wed, 14 Jan 2026 03:30:15 -0500
Subject: [PATCH] upd: change plugin for oidc
---
 src/app/auth/signin/page.tsx | 4 +-
 .../settings/_components/settings-content.tsx | 4 +-
 src/lib/auth-client.ts | 9 ++--
 src/lib/auth.ts | 46 +++++++------------
 4 files changed, 23 insertions(+), 40 deletions(-)
diff --git a/src/app/auth/signin/page.tsx b/src/app/auth/signin/page.tsx
index 67f069e..c44f66b 100644
--- a/src/app/auth/signin/page.tsx
+++ b/src/app/auth/signin/page.tsx
@@ -51,8 +51,8 @@ function SignInForm() {
 async function handleSocialSignIn() {
 setLoading(true);
 try {
- await authClient.signIn.sso({
- domain: "beenvoice.soconnor.dev",
+ await authClient.signIn.oauth2({
+ providerId: "authentik",
 callbackURL: callbackUrl,
 });
 // The signIn.sso method will automatically redirect to the SSO provider
diff --git a/src/app/dashboard/settings/_components/settings-content.tsx b/src/app/dashboard/settings/_components/settings-content.tsx
index c3123ea..5ef7b1b 100644
--- a/src/app/dashboard/settings/_components/settings-content.tsx
+++ b/src/app/dashboard/settings/_components/settings-content.tsx
@@ -87,8 +87,8 @@ export function SettingsContent() {
 const handleLinkAuthentik = async () => {
 setIsLinking(true);
 try {
- await authClient.signIn.sso({
- domain: "beenvoice.soconnor.dev",
+ await authClient.signIn.oauth2({
+ providerId: "authentik",
 callbackURL: "/dashboard/settings",
 });
 } catch (error) {
diff --git a/src/lib/auth-client.ts b/src/lib/auth-client.ts
index 520e02e..d69e670 100644
--- a/src/lib/auth-client.ts
+++ b/src/lib/auth-client.ts
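Review bot: The context comment below the changed call in `handleSocialSignIn` still reads `// The signIn.sso method will automatically redirect to the SSO provider`, although the call is now `authClient.signIn.oauth2`; it should become something like `// signIn.oauth2 redirects the browser to the Authentik authorization endpoint`. `callbackUrl` is defined outside the hunk, so if it is read from a query parameter it is worth confirming that it is limited to same-origin paths before being passed as `callbackURL`. The function body continues past the end of the hunk.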
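Review bot: `handleLinkAuthentik` in settings-content.tsx starts a sign-in flow rather than a link flow, because `authClient.signIn.oauth2` authenticates whichever identity the provider returns. Whether that identity ends up attached to the user who is currently signed in then depends on the server's account-linking settings, which are not visible here. The generic OAuth client plugin has a dedicated call for this case, `await authClient.oauth2.link({ providerId: "authentik", callbackURL: "/dashboard/settings" });`, which binds the new account to the active session; confirm it is available in the installed better-auth version. The handler continues outside the hunk.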
@@ -1,15 +1,12 @@ "use client"; import { createAuthClient } from "better-auth/react"; -import { ssoClient } from "@better-auth/sso/client"; +import { genericOAuthClient } from "better-auth/client/plugins"; /** - * Auth client for better-auth with SSO support. - * - * Better-auth handles SSR internally, so we can just create the client directly. + * Auth client configuration */ - export const authClient = createAuthClient({ baseURL: process.env.NEXT_PUBLIC_APP_URL, - plugins: [ssoClient()], + plugins: [genericOAuthClient()], }); diff --git a/src/lib/auth.ts b/src/lib/auth.ts index 895cf3b..a983c85 100644 --- a/src/lib/auth.ts +++ b/src/lib/auth.ts @@ -1,7 +1,7 @@ import { betterAuth } from "better-auth"; import { drizzleAdapter } from "better-auth/adapters/drizzle"; import { nextCookies } from "better-auth/next-js"; -import { sso } from "@better-auth/sso"; +import { genericOAuth } from "better-auth/plugins"; import { db } from "~/server/db"; import * as schema from "~/server/db/schema"; 
@@ -39,35 +39,21 @@ export const auth = betterAuth({
 },
 plugins: [
 nextCookies(),
- sso({
- // Only configure default SSO if Authentik credentials are provided
- defaultSSO:
- process.env.AUTHENTIK_ISSUER &&
- process.env.AUTHENTIK_CLIENT_ID &&
- process.env.AUTHENTIK_CLIENT_SECRET
- ? [
- {
- providerId: "authentik",
- domain: "beenvoice.soconnor.dev",
- oidcConfig: {
- issuer: process.env.AUTHENTIK_ISSUER,
- clientId: process.env.AUTHENTIK_CLIENT_ID,
- clientSecret: process.env.AUTHENTIK_CLIENT_SECRET,
- discoveryEndpoint: `${process.env.AUTHENTIK_ISSUER}/.well-known/openid-configuration`,
- // Explicit endpoints to bypass discovery issues
- authorizationEndpoint: "https://auth.soconnor.dev/application/o/authorize/",
- tokenEndpoint: "https://auth.soconnor.dev/application/o/token/",
- userInfoEndpoint: "https://auth.soconnor.dev/application/o/userinfo/",
- jwksEndpoint: "https://auth.soconnor.dev/application/o/beenvoice/jwks/",
- scopes: ["openid", "email", "profile"],
- pkce: true,
- mapping: {
- emailVerified: "email_verified",
- },
- },
- },
- ]
- : [],
+ genericOAuth({
+ config: [
+ {
+ providerId: "authentik",
+ clientId: process.env.AUTHENTIK_CLIENT_ID!,
+ clientSecret: process.env.AUTHENTIK_CLIENT_SECRET!,
+ discoveryUrl: `${process.env.AUTHENTIK_ISSUER}/.well-known/openid-configuration`,
+ // Explicit endpoints to ensure correct routing in production
+ authorizationUrl: "https://auth.soconnor.dev/application/o/authorize/",
+ tokenUrl: "https://auth.soconnor.dev/application/o/token/",
+ userInfoUrl: "https://auth.soconnor.dev/application/o/userinfo/",
+ scopes: ["openid", "email", "profile"],
+ pkce: true,
+ },
+ ],
 }),
 ],
 });
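Review bot: The new `genericOAuth` config registers the `authentik` provider unconditionally: `clientId` and `clientSecret` use `!` on `process.env` values and `discoveryUrl` interpolates `AUTHENTIK_ISSUER`, so a deployment missing these variables gets a provider with `undefined` credentials and a discovery URL starting with `undefined/`, where the removed `defaultSSO` guard produced no provider at all. Restoring that guard around `config` keeps the provider disabled until all three values are set, as sketched below. Separately, the hard-coded `auth.soconnor.dev` endpoints sit next to a discovery URL taken from the environment, so the two can point at different hosts; deriving both from one source would avoid that drift. The `betterAuth({` call begins outside the hunk.

```typescript
    genericOAuth({
      // Register Authentik only when issuer, client id and client secret are all set
      config:
        process.env.AUTHENTIK_ISSUER &&
        process.env.AUTHENTIK_CLIENT_ID &&
        process.env.AUTHENTIK_CLIENT_SECRET
          ? [
              {
                providerId: "authentik",
                clientId: process.env.AUTHENTIK_CLIENT_ID,
                clientSecret: process.env.AUTHENTIK_CLIENT_SECRET,
                // … unchanged: discoveryUrl, endpoint URLs, scopes, pkce …
              },
            ]
          : [],
    }),
```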