upd: change plugin for oidc

2026-02-05 00:06:36 -05:00 · 2026-01-14 03:30:15 -05:00
parent ea9dc35323
commit 01f3b408e9
4 changed files with 23 additions and 40 deletions
--- a/src/app/auth/signin/page.tsx
+++ b/src/app/auth/signin/page.tsx
@@ -51,8 +51,8 @@ function SignInForm() {
  async function handleSocialSignIn() {
    setLoading(true);
    try {
-      await authClient.signIn.sso({
+      await authClient.signIn.oauth2({
-        domain: "beenvoice.soconnor.dev",
+        providerId: "authentik",
        callbackURL: callbackUrl,
      });
      // The signIn.sso method will automatically redirect to the SSO provider
--- a/src/app/dashboard/settings/_components/settings-content.tsx
+++ b/src/app/dashboard/settings/_components/settings-content.tsx
@@ -87,8 +87,8 @@ export function SettingsContent() {
  const handleLinkAuthentik = async () => {
    setIsLinking(true);
    try {
-      await authClient.signIn.sso({
+      await authClient.signIn.oauth2({
-        domain: "beenvoice.soconnor.dev",
+        providerId: "authentik",
        callbackURL: "/dashboard/settings",
      });
    } catch (error) {
--- a/src/lib/auth-client.ts
+++ b/src/lib/auth-client.ts
@@ -1,15 +1,12 @@
 "use client";
 import { createAuthClient } from "better-auth/react";
-import { ssoClient } from "@better-auth/sso/client";
+import { genericOAuthClient } from "better-auth/client/plugins";
 /**
- * Auth client for better-auth with SSO support.
+ * Auth client configuration
 * 
 * Better-auth handles SSR internally, so we can just create the client directly.
 */
 export const authClient = createAuthClient({
    baseURL: process.env.NEXT_PUBLIC_APP_URL,
-    plugins: [ssoClient()],
+    plugins: [genericOAuthClient()],
 });
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -1,7 +1,7 @@
 import { betterAuth } from "better-auth";
 import { drizzleAdapter } from "better-auth/adapters/drizzle";
 import { nextCookies } from "better-auth/next-js";
-import { sso } from "@better-auth/sso";
+import { genericOAuth } from "better-auth/plugins";
 import { db } from "~/server/db";
 import * as schema from "~/server/db/schema";
@@ -39,35 +39,21 @@ export const auth = betterAuth({
    },
    plugins: [
        nextCookies(),
-        sso({
+        genericOAuth({
-            // Only configure default SSO if Authentik credentials are provided
+            config: [
-            defaultSSO:
+                {
-                process.env.AUTHENTIK_ISSUER &&
+                    providerId: "authentik",
-                    process.env.AUTHENTIK_CLIENT_ID &&
+                    clientId: process.env.AUTHENTIK_CLIENT_ID!,
-                    process.env.AUTHENTIK_CLIENT_SECRET
+                    clientSecret: process.env.AUTHENTIK_CLIENT_SECRET!,
-                    ? [
+                    discoveryUrl: `${process.env.AUTHENTIK_ISSUER}/.well-known/openid-configuration`,
-                        {
+                    // Explicit endpoints to ensure correct routing in production
-                            providerId: "authentik",
+                    authorizationUrl: "https://auth.soconnor.dev/application/o/authorize/",
-                            domain: "beenvoice.soconnor.dev",
+                    tokenUrl: "https://auth.soconnor.dev/application/o/token/",
-                            oidcConfig: {
+                    userInfoUrl: "https://auth.soconnor.dev/application/o/userinfo/",
-                                issuer: process.env.AUTHENTIK_ISSUER,
+                    scopes: ["openid", "email", "profile"],
-                                clientId: process.env.AUTHENTIK_CLIENT_ID,
+                    pkce: true,
-                                clientSecret: process.env.AUTHENTIK_CLIENT_SECRET,
+                },
-                                discoveryEndpoint: `${process.env.AUTHENTIK_ISSUER}/.well-known/openid-configuration`,
+            ],
                                // Explicit endpoints to bypass discovery issues
                                authorizationEndpoint: "https://auth.soconnor.dev/application/o/authorize/",
                                tokenEndpoint: "https://auth.soconnor.dev/application/o/token/",
                                userInfoEndpoint: "https://auth.soconnor.dev/application/o/userinfo/",
                                jwksEndpoint: "https://auth.soconnor.dev/application/o/beenvoice/jwks/",
                                scopes: ["openid", "email", "profile"],
                                pkce: true,
                                mapping: {
                                    emailVerified: "email_verified",
                                },
                            },
                        },
                    ]
                    : [],
        }),
    ],
 });