Skip to main content
Overlay’s initial private identity presets use OpenID Connect authorization code flow with PKCE. The provider must expose a valid discovery document and issue standard identity claims.

Required provider behavior

  • Authorization code flow is enabled.
  • PKCE with S256 is accepted.
  • Scopes openid email profile are allowed.
  • The ID token or userinfo response contains sub, email, and email_verified.
  • Issuer and discovery metadata use HTTPS outside localhost.
  • Client secrets are stored only in the server runtime or its secret manager.

Callback formula

For a connection ID named workspace:
The final path segment must exactly match BETTER_AUTH_CONNECTION_ID. Register the exact scheme, host, port, path, and casing with the IdP.

Access policy

Provider login success is not enough. Overlay separately enforces verified email and allowed domains:
This policy is server-side. UI labels and an IdP’s hosted-domain hint are not authorization controls.

Presets versus generic OIDC

Presets provide known issuer/discovery defaults, icons, labels, and required trusted endpoint origins. Use a preset when available:
  • google-workspace
  • auth0
  • entra-id
  • generic-oidc
Use generic-oidc when the issuer is deployment-specific. Configure the issuer explicitly and override discovery only when the provider does not use the standard /.well-known/openid-configuration location.

Runtime endpoints

After configuration: Unknown connection IDs and cross-origin post-login redirects must fail closed.