Required provider behavior
- Authorization code flow is enabled.
- PKCE with
S256is accepted. - Scopes
openid email profileare allowed. - The ID token or userinfo response contains
sub,email, andemail_verified. - Issuer and discovery metadata use HTTPS outside localhost.
- Client secrets are stored only in the server runtime or its secret manager.
Callback formula
For a connection ID namedworkspace:
BETTER_AUTH_CONNECTION_ID. Register the exact scheme, host, port, path, and casing with the IdP.
Access policy
Provider login success is not enough. Overlay separately enforces verified email and allowed domains:Presets versus generic OIDC
Presets provide known issuer/discovery defaults, icons, labels, and required trusted endpoint origins. Use a preset when available:google-workspaceauth0entra-idgeneric-oidc
generic-oidc when the issuer is deployment-specific. Configure the issuer explicitly and override discovery only when the provider does not use the standard /.well-known/openid-configuration location.
Runtime endpoints
After configuration:
Unknown connection IDs and cross-origin post-login redirects must fail closed.