Verify the Microsoft (Entra ID) and generic OIDC sign-in paths end-to-end against real IdPs. The wiring shipped with #30 (better-auth genericOAuth) typechecks and follows the documented API, but no Entra/OIDC app was available to exercise the actual round-trip.
To test
For each of Microsoft and a generic OIDC provider (e.g. Okta/Auth0/Keycloak):
- Register an app at the IdP with redirect URI:
  - Microsoft: ${BETTER_AUTH_URL}/api/auth/oauth2/callback/microsoft
  - OIDC: ${BETTER_AUTH_URL}/api/auth/oauth2/callback/oidc
- Set the env (MICROSOFT_CLIENT_ID/SECRET[/TENANT_ID] or OIDC_DISCOVERY_URL/CLIENT_ID/CLIENT_SECRET[/PROVIDER_NAME/SCOPES]) and redeploy.
- Confirm the login screen shows the provider button and signIn.oauth2({ providerId }) redirects to the IdP and back.
Acceptance criteria
- A new sign-in via Microsoft / OIDC creates an account only when the email is an instance admin or invited (the invite-only gate in user.create.before applies to oauth2 the same as social).
- An invited user signing in via Microsoft/OIDC auto-joins their workspace(s) on first sign-in (invite resolution by email).
- email/name map correctly from the provider profile to the user row.
- Multiple providers configured at once each render a button and work independently.
- The first-run setup screen's redirect URIs match what the IdP expects.
Pointers
web/src/lib/auth-providers.ts (genericOAuth config from env), web/src/lib/auth.ts (plugin + invite gate), web/src/components/sign-in-buttons.tsx, web/src/components/auth-setup-guide.tsx.
Split out of #30 (implementation done there); this is the live-IdP verification.
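As an added illustration (not the project's code from #30), the two things the checklist above pins down written as pure helpers: which providers and redirect URIs a given env yields, and the invite-only account-creation gate keyed on the IdP-asserted email. The config field names are assumptions about better-auth's genericOAuth plugin, and the Microsoft "common" tenant default is an assumption too.

```typescript
// Added example, not the project's code: pure helpers that mirror the two
// things the checklist verifies, (1) which providers/redirect URIs the env
// yields and (2) the invite-only account-creation gate. Config field names
// are assumptions about better-auth's genericOAuth plugin, not its real API.
type Env = Record<string, string | undefined>;

interface OAuthProvider {
  providerId: string;   // "microsoft" | "oidc", the callback path segment
  displayName: string;  // label for the sign-in button
  clientId: string;
  clientSecret: string;
  discoveryUrl: string;
  scopes: string[];
  redirectURI: string;  // must match the redirect URI registered at the IdP
}

function resolveOAuthProviders(env: Env): OAuthProvider[] {
  const base = env.BETTER_AUTH_URL?.replace(/\/+$/, "");
  if (!base) throw new Error("BETTER_AUTH_URL is required");
  const redirect = (id: string) => `${base}/api/auth/oauth2/callback/${id}`;
  const out: OAuthProvider[] = [];
  if (env.MICROSOFT_CLIENT_ID && env.MICROSOFT_CLIENT_SECRET) {
    const tenant = env.MICROSOFT_TENANT_ID ?? "common"; // assumption: multi-tenant default
    out.push({
      providerId: "microsoft", displayName: "Microsoft",
      clientId: env.MICROSOFT_CLIENT_ID, clientSecret: env.MICROSOFT_CLIENT_SECRET,
      discoveryUrl: `https://login.microsoftonline.com/${tenant}/v2.0/.well-known/openid-configuration`,
      scopes: ["openid", "profile", "email"], redirectURI: redirect("microsoft"),
    });
  }
  if (env.OIDC_DISCOVERY_URL && env.OIDC_CLIENT_ID && env.OIDC_CLIENT_SECRET) {
    out.push({
      providerId: "oidc", displayName: env.OIDC_PROVIDER_NAME ?? "OIDC",
      clientId: env.OIDC_CLIENT_ID, clientSecret: env.OIDC_CLIENT_SECRET,
      discoveryUrl: env.OIDC_DISCOVERY_URL,
      scopes: (env.OIDC_SCOPES ?? "openid profile email").split(/\s+/),
      redirectURI: redirect("oidc"),
    });
  }
  return out;
}

// Invite-only gate, keyed on the email the IdP asserts: create an account
// only for instance admins or invited addresses (case-insensitive compare).
function allowAccountCreation(email: string, admins: string[], invited: string[]): boolean {
  const norm = (s: string) => s.trim().toLowerCase();
  const e = norm(email);
  return admins.some((a) => norm(a) === e) || invited.some((i) => norm(i) === e);
}
```

Run resolveOAuthProviders against the deployment env before registering the IdP app so the redirect URIs you register are exactly the ones the callback route will present.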