[GH-ISSUE #4198] [OIDC] Kysely + CamelCasePlugin choke with redirectURLs #18492

New Issue

GiteaMirror · 2026-04-15T16:58:06-05:00

GiteaMirror commented

2026-04-15 16:58:06 -05:00

Originally created by @julen on GitHub (Aug 24, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/4198

Background

Hi there 👋, we are using Kysely alongside its CamelCasePlugin to ensure our DB tables and columns are defined in snake case while the interaction via TS remains in camel case. This is something we do across our entire DB, and it also applies to the tables handled by better-auth.

While using the OIDC plugin, we created a new client and when going through the authorization flow, it'd always fail with a "Invalid redirect URI" error.

The Issue

Debugging has shown oauthApplication.redirectURLs comes as undefined from the DB, and this happens because by default the field name cannot be reliably translated both ways: the DB field redirect_urls gets mapped to redirectUrls, but the code expects a redirectURLs column.

Potential Solutions

The CamelCasePlugin can be customized to work around this case:

Use the underscoreBetweenUppercaseLetters option, s.t. redirectURLs becomes the redirect_u_r_l_s column in the DB. That'd allow the reverse mapping to work. Not good looking, but oh well.
Customize the CamelCasePlugin to special-case this scenario. This is what we are currently doing:

class BetterAuthCompatibleCamelCasePlugin extends CamelCasePlugin {
	protected override camelCase(str: string): string {
		if (str === "redirect_urls") {
			return "redirectURLs";
		}

		return super.camelCase(str);
	}
}

Another possibility would be for better-auth to re-define redirectURLs as redirecUrls — and more broadly apply this principle to its core + plugin field names — use strict camel case, with no exceptions for acronyms.

Test Case

I pushed a commit on my fork at 73a8de84f1 that showcases the issue in a test case.

Is This a Bug?

I'm not sure this can be considered a bug per-se.

On the one hand, better-auth has been working flawlessly with our original database configuration, and we had no reason to think we would have problems when starting to use a new plugin. I checked across all the core + plugin schemas, and redirectURLs is the only occurrence where an acronym remains capitalized, so from that standpoint, this is an inconsistency with undesired side-effects.

If better-auth is supposed to work out-of-the-box with Kysely + CamelCasePlugin, then it'd be fair to enforce all schema fields to be strictly defined using camel case (no acronym exceptions).

On the other hand, if there are no compatibility guarantees from better-auth's side for using Kysely plugins, then maybe it'd be a good idea to warn users about this in the database documentation.

In any case, I hope this report is helpful for other folks who might run into the same issue.

Originally created by @julen on GitHub (Aug 24, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/4198 ## Background Hi there 👋, we are using Kysely alongside its [`CamelCasePlugin`](https://kysely-org.github.io/kysely-apidoc/classes/CamelCasePlugin.html) to ensure our DB tables and columns are defined in snake case while the interaction via TS remains in camel case. This is something we do across our entire DB, and it also applies to the tables handled by better-auth. While using the OIDC plugin, we created a new client and when going through the authorization flow, it'd always fail with a [_"Invalid redirect URI"_ error](https://github.com/better-auth/better-auth/blob/4696b9e7ec02a061af5473a414a99cbdb3bb67f8/packages/better-auth/src/plugins/oidc-provider/authorize.ts/#L121-L123). ## The Issue Debugging has shown `oauthApplication.redirectURLs` comes as `undefined` from the DB, and this happens because by default the field name cannot be reliably translated both ways: the DB field `redirect_urls` gets mapped to `redirectUrls`, but the code expects a `redirectURLs` column. ## Potential Solutions The `CamelCasePlugin` can be customized to work around this case: * Use the `underscoreBetweenUppercaseLetters` option, s.t. `redirectURLs` becomes the `redirect_u_r_l_s` column in the DB. That'd allow the reverse mapping to work. Not good looking, but oh well. * Customize the `CamelCasePlugin` to special-case this scenario. This is what we are currently doing: ```ts class BetterAuthCompatibleCamelCasePlugin extends CamelCasePlugin { protected override camelCase(str: string): string { if (str === "redirect_urls") { return "redirectURLs"; } return super.camelCase(str); } } ``` Another possibility would be for better-auth to re-define `redirectURLs` as `redirecUrls` — and more broadly apply this principle to its core + plugin field names — use strict camel case, with no exceptions for acronyms. ## Test Case I pushed a commit on my fork at https://github.com/julen/better-auth/commit/73a8de84f1d6af8aa7666257ed0ad262f71217f8 that showcases the issue in a test case. ## Is This a Bug? I'm not sure this can be considered a bug per-se. On the one hand, better-auth has been working flawlessly with our original database configuration, and we had no reason to think we would have problems when starting to use a new plugin. I checked across all the core + plugin schemas, and `redirectURLs` is the only occurrence where an acronym remains capitalized, so from that standpoint, this is an inconsistency with undesired side-effects. If better-auth is supposed to work out-of-the-box with Kysely + `CamelCasePlugin`, then it'd be fair to enforce all schema fields to be strictly defined using camel case (no acronym exceptions). On the other hand, if there are no compatibility guarantees from better-auth's side for using Kysely plugins, then maybe it'd be a good idea to warn users about this in the database documentation. In any case, I hope this report is helpful for other folks who might run into the same issue.

GiteaMirror added the locked label 2026-04-15 16:58:06 -05:00

GiteaMirror closed this issue

2026-04-15 16:58:07 -05:00

GiteaMirror commented

2026-04-15 16:58:08 -05:00

@dosubot[bot] commented on GitHub (Aug 24, 2025):

You're right—redirectURLs is the only field in better-auth that uses an acronym with uppercase letters in camelCase, while all other fields follow strict camelCase (like clientId, userId, jwksEndpoint) across both core and plugins. This inconsistency causes issues with Kysely's CamelCasePlugin, which maps redirect_urls to redirectUrls, not redirectURLs, resulting in the field being undefined and breaking the OIDC flow [source].

Your workaround—customizing the plugin or using underscoreBetweenUppercaseLetters—is currently the best approach. If better-auth were to rename redirectURLs to redirectUrls, it would align with the rest of the codebase and resolve this mapping issue for everyone using Kysely or similar tools. Since this is the only field with this pattern, the migration impact would be narrowly scoped to the OIDC plugin and should be manageable [source].

There’s no official naming convention policy or documentation about acronym casing or Kysely plugin compatibility in better-auth right now [source]. Until this is standardized, it would be helpful for the docs to warn about this edge case.

For now, customizing your CamelCasePlugin as you’ve done is the most robust fix. If you want to future-proof your setup, you could monitor for a potential rename to redirectUrls in better-auth and plan a simple migration for your DB and code when/if that happens. For new plugins or schema fields, sticking to strict camelCase (no acronym exceptions) is the safest bet to avoid similar issues.

To reply, just mention @dosu.

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

@dosubot[bot] commented on GitHub (Aug 24, 2025):  You're right—`redirectURLs` is the only field in better-auth that uses an acronym with uppercase letters in camelCase, while all other fields follow strict camelCase (like `clientId`, `userId`, `jwksEndpoint`) across both core and plugins. This inconsistency causes issues with Kysely's `CamelCasePlugin`, which maps `redirect_urls` to `redirectUrls`, not `redirectURLs`, resulting in the field being `undefined` and breaking the OIDC flow [[source]](https://github.com/better-auth/better-auth/blob/8c23eb07396478a51b4dc7de669c010cdadc5479/packages/better-auth/src/plugins/oidc-provider/types.ts). Your workaround—customizing the plugin or using `underscoreBetweenUppercaseLetters`—is currently the best approach. If better-auth were to rename `redirectURLs` to `redirectUrls`, it would align with the rest of the codebase and resolve this mapping issue for everyone using Kysely or similar tools. Since this is the only field with this pattern, the migration impact would be narrowly scoped to the OIDC plugin and should be manageable [[source]](https://github.com/better-auth/better-auth/blob/8c23eb07396478a51b4dc7de669c010cdadc5479/packages/better-auth/src/plugins/oidc-provider/schema.ts). There’s no official naming convention policy or documentation about acronym casing or Kysely plugin compatibility in better-auth right now [[source]](https://better-auth.com/docs/concepts/database). Until this is standardized, it would be helpful for the docs to warn about this edge case. For now, customizing your `CamelCasePlugin` as you’ve done is the most robust fix. If you want to future-proof your setup, you could monitor for a potential rename to `redirectUrls` in better-auth and plan a simple migration for your DB and code when/if that happens. For new plugins or schema fields, sticking to strict camelCase (no acronym exceptions) is the safest bet to avoid similar issues.  *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/d2852862-2726-4015-ba03-5e0ed18ae0a0?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/d2852862-2726-4015-ba03-5e0ed18ae0a0?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/d2852862-2726-4015-ba03-5e0ed18ae0a0?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/d2852862-2726-4015-ba03-5e0ed18ae0a0?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/d2852862-2726-4015-ba03-5e0ed18ae0a0?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/d2852862-2726-4015-ba03-5e0ed18ae0a0?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/d2852862-2726-4015-ba03-5e0ed18ae0a0?feedback_type=other)</sup>  [![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github) [![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot) [![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/4198)

GiteaMirror commented

2026-04-15 16:58:09 -05:00

@ping-maxwell commented on GitHub (Aug 24, 2025):

Hmm, I think it should be customized at the better-auth plugin schema level.
Usually plugins have options to modify the schema, which includes the ability to rename field names, but I just checked and it seems we don't have schema customization in the oidc plugin options

@ping-maxwell commented on GitHub (Aug 24, 2025): Hmm, I think it should be customized at the better-auth plugin schema level. Usually plugins have options to modify the schema, which includes the ability to rename field names, but I just checked and it seems we don't have schema customization in the oidc plugin options

GiteaMirror commented

2026-04-15 16:58:10 -05:00

@julen commented on GitHub (Aug 24, 2025):

Indeed—that was filed separately as #4199 earlier today with the fix at #4200.

@julen commented on GitHub (Aug 24, 2025): Indeed—that was filed separately as #4199 earlier today with the fix at #4200.

GiteaMirror commented

2026-04-15 16:58:10 -05:00

@ping-maxwell commented on GitHub (Aug 24, 2025):

Oh awesome, make sure to update the docs (feel free to look at my PR to know what I mean)
I'll just close mine

@ping-maxwell commented on GitHub (Aug 24, 2025): Oh awesome, make sure to update the docs (feel free to look at my PR to know what I mean) I'll just close mine

GiteaMirror commented

2026-04-15 16:58:11 -05:00

@julen commented on GitHub (Aug 24, 2025):

Thanks for the quick feedback @ping-maxwell — it's updated now.

@julen commented on GitHub (Aug 24, 2025): Thanks for the quick feedback @ping-maxwell — it's updated now.

GiteaMirror commented

2026-04-15 16:58:12 -05:00

@julen commented on GitHub (Aug 24, 2025):

Hmm, I think it should be customized at the better-auth plugin schema level.

Btw, to be clear, note that the issue presented here is orthogonal to being able to modify the schema, and no { schema: { oauthApplication: { fields: { redirectURLs: 'redirect_urls' } } } } config would help because the CamelCasePlugin makes redirect_urls available as redirectUrls.

@julen commented on GitHub (Aug 24, 2025): > Hmm, I think it should be customized at the better-auth plugin schema level. Btw, to be clear, note that the issue presented here is orthogonal to being able to modify the schema, and no `{ schema: { oauthApplication: { fields: { redirectURLs: 'redirect_urls' } } } }` config would help because the `CamelCasePlugin` makes `redirect_urls` available as `redirectUrls`.

GiteaMirror commented

2026-04-15 16:58:13 -05:00

@ping-maxwell commented on GitHub (Aug 24, 2025):

Oh, I see

In that case I think it makes sense for you to have that workaround in your custom plugin for kysely

@ping-maxwell commented on GitHub (Aug 24, 2025): Oh, I see In that case I think it makes sense for you to have that workaround in your custom plugin for kysely

GiteaMirror commented

2026-04-15 16:58:13 -05:00

@julen commented on GitHub (Aug 26, 2025):

While we have a workaround in place, our use of type generation (via kysely-codegen) requires additional third-party package patches to maintain type safety. From a DX perspective, this creates an unfortunate situation where we must implement multiple workarounds for functionality that should work seamlessly out-of-the-box.

Given that Kysely is a built-in adapter, I think it's fair to expect its built-in plugins to function flawlessly without requiring these additional steps. I understand that schema changes are generally undesirable, but considering the plugin is advertised as being in active development and potentially unsuitable for production use, perhaps the better-auth team should reconsider whether the field could still be renamed to redirectUrls to improve the overall developer experience.

@julen commented on GitHub (Aug 26, 2025): While we have a workaround in place, our use of type generation (via kysely-codegen) requires additional third-party package patches to maintain type safety. From a DX perspective, this creates an unfortunate situation where we must implement multiple workarounds for functionality that should work seamlessly out-of-the-box. Given that Kysely is a built-in adapter, I think it's fair to expect its built-in plugins to function flawlessly without requiring these additional steps. I understand that schema changes are generally undesirable, but considering the plugin is advertised as being in active development and potentially unsuitable for production use, perhaps the better-auth team should reconsider whether the field could still be renamed to `redirectUrls` to improve the overall developer experience.

GiteaMirror commented

2026-04-15 16:58:14 -05:00

@rusel1989 commented on GitHub (Aug 26, 2025):

Hi @ping-maxwell , I'd like to support @julen 's case. As he mentions we had to resort to quite ugly workaround, to get around this issue. And given the Kysely is the default I was also expecting plugins like CamelCasePlugin to work without any issues.

@rusel1989 commented on GitHub (Aug 26, 2025): Hi @ping-maxwell , I'd like to support @julen 's case. As he mentions we had to resort to quite ugly workaround, to get around this issue. And given the Kysely is the default I was also expecting plugins like `CamelCasePlugin` to work without any issues.

GiteaMirror commented

2026-04-15 16:58:15 -05:00

@ping-maxwell commented on GitHub (Aug 26, 2025):

I'll bring it up to the team.

@ping-maxwell commented on GitHub (Aug 26, 2025): I'll bring it up to the team.

Sign in to join this conversation.

Branches Tags

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-227a091249

dependabot/github_actions/github-actions-98f3470200

2026-05-13/ci/stabilize-docker-startup

dependabot/npm_and_yarn/samlify-2.13.0

changeset-release/main

main

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

2026-05-14/fix/passkey-verify-error-and-claim

changeset-release/next

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#18492

[GH-ISSUE #4198] [OIDC] Kysely + CamelCasePlugin choke with redirectURLs #18492

Background

The Issue

Potential Solutions

Test Case

Is This a Bug?

[GH-ISSUE #4198] [OIDC] Kysely + `CamelCasePlugin` choke with `redirectURLs` #18492