github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-06-03 12:57:09 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

[GH-ISSUE #4459] How to get email when user does social login for example with Google #18570

New Issue
Closed
opened 2026-04-15 17:04:22 -05:00 by GiteaMirror · 13 comments
GiteaMirror commented 2026-04-15 17:04:22 -05:00
Owner
Copy Link

Originally created by @MariuzM on GitHub (Sep 5, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/4459

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

I have business case where when user sing up with google social login, i need to get an email their where using so then i can check in database against some records and then continue allow social login or throw error

Current vs. Expected behavior

Ability to get email when user is doing social login

What version of Better Auth are you using?

1.3.7

System info

{
  "system": {
    "platform": "darwin",
    "arch": "arm64",
    "version": "Darwin Kernel Version 24.6.0: Mon Jul 14 11:30:29 PDT 2025; root:xnu-11417.140.69~1/RELEASE_ARM64_T6000",
    "release": "24.6.0",
    "cpuCount": 10,
    "cpuModel": "Apple M1 Max",
    "totalMemory": "64.00 GB",
    "freeMemory": "30.31 GB"
  },
  "node": {
    "version": "v24.7.0",
    "env": "development"
  },
  "packageManager": {
    "name": "npm",
    "version": "11.5.1"
  },
  "frameworks": [
    {
      "name": "fastify",
      "version": "^5.5.0"
    }
  ],
  "databases": [
    {
      "name": "pg",
      "version": "^8.16.3"
    },
    {
      "name": "postgres",
      "version": "^3.4.7"
    },
    {
      "name": "drizzle",
      "version": "^0.44.5"
    },
    {
      "name": "kysely",
      "version": "^0.28.5"
    }
  ],
  "betterAuth": {
    "version": "Unknown",
    "config": null
  }
}

Which area(s) are affected? (Select all that apply)

Backend

Auth config (if applicable)

import { betterAuth } from "better-auth"
export const auth = betterAuth({
  emailAndPassword: {  
    enabled: true
  },
});

Additional context

No response

Originally created by @MariuzM on GitHub (Sep 5, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/4459 ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce I have business case where when user sing up with google social login, i need to get an email their where using so then i can check in database against some records and then continue allow social login or throw error ### Current vs. Expected behavior Ability to get email when user is doing social login ### What version of Better Auth are you using? 1.3.7 ### System info ```bash { "system": { "platform": "darwin", "arch": "arm64", "version": "Darwin Kernel Version 24.6.0: Mon Jul 14 11:30:29 PDT 2025; root:xnu-11417.140.69~1/RELEASE_ARM64_T6000", "release": "24.6.0", "cpuCount": 10, "cpuModel": "Apple M1 Max", "totalMemory": "64.00 GB", "freeMemory": "30.31 GB" }, "node": { "version": "v24.7.0", "env": "development" }, "packageManager": { "name": "npm", "version": "11.5.1" }, "frameworks": [ { "name": "fastify", "version": "^5.5.0" } ], "databases": [ { "name": "pg", "version": "^8.16.3" }, { "name": "postgres", "version": "^3.4.7" }, { "name": "drizzle", "version": "^0.44.5" }, { "name": "kysely", "version": "^0.28.5" } ], "betterAuth": { "version": "Unknown", "config": null } } ``` ### Which area(s) are affected? (Select all that apply) Backend ### Auth config (if applicable) ```typescript import { betterAuth } from "better-auth" export const auth = betterAuth({ emailAndPassword: { enabled: true }, }); ``` ### Additional context _No response_
GiteaMirror added the locked label 2026-04-15 17:04:22 -05:00
GiteaMirror commented 2026-04-15 17:04:24 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Sep 5, 2025):

To get the user's email during Google social login with Better Auth, you need to enable the Google provider in your config and ensure the scopes include "email", "profile", and "openid" (these are included by default). The user's email is extracted from the Google profile after authentication and is accessible via the mapProfileToUser function in the provider config, which lets you run custom logic—like checking the email against your database before allowing login or throwing an error if needed. Here’s a simplified example:

import { betterAuth } from "better-auth";

export const auth = betterAuth({
  socialProviders: {
    google: {
      clientId: process.env.GOOGLE_CLIENT_ID!,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET!,
      mapProfileToUser: async (profile) => {
        // profile.email contains the user's email
        const userExists = await checkUserInDatabase(profile.email);
        if (!userExists) throw new Error("User not allowed");
        return { email: profile.email };
      },
    },
  },
});

Make sure your Google Cloud Console OAuth app is set up with the correct callback URL (usually /api/auth/callback/google) and the required scopes. The mapProfileToUser hook is the recommended place to intercept the flow and run your database check using the extracted email. If the email is missing, Better Auth will log an error and redirect with an email_is_missing error [source].

If you want to block users whose email matches an existing credential account but isn’t linked, you can implement that logic in this hook as well [source].

Let me know if you need a more detailed example for your specific database!

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Chat with Dosu Join Discord Share on X

<!-- gh-comment-id:3258338223 --> @dosubot[bot] commented on GitHub (Sep 5, 2025): <!-- Answer --> To get the user's email during Google social login with Better Auth, you need to enable the Google provider in your config and ensure the scopes include `"email"`, `"profile"`, and `"openid"` (these are included by default). The user's email is extracted from the Google profile after authentication and is accessible via the `mapProfileToUser` function in the provider config, which lets you run custom logic—like checking the email against your database before allowing login or throwing an error if needed. Here’s a simplified example: ```typescript import { betterAuth } from "better-auth"; export const auth = betterAuth({ socialProviders: { google: { clientId: process.env.GOOGLE_CLIENT_ID!, clientSecret: process.env.GOOGLE_CLIENT_SECRET!, mapProfileToUser: async (profile) => { // profile.email contains the user's email const userExists = await checkUserInDatabase(profile.email); if (!userExists) throw new Error("User not allowed"); return { email: profile.email }; }, }, }, }); ``` Make sure your Google Cloud Console OAuth app is set up with the correct callback URL (usually `/api/auth/callback/google`) and the required scopes. The `mapProfileToUser` hook is the recommended place to intercept the flow and run your database check using the extracted email. If the email is missing, Better Auth will log an error and redirect with an `email_is_missing` error [[source]](https://github.com/better-auth/better-auth/blob/e812142c6cb91a65bba022b77f1176f7cca6dff2/packages/better-auth/src/social-providers/google.ts). If you want to block users whose email matches an existing credential account but isn’t linked, you can implement that logic in this hook as well [[source]](https://github.com/better-auth/better-auth/issues/1745). Let me know if you need a more detailed example for your specific database! <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/68d3560d-de61-447a-a925-3b4a82e830f3?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/68d3560d-de61-447a-a925-3b4a82e830f3?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/68d3560d-de61-447a-a925-3b4a82e830f3?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/68d3560d-de61-447a-a925-3b4a82e830f3?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/68d3560d-de61-447a-a925-3b4a82e830f3?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/68d3560d-de61-447a-a925-3b4a82e830f3?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/68d3560d-de61-447a-a925-3b4a82e830f3?feedback_type=other)</sup>&nbsp;&nbsp;[![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/4459)
GiteaMirror commented 2026-04-15 17:04:25 -05:00
Author
Owner
Copy Link

@MariuzM commented on GitHub (Sep 5, 2025):

@dosu how can i return a custom callback url for example have query param in header ?error=INVALID_EMAIL ?

<!-- gh-comment-id:3258359685 --> @MariuzM commented on GitHub (Sep 5, 2025): @dosu how can i return a custom callback url for example have query param in header ?error=INVALID_EMAIL ?
GiteaMirror commented 2026-04-15 17:04:26 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Sep 5, 2025):

You can customize the error code in the callback URL by throwing a custom error in your mapProfileToUser function or similar hooks. For example, if you throw an error like throw new Error("INVALID_EMAIL"), Better Auth will redirect to the callback URL with ?error=INVALID_EMAIL as a query parameter. This lets you handle specific error states on your frontend by reading the error code from the URL.

However, you can't fully control the entire redirect URL or add arbitrary custom query parameters from within mapProfileToUser—only the error code is supported in this way. If you need more advanced redirect logic, you would need to implement deeper customization, such as a plugin or custom handler logic in your backend. For most use cases, setting a custom error code is the standard approach and works well for frontend error handling.
Reference

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Chat with Dosu Join Discord Share on X

<!-- gh-comment-id:3258371807 --> @dosubot[bot] commented on GitHub (Sep 5, 2025): <!-- Answer --> You can customize the error code in the callback URL by throwing a custom error in your mapProfileToUser function or similar hooks. For example, if you throw an error like throw new Error("INVALID_EMAIL"), Better Auth will redirect to the callback URL with ?error=INVALID_EMAIL as a query parameter. This lets you handle specific error states on your frontend by reading the error code from the URL. However, you can't fully control the entire redirect URL or add arbitrary custom query parameters from within mapProfileToUser—only the error code is supported in this way. If you need more advanced redirect logic, you would need to implement deeper customization, such as a plugin or custom handler logic in your backend. For most use cases, setting a custom error code is the standard approach and works well for frontend error handling. [Reference](https://github.com/better-auth/better-auth/blob/e812142c6cb91a65bba022b77f1176f7cca6dff2/packages/better-auth/src/social-providers/google.ts) <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/637d9d45-4635-4748-934c-b2d99e290c59?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/637d9d45-4635-4748-934c-b2d99e290c59?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/637d9d45-4635-4748-934c-b2d99e290c59?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/637d9d45-4635-4748-934c-b2d99e290c59?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/637d9d45-4635-4748-934c-b2d99e290c59?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/637d9d45-4635-4748-934c-b2d99e290c59?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/637d9d45-4635-4748-934c-b2d99e290c59?feedback_type=other)</sup>&nbsp;&nbsp;[![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/4459)
GiteaMirror commented 2026-04-15 17:04:28 -05:00
Author
Owner
Copy Link

@MariuzM commented on GitHub (Sep 5, 2025):

@dosu not really working like that

  socialProviders: {
    google: {
      clientId: process.env.GOOGLE_CLIENT_ID,
      clientSecret: process.env.GOOGLE_CLIENT_SECRET,
      mapProfileToUser: async (profile) => {
        const userExists = false
        if (!userExists) throw new Error('INVALID_EMAIL')
        return { email: profile.email }
      },
    },
  },

and the url I'm getting is this

http://localhost:3000/api/auth/callback/google?state=y48J_B55bFqpLTJS93SGTwChiuA5hUogt&code=4%2F0AVMBsJhROmg3PB8oxpV2MS3FEl71RY7yYwtjGRgYzIMmBN6kEpKw7WzxeXa2YJDeEJSSzfvw&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid&authuser=0&prompt=none
<!-- gh-comment-id:3258380508 --> @MariuzM commented on GitHub (Sep 5, 2025): @dosu not really working like that ``` socialProviders: { google: { clientId: process.env.GOOGLE_CLIENT_ID, clientSecret: process.env.GOOGLE_CLIENT_SECRET, mapProfileToUser: async (profile) => { const userExists = false if (!userExists) throw new Error('INVALID_EMAIL') return { email: profile.email } }, }, }, ``` and the url I'm getting is this ``` http://localhost:3000/api/auth/callback/google?state=y48J_B55bFqpLTJS93SGTwChiuA5hUogt&code=4%2F0AVMBsJhROmg3PB8oxpV2MS3FEl71RY7yYwtjGRgYzIMmBN6kEpKw7WzxeXa2YJDeEJSSzfvw&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+openid&authuser=0&prompt=none ```
GiteaMirror commented 2026-04-15 17:04:29 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Sep 5, 2025):

Throwing an error in mapProfileToUser (like throw new Error('INVALID_EMAIL')) does not automatically add ?error=INVALID_EMAIL to the callback URL in Better Auth. The framework handles errors internally and typically stops the OAuth flow, but the callback URL you see will only have the standard OAuth parameters (state, code, scope, etc.), not your custom error code as a query parameter.

If you need the error code to appear in the callback URL, you’ll likely need to implement a custom error handler or middleware in your backend to catch the error and perform a redirect with the desired query parameter yourself. Better Auth does not natively support customizing the callback URL with arbitrary error codes from within mapProfileToUser—this would require deeper customization or overriding core handler logic. Reference

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Chat with Dosu Join Discord Share on X

<!-- gh-comment-id:3258388408 --> @dosubot[bot] commented on GitHub (Sep 5, 2025): <!-- Answer --> Throwing an error in mapProfileToUser (like `throw new Error('INVALID_EMAIL')`) does not automatically add `?error=INVALID_EMAIL` to the callback URL in Better Auth. The framework handles errors internally and typically stops the OAuth flow, but the callback URL you see will only have the standard OAuth parameters (state, code, scope, etc.), not your custom error code as a query parameter. If you need the error code to appear in the callback URL, you’ll likely need to implement a custom error handler or middleware in your backend to catch the error and perform a redirect with the desired query parameter yourself. Better Auth does not natively support customizing the callback URL with arbitrary error codes from within mapProfileToUser—this would require deeper customization or overriding core handler logic. [Reference](https://github.com/better-auth/better-auth/blob/e812142c6cb91a65bba022b77f1176f7cca6dff2/packages/better-auth/src/social-providers/google.ts) <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/5a0a3ba9-68a1-4e91-ac73-d8474f4f9f02?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/5a0a3ba9-68a1-4e91-ac73-d8474f4f9f02?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/5a0a3ba9-68a1-4e91-ac73-d8474f4f9f02?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/5a0a3ba9-68a1-4e91-ac73-d8474f4f9f02?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/5a0a3ba9-68a1-4e91-ac73-d8474f4f9f02?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/5a0a3ba9-68a1-4e91-ac73-d8474f4f9f02?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/5a0a3ba9-68a1-4e91-ac73-d8474f4f9f02?feedback_type=other)</sup>&nbsp;&nbsp;[![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/4459)
GiteaMirror commented 2026-04-15 17:04:30 -05:00
Author
Owner
Copy Link

@Kinfe123 commented on GitHub (Sep 9, 2025):

the goal is to disable the signup ? or what is the usecase. you want to append the query params on the google callback url ?

<!-- gh-comment-id:3270845873 --> @Kinfe123 commented on GitHub (Sep 9, 2025): the goal is to disable the signup ? or what is the usecase. you want to append the query params on the google callback url ?
GiteaMirror commented 2026-04-15 17:04:30 -05:00
Author
Owner
Copy Link

@Abhishek21k commented on GitHub (Oct 30, 2025):

the goal is to disable the signup ? or what is the usecase. you want to append the query params on the google callback url ?

yes, i was looking for simlar usecase, where i can check the user is valid or not and then show a error msg of INVALID_USER

<!-- gh-comment-id:3469801357 --> @Abhishek21k commented on GitHub (Oct 30, 2025): > the goal is to disable the signup ? or what is the usecase. you want to append the query params on the google callback url ? yes, i was looking for simlar usecase, where i can check the user is valid or not and then show a error msg of INVALID_USER
GiteaMirror commented 2026-04-15 17:04:31 -05:00
Author
Owner
Copy Link

@better-auth-agent[bot] commented on GitHub (Oct 30, 2025):

You can achieve this by ensuring that your Google OAuth configuration is set up to request the user’s email and then leveraging a hook (like an after hook) in your Better Auth configuration to check that email before proceeding. For instance, verify that your Google app and Better Auth social provider configuration include the “email” scope so that Google returns the user’s email when a social login occurs. Once the email is available, you can check it against your database and, if it doesn’t meet your criteria, trigger an error callback (such as returning an error message “INVALID_USER”) to effectively disable the signup for that case [1].

Next steps:

  1. Confirm your Google OAuth settings include the ‘email’ scope.
  2. Update your Better Auth configuration to include the social provider settings if not already added.
  3. Implement a hook (for example in the after callback) to inspect the returned email and perform your database check.
  4. If the check fails, return an error response and prevent login/signup.

This approach aligns with the similar use case where you need to validate the user’s email during a Google social login flow before completing the authentication process [1].

DiagramDiscordGitHub

Diagram Join Star

<!-- gh-comment-id:3469802345 --> @better-auth-agent[bot] commented on GitHub (Oct 30, 2025): You can achieve this by ensuring that your Google OAuth configuration is set up to request the user’s email and then leveraging a hook (like an after hook) in your Better Auth configuration to check that email before proceeding. For instance, verify that your Google app and Better Auth social provider configuration include the “email” scope so that Google returns the user’s email when a social login occurs. Once the email is available, you can check it against your database and, if it doesn’t meet your criteria, trigger an error callback (such as returning an error message “INVALID_USER”) to effectively disable the signup for that case [[1]](https://github.com/better-auth/better-auth/issues/4459). Next steps: 1. Confirm your Google OAuth settings include the ‘email’ scope. 2. Update your Better Auth configuration to include the social provider settings if not already added. 3. Implement a hook (for example in the after callback) to inspect the returned email and perform your database check. 4. If the check fails, return an error response and prevent login/signup. This approach aligns with the similar use case where you need to validate the user’s email during a Google social login flow before completing the authentication process [[1]](https://github.com/better-auth/better-auth/issues/4459). <!-- bot:webhook reply v1 --> [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)
GiteaMirror commented 2026-04-15 17:04:32 -05:00
Author
Owner
Copy Link

@Abhishek21k commented on GitHub (Oct 30, 2025):

You can achieve this by ensuring that your Google OAuth configuration is set up to request the user’s email and then leveraging a hook (like an after hook) in your Better Auth configuration to check that email before proceeding. For instance, verify that your Google app and Better Auth social provider configuration include the “email” scope so that Google returns the user’s email when a social login occurs. Once the email is available, you can check it against your database and, if it doesn’t meet your criteria, trigger an error callback (such as returning an error message “INVALID_USER”) to effectively disable the signup for that case [1].

Next steps:

  1. Confirm your Google OAuth settings include the ‘email’ scope.
  2. Update your Better Auth configuration to include the social provider settings if not already added.
  3. Implement a hook (for example in the after callback) to inspect the returned email and perform your database check.
  4. If the check fails, return an error response and prevent login/signup.

This approach aligns with the similar use case where you need to validate the user’s email during a Google social login flow before completing the authentication process [1].

DiagramDiscordGitHub

Diagram Join Star

bro you just made the reference to this same issue

<!-- gh-comment-id:3469838053 --> @Abhishek21k commented on GitHub (Oct 30, 2025): > You can achieve this by ensuring that your Google OAuth configuration is set up to request the user’s email and then leveraging a hook (like an after hook) in your Better Auth configuration to check that email before proceeding. For instance, verify that your Google app and Better Auth social provider configuration include the “email” scope so that Google returns the user’s email when a social login occurs. Once the email is available, you can check it against your database and, if it doesn’t meet your criteria, trigger an error callback (such as returning an error message “INVALID_USER”) to effectively disable the signup for that case [[1]](https://github.com/better-auth/better-auth/issues/4459). > > Next steps: > > 1. Confirm your Google OAuth settings include the ‘email’ scope. > 2. Update your Better Auth configuration to include the social provider settings if not already added. > 3. Implement a hook (for example in the after callback) to inspect the returned email and perform your database check. > 4. If the check fails, return an error response and prevent login/signup. > > This approach aligns with the similar use case where you need to validate the user’s email during a Google social login flow before completing the authentication process [[1]](https://github.com/better-auth/better-auth/issues/4459). > > [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) > > [![Diagram](https://camo.githubusercontent.com/278c71f8bd0ffa762d381609b9758b6bf4e7793371f510c36591ac7fca3b0f2e/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f4469616772616d2d3262333133373f7374796c653d666c61742d737175617265)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://camo.githubusercontent.com/8a9575fbb02d0ccd0430ba84c6f263f2bedc76dce345f35a8e42bc3f5d733fe2/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f6a6f696e2d3538363546323f6c6f676f3d646973636f7264266c6f676f436f6c6f723d7768697465267374796c653d666c61742d737175617265)](https://discord.gg/better-auth) [![Star](https://camo.githubusercontent.com/9b5328a1d305f67c94b8ae6dc4bfb8c58b36148ac58f574cca7272d730f6b7a1/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f737461722d3138313731373f6c6f676f3d676974687562266c6f676f436f6c6f723d7768697465267374796c653d666c61742d737175617265)](https://github.com/better-auth/better-auth) bro you just made the reference to this same issue
GiteaMirror commented 2026-04-15 17:04:34 -05:00
Author
Owner
Copy Link

@better-auth-agent[bot] commented on GitHub (Oct 30, 2025):

To troubleshoot and resolve the issue, follow these steps:

  1. Verify that your Google OAuth configuration explicitly requests the email scope. In your Better Auth configuration, ensure that the Google provider settings include "email" as part of the scopes, so that Google returns the user’s email upon login [1].

  2. Confirm that your Google app (in your Google Cloud Console) is set up correctly to allow access to the email. This often means checking that the OAuth consent screen and scopes include the email permission.

  3. In your Better Auth setup, consider adding a custom hook (for example, an "after" hook) that inspects the returned user object on social sign in. In this hook, confirm that the email field is present. If it’s missing or the email doesn’t match your database criteria, you can then trigger an error or stop the sign-in process [1].

  4. Optionally, you might also want to check the logs or any error messages during sign in to see if the email is being filtered out due to misconfiguration.

By ensuring that your OAuth scopes and Google settings are correct and by adding a check in the hook, you’ll be able to retrieve and verify the user’s email before completing the login/signup flow. Let me know if you need further assistance with implementation details.

DiagramDiscordGitHub

Diagram Join Star

<!-- gh-comment-id:3469840274 --> @better-auth-agent[bot] commented on GitHub (Oct 30, 2025): To troubleshoot and resolve the issue, follow these steps: 1. Verify that your Google OAuth configuration explicitly requests the email scope. In your Better Auth configuration, ensure that the Google provider settings include "email" as part of the scopes, so that Google returns the user’s email upon login [[1]](https://github.com/better-auth/better-auth/issues/4459). 2. Confirm that your Google app (in your Google Cloud Console) is set up correctly to allow access to the email. This often means checking that the OAuth consent screen and scopes include the email permission. 3. In your Better Auth setup, consider adding a custom hook (for example, an "after" hook) that inspects the returned user object on social sign in. In this hook, confirm that the email field is present. If it’s missing or the email doesn’t match your database criteria, you can then trigger an error or stop the sign-in process [[1]](https://github.com/better-auth/better-auth/issues/4459). 4. Optionally, you might also want to check the logs or any error messages during sign in to see if the email is being filtered out due to misconfiguration. By ensuring that your OAuth scopes and Google settings are correct and by adding a check in the hook, you’ll be able to retrieve and verify the user’s email before completing the login/signup flow. Let me know if you need further assistance with implementation details. <!-- bot:webhook reply v1 --> [Diagram](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) • [Discord](https://discord.gg/better-auth) • [GitHub](https://github.com/better-auth/better-auth) [![Diagram](https://img.shields.io/badge/Diagram-2b3137?style=flat-square)](https://repodiagrams.s3.eu-north-1.amazonaws.com/better-auth_ultra_detailed_interactive.html) [![Join](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&style=flat-square)](https://discord.gg/better-auth) [![Star](https://img.shields.io/badge/star-181717?logo=github&logoColor=white&style=flat-square)](https://github.com/better-auth/better-auth)
GiteaMirror commented 2026-04-15 17:04:35 -05:00
Author
Owner
Copy Link

@cvienna commented on GitHub (Jan 1, 2026):

I have almost the same issue. I'm using account linking. So there is 1 user with any amount of accounts linked to it (linked using OAuth).

And I want to retrieve the email per account, since every account has a different email.

Is this even possible? I know it's technically possible using some very hacky solutions by implementing new custom tables, but there must be a more clean, built-in approach to do this.

Any help or nudge in the right direction would be greatly appreciated.

<!-- gh-comment-id:3703433959 --> @cvienna commented on GitHub (Jan 1, 2026): I have **almost the same issue**. I'm using account linking. So there is 1 user with any amount of accounts linked to it (linked using OAuth). And I want to retrieve the email **per account**, since **every account** has a **different email**. Is this even possible? I know it's **technically possible** using some very hacky solutions by implementing new custom tables, but there must be a more **clean, built-in approach** to do this. Any help or nudge in the right direction would be **greatly appreciated**.
GiteaMirror commented 2026-04-15 17:04:36 -05:00
Author
Owner
Copy Link

@ping-maxwell commented on GitHub (Mar 26, 2026):

within your google oauth config, there is a mapProfileToUser option which allows you to grab their email and then throw an error based on that data, when thrown it will stop the sign-up process.
https://better-auth.com/docs/concepts/oauth#mapprofiletouser

<!-- gh-comment-id:4137904899 --> @ping-maxwell commented on GitHub (Mar 26, 2026): within your google oauth config, there is a `mapProfileToUser` option which allows you to grab their email and then throw an error based on that data, when thrown it will stop the sign-up process. https://better-auth.com/docs/concepts/oauth#mapprofiletouser
GiteaMirror commented 2026-04-15 17:04:36 -05:00
Author
Owner
Copy Link

@github-actions[bot] commented on GitHub (Apr 3, 2026):

This issue has been locked as it was closed more than 7 days ago. If you're experiencing a similar problem or you have additional context, please open a new issue and reference this one.

<!-- gh-comment-id:4181127122 --> @github-actions[bot] commented on GitHub (Apr 3, 2026): This issue has been locked as it was closed more than 7 days ago. If you're experiencing a similar problem or you have additional context, please open a new issue and reference this one.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
Mirrored from GitHub Pull Request
 question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
No Label locked
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#18570
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?