github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-23 07:18:56 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

[GH-ISSUE #4594] OIDC plugin: oidc_login_prompt not cleared after login, causing main app logins to redirect to client #18623

New Issue
Closed
opened 2026-04-15 17:10:56 -05:00 by GiteaMirror · 4 comments
GiteaMirror commented 2026-04-15 17:10:56 -05:00
Owner
Copy Link

Originally created by @humemm on GitHub (Sep 11, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/4594

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

  1. Start an OIDC login from a client app (RP) so the OP sets oidc_login_prompt cookie.
  2. Complete login successfully (session is created).
  3. Later visit the main app’s /login and sign in normally.
  4. You’re redirected to the OIDC client app instead of staying in the main app.

Current vs. Expected behavior

Current: The oidc_login_prompt cookie remains after a successful login, causing subsequent main-app logins to redirect to the OIDC client.

Expected: The plugin clears oidc_login_prompt upon successful login so normal main-app logins land in the main app; the cookie should only influence an active OIDC flow.

What version of Better Auth are you using?

1.3.9

System info

{
  "system": {
    "platform": "linux",
    "arch": "x64"
  },
  "node": {
    "version": "v22.18.0",
    "env": "development"
  },
  "packageManager": {
    "name": "pnpm",
    "version": "10.15.1"
  },
  "frameworks": null,
  "databases": null,
  "betterAuth": {
    "version": "1.3.9",
    "config": null
  }
}

Which area(s) are affected? (Select all that apply)

Backend

Auth config (if applicable)

import { betterAuth } from "better-auth"
export const auth = betterAuth({
  emailAndPassword: {  
    enabled: true
  },
});

Additional context

No response

Originally created by @humemm on GitHub (Sep 11, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/4594 ### Is this suited for github? - [ ] Yes, this is suited for github ### To Reproduce 1. Start an OIDC login from a client app (RP) so the OP sets `oidc_login_prompt` cookie. 2. Complete login successfully (session is created). 3. Later visit the main app’s `/login` and sign in normally. 4. You’re redirected to the OIDC client app instead of staying in the main app. ### Current vs. Expected behavior **Current:** The `oidc_login_prompt` cookie remains after a successful login, causing subsequent main-app logins to redirect to the OIDC client. **Expected:** The plugin clears `oidc_login_prompt` upon successful login so normal main-app logins land in the main app; the cookie should only influence an active OIDC flow. ### What version of Better Auth are you using? 1.3.9 ### System info ```bash { "system": { "platform": "linux", "arch": "x64" }, "node": { "version": "v22.18.0", "env": "development" }, "packageManager": { "name": "pnpm", "version": "10.15.1" }, "frameworks": null, "databases": null, "betterAuth": { "version": "1.3.9", "config": null } } ``` ### Which area(s) are affected? (Select all that apply) Backend ### Auth config (if applicable) ```typescript import { betterAuth } from "better-auth" export const auth = betterAuth({ emailAndPassword: { enabled: true }, }); ``` ### Additional context _No response_
GiteaMirror added the locked label 2026-04-15 17:10:56 -05:00
GiteaMirror commented 2026-04-15 17:11:00 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Sep 11, 2025):

This is a known gap in the current OIDC plugin logic. The oidc_login_prompt cookie is only cleared after a successful OIDC login flow, not after a normal main app login. As a result, if the cookie remains set, subsequent logins to the main app will continue to redirect to the OIDC client, which is not the intended behavior. There is no global post-login handler or middleware in Better Auth v1.3.9 that clears this cookie after any successful login, so the issue persists unless the login is part of an OIDC flow see code reference.

A workaround is to add custom middleware to your main app's login route that explicitly clears the oidc_login_prompt cookie after any successful login. This ensures the cookie only affects active OIDC flows and doesn't cause unwanted redirects for standard logins. There are cookie management utilities in Better Auth you can use for this, but you'll need to implement the clearing logic yourself since it's not handled by default see cookie management code.

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Chat with Dosu Join Discord Share on X

<!-- gh-comment-id:3282864079 --> @dosubot[bot] commented on GitHub (Sep 11, 2025): <!-- Answer --> This is a known gap in the current OIDC plugin logic. The `oidc_login_prompt` cookie is only cleared after a successful OIDC login flow, not after a normal main app login. As a result, if the cookie remains set, subsequent logins to the main app will continue to redirect to the OIDC client, which is not the intended behavior. There is no global post-login handler or middleware in Better Auth v1.3.9 that clears this cookie after any successful login, so the issue persists unless the login is part of an OIDC flow [see code reference](https://github.com/better-auth/better-auth/blob/dcac3c7e71e9694f641f9ed567c3c980c46e937c/packages/better-auth/src/plugins/oidc-provider/index.ts). A workaround is to add custom middleware to your main app's login route that explicitly clears the `oidc_login_prompt` cookie after any successful login. This ensures the cookie only affects active OIDC flows and doesn't cause unwanted redirects for standard logins. There are cookie management utilities in Better Auth you can use for this, but you'll need to implement the clearing logic yourself since it's not handled by default [see cookie management code](https://github.com/better-auth/better-auth/blob/dcac3c7e71e9694f641f9ed567c3c980c46e937c/packages/better-auth/src/cookies/index.ts). <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/57946388-2558-4954-a040-aea655a61b61?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/57946388-2558-4954-a040-aea655a61b61?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/57946388-2558-4954-a040-aea655a61b61?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/57946388-2558-4954-a040-aea655a61b61?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/57946388-2558-4954-a040-aea655a61b61?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/57946388-2558-4954-a040-aea655a61b61?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/57946388-2558-4954-a040-aea655a61b61?feedback_type=other)</sup>&nbsp;&nbsp;[![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/4594)
GiteaMirror commented 2026-04-15 17:11:01 -05:00
Author
Owner
Copy Link

@humemm commented on GitHub (Sep 11, 2025):

@dosu this is what the issue is about, the cookie is not cleared after successful OIDC login flow.

<!-- gh-comment-id:3282869176 --> @humemm commented on GitHub (Sep 11, 2025): @dosu this is what the issue is about, the cookie is not cleared after successful OIDC login flow.
GiteaMirror commented 2026-04-15 17:11:01 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Sep 11, 2025):

You're right—this is a bug in the current OIDC plugin logic. The code only clears the oidc_login_prompt cookie if both the cookie and a session token are present in the response cookies, which is supposed to indicate a successful OIDC login. However, if the login flow involves a redirect (which is common), the after-hook middleware responsible for clearing the cookie may not run immediately, causing the cookie to persist even after a successful OIDC login. This can lead to the unwanted redirect behavior you described in subsequent logins see code reference.

There’s no workaround built into Better Auth v1.3.9 for this, so you’ll need to add custom middleware to explicitly clear the oidc_login_prompt cookie after any successful login (OIDC or otherwise) to prevent it from leaking into unrelated flows. This gap isn’t documented or covered by tests, which is why it’s persisted.

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Chat with Dosu Join Discord Share on X

<!-- gh-comment-id:3282880970 --> @dosubot[bot] commented on GitHub (Sep 11, 2025): <!-- Answer --> You're right—this is a bug in the current OIDC plugin logic. The code only clears the `oidc_login_prompt` cookie if both the cookie and a session token are present in the response cookies, which is supposed to indicate a successful OIDC login. However, if the login flow involves a redirect (which is common), the after-hook middleware responsible for clearing the cookie may not run immediately, causing the cookie to persist even after a successful OIDC login. This can lead to the unwanted redirect behavior you described in subsequent logins [see code reference](https://github.com/better-auth/better-auth/blob/dcac3c7e71e9694f641f9ed567c3c980c46e937c/packages/better-auth/src/plugins/oidc-provider/index.ts). There’s no workaround built into Better Auth v1.3.9 for this, so you’ll need to add custom middleware to explicitly clear the `oidc_login_prompt` cookie after any successful login (OIDC or otherwise) to prevent it from leaking into unrelated flows. This gap isn’t documented or covered by tests, which is why it’s persisted. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/69e54f15-6fe5-43bd-a84c-34c9b270a83e?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/69e54f15-6fe5-43bd-a84c-34c9b270a83e?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/69e54f15-6fe5-43bd-a84c-34c9b270a83e?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/69e54f15-6fe5-43bd-a84c-34c9b270a83e?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/69e54f15-6fe5-43bd-a84c-34c9b270a83e?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/69e54f15-6fe5-43bd-a84c-34c9b270a83e?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/69e54f15-6fe5-43bd-a84c-34c9b270a83e?feedback_type=other)</sup>&nbsp;&nbsp;[![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/4594)
GiteaMirror commented 2026-04-15 17:11:03 -05:00
Author
Owner
Copy Link

@elmdecoste commented on GitHub (Oct 20, 2025):

This is also causing us problems, @Bekacru do you have an ETA on getting that PR merged?

<!-- gh-comment-id:3423097956 --> @elmdecoste commented on GitHub (Oct 20, 2025): This is also causing us problems, @Bekacru do you have an ETA on getting that PR merged?
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
Mirrored from GitHub Pull Request
 question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
No Label locked
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#18623
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?