[GH-ISSUE #6350] Device Authorization endpoints don't accept RFC 8628 compliant requests #19122

Closed
opened 2026-04-15 17:54:57 -05:00 by GiteaMirror · 2 comments

Originally created by @bcheung on GitHub (Nov 27, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/6350

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

A minimal api set up with the deviceAuthorization plugin:

# RFC 8628 compliant request - returns 415
curl -X POST http://localhost:3000/api/auth/device/code \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id=my-cli"

# Works, but not RFC compliant
curl -X POST http://localhost:3000/api/auth/device/code \
  -H "Content-Type: application/json" \
  -d '{"client_id":"my-cli"}'

Current vs. Expected behavior

Current behavior:
Better Auth only accepts application/json, returning HTTP 415 for spec-compliant requests.
Standard OAuth libraries like openid-client (OpenID Certified) fail with HTTP 415.

Expected behavior:
Clients following RFC 8628 (OAuth 2.0 Device Authorization Grant) should be compatible with Better Auth using the deviceAuthorization plugin.

What version of Better Auth are you using?

1.4.2

System info

N/A

Which area(s) are affected? (Select all that apply)

Client

Auth config (if applicable)

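import { betterAuth } from "better-auth"
import { deviceAuthorization } from "better-auth/plugins"

export const auth = betterAuth({
  // ... (rest of the configuration elided)
  plugins: [
    // Enables the device authorization endpoints (e.g. /api/auth/device/code)
    deviceAuthorization({
      verificationUri: `${env.BETTER_AUTH_URL}/auth/device`,
      expiresIn: "15m",
    }),
  ],
});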

Additional context

RFC 8628 (OAuth 2.0 Device Authorization Grant) Section 3.1 (https://datatracker.ietf.org/doc/html/rfc8628#section-3.1) requires requests to use application/x-www-form-urlencoded.

Better Auth only accepts application/json, returning HTTP 415 for spec-compliant requests.
While this is fine if the client uses the Better Auth auth client, this breaks interoperability with existing OAuth tooling that doesn't use it.

Suggestion:
Server with the deviceAuthorization plugin should accept the spec-compliant format: application/x-www-form-urlencoded

GiteaMirror added the locked and enhancement labels 2026-04-15 17:54:57 -05:00

@better-auth-agent[bot] commented on GitHub (Nov 27, 2025):

Hi there, thanks for raising this issue! It looks like our deviceAuthorization plugin currently only accepts JSON payloads for device code requests, which results in an HTTP 415 error when a spec-compliant application/x-www-form-urlencoded request is sent. RFC 8628 Section 3.1 requires that requests use the form URL-encoded format, and we appreciate you highlighting this interoperability issue with common OAuth libraries.

As a next step, our team will review and consider updating the endpoint to support application/x-www-form-urlencoded payloads. In the meantime, you might continue using the JSON format if that’s an option for your integration, or you can add a middleware to transform the form payload into JSON before hitting the endpoint.

Do you see any other specific behaviors or challenges when using the form-encoded requests? Tag @better-auth-agent if you would like an answer from the Agent.

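The workaround mentioned in the reply above (transforming the form payload into JSON before it reaches the endpoint), as an added example that is not Better Auth code and not part of the original thread. `formBodyToJson`, `withFormSupport`, the 4096-character cap and the `/device/` path filter are assumptions; the parameter names are those defined by RFC 8628.

```typescript
// Added example, not Better Auth code. Parameter names are from RFC 8628.
const FORM_TYPE = "application/x-www-form-urlencoded";
const FORWARDED = ["client_id", "scope", "grant_type", "device_code"];
const MAX_BODY_CHARS = 4096; // assumed cap; device-flow bodies are tiny

interface Converted { status: number; body: string } // 200: body is JSON to forward

function oauthError(status: number, description: string): Converted {
  return { status, body: JSON.stringify({ error: "invalid_request", error_description: description }) };
}

// Pure step: Content-Type header value and raw body in, JSON body or rejection out.
function formBodyToJson(contentType: string | null, rawBody: string): Converted {
  // Match on the media type only, so "...; charset=UTF-8" is still accepted.
  const mediaType = (contentType || "").split(";")[0].trim().toLowerCase();
  if (mediaType !== FORM_TYPE) return oauthError(415, "unsupported media type");
  if (rawBody.length > MAX_BODY_CHARS) return oauthError(413, "request body too large");
  const fields: Record<string, string> = {};
  let duplicate = "";
  new URLSearchParams(rawBody).forEach((value, key) => {
    if (FORWARDED.indexOf(key) === -1) return; // unrecognized parameters are dropped
    if (Object.prototype.hasOwnProperty.call(fields, key)) duplicate = key;
    else fields[key] = value;
  });
  // RFC 6749 forbids repeating a parameter; refusing avoids first-vs-last ambiguity.
  if (duplicate) return oauthError(400, "duplicate parameter: " + duplicate);
  return { status: 200, body: JSON.stringify(fields) };
}

// Wiring for a Fetch-style handler. `handler` is a stand-in for whatever serves
// /api/auth, and the "/device/" path filter is an assumption.
function withFormSupport(handler: (req: Request) => Promise<Response>) {
  return (req: Request): Promise<Response> => {
    const type = req.headers.get("content-type");
    const isForm = (type || "").toLowerCase().indexOf(FORM_TYPE) === 0;
    const isDevicePath = new URL(req.url).pathname.indexOf("/device/") !== -1;
    if (req.method !== "POST" || !isForm || !isDevicePath) return handler(req);
    return req.text().then((raw): Response | Promise<Response> => {
      const result = formBodyToJson(type, raw);
      const json = { "content-type": "application/json" };
      if (result.status !== 200) return new Response(result.body, { status: result.status, headers: json });
      const headers = new Headers(req.headers); // keep the caller's other headers
      headers.set("content-type", "application/json");
      headers.delete("content-length"); // the body length has changed
      return handler(new Request(req.url, { method: "POST", headers, body: result.body }));
    });
  };
}
```

JSON requests and non-device paths pass through untouched, so clients already using the JSON format are unaffected.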

@dosubot[bot] commented on GitHub (Feb 26, 2026):

Hi, @bcheung. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary:

  • You reported that the deviceAuthorization plugin only accepts application/json requests, causing HTTP 415 errors for RFC 8628-compliant application/x-www-form-urlencoded requests.
  • The Better Auth team confirmed the plugin currently supports only JSON payloads, which conflicts with RFC 8628 requirements.
  • The team acknowledged the compatibility issue and plans to review updating the endpoint to support form URL-encoded payloads.
  • Suggested workarounds include using middleware to transform requests in the meantime.
  • The team invited further feedback on any other challenges related to form-encoded requests.

Next Steps:

  • Please let me know if this issue is still relevant with the latest version of better-auth by commenting here to keep the discussion open.
  • If I don’t hear back within 7 days, I will automatically close this issue.

Thank you for your understanding and contribution!


Reference: github-starred/better-auth#19122