OAuth invalid redirect_uri #2397

Closed
opened 2026-03-13 09:49:57 -05:00 by GiteaMirror · 7 comments
Originally created by @tydolla00 on GitHub (Nov 26, 2025).


Summary

Clicking Sign in with GitHub shows GitHub’s warning page: Be careful! The redirect_uri is not associated with this application. Inspecting the authorize request shows Better Auth is sending redirect_uri=%2Fcallback%2Fgithub, i.e. a relative path.

I’m attempting to follow the next-auth migration guide and believe I’ve successfully set it up. However, for some reason, my redirect URI is invalid. I’m at a loss as to what’s causing this issue. I’ve tried using incognito mode, different browsers, and clearing my cache, but none of these methods seem to resolve the problem. I’ve configured my next app with the URL NEXT_PUBLIC_APP_URL=http://localhost:3000. Both Google and GitHub are configured to http://localhost:3000/api/auth/callback/google and http://localhost:3000/api/auth/callback/github, respectively, through their OAuth configurations.

```
https://github.com/login/oauth/authorize?response_type=code&client_id=${clientId}&scope=read%3Auser+user%3Aemail&redirect_uri=%2Fcallback%2Fgithub
```

Because the redirect URI no longer matches the fully qualified URL we have registered in the GitHub OAuth app, GitHub blocks the flow.

Actual Behavior

  • GitHub rejects the OAuth request, warning that the supplied redirect_uri is not associated with the application because Better Auth encoded /callback/github instead of an absolute URL.
  • Attempting to sign in with Google now yields Access blocked: Authorization Error – Error 400: invalid_request with redirect_uri=/callback/google and flowName=GeneralOAuthFlow, so both providers appear to be affected by the relative redirect.

Expected Behavior

Better Auth should send the fully qualified callback URL (e.g. https://localhost:3000/api/auth/callback/{provider}, matching the value registered with the provider), so the OAuth exchange can finish successfully.

Relevant Configuration

```ts
// src/lib/auth.ts
import { betterAuth } from "better-auth";
// ...
export const auth = betterAuth({
  // ...
  socialProviders: {
    github: {
      clientId: config.AUTH_GITHUB_ID!,
      clientSecret: config.AUTH_GITHUB_SECRET!,
      // redirectUri: "http://localhost:3000/api/auth/callback/github",
    },
    google: {
      clientId: config.AUTH_GOOGLE_ID!,
      clientSecret: config.AUTH_GOOGLE_SECRET!,
    },
  },
  plugins: [nextCookies()],
});
```

Because the explicit redirectUri is commented out, Better Auth appears to fall back to /callback/{provider} rather than inferring the deployed base URL. GitHub rejects the relative path immediately, and Google now responds with invalid_request.

Additional Context

  • Browser: Chrome 131.0.6778.265
  • OS: macOS 15.1 (Apple Silicon)
GiteaMirror added the social-provider label 2026-03-13 09:49:57 -05:00

@better-auth-agent[bot] commented on GitHub (Nov 26, 2025):

Hi there, thanks for raising the issue! It looks like Better Auth is defaulting to a relative callback path because the explicit redirectUri is commented out. To resolve the problem, please try the following steps:

  1. Uncomment or explicitly set the redirectUri for each provider using the fully qualified URL (e.g. "http://localhost:3000/api/auth/callback/github"). This ensures the OAuth flow uses an absolute URL that matches your registered settings [1] (https://github.com/better-auth/better-auth/issues/4125).

  2. Double-check that your NEXT_PUBLIC_APP_URL is correctly set and that no other configuration overrides the redirect URIs.

  3. Verify that any plugins (like nextCookies) aren’t interfering with the expected base URL resolution.

Does this help clarify the next steps? Tag @better-auth-agent if you would like an answer from the Agent.


@tydolla00 commented on GitHub (Nov 26, 2025):

@better-auth-agent uncommenting out the redirect uri line does not work and gives the same error.


@better-auth-agent[bot] commented on GitHub (Nov 26, 2025):

It sounds like Better Auth is still defaulting to a relative path even when you try to override it. Our documentation shows that you can set a fully qualified URL in the socialProviders configuration (for example, "http://localhost:3000/api/auth/callback/github") to ensure that the callback matches what you’ve registered with GitHub [1] (https://github.com/better-auth/better-auth/issues/4125). Since uncommenting the redirectUri field did not resolve the issue, please verify that your NEXT_PUBLIC_APP_URL environment variable is being properly injected into your build and that it matches exactly the URL you have configured in your GitHub app. Also, double-check if any middleware or plugin (such as your nextCookies plugin) might be inadvertently overriding the computed redirect URL.

Have you confirmed that your environment variables are available at runtime and match your configuration in both Better Auth and GitHub? Tag @better-auth-agent if you would like an answer from the Agent.


@akhansari commented on GitHub (Dec 3, 2025):

I have a similar issue, but the generated URI is http and not https.
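
An added example (not part of the thread and not Better Auth code): a TypeScript check that pulls `redirect_uri` out of an authorize URL and classifies it against the callbacks registered with the provider, covering the relative path from the original report and the http/https difference mentioned above. `checkRedirectUri`, `CLIENT_ID` and `app.example` are hypothetical, and exact-string matching against the registered values is assumed.

```typescript
// Added example: hypothetical diagnostic, not Better Auth code.
type Verdict = "ok" | "missing" | "relative" | "scheme-mismatch" | "not-registered";

// Compare the redirect_uri carried by an authorize URL with the callback
// URLs registered at the provider. Assumes exact-string matching.
function checkRedirectUri(authorizeUrl: string, registered: string[]): Verdict {
  const sent = new URL(authorizeUrl).searchParams.get("redirect_uri");
  if (!sent) return "missing";

  let parsed: URL;
  try {
    parsed = new URL(sent); // throws for a relative reference such as "/callback/github"
  } catch {
    return "relative";
  }
  if (registered.includes(sent)) return "ok";

  // Same host and path but another scheme: the http-instead-of-https case.
  for (const r of registered) {
    const reg = new URL(r);
    if (reg.host === parsed.host && reg.pathname === parsed.pathname &&
        reg.protocol !== parsed.protocol) {
      return "scheme-mismatch";
    }
  }
  return "not-registered";
}

// Constructed sample inputs. CLIENT_ID and app.example are placeholders.
const authorize = (redirectUri: string): string =>
  "https://github.com/login/oauth/authorize?response_type=code&client_id=CLIENT_ID" +
  "&scope=read%3Auser+user%3Aemail&redirect_uri=" + encodeURIComponent(redirectUri);

const LOCAL_CB = "http://localhost:3000/api/auth/callback/github";
const DEPLOYED_CB = "https://app.example/api/auth/callback/github";

const samples: Array<[string, string[]]> = [
  [authorize("/callback/github"), [LOCAL_CB]], // the request shape from the report
  [authorize(LOCAL_CB), [LOCAL_CB]],
  [authorize("http://app.example/api/auth/callback/github"), [DEPLOYED_CB]],
];
for (const [url, reg] of samples) console.log(checkRedirectUri(url, reg));
```
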


@aoifelee commented on GitHub (Dec 20, 2025):

I am also seeing this issue. Basically the exact same thing as the original reporter.


@ping-maxwell commented on GitHub (Jan 7, 2026):

Hello @akhansari @aoifelee things are working fine on my end on latest. Do you guys by chance have a public repository which I can check out? or maybe if possible, if someone can provide a minimal reproduction repo for me to test?


@akhansari commented on GitHub (Jan 8, 2026):

@ping-maxwell I no longer have it with the latest version, thank you

Reference: github-starred/better-auth#2397