[PR #8633] [MERGED] fix(oauth-provider): let customIdTokenClaims override acr and auth_time #25006

Closed
opened 2026-04-15 22:41:16 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/8633
Author: @gustavovalverde
Created: 3/16/2026
Status: Merged
Merged: 3/28/2026
Merged by: @gustavovalverde

Base: main ← Head: fix/oauth-provider-acr-auth-time-override


📝 Commits (2)

  • 8615f09 fix(oauth-provider): let customIdTokenClaims override acr and auth_time
  • f78ffd6 test(oauth-provider): cover nonce and sid in pinned claims test

📊 Changes

2 files changed (+146 additions, -1 deletions)


📝 packages/oauth-provider/src/token.test.ts (+145 -0)
📝 packages/oauth-provider/src/token.ts (+1 -1)

📄 Description

Problem

Follow-up to #7865, which fixed the ordering of userClaims vs customClaims so that customIdTokenClaims can override standard OIDC claims. That fix placed ...customClaims after ...userClaims, but auth_time and acr are assigned after the customClaims spread, silently overwriting any custom values.

This matters for providers that compute acr dynamically (e.g., from MFA status or step-up authentication level) and need customIdTokenClaims to be the final authority.

Changes

In createIdToken, move auth_time and acr assignments before the ...customClaims spread. The resulting order is: userClaims → auth_time/acr (defaults) → customClaims (overrides) → iss/sub/aud/iat/exp (non-overridable).

One-line change.
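To make the precedence change concrete, here is an added example (not better-auth's own code; the function and field names are hypothetical) that models the claim-assembly order in createIdToken before and after this PR, with a constructed customIdTokenClaims result that raises acr after a step-up and also tries to set sub:

```typescript
// Added example, not code from the better-auth repository. Names are hypothetical.
type Claims = Record<string, unknown>;

interface IdTokenInput {
  userClaims: Claims;   // scope-derived profile claims (email, name, ...)
  customClaims: Claims; // whatever the provider's customIdTokenClaims hook returned
  authTime: number;     // session creation time, seconds since epoch
  acr: string;          // default assurance level the provider would report
  iss: string; sub: string; aud: string; now: number; ttl: number;
}

// Before the fix: auth_time and acr are assigned AFTER the custom spread, so a
// dynamically computed acr (e.g. from MFA status) is silently replaced by the default.
function buildIdTokenClaimsBefore(i: IdTokenInput): Claims {
  return {
    ...i.userClaims,
    ...i.customClaims,
    auth_time: i.authTime,
    acr: i.acr,
    iss: i.iss, sub: i.sub, aud: i.aud, iat: i.now, exp: i.now + i.ttl,
  };
}

// After the fix: defaults first, custom overrides next, then the pinned claims
// (iss/sub/aud/iat/exp) last so the hook can never change token identity or lifetime.
function buildIdTokenClaimsAfter(i: IdTokenInput): Claims {
  return {
    ...i.userClaims,
    auth_time: i.authTime,
    acr: i.acr,
    ...i.customClaims,
    iss: i.iss, sub: i.sub, aud: i.aud, iat: i.now, exp: i.now + i.ttl,
  };
}

// Constructed sample input: the hook reports a stronger acr and a later auth_time
// after step-up, and also attempts to set sub, which must remain pinned.
const sample: IdTokenInput = {
  userClaims: { email: "alice@example.com" },
  customClaims: { acr: "urn:mace:incommon:iap:silver", auth_time: 1700000100, sub: "someone-else" },
  authTime: 1700000000,
  acr: "urn:mace:incommon:iap:bronze",
  iss: "https://issuer.example", sub: "user-1", aud: "client-1", now: 1700000500, ttl: 3600,
};
```

Running both builders over the sample shows the old order discarding the custom acr and auth_time, while the new order keeps them and still rejects the sub override.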

References

  • OIDC Core §2 — ID Token auth_time and acr claims: https://openid.net/specs/openid-connect-core-1_0.html#IDToken
  • #7865
Summary by cubic

Fixes ID token claim precedence so customIdTokenClaims can override acr and auth_time without weakening core claims. Adds tests to lock this behavior, including nonce and sid.

  • Bug Fixes
    • @better-auth/oauth-provider: Move auth_time and acr before customIdTokenClaims in createIdToken so overrides work; keep iss, sub, aud, iat, and exp pinned.
    • Add tests verifying acr/auth_time are overridable and pinned claims are not, now also covering nonce and sid.

Written for commit f78ffd652f. Summary will update on new commits.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2026-04-15 22:41:16 -05:00
Reference: github-starred/better-auth#25006