github-starred/better-auth
2
0
Fork 0
mirror of https://github.com/better-auth/better-auth.git synced 2026-05-23 15:42:09 -05:00
Code Issues 2.5k Packages Projects Releases 112 Wiki Activity

[GH-ISSUE #5292] OAuth flow consent screen redirect logic persists after flow and after logout affecting future logins #27528

New Issue
Closed
opened 2026-04-17 18:35:10 -05:00 by GiteaMirror · 3 comments
GiteaMirror commented 2026-04-17 18:35:10 -05:00
Owner
Copy Link

Originally created by @Jackman3005 on GitHub (Oct 14, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/5292

OIDC Provider: oidc_login_prompt and oidc_consent_prompt cookies persist after consent and logout

Description

The OIDC Provider plugin sets two cookies during the OAuth authorization flow:

  • oidc_login_prompt
  • oidc_consent_prompt

These cookies appear to have a 10-minute lifetime (maxAge: 600) but are not explicitly cleared after the OAuth flow completes (either on consent approval/denial) or during user logout. This causes them to persist in the browser beyond their intended use, leading to incorrect behavior on subsequent logins.

Impact

When a user:

  1. Initiates an OAuth flow from an external application
  2. Logs in and sees the consent screen
  3. Approves or denies consent
  4. Logs out from the application
  5. Returns later and performs a normal (non-OAuth) login

Expected: User should be logged in normally without seeing consent screen
Actual: User is incorrectly redirected to the consent page, even though they're not in an OAuth flow

Steps to Reproduce

  1. Set up Better Auth with the oidcProvider plugin:
oidcProvider({
  loginPage: `${APP_BASE_URL}/login`,
  consentPage: `${APP_BASE_URL}/oauth/consent`,
  scopes: ["profile", "email"],
})
  1. Initiate an OAuth authorization flow from an external application (e.g., MCP Inspector client)
  2. User is redirected to login page, then consent page
  3. User clicks "Allow" or "Deny" on consent screen
  4. Check browser cookies - oidc_login_prompt and oidc_consent_prompt still present
  5. User logs out from the application
  6. Check browser cookies - OIDC cookies still present
  7. User returns and performs a normal login (directly on the site, not through OAuth)
  8. User is incorrectly redirected to the consent page

Expected Behavior

The oidc_login_prompt and oidc_consent_prompt cookies should be automatically cleared:

  • After the OAuth consent flow completes (when /oauth2/consent endpoint is called)
  • When the user logs out (when /sign-out endpoint is called)

This would prevent these cookies from affecting subsequent authentication flows.

Environment

  • Better Auth version: 1.3.23
  • Framework: Next.js 15.5.3
  • Database: PostgreSQL with Prisma
  • Cookie behavior: Cookies do not have the configured cookiePrefix on localhost (just oidc_login_prompt instead of better-auth.oidc_login_prompt)

Source Code Reference

From better-auth/src/plugins/oidc-provider/authorize.ts, the cookies are set with:

await ctx.setSignedCookie(
  "oidc_login_prompt",
  JSON.stringify(ctx.query),
  ctx.context.secret,
  {
    maxAge: 600,
    path: "/",
    sameSite: "lax"
  }
);

await ctx.setSignedCookie(
  "oidc_consent_prompt",
  code,
  ctx.context.secret,
  {
    maxAge: 600,
    path: "/",
    sameSite: "lax"
  }
);

However, there is no corresponding cookie clearing logic when these flows complete.

Workaround

As a temporary workaround, we're explicitly expiring these cookies in the hooks.after middleware:

hooks: {
  after: createAuthMiddleware(async (context) => {
    // ... existing hooks ...

    if (context.path === "/oauth2/consent" || context.path === "/sign-out") {
      const expiredDate = new Date(0).toUTCString();
      const oidcCookies = ["oidc_login_prompt", "oidc_consent_prompt"];

      oidcCookies.forEach((cookieName) => {
        const setCookie = `${cookieName}=; Expires=${expiredDate}; Max-Age=0; Path=/; SameSite=lax`;
        context.setHeader("Set-Cookie", setCookie);
      });
    }
  }),
}

Suggested Fix

The OIDC Provider plugin should automatically clear these cookies when:

  1. The consent endpoint (/oauth2/consent) completes successfully (both accept and deny cases)
  2. The sign-out endpoint (/sign-out) is called
  3. The OAuth authorization flow completes successfully

This would match the intended 10-minute lifecycle and prevent cookies from affecting unrelated authentication flows.

Originally created by @Jackman3005 on GitHub (Oct 14, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/5292 # OIDC Provider: `oidc_login_prompt` and `oidc_consent_prompt` cookies persist after consent and logout ## Description The OIDC Provider plugin sets two cookies during the OAuth authorization flow: - `oidc_login_prompt` - `oidc_consent_prompt` These cookies appear to have a 10-minute lifetime (`maxAge: 600`) but are not explicitly cleared after the OAuth flow completes (either on consent approval/denial) or during user logout. This causes them to persist in the browser beyond their intended use, leading to incorrect behavior on subsequent logins. ## Impact When a user: 1. Initiates an OAuth flow from an external application 2. Logs in and sees the consent screen 3. Approves or denies consent 4. Logs out from the application 5. Returns later and performs a **normal** (non-OAuth) login **Expected:** User should be logged in normally without seeing consent screen **Actual:** User is incorrectly redirected to the consent page, even though they're not in an OAuth flow ## Steps to Reproduce 1. Set up Better Auth with the `oidcProvider` plugin: ```typescript oidcProvider({ loginPage: `${APP_BASE_URL}/login`, consentPage: `${APP_BASE_URL}/oauth/consent`, scopes: ["profile", "email"], }) ``` 2. Initiate an OAuth authorization flow from an external application (e.g., MCP Inspector client) 3. User is redirected to login page, then consent page 4. User clicks "Allow" or "Deny" on consent screen 5. Check browser cookies - `oidc_login_prompt` and `oidc_consent_prompt` still present 6. User logs out from the application 7. Check browser cookies - OIDC cookies still present 8. User returns and performs a normal login (directly on the site, not through OAuth) 9. User is incorrectly redirected to the consent page ## Expected Behavior The `oidc_login_prompt` and `oidc_consent_prompt` cookies should be automatically cleared: - After the OAuth consent flow completes (when `/oauth2/consent` endpoint is called) - When the user logs out (when `/sign-out` endpoint is called) This would prevent these cookies from affecting subsequent authentication flows. ## Environment - **Better Auth version:** 1.3.23 - **Framework:** Next.js 15.5.3 - **Database:** PostgreSQL with Prisma - **Cookie behavior:** Cookies do not have the configured `cookiePrefix` on localhost (just `oidc_login_prompt` instead of `better-auth.oidc_login_prompt`) ## Source Code Reference From `better-auth/src/plugins/oidc-provider/authorize.ts`, the cookies are set with: ```typescript await ctx.setSignedCookie( "oidc_login_prompt", JSON.stringify(ctx.query), ctx.context.secret, { maxAge: 600, path: "/", sameSite: "lax" } ); ``` ```typescript await ctx.setSignedCookie( "oidc_consent_prompt", code, ctx.context.secret, { maxAge: 600, path: "/", sameSite: "lax" } ); ``` However, there is no corresponding cookie clearing logic when these flows complete. ## Workaround As a temporary workaround, we're explicitly expiring these cookies in the `hooks.after` middleware: ```typescript hooks: { after: createAuthMiddleware(async (context) => { // ... existing hooks ... if (context.path === "/oauth2/consent" || context.path === "/sign-out") { const expiredDate = new Date(0).toUTCString(); const oidcCookies = ["oidc_login_prompt", "oidc_consent_prompt"]; oidcCookies.forEach((cookieName) => { const setCookie = `${cookieName}=; Expires=${expiredDate}; Max-Age=0; Path=/; SameSite=lax`; context.setHeader("Set-Cookie", setCookie); }); } }), } ``` ## Suggested Fix The OIDC Provider plugin should automatically clear these cookies when: 1. The consent endpoint (`/oauth2/consent`) completes successfully (both accept and deny cases) 2. The sign-out endpoint (`/sign-out`) is called 3. The OAuth authorization flow completes successfully This would match the intended 10-minute lifecycle and prevent cookies from affecting unrelated authentication flows.
GiteaMirror added the locked label 2026-04-17 18:35:10 -05:00
GiteaMirror commented 2026-04-17 18:35:14 -05:00
Author
Owner
Copy Link

@Jackman3005 commented on GitHub (Oct 14, 2025):

@dosubot This looks like it may actually be a duplicate of https://github.com/better-auth/better-auth/issues/4594

<!-- gh-comment-id:3399932502 --> @Jackman3005 commented on GitHub (Oct 14, 2025): @dosubot This looks like it may actually be a duplicate of https://github.com/better-auth/better-auth/issues/4594
GiteaMirror commented 2026-04-17 18:35:15 -05:00
Author
Owner
Copy Link

@dosubot[bot] commented on GitHub (Oct 14, 2025):

Yes, this does appear to be a duplicate of issue #4594. Both issues describe the problem of the oidc_login_prompt cookie persisting after login, causing unwanted redirects in subsequent authentication flows see #4594. Your report expands on this by including the oidc_consent_prompt cookie and highlighting that neither cookie is cleared after consent or logout, which affects normal logins as well.

Currently, the codebase sets these cookies during the OAuth flow but does not clear them after consent or sign-out authorize.ts sign-out.ts. The workaround you described—explicitly expiring these cookies in middleware—is still necessary, as there is no built-in fix yet.

If you want to track this as a single issue, linking your report to #4594 makes sense, but your case covers a broader set of scenarios and cookies. If you need both cookies and all flows addressed, referencing both issues may help clarify the scope for maintainers.

To reply, just mention @dosu.

How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Chat with Dosu Join Discord Share on X

<!-- gh-comment-id:3399938180 --> @dosubot[bot] commented on GitHub (Oct 14, 2025): <!-- Answer --> Yes, this does appear to be a duplicate of issue #4594. Both issues describe the problem of the `oidc_login_prompt` cookie persisting after login, causing unwanted redirects in subsequent authentication flows [see #4594](https://github.com/better-auth/better-auth/issues/4594#issuecomment-3282864079). Your report expands on this by including the `oidc_consent_prompt` cookie and highlighting that neither cookie is cleared after consent or logout, which affects normal logins as well. Currently, the codebase sets these cookies during the OAuth flow but does not clear them after consent or sign-out [authorize.ts](https://github.com/better-auth/better-auth/blob/c3acb35269bb2881d30580a6bfc5a0dd4ccb8691/packages/better-auth/src/plugins/oidc-provider/authorize.ts) [sign-out.ts](https://github.com/better-auth/better-auth/blob/c3acb35269bb2881d30580a6bfc5a0dd4ccb8691/packages/better-auth/src/api/routes/sign-out.ts). The workaround you described—explicitly expiring these cookies in middleware—is still necessary, as there is no built-in fix yet. If you want to track this as a single issue, linking your report to #4594 makes sense, but your case covers a broader set of scenarios and cookies. If you need both cookies and all flows addressed, referencing both issues may help clarify the scope for maintainers. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/33aac4c0-d9dd-4cfb-8444-e5f2dfbe1b13?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/33aac4c0-d9dd-4cfb-8444-e5f2dfbe1b13?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/33aac4c0-d9dd-4cfb-8444-e5f2dfbe1b13?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/33aac4c0-d9dd-4cfb-8444-e5f2dfbe1b13?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/33aac4c0-d9dd-4cfb-8444-e5f2dfbe1b13?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/33aac4c0-d9dd-4cfb-8444-e5f2dfbe1b13?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/33aac4c0-d9dd-4cfb-8444-e5f2dfbe1b13?feedback_type=other)</sup>&nbsp;&nbsp;[![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/5292)
GiteaMirror commented 2026-04-17 18:35:16 -05:00
Author
Owner
Copy Link

@dvanmali commented on GitHub (Dec 24, 2025):

Hi all, we released the new OAuth Provider Plugin which removes cookies in the auth flow altogether. Feel free to let us know how it works :)

<!-- gh-comment-id:3688602445 --> @dvanmali commented on GitHub (Dec 24, 2025): Hi all, we released the new [OAuth Provider Plugin](https://www.better-auth.com/docs/plugins/oauth-provider) which removes cookies in the auth flow altogether. Feel free to let us know how it works :)
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
adapter
astro
awaiting external contributor
blocked
breaking
breaking change
bug
c-devops
core
credentials
database
dependencies
devops
devtools
docs
documentation
duplicate
elysia
enhancement
enterprise
expo
express
fastify
good first issue
help wanted
hono
identity
infra
integration
invalid
javascript
locked
maintenance
need-more-information
needs: info
needs: repro
nextjs
nuxt
oauth
organization
P0
payments
perf
platform
plugin
pull-request
Mirrored from GitHub Pull Request
 question
ready
regression
remix
security
social-provider
solid
stale
svelte
tanstack-start
tracking
version-bump
vue
wontfix
No Label locked
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#27528
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?