[PR #5993] [MERGED] fix(oidc-provider): implement proper OIDC prompt parameter handling #31969

Closed
opened 2026-04-17 22:50:35 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/5993
Author: @himself65
Created: 11/14/2025
Status: Merged
Merged: 11/19/2025
Merged by: @himself65

Base: canary ← Head: himself65/2025/11/14/fix


📝 Commits (8)

  • 68e269a fix(oidc-provider): implement proper OIDC prompt parameter handling
  • 26919d9 fix: lint
  • b280963 Apply suggestions from code review
  • 9581341 fix: remove `requireLogin
  • 2fdd71f fix: check session
  • 1febf5e fix: sync
  • 2454d50 Revert "fix: sync"
  • cd8effe fix: remove requireLogin from types

📊 Changes

9 files changed (+667 additions, -20 deletions)

📝 packages/better-auth/src/plugins/mcp/index.ts (+14 -3)
📝 packages/better-auth/src/plugins/oidc-provider/authorize.ts (+76 -4)
➕ packages/better-auth/src/plugins/oidc-provider/error.ts (+13 -0)
📝 packages/better-auth/src/plugins/oidc-provider/index.ts (+19 -7)
📝 packages/better-auth/src/plugins/oidc-provider/oidc.test.ts (+442 -0)
➖ packages/better-auth/src/plugins/oidc-provider/state/prompt-handled.ts (+0 -5)
📝 packages/better-auth/src/plugins/oidc-provider/types.ts (+4 -1)
➕ packages/better-auth/src/plugins/oidc-provider/utils/prompt.test.ts (+69 -0)
➕ packages/better-auth/src/plugins/oidc-provider/utils/prompt.ts (+30 -0)

📄 Description

Fixes: https://github.com/better-auth/better-auth/issues/4594


Summary by cubic

Implements spec-compliant OIDC prompt and max_age handling, fixes silent login/consent behavior, and prevents unintended redirects after OIDC flows.

  • Bug Fixes

    • prompt=none: return login_required when unauthenticated; consent_required when consent is needed; otherwise proceed without UI.
    • max_age: treat 0 as prompt=login and require reauth when session age exceeds max_age.
    • Clear oidc_login_prompt cookie after resuming flow so later normal logins don’t redirect to the OIDC client.
  • New Features

    • Added parsePrompt utility with validation (none cannot be combined) and tests.
    • Introduced OIDCProviderError/InvalidRequest, broadened prompt type, and resumed flow after login by stripping prompt=login before re-authorizing.

Written for commit cd8effe79c. Summary will update automatically on new commits.
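The prompt and max_age rules the summary lists (prompt=none must fail silently with login_required or consent_required, none cannot be combined with other values, max_age=0 forces re-authentication, a stale session exceeding max_age forces it too, and the resumed request must have prompt=login stripped so it does not loop), carried through as an added TypeScript example. This is illustrative code, not better-auth's own implementation: `parsePrompt`, `decideAuthorization`, `stripLoginPrompt`, `SessionInfo`, `Decision` and `InvalidRequestError` are assumed names, and the clock and session values are constructed.

```typescript
// Added example (not better-auth code): spec-style handling of the OIDC
// `prompt` and `max_age` authorization parameters (OIDC Core 3.1.2.1).
// All names below are illustrative assumptions.

export type PromptValue = "none" | "login" | "consent" | "select_account";
const KNOWN_PROMPTS: ReadonlySet<string> = new Set(["none", "login", "consent", "select_account"]);

// Assumed error type standing in for an "invalid_request" OIDC error.
export class InvalidRequestError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "InvalidRequestError";
  }
}

/** Parse the space-delimited `prompt` value; reject unknown tokens and `none` combined with anything else. */
export function parsePrompt(raw: string | undefined): Set<PromptValue> {
  const values = new Set<PromptValue>();
  if (raw === undefined || raw.trim() === "") return values;
  for (const token of raw.trim().split(/\s+/)) {
    if (!KNOWN_PROMPTS.has(token)) throw new InvalidRequestError(`unknown prompt value: ${token}`);
    values.add(token as PromptValue);
  }
  if (values.has("none") && values.size > 1) {
    throw new InvalidRequestError("prompt=none cannot be combined with other values");
  }
  return values;
}

export interface SessionInfo {
  authTime: number;        // Unix seconds of the user's last active authentication (auth_time)
  consentGranted: boolean; // whether this client/scope set was already consented to
}

export type Decision =
  | { kind: "error"; error: "login_required" | "consent_required" | "invalid_request"; description?: string }
  | { kind: "show_login" }
  | { kind: "show_consent" }
  | { kind: "issue" };

/** Decide what the authorization endpoint does for the given params, session and clock (`now` in Unix seconds). */
export function decideAuthorization(
  params: { prompt?: string; max_age?: string },
  session: SessionInfo | null,
  now: number,
): Decision {
  let prompts: Set<PromptValue>;
  try {
    prompts = parsePrompt(params.prompt);
  } catch (e) {
    if (e instanceof InvalidRequestError) return { kind: "error", error: "invalid_request", description: e.message };
    throw e;
  }

  // prompt=login always re-authenticates; max_age=0 is equivalent to prompt=login,
  // and a positive max_age re-authenticates when the session is older than allowed.
  let requireReauth = prompts.has("login");
  if (params.max_age !== undefined) {
    const maxAge = Number(params.max_age);
    if (!Number.isInteger(maxAge) || maxAge < 0) {
      return { kind: "error", error: "invalid_request", description: "max_age must be a non-negative integer" };
    }
    if (maxAge === 0) requireReauth = true;
    else if (session !== null && now - session.authTime > maxAge) requireReauth = true;
  }

  // prompt=none means "no UI": every step that would show a page becomes an error instead.
  const silent = prompts.has("none");
  if (session === null || requireReauth) {
    return silent ? { kind: "error", error: "login_required" } : { kind: "show_login" };
  }
  if (prompts.has("consent") || !session.consentGranted) {
    return silent ? { kind: "error", error: "consent_required" } : { kind: "show_consent" };
  }
  return { kind: "issue" };
}

/** Flatten a Decision to a single string for logging and assertions. */
export function outcome(d: Decision): string {
  return d.kind === "error" ? d.error : d.kind;
}

/** After the user has logged in, drop `login` from the stored authorize URL's prompt so the resumed request does not demand login again. */
export function stripLoginPrompt(authorizeUrl: string): string {
  const url = new URL(authorizeUrl);
  const raw = url.searchParams.get("prompt");
  if (raw === null) return url.toString();
  const remaining = raw.split(/\s+/).filter((v) => v !== "" && v !== "login");
  if (remaining.length === 0) url.searchParams.delete("prompt");
  else url.searchParams.set("prompt", remaining.join(" "));
  return url.toString();
}
```

The silent-vs-interactive split is the point worth checking in any implementation: the same two conditions (no usable session, no consent) are evaluated in the same order whether or not `none` is present; only the response form changes. Treating `max_age=0` as `prompt=login` before the session check means `prompt=none&max_age=0` correctly yields `login_required` rather than silently issuing a code on a stale session.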


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2026-04-17 22:50:35 -05:00

Reference: github-starred/better-auth#31969