[GH-ISSUE #4291] Encrypt OIDC Config at Rest #9890

Open
opened 2026-04-13 05:41:54 -05:00 by GiteaMirror · 5 comments
Owner

Originally created by @isaacwasserman on GitHub (Aug 28, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/4291

Originally assigned to: @Paola3stefania on GitHub.

Is this suited for github?

  • Yes, this is suited for github

The OIDC config used by the SSO plugin is stored in the database as plain-text; this includes the clientSecret field which is sensitive information.

Describe the solution you'd like

This config (or at least the clientSecret) should be encrypted at rest using the BETTER_AUTH_SECRET to avoid exposure of sensitive information.

Describe alternatives you've considered

N/A

Additional context

No response

Originally created by @isaacwasserman on GitHub (Aug 28, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/4291 Originally assigned to: @Paola3stefania on GitHub. ### Is this suited for github? - [x] Yes, this is suited for github ### Is your feature request related to a problem? Please describe. The OIDC config used by the SSO plugin is stored in the database as plain-text; this includes the `clientSecret` field which is sensitive information. ### Describe the solution you'd like This config (or at least the `clientSecret`) should be encrypted at rest using the `BETTER_AUTH_SECRET` to avoid exposure of sensitive information. ### Describe alternatives you've considered N/A ### Additional context _No response_
GiteaMirror added the enterprisesecurity labels 2026-04-13 05:41:54 -05:00
Author
Owner

@dvanmali commented on GitHub (Aug 29, 2025):

This should be available using the storeClientSecret option in the OIDC plugin

<!-- gh-comment-id:3237469550 --> @dvanmali commented on GitHub (Aug 29, 2025): This should be available using the `storeClientSecret` option in the OIDC plugin
Author
Owner

@isaacwasserman commented on GitHub (Aug 29, 2025):

@dvanmali storeClientSecret appears to be for the OIDC provider plugin. I'm referring to the OIDC config stored by the SSO plugin (I've edited my original post to clarify this).

<!-- gh-comment-id:3237490133 --> @isaacwasserman commented on GitHub (Aug 29, 2025): @dvanmali `storeClientSecret` appears to be for the OIDC _provider_ plugin. I'm referring to the OIDC config stored by the SSO plugin (I've edited my original post to clarify this).
Author
Owner

@dosubot[bot] commented on GitHub (Nov 28, 2025):

Hi, @isaacwasserman. I'm Dosu, and I'm helping the better-auth team manage their backlog and am marking this issue as stale.

Issue Summary:

  • You requested encryption of the sensitive clientSecret field in the OIDC configuration stored by the SSO plugin.
  • The maintainer noted that the existing storeClientSecret option applies only to the OIDC provider plugin, not the SSO plugin.
  • You clarified that your request specifically concerns the SSO plugin's storage of OIDC secrets.
  • The discussion identified a gap: the SSO plugin currently lacks encryption support for stored OIDC secrets.
  • No resolution or implementation has been made yet.

Next Steps:

  • Please let me know if this issue is still relevant to the latest version of better-auth by commenting here.
  • If I do not hear back within 7 days, this issue will be automatically closed.

Thank you for your understanding and contribution!

<!-- gh-comment-id:3589841800 --> @dosubot[bot] commented on GitHub (Nov 28, 2025): Hi, @isaacwasserman. I'm [Dosu](https://dosu.dev), and I'm helping the better-auth team manage their backlog and am marking this issue as stale. **Issue Summary:** - You requested encryption of the sensitive `clientSecret` field in the OIDC configuration stored by the SSO plugin. - The maintainer noted that the existing `storeClientSecret` option applies only to the OIDC provider plugin, not the SSO plugin. - You clarified that your request specifically concerns the SSO plugin's storage of OIDC secrets. - The discussion identified a gap: the SSO plugin currently lacks encryption support for stored OIDC secrets. - No resolution or implementation has been made yet. **Next Steps:** - Please let me know if this issue is still relevant to the latest version of better-auth by commenting here. - If I do not hear back within 7 days, this issue will be automatically closed. Thank you for your understanding and contribution!
Author
Owner

@Daymannovaes commented on GitHub (Mar 3, 2026):

hey @isaacwasserman / @Paola3stefania I added a plugin to encrypt whatever field you'd like, something like this:

const auth = betterAuth({
  plugins: [
    fieldEncryption({
      fields: {
        oidcConfig: ["clientSecret"],
      },
    }),
  ],
});

It could potentially solve this issue in a cleaner more extensible manner. Here's the PR with the feature: https://github.com/better-auth/better-auth/pull/8337

<!-- gh-comment-id:3991708291 --> @Daymannovaes commented on GitHub (Mar 3, 2026): hey @isaacwasserman / @Paola3stefania I added a plugin to encrypt whatever field you'd like, something like this: ```ts const auth = betterAuth({ plugins: [ fieldEncryption({ fields: { oidcConfig: ["clientSecret"], }, }), ], }); ``` It could potentially solve this issue in a cleaner more extensible manner. Here's the PR with the feature: https://github.com/better-auth/better-auth/pull/8337
Author
Owner

@isaacwasserman commented on GitHub (Mar 3, 2026):

This is a good start (and a great contribution), but I would argue that encryption at rest should be a requirement (or at least a default) for fields like this.

<!-- gh-comment-id:3993979930 --> @isaacwasserman commented on GitHub (Mar 3, 2026): This is a good start (and a great contribution), but I would argue that encryption at rest should be a requirement (or at least a default) for fields like this.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#9890