[GH-ISSUE #4453] Support dynamic authorizationUrlParams for Generic OAuth provider #9935

Closed
opened 2026-04-13 05:45:46 -05:00 by GiteaMirror · 1 comment

Originally created by @nachthammer on GitHub (Sep 5, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/4453

Is this suited for github?

  • Yes, this is suited for github

Is your feature request related to a problem? Please describe.

I currently have next-auth set up in my codebase in production, but I would like to migrate to better-auth as I really adore this library and the thought that went into it.
One of my main problems of the migration is migrating existing SSO connections.
I do this via boxyhq which abstracts the SSO flow and exposes an OAuth flow for my app. Therefore the Generic OAuth provider was my way to go. But the problem is that I need to send a dynamic product and a tenant-id (depending on the organization) to the provider. This is possible but not dynamically:

```ts
genericOAuth({
  config: [
    {
      // this is scuffed we need some way to map the enterprises
      mapProfileToUser(profile) {
        console.debug({ profile });
        return { ...profile, name: profile.name ?? '', emailVerified: true };
      },
      providerId: 'boxyhq-saml',
      clientId: 'dummy',
      clientSecret: 'dummy',
      authorizationUrl: 'https://auth.example.com/api/oauth/authorize',
      tokenUrl: 'https://auth.example.com/api/oauth/token',
      userInfoUrl: 'https://auth.example.com/api/oauth/userinfo',
      scopes: [],
      // this is what i need to be customizable
      authorizationUrlParams: { tenant: 'example.com', product: 'productName' },
    },
  ],
}),
```

I would like to be able to set this dynamically over the client or be able to set the config async via the request headers.

Describe the solution you'd like

```ts
genericOAuth({
  // being able to set this dynamically
  config: async request => ([
    {
      // this is scuffed we need some way to map the enterprises
      mapProfileToUser(profile) {
        console.debug({ profile });
        return { ...profile, name: profile.name ?? '', emailVerified: true };
      },
      providerId: 'boxyhq-saml',
      clientId: 'dummy',
      clientSecret: 'dummy',
      authorizationUrl: 'https://auth.example.com/api/oauth/authorize',
      tokenUrl: 'https://auth.example.com/api/oauth/token',
      userInfoUrl: 'https://auth.example.com/api/oauth/userinfo',
      scopes: [],
      // getTenantByHeaders is a placeholder for an app-defined lookup, not an existing API
      authorizationUrlParams: { tenant: getTenantByHeaders(request.headers), product: 'productName' },
    },
  ]),
}),
```

or set this via an additional option in the client side auth instance.

Describe alternatives you've considered

Sadly I did not find any way to do this differently. I cannot just use your SSO/SAML setup as I already have multiple SSO providers.

Additional context

If you need any more context send me a message.

GiteaMirror added the locked label 2026-04-13 05:45:46 -05:00
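
The per-request tenant lookup requested above, as an added example that is not part of the issue or of Better Auth: `getTenantByHeaders` takes its name from the proposal, while the host-to-tenant table, `HeaderReader` and `buildAuthorizationUrl` are assumptions. Because the `Host` header is set by the client, it is used only as a key into a server-side allowlist, and unknown hosts are rejected rather than forwarded as `tenant`.

```typescript
// Added example, not Better Auth or BoxyHQ code; all names are hypothetical.
type HeaderReader = { get(name: string): string | null };

// Constructed allowlist: request host -> tenant value sent to the SSO bridge.
const TENANT_BY_HOST: { [host: string]: string } = {
  "acme.app.example.com": "acme.com",
  "globex.app.example.com": "globex.com",
};

const AUTHORIZE_URL = "https://auth.example.com/api/oauth/authorize";

function getTenantByHeaders(headers: HeaderReader): string | null {
  // Host is client-supplied: use it only as a lookup key, never as the value.
  const raw = headers.get("host");
  if (!raw) return null;
  const host = raw.trim().toLowerCase().replace(/:\d+$/, "");
  // Own-property check so "__proto__" or "constructor" cannot match.
  if (!Object.prototype.hasOwnProperty.call(TENANT_BY_HOST, host)) return null;
  const tenant = TENANT_BY_HOST[host];
  return typeof tenant === "string" ? tenant : null;
}

function buildAuthorizationUrl(
  headers: HeaderReader,
  product: string,
  state: string
): string {
  const tenant = getTenantByHeaders(headers);
  // Fail closed: no fallback tenant for unrecognised hosts.
  if (tenant === null) throw new Error("unknown tenant for this request");
  const params: [string, string][] = [
    ["response_type", "code"],
    ["client_id", "dummy"],
    ["state", state],
    ["tenant", tenant],
    ["product", product],
  ];
  const query = params
    .map((p) => encodeURIComponent(p[0]) + "=" + encodeURIComponent(p[1]))
    .join("&");
  return AUTHORIZE_URL + "?" + query;
}
```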

@dosubot[bot] commented on GitHub (Sep 5, 2025):

Hi @nachthammer! I'm Dosu and I’m helping the better-auth team.

Better Auth's Generic OAuth provider does not currently support dynamic (per-request or async) configuration of `authorizationUrlParams`—these parameters are set statically in the provider config and cannot be changed at runtime or based on request headers. There are no hooks, middleware, or extension points for dynamic modification, and the config is processed only at initialization [source](https://github.com/better-auth/better-auth/blob/e812142c6cb91a65bba022b77f1176f7cca6dff2/packages/better-auth/src/plugins/generic-oauth/index.ts).

Other users have requested similar dynamic provider config features (like dynamic clientSecret, realmId, or per-tenant params), but maintainers have confirmed that only the SSO plugin supports dynamic, per-organization provider registration—Generic OAuth remains global and static [discussion](https://github.com/better-auth/better-auth/discussions/3721) [issue](https://github.com/better-auth/better-auth/issues/2199).

Workarounds include creating a custom API route to handle dynamic logic and setting that route as the `tokenUrl` or other endpoint in the config, but this adds complexity and network overhead [issue](https://github.com/better-auth/better-auth/issues/1196). Supporting dynamic `authorizationUrlParams` would require a core change to Better Auth, such as allowing an async config function or a per-request config resolver.

If you need true per-request dynamic OAuth config (like for BoxyHQ SSO flows), you may need to extend Better Auth or use custom routing until this feature is supported. If you want to track or contribute to this feature, you can follow or join the related discussions linked above.

Reference: github-starred/better-auth#9935