
Enable single-strategy pluggable auth (Entra | Google | Github | Local | ...) #1

@MatthiasKainer

Description


User story

As an operator I want to select an arbitrary identity provider so that users sign in consistently with that provider.

Implementation approaches

Integrate external provider into Better Auth

  • Check the Better Auth documentation for configuring OIDC/OAuth providers (many auth libs support providers by config). If Better Auth supports providers directly, add a provider configuration in lib/auth.ts.
  • On OAuth callback, exchange the code for tokens and use the provider id_token/sub to identify the user.
  • Upsert a local user in the DB: users.external_provider + users.external_id (provider sub), filling email/name from id_token claims.
  • Create a Better Auth session for that local user (so the rest of the app uses the same session code).
  • Ensure MCP tool endpoints continue to use withMcpAuth (no change), because sessions are local Better Auth sessions.
  • Provide admin/user pages to link external accounts to existing accounts if desired.

Advantages: single place to handle sessions & tokens, easier to inspect/refresh tokens if needed, simpler testing, consistent permissions.

Using our OAuth proxy and trust signed header (already set up for INXM)

Use the OAuth proxy in front of the Next.js app and send the signed header with HMAC.
Add code to the Next.js app that:

  • Verifies the JWT signature using the proxy.
  • Extracts user email / sub / name / provider.
  • Upserts a local user record (external_provider + external_id).
  • Creates a local session (Better Auth or internal cookie) for that user OR rely on verifying presence of valid JWT on each request, but mapping to local DB is still recommended.

Ensure the networking rule: the app is only reachable via the proxy; drop direct internet access to the app.
Let MCP endpoints be protected as before by verifying the established session or the same JWT. If we use the JWT directly for tool auth, withMcpAuth must be updated to accept JWT verification (but it is better to convert the external login into a Better Auth session, so withMcpAuth remains unchanged).

Advantages: less code in app; delegation to proxy.
Disadvantages: more infrastructure coupling and security caveats.
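As an added illustration of the proxy approach above (example code, not part of this issue or the project), the sketch below verifies the HMAC-signed JWT the proxy would set, pins the algorithm, checks issuer and expiry, and upserts a local user keyed on (external_provider, external_id) rather than on email. The secret, issuer URL, claim names and the in-memory user store are all constructed assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Constructed values for this example: the secret shared with the proxy and the issuer it sets.
const PROXY_HMAC_SECRET = "example-shared-secret-replace-me";
const EXPECTED_ISSUER = "https://oauth-proxy.example";

interface ExternalIdentity { provider: string; sub: string; email: string; name?: string }
interface LocalUser { id: number; external_provider: string; external_id: string; email: string; name?: string }

const enc = (obj: object) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const dec = (s: string) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// Mint an HS256 token the way the proxy would (included only so the example runs stand-alone).
function signProxyJwt(claims: object): string {
  const signingInput = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}`;
  const sig = createHmac("sha256", PROXY_HMAC_SECRET).update(signingInput).digest("base64url");
  return `${signingInput}.${sig}`;
}

// Verify the proxy's token and return the identity claims, or throw on any failure.
function verifyProxyJwt(token: string, now = Math.floor(Date.now() / 1000)): ExternalIdentity {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  // Pin the algorithm: the app decides how tokens are signed, never the token header.
  if (dec(h).alg !== "HS256") throw new Error("unexpected alg");
  const expected = createHmac("sha256", PROXY_HMAC_SECRET).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) throw new Error("bad signature");
  const c = dec(p);
  if (c.iss !== EXPECTED_ISSUER) throw new Error("unexpected issuer");
  if (typeof c.exp !== "number" || c.exp <= now) throw new Error("token expired");
  if (!c.sub || !c.email || !c.provider) throw new Error("missing identity claims");
  return { provider: c.provider, sub: c.sub, email: c.email, name: c.name };
}

// In-memory stand-in for the users table; the real app would upsert the same columns in the DB.
const users = new Map<string, LocalUser>();
function upsertLocalUser(id: ExternalIdentity): LocalUser {
  // Key on provider + sub, not on email: emails can change or be re-issued by a provider.
  const key = `${id.provider}:${id.sub}`;
  const existing = users.get(key);
  const user: LocalUser = existing
    ? { ...existing, email: id.email, name: id.name }
    : { id: users.size + 1, external_provider: id.provider, external_id: id.sub, email: id.email, name: id.name };
  users.set(key, user);
  return user;
}
```

After verifyProxyJwt and upsertLocalUser succeed, the app would create the Better Auth session for the returned user so withMcpAuth keeps working unchanged.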
