- Home
- Skills
- Mjunaidca
- Mjs Agent Skills
- Better Auth Sso
better-auth-sso_skill
- Python
19
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill mjunaidca/mjs-agent-skills --skill better-auth-sso- SKILL.md17.5 KB
Overview
This skill integrates Next.js applications with Better Auth SSO using OAuth2/OIDC and PKCE. It provides reusable patterns for initiating PKCE flows, exchanging tokens, storing tokens in httpOnly cookies, verifying JWTs via JWKS, refreshing tokens, and performing global logout. Use it to implement secure SSO login and session management across tenant apps.
How this skill works
The skill offers client helpers to generate PKCE code verifiers and build the authorization URL, server routes to exchange authorization codes for tokens and set httpOnly cookies, and endpoints to verify id_tokens against the SSO JWKS. It includes a session route that decodes and validates id_tokens, a refresh endpoint to exchange refresh_tokens for new tokens, and a signout flow that clears cookies and optionally redirects to the central logout endpoint. A proxy/middleware pattern enforces protected routes by validating tokens and sending users to refresh or login when needed.
When to use it
- Building SSO login in Next.js with an external Better Auth server
- Implementing PKCE for public OAuth clients (single-page or browser apps)
- Storing access/refresh/id tokens securely in httpOnly cookies
- Verifying JWTs via remote JWKS and enforcing route protection
- Implementing global logout that coordinates with the central SSO server
Best practices
- Use PKCE (S256) for public clients and never store client secrets in browser code
- Keep tokens in httpOnly, secure cookies with appropriate SameSite and path settings
- Validate id_tokens with the SSO JWKS and check exp/iss/aud claims server-side
- Keep short access_token lifetimes and use refresh_token endpoints on the server
- Clear PKCE and temporary state after exchange to prevent replay and leakage
- Use a centralized proxy or middleware to gate protected routes and handle refresh redirects
Example use cases
- Add SSO sign-in to a Next.js dashboard using PKCE and redirect callbacks
- Protect tenant-specific pages with a proxy that verifies id_tokens via JWKS
- Server-side session endpoint that returns user profile by verifying id_token
- Automatic token refresh flow when access_token expires, redirecting to refresh endpoint
- Initiate global logout that clears cookies and redirects to Better Auth’s endsession endpoint
FAQ
No. With PKCE public clients (single-page / browser apps) do not use a client secret; use the code_verifier to complete the token exchange.
Where should tokens be stored?
Store access, refresh, and id tokens in httpOnly, secure cookies set from server responses to reduce XSS risk; do not store tokens in localStorage.