better-auth-sso_skill

This skill integrates Next.js apps with Better Auth SSO for PKCE OAuth2 and OIDC flows, token management, and global logout.
  • Python

19

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill mjunaidca/mjs-agent-skills --skill better-auth-sso

  • SKILL.md17.5 KB

Overview

This skill integrates Next.js applications with Better Auth SSO using OAuth2/OIDC and PKCE. It provides reusable patterns for initiating PKCE flows, exchanging tokens, storing tokens in httpOnly cookies, verifying JWTs via JWKS, refreshing tokens, and performing global logout. Use it to implement secure SSO login and session management across tenant apps.

How this skill works

The skill offers client helpers to generate PKCE code verifiers and build the authorization URL, server routes to exchange authorization codes for tokens and set httpOnly cookies, and endpoints to verify id_tokens against the SSO JWKS. It includes a session route that decodes and validates id_tokens, a refresh endpoint to exchange refresh_tokens for new tokens, and a signout flow that clears cookies and optionally redirects to the central logout endpoint. A proxy/middleware pattern enforces protected routes by validating tokens and sending users to refresh or login when needed.

When to use it

  • Building SSO login in Next.js with an external Better Auth server
  • Implementing PKCE for public OAuth clients (single-page or browser apps)
  • Storing access/refresh/id tokens securely in httpOnly cookies
  • Verifying JWTs via remote JWKS and enforcing route protection
  • Implementing global logout that coordinates with the central SSO server

Best practices

  • Use PKCE (S256) for public clients and never store client secrets in browser code
  • Keep tokens in httpOnly, secure cookies with appropriate SameSite and path settings
  • Validate id_tokens with the SSO JWKS and check exp/iss/aud claims server-side
  • Keep short access_token lifetimes and use refresh_token endpoints on the server
  • Clear PKCE and temporary state after exchange to prevent replay and leakage
  • Use a centralized proxy or middleware to gate protected routes and handle refresh redirects

Example use cases

  • Add SSO sign-in to a Next.js dashboard using PKCE and redirect callbacks
  • Protect tenant-specific pages with a proxy that verifies id_tokens via JWKS
  • Server-side session endpoint that returns user profile by verifying id_token
  • Automatic token refresh flow when access_token expires, redirecting to refresh endpoint
  • Initiate global logout that clears cookies and redirects to Better Auth’s endsession endpoint

FAQ

No. With PKCE public clients (single-page / browser apps) do not use a client secret; use the code_verifier to complete the token exchange.

Where should tokens be stored?

Store access, refresh, and id tokens in httpOnly, secure cookies set from server responses to reduce XSS risk; do not store tokens in localStorage.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational