Merge pull request #135 from RayLabsHQ/fix/authentik-issuer-mismatch

auth: preserve issuer formatting for OIDC

bun.lock

@@ -36,7 +36,7 @@
         "@types/react-dom": "^19.2.2",
         "astro": "^5.14.8",
         "bcryptjs": "^3.0.2",
-        "better-auth": "1.4.0-beta.12",
+        "better-auth": "1.4.0-beta.13",
         "buffer": "^6.0.3",
         "canvas-confetti": "^1.9.3",
         "class-variance-authority": "^0.7.1",
@@ -150,11 +150,11 @@
 
     "@babel/types": ["@babel/types@7.28.4", "", { "dependencies": { "@babel/helper-string-parser": "^7.27.1", "@babel/helper-validator-identifier": "^7.27.1" } }, "sha512-bkFqkLhh3pMBUQQkpVgWDWq/lqzc2678eUyDlTBhRqhCHFguYYGM0Efga7tYk4TogG/3x0EEl66/OQ+WGbWB/Q=="],
 
-    "@better-auth/core": ["@better-auth/core@1.4.0-beta.12", "", { "dependencies": { "zod": "^4.1.5" }, "peerDependencies": { "@better-auth/utils": "0.3.0", "@better-fetch/fetch": "1.1.18", "better-call": "1.0.24", "better-sqlite3": "^12.4.1", "jose": "^6.1.0", "kysely": "^0.28.5", "nanostores": "^1.0.1" } }, "sha512-2GisAGuSVZS4gtnwP5Owk3RyC6GevZe9zcODTrtbwRCvBTrHUmu0j6bcklK9uNG8DaWDmzCK1+VGA5qIHzg5Pw=="],
+    "@better-auth/core": ["@better-auth/core@1.4.0-beta.13", "", { "dependencies": { "zod": "^4.1.5" }, "peerDependencies": { "@better-auth/utils": "0.3.0", "@better-fetch/fetch": "1.1.18", "better-call": "1.0.24", "jose": "^6.1.0", "kysely": "^0.28.5", "nanostores": "^1.0.1" } }, "sha512-EGySsNv6HQYnlRQDIa7otIMrwFoC0gGLxBum9lC6C3wAsF4l4pn/ECcdIriFpc9ewLb8mGkeMSpvjVBUBND6ew=="],
 
     "@better-auth/sso": ["@better-auth/sso@1.4.0-beta.12", "", { "dependencies": { "@better-fetch/fetch": "1.1.18", "fast-xml-parser": "^5.2.5", "jose": "^6.1.0", "oauth2-mock-server": "^7.2.1", "samlify": "^2.10.1", "zod": "^4.1.5" }, "peerDependencies": { "better-auth": "1.4.0-beta.12" } }, "sha512-iuRuy59J3yXQihZJ34rqYClWyuVjSkxuBkdFblccKbOhNy7pmRO1lfmBMpyeth3ET5Cp0PDVV/z1XBbDcQp0LA=="],
 
-    "@better-auth/telemetry": ["@better-auth/telemetry@1.4.0-beta.12", "", { "dependencies": { "@better-auth/utils": "0.3.0", "@better-fetch/fetch": "1.1.18" }, "peerDependencies": { "@better-auth/core": "1.4.0-beta.12" } }, "sha512-pQ5HITRGXMHQPcPCDnz0xlxFqqxvpD4kQMvY6cdt1vDsPVePHAj9R3S318XEfaw3NAgtw3af/wCN6eBt2u4Kew=="],
+    "@better-auth/telemetry": ["@better-auth/telemetry@1.4.0-beta.13", "", { "dependencies": { "@better-auth/utils": "0.3.0", "@better-fetch/fetch": "1.1.18" }, "peerDependencies": { "@better-auth/core": "1.4.0-beta.13" } }, "sha512-910f+APALhhD79TiujzXp85Pnd2M3TlcTgBfiYF+mk3ouIkBJkl2N6D2ElcgwfiNTg50cFuTkP3AFPYioz8Arw=="],
 
     "@better-auth/utils": ["@better-auth/utils@0.3.0", "", {}, "sha512-W+Adw6ZA6mgvnSnhOki270rwJ42t4XzSK6YWGF//BbVXL6SwCLWfyzBc1lN2m/4RM28KubdBKQ4X5VMoLRNPQw=="],
 
@@ -698,7 +698,7 @@
 
     "before-after-hook": ["before-after-hook@4.0.0", "", {}, "sha512-q6tR3RPqIB1pMiTRMFcZwuG5T8vwp+vUvEG0vuI6B+Rikh5BfPp2fQ82c925FOs+b0lcFQ8CFrL+KbilfZFhOQ=="],
 
-    "better-auth": ["better-auth@1.4.0-beta.12", "", { "dependencies": { "@better-auth/core": "1.4.0-beta.12", "@better-auth/telemetry": "1.4.0-beta.12", "@better-auth/utils": "0.3.0", "@better-fetch/fetch": "1.1.18", "@noble/ciphers": "^2.0.0", "@noble/hashes": "^2.0.0", "@simplewebauthn/browser": "^13.1.2", "@simplewebauthn/server": "^13.1.2", "better-call": "1.0.24", "defu": "^6.1.4", "jose": "^6.1.0", "kysely": "^0.28.5", "nanostores": "^1.0.1", "zod": "^4.1.5" } }, "sha512-IvrSBmQkHgOinDh6JyJCoKwbMPmHpkmt98/0hBU9Nc0s7Y7u72AOx1Z35J2dRQxxX4SzvFQ9pHqlV6wPnm72Ww=="],
+    "better-auth": ["better-auth@1.4.0-beta.13", "", { "dependencies": { "@better-auth/core": "1.4.0-beta.13", "@better-auth/telemetry": "1.4.0-beta.13", "@better-auth/utils": "0.3.0", "@better-fetch/fetch": "1.1.18", "@noble/ciphers": "^2.0.0", "@noble/hashes": "^2.0.0", "@simplewebauthn/browser": "^13.1.2", "@simplewebauthn/server": "^13.1.2", "better-call": "1.0.24", "defu": "^6.1.4", "jose": "^6.1.0", "kysely": "^0.28.5", "nanostores": "^1.0.1", "zod": "^4.1.5" } }, "sha512-VOzbsCldupk2AdNfzDmpCVajX83nwITX8S9I8TdEUURgr3kB/CDVrsN6S8t0AClMnGgB4XaeKiXUNN30CCG4aA=="],
 
     "better-call": ["better-call@1.0.24", "", { "dependencies": { "@better-auth/utils": "^0.3.0", "@better-fetch/fetch": "^1.1.4", "rou3": "^0.5.1", "set-cookie-parser": "^2.7.1", "uncrypto": "^0.1.3" } }, "sha512-iGqL29cstPp4xLD2MjKL1EmyAqQHjYS+cBMt4W27rPs3vf+kuqkVPA0NYaf7JciBOzVsJdNj4cbZWXC5TardWQ=="],
 

drizzle/0006_military_la_nuit.sql

@@ -0,0 +1,4 @@
+ALTER TABLE `accounts` ADD `id_token` text;--> statement-breakpoint
+ALTER TABLE `accounts` ADD `access_token_expires_at` integer;--> statement-breakpoint
+ALTER TABLE `accounts` ADD `refresh_token_expires_at` integer;--> statement-breakpoint
+ALTER TABLE `accounts` ADD `scope` text;

drizzle/meta/_journal.json

@@ -43,6 +43,13 @@
       "when": 1757786449446,
       "tag": "0005_polite_preak",
       "breakpoints": true
+    },
+    {
+      "idx": 6,
+      "version": "6",
+      "when": 1761483928546,
+      "tag": "0006_military_la_nuit",
+      "breakpoints": true
     }
   ]
 }

package.json

@@ -75,7 +75,7 @@
     "astro": "^5.14.8",
     "bcryptjs": "^3.0.2",
     "buffer": "^6.0.3",
-    "better-auth": "1.4.0-beta.12",
+    "better-auth": "1.4.0-beta.13",
     "canvas-confetti": "^1.9.3",
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",

src/lib/auth.ts

@@ -166,6 +166,8 @@ export const auth = betterAuth({
       defaultOverrideUserInfo: true,
       // Allow implicit sign up for new users
       disableImplicitSignUp: false,
+      // Trust email_verified claims from the upstream provider so we can link by matching email
+      trustEmailVerified: true,
     }),
   ],
 });

src/lib/db/schema.ts

@@ -502,6 +502,10 @@ export const accounts = sqliteTable("accounts", {
   providerUserId: text("provider_user_id"), // Make nullable for email/password auth
   accessToken: text("access_token"),
   refreshToken: text("refresh_token"),
+  idToken: text("id_token"),
+  accessTokenExpiresAt: integer("access_token_expires_at", { mode: "timestamp" }),
+  refreshTokenExpiresAt: integer("refresh_token_expires_at", { mode: "timestamp" }),
+  scope: text("scope"),
   expiresAt: integer("expires_at", { mode: "timestamp" }),
   password: text("password"), // For credential provider
   createdAt: integer("created_at", { mode: "timestamp" })

src/lib/sso/oidc-config.test.ts

@@ -24,6 +24,7 @@ describe("normalizeOidcProviderConfig", () => {
     expect(result.oidcConfig.userInfoEndpoint).toBe("https://auth.example.com/userinfo");
     expect(result.oidcConfig.scopes).toEqual(["openid", "email"]);
     expect(result.oidcConfig.pkce).toBe(false);
+    expect(result.oidcConfig.discoveryEndpoint).toBe("https://auth.example.com/.well-known/openid-configuration");
   });
 
   it("derives missing fields from discovery", async () => {
@@ -46,6 +47,24 @@ describe("normalizeOidcProviderConfig", () => {
     expect(result.oidcConfig.jwksEndpoint).toBe("https://auth.example.com/jwks");
     expect(result.oidcConfig.userInfoEndpoint).toBe("https://auth.example.com/userinfo");
     expect(result.oidcConfig.scopes).toEqual(["openid", "email", "profile"]);
+    expect(result.oidcConfig.discoveryEndpoint).toBe("https://auth.example.com/.well-known/openid-configuration");
+  });
+
+  it("preserves trailing slash issuers when building discovery endpoints", async () => {
+    const trailingIssuer = "https://auth.example.com/application/o/example/";
+    const requestedUrls: string[] = [];
+    const fetchMock: typeof fetch = async (url) => {
+      requestedUrls.push(typeof url === "string" ? url : url.url);
+      return new Response(JSON.stringify({
+        authorization_endpoint: "https://auth.example.com/application/o/example/auth",
+        token_endpoint: "https://auth.example.com/application/o/example/token",
+      }));
+    };
+
+    const result = await normalizeOidcProviderConfig(trailingIssuer, {}, fetchMock);
+
+    expect(requestedUrls[0]).toBe("https://auth.example.com/application/o/example/.well-known/openid-configuration");
+    expect(result.oidcConfig.discoveryEndpoint).toBe("https://auth.example.com/application/o/example/.well-known/openid-configuration");
   });
 
   it("throws for invalid issuer URL", async () => {

src/lib/sso/oidc-config.ts

@@ -131,18 +131,21 @@ export async function normalizeOidcProviderConfig(
     throw new OidcConfigError("Issuer is required");
   }
 
-  let normalizedIssuer: string;
+  const trimmedIssuer = issuer.trim();
+
   try {
-    const issuerUrl = new URL(issuer.trim());
-    normalizedIssuer = issuerUrl.toString().replace(/\/$/, "");
+    // Validate issuer but keep caller-provided formatting so we don't break provider expectations
+    new URL(trimmedIssuer);
   } catch {
     throw new OidcConfigError(`Invalid issuer URL: ${issuer}`);
   }
 
+  const issuerForDiscovery = trimmedIssuer.replace(/\/$/, "");
+
   const discoveryEndpoint = cleanUrl(
     rawConfig.discoveryEndpoint,
     "discovery endpoint",
-  ) ?? `${normalizedIssuer}/.well-known/openid-configuration`;
+  ) ?? `${issuerForDiscovery}/.well-known/openid-configuration`;
 
   const authorizationEndpoint = cleanUrl(rawConfig.authorizationEndpoint, "authorization endpoint");
   const tokenEndpoint = cleanUrl(rawConfig.tokenEndpoint, "token endpoint");

src/pages/api/auth/sso/register.ts

@@ -29,12 +29,13 @@ export async function POST(context: APIContext) {
       );
     }
 
-    // Validate issuer URL format
+    // Validate issuer URL format while preserving trailing slash when provided
     let validatedIssuer = issuer;
     if (issuer && typeof issuer === 'string' && issuer.trim() !== '') {
       try {
-        const issuerUrl = new URL(issuer.trim());
-        validatedIssuer = issuerUrl.toString().replace(/\/$/, ''); // Remove trailing slash
+        const trimmedIssuer = issuer.trim();
+        new URL(trimmedIssuer);
+        validatedIssuer = trimmedIssuer;
       } catch (e) {
         return new Response(
           JSON.stringify({ error: `Invalid issuer URL format: ${issuer}` }),

src/pages/api/sso/discover.ts

@@ -17,11 +17,11 @@ export async function POST(context: APIContext) {
       });
     }
 
-    // Validate issuer URL format
-    let cleanIssuer: string;
+    // Validate issuer URL format while keeping trailing slash if provided
+    const trimmedIssuer = issuer.trim();
+    let parsedIssuer: URL;
     try {
-      const issuerUrl = new URL(issuer.trim());
-      cleanIssuer = issuerUrl.toString().replace(/\/$/, ""); // Remove trailing slash
+      parsedIssuer = new URL(trimmedIssuer);
     } catch (e) {
       return new Response(
         JSON.stringify({ 
@@ -35,7 +35,8 @@ export async function POST(context: APIContext) {
       );
     }
 
-    const discoveryUrl = `${cleanIssuer}/.well-known/openid-configuration`;
+    const issuerForDiscovery = trimmedIssuer.replace(/\/$/, "");
+    const discoveryUrl = `${issuerForDiscovery}/.well-known/openid-configuration`;
 
     try {
       // Fetch OIDC discovery document with timeout
@@ -52,9 +53,9 @@ export async function POST(context: APIContext) {
         });
       } catch (fetchError) {
         if (fetchError instanceof Error && fetchError.name === 'AbortError') {
-          throw new Error(`Request timeout: The OIDC provider at ${cleanIssuer} did not respond within 10 seconds`);
+          throw new Error(`Request timeout: The OIDC provider at ${trimmedIssuer} did not respond within 10 seconds`);
         }
-        throw new Error(`Network error: Could not connect to ${cleanIssuer}. Please verify the URL is correct and accessible.`);
+        throw new Error(`Network error: Could not connect to ${trimmedIssuer}. Please verify the URL is correct and accessible.`);
       } finally {
         clearTimeout(timeoutId);
       }
@@ -63,7 +64,7 @@ export async function POST(context: APIContext) {
         if (response.status === 404) {
           throw new Error(`OIDC discovery document not found at ${discoveryUrl}. For Authentik, ensure you're using the correct application slug in the URL.`);
         } else if (response.status >= 500) {
-          throw new Error(`OIDC provider error (${response.status}): The server at ${cleanIssuer} returned an error.`);
+          throw new Error(`OIDC provider error (${response.status}): The server at ${trimmedIssuer} returned an error.`);
         } else {
           throw new Error(`Failed to fetch discovery document (${response.status}): ${response.statusText}`);
         }
@@ -73,12 +74,12 @@ export async function POST(context: APIContext) {
       try {
         config = await response.json();
       } catch (parseError) {
-        throw new Error(`Invalid response: The discovery document from ${cleanIssuer} is not valid JSON.`);
+        throw new Error(`Invalid response: The discovery document from ${trimmedIssuer} is not valid JSON.`);
       }
 
       // Extract the essential endpoints
       const discoveredConfig = {
-        issuer: config.issuer || cleanIssuer,
+        issuer: config.issuer || trimmedIssuer,
         authorizationEndpoint: config.authorization_endpoint,
         tokenEndpoint: config.token_endpoint,
         userInfoEndpoint: config.userinfo_endpoint,
@@ -88,7 +89,7 @@ export async function POST(context: APIContext) {
         responseTypes: config.response_types_supported || ["code"],
         grantTypes: config.grant_types_supported || ["authorization_code"],
         // Suggested domain from issuer
-        suggestedDomain: new URL(cleanIssuer).hostname.replace("www.", ""),
+        suggestedDomain: parsedIssuer.hostname.replace("www.", ""),
       };
 
       return new Response(JSON.stringify(discoveredConfig), {

src/pages/api/sso/providers.ts

@@ -82,11 +82,10 @@ export async function POST(context: APIContext) {
       );
     }
 
-    // Clean issuer URL (remove trailing slash); validate format
-    let cleanIssuer = issuer;
+    // Validate issuer URL format but keep trailing slash if provided
+    const trimmedIssuer = issuer.toString().trim();
     try {
-      const issuerUrl = new URL(issuer.toString().trim());
-      cleanIssuer = issuerUrl.toString().replace(/\/$/, "");
+      new URL(trimmedIssuer);
     } catch {
       return new Response(
         JSON.stringify({ error: `Invalid issuer URL format: ${issuer}` }),
@@ -99,7 +98,7 @@ export async function POST(context: APIContext) {
 
     let normalized;
     try {
-      normalized = await normalizeOidcProviderConfig(cleanIssuer, {
+      normalized = await normalizeOidcProviderConfig(trimmedIssuer, {
         clientId,
         clientSecret,
         authorizationEndpoint,
@@ -134,7 +133,7 @@ export async function POST(context: APIContext) {
       .insert(ssoProviders)
       .values({
         id: nanoid(),
-        issuer: cleanIssuer,
+        issuer: trimmedIssuer,
         domain,
         oidcConfig: JSON.stringify(storedOidcConfig),
         userId: user.id,
@@ -213,12 +212,10 @@ export async function PUT(context: APIContext) {
 
     // Parse existing config
     const existingConfig = JSON.parse(existingProvider.oidcConfig);
-    const effectiveIssuer = issuer || existingProvider.issuer;
+    const effectiveIssuer = issuer?.toString().trim() || existingProvider.issuer;
 
-    let cleanIssuer = effectiveIssuer;
     try {
-      const issuerUrl = new URL(effectiveIssuer.toString().trim());
-      cleanIssuer = issuerUrl.toString().replace(/\/$/, "");
+      new URL(effectiveIssuer);
     } catch {
       return new Response(
         JSON.stringify({ error: `Invalid issuer URL format: ${effectiveIssuer}` }),
@@ -244,7 +241,7 @@ export async function PUT(context: APIContext) {
 
     let normalized;
     try {
-      normalized = await normalizeOidcProviderConfig(cleanIssuer, mergedConfig);
+      normalized = await normalizeOidcProviderConfig(effectiveIssuer, mergedConfig);
     } catch (error) {
       if (error instanceof OidcConfigError) {
         return new Response(
@@ -266,7 +263,7 @@ export async function PUT(context: APIContext) {
     const [updatedProvider] = await db
       .update(ssoProviders)
       .set({
-        issuer: cleanIssuer,
+        issuer: effectiveIssuer,
         domain: domain || existingProvider.domain,
         oidcConfig: JSON.stringify(storedOidcConfig),
         organizationId: organizationId !== undefined ? organizationId : existingProvider.organizationId,