Problem
Sign-in is effectively hardwired to Google. web/src/lib/auth.ts only wires socialProviders.google, gated on GOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET. When unconfigured, web/src/components/auth-config-needed.tsx (rendered on app/page.tsx) tells the operator to set up Google, and the only path to any other IdP is a "Prefer a different provider? Edit socialProviders in web/src/lib/auth.ts" escape hatch — i.e. edit source code.
For a self-hosted product where the operator's IdP is GitHub / Microsoft Entra / Okta / Auth0 / Keycloak, "go edit a TypeScript file and rebuild" is the wrong install experience.
(Bug to fix along the way: that component hardcodes http://localhost:3001/api/auth/callback/google as the redirect URI instead of deriving it from the actual origin / BETTER_AUTH_URL.)
Proposal
Let the operator choose and enable auth provider(s) at install/onboarding (config-driven, no source edits), then render provider-specific setup instructions for the chosen provider(s) on the configuration-needed screen.
Acceptance criteria
- A config-driven way to select enabled providers (e.g. AUTH_PROVIDERS=google,github env, or an onboarding selection) — no editing auth.ts.
- auth.ts builds socialProviders from the enabled set + each provider's env vars, generalized beyond Google.
- The "configuration needed" screen renders instructions for the selected provider(s): the exact redirect URI (derived from the real origin, not hardcoded localhost:3001), the env vars to set, and a link to that provider's docs.
- Cover better-auth's native providers (Google, GitHub, Microsoft/Entra, Apple, Discord, …) plus the generic OIDC adapter for Okta / Auth0 / Keycloak.
- .env.example documents the provider-selection var + the per-provider env vars.
Pointers
- web/src/lib/auth.ts (~L13–26) — current Google-only socialProviders.
- web/src/components/auth-config-needed.tsx — the Google-centric "Configuration needed" UI + the localhost:3001 redirect bug + the "edit source" fallback.
- web/src/app/page.tsx — renders the gate.
Surfaced standing up the internal instance: a healthy deploy is unusable until an IdP is configured, and only Google has a non-source-edit path.
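A sketch of the config-driven selection and redirect-URI derivation proposed above, as an added example that is not the project's code. Assumptions: the helper names, the `<PROVIDER>_CLIENT_ID` / `<PROVIDER>_CLIENT_SECRET` naming generalized from the Google variables, the `/api/auth/callback/<provider>` path generalized from the Google callback, and the rule that BETTER_AUTH_URL is a bare origin.

```typescript
// Added example: hypothetical helpers, not the project's auth.ts.
type Env = Record<string, string | undefined>;
type ProviderConfig = { clientId: string; clientSecret: string; redirectUri: string };

// Allowlist of provider ids this build accepts (assumed ids for providers named in the issue).
const KNOWN_PROVIDERS: Record<string, true> = {
  google: true, github: true, microsoft: true, apple: true, discord: true,
};

// Derive the callback from the configured base URL, never from a request Host header,
// so a spoofed Host cannot change the redirect URI shown to (or used by) the operator.
function deriveRedirectUri(baseUrl: string, provider: string): string {
  const m = /^(https?):\/\/([^\/\s?#@]+)\/*$/.exec(baseUrl.trim());
  if (!m) throw new Error("BETTER_AUTH_URL must be an absolute http(s) origin");
  const isLocal = /^(localhost|127\.0\.0\.1)(:\d+)?$/.test(m[2]);
  if (m[1] === "http" && !isLocal) {
    throw new Error("BETTER_AUTH_URL must use https outside localhost");
  }
  return `${m[1]}://${m[2]}/api/auth/callback/${provider}`;
}

// Build the enabled provider map from AUTH_PROVIDERS plus per-provider env vars.
// `missing` lists the env vars the configuration-needed screen should ask for.
function buildSocialProviders(env: Env): { providers: Record<string, ProviderConfig>; missing: string[] } {
  const ids = (env.AUTH_PROVIDERS || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter((s) => s !== "");
  const providers: Record<string, ProviderConfig> = {};
  const missing: string[] = [];
  for (const id of ids) {
    // Fail closed on typos or unsupported ids instead of silently skipping them.
    if (!Object.prototype.hasOwnProperty.call(KNOWN_PROVIDERS, id)) {
      throw new Error(`unknown auth provider: ${id}`);
    }
    const prefix = id.toUpperCase();
    const clientId = env[`${prefix}_CLIENT_ID`];
    const clientSecret = env[`${prefix}_CLIENT_SECRET`];
    if (!clientId) missing.push(`${prefix}_CLIENT_ID`);
    if (!clientSecret) missing.push(`${prefix}_CLIENT_SECRET`);
    // A provider is enabled only when both credentials are present.
    if (clientId && clientSecret) {
      const redirectUri = deriveRedirectUri(env.BETTER_AUTH_URL || "", id);
      providers[id] = { clientId, clientSecret, redirectUri };
    }
  }
  return { providers, missing };
}
```

The returned `missing` list names only the variables, so the setup screen can render it without ever echoing a secret value.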