OAuth Providers
Configure OAuth providers like Google and GitHub
Overview
This template supports OAuth authentication with Google and GitHub providers through Better-Auth.
Supported Providers
| Provider | Status | Setup Required |
|---|---|---|
| ✅ Active | Environment variables + OAuth app | |
| GitHub | ✅ Active | Environment variables + OAuth app |
Google OAuth Setup
1. Create Google OAuth App
Go to Google Cloud Console
Visit Google Cloud Console
Create or Select Project
Create a new project or select an existing one
Enable Google+ API
Navigate to APIs & Services → Enable APIs and Services → Search for "Google+ API" → Enable
Create OAuth Credentials
- Go to Credentials → Create Credentials → OAuth 2.0 Client ID
- Configure OAuth consent screen if prompted
- Application type: Web application
- Add authorized redirect URI:
https://your-app.com/api/auth/callback/google - For development, also add:
http://localhost:3000/api/auth/callback/google
Copy Credentials
Copy the Client ID and Client Secret
2. Configure Environment Variables
Add to .env.local:
GOOGLE_CLIENT_ID="your-google-client-id.apps.googleusercontent.com"
GOOGLE_CLIENT_SECRET="your-google-client-secret"3. Test Google Login
- Start your development server
- Navigate to the login page
- Click "Continue with Google"
- Authorize the application
- You should be redirected back and logged in
GitHub OAuth Setup
1. Create GitHub OAuth App
Go to GitHub Settings
Visit GitHub → Settings → Developer settings
Create OAuth App
- Navigate to OAuth Apps → New OAuth App
- Fill in the form:
- Application name: Your App Name
- Homepage URL:
https://your-app.com - Authorization callback URL:
https://your-app.com/api/auth/callback/github
- For development, use:
- Homepage URL:
http://localhost:3000 - Authorization callback URL:
http://localhost:3000/api/auth/callback/github
- Homepage URL:
Copy Credentials
Copy the Client ID and generate a new Client Secret
2. Configure Environment Variables
Add to .env.local:
GITHUB_CLIENT_ID="your-github-client-id"
GITHUB_CLIENT_SECRET="your-github-client-secret"3. Test GitHub Login
- Start your development server
- Navigate to the login page
- Click "Continue with GitHub"
- Authorize the application
- You should be redirected back and logged in
Using OAuth in Components
Login Form with Social Providers
import { FormLogin } from "@/features/auth/components";
<FormLogin
onSuccess={() => router.push(PageDashboard())}
showSocialProviders={true}
/>Manual OAuth Trigger
"use client";
import { authClient } from "@/lib/auth/client";
import { PageDashboard } from "@/routes";
import { Button } from "@/components/ui/button";
import { Icon } from "@/components/ui/icon";
export function SocialLogin() {
const handleGoogleLogin = async () => {
await authClient.signIn.social({
provider: "google",
callbackURL: PageDashboard(),
});
};
const handleGitHubLogin = async () => {
await authClient.signIn.social({
provider: "github",
callbackURL: PageDashboard(),
});
};
return (
<div className="space-y-2">
<Button onClick={handleGoogleLogin} variant="outline" className="w-full">
<Icon iconKey="BrandGoogle" className="mr-2" />
Continue with Google
</Button>
<Button onClick={handleGitHubLogin} variant="outline" className="w-full">
<Icon iconKey="BrandGithub" className="mr-2" />
Continue with GitHub
</Button>
</div>
);
}OAuth Flow
Authentication Flow
- User clicks "Continue with [Provider]"
- User redirected to provider's authorization page
- User authorizes the application
- Provider redirects back with authorization code
- Server exchanges code for access token
- User profile fetched from provider
- User account created or linked
- Session created and user logged in
- Redirect to callback URL
Account Linking
If a user signs in with OAuth and an account with that email already exists:
- Auto-link: Account is automatically linked if email is verified
- Manual link: User prompted to link accounts
OAuth Data Stored
When a user signs in with OAuth, the following data is stored:
| Field | Description |
|---|---|
providerId | Provider name (google, github) |
accountId | Provider's user ID |
email | User's email |
name | User's full name |
image | Profile picture URL |
Manage OAuth Connections
Link/Unlink Providers
import { FormManageProviders } from "@/features/auth/components";
<FormManageProviders />This component allows users to:
- View linked OAuth accounts
- Link new OAuth providers
- Unlink OAuth providers (if password is set)
Security Considerations
1. Callback URL Validation
Always validate callback URLs match your domain:
// In OAuth callback handler
const allowedCallbacks = [
"https://your-app.com",
"http://localhost:3000", // Dev only
];2. State Parameter
Better-Auth automatically handles CSRF protection via the state parameter.
3. Scope Limitations
Only request necessary scopes:
- Google:
email,profile - GitHub:
user:email
4. Email Verification
OAuth emails are automatically marked as verified since they're verified by the provider.
Troubleshooting
Redirect URI Mismatch
Error: redirect_uri_mismatch
Solution:
- Check the redirect URI in provider settings exactly matches
- Include protocol (http/https)
- No trailing slashes
- Match port number in development
Invalid Client
Error: invalid_client
Solution:
- Verify
CLIENT_IDandCLIENT_SECRETare correct - Check environment variables are loaded
- Restart development server after adding variables
OAuth Not Working in Production
Checklist:
- Update
BETTER_AUTH_URLto production domain - Add production callback URL to provider settings
- Use HTTPS in production
- Check environment variables are set in deployment
User Email Not Available
Some providers may not return email if:
- Email is not verified on provider
- Email permission not granted
- Email scope not requested
Adding More Providers
Better-Auth supports many OAuth providers. To add more:
- Install provider package if needed
- Add provider configuration to
src/lib/auth/server.ts - Add environment variables
- Update UI components to include new provider
See Better-Auth documentation for more providers.