oauth-provider: well-known endpoints should be mountable at origin root for spec compliance

[gustavovalverde]

The oauth-provider plugin mounts /.well-known/oauth-authorization-server and /.well-known/openid-configuration endpoints under the base path (e.g., /api/auth/.well-known/openid-configuration).

Per RFC 8414 Section 3 and OpenID Connect Discovery 1.0 Section 4, these endpoints must be located at the origin root when the issuer has no path component:

"Authorization servers supporting metadata MUST make a JSON document containing metadata [...] available at a path formed by inserting a well-known URI string into the authorization server's issuer identifier between the host component and the path component, if any."
— RFC 8414 Section 3

"OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer."
— OpenID Connect Discovery 1.0 Section 4

The current implementation uses SERVER_ONLY metadata and prints warnings asking developers to set up reverse-proxy rules manually.

Describe the solution you'd like

Add a publicEndpoints plugin feature that mounts endpoints at the origin root instead of under the base path.

This would require:

1. Add publicEndpoints field to the plugin type definition
2. Add a publicRouter that mounts at "/" instead of the base path
3. Migrate well-known endpoints from endpoints to publicEndpoints

// Current (mounted at /api/auth/.well-known/...)
endpoints: {
  getOpenIdConfig: createAuthEndpoint("/.well-known/openid-configuration", ...)
}

// Proposed (mounted at /.well-known/...)
publicEndpoints: {
  getOpenIdConfig: createAuthEndpoint("/.well-known/openid-configuration", ...)
}

Describe alternatives you've considered

1. Keep current approach - Developers manually configure nginx/proxy rules. Works but adds setup friction.

2. Configuration option - Add an option like mountWellKnownAtRoot: true (default false) to opt-in. Safest but requires explicit configuration.

Additional context

Affected endpoints:

• /.well-known/oauth-authorization-server (RFC 8414)
• /.well-known/openid-configuration (OpenID Connect Discovery)
• /.well-known/oauth-protected-resource (in mcp.ts)

References:

• RFC 8414 - OAuth 2.0 Authorization Server Metadata
• OpenID Connect Discovery 1.0
• RFC 5785 - Defining Well-Known URIs

[better-auth-agent]

It sounds like you're raising an important issue regarding the OAuth provider and well-known endpoints compliance with specifications. Currently, the oauth-provider plugin mounts endpoints such as /.well-known/oauth-authorization-server and /.well-known/openid-configuration under a base path instead of the origin root. As per RFC 8414 and OpenID Connect Discovery specifications, these must be located at the root when the issuer lacks a path component.

Your proposed solution to add a publicEndpoints field to mount these endpoints correctly is well-aligned with compliance needs. It’s a viable approach and addresses the friction in setup caused by requiring developers to configure manual reverse-proxy rules.

Next steps could include discussing this feature request with the team and gathering more feedback from the community on potential implications of this change or exploring how multiple configuration options might impact existing implementations.

In the meantime, would you like assistance with specific implementation details or perhaps exploring alternatives to your current setup?

If you need more help, tag @better-auth-agent in a comment so I can respond.

Diagram • Discord • GitHub

[Bekacru]

I think the best approach is to call auth.api under the root path. Mounting Better Auth at the root creates a lot of confusion, and since most users use Better Auth alongside an existing app, it’s likely to cause conflicts.

[himself65]

See our demo https://github.com/better-auth/better-auth/tree/canary/demo/nextjs/app/.well-known

Due to our design issue. We don't want to mount endpoints on the root level. So you should do that manually.

[gustavovalverde]

Mounting Better Auth at the root creates a lot of confusion

@Bekacru @himself65 What I'm proposing is not to mount Better Auth at root. Only /.well-known/* paths would be intercepted (per RFC 5785), and this would work transparently; without additional configurations. Consider this is just an option for plugins.

I'll open a PR so you can better visualize what I'm proposing (I already have this working without issues on my side, and not breaking changes were added to better auth).

[gustavovalverde]

Due to our design issue. We don't want to mount endpoints on the root level. So you should do that manually.

One side effect (and a great benefit) of this approach from #7524 is that users are not required to mount a reverse proxy just for the sake of having a spec compliant plugin for OIDC.

[gustavovalverde]

Just re-pinging here as a follow-up @himself65 @Bekacru

If needed, I can demo this or even hop on a call or open a discussion in Discord to better explain this. This has 0 impact in the existing better-auth behavior, and allows to create compliant plugins (which I have a few waiting for this)