[BUG] SSO module looking for non-existent ID claim

[steveiliop56]

Is this suited for github?

• Yes, this is suited for github

To Reproduce

Using an OIDC server like Tinyauth (which does not include the user-info claims in the ID token), set-up a demo application with SSO and try to login. You will be greeted with the error=invalid_provider&error_description=missing_user_info error.

Current vs. Expected behavior

Looking through the code, specifically here:

better-auth/packages/sso/src/routes/sso.ts

Lines 1714 to 1720 in 425c6ab

	if (!userInfo.email || !userInfo.id) {
	throw ctx.redirect(
	`${
	errorURL || callbackURL
	}?error=invalid_provider&error_description=missing_user_info`,
	);
	}

Seems like better-auth is trying to extract some id claim from the user-info endpoint. However, according to Section 5.1 of the OIDC specification, the OIDC server is not obligated to return such claim. Normally, better-auth should be looking for the sub claim (containing the ID of the user that remains static despite of profile changes) instead of an id one.

I am guessing that since most OIDC providers include the claims in the ID token (which is not required according to Section 2), the user-info extraction logic from the ID token happens first and thus there is no need to check the user-info endpoint which would most likely fail.

What version of Better Auth are you using?

1.5.0

System info

Not relevant to the issue.

Which area(s) are affected? (Select all that apply)

Client

Auth config (if applicable)

Not applicable.

Additional context

No response

[dosubot]

Hi @steveiliop56! I'm Dosu and I’m helping the better-auth team.

Your analysis is correct - this is a valid OIDC compliance bug. The issue is that Better Auth handles ID tokens and UserInfo endpoint responses inconsistently:

ID Token path (working correctly): Uses sub claim by default with configurable mapping:

id: idToken[mapping.id || "sub"],  // ✅ Correctly uses 'sub'

UserInfo endpoint path (the bug): Directly assigns the response without any mapping, then checks for userInfo.id which doesn't exist in standard OIDC responses that return sub.

Workaround: You can override getUserInfo in your provider configuration to map sub to id:

getUserInfo: async (token) => {
  const response = await fetch(providerConfig.userInfoEndpoint, {
    headers: { Authorization: `Bearer ${token.accessToken}` }
  });
  const data = await response.json();
  
  return {
    user: {
      id: data.sub,  // Map 'sub' to 'id'
      email: data.email,
      name: data.name,
      image: data.picture,
      emailVerified: data.email_verified ?? false,
    },
    data,
  };
}

Alternatively, if you can configure Tinyauth to include all claims in the ID token itself, Better Auth will use the ID token path (which handles sub correctly) and avoid this bug entirely.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}