fix(oauth-provider): customIdTokenClaims should override standard claims#7865
Merged
himself65 merged 3 commits intobetter-auth:canaryfrom Mar 3, 2026
Merged
Conversation
|
@gustavovalverde is attempting to deploy a commit to the better-auth Team on Vercel. A member of the Team first needs to authorize it. |
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes id_token claim merging so customIdTokenClaims correctly overrides overlapping standard OIDC profile claims, aligning createIdToken() behavior with the existing userinfo endpoint.
Changes:
- Swap spread order in
createIdToken()socustomIdTokenClaimstakes precedence overuserNormalClaims. - Add a regression test asserting custom
given_name/family_namevalues are preserved inid_tokenwhenprofilescope is requested.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
packages/oauth-provider/src/token.ts |
Adjusts id_token payload merge order so custom claims override standard derived claims. |
packages/oauth-provider/src/token.test.ts |
Adds a regression test covering custom-claim precedence for overlapping profile claims in id_token. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
@better-auth/api-key
better-auth
auth
@better-auth/core
@better-auth/drizzle-adapter
@better-auth/electron
@better-auth/expo
@better-auth/i18n
@better-auth/kysely-adapter
@better-auth/memory-adapter
@better-auth/mongo-adapter
@better-auth/oauth-provider
@better-auth/passkey
@better-auth/prisma-adapter
@better-auth/redis-storage
@better-auth/scim
@better-auth/sso
@better-auth/stripe
@better-auth/telemetry
@better-auth/test-utils
commit: |
Contributor
|
LGTM |
In createIdToken, the payload was built as { ...customClaims, ...userClaims },
causing userNormalClaims to overwrite values returned by customIdTokenClaims.
This is incorrect because custom claims should take precedence over auto-derived
standard claims (e.g., given_name/family_name derived from user.name).
Swap the spread order to { ...userClaims, ...customClaims } so that
customIdTokenClaims values win. The userinfo endpoint already had the correct
order ({ ...baseUserClaims, ...additionalInfoUserClaims }).
Adds a test verifying custom claims override profile-derived claims in id_token.
Add setup assertions for client_secret and redirect_uris in beforeAll. Add redirect URL and authorization code assertions before token exchange.
3b59fad to
a6e52e4
Compare
|
|
Contributor
Author
|
cc: @himself65 this one should be pretty straightforward |
Contributor
Author
|
@himself65 just in case, this is marking the PR as CLA pending, but it's signed. Also, this is technically a one liner, it's just a bigger PR because of the test |
Contributor
|
Closing: CLA has not been signed. Please sign the CLA and reopen or submit a new PR if you'd like to continue. Thanks! |
Contributor
Author
|
I did sign the CLA @himself65 Why close the PR? |
Contributor
|
Sorry, badge didn't update |
himself65
approved these changes
Mar 3, 2026
himself65
pushed a commit
that referenced
this pull request
Mar 3, 2026
5 tasks
himself65
pushed a commit
that referenced
this pull request
Mar 3, 2026
gustavovalverde
added a commit
to gustavovalverde/better-auth
that referenced
this pull request
Mar 16, 2026
Move auth_time and acr assignments before the customClaims spread in createIdToken, so that customIdTokenClaims can override these values. Follow-up to better-auth#7865 which fixed userClaims vs customClaims order but left acr/auth_time after the spread.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
customIdTokenClaimsvalues are overwritten by standarduserNormalClaimsin the id_token payload due to incorrect spread order increateIdToken().The
userInfoEndpointalready has the correct order ({ ...baseUserClaims, ...additionalInfoUserClaims }), butcreateIdToken()had them reversed ({ ...customClaims, ...userClaims }), making custom claims ineffective when they overlap with standard profile claims likegiven_nameorfamily_name.Fix
Swap the spread order in
createIdToken()so custom claims take precedence over auto-derived standard claims, matching the existinguserInfoEndpointbehavior.Test
Added a test that configures
customIdTokenClaimsreturning customgiven_name,family_name, andcustom_field, then verifies the id_token contains the custom values rather than the auto-derived ones.Fixes #7864
Summary by cubic
Fixes id_token claim precedence so customIdTokenClaims override standard profile claims. Matches userInfo endpoint behavior.
Written for commit 3f64dce. Summary will update on new commits.