From f6382ead872de3697995ccee05b6c51c8be8e834 Mon Sep 17 00:00:00 2001
From: Till-JS <101404291+Till-JS@users.noreply.github.com>
Date: Wed, 28 Jan 2026 17:10:41 +0100
Subject: [PATCH] fix(auth): map OIDC routes to Better Auth's /api/auth/oauth2/* paths
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Better Auth's OIDC Provider plugin uses routes under /api/auth/oauth2/ rather than /api/oidc/. This commit maps incoming routes correctly:
- /.well-known/openid-configuration → /api/auth/.well-known/openid-configuration
- /api/oidc/* → /api/auth/oauth2/*
Co-Authored-By: Claude Opus 4.5
---
 .../src/auth/services/better-auth.service.ts | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/services/mana-core-auth/src/auth/services/better-auth.service.ts b/services/mana-core-auth/src/auth/services/better-auth.service.ts
index e8ce9274e..0943ee3d3 100644
--- a/services/mana-core-auth/src/auth/services/better-auth.service.ts
+++ b/services/mana-core-auth/src/auth/services/better-auth.service.ts
@@ -1195,6 +1195,14 @@ export class BetterAuthService {
 * This method converts an Express request to a Fetch Request,
 * passes it to Better Auth's handler, and returns the response.
 *
+ * Better Auth's OIDC Provider uses routes under /api/auth/oauth2/
+ * so we need to map incoming routes accordingly:
+ * - /.well-known/openid-configuration → /api/auth/.well-known/openid-configuration
+ * - /api/oidc/authorize → /api/auth/oauth2/authorize
+ * - /api/oidc/token → /api/auth/oauth2/token
+ * - /api/oidc/userinfo → /api/auth/oauth2/userinfo
+ * - /api/oidc/jwks → /api/auth/oauth2/jwks
+ *
 * @param req - Express request
 * @returns Response data from Better Auth
 */
@@ -1205,9 +1213,23 @@ export class BetterAuthService {
 }> {
 console.log('[handleOidcRequest] Received request:', req.method, req.originalUrl);
 try {
+ // Map incoming paths to Better Auth's expected paths
+ let mappedPath = req.originalUrl;
+
+ // Map .well-known to Better Auth's basePath
+ if (mappedPath.startsWith('/.well-known/')) {
+ mappedPath = `/api/auth${mappedPath}`;
+ }
+ // Map /api/oidc/* to /api/auth/oauth2/*
+ else if (mappedPath.startsWith('/api/oidc/')) {
+ mappedPath = mappedPath.replace('/api/oidc/', '/api/auth/oauth2/');
+ }
+
+ console.log('[handleOidcRequest] Mapped path:', mappedPath);
+
 // Convert Express request to Fetch Request
 const url = new URL(
- req.originalUrl,
+ mappedPath,
 this.configService.get('BASE_URL') ||
 `http://localhost:${this.configService.get('PORT') || 3001}`
 );
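Review bot: The mapping added here matches `req.originalUrl` by prefix only, so the path handed to Better Auth is not confined to the routes the doc comment lists: every `/.well-known/*` path is forwarded under `/api/auth`, and `new URL()` resolves dot segments after the `/api/oidc/` prefix has been swapped. I would check `url.pathname` against a fixed list once the URL is built and reject anything else, as in the sketch below; the entries are taken from the doc comment and may be incomplete. How a thrown error is reported depends on the `catch` of this `try`, which lies outside the hunk. The new `console.log` also writes the query string of every request to the log, and on the authorize route that includes `state` and similar parameters, so logging `url.pathname` instead would be safer.

```typescript
// … unchanged: prefix mapping into mappedPath and `const url = new URL(mappedPath, …)` …

// Validate the resolved pathname: new URL() has already normalised dot segments here.
const allowedOidcPaths = new Set([
	'/api/auth/.well-known/openid-configuration',
	'/api/auth/oauth2/authorize',
	'/api/auth/oauth2/token',
	'/api/auth/oauth2/userinfo',
	'/api/auth/oauth2/jwks',
]);
if (!allowedOidcPaths.has(url.pathname)) {
	throw new Error('Unsupported OIDC path');
}
console.log('[handleOidcRequest] Mapped path:', url.pathname);
```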