u/pico2000

Lightweight alternative to better-auth for simple OIDC authentication + access tokens + sessions?

Typically, our apps look like this: SvelteKit as bff, .net backend that does the heavy lifting (Bearer token auth), Keycloak or Entra ID handling users and issuing ID/access/refresh tokens. The SvelteKit app authenticates users with Keycloak/Entra, creates a db backed session (session id in cookie) and stores encrypted access/refresh tokens that are used to access the .net API from the SK server side only.

Our implementation uses oidc-client for the critical OIDC stuff and hand rolls session management and race condition free token refresh. Maybe 400 lines of user land code including the Drizzle db schema.

While I don't mind the free hundred LOCs we basically copy over to the next project, I'm always looking to reduce boiler plate code.

So I had a look at better-auth, as it's a "blessed" lib in SvelteKit land. But man is it bloated for my use case. I don't need a client side lib and I certainly don't want all those API endpoint exposed without a simple way to disable them. I don't need user management, we have Keycloak for that. It does session management but is not able to refresh tokens in a way that handles race conditions when refresh tokens are single use. And instead you get dependencies to a lot of libraries of dubious necessity.

Arctic doesn't add much to what we can easily do with oidc-client. It does not add session management.

So is there something you people use that does this:

- implement OIDC login

- securely store access/refresh tokens

- implement sessions (db storage + cookie)

- handle token refresh with single use refresh tokens

Or am I better off rolling our own solution, which hands down works flawlessly and only adds oidc-client as a dependency?

reddit.com
u/pico2000 — 16 hours ago