Lightweight alternative to better-auth for simple OIDC authentication + access tokens + sessions?
Typically, our apps look like this: SvelteKit as bff, .net backend that does the heavy lifting (Bearer token auth), Keycloak or Entra ID handling users and issuing ID/access/refresh tokens. The SvelteKit app authenticates users with Keycloak/Entra, creates a db backed session (session id in cookie) and stores encrypted access/refresh tokens that are used to access the .net API from the SK server side only.
Our implementation uses oidc-client for the critical OIDC stuff and hand rolls session management and race condition free token refresh. Maybe 400 lines of user land code including the Drizzle db schema.
While I don't mind the free hundred LOCs we basically copy over to the next project, I'm always looking to reduce boiler plate code.
So I had a look at better-auth, as it's a "blessed" lib in SvelteKit land. But man is it bloated for my use case. I don't need a client side lib and I certainly don't want all those API endpoint exposed without a simple way to disable them. I don't need user management, we have Keycloak for that. It does session management but is not able to refresh tokens in a way that handles race conditions when refresh tokens are single use. And instead you get dependencies to a lot of libraries of dubious necessity.
Arctic doesn't add much to what we can easily do with oidc-client. It does not add session management.
So is there something you people use that does this:
- implement OIDC login
- securely store access/refresh tokens
- implement sessions (db storage + cookie)
- handle token refresh with single use refresh tokens
Or am I better off rolling our own solution, which hands down works flawlessly and only adds oidc-client as a dependency?