Highlights
🐛 Fixes #306 — SSO login bounce. OIDC sign-in (Authentik, Keycloak, etc.) now successfully links the SSO identity to an existing email/password account instead of bouncing to /login with ?error=UNKNOWN. See docs/SSO-OIDC-SETUP.md → Account Linking for the new trust model.
⚠️ Breaking — OAuth provider migration. The deprecated oidcProvider plugin has been replaced with @better-auth/oauth-provider. The migration preserves your registered OAuth clients but stores secrets hashed instead of plaintext. You must rotate the client secret of any OAuth application you registered before relying parties can authenticate again.
Upgrade notes
- SSO operators: in each SSO provider's settings, verify the Domain field matches the email domain your IdP issues identities for. Auto-linking to an existing email/password account is now scoped to that domain, so set it only to a domain the IdP is actually authoritative for.
- OAuth provider users: after upgrade, rotate the client secret for any registered application via the provider settings, then update the relying party.
- Authentik with `email_verified: False` (Authentik's default scope mapping) is now handled automatically; no scope-mapping change is required on the Authentik side.
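To make the new trust model concrete for the SSO and Authentik notes above, here is an added example (not code from this project or from better-auth) of a domain-scoped linking decision: the IdP configured for a Domain is treated as authoritative for addresses in that domain only, and the `email_verified` claim does not enter into the decision, which is what lets an Authentik IdP sending `email_verified: False` still link. The `provider.domain` field, `decideLink`, the lookup callback and the sample claims are assumptions made for this illustration.

```javascript
// Added illustration of domain-scoped SSO account linking; not the project's code.
// Assumed shapes: provider = { id, domain }, claims = decoded ID-token claims,
// findUserByEmail(email) returns an account record or null.

// Lower-cased domain part of an email address, or null if the address is malformed.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Decide what to do with an OIDC sign-in. Returns one of:
//   { action: "link", userId }    attach the SSO identity to the existing account
//   { action: "create" }          no account for this address yet; provision one
//   { action: "reject", reason }  the claimed address is outside the provider's trusted domain
// The email_verified claim is deliberately ignored: trust comes from the
// operator-configured Domain of the provider that issued the token, not from
// a claim the IdP (e.g. Authentik by default) may set to false.
function decideLink(claims, provider, findUserByEmail) {
  const domain = emailDomain(claims.email);
  if (!domain) {
    return { action: "reject", reason: "missing or malformed email claim" };
  }
  if (domain !== provider.domain.toLowerCase()) {
    return { action: "reject", reason: `email domain ${domain} is not trusted for provider ${provider.id}` };
  }
  const existing = findUserByEmail(claims.email.toLowerCase());
  if (existing) return { action: "link", userId: existing.id };
  return { action: "create" };
}

// Constructed sample data: a hypothetical provider and one existing password account.
const authentik = { id: "authentik-corp", domain: "example.com" };
const rogueIdp = { id: "partner-idp", domain: "partner.example" };
const users = new Map([["alice@example.com", { id: "u1", hasPassword: true }]]);
const findUserByEmail = (email) => users.get(email) ?? null;

// Issue #306 shape: existing password account, IdP says email_verified: false.
const linked = decideLink(
  { sub: "7f2a", email: "Alice@example.com", email_verified: false }, authentik, findUserByEmail);

// A second, differently scoped provider asserting an example.com address must not
// be allowed to take over alice's account, however confident its claims look.
const blocked = decideLink(
  { sub: "9c01", email: "alice@example.com", email_verified: true }, rogueIdp, findUserByEmail);

// Trusted domain, but no existing account: provision rather than link.
const fresh = decideLink({ sub: "1b77", email: "bob@example.com" }, authentik, findUserByEmail);
```

The `blocked` case is the check an operator is relying on when they set the Domain field: without it, any SSO provider an admin ever configured could assert an address belonging to another provider's users and be auto-linked to that account.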
What's Changed
Full Changelog: v3.16.3...v3.17.0