acedergren/oracle-idcs-better-auth-setup
skills/oracle-idcs-better-auth-setup/SKILL.md
Use when setting up Better Auth with Oracle IDCS/OCI IAM, configuring OIDC callback URLs, trusted origins, provider bootstrap order, or sharing an auth model between Fastify and Next.js. Entry point for the full auth foundation — routes to bridge or provisioning skills when narrowed. Keywords: Oracle IDCS, OCI IAM, Better Auth, OIDC, Fastify auth, Next.js auth, callback URL, trusted origins, provider bootstrap.
$ install --global
skillsauthnpx skillsauth add acedergren/agentic-tools oracle-idcs-better-auth-setupInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
4 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
4
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 13, 2026, 4:11 AM149.0s4 files scanned
SKILL.md
- name:
- oracle-idcs-better-auth-setup
- description:
- Use when setting up Better Auth with Oracle IDCS/OCI IAM, configuring OIDC callback URLs, trusted origins, provider bootstrap order, or sharing an auth model between Fastify and Next.js. Entry point for the full auth foundation — routes to bridge or provisioning skills when narrowed. Keywords: Oracle IDCS, OCI IAM, Better Auth, OIDC, Fastify auth, Next.js auth, callback URL, trusted origins, provider bootstrap.
Oracle IDCS + Better Auth Setup
Entry skill for the full auth foundation: Oracle adapter, OIDC config, trusted origins, callback URLs, provider bootstrap, and cross-app consistency.
This is a router, not a deep implementation guide. Use it to diagnose where the problem lives, then hand off to the right skill.
NEVER
- Never mix full-stack setup guidance with Fastify bridge internals or org provisioning internals — each skill owns its domain.
- Never bootstrap providers from DB on cold-start — seed from env first, then reflect into Oracle provider tables for operator visibility.
- Never write provider bootstrap that overwrites existing operator-managed rows — idempotent create-if-missing only.
- Never skip
urn:opc:idm:__myscopes__from IDCS scopes — its absence silently removes thegroupsclaim from tokens, breaking all role-based logic downstream. - Never trust that OAuth success means local session success — wrong callback URL produces OAuth success followed by local session failure, a misleading failure mode.
Decision Tree: Which Skill Owns This?
Is the problem in the auth foundation (setup, config, bootstrap)?
├── Yes → Stay in this skill
Is the problem in runtime request/session handling in Fastify?
├── Yes → Switch to: fastify-better-auth-bridge
Is the problem in post-login membership, groups, or org_members writes?
├── Yes → Switch to: oracle-idcs-org-provisioning
Is the user unsure which layer the bug is in?
├── Yes → Use this skill to verify setup checklist first
Foundation Verification Order
When diagnosing setup issues, verify in this exact order (later items depend on earlier ones):
- Oracle adapter and Better Auth tables exist in DB
- IDCS confidential application uses the correct callback URL
- Scopes include
openid,email,profile,urn:opc:idm:__myscopes__ - Trusted origins and cookie attributes match the deployed app topology
- Env config can cold-start auth before DB-managed provider settings are edited
- Env-to-DB bootstrap is idempotent and never overwrites existing provider rows
Non-Obvious Setup Rules
Env-first bootstrap: Auth must be functional from env vars alone before provider rows exist in DB. Provider rows are for operator visibility, not for cold-start. If you invert this, auth breaks on first deploy before any DB seed runs.
Shared building blocks: Oracle adapter, cookie rules, IDCS profile mapper, and session hook behavior must be shared across Fastify and Next.js apps. Diverging these two causes subtle token/session inconsistencies that are hard to trace.
Naming stability: When the codebase already uses IDCS and OCI_IAM_* env var naming, keep it. Mixing naming schemes (e.g., introducing ORACLE_* vars) breaks scripts and makes the env matrix confusing.
Callback URL failure mode: A wrong callback URL looks like OAuth flow succeeds (IDCS redirects back) but local session creation fails immediately after. Check this before debugging anything else if login appears to "complete" but the user isn't authenticated.
Common Gotchas
| Symptom | Likely Cause |
|---------|-------------|
| No groups claim in token | Missing urn:opc:idm:__myscopes__ scope |
| OAuth succeeds, session fails | Wrong callback URL in IDCS app config |
| Provider rows wiped on deploy | Bootstrap logic not idempotent |
| Auth works locally, fails in prod | Trusted origins missing prod domain |
Scripts
# Validate all required env vars are set
node scripts/validate-idcs-env.js
# Print full setup checklist with current state
node scripts/print-auth-checklist.js
Arguments
$ARGUMENTS: Optional setup focus- Example:
/oracle-idcs-better-auth-setup callback-url - Example:
/oracle-idcs-better-auth-setup trusted-origins - If empty: audit the full shared auth setup flow
- Example:
Related Skills
acedergren/skills/api-audit
development
VerifiedTrustedCommunity
--- name: api-audit description: "Use when auditing API routes for schema drift, missing auth, or validation gaps. Scans routes against shared TypeScript types to find mismatches, missing middleware, and undocumented endpoints. Read-only — produces a severity-grouped report. Keywords: audit routes, schema drift, auth gaps, missing validation, type mismatch, orphaned schemas. Triggers on "audit API routes" or "find schema drift"." --- # API Route & Type Audit Skill ## When to Use Load this skil
14SKILL.mdUpdated Mar 26, 2026
acedergren/write-natural-swedish
development
VerifiedTrustedCommunity
Use when drafting, translating, polishing, or reviewing Swedish text so it sounds natural, fluent, contemporary, and appropriate for its audience. Triggers include "write better Swedish", "make this sound natural in Swedish", "translate into Swedish", "polish this Swedish", "tech company Swedish", "contemporary Swedish words", "Swedish developer docs", and "avoid Anglicisms".
13SKILL.mdUpdated May 13, 2026
acedergren/shadcn-svelte
development
VerifiedTrustedCommunity
Use when working with shadcn-svelte components, TanStack Table in Svelte 5, or Tailwind v4.1. Covers non-obvious reactivity bugs, library selection trade-offs, and migration pitfalls not in the official docs. Keywords: shadcn-svelte, TanStack Table, Tailwind v4.1, Svelte 5 runes, bits-ui, superforms, data table, svelte-check.
13SKILL.mdUpdated Mar 26, 2026
acedergren/oracle-idcs-org-provisioning
data-ai
VerifiedTrustedCommunity
Use when mapping IDCS claims to org membership after OAuth login succeeds. Covers mapProfileToUser, session.create.before, session.create.after hooks, MERGE INTO upserts, tenant-org mapping, and first-admin bootstrap. Keywords: IDCS groups, org_members, provisioning, session hooks, tenant map, MERGE INTO.
13SKILL.mdUpdated Mar 26, 2026