This is a demo application to show the usage of OIDC within Mumble.
This project uses Better Auth with the Generic OAuth plugin for authentication.
The following steps are necessary to authenticate against the Mumble API:
- A new organization for your team must be created within ZITADEL
- The API project must be granted by the ZITADEL admin
- Create your user within your own organization
- Create the project/application in your organization for your project(s) (e.g. Mumble NextJS Dev / Prod / Whatever)

    npm install

This project uses Better Auth with a SQLite database adapter. The database is required to store OAuth account data, including access tokens from Zitadel.
Important: A database adapter is necessary to persist OAuth access tokens. The in-memory adapter will not work for retrieving access tokens as it doesn't persist account data across requests.
Run the Better Auth migration to create the required database tables:

    npx better-auth migrate

This creates an auth.db file
The authentication is configured in lib/auth.ts using the Generic OAuth plugin with:
- PKCE enabled (pkce: true) - no client secret required
- Correct "audience" scope for Mumble API access:

      scopes: [
        "openid",
        "profile",
        "email",
        "urn:zitadel:iam:org:project:id:YOUR_PROJECT_ID:aud",
      ]
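
The PKCE exchange that `pkce: true` stands for, shown from both sides as an added example (not code from this demo project or from Better Auth). `AUTHORIZE_ENDPOINT`, `CLIENT_ID`, `REDIRECT_URI` and all function names are constructed placeholders; `YOUR_PROJECT_ID` is the placeholder used above.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Constructed placeholders (assumptions): take the real values from your ZITADEL instance.
const AUTHORIZE_ENDPOINT = "https://issuer.example/oauth/v2/authorize";
const CLIENT_ID = "example-client-id";
const REDIRECT_URI = "http://localhost:3000/callback";

// Scopes as listed on this page; the last one requests the API project as token audience.
const SCOPES = ["openid", "profile", "email",
  "urn:zitadel:iam:org:project:id:YOUR_PROJECT_ID:aud"];

// Client: 32 random bytes give a 43-character base64url verifier, kept until the callback.
function newVerifier(): string {
  return randomBytes(32).toString("base64url");
}

// S256 transform from RFC 7636: BASE64URL(SHA256(ASCII(verifier))).
function challengeFor(verifier: string): string {
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Client: the browser-visible request carries only the challenge, never the verifier.
function buildAuthorizeUrl(challenge: string, state: string): string {
  const params = new URLSearchParams({
    response_type: "code",
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope: SCOPES.join(" "),
    state,
    code_challenge: challenge,
    code_challenge_method: "S256",
  });
  return `${AUTHORIZE_ENDPOINT}?${params.toString()}`;
}

// Authorization server side: the code is redeemed only if the presented verifier
// hashes to the challenge stored with it. This check replaces the client secret.
function tokenEndpointAccepts(storedChallenge: string, presentedVerifier: string): boolean {
  // RFC 7636 limits verifiers to 43-128 unreserved characters.
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(presentedVerifier)) return false;
  return challengeFor(presentedVerifier) === storedChallenge;
}
```

An intercepted authorization code is useless without the verifier, which is why the verifier must stay out of URLs, logs and client-side storage.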

    npm run dev

Visit http://localhost:3000 and log in with your ZITADEL user.
- Authentication: Uses Better Auth's Generic OAuth plugin with Zitadel OIDC
- Session Management: Sessions are stored in SQLite with a 12-hour expiry
- Access Token Retrieval: The getAccessToken() function in lib/auth.ts retrieves the OAuth access token from the database
- API Calls: The access token is used to authorize requests to the Mumble API
Why SQLite is needed:
Better Auth stores OAuth account information (including access tokens) in the database. When using the in-memory adapter, this data is not persisted, which causes the getAccessToken() API to fail with "Account not found" errors.