better_auth-oauth-provider 0.1.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7297666c2085bbacc7b4fbdd7d79c7abf8f34d53a1a4e5956a7ba47fc1572692
-  data.tar.gz: 35108fb4c887ba57d68a782b29abbac8fe6c192c229eebc8958029b37811d0b4
+  metadata.gz: 064ea232e262c58fa331b01d271cacace56d0787690411c0c10509573e97575c
+  data.tar.gz: fb803328e302b653dcdad4efbf0f40067a798964e0e0a6c3b830933eb297a942
 SHA512:
-  metadata.gz: e46b5e993d4df92e9722b9c69f11d9010f4ddb0ba4c9b5a4c5920aef38ebf89906c841669ba690b24ec7c2fb1bb444407d7047ebd47f8f5a08bdafab4a7af365
-  data.tar.gz: 92627c999ec60244099a2042e1259ddf44896f302db499fd40ebf32c1d317112e04d8f0543d83a336934b7032bbba42249af1931647dbea7832a78eb8f6ca034
+  metadata.gz: 531242dbca74547d088b8de6b7181a962e650725b6739743d1ccde257f28357f547b9f6d1c0fce32618dfaa74c94909a5fbeb8b86cb5bcc6e9a32bf585882b14
+  data.tar.gz: c3d2ad67c5e0ba91433f410accd11575a8e64f4057962c4217dfa591c14f73112fa87a382f5a2009b4427d45a67b964c2339350bcf8fb7d34613062c03e0c6c1

data/CHANGELOG.md

@@ -1,5 +1,19 @@
 # Changelog
 
+## Unreleased
+
+## 0.3.0 - 2026-04-30
+
+- Added upstream-parity support for provider init validation, request URI resolution, prompt handling, consent reference IDs, client references, custom token/id-token claims, scope-specific access-token expiry, M2M token defaults, userinfo JWT verification, and expanded introspection fields.
+- Aligned dynamic registration, admin client creation, authorization, consent, token, refresh, revoke, and userinfo behavior with upstream edge cases.
+- Expanded OAuth provider upstream parity tests across authorization, metadata, client privileges, pairwise endpoints, organization integration, prompts, rate limits, PKCE/token handling, and userinfo.
+
+## 0.2.0 - 2026-04-29
+
+- Aligned OAuth provider server behavior with upstream `@better-auth/oauth-provider` v1.6.9: upstream-shaped client and consent CRUD routes, server-only admin client routes, discovery metadata auth-method and signing-alg semantics, canonical access-token and consent schema, dynamic-registration PKCE defaults, refresh replay cascade revocation, rotate-secret response shape, and pairwise sector identifiers.
+- Added upstream-parity OAuth provider behavior for dynamic client registration controls, PKCE enforcement, consent management, client management, token prefixes, refresh rotation, JWT resource access tokens, pairwise subjects, userinfo claims, introspection/revocation hints, end-session, `/oauth2/continue`, metadata cache headers, conditional JWKS metadata, and rate limits.
+- Updated package and docs examples to use executable registration and token exchange flows.
+
 ## 0.1.0
 
 - Initial package skeleton for Better Auth OAuth provider.

data/README.md

@@ -2,17 +2,166 @@
 
 External OAuth provider plugin package for `better_auth`.
 
-Upstream ships OAuth provider as `@better-auth/oauth-provider`, separate from core plugin exports. This gem mirrors that boundary for Ruby.
+Upstream ships OAuth provider as `@better-auth/oauth-provider`, separate from core plugin exports. This gem mirrors that boundary for Ruby while keeping Ruby option names snake_case and upstream-compatible HTTP paths and JSON keys.
 
 ```ruby
 require "better_auth"
 require "better_auth/oauth_provider"
 
-BetterAuth.auth(
+auth = BetterAuth.auth(
+  secret: ENV.fetch("BETTER_AUTH_SECRET"),
+  base_url: "https://auth.example.com/api/auth",
   plugins: [
-    BetterAuth::Plugins.oauth_provider
+    BetterAuth::Plugins.oauth_provider(
+      scopes: ["openid", "profile", "email", "offline_access"],
+      consent_page: "/oauth2/consent",
+      allow_dynamic_client_registration: true
+    )
   ]
 )
 ```
 
+## Client Registration
+
+Dynamic registration is disabled by default. Enable it explicitly and call it with an authenticated session unless unauthenticated registration is also enabled.
+
+```ruby
+client = auth.api.register_o_auth_client(
+  headers: {"cookie" => session_cookie},
+  body: {
+    client_name: "Example Client",
+    redirect_uris: ["https://client.example.com/callback"],
+    token_endpoint_auth_method: "client_secret_post",
+    grant_types: ["authorization_code", "refresh_token"],
+    response_types: ["code"],
+    scope: "openid profile offline_access"
+  }
+)
+```
+
+## Authorization Code Token Exchange
+
+Authorization code clients use S256 PKCE by default.
+
+```ruby
+tokens = auth.api.o_auth2_token(
+  body: {
+    grant_type: "authorization_code",
+    code: params[:code],
+    redirect_uri: "https://client.example.com/callback",
+    client_id: client[:client_id],
+    client_secret: client[:client_secret],
+    code_verifier: verifier
+  }
+)
+```
+
+When `resource` is present and valid, access tokens are JWTs. Without `resource`, access tokens are opaque and introspectable.
+
+## Routes
+
+| Method | Path | Ruby API method |
+| --- | --- | --- |
+| `GET` | `/.well-known/oauth-authorization-server` | `auth.api.get_o_auth_server_config` |
+| `GET` | `/.well-known/openid-configuration` | `auth.api.get_open_id_config` |
+| `POST` | `/oauth2/register` | `auth.api.register_o_auth_client` |
+| `POST` | `/oauth2/create-client` | `auth.api.create_o_auth_client` |
+| `POST` | `/admin/oauth2/create-client` | `auth.api.admin_create_o_auth_client` |
+| `PATCH` | `/admin/oauth2/update-client` | `auth.api.admin_update_o_auth_client` |
+| `GET` | `/oauth2/get-client?client_id=...` | `auth.api.get_o_auth_client` |
+| `GET` | `/oauth2/get-clients` | `auth.api.get_o_auth_clients` |
+| `POST` | `/oauth2/update-client` | `auth.api.update_o_auth_client` |
+| `POST` | `/oauth2/delete-client` | `auth.api.delete_o_auth_client` |
+| `GET` | `/oauth2/public-client?client_id=...` | `auth.api.get_o_auth_client_public` |
+| `POST` | `/oauth2/public-client-prelogin` | `auth.api.get_o_auth_client_public_prelogin` |
+| `POST` | `/oauth2/client/rotate-secret` | `auth.api.rotate_o_auth_client_secret` |
+| `GET` | `/oauth2/authorize` | `auth.api.o_auth2_authorize` |
+| `POST` | `/oauth2/continue` | `auth.api.o_auth2_continue` |
+| `POST` | `/oauth2/consent` | `auth.api.o_auth2_consent` |
+| `GET` | `/oauth2/get-consent?id=...` | `auth.api.get_o_auth_consent` |
+| `GET` | `/oauth2/get-consents` | `auth.api.get_o_auth_consents` |
+| `POST` | `/oauth2/update-consent` | `auth.api.update_o_auth_consent` |
+| `POST` | `/oauth2/delete-consent` | `auth.api.delete_o_auth_consent` |
+| `POST` | `/oauth2/token` | `auth.api.o_auth2_token` |
+| `POST` | `/oauth2/introspect` | `auth.api.o_auth2_introspect` |
+| `POST` | `/oauth2/revoke` | `auth.api.o_auth2_revoke` |
+| `GET` | `/oauth2/userinfo` | `auth.api.o_auth2_user_info` |
+| `GET`, `POST` | `/oauth2/end-session` | `auth.api.o_auth2_end_session` |
+
+Deprecated aliases remain for one minor release: `GET /oauth2/client/:id` -> `/oauth2/get-client`, `GET /oauth2/clients` -> `/oauth2/get-clients`, `PATCH /oauth2/client` -> `/oauth2/update-client`, `DELETE /oauth2/client` -> `/oauth2/delete-client`, `GET /oauth2/client` -> `/oauth2/public-client`, and `GET/PATCH/DELETE /oauth2/consent` plus `GET /oauth2/consents` -> the `get/update/delete/get-consents` consent routes.
+
+Admin client routes are server-only. They are available through `auth.api.*` and return `403` through the Rack handler.
+
+## Options
+
+Common options accepted by `BetterAuth::Plugins.oauth_provider`:
+
+- `login_page`
+- `consent_page`
+- `scopes`
+- `claims`
+- `grant_types`
+- `allow_dynamic_client_registration`
+- `allow_unauthenticated_client_registration`
+- `client_registration_default_scopes`
+- `client_registration_allowed_scopes`
+- `store_client_secret`
+- `prefix`
+- `refresh_token_expires_in`
+- `advertised_metadata`
+- `valid_audiences`
+- `custom_token_response_fields`
+- `custom_access_token_claims`
+- `custom_user_info_claims`
+- `pairwise_secret`
+- `signup`
+- `select_account`
+- `post_login`
+- `client_privileges`
+- `rate_limit`
+- `jwks_uri`
+- `disable_jwt_plugin`
+- `store`
+
+`rate_limit` accepts per-route overrides:
+
+```ruby
+rate_limit: {
+  token: {window: 60, max: 20},
+  authorize: {window: 60, max: 30},
+  introspect: {window: 60, max: 100},
+  revoke: {window: 60, max: 30},
+  register: {window: 60, max: 5},
+  userinfo: false
+}
+```
+
+Use `false` to disable a route-specific rule.
+
+## Schema Migration
+
+`oauthAccessToken` now uses the upstream canonical columns `token`, `expiresAt`, `scopes`, `clientId`, `sessionId`, `userId`, `referenceId`, and `refreshId`. Legacy `access_token`, `refresh_token`, `access_token_expires_at`, and `scope` columns should be copied forward then dropped. `oauthConsent#consent_given` is also removed; a consent row means consent was granted.
+
+For non-Rails SQL apps, run the equivalent of:
+
+```sql
+UPDATE better_auth_oauth_access_tokens
+SET token = COALESCE(token, access_token),
+    expires_at = COALESCE(expires_at, access_token_expires_at),
+    scopes = COALESCE(scopes, scope)
+WHERE token IS NULL OR scopes IS NULL;
+
+DELETE FROM better_auth_oauth_consents WHERE consent_given = false;
+```
+
+Then drop the legacy access-token and consent columns. Rails apps using `better_auth-rails` generate migrations from the active plugin schema, so regenerating after this change emits only the canonical columns.
+
+## Ruby Adaptations
+
+When the JWT plugin is registered, OIDC metadata advertises its configured `jwks.key_pair_config.alg`, defaulting to `EdDSA` like upstream. If `disable_jwt_plugin: true` is set, Ruby intentionally falls back to HS256 ID tokens signed with the Better Auth secret.
+
+Route OpenAPI metadata blocks from upstream TypeScript are intentionally not ported into this package. Use the Ruby `open_api` plugin for generated OpenAPI output.
+
+The upstream `@better-auth/oauth-provider/client`, React/Solid client plugins, dashboard UI, and browser helpers are not ported. Ruby apps call the JSON endpoints directly or wrap `auth.api.*`.
+
 OIDC provider remains a core `better_auth` plugin because upstream still exposes it from `better-auth/plugins`. OAuth provider is the newer standalone provider package.

data/lib/better_auth/oauth_provider/version.rb

@@ -2,6 +2,6 @@
 
 module BetterAuth
   module OAuthProvider
-    VERSION = "0.1.0"
+    VERSION = "0.3.0"
   end
 end