better_auth 0.3.0 → 0.5.0

data/lib/better_auth/plugins/generic_oauth.rb

@@ -52,19 +52,7 @@ module BetterAuth
         data,
         provider_id: "auth0",
         discovery_url: "https://#{domain}/.well-known/openid-configuration",
-        scopes: ["openid", "profile", "email"],
-        get_user_info: ->(tokens) {
-          profile = generic_oauth_fetch_json("https://#{domain}/userinfo", authorization: "Bearer #{fetch_value(tokens, "accessToken")}")
-          return nil unless profile
-
-          {
-            id: fetch_value(profile, "sub"),
-            name: fetch_value(profile, "name") || fetch_value(profile, "nickname"),
-            email: fetch_value(profile, "email"),
-            image: fetch_value(profile, "picture"),
-            emailVerified: fetch_value(profile, "email_verified") || false
-          }
-        }
+        scopes: ["openid", "profile", "email"]
       )
     end
 
@@ -225,7 +213,19 @@ module BetterAuth
     end
 
     def sign_in_with_oauth2_endpoint(config)
-      Endpoint.new(path: "/sign-in/oauth2", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/sign-in/oauth2",
+        method: "POST",
+        metadata: {
+          openapi: {
+            operationId: "signInOAuth2",
+            description: "Sign in with OAuth2",
+            responses: {
+              "200" => OpenAPI.json_response("Sign in with OAuth2", generic_oauth_url_response_schema)
+            }
+          }
+        }
+      ) do |ctx|
         body = normalize_hash(ctx.body)
         provider_id = body[:provider_id].to_s
         provider = generic_oauth_provider!(config, provider_id)
@@ -235,7 +235,19 @@ module BetterAuth
     end
 
     def o_auth2_link_account_endpoint(config)
-      Endpoint.new(path: "/oauth2/link", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/oauth2/link",
+        method: "POST",
+        metadata: {
+          openapi: {
+            operationId: "linkOAuth2",
+            description: "Link an OAuth2 account to the current user session",
+            responses: {
+              "200" => OpenAPI.json_response("Authorization URL generated successfully for linking an OAuth2 account", generic_oauth_url_response_schema)
+            }
+          }
+        }
+      ) do |ctx|
         session = Routes.current_session(ctx)
         body = normalize_hash(ctx.body)
         provider_id = body[:provider_id].to_s
@@ -255,8 +267,20 @@ module BetterAuth
     def o_auth2_callback_endpoint(config)
       Endpoint.new(
         path: "/oauth2/callback/:providerId",
-        method: ["GET", "POST"],
-        metadata: {allowed_media_types: ["application/x-www-form-urlencoded", "application/json"]}
+        method: "GET",
+        metadata: {
+          allowed_media_types: ["application/x-www-form-urlencoded", "application/json"],
+          openapi: {
+            operationId: "oauth2Callback",
+            description: "OAuth2 callback",
+            responses: {
+              "200" => OpenAPI.json_response(
+                "OAuth2 callback",
+                OpenAPI.object_schema({url: {type: "string"}}, required: ["url"])
+              )
+            }
+          }
+        }
       ) do |ctx|
         query = normalize_hash(ctx.query)
         provider_id = (fetch_value(ctx.params, "providerId") || query[:provider_id]).to_s
@@ -318,6 +342,16 @@ module BetterAuth
       end
     end
 
+    def generic_oauth_url_response_schema
+      OpenAPI.object_schema(
+        {
+          url: {type: "string"},
+          redirect: {type: "boolean"}
+        },
+        required: ["url", "redirect"]
+      )
+    end
+
     def generic_oauth_authorization_url(ctx, provider, body, link:)
       authorization_url = provider[:authorization_url] || generic_oauth_discovery(provider)["authorization_endpoint"]
       token_url = provider[:token_url] || generic_oauth_discovery(provider)["token_endpoint"]
@@ -380,7 +414,7 @@ module BetterAuth
       state = Crypto.random_string(32)
       if strategy.to_s == "cookie"
         cookie = ctx.context.create_auth_cookie("oauth_state", max_age: 600)
-        encrypted = Crypto.symmetric_encrypt(key: ctx.context.secret, data: JSON.generate(state_data.merge("state" => state)))
+        encrypted = Crypto.symmetric_encrypt(key: ctx.context.secret_config, data: JSON.generate(state_data.merge("state" => state)))
         ctx.set_cookie(cookie.name, encrypted, cookie.attributes)
         return state
       end
@@ -428,7 +462,7 @@ module BetterAuth
         end
 
         begin
-          decrypted = Crypto.symmetric_decrypt(key: ctx.context.secret, data: encrypted)
+          decrypted = Crypto.symmetric_decrypt(key: ctx.context.secret_config, data: encrypted)
           unless decrypted
             Cookies.expire_cookie(ctx, cookie)
             raise ctx.redirect(generic_oauth_error_url(generic_oauth_state_error_url(ctx), "please_restart_the_process"))
@@ -537,7 +571,7 @@ module BetterAuth
       return token if token.to_s.empty?
       return token unless ctx.context.options.account[:encrypt_oauth_tokens]
 
-      Crypto.symmetric_encrypt(key: ctx.context.secret, data: token)
+      Crypto.symmetric_encrypt(key: ctx.context.secret_config, data: token)
     end
 
     def generic_oauth_set_account_cookie(ctx, provider_id, account_id, user_id)
@@ -688,24 +722,12 @@ module BetterAuth
       nil
     end
 
-    def generic_oidc_helper_provider(options, provider_id, issuer, discovery_url, user_info_url)
+    def generic_oidc_helper_provider(options, provider_id, issuer, discovery_url, _user_info_url)
       generic_oauth_provider_config(
         options,
         provider_id: provider_id,
         discovery_url: discovery_url,
-        scopes: ["openid", "profile", "email"],
-        get_user_info: ->(tokens) {
-          profile = generic_oauth_fetch_json(user_info_url, authorization: "Bearer #{fetch_value(tokens, "accessToken")}")
-          return nil unless profile
-
-          {
-            id: fetch_value(profile, "sub"),
-            name: fetch_value(profile, "name") || fetch_value(profile, "preferred_username"),
-            email: fetch_value(profile, "email"),
-            image: fetch_value(profile, "picture"),
-            emailVerified: fetch_value(profile, "email_verified") || false
-          }
-        }
+        scopes: ["openid", "profile", "email"]
       )
     end
 
@@ -730,12 +752,22 @@ module BetterAuth
         result[provider_id.to_sym] = {
           id: provider_id,
           name: provider_id,
-          get_user_info: ->(tokens) { generic_oauth_user_info(provider, tokens) },
+          get_user_info: ->(tokens) { generic_oauth_provider_user_info(provider, tokens) },
           refresh_access_token: ->(refresh_token) { generic_oauth_refresh_access_token(context, provider, refresh_token) }
         }
       end
     end
 
+    def generic_oauth_provider_user_info(provider, tokens)
+      user_info = generic_oauth_user_info(provider, tokens)
+      return nil unless user_info
+
+      {
+        user: generic_oauth_map_user(provider, user_info),
+        data: user_info
+      }
+    end
+
     def generic_oauth_refresh_access_token(ctx, provider, refresh_token)
       token_url = provider[:token_url] || generic_oauth_discovery(provider)["token_endpoint"]
       raise APIError.new("BAD_REQUEST", message: GENERIC_OAUTH_ERROR_CODES["TOKEN_URL_NOT_FOUND"]) if token_url.to_s.empty?

data/lib/better_auth/plugins/jwt.rb

@@ -103,7 +103,25 @@ module BetterAuth
     end
 
     def get_jwks_endpoint(config, path)
-      Endpoint.new(path: path, method: "GET") do |ctx|
+      Endpoint.new(
+        path: path,
+        method: "GET",
+        metadata: {
+          openapi: {
+            operationId: "getJSONWebKeySet",
+            description: "Get the JSON Web Key Set",
+            responses: {
+              "200" => OpenAPI.json_response(
+                "JSON Web Key Set retrieved successfully",
+                OpenAPI.object_schema(
+                  {keys: {type: "array", description: "Array of public JSON Web Keys", items: {type: "object"}}},
+                  required: ["keys"]
+                )
+              )
+            }
+          }
+        }
+      ) do |ctx|
         raise APIError.new("NOT_FOUND") if config.dig(:jwks, :remote_url)
 
         create_jwk(ctx, config) if all_jwks(ctx, config).empty?
@@ -112,7 +130,22 @@ module BetterAuth
     end
 
     def get_token_endpoint(config)
-      Endpoint.new(path: "/token", method: "GET") do |ctx|
+      Endpoint.new(
+        path: "/token",
+        method: "GET",
+        metadata: {
+          openapi: {
+            operationId: "getJSONWebToken",
+            description: "Get a JWT token",
+            responses: {
+              "200" => OpenAPI.json_response(
+                "Success",
+                OpenAPI.object_schema({token: {type: "string"}}, required: ["token"])
+              )
+            }
+          }
+        }
+      ) do |ctx|
         session = Session.find_current(ctx)
         raise APIError.new("UNAUTHORIZED", message: BASE_ERROR_CODES["FAILED_TO_GET_SESSION"]) unless session
 
@@ -306,12 +339,12 @@ module BetterAuth
     def jwk_private_key_for_storage(ctx, private_key, config)
       return private_key if config.dig(:jwks, :disable_private_key_encryption)
 
-      Crypto.symmetric_encrypt(key: ctx.context.secret, data: private_key)
+      Crypto.symmetric_encrypt(key: ctx.context.secret_config, data: private_key)
     end
 
     def jwk_private_key_value(ctx, key, _config)
       value = key["privateKey"]
-      Crypto.symmetric_decrypt(key: ctx.context.secret, data: value) || value
+      Crypto.symmetric_decrypt(key: ctx.context.secret_config, data: value) || value
     end
 
     def jwt_payload_valid?(payload)

data/lib/better_auth/plugins/last_login_method.rb

@@ -74,8 +74,8 @@ module BetterAuth
       case path
       when "/sign-in/email", "/sign-up/email"
         "email"
-      when "/callback/:providerId"
-        fetch_value(ctx.params, "providerId")
+      when "/callback/:id"
+        fetch_value(ctx.params, "id") || fetch_value(ctx.params, "providerId")
       when "/oauth2/callback/:providerId"
         fetch_value(ctx.params, "providerId")
       else

data/lib/better_auth/plugins/magic_link.rb

@@ -28,7 +28,32 @@ module BetterAuth
     end
 
     def sign_in_magic_link_endpoint(config)
-      Endpoint.new(path: "/sign-in/magic-link", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/sign-in/magic-link",
+        method: "POST",
+        metadata: {
+          openapi: {
+            operationId: "signInMagicLink",
+            description: "Send a magic sign-in link",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  email: {type: "string", description: "The email address to sign in"},
+                  name: {type: ["string", "null"], description: "The user name to use when creating a new user"},
+                  callbackURL: {type: ["string", "null"]},
+                  errorCallbackURL: {type: ["string", "null"]},
+                  newUserCallbackURL: {type: ["string", "null"]},
+                  metadata: {type: ["object", "null"]}
+                },
+                required: ["email"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response("Magic link sent", OpenAPI.status_response_schema)
+            }
+          }
+        }
+      ) do |ctx|
         body = normalize_hash(ctx.body)
         email = body[:email].to_s.downcase
         raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_EMAIL"]) unless Routes::EMAIL_PATTERN.match?(email)
@@ -51,7 +76,44 @@ module BetterAuth
     end
 
     def magic_link_verify_endpoint(config)
-      Endpoint.new(path: "/magic-link/verify", method: "GET") do |ctx|
+      Endpoint.new(
+        path: "/magic-link/verify",
+        method: "GET",
+        metadata: {
+          openapi: {
+            operationId: "magicLinkVerify",
+            description: "Verify a magic link token",
+            parameters: [
+              {
+                name: "token",
+                in: "query",
+                required: true,
+                schema: {type: "string"}
+              },
+              {
+                name: "callbackURL",
+                in: "query",
+                required: false,
+                schema: {type: "string"}
+              }
+            ],
+            responses: {
+              "200" => OpenAPI.json_response(
+                "Magic link verified",
+                OpenAPI.object_schema(
+                  {
+                    token: {type: "string"},
+                    user: {type: "object", "$ref": "#/components/schemas/User"},
+                    session: {type: "object", "$ref": "#/components/schemas/Session"}
+                  },
+                  required: ["token", "user", "session"]
+                )
+              ),
+              "302" => {description: "Redirects to callback URL when callbackURL is provided"}
+            }
+          }
+        }
+      ) do |ctx|
         query = normalize_hash(ctx.query)
         token = query[:token].to_s
         callback_url = query[:callback_url] || "/"
@@ -97,7 +159,8 @@ module BetterAuth
           user = ctx.context.internal_adapter.create_user(
             email: email,
             emailVerified: true,
-            name: name || ""
+            name: name || "",
+            context: ctx
           )
           new_user = true
           redirect_with_error.call("failed_to_create_user") unless user

data/lib/better_auth/plugins/mcp/authorization.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module MCP
+      module_function
+
+      def authorize(ctx, config)
+        set_cors_headers(ctx)
+        query = OAuthProtocol.stringify_keys(ctx.query)
+        session = Routes.current_session(ctx, allow_nil: true)
+        unless session
+          ctx.set_signed_cookie("oidc_login_prompt", JSON.generate(query), ctx.context.secret, max_age: 600, path: "/", same_site: "lax")
+          raise ctx.redirect(OAuthProtocol.redirect_uri_with_params(config[:login_page], query))
+        end
+
+        redirect_with_code(ctx, config, query, session)
+      end
+
+      def restore_login_prompt(ctx, config)
+        cookie = ctx.get_signed_cookie("oidc_login_prompt", ctx.context.secret)
+        return unless cookie
+
+        session = ctx.context.new_session
+        return unless session && session[:session] && ctx.response_headers["set-cookie"].to_s.include?(ctx.context.auth_cookies[:session_token].name)
+
+        query = parse_login_prompt(cookie)
+        return unless query
+
+        query["prompt"] = prompt_without_login(query["prompt"]) if query.key?("prompt")
+        ctx.set_cookie("oidc_login_prompt", "", path: "/", max_age: 0)
+        ctx.context.set_current_session(session) if ctx.context.respond_to?(:set_current_session)
+        [302, ctx.response_headers.merge("location" => authorization_redirect_uri(ctx, config, query, session)), [""]]
+      end
+
+      def redirect_with_code(ctx, config, query, session)
+        raise ctx.redirect(authorization_redirect_uri(ctx, config, query, session))
+      end
+
+      def authorization_redirect_uri(ctx, config, query, session)
+        query = OAuthProtocol.stringify_keys(query)
+        prompts = OAuthProtocol.parse_scopes(query["prompt"])
+        raise ctx.redirect("#{ctx.context.base_url}/error?error=invalid_client") if query["client_id"].to_s.empty?
+        unless query["response_type"]
+          raise ctx.redirect(OAuthProtocol.redirect_uri_with_params(ctx.context.base_url + "/error", error: "invalid_request", error_description: "response_type is required"))
+        end
+
+        client = OAuthProtocol.find_client(ctx, "oauthClient", query["client_id"])
+        raise ctx.redirect("#{ctx.context.base_url}/error?error=invalid_client") unless client
+        OAuthProtocol.validate_redirect_uri!(client, query["redirect_uri"])
+        client_data = OAuthProtocol.stringify_keys(client)
+        raise ctx.redirect("#{ctx.context.base_url}/error?error=client_disabled") if client_data["disabled"]
+        raise ctx.redirect("#{ctx.context.base_url}/error?error=unsupported_response_type") unless query["response_type"] == "code"
+
+        scopes = OAuthProtocol.parse_scopes(query["scope"] || "openid")
+        allowed_scopes = OAuthProtocol.parse_scopes(client_data["scopes"])
+        allowed_scopes = OAuthProtocol.parse_scopes(config[:scopes]) if allowed_scopes.empty?
+        invalid_scopes = scopes.reject { |scope| config[:scopes].include?(scope) && allowed_scopes.include?(scope) }
+        unless invalid_scopes.empty?
+          raise ctx.redirect(OAuthProtocol.redirect_uri_with_params(query["redirect_uri"], error: "invalid_scope", error_description: "The following scopes are invalid: #{invalid_scopes.join(", ")}", state: query["state"]))
+        end
+
+        pkce_error = OAuthProtocol.validate_authorize_pkce(client_data, scopes, query["code_challenge"], query["code_challenge_method"])
+        if pkce_error
+          description = (pkce_error == "PKCE is required") ? "pkce is required" : pkce_error
+          raise ctx.redirect(OAuthProtocol.redirect_uri_with_params(query["redirect_uri"], error: "invalid_request", error_description: description, state: query["state"]))
+        end
+
+        if prompts.include?("consent")
+          consent_code = Crypto.random_string(32)
+          config[:store][:consents][consent_code] = {
+            query: query,
+            session: session,
+            client: client,
+            scopes: scopes,
+            expires_at: Time.now + config[:code_expires_in].to_i
+          }
+          raise ctx.redirect(OAuthProtocol.redirect_uri_with_params(config[:consent_page], consent_code: consent_code, client_id: client_data["clientId"], scope: OAuthProtocol.scope_string(scopes)))
+        end
+
+        code = Crypto.random_string(32)
+        OAuthProtocol.store_code(
+          config[:store],
+          code: code,
+          client_id: query["client_id"],
+          redirect_uri: query["redirect_uri"],
+          session: session,
+          scopes: scopes,
+          code_challenge: query["code_challenge"],
+          code_challenge_method: query["code_challenge_method"],
+          nonce: query["nonce"],
+          reference_id: client_data["referenceId"]
+        )
+        OAuthProtocol.redirect_uri_with_params(query["redirect_uri"], code: code, state: query["state"], iss: validate_issuer_url(OAuthProtocol.issuer(ctx)))
+      end
+
+      def prompt_without_login(value)
+        prompts = OAuthProtocol.parse_scopes(value)
+        prompts.delete("login")
+        OAuthProtocol.scope_string(prompts)
+      end
+
+      def parse_login_prompt(value)
+        parsed = JSON.parse(value.to_s)
+        parsed.is_a?(Hash) ? parsed : nil
+      rescue JSON::ParserError
+        nil
+      end
+    end
+  end
+end

data/lib/better_auth/plugins/mcp/config.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module MCP
+      DEFAULT_SCOPES = %w[openid profile email offline_access].freeze
+      DEFAULT_GRANT_TYPES = [OAuthProtocol::AUTH_CODE_GRANT, OAuthProtocol::REFRESH_GRANT, OAuthProtocol::CLIENT_CREDENTIALS_GRANT].freeze
+
+      module_function
+
+      def normalize_config(options)
+        incoming = BetterAuth::Plugins.normalize_hash(options || {})
+        oidc = BetterAuth::Plugins.normalize_hash(incoming[:oidc_config] || {})
+        base = {
+          login_page: "/login",
+          consent_page: "/oauth2/consent",
+          resource: nil,
+          scopes: DEFAULT_SCOPES,
+          grant_types: DEFAULT_GRANT_TYPES,
+          allow_dynamic_client_registration: true,
+          allow_unauthenticated_client_registration: true,
+          require_pkce: true,
+          code_expires_in: 600,
+          access_token_expires_in: 3600,
+          refresh_token_expires_in: 604_800,
+          m2m_access_token_expires_in: 3600,
+          store_client_secret: "plain",
+          prefix: {},
+          store: OAuthProtocol.stores
+        }
+        config = base.merge(oidc.except(:metadata)).merge(incoming)
+        config[:oidc_config] = oidc
+        config[:scopes] = (Array(base[:scopes]) + Array(oidc[:scopes]) + Array(incoming[:scopes])).compact.map(&:to_s).uniq
+        config[:grant_types] = Array(config[:grant_types]).map(&:to_s)
+        config[:prefix] = BetterAuth::Plugins.normalize_hash(config[:prefix] || {})
+        config
+      end
+
+      def set_cors_headers(ctx)
+        ctx.set_header("Access-Control-Allow-Origin", "*")
+        ctx.set_header("Access-Control-Allow-Methods", "POST, OPTIONS")
+        ctx.set_header("Access-Control-Allow-Headers", "Content-Type, Authorization")
+        ctx.set_header("Access-Control-Max-Age", "86400")
+      end
+
+      def no_store_headers
+        {"Cache-Control" => "no-store", "Pragma" => "no-cache"}
+      end
+    end
+  end
+end

data/lib/better_auth/plugins/mcp/consent.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module MCP
+      module_function
+
+      def consent(ctx, config)
+        current_session = Routes.current_session(ctx)
+        body = OAuthProtocol.stringify_keys(ctx.body)
+        pending = config[:store][:consents].delete(body["consent_code"].to_s)
+        raise APIError.new("BAD_REQUEST", message: "invalid consent_code") unless pending
+        raise APIError.new("BAD_REQUEST", message: "expired consent_code") if pending[:expires_at] <= Time.now
+
+        query = pending[:query]
+        if body["accept"] == false || body["accept"].to_s == "false"
+          return {redirectURI: OAuthProtocol.redirect_uri_with_params(query["redirect_uri"], error: "access_denied", state: query["state"], iss: validate_issuer_url(OAuthProtocol.issuer(ctx)))}
+        end
+
+        granted_scopes = OAuthProtocol.parse_scopes(body["scope"] || body["scopes"])
+        granted_scopes = pending[:scopes] if granted_scopes.empty?
+        unless granted_scopes.all? { |scope| pending[:scopes].include?(scope) }
+          raise APIError.new("BAD_REQUEST", message: "invalid_scope")
+        end
+        pending[:session] = current_session if current_session
+        query = query.merge("scope" => OAuthProtocol.scope_string(granted_scopes)).except("prompt")
+        {redirectURI: authorization_redirect_uri(ctx, config, query, pending[:session])}
+      end
+    end
+  end
+end

data/lib/better_auth/plugins/mcp/legacy_aliases.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module MCP
+      module_function
+
+      def legacy_register_endpoint(config)
+        Endpoint.new(path: "/mcp/register", method: "POST") do |ctx|
+          ctx.json(register_client(ctx, config), status: 201, headers: no_store_headers)
+        end
+      end
+
+      def legacy_authorize_endpoint(config)
+        Endpoint.new(path: "/mcp/authorize", method: "GET") do |ctx|
+          authorize(ctx, config)
+        end
+      end
+
+      def legacy_token_endpoint(config)
+        Endpoint.new(path: "/mcp/token", method: "POST", metadata: {allowed_media_types: ["application/x-www-form-urlencoded", "application/json"]}) do |ctx|
+          ctx.json(token(ctx, config), headers: no_store_headers)
+        end
+      end
+
+      def legacy_userinfo_endpoint(config)
+        Endpoint.new(path: "/mcp/userinfo", method: "GET") do |ctx|
+          ctx.json(userinfo(ctx, config))
+        end
+      end
+
+      def legacy_jwks_endpoint(config)
+        Endpoint.new(path: "/mcp/jwks", method: "GET") do |ctx|
+          ctx.json(jwks(ctx, config))
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/plugins/mcp/metadata.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+require "uri"
+
+module BetterAuth
+  module Plugins
+    module MCP
+      module_function
+
+      def validate_issuer_url(value)
+        uri = URI.parse(value.to_s)
+        uri.query = nil
+        uri.fragment = nil
+        if uri.scheme == "http" && !["localhost", "127.0.0.1", "::1"].include?(uri.hostname || uri.host)
+          uri.scheme = "https"
+        end
+        uri.to_s.sub(%r{/+\z}, "")
+      rescue URI::InvalidURIError
+        value.to_s.split(/[?#]/).first.sub(%r{/+\z}, "")
+      end
+
+      def oauth_metadata(ctx, config)
+        base = OAuthProtocol.endpoint_base(ctx)
+        {
+          issuer: validate_issuer_url(OAuthProtocol.issuer(ctx)),
+          authorization_endpoint: "#{base}/oauth2/authorize",
+          token_endpoint: "#{base}/oauth2/token",
+          userinfo_endpoint: "#{base}/oauth2/userinfo",
+          registration_endpoint: "#{base}/oauth2/register",
+          introspection_endpoint: "#{base}/oauth2/introspect",
+          revocation_endpoint: "#{base}/oauth2/revoke",
+          jwks_uri: mcp_jwks_uri(ctx, config),
+          scopes_supported: config[:scopes],
+          response_types_supported: ["code"],
+          response_modes_supported: ["query"],
+          grant_types_supported: config[:grant_types],
+          subject_types_supported: ["public"],
+          id_token_signing_alg_values_supported: mcp_signing_algs(ctx, config),
+          token_endpoint_auth_methods_supported: ["none", "client_secret_basic", "client_secret_post"],
+          introspection_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+          revocation_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+          code_challenge_methods_supported: ["S256"],
+          authorization_response_iss_parameter_supported: true,
+          claims_supported: %w[sub iss aud exp iat sid scope azp email email_verified name picture family_name given_name]
+        }.merge(BetterAuth::Plugins.normalize_hash(config.dig(:oidc_config, :metadata) || {}))
+      end
+
+      def protected_resource_metadata(ctx, config)
+        base = OAuthProtocol.endpoint_base(ctx)
+        origin = OAuthProtocol.origin_for(base)
+        {
+          resource: config[:resource] || origin,
+          authorization_servers: [origin],
+          jwks_uri: mcp_jwks_uri(ctx, config),
+          scopes_supported: config[:scopes],
+          bearer_methods_supported: ["header"],
+          resource_signing_alg_values_supported: mcp_signing_algs(ctx, config)
+        }
+      end
+
+      def mcp_jwks_uri(ctx, config)
+        config.dig(:oidc_config, :metadata, :jwks_uri) ||
+          config.dig(:advertised_metadata, :jwks_uri) ||
+          "#{OAuthProtocol.endpoint_base(ctx)}/oauth2/jwks"
+      end
+
+      def mcp_signing_algs(ctx, config)
+        jwt_plugin = ctx.context.options.plugins.find { |plugin| plugin.id == "jwt" }
+        alg = config.dig(:jwt, :jwks, :key_pair_config, :alg) ||
+          jwt_plugin&.options&.dig(:jwks, :key_pair_config, :alg)
+        [alg || "EdDSA"]
+      end
+
+      def jwks(ctx, config)
+        jwt_config = config[:jwt] || {}
+        BetterAuth::Plugins.create_jwk(ctx, jwt_config) if BetterAuth::Plugins.all_jwks(ctx, jwt_config).empty?
+        {keys: BetterAuth::Plugins.public_jwks(ctx, jwt_config).map { |key| BetterAuth::Plugins.public_jwk(key, jwt_config) }}
+      end
+    end
+  end
+end