better_auth 0.4.0 → 0.6.0

data/lib/better_auth/plugins/jwt.rb

@@ -103,7 +103,25 @@ module BetterAuth
     end
 
     def get_jwks_endpoint(config, path)
-      Endpoint.new(path: path, method: "GET") do |ctx|
+      Endpoint.new(
+        path: path,
+        method: "GET",
+        metadata: {
+          openapi: {
+            operationId: "getJSONWebKeySet",
+            description: "Get the JSON Web Key Set",
+            responses: {
+              "200" => OpenAPI.json_response(
+                "JSON Web Key Set retrieved successfully",
+                OpenAPI.object_schema(
+                  {keys: {type: "array", description: "Array of public JSON Web Keys", items: {type: "object"}}},
+                  required: ["keys"]
+                )
+              )
+            }
+          }
+        }
+      ) do |ctx|
         raise APIError.new("NOT_FOUND") if config.dig(:jwks, :remote_url)
 
         create_jwk(ctx, config) if all_jwks(ctx, config).empty?
@@ -112,7 +130,22 @@ module BetterAuth
     end
 
     def get_token_endpoint(config)
-      Endpoint.new(path: "/token", method: "GET") do |ctx|
+      Endpoint.new(
+        path: "/token",
+        method: "GET",
+        metadata: {
+          openapi: {
+            operationId: "getJSONWebToken",
+            description: "Get a JWT token",
+            responses: {
+              "200" => OpenAPI.json_response(
+                "Success",
+                OpenAPI.object_schema({token: {type: "string"}}, required: ["token"])
+              )
+            }
+          }
+        }
+      ) do |ctx|
         session = Session.find_current(ctx)
         raise APIError.new("UNAUTHORIZED", message: BASE_ERROR_CODES["FAILED_TO_GET_SESSION"]) unless session
 
@@ -306,12 +339,12 @@ module BetterAuth
     def jwk_private_key_for_storage(ctx, private_key, config)
       return private_key if config.dig(:jwks, :disable_private_key_encryption)
 
-      Crypto.symmetric_encrypt(key: ctx.context.secret, data: private_key)
+      Crypto.symmetric_encrypt(key: ctx.context.secret_config, data: private_key)
     end
 
     def jwk_private_key_value(ctx, key, _config)
       value = key["privateKey"]
-      Crypto.symmetric_decrypt(key: ctx.context.secret, data: value) || value
+      Crypto.symmetric_decrypt(key: ctx.context.secret_config, data: value) || value
     end
 
     def jwt_payload_valid?(payload)

data/lib/better_auth/plugins/last_login_method.rb

@@ -74,8 +74,8 @@ module BetterAuth
       case path
       when "/sign-in/email", "/sign-up/email"
         "email"
-      when "/callback/:providerId"
-        fetch_value(ctx.params, "providerId")
+      when "/callback/:id"
+        fetch_value(ctx.params, "id") || fetch_value(ctx.params, "providerId")
       when "/oauth2/callback/:providerId"
         fetch_value(ctx.params, "providerId")
       else

data/lib/better_auth/plugins/magic_link.rb

@@ -28,7 +28,32 @@ module BetterAuth
     end
 
     def sign_in_magic_link_endpoint(config)
-      Endpoint.new(path: "/sign-in/magic-link", method: "POST") do |ctx|
+      Endpoint.new(
+        path: "/sign-in/magic-link",
+        method: "POST",
+        metadata: {
+          openapi: {
+            operationId: "signInMagicLink",
+            description: "Send a magic sign-in link",
+            requestBody: OpenAPI.json_request_body(
+              OpenAPI.object_schema(
+                {
+                  email: {type: "string", description: "The email address to sign in"},
+                  name: {type: ["string", "null"], description: "The user name to use when creating a new user"},
+                  callbackURL: {type: ["string", "null"]},
+                  errorCallbackURL: {type: ["string", "null"]},
+                  newUserCallbackURL: {type: ["string", "null"]},
+                  metadata: {type: ["object", "null"]}
+                },
+                required: ["email"]
+              )
+            ),
+            responses: {
+              "200" => OpenAPI.json_response("Magic link sent", OpenAPI.status_response_schema)
+            }
+          }
+        }
+      ) do |ctx|
         body = normalize_hash(ctx.body)
         email = body[:email].to_s.downcase
         raise APIError.new("BAD_REQUEST", message: BASE_ERROR_CODES["INVALID_EMAIL"]) unless Routes::EMAIL_PATTERN.match?(email)
@@ -51,7 +76,44 @@ module BetterAuth
     end
 
     def magic_link_verify_endpoint(config)
-      Endpoint.new(path: "/magic-link/verify", method: "GET") do |ctx|
+      Endpoint.new(
+        path: "/magic-link/verify",
+        method: "GET",
+        metadata: {
+          openapi: {
+            operationId: "magicLinkVerify",
+            description: "Verify a magic link token",
+            parameters: [
+              {
+                name: "token",
+                in: "query",
+                required: true,
+                schema: {type: "string"}
+              },
+              {
+                name: "callbackURL",
+                in: "query",
+                required: false,
+                schema: {type: "string"}
+              }
+            ],
+            responses: {
+              "200" => OpenAPI.json_response(
+                "Magic link verified",
+                OpenAPI.object_schema(
+                  {
+                    token: {type: "string"},
+                    user: {type: "object", "$ref": "#/components/schemas/User"},
+                    session: {type: "object", "$ref": "#/components/schemas/Session"}
+                  },
+                  required: ["token", "user", "session"]
+                )
+              ),
+              "302" => {description: "Redirects to callback URL when callbackURL is provided"}
+            }
+          }
+        }
+      ) do |ctx|
         query = normalize_hash(ctx.query)
         token = query[:token].to_s
         callback_url = query[:callback_url] || "/"
@@ -97,7 +159,8 @@ module BetterAuth
           user = ctx.context.internal_adapter.create_user(
             email: email,
             emailVerified: true,
-            name: name || ""
+            name: name || "",
+            context: ctx
           )
           new_user = true
           redirect_with_error.call("failed_to_create_user") unless user

data/lib/better_auth/plugins/mcp/authorization.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module MCP
+      module_function
+
+      def authorize(ctx, config)
+        set_cors_headers(ctx)
+        query = OAuthProtocol.stringify_keys(ctx.query)
+        session = Routes.current_session(ctx, allow_nil: true)
+        unless session
+          ctx.set_signed_cookie("oidc_login_prompt", JSON.generate(query), ctx.context.secret, max_age: 600, path: "/", same_site: "lax")
+          raise ctx.redirect(OAuthProtocol.redirect_uri_with_params(config[:login_page], query))
+        end
+
+        redirect_with_code(ctx, config, query, session)
+      end
+
+      def restore_login_prompt(ctx, config)
+        cookie = ctx.get_signed_cookie("oidc_login_prompt", ctx.context.secret)
+        return unless cookie
+
+        session = ctx.context.new_session
+        return unless session && session[:session] && ctx.response_headers["set-cookie"].to_s.include?(ctx.context.auth_cookies[:session_token].name)
+
+        query = parse_login_prompt(cookie)
+        return unless query
+
+        query["prompt"] = prompt_without_login(query["prompt"]) if query.key?("prompt")
+        ctx.set_cookie("oidc_login_prompt", "", path: "/", max_age: 0)
+        ctx.context.set_current_session(session) if ctx.context.respond_to?(:set_current_session)
+        [302, ctx.response_headers.merge("location" => authorization_redirect_uri(ctx, config, query, session)), [""]]
+      end
+
+      def redirect_with_code(ctx, config, query, session)
+        raise ctx.redirect(authorization_redirect_uri(ctx, config, query, session))
+      end
+
+      def authorization_redirect_uri(ctx, config, query, session)
+        query = OAuthProtocol.stringify_keys(query)
+        prompts = OAuthProtocol.parse_scopes(query["prompt"])
+        raise ctx.redirect("#{ctx.context.base_url}/error?error=invalid_client") if query["client_id"].to_s.empty?
+        unless query["response_type"]
+          raise ctx.redirect(OAuthProtocol.redirect_uri_with_params(ctx.context.base_url + "/error", error: "invalid_request", error_description: "response_type is required"))
+        end
+
+        client = OAuthProtocol.find_client(ctx, "oauthClient", query["client_id"])
+        raise ctx.redirect("#{ctx.context.base_url}/error?error=invalid_client") unless client
+        OAuthProtocol.validate_redirect_uri!(client, query["redirect_uri"])
+        client_data = OAuthProtocol.stringify_keys(client)
+        raise ctx.redirect("#{ctx.context.base_url}/error?error=client_disabled") if client_data["disabled"]
+        raise ctx.redirect("#{ctx.context.base_url}/error?error=unsupported_response_type") unless query["response_type"] == "code"
+
+        scopes = OAuthProtocol.parse_scopes(query["scope"] || "openid")
+        allowed_scopes = OAuthProtocol.parse_scopes(client_data["scopes"])
+        allowed_scopes = OAuthProtocol.parse_scopes(config[:scopes]) if allowed_scopes.empty?
+        invalid_scopes = scopes.reject { |scope| config[:scopes].include?(scope) && allowed_scopes.include?(scope) }
+        unless invalid_scopes.empty?
+          raise ctx.redirect(OAuthProtocol.redirect_uri_with_params(query["redirect_uri"], error: "invalid_scope", error_description: "The following scopes are invalid: #{invalid_scopes.join(", ")}", state: query["state"]))
+        end
+
+        pkce_error = OAuthProtocol.validate_authorize_pkce(client_data, scopes, query["code_challenge"], query["code_challenge_method"])
+        if pkce_error
+          description = (pkce_error == "PKCE is required") ? "pkce is required" : pkce_error
+          raise ctx.redirect(OAuthProtocol.redirect_uri_with_params(query["redirect_uri"], error: "invalid_request", error_description: description, state: query["state"]))
+        end
+
+        if prompts.include?("consent")
+          consent_code = Crypto.random_string(32)
+          config[:store][:consents][consent_code] = {
+            query: query,
+            session: session,
+            client: client,
+            scopes: scopes,
+            expires_at: Time.now + config[:code_expires_in].to_i
+          }
+          raise ctx.redirect(OAuthProtocol.redirect_uri_with_params(config[:consent_page], consent_code: consent_code, client_id: client_data["clientId"], scope: OAuthProtocol.scope_string(scopes)))
+        end
+
+        code = Crypto.random_string(32)
+        OAuthProtocol.store_code(
+          config[:store],
+          code: code,
+          client_id: query["client_id"],
+          redirect_uri: query["redirect_uri"],
+          session: session,
+          scopes: scopes,
+          code_challenge: query["code_challenge"],
+          code_challenge_method: query["code_challenge_method"],
+          nonce: query["nonce"],
+          reference_id: client_data["referenceId"]
+        )
+        OAuthProtocol.redirect_uri_with_params(query["redirect_uri"], code: code, state: query["state"], iss: validate_issuer_url(OAuthProtocol.issuer(ctx)))
+      end
+
+      def prompt_without_login(value)
+        prompts = OAuthProtocol.parse_scopes(value)
+        prompts.delete("login")
+        OAuthProtocol.scope_string(prompts)
+      end
+
+      def parse_login_prompt(value)
+        parsed = JSON.parse(value.to_s)
+        parsed.is_a?(Hash) ? parsed : nil
+      rescue JSON::ParserError
+        nil
+      end
+    end
+  end
+end

data/lib/better_auth/plugins/mcp/config.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module MCP
+      DEFAULT_SCOPES = %w[openid profile email offline_access].freeze
+      DEFAULT_GRANT_TYPES = [OAuthProtocol::AUTH_CODE_GRANT, OAuthProtocol::REFRESH_GRANT, OAuthProtocol::CLIENT_CREDENTIALS_GRANT].freeze
+
+      module_function
+
+      def normalize_config(options)
+        incoming = BetterAuth::Plugins.normalize_hash(options || {})
+        oidc = BetterAuth::Plugins.normalize_hash(incoming[:oidc_config] || {})
+        base = {
+          login_page: "/login",
+          consent_page: "/oauth2/consent",
+          resource: nil,
+          scopes: DEFAULT_SCOPES,
+          grant_types: DEFAULT_GRANT_TYPES,
+          allow_dynamic_client_registration: true,
+          allow_unauthenticated_client_registration: true,
+          require_pkce: true,
+          code_expires_in: 600,
+          access_token_expires_in: 3600,
+          refresh_token_expires_in: 604_800,
+          m2m_access_token_expires_in: 3600,
+          store_client_secret: "plain",
+          prefix: {},
+          store: OAuthProtocol.stores
+        }
+        config = base.merge(oidc.except(:metadata)).merge(incoming)
+        config[:oidc_config] = oidc
+        config[:scopes] = (Array(base[:scopes]) + Array(oidc[:scopes]) + Array(incoming[:scopes])).compact.map(&:to_s).uniq
+        config[:grant_types] = Array(config[:grant_types]).map(&:to_s)
+        config[:prefix] = BetterAuth::Plugins.normalize_hash(config[:prefix] || {})
+        config
+      end
+
+      def set_cors_headers(ctx)
+        ctx.set_header("Access-Control-Allow-Origin", "*")
+        ctx.set_header("Access-Control-Allow-Methods", "POST, OPTIONS")
+        ctx.set_header("Access-Control-Allow-Headers", "Content-Type, Authorization")
+        ctx.set_header("Access-Control-Max-Age", "86400")
+      end
+
+      def no_store_headers
+        {"Cache-Control" => "no-store", "Pragma" => "no-cache"}
+      end
+    end
+  end
+end

data/lib/better_auth/plugins/mcp/consent.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module MCP
+      module_function
+
+      def consent(ctx, config)
+        current_session = Routes.current_session(ctx)
+        body = OAuthProtocol.stringify_keys(ctx.body)
+        pending = config[:store][:consents].delete(body["consent_code"].to_s)
+        raise APIError.new("BAD_REQUEST", message: "invalid consent_code") unless pending
+        raise APIError.new("BAD_REQUEST", message: "expired consent_code") if pending[:expires_at] <= Time.now
+
+        query = pending[:query]
+        if body["accept"] == false || body["accept"].to_s == "false"
+          return {redirectURI: OAuthProtocol.redirect_uri_with_params(query["redirect_uri"], error: "access_denied", state: query["state"], iss: validate_issuer_url(OAuthProtocol.issuer(ctx)))}
+        end
+
+        granted_scopes = OAuthProtocol.parse_scopes(body["scope"] || body["scopes"])
+        granted_scopes = pending[:scopes] if granted_scopes.empty?
+        unless granted_scopes.all? { |scope| pending[:scopes].include?(scope) }
+          raise APIError.new("BAD_REQUEST", message: "invalid_scope")
+        end
+        pending[:session] = current_session if current_session
+        query = query.merge("scope" => OAuthProtocol.scope_string(granted_scopes)).except("prompt")
+        {redirectURI: authorization_redirect_uri(ctx, config, query, pending[:session])}
+      end
+    end
+  end
+end

data/lib/better_auth/plugins/mcp/legacy_aliases.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module MCP
+      module_function
+
+      def legacy_register_endpoint(config)
+        Endpoint.new(path: "/mcp/register", method: "POST") do |ctx|
+          ctx.json(register_client(ctx, config), status: 201, headers: no_store_headers)
+        end
+      end
+
+      def legacy_authorize_endpoint(config)
+        Endpoint.new(path: "/mcp/authorize", method: "GET") do |ctx|
+          authorize(ctx, config)
+        end
+      end
+
+      def legacy_token_endpoint(config)
+        Endpoint.new(path: "/mcp/token", method: "POST", metadata: {allowed_media_types: ["application/x-www-form-urlencoded", "application/json"]}) do |ctx|
+          ctx.json(token(ctx, config), headers: no_store_headers)
+        end
+      end
+
+      def legacy_userinfo_endpoint(config)
+        Endpoint.new(path: "/mcp/userinfo", method: "GET") do |ctx|
+          ctx.json(userinfo(ctx, config))
+        end
+      end
+
+      def legacy_jwks_endpoint(config)
+        Endpoint.new(path: "/mcp/jwks", method: "GET") do |ctx|
+          ctx.json(jwks(ctx, config))
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/plugins/mcp/metadata.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+require "uri"
+
+module BetterAuth
+  module Plugins
+    module MCP
+      module_function
+
+      def validate_issuer_url(value)
+        uri = URI.parse(value.to_s)
+        uri.query = nil
+        uri.fragment = nil
+        if uri.scheme == "http" && !["localhost", "127.0.0.1", "::1"].include?(uri.hostname || uri.host)
+          uri.scheme = "https"
+        end
+        uri.to_s.sub(%r{/+\z}, "")
+      rescue URI::InvalidURIError
+        value.to_s.split(/[?#]/).first.sub(%r{/+\z}, "")
+      end
+
+      def oauth_metadata(ctx, config)
+        base = OAuthProtocol.endpoint_base(ctx)
+        {
+          issuer: validate_issuer_url(OAuthProtocol.issuer(ctx)),
+          authorization_endpoint: "#{base}/oauth2/authorize",
+          token_endpoint: "#{base}/oauth2/token",
+          userinfo_endpoint: "#{base}/oauth2/userinfo",
+          registration_endpoint: "#{base}/oauth2/register",
+          introspection_endpoint: "#{base}/oauth2/introspect",
+          revocation_endpoint: "#{base}/oauth2/revoke",
+          jwks_uri: mcp_jwks_uri(ctx, config),
+          scopes_supported: config[:scopes],
+          response_types_supported: ["code"],
+          response_modes_supported: ["query"],
+          grant_types_supported: config[:grant_types],
+          subject_types_supported: ["public"],
+          id_token_signing_alg_values_supported: mcp_signing_algs(ctx, config),
+          token_endpoint_auth_methods_supported: ["none", "client_secret_basic", "client_secret_post"],
+          introspection_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+          revocation_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+          code_challenge_methods_supported: ["S256"],
+          authorization_response_iss_parameter_supported: true,
+          claims_supported: %w[sub iss aud exp iat sid scope azp email email_verified name picture family_name given_name]
+        }.merge(BetterAuth::Plugins.normalize_hash(config.dig(:oidc_config, :metadata) || {}))
+      end
+
+      def protected_resource_metadata(ctx, config)
+        base = OAuthProtocol.endpoint_base(ctx)
+        origin = OAuthProtocol.origin_for(base)
+        {
+          resource: config[:resource] || origin,
+          authorization_servers: [origin],
+          jwks_uri: mcp_jwks_uri(ctx, config),
+          scopes_supported: config[:scopes],
+          bearer_methods_supported: ["header"],
+          resource_signing_alg_values_supported: mcp_signing_algs(ctx, config)
+        }
+      end
+
+      def mcp_jwks_uri(ctx, config)
+        config.dig(:oidc_config, :metadata, :jwks_uri) ||
+          config.dig(:advertised_metadata, :jwks_uri) ||
+          "#{OAuthProtocol.endpoint_base(ctx)}/oauth2/jwks"
+      end
+
+      def mcp_signing_algs(ctx, config)
+        jwt_plugin = ctx.context.options.plugins.find { |plugin| plugin.id == "jwt" }
+        alg = config.dig(:jwt, :jwks, :key_pair_config, :alg) ||
+          jwt_plugin&.options&.dig(:jwks, :key_pair_config, :alg)
+        [alg || "EdDSA"]
+      end
+
+      def jwks(ctx, config)
+        jwt_config = config[:jwt] || {}
+        BetterAuth::Plugins.create_jwk(ctx, jwt_config) if BetterAuth::Plugins.all_jwks(ctx, jwt_config).empty?
+        {keys: BetterAuth::Plugins.public_jwks(ctx, jwt_config).map { |key| BetterAuth::Plugins.public_jwk(key, jwt_config) }}
+      end
+    end
+  end
+end

data/lib/better_auth/plugins/mcp/registration.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module MCP
+      module_function
+
+      def register_client(ctx, config)
+        set_cors_headers(ctx)
+        body = OAuthProtocol.stringify_keys(ctx.body)
+        body["token_endpoint_auth_method"] ||= "none"
+        body["grant_types"] ||= [OAuthProtocol::AUTH_CODE_GRANT, OAuthProtocol::REFRESH_GRANT]
+        body["response_types"] ||= ["code"]
+        body["require_pkce"] = true unless body.key?("require_pkce") || body.key?("requirePKCE")
+
+        OAuthProtocol.create_client(
+          ctx,
+          model: "oauthClient",
+          body: body,
+          default_auth_method: "none",
+          store_client_secret: config[:store_client_secret],
+          default_scopes: config[:scopes],
+          allowed_scopes: config[:scopes],
+          prefix: config[:prefix],
+          dynamic_registration: true,
+          strip_client_metadata: true
+        )
+      end
+    end
+  end
+end

data/lib/better_auth/plugins/mcp/resource_handler.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module MCP
+      module ResourceHandler
+        module_function
+
+        def with_mcp_auth(app, resource_metadata_url:, auth: nil, resource_metadata_mappings: {})
+          lambda do |env|
+            authorization = env["HTTP_AUTHORIZATION"].to_s
+            return unauthorized(resource_metadata_url) unless authorization.start_with?("Bearer ")
+
+            session = auth&.api&.get_mcp_session(headers: {"authorization" => authorization})
+            return unauthorized(resource_metadata_url) unless session
+
+            env["better_auth.mcp_session"] = session
+            app.call(env)
+          rescue APIError
+            unauthorized(resource_metadata_url)
+          end
+        end
+
+        def unauthorized(resource_metadata_url)
+          [
+            401,
+            {
+              "www-authenticate" => %(Bearer resource_metadata="#{resource_metadata_url}"),
+              "access-control-expose-headers" => "WWW-Authenticate"
+            },
+            ["unauthorized"]
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/better_auth/plugins/mcp/schema.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module BetterAuth
+  module Plugins
+    module MCP
+      module_function
+
+      def schema
+        {
+          oauthClient: {
+            modelName: "oauthClient",
+            fields: {
+              clientId: {type: "string", unique: true, required: true},
+              clientSecret: {type: "string", required: false},
+              disabled: {type: "boolean", default_value: false, required: false},
+              skipConsent: {type: "boolean", required: false},
+              enableEndSession: {type: "boolean", required: false},
+              clientSecretExpiresAt: {type: "number", required: false},
+              scopes: {type: "string[]", required: false},
+              userId: {type: "string", required: false},
+              createdAt: {type: "date", required: true, default_value: -> { Time.now }},
+              updatedAt: {type: "date", required: true, default_value: -> { Time.now }, on_update: -> { Time.now }},
+              name: {type: "string", required: false},
+              uri: {type: "string", required: false},
+              icon: {type: "string", required: false},
+              contacts: {type: "string[]", required: false},
+              tos: {type: "string", required: false},
+              policy: {type: "string", required: false},
+              softwareId: {type: "string", required: false},
+              softwareVersion: {type: "string", required: false},
+              softwareStatement: {type: "string", required: false},
+              redirectUris: {type: "string[]", required: true},
+              postLogoutRedirectUris: {type: "string[]", required: false},
+              tokenEndpointAuthMethod: {type: "string", required: false},
+              grantTypes: {type: "string[]", required: false},
+              responseTypes: {type: "string[]", required: false},
+              public: {type: "boolean", required: false},
+              type: {type: "string", required: false},
+              requirePKCE: {type: "boolean", required: false},
+              subjectType: {type: "string", required: false},
+              referenceId: {type: "string", required: false},
+              metadata: {type: "json", required: false}
+            }
+          },
+          oauthRefreshToken: {
+            fields: {
+              token: {type: "string", required: true},
+              clientId: {type: "string", required: true},
+              sessionId: {type: "string", required: false},
+              userId: {type: "string", required: false},
+              referenceId: {type: "string", required: false},
+              authTime: {type: "date", required: false},
+              expiresAt: {type: "date", required: false},
+              createdAt: {type: "date", required: true, default_value: -> { Time.now }},
+              revoked: {type: "date", required: false},
+              scopes: {type: "string[]", required: true}
+            }
+          },
+          oauthAccessToken: {
+            modelName: "oauthAccessToken",
+            fields: {
+              token: {type: "string", unique: true, required: true},
+              expiresAt: {type: "date", required: true},
+              clientId: {type: "string", required: true},
+              userId: {type: "string", required: false},
+              sessionId: {type: "string", required: false},
+              scopes: {type: "string[]", required: true},
+              revoked: {type: "date", required: false},
+              referenceId: {type: "string", required: false},
+              authTime: {type: "date", required: false},
+              refreshId: {type: "string", required: false},
+              createdAt: {type: "date", required: true, default_value: -> { Time.now }},
+              updatedAt: {type: "date", required: true, default_value: -> { Time.now }, on_update: -> { Time.now }}
+            }
+          },
+          oauthConsent: {
+            modelName: "oauthConsent",
+            fields: {
+              clientId: {type: "string", required: true},
+              userId: {type: "string", required: false},
+              referenceId: {type: "string", required: false},
+              scopes: {type: "string[]", required: true},
+              createdAt: {type: "date", required: true, default_value: -> { Time.now }},
+              updatedAt: {type: "date", required: true, default_value: -> { Time.now }, on_update: -> { Time.now }}
+            }
+          }
+        }
+      end
+    end
+  end
+end