@better-auth/core 1.5.0-beta.2 → 1.5.0-beta.20

package/dist/social-providers/linear.d.mts

@@ -0,0 +1,71 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/linear.d.ts
+interface LinearUser {
+  id: string;
+  name: string;
+  email: string;
+  avatarUrl?: string | undefined;
+  active: boolean;
+  createdAt: string;
+  updatedAt: string;
+}
+interface LinearProfile {
+  data: {
+    viewer: LinearUser;
+  };
+}
+interface LinearOptions extends ProviderOptions<LinearUser> {
+  clientId: string;
+}
+declare const linear: (options: LinearOptions) => {
+  id: "linear";
+  name: string;
+  createAuthorizationURL({
+    state,
+    scopes,
+    loginHint,
+    redirectURI
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }): Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  options: LinearOptions;
+};
+//#endregion
+export { LinearOptions, LinearProfile, LinearUser, linear };
+//# sourceMappingURL=linear.d.mts.map

package/dist/social-providers/linear.mjs

@@ -0,0 +1,89 @@
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/social-providers/linear.ts
+const linear = (options) => {
+	const tokenEndpoint = "https://api.linear.app/oauth/token";
+	return {
+		id: "linear",
+		name: "Linear",
+		createAuthorizationURL({ state, scopes, loginHint, redirectURI }) {
+			const _scopes = options.disableDefaultScope ? [] : ["read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return createAuthorizationURL({
+				id: "linear",
+				options,
+				authorizationEndpoint: "https://linear.app/oauth/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				loginHint
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://api.linear.app/graphql", {
+				method: "POST",
+				headers: {
+					"Content-Type": "application/json",
+					Authorization: `Bearer ${token.accessToken}`
+				},
+				body: JSON.stringify({ query: `
+							query {
+								viewer {
+									id
+									name
+									email
+									avatarUrl
+									active
+									createdAt
+									updatedAt
+								}
+							}
+						` })
+			});
+			if (error || !profile?.data?.viewer) return null;
+			const userData = profile.data.viewer;
+			const userMap = await options.mapProfileToUser?.(userData);
+			return {
+				user: {
+					id: profile.data.viewer.id,
+					name: profile.data.viewer.name,
+					email: profile.data.viewer.email,
+					image: profile.data.viewer.avatarUrl,
+					emailVerified: false,
+					...userMap
+				},
+				data: userData
+			};
+		},
+		options
+	};
+};
+
+//#endregion
+export { linear };
+//# sourceMappingURL=linear.mjs.map

package/dist/social-providers/linear.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"linear.mjs","names":[],"sources":["../../src/social-providers/linear.ts"],"sourcesContent":["import { betterFetch } from \"@better-fetch/fetch\";\nimport type { OAuthProvider, ProviderOptions } from \"../oauth2\";\nimport {\n\tcreateAuthorizationURL,\n\trefreshAccessToken,\n\tvalidateAuthorizationCode,\n} from \"../oauth2\";\n\nexport interface LinearUser {\n\tid: string;\n\tname: string;\n\temail: string;\n\tavatarUrl?: string | undefined;\n\tactive: boolean;\n\tcreatedAt: string;\n\tupdatedAt: string;\n}\n\nexport interface LinearProfile {\n\tdata: {\n\t\tviewer: LinearUser;\n\t};\n}\n\nexport interface LinearOptions extends ProviderOptions<LinearUser> {\n\tclientId: string;\n}\n\nexport const linear = (options: LinearOptions) => {\n\tconst tokenEndpoint = \"https://api.linear.app/oauth/token\";\n\treturn {\n\t\tid: \"linear\",\n\t\tname: \"Linear\",\n\t\tcreateAuthorizationURL({ state, scopes, loginHint, redirectURI }) {\n\t\t\tconst _scopes = options.disableDefaultScope ? [] : [\"read\"];\n\t\t\tif (options.scope) _scopes.push(...options.scope);\n\t\t\tif (scopes) _scopes.push(...scopes);\n\t\t\treturn createAuthorizationURL({\n\t\t\t\tid: \"linear\",\n\t\t\t\toptions,\n\t\t\t\tauthorizationEndpoint: \"https://linear.app/oauth/authorize\",\n\t\t\t\tscopes: _scopes,\n\t\t\t\tstate,\n\t\t\t\tredirectURI,\n\t\t\t\tloginHint,\n\t\t\t});\n\t\t},\n\t\tvalidateAuthorizationCode: async ({ code, redirectURI }) => {\n\t\t\treturn validateAuthorizationCode({\n\t\t\t\tcode,\n\t\t\t\tredirectURI,\n\t\t\t\toptions,\n\t\t\t\ttokenEndpoint,\n\t\t\t});\n\t\t},\n\t\trefreshAccessToken: options.refreshAccessToken\n\t\t\t? options.refreshAccessToken\n\t\t\t: async (refreshToken) => {\n\t\t\t\t\treturn refreshAccessToken({\n\t\t\t\t\t\trefreshToken,\n\t\t\t\t\t\toptions: {\n\t\t\t\t\t\t\tclientId: options.clientId,\n\t\t\t\t\t\t\tclientKey: options.clientKey,\n\t\t\t\t\t\t\tclientSecret: options.clientSecret,\n\t\t\t\t\t\t},\n\t\t\t\t\t\ttokenEndpoint,\n\t\t\t\t\t});\n\t\t\t\t},\n\t\tasync getUserInfo(token) {\n\t\t\tif (options.getUserInfo) {\n\t\t\t\treturn options.getUserInfo(token);\n\t\t\t}\n\n\t\t\tconst { data: profile, error } = await betterFetch<LinearProfile>(\n\t\t\t\t\"https://api.linear.app/graphql\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"POST\",\n\t\t\t\t\theaders: {\n\t\t\t\t\t\t\"Content-Type\": \"application/json\",\n\t\t\t\t\t\tAuthorization: `Bearer ${token.accessToken}`,\n\t\t\t\t\t},\n\t\t\t\t\tbody: JSON.stringify({\n\t\t\t\t\t\tquery: `\n\t\t\t\t\t\t\tquery {\n\t\t\t\t\t\t\t\tviewer {\n\t\t\t\t\t\t\t\t\tid\n\t\t\t\t\t\t\t\t\tname\n\t\t\t\t\t\t\t\t\temail\n\t\t\t\t\t\t\t\t\tavatarUrl\n\t\t\t\t\t\t\t\t\tactive\n\t\t\t\t\t\t\t\t\tcreatedAt\n\t\t\t\t\t\t\t\t\tupdatedAt\n\t\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t`,\n\t\t\t\t\t}),\n\t\t\t\t},\n\t\t\t);\n\t\t\tif (error || !profile?.data?.viewer) {\n\t\t\t\treturn null;\n\t\t\t}\n\n\t\t\tconst userData = profile.data.viewer;\n\t\t\tconst userMap = await options.mapProfileToUser?.(userData);\n\t\t\t// Linear does not provide email_verified claim.\n\t\t\t// We default to false for security consistency.\n\t\t\treturn {\n\t\t\t\tuser: {\n\t\t\t\t\tid: profile.data.viewer.id,\n\t\t\t\t\tname: profile.data.viewer.name,\n\t\t\t\t\temail: profile.data.viewer.email,\n\t\t\t\t\timage: profile.data.viewer.avatarUrl,\n\t\t\t\t\temailVerified: false,\n\t\t\t\t\t...userMap,\n\t\t\t\t},\n\t\t\t\tdata: userData,\n\t\t\t};\n\t\t},\n\t\toptions,\n\t} satisfies OAuthProvider<LinearUser>;\n};\n"],"mappings":";;;;;;;AA4BA,MAAa,UAAU,YAA2B;CACjD,MAAM,gBAAgB;AACtB,QAAO;EACN,IAAI;EACJ,MAAM;EACN,uBAAuB,EAAE,OAAO,QAAQ,WAAW,eAAe;GACjE,MAAM,UAAU,QAAQ,sBAAsB,EAAE,GAAG,CAAC,OAAO;AAC3D,OAAI,QAAQ,MAAO,SAAQ,KAAK,GAAG,QAAQ,MAAM;AACjD,OAAI,OAAQ,SAAQ,KAAK,GAAG,OAAO;AACnC,UAAO,uBAAuB;IAC7B,IAAI;IACJ;IACA,uBAAuB;IACvB,QAAQ;IACR;IACA;IACA;IACA,CAAC;;EAEH,2BAA2B,OAAO,EAAE,MAAM,kBAAkB;AAC3D,UAAO,0BAA0B;IAChC;IACA;IACA;IACA;IACA,CAAC;;EAEH,oBAAoB,QAAQ,qBACzB,QAAQ,qBACR,OAAO,iBAAiB;AACxB,UAAO,mBAAmB;IACzB;IACA,SAAS;KACR,UAAU,QAAQ;KAClB,WAAW,QAAQ;KACnB,cAAc,QAAQ;KACtB;IACD;IACA,CAAC;;EAEL,MAAM,YAAY,OAAO;AACxB,OAAI,QAAQ,YACX,QAAO,QAAQ,YAAY,MAAM;GAGlC,MAAM,EAAE,MAAM,SAAS,UAAU,MAAM,YACtC,kCACA;IACC,QAAQ;IACR,SAAS;KACR,gBAAgB;KAChB,eAAe,UAAU,MAAM;KAC/B;IACD,MAAM,KAAK,UAAU,EACpB,OAAO;;;;;;;;;;;;SAaP,CAAC;IACF,CACD;AACD,OAAI,SAAS,CAAC,SAAS,MAAM,OAC5B,QAAO;GAGR,MAAM,WAAW,QAAQ,KAAK;GAC9B,MAAM,UAAU,MAAM,QAAQ,mBAAmB,SAAS;AAG1D,UAAO;IACN,MAAM;KACL,IAAI,QAAQ,KAAK,OAAO;KACxB,MAAM,QAAQ,KAAK,OAAO;KAC1B,OAAO,QAAQ,KAAK,OAAO;KAC3B,OAAO,QAAQ,KAAK,OAAO;KAC3B,eAAe;KACf,GAAG;KACH;IACD,MAAM;IACN;;EAEF;EACA"}

package/dist/social-providers/linkedin.d.mts

@@ -0,0 +1,70 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/linkedin.d.ts
+interface LinkedInProfile {
+  sub: string;
+  name: string;
+  given_name: string;
+  family_name: string;
+  picture: string;
+  locale: {
+    country: string;
+    language: string;
+  };
+  email: string;
+  email_verified: boolean;
+}
+interface LinkedInOptions extends ProviderOptions<LinkedInProfile> {
+  clientId: string;
+}
+declare const linkedin: (options: LinkedInOptions) => {
+  id: "linkedin";
+  name: string;
+  createAuthorizationURL: ({
+    state,
+    scopes,
+    redirectURI,
+    loginHint
+  }: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }) => Promise<URL>;
+  validateAuthorizationCode: ({
+    code,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }) => Promise<OAuth2Tokens>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  options: LinkedInOptions;
+};
+//#endregion
+export { LinkedInOptions, LinkedInProfile, linkedin };
+//# sourceMappingURL=linkedin.d.mts.map

package/dist/social-providers/linkedin.mjs

@@ -0,0 +1,77 @@
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { betterFetch } from "@better-fetch/fetch";
+
+//#region src/social-providers/linkedin.ts
+const linkedin = (options) => {
+	const authorizationEndpoint = "https://www.linkedin.com/oauth/v2/authorization";
+	const tokenEndpoint = "https://www.linkedin.com/oauth/v2/accessToken";
+	return {
+		id: "linkedin",
+		name: "Linkedin",
+		createAuthorizationURL: async ({ state, scopes, redirectURI, loginHint }) => {
+			const _scopes = options.disableDefaultScope ? [] : [
+				"profile",
+				"email",
+				"openid"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
+				id: "linkedin",
+				options,
+				authorizationEndpoint,
+				scopes: _scopes,
+				state,
+				loginHint,
+				redirectURI
+			});
+		},
+		validateAuthorizationCode: async ({ code, redirectURI }) => {
+			return await validateAuthorizationCode({
+				code,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientKey: options.clientKey,
+					clientSecret: options.clientSecret
+				},
+				tokenEndpoint
+			});
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			const { data: profile, error } = await betterFetch("https://api.linkedin.com/v2/userinfo", {
+				method: "GET",
+				headers: { Authorization: `Bearer ${token.accessToken}` }
+			});
+			if (error) return null;
+			const userMap = await options.mapProfileToUser?.(profile);
+			return {
+				user: {
+					id: profile.sub,
+					name: profile.name,
+					email: profile.email,
+					emailVerified: profile.email_verified || false,
+					image: profile.picture,
+					...userMap
+				},
+				data: profile
+			};
+		},
+		options
+	};
+};
+
+//#endregion
+export { linkedin };
+//# sourceMappingURL=linkedin.mjs.map

package/dist/social-providers/linkedin.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"linkedin.mjs","names":[],"sources":["../../src/social-providers/linkedin.ts"],"sourcesContent":["import { betterFetch } from \"@better-fetch/fetch\";\nimport type { OAuthProvider, ProviderOptions } from \"../oauth2\";\nimport {\n\tcreateAuthorizationURL,\n\trefreshAccessToken,\n\tvalidateAuthorizationCode,\n} from \"../oauth2\";\n\nexport interface LinkedInProfile {\n\tsub: string;\n\tname: string;\n\tgiven_name: string;\n\tfamily_name: string;\n\tpicture: string;\n\tlocale: {\n\t\tcountry: string;\n\t\tlanguage: string;\n\t};\n\temail: string;\n\temail_verified: boolean;\n}\n\nexport interface LinkedInOptions extends ProviderOptions<LinkedInProfile> {\n\tclientId: string;\n}\n\nexport const linkedin = (options: LinkedInOptions) => {\n\tconst authorizationEndpoint =\n\t\t\"https://www.linkedin.com/oauth/v2/authorization\";\n\tconst tokenEndpoint = \"https://www.linkedin.com/oauth/v2/accessToken\";\n\n\treturn {\n\t\tid: \"linkedin\",\n\t\tname: \"Linkedin\",\n\t\tcreateAuthorizationURL: async ({\n\t\t\tstate,\n\t\t\tscopes,\n\t\t\tredirectURI,\n\t\t\tloginHint,\n\t\t}) => {\n\t\t\tconst _scopes = options.disableDefaultScope\n\t\t\t\t? []\n\t\t\t\t: [\"profile\", \"email\", \"openid\"];\n\t\t\tif (options.scope) _scopes.push(...options.scope);\n\t\t\tif (scopes) _scopes.push(...scopes);\n\t\t\treturn await createAuthorizationURL({\n\t\t\t\tid: \"linkedin\",\n\t\t\t\toptions,\n\t\t\t\tauthorizationEndpoint,\n\t\t\t\tscopes: _scopes,\n\t\t\t\tstate,\n\t\t\t\tloginHint,\n\t\t\t\tredirectURI,\n\t\t\t});\n\t\t},\n\t\tvalidateAuthorizationCode: async ({ code, redirectURI }) => {\n\t\t\treturn await validateAuthorizationCode({\n\t\t\t\tcode,\n\t\t\t\tredirectURI,\n\t\t\t\toptions,\n\t\t\t\ttokenEndpoint,\n\t\t\t});\n\t\t},\n\t\trefreshAccessToken: options.refreshAccessToken\n\t\t\t? options.refreshAccessToken\n\t\t\t: async (refreshToken) => {\n\t\t\t\t\treturn refreshAccessToken({\n\t\t\t\t\t\trefreshToken,\n\t\t\t\t\t\toptions: {\n\t\t\t\t\t\t\tclientId: options.clientId,\n\t\t\t\t\t\t\tclientKey: options.clientKey,\n\t\t\t\t\t\t\tclientSecret: options.clientSecret,\n\t\t\t\t\t\t},\n\t\t\t\t\t\ttokenEndpoint,\n\t\t\t\t\t});\n\t\t\t\t},\n\t\tasync getUserInfo(token) {\n\t\t\tif (options.getUserInfo) {\n\t\t\t\treturn options.getUserInfo(token);\n\t\t\t}\n\t\t\tconst { data: profile, error } = await betterFetch<LinkedInProfile>(\n\t\t\t\t\"https://api.linkedin.com/v2/userinfo\",\n\t\t\t\t{\n\t\t\t\t\tmethod: \"GET\",\n\t\t\t\t\theaders: {\n\t\t\t\t\t\tAuthorization: `Bearer ${token.accessToken}`,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t);\n\n\t\t\tif (error) {\n\t\t\t\treturn null;\n\t\t\t}\n\n\t\t\tconst userMap = await options.mapProfileToUser?.(profile);\n\t\t\treturn {\n\t\t\t\tuser: {\n\t\t\t\t\tid: profile.sub,\n\t\t\t\t\tname: profile.name,\n\t\t\t\t\temail: profile.email,\n\t\t\t\t\temailVerified: profile.email_verified || false,\n\t\t\t\t\timage: profile.picture,\n\t\t\t\t\t...userMap,\n\t\t\t\t},\n\t\t\t\tdata: profile,\n\t\t\t};\n\t\t},\n\t\toptions,\n\t} satisfies OAuthProvider<LinkedInProfile>;\n};\n"],"mappings":";;;;;;;AA0BA,MAAa,YAAY,YAA6B;CACrD,MAAM,wBACL;CACD,MAAM,gBAAgB;AAEtB,QAAO;EACN,IAAI;EACJ,MAAM;EACN,wBAAwB,OAAO,EAC9B,OACA,QACA,aACA,gBACK;GACL,MAAM,UAAU,QAAQ,sBACrB,EAAE,GACF;IAAC;IAAW;IAAS;IAAS;AACjC,OAAI,QAAQ,MAAO,SAAQ,KAAK,GAAG,QAAQ,MAAM;AACjD,OAAI,OAAQ,SAAQ,KAAK,GAAG,OAAO;AACnC,UAAO,MAAM,uBAAuB;IACnC,IAAI;IACJ;IACA;IACA,QAAQ;IACR;IACA;IACA;IACA,CAAC;;EAEH,2BAA2B,OAAO,EAAE,MAAM,kBAAkB;AAC3D,UAAO,MAAM,0BAA0B;IACtC;IACA;IACA;IACA;IACA,CAAC;;EAEH,oBAAoB,QAAQ,qBACzB,QAAQ,qBACR,OAAO,iBAAiB;AACxB,UAAO,mBAAmB;IACzB;IACA,SAAS;KACR,UAAU,QAAQ;KAClB,WAAW,QAAQ;KACnB,cAAc,QAAQ;KACtB;IACD;IACA,CAAC;;EAEL,MAAM,YAAY,OAAO;AACxB,OAAI,QAAQ,YACX,QAAO,QAAQ,YAAY,MAAM;GAElC,MAAM,EAAE,MAAM,SAAS,UAAU,MAAM,YACtC,wCACA;IACC,QAAQ;IACR,SAAS,EACR,eAAe,UAAU,MAAM,eAC/B;IACD,CACD;AAED,OAAI,MACH,QAAO;GAGR,MAAM,UAAU,MAAM,QAAQ,mBAAmB,QAAQ;AACzD,UAAO;IACN,MAAM;KACL,IAAI,QAAQ;KACZ,MAAM,QAAQ;KACd,OAAO,QAAQ;KACf,eAAe,QAAQ,kBAAkB;KACzC,OAAO,QAAQ;KACf,GAAG;KACH;IACD,MAAM;IACN;;EAEF;EACA"}

package/dist/social-providers/microsoft-entra-id.d.mts

@@ -0,0 +1,177 @@
+import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import "../oauth2/index.mjs";
+
+//#region src/social-providers/microsoft-entra-id.d.ts
+/**
+ * @see [Microsoft Identity Platform - Optional claims reference](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims-reference)
+ */
+interface MicrosoftEntraIDProfile extends Record<string, any> {
+  /** Identifies the intended recipient of the token */
+  aud: string;
+  /** Identifies the issuer, or "authorization server" that constructs and returns the token */
+  iss: string;
+  /** Indicates when the authentication for the token occurred */
+  iat: Date;
+  /** Records the identity provider that authenticated the subject of the token */
+  idp: string;
+  /** Identifies the time before which the JWT can't be accepted for processing */
+  nbf: Date;
+  /** Identifies the expiration time on or after which the JWT can't be accepted for processing */
+  exp: Date;
+  /** Code hash included in ID tokens when issued with an OAuth 2.0 authorization code */
+  c_hash: string;
+  /** Access token hash included in ID tokens when issued with an OAuth 2.0 access token */
+  at_hash: string;
+  /** Internal claim used to record data for token reuse */
+  aio: string;
+  /** The primary username that represents the user */
+  preferred_username: string;
+  /** User's email address */
+  email: string;
+  /** Human-readable value that identifies the subject of the token */
+  name: string;
+  /** Matches the parameter included in the original authorize request */
+  nonce: string;
+  /** User's profile picture */
+  picture: string;
+  /** Immutable identifier for the user account */
+  oid: string;
+  /** Set of roles assigned to the user */
+  roles: string[];
+  /** Internal claim used to revalidate tokens */
+  rh: string;
+  /** Subject identifier - unique to application ID */
+  sub: string;
+  /** Tenant ID the user is signing in to */
+  tid: string;
+  /** Unique identifier for a session */
+  sid: string;
+  /** Token identifier claim */
+  uti: string;
+  /** Indicates if user is in at least one group */
+  hasgroups: boolean;
+  /** User account status in tenant (0 = member, 1 = guest) */
+  acct: 0 | 1;
+  /** Auth Context IDs */
+  acrs: string;
+  /** Time when the user last authenticated */
+  auth_time: Date;
+  /** User's country/region */
+  ctry: string;
+  /** IP address of requesting client when inside VNET */
+  fwd: string;
+  /** Group claims */
+  groups: string;
+  /** Login hint for SSO */
+  login_hint: string;
+  /** Resource tenant's country/region */
+  tenant_ctry: string;
+  /** Region of the resource tenant */
+  tenant_region_scope: string;
+  /** UserPrincipalName */
+  upn: string;
+  /** User's verified primary email addresses */
+  verified_primary_email: string[];
+  /** User's verified secondary email addresses */
+  verified_secondary_email: string[];
+  /** Whether the user's email is verified (optional claim, must be configured in app registration) */
+  email_verified?: boolean | undefined;
+  /** VNET specifier information */
+  vnet: string;
+  /** Client Capabilities */
+  xms_cc: string;
+  /** Whether user's email domain is verified */
+  xms_edov: boolean;
+  /** Preferred data location for Multi-Geo tenants */
+  xms_pdl: string;
+  /** User preferred language */
+  xms_pl: string;
+  /** Tenant preferred language */
+  xms_tpl: string;
+  /** Zero-touch Deployment ID */
+  ztdid: string;
+  /** IP Address */
+  ipaddr: string;
+  /** On-premises Security Identifier */
+  onprem_sid: string;
+  /** Password Expiration Time */
+  pwd_exp: number;
+  /** Change Password URL */
+  pwd_url: string;
+  /** Inside Corporate Network flag */
+  in_corp: string;
+  /** User's family name/surname */
+  family_name: string;
+  /** User's given/first name */
+  given_name: string;
+}
+interface MicrosoftOptions extends ProviderOptions<MicrosoftEntraIDProfile> {
+  clientId: string;
+  /**
+   * The tenant ID of the Microsoft account
+   * @default "common"
+   */
+  tenantId?: string | undefined;
+  /**
+   * The authentication authority URL. Use the default "https://login.microsoftonline.com" for standard Entra ID or "https://<tenant-id>.ciamlogin.com" for CIAM scenarios.
+   * @default "https://login.microsoftonline.com"
+   */
+  authority?: string | undefined;
+  /**
+   * The size of the profile photo
+   * @default 48
+   */
+  profilePhotoSize?: (48 | 64 | 96 | 120 | 240 | 360 | 432 | 504 | 648) | undefined;
+  /**
+   * Disable profile photo
+   */
+  disableProfilePhoto?: boolean | undefined;
+}
+declare const microsoft: (options: MicrosoftOptions) => {
+  id: "microsoft";
+  name: string;
+  createAuthorizationURL(data: {
+    state: string;
+    codeVerifier: string;
+    scopes?: string[] | undefined;
+    redirectURI: string;
+    display?: string | undefined;
+    loginHint?: string | undefined;
+  }): Promise<URL>;
+  validateAuthorizationCode({
+    code,
+    codeVerifier,
+    redirectURI
+  }: {
+    code: string;
+    redirectURI: string;
+    codeVerifier?: string | undefined;
+    deviceId?: string | undefined;
+  }): Promise<OAuth2Tokens>;
+  verifyIdToken(token: string, nonce: string | undefined): Promise<boolean>;
+  getUserInfo(token: OAuth2Tokens & {
+    user?: {
+      name?: {
+        firstName?: string;
+        lastName?: string;
+      };
+      email?: string;
+    } | undefined;
+  }): Promise<{
+    user: {
+      id: string;
+      name?: string;
+      email?: string | null;
+      image?: string;
+      emailVerified: boolean;
+      [key: string]: any;
+    };
+    data: any;
+  } | null>;
+  refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
+  options: MicrosoftOptions;
+};
+declare const getMicrosoftPublicKey: (kid: string, tenant: string, authority: string) => Promise<Uint8Array<ArrayBufferLike> | CryptoKey>;
+//#endregion
+export { MicrosoftEntraIDProfile, MicrosoftOptions, getMicrosoftPublicKey, microsoft };
+//# sourceMappingURL=microsoft-entra-id.d.mts.map

package/dist/social-providers/microsoft-entra-id.mjs

@@ -0,0 +1,140 @@
+import { logger } from "../env/logger.mjs";
+import "../env/index.mjs";
+import { APIError } from "../error/index.mjs";
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
+import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
+import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
+import "../oauth2/index.mjs";
+import { base64 } from "@better-auth/utils/base64";
+import { betterFetch } from "@better-fetch/fetch";
+import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+
+//#region src/social-providers/microsoft-entra-id.ts
+const microsoft = (options) => {
+	const tenant = options.tenantId || "common";
+	const authority = options.authority || "https://login.microsoftonline.com";
+	const authorizationEndpoint = `${authority}/${tenant}/oauth2/v2.0/authorize`;
+	const tokenEndpoint = `${authority}/${tenant}/oauth2/v2.0/token`;
+	return {
+		id: "microsoft",
+		name: "Microsoft EntraID",
+		createAuthorizationURL(data) {
+			const scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"profile",
+				"email",
+				"User.Read",
+				"offline_access"
+			];
+			if (options.scope) scopes.push(...options.scope);
+			if (data.scopes) scopes.push(...data.scopes);
+			return createAuthorizationURL({
+				id: "microsoft",
+				options,
+				authorizationEndpoint,
+				state: data.state,
+				codeVerifier: data.codeVerifier,
+				scopes,
+				redirectURI: data.redirectURI,
+				prompt: options.prompt,
+				loginHint: data.loginHint
+			});
+		},
+		validateAuthorizationCode({ code, codeVerifier, redirectURI }) {
+			return validateAuthorizationCode({
+				code,
+				codeVerifier,
+				redirectURI,
+				options,
+				tokenEndpoint
+			});
+		},
+		async verifyIdToken(token, nonce) {
+			if (options.disableIdTokenSignIn) return false;
+			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
+			try {
+				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
+				if (!kid || !jwtAlg) return false;
+				const publicKey = await getMicrosoftPublicKey(kid, tenant, authority);
+				const verifyOptions = {
+					algorithms: [jwtAlg],
+					audience: options.clientId,
+					maxTokenAge: "1h"
+				};
+				/**
+				* Issuer varies per user's tenant for multi-tenant endpoints, so only validate for specific tenants.
+				* @see https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols#endpoints
+				*/
+				if (tenant !== "common" && tenant !== "organizations" && tenant !== "consumers") verifyOptions.issuer = `${authority}/${tenant}/v2.0`;
+				const { payload: jwtClaims } = await jwtVerify(token, publicKey, verifyOptions);
+				if (nonce && jwtClaims.nonce !== nonce) return false;
+				return true;
+			} catch (error) {
+				logger.error("Failed to verify ID token:", error);
+				return false;
+			}
+		},
+		async getUserInfo(token) {
+			if (options.getUserInfo) return options.getUserInfo(token);
+			if (!token.idToken) return null;
+			const user = decodeJwt(token.idToken);
+			const profilePhotoSize = options.profilePhotoSize || 48;
+			await betterFetch(`https://graph.microsoft.com/v1.0/me/photos/${profilePhotoSize}x${profilePhotoSize}/$value`, {
+				headers: { Authorization: `Bearer ${token.accessToken}` },
+				async onResponse(context) {
+					if (options.disableProfilePhoto || !context.response.ok) return;
+					try {
+						const pictureBuffer = await context.response.clone().arrayBuffer();
+						user.picture = `data:image/jpeg;base64, ${base64.encode(pictureBuffer)}`;
+					} catch (e) {
+						logger.error(e && typeof e === "object" && "name" in e ? e.name : "", e);
+					}
+				}
+			});
+			const userMap = await options.mapProfileToUser?.(user);
+			const emailVerified = user.email_verified !== void 0 ? user.email_verified : user.email && (user.verified_primary_email?.includes(user.email) || user.verified_secondary_email?.includes(user.email)) ? true : false;
+			return {
+				user: {
+					id: user.sub,
+					name: user.name,
+					email: user.email,
+					image: user.picture,
+					emailVerified,
+					...userMap
+				},
+				data: user
+			};
+		},
+		refreshAccessToken: options.refreshAccessToken ? options.refreshAccessToken : async (refreshToken) => {
+			const scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"profile",
+				"email",
+				"User.Read",
+				"offline_access"
+			];
+			if (options.scope) scopes.push(...options.scope);
+			return refreshAccessToken({
+				refreshToken,
+				options: {
+					clientId: options.clientId,
+					clientSecret: options.clientSecret
+				},
+				extraParams: { scope: scopes.join(" ") },
+				tokenEndpoint
+			});
+		},
+		options
+	};
+};
+const getMicrosoftPublicKey = async (kid, tenant, authority) => {
+	const { data } = await betterFetch(`${authority}/${tenant}/discovery/v2.0/keys`);
+	if (!data?.keys) throw new APIError("BAD_REQUEST", { message: "Keys not found" });
+	const jwk = data.keys.find((key) => key.kid === kid);
+	if (!jwk) throw new Error(`JWK with kid ${kid} not found`);
+	return await importJWK(jwk, jwk.alg);
+};
+
+//#endregion
+export { getMicrosoftPublicKey, microsoft };
+//# sourceMappingURL=microsoft-entra-id.mjs.map

package/dist/social-providers/microsoft-entra-id.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"microsoft-entra-id.mjs","names":[],"sources":["../../src/social-providers/microsoft-entra-id.ts"],"sourcesContent":["import { base64 } from \"@better-auth/utils/base64\";\nimport { betterFetch } from \"@better-fetch/fetch\";\nimport { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from \"jose\";\nimport { logger } from \"../env\";\nimport { APIError } from \"../error\";\nimport type { OAuthProvider, ProviderOptions } from \"../oauth2\";\nimport {\n\tcreateAuthorizationURL,\n\trefreshAccessToken,\n\tvalidateAuthorizationCode,\n} from \"../oauth2\";\n\n/**\n * @see [Microsoft Identity Platform - Optional claims reference](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims-reference)\n */\nexport interface MicrosoftEntraIDProfile extends Record<string, any> {\n\t/** Identifies the intended recipient of the token */\n\taud: string;\n\t/** Identifies the issuer, or \"authorization server\" that constructs and returns the token */\n\tiss: string;\n\t/** Indicates when the authentication for the token occurred */\n\tiat: Date;\n\t/** Records the identity provider that authenticated the subject of the token */\n\tidp: string;\n\t/** Identifies the time before which the JWT can't be accepted for processing */\n\tnbf: Date;\n\t/** Identifies the expiration time on or after which the JWT can't be accepted for processing */\n\texp: Date;\n\t/** Code hash included in ID tokens when issued with an OAuth 2.0 authorization code */\n\tc_hash: string;\n\t/** Access token hash included in ID tokens when issued with an OAuth 2.0 access token */\n\tat_hash: string;\n\t/** Internal claim used to record data for token reuse */\n\taio: string;\n\t/** The primary username that represents the user */\n\tpreferred_username: string;\n\t/** User's email address */\n\temail: string;\n\t/** Human-readable value that identifies the subject of the token */\n\tname: string;\n\t/** Matches the parameter included in the original authorize request */\n\tnonce: string;\n\t/** User's profile picture */\n\tpicture: string;\n\t/** Immutable identifier for the user account */\n\toid: string;\n\t/** Set of roles assigned to the user */\n\troles: string[];\n\t/** Internal claim used to revalidate tokens */\n\trh: string;\n\t/** Subject identifier - unique to application ID */\n\tsub: string;\n\t/** Tenant ID the user is signing in to */\n\ttid: string;\n\t/** Unique identifier for a session */\n\tsid: string;\n\t/** Token identifier claim */\n\tuti: string;\n\t/** Indicates if user is in at least one group */\n\thasgroups: boolean;\n\t/** User account status in tenant (0 = member, 1 = guest) */\n\tacct: 0 | 1;\n\t/** Auth Context IDs */\n\tacrs: string;\n\t/** Time when the user last authenticated */\n\tauth_time: Date;\n\t/** User's country/region */\n\tctry: string;\n\t/** IP address of requesting client when inside VNET */\n\tfwd: string;\n\t/** Group claims */\n\tgroups: string;\n\t/** Login hint for SSO */\n\tlogin_hint: string;\n\t/** Resource tenant's country/region */\n\ttenant_ctry: string;\n\t/** Region of the resource tenant */\n\ttenant_region_scope: string;\n\t/** UserPrincipalName */\n\tupn: string;\n\t/** User's verified primary email addresses */\n\tverified_primary_email: string[];\n\t/** User's verified secondary email addresses */\n\tverified_secondary_email: string[];\n\t/** Whether the user's email is verified (optional claim, must be configured in app registration) */\n\temail_verified?: boolean | undefined;\n\t/** VNET specifier information */\n\tvnet: string;\n\t/** Client Capabilities */\n\txms_cc: string;\n\t/** Whether user's email domain is verified */\n\txms_edov: boolean;\n\t/** Preferred data location for Multi-Geo tenants */\n\txms_pdl: string;\n\t/** User preferred language */\n\txms_pl: string;\n\t/** Tenant preferred language */\n\txms_tpl: string;\n\t/** Zero-touch Deployment ID */\n\tztdid: string;\n\t/** IP Address */\n\tipaddr: string;\n\t/** On-premises Security Identifier */\n\tonprem_sid: string;\n\t/** Password Expiration Time */\n\tpwd_exp: number;\n\t/** Change Password URL */\n\tpwd_url: string;\n\t/** Inside Corporate Network flag */\n\tin_corp: string;\n\t/** User's family name/surname */\n\tfamily_name: string;\n\t/** User's given/first name */\n\tgiven_name: string;\n}\n\nexport interface MicrosoftOptions\n\textends ProviderOptions<MicrosoftEntraIDProfile> {\n\tclientId: string;\n\t/**\n\t * The tenant ID of the Microsoft account\n\t * @default \"common\"\n\t */\n\ttenantId?: string | undefined;\n\t/**\n\t * The authentication authority URL. Use the default \"https://login.microsoftonline.com\" for standard Entra ID or \"https://<tenant-id>.ciamlogin.com\" for CIAM scenarios.\n\t * @default \"https://login.microsoftonline.com\"\n\t */\n\tauthority?: string | undefined;\n\t/**\n\t * The size of the profile photo\n\t * @default 48\n\t */\n\tprofilePhotoSize?:\n\t\t| (48 | 64 | 96 | 120 | 240 | 360 | 432 | 504 | 648)\n\t\t| undefined;\n\t/**\n\t * Disable profile photo\n\t */\n\tdisableProfilePhoto?: boolean | undefined;\n}\n\nexport const microsoft = (options: MicrosoftOptions) => {\n\tconst tenant = options.tenantId || \"common\";\n\tconst authority = options.authority || \"https://login.microsoftonline.com\";\n\tconst authorizationEndpoint = `${authority}/${tenant}/oauth2/v2.0/authorize`;\n\tconst tokenEndpoint = `${authority}/${tenant}/oauth2/v2.0/token`;\n\treturn {\n\t\tid: \"microsoft\",\n\t\tname: \"Microsoft EntraID\",\n\t\tcreateAuthorizationURL(data) {\n\t\t\tconst scopes = options.disableDefaultScope\n\t\t\t\t? []\n\t\t\t\t: [\"openid\", \"profile\", \"email\", \"User.Read\", \"offline_access\"];\n\t\t\tif (options.scope) scopes.push(...options.scope);\n\t\t\tif (data.scopes) scopes.push(...data.scopes);\n\t\t\treturn createAuthorizationURL({\n\t\t\t\tid: \"microsoft\",\n\t\t\t\toptions,\n\t\t\t\tauthorizationEndpoint,\n\t\t\t\tstate: data.state,\n\t\t\t\tcodeVerifier: data.codeVerifier,\n\t\t\t\tscopes,\n\t\t\t\tredirectURI: data.redirectURI,\n\t\t\t\tprompt: options.prompt,\n\t\t\t\tloginHint: data.loginHint,\n\t\t\t});\n\t\t},\n\t\tvalidateAuthorizationCode({ code, codeVerifier, redirectURI }) {\n\t\t\treturn validateAuthorizationCode({\n\t\t\t\tcode,\n\t\t\t\tcodeVerifier,\n\t\t\t\tredirectURI,\n\t\t\t\toptions,\n\t\t\t\ttokenEndpoint,\n\t\t\t});\n\t\t},\n\t\tasync verifyIdToken(token, nonce) {\n\t\t\tif (options.disableIdTokenSignIn) {\n\t\t\t\treturn false;\n\t\t\t}\n\t\t\tif (options.verifyIdToken) {\n\t\t\t\treturn options.verifyIdToken(token, nonce);\n\t\t\t}\n\n\t\t\ttry {\n\t\t\t\tconst { kid, alg: jwtAlg } = decodeProtectedHeader(token);\n\t\t\t\tif (!kid || !jwtAlg) return false;\n\n\t\t\t\tconst publicKey = await getMicrosoftPublicKey(kid, tenant, authority);\n\t\t\t\tconst verifyOptions: {\n\t\t\t\t\talgorithms: [string];\n\t\t\t\t\taudience: string;\n\t\t\t\t\tmaxTokenAge: string;\n\t\t\t\t\tissuer?: string;\n\t\t\t\t} = {\n\t\t\t\t\talgorithms: [jwtAlg],\n\t\t\t\t\taudience: options.clientId,\n\t\t\t\t\tmaxTokenAge: \"1h\",\n\t\t\t\t};\n\t\t\t\t/**\n\t\t\t\t * Issuer varies per user's tenant for multi-tenant endpoints, so only validate for specific tenants.\n\t\t\t\t * @see https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols#endpoints\n\t\t\t\t */\n\t\t\t\tif (\n\t\t\t\t\ttenant !== \"common\" &&\n\t\t\t\t\ttenant !== \"organizations\" &&\n\t\t\t\t\ttenant !== \"consumers\"\n\t\t\t\t) {\n\t\t\t\t\tverifyOptions.issuer = `${authority}/${tenant}/v2.0`;\n\t\t\t\t}\n\t\t\t\tconst { payload: jwtClaims } = await jwtVerify(\n\t\t\t\t\ttoken,\n\t\t\t\t\tpublicKey,\n\t\t\t\t\tverifyOptions,\n\t\t\t\t);\n\n\t\t\t\tif (nonce && jwtClaims.nonce !== nonce) {\n\t\t\t\t\treturn false;\n\t\t\t\t}\n\n\t\t\t\treturn true;\n\t\t\t} catch (error) {\n\t\t\t\tlogger.error(\"Failed to verify ID token:\", error);\n\t\t\t\treturn false;\n\t\t\t}\n\t\t},\n\t\tasync getUserInfo(token) {\n\t\t\tif (options.getUserInfo) {\n\t\t\t\treturn options.getUserInfo(token);\n\t\t\t}\n\t\t\tif (!token.idToken) {\n\t\t\t\treturn null;\n\t\t\t}\n\t\t\tconst user = decodeJwt(token.idToken) as MicrosoftEntraIDProfile;\n\t\t\tconst profilePhotoSize = options.profilePhotoSize || 48;\n\t\t\tawait betterFetch<ArrayBuffer>(\n\t\t\t\t`https://graph.microsoft.com/v1.0/me/photos/${profilePhotoSize}x${profilePhotoSize}/$value`,\n\t\t\t\t{\n\t\t\t\t\theaders: {\n\t\t\t\t\t\tAuthorization: `Bearer ${token.accessToken}`,\n\t\t\t\t\t},\n\t\t\t\t\tasync onResponse(context) {\n\t\t\t\t\t\tif (options.disableProfilePhoto || !context.response.ok) {\n\t\t\t\t\t\t\treturn;\n\t\t\t\t\t\t}\n\t\t\t\t\t\ttry {\n\t\t\t\t\t\t\tconst response = context.response.clone();\n\t\t\t\t\t\t\tconst pictureBuffer = await response.arrayBuffer();\n\t\t\t\t\t\t\tconst pictureBase64 = base64.encode(pictureBuffer);\n\t\t\t\t\t\t\tuser.picture = `data:image/jpeg;base64, ${pictureBase64}`;\n\t\t\t\t\t\t} catch (e) {\n\t\t\t\t\t\t\tlogger.error(\n\t\t\t\t\t\t\t\te && typeof e === \"object\" && \"name\" in e\n\t\t\t\t\t\t\t\t\t? (e.name as string)\n\t\t\t\t\t\t\t\t\t: \"\",\n\t\t\t\t\t\t\t\te,\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t}\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t);\n\t\t\tconst userMap = await options.mapProfileToUser?.(user);\n\t\t\t// Microsoft Entra ID does NOT include email_verified claim by default.\n\t\t\t// It must be configured as an optional claim in the app registration.\n\t\t\t// We default to false when not provided for security consistency.\n\t\t\t// We can also check verified_primary_email/verified_secondary_email arrays as fallback.\n\t\t\tconst emailVerified =\n\t\t\t\tuser.email_verified !== undefined\n\t\t\t\t\t? user.email_verified\n\t\t\t\t\t: user.email &&\n\t\t\t\t\t\t\t(user.verified_primary_email?.includes(user.email) ||\n\t\t\t\t\t\t\t\tuser.verified_secondary_email?.includes(user.email))\n\t\t\t\t\t\t? true\n\t\t\t\t\t\t: false;\n\t\t\treturn {\n\t\t\t\tuser: {\n\t\t\t\t\tid: user.sub,\n\t\t\t\t\tname: user.name,\n\t\t\t\t\temail: user.email,\n\t\t\t\t\timage: user.picture,\n\t\t\t\t\temailVerified,\n\t\t\t\t\t...userMap,\n\t\t\t\t},\n\t\t\t\tdata: user,\n\t\t\t};\n\t\t},\n\t\trefreshAccessToken: options.refreshAccessToken\n\t\t\t? options.refreshAccessToken\n\t\t\t: async (refreshToken) => {\n\t\t\t\t\tconst scopes = options.disableDefaultScope\n\t\t\t\t\t\t? []\n\t\t\t\t\t\t: [\"openid\", \"profile\", \"email\", \"User.Read\", \"offline_access\"];\n\t\t\t\t\tif (options.scope) scopes.push(...options.scope);\n\n\t\t\t\t\treturn refreshAccessToken({\n\t\t\t\t\t\trefreshToken,\n\t\t\t\t\t\toptions: {\n\t\t\t\t\t\t\tclientId: options.clientId,\n\t\t\t\t\t\t\tclientSecret: options.clientSecret,\n\t\t\t\t\t\t},\n\t\t\t\t\t\textraParams: {\n\t\t\t\t\t\t\tscope: scopes.join(\" \"), // Include the scopes in request to microsoft\n\t\t\t\t\t\t},\n\t\t\t\t\t\ttokenEndpoint,\n\t\t\t\t\t});\n\t\t\t\t},\n\t\toptions,\n\t} satisfies OAuthProvider;\n};\n\nexport const getMicrosoftPublicKey = async (\n\tkid: string,\n\ttenant: string,\n\tauthority: string,\n) => {\n\tconst { data } = await betterFetch<{\n\t\tkeys: Array<{\n\t\t\tkid: string;\n\t\t\talg: string;\n\t\t\tkty: string;\n\t\t\tuse: string;\n\t\t\tn: string;\n\t\t\te: string;\n\t\t\tx5c?: string[];\n\t\t\tx5t?: string;\n\t\t}>;\n\t}>(`${authority}/${tenant}/discovery/v2.0/keys`);\n\n\tif (!data?.keys) {\n\t\tthrow new APIError(\"BAD_REQUEST\", {\n\t\t\tmessage: \"Keys not found\",\n\t\t});\n\t}\n\n\tconst jwk = data.keys.find((key) => key.kid === kid);\n\tif (!jwk) {\n\t\tthrow new Error(`JWK with kid ${kid} not found`);\n\t}\n\n\treturn await importJWK(jwk, jwk.alg);\n};\n"],"mappings":";;;;;;;;;;;;AA8IA,MAAa,aAAa,YAA8B;CACvD,MAAM,SAAS,QAAQ,YAAY;CACnC,MAAM,YAAY,QAAQ,aAAa;CACvC,MAAM,wBAAwB,GAAG,UAAU,GAAG,OAAO;CACrD,MAAM,gBAAgB,GAAG,UAAU,GAAG,OAAO;AAC7C,QAAO;EACN,IAAI;EACJ,MAAM;EACN,uBAAuB,MAAM;GAC5B,MAAM,SAAS,QAAQ,sBACpB,EAAE,GACF;IAAC;IAAU;IAAW;IAAS;IAAa;IAAiB;AAChE,OAAI,QAAQ,MAAO,QAAO,KAAK,GAAG,QAAQ,MAAM;AAChD,OAAI,KAAK,OAAQ,QAAO,KAAK,GAAG,KAAK,OAAO;AAC5C,UAAO,uBAAuB;IAC7B,IAAI;IACJ;IACA;IACA,OAAO,KAAK;IACZ,cAAc,KAAK;IACnB;IACA,aAAa,KAAK;IAClB,QAAQ,QAAQ;IAChB,WAAW,KAAK;IAChB,CAAC;;EAEH,0BAA0B,EAAE,MAAM,cAAc,eAAe;AAC9D,UAAO,0BAA0B;IAChC;IACA;IACA;IACA;IACA;IACA,CAAC;;EAEH,MAAM,cAAc,OAAO,OAAO;AACjC,OAAI,QAAQ,qBACX,QAAO;AAER,OAAI,QAAQ,cACX,QAAO,QAAQ,cAAc,OAAO,MAAM;AAG3C,OAAI;IACH,MAAM,EAAE,KAAK,KAAK,WAAW,sBAAsB,MAAM;AACzD,QAAI,CAAC,OAAO,CAAC,OAAQ,QAAO;IAE5B,MAAM,YAAY,MAAM,sBAAsB,KAAK,QAAQ,UAAU;IACrE,MAAM,gBAKF;KACH,YAAY,CAAC,OAAO;KACpB,UAAU,QAAQ;KAClB,aAAa;KACb;;;;;AAKD,QACC,WAAW,YACX,WAAW,mBACX,WAAW,YAEX,eAAc,SAAS,GAAG,UAAU,GAAG,OAAO;IAE/C,MAAM,EAAE,SAAS,cAAc,MAAM,UACpC,OACA,WACA,cACA;AAED,QAAI,SAAS,UAAU,UAAU,MAChC,QAAO;AAGR,WAAO;YACC,OAAO;AACf,WAAO,MAAM,8BAA8B,MAAM;AACjD,WAAO;;;EAGT,MAAM,YAAY,OAAO;AACxB,OAAI,QAAQ,YACX,QAAO,QAAQ,YAAY,MAAM;AAElC,OAAI,CAAC,MAAM,QACV,QAAO;GAER,MAAM,OAAO,UAAU,MAAM,QAAQ;GACrC,MAAM,mBAAmB,QAAQ,oBAAoB;AACrD,SAAM,YACL,8CAA8C,iBAAiB,GAAG,iBAAiB,UACnF;IACC,SAAS,EACR,eAAe,UAAU,MAAM,eAC/B;IACD,MAAM,WAAW,SAAS;AACzB,SAAI,QAAQ,uBAAuB,CAAC,QAAQ,SAAS,GACpD;AAED,SAAI;MAEH,MAAM,gBAAgB,MADL,QAAQ,SAAS,OAAO,CACJ,aAAa;AAElD,WAAK,UAAU,2BADO,OAAO,OAAO,cAAc;cAE1C,GAAG;AACX,aAAO,MACN,KAAK,OAAO,MAAM,YAAY,UAAU,IACpC,EAAE,OACH,IACH,EACA;;;IAGH,CACD;GACD,MAAM,UAAU,MAAM,QAAQ,mBAAmB,KAAK;GAKtD,MAAM,gBACL,KAAK,mBAAmB,SACrB,KAAK,iBACL,KAAK,UACJ,KAAK,wBAAwB,SAAS,KAAK,MAAM,IACjD,KAAK,0BAA0B,SAAS,KAAK,MAAM,IACnD,OACA;AACL,UAAO;IACN,MAAM;KACL,IAAI,KAAK;KACT,MAAM,KAAK;KACX,OAAO,KAAK;KACZ,OAAO,KAAK;KACZ;KACA,GAAG;KACH;IACD,MAAM;IACN;;EAEF,oBAAoB,QAAQ,qBACzB,QAAQ,qBACR,OAAO,iBAAiB;GACxB,MAAM,SAAS,QAAQ,sBACpB,EAAE,GACF;IAAC;IAAU;IAAW;IAAS;IAAa;IAAiB;AAChE,OAAI,QAAQ,MAAO,QAAO,KAAK,GAAG,QAAQ,MAAM;AAEhD,UAAO,mBAAmB;IACzB;IACA,SAAS;KACR,UAAU,QAAQ;KAClB,cAAc,QAAQ;KACtB;IACD,aAAa,EACZ,OAAO,OAAO,KAAK,IAAI,EACvB;IACD;IACA,CAAC;;EAEL;EACA;;AAGF,MAAa,wBAAwB,OACpC,KACA,QACA,cACI;CACJ,MAAM,EAAE,SAAS,MAAM,YAWpB,GAAG,UAAU,GAAG,OAAO,sBAAsB;AAEhD,KAAI,CAAC,MAAM,KACV,OAAM,IAAI,SAAS,eAAe,EACjC,SAAS,kBACT,CAAC;CAGH,MAAM,MAAM,KAAK,KAAK,MAAM,QAAQ,IAAI,QAAQ,IAAI;AACpD,KAAI,CAAC,IACJ,OAAM,IAAI,MAAM,gBAAgB,IAAI,YAAY;AAGjD,QAAO,MAAM,UAAU,KAAK,IAAI,IAAI"}