@better-auth/core 1.7.0-beta.3 → 1.7.0-beta.4

package/dist/oauth2/validate-authorization-code.d.mts

@@ -1,64 +1,41 @@
-import { ClientAssertionConfig } from "./client-assertion.mjs";
 import { AwaitableFunction } from "../types/helper.mjs";
 import { OAuth2Tokens, ProviderOptions } from "./oauth-provider.mjs";
+import { TokenEndpointAuth, TokenEndpointSecretAuthentication } from "./token-endpoint-auth.mjs";
 import * as jose from "jose";
 
 //#region src/oauth2/validate-authorization-code.d.ts
-declare function authorizationCodeRequest({
-  code,
-  codeVerifier,
-  redirectURI,
-  options,
-  authentication,
-  clientAssertion,
-  tokenEndpoint,
-  deviceId,
-  headers,
-  additionalParams,
-  resource
-}: {
+interface AuthorizationCodeRequestInput {
   code: string;
   redirectURI: string;
   options: AwaitableFunction<Partial<ProviderOptions>>;
   codeVerifier?: string | undefined;
   deviceId?: string | undefined;
-  authentication?: ("basic" | "post" | "private_key_jwt") | undefined;
-  clientAssertion?: ClientAssertionConfig | undefined; /** Token endpoint URL. Used as the JWT `aud` claim when signing assertions. */
+  authentication?: TokenEndpointSecretAuthentication | undefined;
+  tokenEndpointAuth?: TokenEndpointAuth | undefined;
   tokenEndpoint?: string | undefined;
   headers?: Record<string, string> | undefined;
   additionalParams?: Record<string, string> | undefined;
   resource?: (string | string[]) | undefined;
-}): Promise<{
-  body: URLSearchParams;
-  headers: Record<string, any>;
-}>;
-/**
- * @deprecated use async'd authorizationCodeRequest instead
- */
-declare function createAuthorizationCodeRequest({
+}
+interface ValidateAuthorizationCodeInput extends AuthorizationCodeRequestInput {
+  tokenEndpoint: string;
+}
+declare function authorizationCodeRequest({
   code,
   codeVerifier,
   redirectURI,
   options,
   authentication,
+  tokenEndpointAuth,
+  tokenEndpoint,
   deviceId,
   headers,
   additionalParams,
   resource
-}: {
-  code: string;
-  redirectURI: string;
-  options: Partial<ProviderOptions>;
-  codeVerifier?: string | undefined;
-  deviceId?: string | undefined;
-  authentication?: ("basic" | "post" | "private_key_jwt") | undefined;
-  headers?: Record<string, string> | undefined;
-  additionalParams?: Record<string, string> | undefined;
-  resource?: (string | string[]) | undefined;
-}): {
+}: AuthorizationCodeRequestInput): Promise<{
   body: URLSearchParams;
-  headers: Record<string, any>;
-};
+  headers: Record<string, string>;
+}>;
 declare function validateAuthorizationCode({
   code,
   codeVerifier,
@@ -66,27 +43,15 @@ declare function validateAuthorizationCode({
   options,
   tokenEndpoint,
   authentication,
-  clientAssertion,
+  tokenEndpointAuth,
   deviceId,
   headers,
   additionalParams,
   resource
-}: {
-  code: string;
-  redirectURI: string;
-  options: AwaitableFunction<Partial<ProviderOptions>>;
-  codeVerifier?: string | undefined;
-  deviceId?: string | undefined;
-  tokenEndpoint: string;
-  authentication?: ("basic" | "post" | "private_key_jwt") | undefined;
-  clientAssertion?: ClientAssertionConfig | undefined;
-  headers?: Record<string, string> | undefined;
-  additionalParams?: Record<string, string> | undefined;
-  resource?: (string | string[]) | undefined;
-}): Promise<OAuth2Tokens>;
+}: ValidateAuthorizationCodeInput): Promise<OAuth2Tokens>;
 declare function validateToken(token: string, jwksEndpoint: string, options?: {
   audience?: string | string[];
   issuer?: string | string[];
 }): Promise<jose.JWTVerifyResult<jose.JWTPayload> & jose.ResolvedKey>;
 //#endregion
-export { authorizationCodeRequest, createAuthorizationCodeRequest, validateAuthorizationCode, validateToken };
+export { authorizationCodeRequest, validateAuthorizationCode, validateToken };

package/dist/oauth2/validate-authorization-code.mjs

@@ -1,39 +1,32 @@
-import { resolveAssertionParams } from "./client-assertion.mjs";
 import { getOAuth2Tokens } from "./utils.mjs";
+import { applyTokenEndpointAuth } from "./token-endpoint-auth.mjs";
 import { createRemoteJWKSet, jwtVerify } from "jose";
-import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/oauth2/validate-authorization-code.ts
-async function authorizationCodeRequest({ code, codeVerifier, redirectURI, options, authentication, clientAssertion, tokenEndpoint, deviceId, headers, additionalParams = {}, resource }) {
+async function authorizationCodeRequest({ code, codeVerifier, redirectURI, options, authentication, tokenEndpointAuth, tokenEndpoint, deviceId, headers, additionalParams = {}, resource }) {
 	options = typeof options === "function" ? await options() : options;
-	if (authentication === "private_key_jwt") {
-		if (!clientAssertion) throw new Error("private_key_jwt authentication requires a clientAssertion configuration");
-		const assertionParams = await resolveAssertionParams({
-			clientAssertion,
-			clientId: Array.isArray(options.clientId) ? options.clientId[0] : options.clientId,
-			tokenEndpoint
-		});
-		additionalParams = {
-			...additionalParams,
-			...assertionParams
-		};
-	}
-	return createAuthorizationCodeRequest({
+	const request = buildAuthorizationCodeRequest({
 		code,
 		codeVerifier,
 		redirectURI,
 		options,
-		authentication,
 		deviceId,
 		headers,
 		additionalParams,
 		resource
 	});
+	await applyTokenEndpointAuth({
+		body: request.body,
+		headers: request.headers,
+		options,
+		tokenEndpoint: tokenEndpoint ?? "",
+		grantType: "authorization_code",
+		tokenEndpointAuth,
+		authentication
+	});
+	return request;
 }
-/**
-* @deprecated use async'd authorizationCodeRequest instead
-*/
-function createAuthorizationCodeRequest({ code, codeVerifier, redirectURI, options, authentication, deviceId, headers, additionalParams = {}, resource }) {
+function buildAuthorizationCodeRequest({ code, codeVerifier, redirectURI, options, deviceId, headers, additionalParams = {}, resource }) {
 	const body = new URLSearchParams();
 	const requestHeaders = {
 		"content-type": "application/x-www-form-urlencoded",
@@ -48,26 +41,20 @@ function createAuthorizationCodeRequest({ code, codeVerifier, redirectURI, optio
 	body.set("redirect_uri", options.redirectURI || redirectURI);
 	if (resource) if (typeof resource === "string") body.append("resource", resource);
 	else for (const _resource of resource) body.append("resource", _resource);
-	const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
-	if (authentication === "basic") requestHeaders["authorization"] = `Basic ${base64.encode(`${primaryClientId}:${options.clientSecret ?? ""}`)}`;
-	else {
-		body.set("client_id", primaryClientId);
-		if (authentication !== "private_key_jwt" && options.clientSecret) body.set("client_secret", options.clientSecret);
-	}
 	for (const [key, value] of Object.entries(additionalParams)) if (!body.has(key)) body.append(key, value);
 	return {
 		body,
 		headers: requestHeaders
 	};
 }
-async function validateAuthorizationCode({ code, codeVerifier, redirectURI, options, tokenEndpoint, authentication, clientAssertion, deviceId, headers, additionalParams = {}, resource }) {
+async function validateAuthorizationCode({ code, codeVerifier, redirectURI, options, tokenEndpoint, authentication, tokenEndpointAuth, deviceId, headers, additionalParams = {}, resource }) {
 	const { body, headers: requestHeaders } = await authorizationCodeRequest({
 		code,
 		codeVerifier,
 		redirectURI,
 		options,
 		authentication,
-		clientAssertion,
+		tokenEndpointAuth,
 		tokenEndpoint,
 		deviceId,
 		headers,
@@ -89,4 +76,4 @@ async function validateToken(token, jwksEndpoint, options) {
 	});
 }
 //#endregion
-export { authorizationCodeRequest, createAuthorizationCodeRequest, validateAuthorizationCode, validateToken };
+export { authorizationCodeRequest, validateAuthorizationCode, validateToken };

package/dist/oauth2/verify.mjs

@@ -1,8 +1,16 @@
 import { logger } from "../env/logger.mjs";
 import { APIError } from "better-call";
-import { UnsecuredJWT, createLocalJWKSet, decodeProtectedHeader, jwtVerify } from "jose";
+import { UnsecuredJWT, createLocalJWKSet, decodeProtectedHeader, errors, jwtVerify } from "jose";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/oauth2/verify.ts
+const joseInfrastructureErrorCodes = new Set([
+	errors.JWKSTimeout.code,
+	errors.JWKSInvalid.code,
+	errors.JWKSMultipleMatchingKeys.code
+]);
+function isJoseInfrastructureError(error) {
+	return joseInfrastructureErrorCodes.has(error.code);
+}
 /** Last fetched jwks used locally in getJwks @internal */
 let jwks;
 /**
@@ -28,7 +36,7 @@ async function getJwks(token, opts) {
 		if (error instanceof Error) throw error;
 		throw new Error(error);
 	}
-	if (!jwtHeaders.kid) throw new Error("Missing jwt kid");
+	if (!jwtHeaders.kid) throw new APIError("UNAUTHORIZED", { message: "invalid access token" });
 	if (!jwks || !jwks.keys.find((jwk) => jwk.kid === jwtHeaders.kid)) {
 		jwks = typeof opts.jwksFetch === "string" ? await betterFetch(opts.jwksFetch, { headers: { Accept: "application/json" } }).then(async (res) => {
 			if (res.error) throw new Error(`Jwks failed: ${res.error.message ?? res.error.statusText}`);
@@ -51,9 +59,11 @@ async function verifyAccessToken(token, opts) {
 			verifyOptions: opts.verifyOptions
 		});
 	} catch (error) {
-		if (error instanceof Error) if (error.name === "TypeError" || error.name === "JWSInvalid") {} else if (error.name === "JWTExpired") throw new APIError("UNAUTHORIZED", { message: "token expired" });
-		else if (error.name === "JWTInvalid") throw new APIError("UNAUTHORIZED", { message: "token invalid" });
-		else throw error;
+		if (error instanceof Error) if (error.name === "TypeError" || error.name === "JWSInvalid") {} else if (error instanceof errors.JWTExpired) throw new APIError("UNAUTHORIZED", { message: "token expired" });
+		else if (error instanceof errors.JOSEError) {
+			if (isJoseInfrastructureError(error)) throw error;
+			throw new APIError("UNAUTHORIZED", { message: "invalid access token" });
+		} else throw error;
 		else throw new Error(error);
 	}
 	if (opts?.remoteVerify) {

package/dist/social-providers/apple.d.mts

@@ -70,7 +70,8 @@ declare const apple: (options: AppleOptions) => {
   createAuthorizationURL({
     state,
     scopes,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -78,6 +79,7 @@ declare const apple: (options: AppleOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    additionalParams?: Record<string, string> | undefined;
   }): Promise<URL>;
   validateAuthorizationCode: ({
     code,
@@ -93,23 +95,7 @@ declare const apple: (options: AppleOptions) => {
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
     user?: {
-      name /**
-            * An Integer value that indicates whether the user appears to be a real
-            * person. Use the value of this claim to mitigate fraud. The possible
-            * values are: 0 (or Unsupported), 1 (or Unknown), 2 (or LikelyReal). For
-            * more information, see ASUserDetectionStatus. This claim is present only
-            * in iOS 14 and later, macOS 11 and later, watchOS 7 and later, tvOS 14
-            * and later. The claim isn’t present or supported for web-based apps.
-            */?
-      /**
-      * An Integer value that indicates whether the user appears to be a real
-      * person. Use the value of this claim to mitigate fraud. The possible
-      * values are: 0 (or Unsupported), 1 (or Unknown), 2 (or LikelyReal). For
-      * more information, see ASUserDetectionStatus. This claim is present only
-      * in iOS 14 and later, macOS 11 and later, watchOS 7 and later, tvOS 14
-      * and later. The claim isn’t present or supported for web-based apps.
-      */
-      : {
+      name?: {
         firstName?: string;
         lastName?: string;
       };

package/dist/social-providers/apple.mjs

@@ -7,12 +7,22 @@ import { validateAuthorizationCode } from "../oauth2/validate-authorization-code
 import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/apple.ts
+async function sha256Hex(value) {
+	const data = new TextEncoder().encode(value);
+	const digest = await crypto.subtle.digest("SHA-256", data);
+	return Array.from(new Uint8Array(digest)).map((byte) => byte.toString(16).padStart(2, "0")).join("");
+}
+async function nonceMatches(jwtNonce, nonce) {
+	if (typeof jwtNonce !== "string") return false;
+	if (jwtNonce === nonce) return true;
+	return jwtNonce === await sha256Hex(nonce);
+}
 const apple = (options) => {
 	const tokenEndpoint = "https://appleid.apple.com/auth/token";
 	return {
 		id: "apple",
 		name: "Apple",
-		async createAuthorizationURL({ state, scopes, redirectURI }) {
+		async createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
 			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
 				logger.error("Client ID and client secret are required for Apple. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
@@ -28,7 +38,8 @@ const apple = (options) => {
 				state,
 				redirectURI,
 				responseMode: "form_post",
-				responseType: "code id_token"
+				responseType: "code id_token",
+				additionalParams
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
@@ -55,7 +66,7 @@ const apple = (options) => {
 				["email_verified", "is_private_email"].forEach((field) => {
 					if (jwtClaims[field] !== void 0) jwtClaims[field] = Boolean(jwtClaims[field]);
 				});
-				if (nonce && jwtClaims.nonce !== nonce) return false;
+				if (nonce && !await nonceMatches(jwtClaims.nonce, nonce)) return false;
 				return !!jwtClaims;
 			} catch {
 				return false;

package/dist/social-providers/atlassian.d.mts

@@ -25,7 +25,8 @@ declare const atlassian: (options: AtlassianOptions) => {
     state,
     scopes,
     codeVerifier,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -33,6 +34,7 @@ declare const atlassian: (options: AtlassianOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    additionalParams?: Record<string, string> | undefined;
   }): Promise<URL>;
   validateAuthorizationCode: ({
     code,

package/dist/social-providers/atlassian.mjs

@@ -10,7 +10,7 @@ const atlassian = (options) => {
 	return {
 		id: "atlassian",
 		name: "Atlassian",
-		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			if (!options.clientId || !options.clientSecret) {
 				logger.error("Client Id and Secret are required for Atlassian");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
@@ -27,7 +27,10 @@ const atlassian = (options) => {
 				state,
 				codeVerifier,
 				redirectURI,
-				additionalParams: { audience: "api.atlassian.com" },
+				additionalParams: {
+					...additionalParams ?? {},
+					audience: "api.atlassian.com"
+				},
 				prompt: options.prompt
 			});
 		},

package/dist/social-providers/cognito.d.mts

@@ -30,6 +30,19 @@ interface CognitoOptions extends ProviderOptions<CognitoProfile> {
   region: string;
   userPoolId: string;
   requireClientSecret?: boolean | undefined;
+  /**
+   * Skip the Cognito hosted-UI identity-provider picker by preselecting an
+   * IdP (maps to the `identity_provider` query parameter on the authorize
+   * request). Accepts `"COGNITO"`, a SAML/OIDC provider name configured on
+   * the User Pool, or one of the social providers (`"Google"`, `"Facebook"`,
+   * `"LoginWithAmazon"`, `"SignInWithApple"`).
+   *
+   * Per-request overrides via `signIn.social({ additionalParams: { identity_provider } })`
+   * take precedence over this value.
+   *
+   * @see https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html
+   */
+  identityProvider?: string | undefined;
 }
 declare const cognito: (options: CognitoOptions) => {
   id: "cognito";
@@ -38,7 +51,8 @@ declare const cognito: (options: CognitoOptions) => {
     state,
     scopes,
     codeVerifier,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -46,6 +60,7 @@ declare const cognito: (options: CognitoOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    additionalParams?: Record<string, string> | undefined;
   }): Promise<URL>;
   validateAuthorizationCode: ({
     code,

package/dist/social-providers/cognito.mjs

@@ -19,7 +19,7 @@ const cognito = (options) => {
 	return {
 		id: "cognito",
 		name: "Cognito",
-		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			if (!getPrimaryClientId(options.clientId)) {
 				logger.error("ClientId is required for Amazon Cognito. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
@@ -43,7 +43,11 @@ const cognito = (options) => {
 				state,
 				codeVerifier,
 				redirectURI,
-				prompt: options.prompt
+				prompt: options.prompt,
+				additionalParams: {
+					...options.identityProvider ? { identity_provider: options.identityProvider } : {},
+					...additionalParams ?? {}
+				}
 			});
 			const scopeValue = url.searchParams.get("scope");
 			if (scopeValue) {

package/dist/social-providers/discord.d.mts

@@ -80,7 +80,8 @@ declare const discord: (options: DiscordOptions) => {
   createAuthorizationURL({
     state,
     scopes,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -88,7 +89,8 @@ declare const discord: (options: DiscordOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
-  }): URL;
+    additionalParams?: Record<string, string> | undefined;
+  }): Promise<URL>;
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/discord.mjs

@@ -1,3 +1,4 @@
+import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
@@ -7,12 +8,24 @@ const discord = (options) => {
 	return {
 		id: "discord",
 		name: "Discord",
-		createAuthorizationURL({ state, scopes, redirectURI }) {
+		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
 			const _scopes = options.disableDefaultScope ? [] : ["identify", "email"];
 			if (scopes) _scopes.push(...scopes);
 			if (options.scope) _scopes.push(...options.scope);
-			const permissionsParam = _scopes.includes("bot") && options.permissions !== void 0 ? `&permissions=${options.permissions}` : "";
-			return new URL(`https://discord.com/api/oauth2/authorize?scope=${_scopes.join("+")}&response_type=code&client_id=${options.clientId}&redirect_uri=${encodeURIComponent(options.redirectURI || redirectURI)}&state=${state}&prompt=${options.prompt || "none"}${permissionsParam}`);
+			const hasBotScope = _scopes.includes("bot");
+			return createAuthorizationURL({
+				id: "discord",
+				options,
+				authorizationEndpoint: "https://discord.com/api/oauth2/authorize",
+				scopes: _scopes,
+				state,
+				redirectURI,
+				prompt: options.prompt || "none",
+				additionalParams: {
+					...hasBotScope && options.permissions !== void 0 ? { permissions: String(options.permissions) } : {},
+					...additionalParams ?? {}
+				}
+			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {
 			return validateAuthorizationCode({

package/dist/social-providers/dropbox.d.mts

@@ -24,7 +24,8 @@ declare const dropbox: (options: DropboxOptions) => {
     state,
     scopes,
     codeVerifier,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -32,6 +33,7 @@ declare const dropbox: (options: DropboxOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    additionalParams?: Record<string, string> | undefined;
   }) => Promise<URL>;
   validateAuthorizationCode: ({
     code,

package/dist/social-providers/dropbox.mjs

@@ -8,12 +8,10 @@ const dropbox = (options) => {
 	return {
 		id: "dropbox",
 		name: "Dropbox",
-		createAuthorizationURL: async ({ state, scopes, codeVerifier, redirectURI }) => {
+		createAuthorizationURL: async ({ state, scopes, codeVerifier, redirectURI, additionalParams }) => {
 			const _scopes = options.disableDefaultScope ? [] : ["account_info.read"];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);
-			const additionalParams = {};
-			if (options.accessType) additionalParams.token_access_type = options.accessType;
 			return await createAuthorizationURL({
 				id: "dropbox",
 				options,
@@ -22,7 +20,10 @@ const dropbox = (options) => {
 				state,
 				redirectURI,
 				codeVerifier,
-				additionalParams
+				additionalParams: {
+					...options.accessType ? { token_access_type: options.accessType } : {},
+					...additionalParams ?? {}
+				}
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {

package/dist/social-providers/facebook.d.mts

@@ -34,7 +34,8 @@ declare const facebook: (options: FacebookOptions) => {
     state,
     scopes,
     redirectURI,
-    loginHint
+    loginHint,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -42,6 +43,7 @@ declare const facebook: (options: FacebookOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    additionalParams?: Record<string, string> | undefined;
   }): Promise<URL>;
   validateAuthorizationCode: ({
     code,

package/dist/social-providers/facebook.mjs

@@ -11,7 +11,7 @@ const facebook = (options) => {
 	return {
 		id: "facebook",
 		name: "Facebook",
-		async createAuthorizationURL({ state, scopes, redirectURI, loginHint }) {
+		async createAuthorizationURL({ state, scopes, redirectURI, loginHint, additionalParams }) {
 			if (!getPrimaryClientId(options.clientId) || !options.clientSecret) {
 				logger.error("Client ID and client secret are required for Facebook. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
@@ -27,7 +27,10 @@ const facebook = (options) => {
 				state,
 				redirectURI,
 				loginHint,
-				additionalParams: options.configId ? { config_id: options.configId } : {}
+				additionalParams: {
+					...options.configId ? { config_id: options.configId } : {},
+					...additionalParams ?? {}
+				}
 			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {

package/dist/social-providers/figma.d.mts

@@ -16,7 +16,8 @@ declare const figma: (options: FigmaOptions) => {
     state,
     scopes,
     codeVerifier,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -24,6 +25,7 @@ declare const figma: (options: FigmaOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    additionalParams?: Record<string, string> | undefined;
   }): Promise<URL>;
   validateAuthorizationCode: ({
     code,

package/dist/social-providers/figma.mjs

@@ -10,7 +10,7 @@ const figma = (options) => {
 	return {
 		id: "figma",
 		name: "Figma",
-		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI }) {
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, additionalParams }) {
 			if (!options.clientId || !options.clientSecret) {
 				logger.error("Client Id and Client Secret are required for Figma. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
@@ -26,7 +26,8 @@ const figma = (options) => {
 				scopes: _scopes,
 				state,
 				codeVerifier,
-				redirectURI
+				redirectURI,
+				additionalParams
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {

package/dist/social-providers/github.d.mts

@@ -57,7 +57,8 @@ declare const github: (options: GithubOptions) => {
     scopes,
     loginHint,
     codeVerifier,
-    redirectURI
+    redirectURI,
+    additionalParams
   }: {
     state: string;
     codeVerifier: string;
@@ -65,6 +66,7 @@ declare const github: (options: GithubOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    additionalParams?: Record<string, string> | undefined;
   }): Promise<URL>;
   validateAuthorizationCode: ({
     code,

package/dist/social-providers/github.mjs

@@ -2,7 +2,7 @@ import { logger } from "../env/logger.mjs";
 import { getOAuth2Tokens } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
-import { createAuthorizationCodeRequest } from "../oauth2/validate-authorization-code.mjs";
+import { authorizationCodeRequest } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/github.ts
 const github = (options) => {
@@ -10,7 +10,7 @@ const github = (options) => {
 	return {
 		id: "github",
 		name: "GitHub",
-		createAuthorizationURL({ state, scopes, loginHint, codeVerifier, redirectURI }) {
+		createAuthorizationURL({ state, scopes, loginHint, codeVerifier, redirectURI, additionalParams }) {
 			const _scopes = options.disableDefaultScope ? [] : ["read:user", "user:email"];
 			if (options.scope) _scopes.push(...options.scope);
 			if (scopes) _scopes.push(...scopes);
@@ -23,11 +23,12 @@ const github = (options) => {
 				codeVerifier,
 				redirectURI,
 				loginHint,
-				prompt: options.prompt
+				prompt: options.prompt,
+				additionalParams
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
-			const { body, headers: requestHeaders } = createAuthorizationCodeRequest({
+			const { body, headers: requestHeaders } = await authorizationCodeRequest({
 				code,
 				codeVerifier,
 				redirectURI,