@better-auth/core 1.7.0-beta.3 → 1.7.0-beta.4

package/src/oauth2/client-assertion.ts

@@ -1,8 +1,9 @@
 import type { JWTHeaderParameters } from "jose";
 import { importJWK, importPKCS8, SignJWT } from "jose";
+import type { Awaitable } from "../types";
 
 /** Asymmetric signing algorithms compatible with private_key_jwt (RFC 7523). */
-export const ASSERTION_SIGNING_ALGORITHMS = [
+export const PRIVATE_KEY_JWT_SIGNING_ALGORITHMS = [
 	"RS256",
 	"RS384",
 	"RS512",
@@ -15,15 +16,79 @@ export const ASSERTION_SIGNING_ALGORITHMS = [
 	"EdDSA",
 ] as const;
 
-export type AssertionSigningAlgorithm =
-	(typeof ASSERTION_SIGNING_ALGORITHMS)[number];
+export type PrivateKeyJwtSigningAlgorithm =
+	(typeof PRIVATE_KEY_JWT_SIGNING_ALGORITHMS)[number];
+
+function assertSupportedPrivateKeyJwtAlgorithm(
+	candidate: string,
+): asserts candidate is PrivateKeyJwtSigningAlgorithm {
+	if (
+		!(PRIVATE_KEY_JWT_SIGNING_ALGORITHMS as readonly string[]).includes(
+			candidate,
+		)
+	) {
+		throw new Error(
+			`Unsupported private_key_jwt signing algorithm: ${candidate}. Use one of ${PRIVATE_KEY_JWT_SIGNING_ALGORITHMS.join(", ")}.`,
+		);
+	}
+}
+
+/**
+ * Validates `private_key_jwt` options eagerly and returns the algorithm to
+ * use for signing.
+ *
+ * Asserts that key material is configured, that any explicit `algorithm` is
+ * supported, that any JWK-embedded `alg` is supported, and that the two
+ * agree when both are set.
+ */
+function resolveValidPrivateKeyJwtOptions(options: {
+	privateKeyJwk?: JsonWebKey;
+	privateKeyPem?: string;
+	algorithm?: PrivateKeyJwtSigningAlgorithm;
+}): PrivateKeyJwtSigningAlgorithm {
+	if (!options.privateKeyJwk && !options.privateKeyPem) {
+		throw new Error(
+			"private_key_jwt requires either privateKeyJwk or privateKeyPem",
+		);
+	}
+	if (options.algorithm) {
+		assertSupportedPrivateKeyJwtAlgorithm(options.algorithm);
+	}
+	const jwkAlg = options.privateKeyJwk?.alg;
+	if (typeof jwkAlg === "string") {
+		assertSupportedPrivateKeyJwtAlgorithm(jwkAlg);
+	}
+	if (
+		options.algorithm &&
+		typeof jwkAlg === "string" &&
+		options.algorithm !== jwkAlg
+	) {
+		throw new Error(
+			`JWK alg "${jwkAlg}" does not match configured algorithm "${options.algorithm}". Remove the JWK alg field, or pass an algorithm that matches the JWK.`,
+		);
+	}
+	return options.algorithm ?? (typeof jwkAlg === "string" ? jwkAlg : "RS256");
+}
 
 export const CLIENT_ASSERTION_TYPE =
 	"urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
 
-export interface ClientAssertionConfig {
-	/** Pre-signed JWT assertion string. If provided, signing is skipped. */
-	assertion?: string;
+export type ClientAssertionGrantType =
+	| "authorization_code"
+	| "refresh_token"
+	| "client_credentials";
+
+export interface ClientAssertionContext {
+	clientId: string;
+	tokenEndpoint: string;
+	grantType: ClientAssertionGrantType;
+}
+
+export type ClientAssertionGetter = (
+	context: ClientAssertionContext,
+) => Awaitable<string>;
+
+export interface PrivateKeyJwtClientAssertionGetterOptions {
 	/** Private key in JWK format for signing. */
 	privateKeyJwk?: JsonWebKey;
 	/** Private key in PKCS#8 PEM format for signing. */
@@ -31,9 +96,7 @@ export interface ClientAssertionConfig {
 	/** Key ID to include in the JWT header. */
 	kid?: string;
 	/** Asymmetric signing algorithm. Symmetric algorithms (HS256) and "none" are not allowed. @default "RS256" */
-	algorithm?: AssertionSigningAlgorithm;
-	/** Token endpoint URL (used as the JWT `aud` claim). */
-	tokenEndpoint?: string;
+	algorithm?: PrivateKeyJwtSigningAlgorithm;
 	/** Assertion lifetime in seconds. @default 120 */
 	expiresIn?: number;
 }
@@ -41,10 +104,16 @@ export interface ClientAssertionConfig {
 /**
  * Signs an RFC 7523 client assertion JWT for `private_key_jwt` authentication.
  *
- * The JWT contains: iss=clientId, sub=clientId, aud=tokenEndpoint,
- * exp=now+120s, jti=unique, iat=now.
+ * The JWT contains these claims:
+ *
+ * - iss=clientId
+ * - sub=clientId
+ * - aud=tokenEndpoint
+ * - exp=now + 120s
+ * - jti=unique
+ * - iat=now
  */
-export async function signClientAssertion({
+export async function signPrivateKeyJwtClientAssertion({
 	clientId,
 	tokenEndpoint,
 	privateKeyJwk,
@@ -58,34 +127,30 @@ export async function signClientAssertion({
 	privateKeyJwk?: JsonWebKey;
 	privateKeyPem?: string;
 	kid?: string;
-	algorithm?: AssertionSigningAlgorithm;
+	algorithm?: PrivateKeyJwtSigningAlgorithm;
 	expiresIn?: number;
 }): Promise<string> {
-	// Fall back to JWK-embedded kid/alg when not explicitly provided (RFC 7517).
-	// JsonWebKey includes alg but not kid; access kid via index.
+	const resolvedAlg = resolveValidPrivateKeyJwtOptions({
+		privateKeyJwk,
+		privateKeyPem,
+		algorithm,
+	});
+	// Fall back to the JWK-embedded kid when not explicitly provided (RFC 7517).
+	// JsonWebKey types include alg but not kid; access kid via index.
 	const jwk = privateKeyJwk as Record<string, unknown> | undefined;
 	const resolvedKid = kid ?? (jwk?.kid as string | undefined);
-	const resolvedAlg =
-		algorithm ??
-		(privateKeyJwk?.alg as AssertionSigningAlgorithm | undefined) ??
-		"RS256";
-
-	let key: Awaited<ReturnType<typeof importJWK>>;
-	if (privateKeyJwk) {
-		key = await importJWK(privateKeyJwk, resolvedAlg);
-	} else if (privateKeyPem) {
-		key = await importPKCS8(privateKeyPem, resolvedAlg);
-	} else {
-		throw new Error(
-			"private_key_jwt requires either privateKeyJwk or privateKeyPem",
-		);
-	}
+
+	const key: Awaited<ReturnType<typeof importJWK>> = privateKeyJwk
+		? await importJWK(privateKeyJwk, resolvedAlg)
+		: await importPKCS8(privateKeyPem as string, resolvedAlg);
 
 	const now = Math.floor(Date.now() / 1000);
 	const jti = crypto.randomUUID();
 
 	const header: JWTHeaderParameters = { alg: resolvedAlg, typ: "JWT" };
-	if (resolvedKid) header.kid = resolvedKid;
+	if (resolvedKid) {
+		header.kid = resolvedKid;
+	}
 
 	return new SignJWT({})
 		.setProtectedHeader(header)
@@ -99,36 +164,44 @@ export async function signClientAssertion({
 }
 
 /**
- * Resolves a ClientAssertionConfig into `client_assertion` + `client_assertion_type`
- * params for injection into a token request body.
+ * Creates a client assertion getter for `private_key_jwt` authentication.
+ *
+ * Validates options eagerly (key material, supported algorithm, JWK alg
+ * agreement) so misconfiguration surfaces at construction rather than on the
+ * first token request. The returned function signs a fresh RFC 7523 JWT
+ * assertion for every token endpoint request.
  */
-export async function resolveAssertionParams({
-	clientAssertion,
-	clientId,
-	tokenEndpoint,
-}: {
-	clientAssertion: ClientAssertionConfig;
-	clientId: string;
-	tokenEndpoint?: string;
-}): Promise<Record<string, string>> {
-	let assertion = clientAssertion.assertion;
-	if (!assertion) {
-		const audEndpoint = tokenEndpoint ?? clientAssertion.tokenEndpoint;
-		if (!audEndpoint) {
-			throw new Error(
-				"private_key_jwt requires a tokenEndpoint for the JWT audience claim",
-			);
-		}
-		assertion = await signClientAssertion({
+export function createPrivateKeyJwtClientAssertionGetter(
+	options: PrivateKeyJwtClientAssertionGetterOptions,
+): ClientAssertionGetter {
+	resolveValidPrivateKeyJwtOptions({
+		privateKeyJwk: options.privateKeyJwk,
+		privateKeyPem: options.privateKeyPem,
+		algorithm: options.algorithm,
+	});
+	return ({ clientId, tokenEndpoint }) =>
+		signPrivateKeyJwtClientAssertion({
 			clientId,
-			tokenEndpoint: audEndpoint,
-			privateKeyJwk: clientAssertion.privateKeyJwk,
-			privateKeyPem: clientAssertion.privateKeyPem,
-			kid: clientAssertion.kid,
-			algorithm: clientAssertion.algorithm,
-			expiresIn: clientAssertion.expiresIn,
+			tokenEndpoint,
+			privateKeyJwk: options.privateKeyJwk,
+			privateKeyPem: options.privateKeyPem,
+			kid: options.kid,
+			algorithm: options.algorithm,
+			expiresIn: options.expiresIn,
 		});
-	}
+}
+
+/**
+ * Resolves a client assertion getter into `client_assertion` + `client_assertion_type` params for injection into a token request body.
+ */
+export async function resolveClientAssertionParams({
+	getClientAssertion,
+	context,
+}: {
+	getClientAssertion: ClientAssertionGetter;
+	context: ClientAssertionContext;
+}): Promise<Record<string, string>> {
+	const assertion = await getClientAssertion(context);
 	return {
 		client_assertion: assertion,
 		client_assertion_type: CLIENT_ASSERTION_TYPE,

package/src/oauth2/client-credentials-token.ts

@@ -1,72 +1,70 @@
-import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
 import type { AwaitableFunction } from "../types";
-import type { ClientAssertionConfig } from "./client-assertion";
-import { resolveAssertionParams } from "./client-assertion";
 import type { OAuth2Tokens, ProviderOptions } from "./oauth-provider";
+import type {
+	TokenEndpointAuth,
+	TokenEndpointSecretAuthentication,
+} from "./token-endpoint-auth";
+import { applyTokenEndpointAuth } from "./token-endpoint-auth";
+
+interface ClientCredentialsTokenRequestInput {
+	options: AwaitableFunction<ProviderOptions>;
+	scope?: string | undefined;
+	authentication?: TokenEndpointSecretAuthentication | undefined;
+	tokenEndpointAuth?: TokenEndpointAuth | undefined;
+	tokenEndpoint?: string | undefined;
+	resource?: (string | string[]) | undefined;
+}
+
+interface ClientCredentialsTokenRequestBaseInput {
+	options: ProviderOptions;
+	scope?: string | undefined;
+	resource?: (string | string[]) | undefined;
+	extraParams?: Record<string, string> | undefined;
+}
+
+interface ClientCredentialsTokenInput
+	extends ClientCredentialsTokenRequestInput {
+	tokenEndpoint: string;
+	scope: string;
+}
 
 export async function clientCredentialsTokenRequest({
 	options,
 	scope,
 	authentication,
-	clientAssertion,
+	tokenEndpointAuth,
 	tokenEndpoint,
 	resource,
-}: {
-	options: AwaitableFunction<ProviderOptions>;
-	scope?: string | undefined;
-	authentication?: ("basic" | "post" | "private_key_jwt") | undefined;
-	clientAssertion?: ClientAssertionConfig | undefined;
-	/** Token endpoint URL. Used as the JWT `aud` claim when signing assertions. */
-	tokenEndpoint?: string | undefined;
-	resource?: (string | string[]) | undefined;
-}) {
+}: ClientCredentialsTokenRequestInput) {
 	options = typeof options === "function" ? await options() : options;
-
-	let extraParams: Record<string, string> | undefined;
-	if (authentication === "private_key_jwt") {
-		if (!clientAssertion) {
-			throw new Error(
-				"private_key_jwt authentication requires a clientAssertion configuration",
-			);
-		}
-		const primaryClientId = Array.isArray(options.clientId)
-			? options.clientId[0]
-			: options.clientId;
-		extraParams = await resolveAssertionParams({
-			clientAssertion,
-			clientId: primaryClientId,
-			tokenEndpoint,
-		});
-	}
-
-	return createClientCredentialsTokenRequest({
+	const request = buildClientCredentialsTokenRequest({
 		options,
 		scope,
-		authentication,
 		resource,
-		extraParams,
 	});
+
+	await applyTokenEndpointAuth({
+		body: request.body,
+		headers: request.headers,
+		options,
+		tokenEndpoint: tokenEndpoint ?? "",
+		grantType: "client_credentials",
+		tokenEndpointAuth,
+		authentication,
+	});
+
+	return request;
 }
 
-/**
- * @deprecated use async'd clientCredentialsTokenRequest instead
- */
-export function createClientCredentialsTokenRequest({
+function buildClientCredentialsTokenRequest({
 	options,
 	scope,
-	authentication,
 	resource,
 	extraParams,
-}: {
-	options: ProviderOptions;
-	scope?: string | undefined;
-	authentication?: ("basic" | "post" | "private_key_jwt") | undefined;
-	resource?: (string | string[]) | undefined;
-	extraParams?: Record<string, string> | undefined;
-}) {
+}: ClientCredentialsTokenRequestBaseInput) {
 	const body = new URLSearchParams();
-	const headers: Record<string, any> = {
+	const headers: Record<string, string> = {
 		"content-type": "application/x-www-form-urlencoded",
 		accept: "application/json",
 	};
@@ -82,21 +80,6 @@ export function createClientCredentialsTokenRequest({
 			}
 		}
 	}
-	const primaryClientId = Array.isArray(options.clientId)
-		? options.clientId[0]
-		: options.clientId;
-	if (authentication === "basic") {
-		const encodedCredentials = base64.encode(
-			`${primaryClientId}:${options.clientSecret ?? ""}`,
-		);
-		headers["authorization"] = `Basic ${encodedCredentials}`;
-	} else {
-		body.set("client_id", primaryClientId);
-		if (authentication !== "private_key_jwt" && options.clientSecret) {
-			body.set("client_secret", options.clientSecret);
-		}
-	}
-
 	if (extraParams) {
 		for (const [key, value] of Object.entries(extraParams)) {
 			if (!body.has(key)) body.append(key, value);
@@ -114,21 +97,14 @@ export async function clientCredentialsToken({
 	tokenEndpoint,
 	scope,
 	authentication,
-	clientAssertion,
+	tokenEndpointAuth,
 	resource,
-}: {
-	options: AwaitableFunction<ProviderOptions>;
-	tokenEndpoint: string;
-	scope: string;
-	authentication?: ("basic" | "post" | "private_key_jwt") | undefined;
-	clientAssertion?: ClientAssertionConfig | undefined;
-	resource?: (string | string[]) | undefined;
-}): Promise<OAuth2Tokens> {
+}: ClientCredentialsTokenInput): Promise<OAuth2Tokens> {
 	const { body, headers } = await clientCredentialsTokenRequest({
 		options,
 		scope,
 		authentication,
-		clientAssertion,
+		tokenEndpointAuth,
 		tokenEndpoint,
 		resource,
 	});

package/src/oauth2/create-authorization-url.ts

@@ -1,6 +1,26 @@
 import type { AwaitableFunction } from "../types";
 import type { ProviderOptions } from "./index";
-import { generateCodeChallenge } from "./utils";
+import { generateCodeChallenge, getPrimaryClientId } from "./utils";
+
+/**
+ * Query-parameter names that are populated by the framework as part of the
+ * authorization request and must not be overridden by caller-supplied
+ * `additionalParams`. Overriding `state`, PKCE, or `redirect_uri` would
+ * break the callback correlation and session pinning guarantees.
+ */
+export const RESERVED_AUTHORIZATION_PARAMS = [
+	"state",
+	"client_id",
+	"redirect_uri",
+	"response_type",
+	"code_challenge",
+	"code_challenge_method",
+	"scope",
+] as const;
+
+export const RESERVED_AUTHORIZATION_PARAMS_SET: ReadonlySet<string> = new Set(
+	RESERVED_AUTHORIZATION_PARAMS,
+);
 
 export async function createAuthorizationURL({
 	id,
@@ -44,9 +64,10 @@ export async function createAuthorizationURL({
 	options = typeof options === "function" ? await options() : options;
 	const url = new URL(options.authorizationEndpoint || authorizationEndpoint);
 	url.searchParams.set("response_type", responseType || "code");
-	const primaryClientId = Array.isArray(options.clientId)
-		? options.clientId[0]
-		: options.clientId;
+	const primaryClientId = getPrimaryClientId(options.clientId);
+	if (!primaryClientId) {
+		throw new Error("OAuth provider requires clientId");
+	}
 	url.searchParams.set("client_id", primaryClientId);
 	url.searchParams.set("state", state);
 	if (scopes) {
@@ -81,9 +102,10 @@ export async function createAuthorizationURL({
 		);
 	}
 	if (additionalParams) {
-		Object.entries(additionalParams).forEach(([key, value]) => {
+		for (const [key, value] of Object.entries(additionalParams)) {
+			if (RESERVED_AUTHORIZATION_PARAMS_SET.has(key)) continue;
 			url.searchParams.set(key, value);
-		});
+		}
 	}
 	return url;
 }

package/src/oauth2/index.ts

@@ -1,19 +1,31 @@
+export { additionalAuthorizationParamsSchema } from "./authorization-params";
+export {
+	decodeBasicCredentials,
+	encodeBasicCredentials,
+} from "./basic-credentials";
 export type {
-	AssertionSigningAlgorithm,
-	ClientAssertionConfig,
+	ClientAssertionContext,
+	ClientAssertionGetter,
+	ClientAssertionGrantType,
+	PrivateKeyJwtClientAssertionGetterOptions,
+	PrivateKeyJwtSigningAlgorithm,
 } from "./client-assertion";
 export {
-	ASSERTION_SIGNING_ALGORITHMS,
 	CLIENT_ASSERTION_TYPE,
-	resolveAssertionParams,
-	signClientAssertion,
+	createPrivateKeyJwtClientAssertionGetter,
+	PRIVATE_KEY_JWT_SIGNING_ALGORITHMS,
+	resolveClientAssertionParams,
+	signPrivateKeyJwtClientAssertion,
 } from "./client-assertion";
 export {
 	clientCredentialsToken,
 	clientCredentialsTokenRequest,
-	createClientCredentialsTokenRequest,
 } from "./client-credentials-token";
-export { createAuthorizationURL } from "./create-authorization-url";
+export {
+	createAuthorizationURL,
+	RESERVED_AUTHORIZATION_PARAMS,
+	RESERVED_AUTHORIZATION_PARAMS_SET,
+} from "./create-authorization-url";
 export type {
 	OAuth2Tokens,
 	OAuth2UserInfo,
@@ -21,18 +33,22 @@ export type {
 	ProviderOptions,
 } from "./oauth-provider";
 export {
-	createRefreshAccessTokenRequest,
 	refreshAccessToken,
 	refreshAccessTokenRequest,
 } from "./refresh-access-token";
+export type {
+	TokenEndpointAuth,
+	TokenEndpointAuthMethod,
+	TokenEndpointSecretAuthentication,
+} from "./token-endpoint-auth";
 export {
+	applyDefaultAccessTokenExpiry,
 	generateCodeChallenge,
 	getOAuth2Tokens,
 	getPrimaryClientId,
 } from "./utils";
 export {
 	authorizationCodeRequest,
-	createAuthorizationCodeRequest,
 	validateAuthorizationCode,
 	validateToken,
 } from "./validate-authorization-code";

package/src/oauth2/oauth-provider.ts

@@ -35,6 +35,13 @@ export interface OAuthProvider<
 		redirectURI: string;
 		display?: string | undefined;
 		loginHint?: string | undefined;
+		/**
+		 * Extra query parameters to append to the authorization URL.
+		 * Providers forward these to the shared `createAuthorizationURL` helper,
+		 * which drops any keys present in `RESERVED_AUTHORIZATION_PARAMS`
+		 * before applying them.
+		 */
+		additionalParams?: Record<string, string> | undefined;
 	}) => Awaitable<URL>;
 	name: string;
 	validateAuthorizationCode: (data: {
@@ -94,6 +101,17 @@ export interface OAuthProvider<
 	 * Disable sign up for new users.
 	 */
 	disableSignUp?: boolean | undefined;
+	/**
+	 * Accept callbacks that arrive without a `state` parameter. When true,
+	 * the shared OAuth callback handler restarts the flow server-side with
+	 * fresh `state` and PKCE instead of rejecting the request. Intended for
+	 * providers that initiate OAuth without RP-side flow kickoff (e.g.
+	 * Clever). Leave unset for any provider that always initiates from the
+	 * RP.
+	 *
+	 * @default false
+	 */
+	allowIdpInitiated?: boolean | undefined;
 	/**
 	 * Options for the provider
 	 */
@@ -104,9 +122,10 @@ export type ProviderOptions<Profile extends Record<string, any> = any> = {
 	/**
 	 * The client ID of your application.
 	 *
-	 * This is usually a string but can be any type depending on the provider.
+	 * Some providers accept multiple platform client IDs. The first entry is the
+	 * primary client ID used for token endpoint client authentication.
 	 */
-	clientId?: unknown | undefined;
+	clientId?: LiteralString | string[] | undefined;
 	/**
 	 * The client secret of your application
 	 */