@better-auth/core 1.7.0-beta.3 → 1.7.0-beta.5

package/src/social-providers/kakao.ts

@@ -1,8 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -101,24 +102,32 @@ export interface KakaoOptions extends ProviderOptions<KakaoProfile> {
 	clientId: string;
 }
 
+const KAKAO_DEFAULT_SCOPES = [
+	"account_email",
+	"profile_image",
+	"profile_nickname",
+];
+
 export const kakao = (options: KakaoOptions) => {
 	const tokenEndpoint = "https://kauth.kakao.com/oauth/token";
 	return {
 		id: "kakao",
 		name: "Kakao",
-		createAuthorizationURL({ state, scopes, redirectURI }) {
-			const _scopes = options.disableDefaultScope
-				? []
-				: ["account_email", "profile_image", "profile_nickname"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+		callbackPath: "/callback/kakao",
+		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				KAKAO_DEFAULT_SCOPES,
+				scopes,
+			);
 			return createAuthorizationURL({
 				id: "kakao",
 				options,
 				authorizationEndpoint: "https://kauth.kakao.com/oauth/authorize",
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				redirectURI,
+				additionalParams,
 			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {
@@ -175,5 +184,5 @@ export const kakao = (options: KakaoOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<KakaoProfile>;
+	} satisfies UpstreamProvider<KakaoProfile>;
 };

package/src/social-providers/kick.ts

@@ -1,8 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -29,23 +30,34 @@ export interface KickOptions extends ProviderOptions<KickProfile> {
 	clientId: string;
 }
 
+const KICK_DEFAULT_SCOPES = ["user:read"];
+
 export const kick = (options: KickOptions) => {
 	return {
 		id: "kick",
 		name: "Kick",
-		createAuthorizationURL({ state, scopes, redirectURI, codeVerifier }) {
-			const _scopes = options.disableDefaultScope ? [] : ["user:read"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-
+		callbackPath: "/callback/kick",
+		createAuthorizationURL({
+			state,
+			scopes,
+			redirectURI,
+			codeVerifier,
+			additionalParams,
+		}) {
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				KICK_DEFAULT_SCOPES,
+				scopes,
+			);
 			return createAuthorizationURL({
 				id: "kick",
 				redirectURI,
 				options,
 				authorizationEndpoint: "https://id.kick.com/oauth/authorize",
-				scopes: _scopes,
+				scopes: requestedScopes,
 				codeVerifier,
 				state,
+				additionalParams,
 			});
 		},
 		async validateAuthorizationCode({ code, redirectURI, codeVerifier }) {
@@ -105,5 +117,5 @@ export const kick = (options: KickOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<KickProfile>;
+	} satisfies UpstreamProvider<KickProfile>;
 };

package/src/social-providers/line.ts

@@ -1,9 +1,10 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { decodeJwt } from "jose";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -32,6 +33,8 @@ export interface LineOptions
 	clientId: string;
 }
 
+const LINE_DEFAULT_SCOPES = ["openid", "profile", "email"];
+
 /**
  * LINE Login v2.1
  * - Authorization endpoint: https://access.line.me/oauth2/v2.1/authorize
@@ -50,27 +53,30 @@ export const line = (options: LineOptions) => {
 	return {
 		id: "line",
 		name: "LINE",
-		async createAuthorizationURL({
+		callbackPath: "/callback/line",
+		createAuthorizationURL({
 			state,
 			scopes,
 			codeVerifier,
 			redirectURI,
 			loginHint,
+			additionalParams,
 		}) {
-			const _scopes = options.disableDefaultScope
-				? []
-				: ["openid", "profile", "email"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-			return await createAuthorizationURL({
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				LINE_DEFAULT_SCOPES,
+				scopes,
+			);
+			return createAuthorizationURL({
 				id: "line",
 				options,
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				codeVerifier,
 				redirectURI,
 				loginHint,
+				additionalParams,
 			});
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
@@ -94,34 +100,30 @@ export const line = (options: LineOptions) => {
 						tokenEndpoint,
 					});
 				},
-		async verifyIdToken(token, nonce) {
-			if (options.disableIdTokenSignIn) {
-				return false;
-			}
-			if (options.verifyIdToken) {
-				return options.verifyIdToken(token, nonce);
-			}
-			const body = new URLSearchParams();
-			body.set("id_token", token);
-			body.set("client_id", options.clientId);
-			if (nonce) body.set("nonce", nonce);
-			const { data, error } = await betterFetch<LineIdTokenPayload>(
-				verifyIdTokenEndpoint,
-				{
-					method: "POST",
-					headers: {
-						"content-type": "application/x-www-form-urlencoded",
+		idToken: {
+			verify: async (token, nonce) => {
+				const body = new URLSearchParams();
+				body.set("id_token", token);
+				body.set("client_id", options.clientId);
+				if (nonce) body.set("nonce", nonce);
+				const { data, error } = await betterFetch<LineIdTokenPayload>(
+					verifyIdTokenEndpoint,
+					{
+						method: "POST",
+						headers: {
+							"content-type": "application/x-www-form-urlencoded",
+						},
+						body,
 					},
-					body,
-				},
-			);
-			if (error || !data) {
-				return false;
-			}
-			// aud must match clientId; nonce (if provided) must also match nonce
-			if (data.aud !== options.clientId) return false;
-			if (data.nonce && data.nonce !== nonce) return false;
-			return true;
+				);
+				if (error || !data) {
+					return false;
+				}
+				// aud must match clientId; nonce (if provided) must also match nonce
+				if (data.aud !== options.clientId) return false;
+				if (data.nonce && data.nonce !== nonce) return false;
+				return true;
+			},
 		},
 		async getUserInfo(token) {
 			if (options.getUserInfo) {
@@ -165,5 +167,5 @@ export const line = (options: LineOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<LineUserInfo | LineIdTokenPayload, LineOptions>;
+	} satisfies UpstreamProvider<LineUserInfo | LineIdTokenPayload, LineOptions>;
 };

package/src/social-providers/linear.ts

@@ -1,8 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -26,23 +27,35 @@ export interface LinearOptions extends ProviderOptions<LinearUser> {
 	clientId: string;
 }
 
+const LINEAR_DEFAULT_SCOPES = ["read"];
+
 export const linear = (options: LinearOptions) => {
 	const tokenEndpoint = "https://api.linear.app/oauth/token";
 	return {
 		id: "linear",
 		name: "Linear",
-		createAuthorizationURL({ state, scopes, loginHint, redirectURI }) {
-			const _scopes = options.disableDefaultScope ? [] : ["read"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+		callbackPath: "/callback/linear",
+		createAuthorizationURL({
+			state,
+			scopes,
+			loginHint,
+			redirectURI,
+			additionalParams,
+		}) {
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				LINEAR_DEFAULT_SCOPES,
+				scopes,
+			);
 			return createAuthorizationURL({
 				id: "linear",
 				options,
 				authorizationEndpoint: "https://linear.app/oauth/authorize",
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				redirectURI,
 				loginHint,
+				additionalParams,
 			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {
@@ -117,5 +130,5 @@ export const linear = (options: LinearOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<LinearUser>;
+	} satisfies UpstreamProvider<LinearUser>;
 };

package/src/social-providers/linkedin.ts

@@ -1,8 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -24,6 +25,8 @@ export interface LinkedInOptions extends ProviderOptions<LinkedInProfile> {
 	clientId: string;
 }
 
+const LINKEDIN_DEFAULT_SCOPES = ["profile", "email", "openid"];
+
 export const linkedin = (options: LinkedInOptions) => {
 	const authorizationEndpoint =
 		"https://www.linkedin.com/oauth/v2/authorization";
@@ -32,25 +35,28 @@ export const linkedin = (options: LinkedInOptions) => {
 	return {
 		id: "linkedin",
 		name: "Linkedin",
-		createAuthorizationURL: async ({
+		callbackPath: "/callback/linkedin",
+		createAuthorizationURL: ({
 			state,
 			scopes,
 			redirectURI,
 			loginHint,
+			additionalParams,
 		}) => {
-			const _scopes = options.disableDefaultScope
-				? []
-				: ["profile", "email", "openid"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-			return await createAuthorizationURL({
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				LINKEDIN_DEFAULT_SCOPES,
+				scopes,
+			);
+			return createAuthorizationURL({
 				id: "linkedin",
 				options,
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				loginHint,
 				redirectURI,
+				additionalParams,
 			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {
@@ -106,5 +112,5 @@ export const linkedin = (options: LinkedInOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<LinkedInProfile>;
+	} satisfies UpstreamProvider<LinkedInProfile>;
 };

package/src/social-providers/microsoft-entra-id.ts

@@ -1,13 +1,19 @@
 import { base64 } from "@better-auth/utils/base64";
 import { betterFetch } from "@better-fetch/fetch";
-import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+import { decodeJwt, importJWK } from "jose";
 import { logger } from "../env";
 import { APIError, BetterAuthError } from "../error";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type {
+	ClientAssertionGetter,
+	ProviderOptions,
+	TokenEndpointAuth,
+	UpstreamProvider,
+} from "../oauth2";
 import {
 	createAuthorizationURL,
 	getPrimaryClientId,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -122,33 +128,60 @@ export interface MicrosoftOptions
 	 * The tenant ID of the Microsoft account
 	 * @default "common"
 	 */
-	tenantId?: string | undefined;
+	tenantId?: string;
 	/**
 	 * The authentication authority URL. Use the default "https://login.microsoftonline.com" for standard Entra ID or "https://<tenant-id>.ciamlogin.com" for CIAM scenarios.
 	 * @default "https://login.microsoftonline.com"
 	 */
-	authority?: string | undefined;
+	authority?: string;
+	/**
+	 * Function that returns a JWT client assertion for token endpoint authentication.
+	 *
+	 * Use this instead of `clientSecret` when your Microsoft Entra ID app is
+	 * configured for client authentication with assertions (private_key_jwt or
+	 * workload identity federation).
+	 */
+	clientAssertion?: ClientAssertionGetter;
 	/**
 	 * The size of the profile photo
 	 * @default 48
 	 */
-	profilePhotoSize?:
-		| (48 | 64 | 96 | 120 | 240 | 360 | 432 | 504 | 648)
-		| undefined;
+	profilePhotoSize?: 48 | 64 | 96 | 120 | 240 | 360 | 432 | 504 | 648;
 	/**
 	 * Disable profile photo
 	 */
-	disableProfilePhoto?: boolean | undefined;
+	disableProfilePhoto?: boolean;
 }
 
+const MICROSOFT_ENTRA_ID_DEFAULT_SCOPES = [
+	"openid",
+	"profile",
+	"email",
+	"User.Read",
+	"offline_access",
+];
+
 export const microsoft = (options: MicrosoftOptions) => {
 	const tenant = options.tenantId || "common";
 	const authority = options.authority || "https://login.microsoftonline.com";
 	const authorizationEndpoint = `${authority}/${tenant}/oauth2/v2.0/authorize`;
 	const tokenEndpoint = `${authority}/${tenant}/oauth2/v2.0/token`;
+	if (options.clientSecret && options.clientAssertion) {
+		throw new BetterAuthError(
+			"Microsoft Entra ID clientAssertion cannot be combined with clientSecret",
+		);
+	}
+	const tokenEndpointAuth: TokenEndpointAuth | undefined =
+		options.clientAssertion
+			? {
+					method: "private_key_jwt",
+					getClientAssertion: options.clientAssertion,
+				}
+			: undefined;
 	return {
 		id: "microsoft",
 		name: "Microsoft EntraID",
+		callbackPath: "/callback/microsoft",
 		createAuthorizationURL(data) {
 			// Microsoft Entra supports public clients (SPA / native apps with
 			// PKCE only), so clientSecret is intentionally not required here.
@@ -159,21 +192,22 @@ export const microsoft = (options: MicrosoftOptions) => {
 				);
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
-			const scopes = options.disableDefaultScope
-				? []
-				: ["openid", "profile", "email", "User.Read", "offline_access"];
-			if (options.scope) scopes.push(...options.scope);
-			if (data.scopes) scopes.push(...data.scopes);
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				MICROSOFT_ENTRA_ID_DEFAULT_SCOPES,
+				data.scopes,
+			);
 			return createAuthorizationURL({
 				id: "microsoft",
 				options,
 				authorizationEndpoint,
 				state: data.state,
 				codeVerifier: data.codeVerifier,
-				scopes,
+				scopes: requestedScopes,
 				redirectURI: data.redirectURI,
 				prompt: options.prompt,
 				loginHint: data.loginHint,
+				additionalParams: data.additionalParams,
 			});
 		},
 		validateAuthorizationCode({ code, codeVerifier, redirectURI }) {
@@ -183,57 +217,24 @@ export const microsoft = (options: MicrosoftOptions) => {
 				redirectURI,
 				options,
 				tokenEndpoint,
+				tokenEndpointAuth,
 			});
 		},
-		async verifyIdToken(token, nonce) {
-			if (options.disableIdTokenSignIn) {
-				return false;
-			}
-			if (options.verifyIdToken) {
-				return options.verifyIdToken(token, nonce);
-			}
-
-			try {
-				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
-				if (!kid || !jwtAlg) return false;
-
-				const publicKey = await getMicrosoftPublicKey(kid, tenant, authority);
-				const verifyOptions: {
-					algorithms: [string];
-					audience: string | string[];
-					maxTokenAge: string;
-					issuer?: string;
-				} = {
-					algorithms: [jwtAlg],
-					audience: options.clientId,
-					maxTokenAge: "1h",
-				};
-				/**
-				 * Issuer varies per user's tenant for multi-tenant endpoints, so only validate for specific tenants.
-				 * @see https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols#endpoints
-				 */
-				if (
-					tenant !== "common" &&
-					tenant !== "organizations" &&
-					tenant !== "consumers"
-				) {
-					verifyOptions.issuer = `${authority}/${tenant}/v2.0`;
-				}
-				const { payload: jwtClaims } = await jwtVerify(
-					token,
-					publicKey,
-					verifyOptions,
-				);
-
-				if (nonce && jwtClaims.nonce !== nonce) {
-					return false;
-				}
-
-				return true;
-			} catch (error) {
-				logger.error("Failed to verify ID token:", error);
-				return false;
-			}
+		idToken: {
+			jwks: (header) => getMicrosoftPublicKey(header.kid!, tenant, authority),
+			audience: options.clientId,
+			maxTokenAge: "1h",
+			/**
+			 * Issuer varies per tenant for multi-tenant endpoints, so only validate it for
+			 * specific tenants.
+			 * @see https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols#endpoints
+			 */
+			issuer:
+				tenant !== "common" &&
+				tenant !== "organizations" &&
+				tenant !== "consumers"
+					? `${authority}/${tenant}/v2.0`
+					: undefined,
 		},
 		async getUserInfo(token) {
 			if (options.getUserInfo) {
@@ -313,10 +314,11 @@ export const microsoft = (options: MicrosoftOptions) => {
 							scope: scopes.join(" "), // Include the scopes in request to microsoft
 						},
 						tokenEndpoint,
+						tokenEndpointAuth,
 					});
 				},
 		options,
-	} satisfies OAuthProvider;
+	} satisfies UpstreamProvider;
 };
 
 export const getMicrosoftPublicKey = async (

package/src/social-providers/naver.ts

@@ -1,8 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -39,22 +40,28 @@ export interface NaverOptions extends ProviderOptions<NaverProfile> {
 	clientId: string;
 }
 
+const NAVER_DEFAULT_SCOPES = ["profile", "email"];
+
 export const naver = (options: NaverOptions) => {
 	const tokenEndpoint = "https://nid.naver.com/oauth2.0/token";
 	return {
 		id: "naver",
 		name: "Naver",
-		createAuthorizationURL({ state, scopes, redirectURI }) {
-			const _scopes = options.disableDefaultScope ? [] : ["profile", "email"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+		callbackPath: "/callback/naver",
+		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				NAVER_DEFAULT_SCOPES,
+				scopes,
+			);
 			return createAuthorizationURL({
 				id: "naver",
 				options,
 				authorizationEndpoint: "https://nid.naver.com/oauth2.0/authorize",
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				redirectURI,
+				additionalParams,
 			});
 		},
 		validateAuthorizationCode: async ({ code, redirectURI }) => {
@@ -109,5 +116,5 @@ export const naver = (options: NaverOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<NaverProfile>;
+	} satisfies UpstreamProvider<NaverProfile>;
 };

package/src/social-providers/notion.ts

@@ -1,8 +1,9 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { OAuthProvider, ProviderOptions } from "../oauth2";
+import type { ProviderOptions, UpstreamProvider } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
+	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -23,24 +24,36 @@ export interface NotionOptions extends ProviderOptions<NotionProfile> {
 	clientId: string;
 }
 
+const NOTION_DEFAULT_SCOPES: string[] = [];
+
 export const notion = (options: NotionOptions) => {
 	const tokenEndpoint = "https://api.notion.com/v1/oauth/token";
 	return {
 		id: "notion",
 		name: "Notion",
-		createAuthorizationURL({ state, scopes, loginHint, redirectURI }) {
-			const _scopes: string[] = options.disableDefaultScope ? [] : [];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
+		callbackPath: "/callback/notion",
+		createAuthorizationURL({
+			state,
+			scopes,
+			loginHint,
+			redirectURI,
+			additionalParams,
+		}) {
+			const requestedScopes = resolveRequestedScopes(
+				options,
+				NOTION_DEFAULT_SCOPES,
+				scopes,
+			);
 			return createAuthorizationURL({
 				id: "notion",
 				options,
 				authorizationEndpoint: "https://api.notion.com/v1/oauth/authorize",
-				scopes: _scopes,
+				scopes: requestedScopes,
 				state,
 				redirectURI,
 				loginHint,
 				additionalParams: {
+					...(additionalParams ?? {}),
 					owner: "user",
 				},
 			});
@@ -104,5 +117,5 @@ export const notion = (options: NotionOptions) => {
 			};
 		},
 		options,
-	} satisfies OAuthProvider<NotionProfile>;
+	} satisfies UpstreamProvider<NotionProfile>;
 };