@better-auth/core 1.7.0-beta.3 → 1.7.0-beta.5

package/dist/oauth2/refresh-access-token.d.mts

@@ -1,61 +1,41 @@
-import { ClientAssertionConfig } from "./client-assertion.mjs";
 import { AwaitableFunction } from "../types/helper.mjs";
 import { OAuth2Tokens, ProviderOptions } from "./oauth-provider.mjs";
+import { TokenEndpointAuth, TokenEndpointSecretAuthentication } from "./token-endpoint-auth.mjs";
 
 //#region src/oauth2/refresh-access-token.d.ts
-declare function refreshAccessTokenRequest({
-  refreshToken,
-  options,
-  authentication,
-  clientAssertion,
-  tokenEndpoint,
-  extraParams,
-  resource
-}: {
+interface RefreshAccessTokenRequestInput {
   refreshToken: string;
   options: AwaitableFunction<Partial<ProviderOptions>>;
-  authentication?: ("basic" | "post" | "private_key_jwt") | undefined;
-  clientAssertion?: ClientAssertionConfig | undefined; /** Token endpoint URL. Used as the JWT `aud` claim when signing assertions. */
+  authentication?: TokenEndpointSecretAuthentication | undefined;
+  tokenEndpointAuth?: TokenEndpointAuth | undefined;
   tokenEndpoint?: string | undefined;
   extraParams?: Record<string, string> | undefined;
   resource?: (string | string[]) | undefined;
-}): Promise<{
-  body: URLSearchParams;
-  headers: Record<string, any>;
-}>;
-/**
- * @deprecated use async'd refreshAccessTokenRequest instead
- */
-declare function createRefreshAccessTokenRequest({
+}
+interface RefreshAccessTokenInput extends RefreshAccessTokenRequestInput {
+  options: Partial<ProviderOptions>;
+  tokenEndpoint: string;
+}
+declare function refreshAccessTokenRequest({
   refreshToken,
   options,
   authentication,
+  tokenEndpointAuth,
+  tokenEndpoint,
   extraParams,
   resource
-}: {
-  refreshToken: string;
-  options: ProviderOptions;
-  authentication?: ("basic" | "post" | "private_key_jwt") | undefined;
-  extraParams?: Record<string, string> | undefined;
-  resource?: (string | string[]) | undefined;
-}): {
+}: RefreshAccessTokenRequestInput): Promise<{
   body: URLSearchParams;
-  headers: Record<string, any>;
-};
+  headers: Record<string, string>;
+}>;
 declare function refreshAccessToken({
   refreshToken,
   options,
   tokenEndpoint,
   authentication,
-  clientAssertion,
-  extraParams
-}: {
-  refreshToken: string;
-  options: Partial<ProviderOptions>;
-  tokenEndpoint: string;
-  authentication?: ("basic" | "post" | "private_key_jwt") | undefined;
-  clientAssertion?: ClientAssertionConfig | undefined;
-  extraParams?: Record<string, string> | undefined;
-}): Promise<OAuth2Tokens>;
+  tokenEndpointAuth,
+  extraParams,
+  resource
+}: RefreshAccessTokenInput): Promise<OAuth2Tokens>;
 //#endregion
-export { createRefreshAccessTokenRequest, refreshAccessToken, refreshAccessTokenRequest };
+export { refreshAccessToken, refreshAccessTokenRequest };

package/dist/oauth2/refresh-access-token.mjs

@@ -1,33 +1,26 @@
-import { resolveAssertionParams } from "./client-assertion.mjs";
-import { base64 } from "@better-auth/utils/base64";
+import { applyTokenEndpointAuth } from "./token-endpoint-auth.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/oauth2/refresh-access-token.ts
-async function refreshAccessTokenRequest({ refreshToken, options, authentication, clientAssertion, tokenEndpoint, extraParams, resource }) {
+async function refreshAccessTokenRequest({ refreshToken, options, authentication, tokenEndpointAuth, tokenEndpoint, extraParams, resource }) {
 	options = typeof options === "function" ? await options() : options;
-	if (authentication === "private_key_jwt") {
-		if (!clientAssertion) throw new Error("private_key_jwt authentication requires a clientAssertion configuration");
-		const assertionParams = await resolveAssertionParams({
-			clientAssertion,
-			clientId: Array.isArray(options.clientId) ? options.clientId[0] : options.clientId,
-			tokenEndpoint
-		});
-		extraParams = {
-			...extraParams,
-			...assertionParams
-		};
-	}
-	return createRefreshAccessTokenRequest({
+	const request = buildRefreshAccessTokenRequest({
 		refreshToken,
 		options,
-		authentication,
 		extraParams,
 		resource
 	});
+	await applyTokenEndpointAuth({
+		body: request.body,
+		headers: request.headers,
+		options,
+		tokenEndpoint: tokenEndpoint ?? "",
+		grantType: "refresh_token",
+		tokenEndpointAuth,
+		authentication
+	});
+	return request;
 }
-/**
-* @deprecated use async'd refreshAccessTokenRequest instead
-*/
-function createRefreshAccessTokenRequest({ refreshToken, options, authentication, extraParams, resource }) {
+function buildRefreshAccessTokenRequest({ refreshToken, options, extraParams, resource }) {
 	const body = new URLSearchParams();
 	const headers = {
 		"content-type": "application/x-www-form-urlencoded",
@@ -35,13 +28,6 @@ function createRefreshAccessTokenRequest({ refreshToken, options, authentication
 	};
 	body.set("grant_type", "refresh_token");
 	body.set("refresh_token", refreshToken);
-	const primaryClientId = Array.isArray(options.clientId) ? options.clientId[0] : options.clientId;
-	if (authentication === "basic") if (primaryClientId) headers["authorization"] = "Basic " + base64.encode(`${primaryClientId}:${options.clientSecret ?? ""}`);
-	else headers["authorization"] = "Basic " + base64.encode(`:${options.clientSecret ?? ""}`);
-	else {
-		body.set("client_id", primaryClientId);
-		if (authentication !== "private_key_jwt" && options.clientSecret) body.set("client_secret", options.clientSecret);
-	}
 	if (resource) if (typeof resource === "string") body.append("resource", resource);
 	else for (const _resource of resource) body.append("resource", _resource);
 	if (extraParams) for (const [key, value] of Object.entries(extraParams)) body.set(key, value);
@@ -50,14 +36,15 @@ function createRefreshAccessTokenRequest({ refreshToken, options, authentication
 		headers
 	};
 }
-async function refreshAccessToken({ refreshToken, options, tokenEndpoint, authentication, clientAssertion, extraParams }) {
+async function refreshAccessToken({ refreshToken, options, tokenEndpoint, authentication, tokenEndpointAuth, extraParams, resource }) {
 	const { body, headers } = await refreshAccessTokenRequest({
 		refreshToken,
 		options,
 		authentication,
-		clientAssertion,
+		tokenEndpointAuth,
 		tokenEndpoint,
-		extraParams
+		extraParams,
+		resource
 	});
 	const { data, error } = await betterFetch(tokenEndpoint, {
 		method: "POST",
@@ -69,7 +56,7 @@ async function refreshAccessToken({ refreshToken, options, tokenEndpoint, authen
 		accessToken: data.access_token,
 		refreshToken: data.refresh_token,
 		tokenType: data.token_type,
-		scopes: data.scope?.split(" "),
+		scopes: Array.isArray(data.scope) ? data.scope : data.scope?.split(" "),
 		idToken: data.id_token
 	};
 	if (data.expires_in) {
@@ -83,4 +70,4 @@ async function refreshAccessToken({ refreshToken, options, tokenEndpoint, authen
 	return tokens;
 }
 //#endregion
-export { createRefreshAccessTokenRequest, refreshAccessToken, refreshAccessTokenRequest };
+export { refreshAccessToken, refreshAccessTokenRequest };

package/dist/oauth2/scopes.d.mts

@@ -0,0 +1,76 @@
+import { ProviderOptions } from "./oauth-provider.mjs";
+
+//#region src/oauth2/scopes.d.ts
+/**
+ * Parse a provider's `scope` token-response field into a string array.
+ *
+ * RFC 6749 §3.3 defines `scope` as a space-delimited string, but providers
+ * vary: some (e.g. Twitch) return an already-split array. Accept both, plus the
+ * omitted/empty case, without ever calling `.split` on a non-string. Returns
+ * `[]` when no scope is present.
+ *
+ * @see https://github.com/better-auth/better-auth/issues/9076
+ */
+declare function parseScopeField(scope: unknown): string[];
+/**
+ * Normalize a scope set into a single deduped, sorted array.
+ *
+ * Scope order is insignificant per RFC 6749 §3.3, so normalize for idempotent
+ * writes and trivial comparisons: trim each token, drop empties, dedupe, and
+ * sort ascending. Returns `[]` when the union is empty.
+ *
+ * @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
+ */
+declare function normalizeScopes(stored: string[] | null | undefined, incoming?: string[] | undefined): string[];
+/**
+ * Union the stored granted-scope set with the scopes observed on an
+ * authorization or token exchange.
+ *
+ * The provider's echoed `scope` is authoritative when present. RFC 6749 §3.3
+ * and §5.1 say an omitted or empty echo means the grant equals what was
+ * requested, so fall back to `requested` in that case. The result unions onto
+ * the stored grant (never narrows on a normal write) and is normalized per
+ * {@link normalizeScopes}.
+ *
+ * @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
+ * @see https://www.rfc-editor.org/rfc/rfc6749#section-5.1
+ */
+declare function unionGrantedScopes(stored: string[] | null | undefined, echoed: string[] | undefined, requested: string[] | undefined): string[];
+/**
+ * Coerce a stored granted-scope value into a usable array.
+ *
+ * `account.grantedScopes` is nullable (legacy rows and non-OAuth accounts read
+ * as unset), and on dialects that store the array as a JSON string a malformed
+ * operator backfill could deserialize to a non-array. Both collapse to `[]`
+ * here so every reader works against a real `string[]` without re-deriving the
+ * guard.
+ */
+declare function readGrantedScopes(stored: string[] | null | undefined): string[];
+/**
+ * Test whether a normalized granted-scope set contains a specific scope.
+ *
+ * Matching is exact and case-sensitive per RFC 6749 §3.3. The argument is the
+ * normalized `account.grantedScopes` array; a raw provider `scope` string must
+ * be run through {@link parseScopeField} first.
+ *
+ * @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
+ */
+declare function includesGrantedScope(granted: string[] | null | undefined, scope: string): boolean;
+/**
+ * Compose the effective scope set to encode in a single authorization URL.
+ *
+ * Precedence: the provider's built-in defaults (unless `disableDefaultScope`),
+ * then the integrator's configured `options.scope`, then the per-request
+ * `scopes`. The result is the value persisted into OAuth state as the RFC 6749
+ * §5.1 fallback, so it is preserved verbatim (not normalized) to match what is
+ * sent to the provider.
+ *
+ * `defaultScopes` is a parameter rather than a provider-contract field so the
+ * runtime-synthesized generic OAuth provider, which has no static default set,
+ * can pass its configured scopes here.
+ *
+ * @see https://www.rfc-editor.org/rfc/rfc6749#section-5.1
+ */
+declare function resolveRequestedScopes(options: Pick<ProviderOptions, "scope" | "disableDefaultScope"> | undefined, defaultScopes: string[], perRequestScopes: string[] | undefined): string[];
+//#endregion
+export { includesGrantedScope, normalizeScopes, parseScopeField, readGrantedScopes, resolveRequestedScopes, unionGrantedScopes };

package/dist/oauth2/scopes.mjs

@@ -0,0 +1,96 @@
+//#region src/oauth2/scopes.ts
+/**
+* Parse a provider's `scope` token-response field into a string array.
+*
+* RFC 6749 §3.3 defines `scope` as a space-delimited string, but providers
+* vary: some (e.g. Twitch) return an already-split array. Accept both, plus the
+* omitted/empty case, without ever calling `.split` on a non-string. Returns
+* `[]` when no scope is present.
+*
+* @see https://github.com/better-auth/better-auth/issues/9076
+*/
+function parseScopeField(scope) {
+	if (Array.isArray(scope)) return scope.filter((s) => typeof s === "string" && s !== "");
+	if (typeof scope === "string") return scope.split(" ").filter(Boolean);
+	return [];
+}
+/**
+* Normalize a scope set into a single deduped, sorted array.
+*
+* Scope order is insignificant per RFC 6749 §3.3, so normalize for idempotent
+* writes and trivial comparisons: trim each token, drop empties, dedupe, and
+* sort ascending. Returns `[]` when the union is empty.
+*
+* @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
+*/
+function normalizeScopes(stored, incoming) {
+	const normalized = /* @__PURE__ */ new Set();
+	for (const scope of [...stored ?? [], ...incoming ?? []]) {
+		const trimmed = scope.trim();
+		if (trimmed) normalized.add(trimmed);
+	}
+	return [...normalized].sort();
+}
+/**
+* Union the stored granted-scope set with the scopes observed on an
+* authorization or token exchange.
+*
+* The provider's echoed `scope` is authoritative when present. RFC 6749 §3.3
+* and §5.1 say an omitted or empty echo means the grant equals what was
+* requested, so fall back to `requested` in that case. The result unions onto
+* the stored grant (never narrows on a normal write) and is normalized per
+* {@link normalizeScopes}.
+*
+* @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
+* @see https://www.rfc-editor.org/rfc/rfc6749#section-5.1
+*/
+function unionGrantedScopes(stored, echoed, requested) {
+	return normalizeScopes(stored, echoed?.length ? echoed : requested);
+}
+/**
+* Coerce a stored granted-scope value into a usable array.
+*
+* `account.grantedScopes` is nullable (legacy rows and non-OAuth accounts read
+* as unset), and on dialects that store the array as a JSON string a malformed
+* operator backfill could deserialize to a non-array. Both collapse to `[]`
+* here so every reader works against a real `string[]` without re-deriving the
+* guard.
+*/
+function readGrantedScopes(stored) {
+	return Array.isArray(stored) ? stored : [];
+}
+/**
+* Test whether a normalized granted-scope set contains a specific scope.
+*
+* Matching is exact and case-sensitive per RFC 6749 §3.3. The argument is the
+* normalized `account.grantedScopes` array; a raw provider `scope` string must
+* be run through {@link parseScopeField} first.
+*
+* @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
+*/
+function includesGrantedScope(granted, scope) {
+	return granted?.includes(scope) ?? false;
+}
+/**
+* Compose the effective scope set to encode in a single authorization URL.
+*
+* Precedence: the provider's built-in defaults (unless `disableDefaultScope`),
+* then the integrator's configured `options.scope`, then the per-request
+* `scopes`. The result is the value persisted into OAuth state as the RFC 6749
+* §5.1 fallback, so it is preserved verbatim (not normalized) to match what is
+* sent to the provider.
+*
+* `defaultScopes` is a parameter rather than a provider-contract field so the
+* runtime-synthesized generic OAuth provider, which has no static default set,
+* can pass its configured scopes here.
+*
+* @see https://www.rfc-editor.org/rfc/rfc6749#section-5.1
+*/
+function resolveRequestedScopes(options, defaultScopes, perRequestScopes) {
+	const scopes = options?.disableDefaultScope ? [] : [...defaultScopes];
+	if (options?.scope) scopes.push(...options.scope);
+	if (perRequestScopes) scopes.push(...perRequestScopes);
+	return scopes;
+}
+//#endregion
+export { includesGrantedScope, normalizeScopes, parseScopeField, readGrantedScopes, resolveRequestedScopes, unionGrantedScopes };

package/dist/oauth2/token-endpoint-auth.d.mts

@@ -0,0 +1,17 @@
+import { ClientAssertionGetter } from "./client-assertion.mjs";
+
+//#region src/oauth2/token-endpoint-auth.d.ts
+type TokenEndpointAuth = {
+  method: "none";
+} | {
+  method: "client_secret_basic";
+} | {
+  method: "client_secret_post";
+} | {
+  method: "private_key_jwt";
+  getClientAssertion: ClientAssertionGetter;
+};
+type TokenEndpointAuthMethod = TokenEndpointAuth["method"];
+type TokenEndpointSecretAuthentication = "basic" | "post";
+//#endregion
+export { TokenEndpointAuth, TokenEndpointAuthMethod, TokenEndpointSecretAuthentication };

package/dist/oauth2/token-endpoint-auth.mjs

@@ -0,0 +1,89 @@
+import { getPrimaryClientId } from "./utils.mjs";
+import { encodeBasicCredentials } from "./basic-credentials.mjs";
+import { resolveClientAssertionParams } from "./client-assertion.mjs";
+//#region src/oauth2/token-endpoint-auth.ts
+function getDefaultTokenEndpointAuth(options, authentication) {
+	if (authentication === "basic") return { method: "client_secret_basic" };
+	if (options.clientSecret) return { method: "client_secret_post" };
+	return { method: "none" };
+}
+function assertNoClientSecret(method, options, body) {
+	if (options.clientSecret || body.has("client_secret")) throw new Error(`${method} token endpoint authentication cannot be combined with clientSecret`);
+}
+function setClientId(body, clientId) {
+	if (clientId) body.set("client_id", clientId);
+}
+function assertClientSecretConfigured(method, options) {
+	if (!options.clientSecret) throw new Error(`${method} token endpoint authentication requires clientSecret`);
+}
+function assertClientIdConfigured(method, clientId) {
+	if (!clientId) throw new Error(`${method} token endpoint authentication requires clientId`);
+}
+function setClientSecretPostAuth({ body, options, clientId, requireClientSecret }) {
+	if (requireClientSecret) assertClientSecretConfigured("client_secret_post", options);
+	if (options.clientSecret) {
+		assertClientIdConfigured("client_secret_post", clientId);
+		setClientId(body, clientId);
+		body.set("client_secret", options.clientSecret);
+	}
+}
+function setClientSecretBasicAuth({ headers, options, clientId, body }) {
+	if (body.has("client_secret")) throw new Error("client_secret_basic token endpoint authentication cannot be combined with client_secret body parameters");
+	assertClientSecretConfigured("client_secret_basic", options);
+	assertClientIdConfigured("client_secret_basic", clientId);
+	headers.authorization = encodeBasicCredentials(clientId, options.clientSecret);
+}
+function assertCompleteManualClientAssertion(body) {
+	if (body.has("client_assertion") !== body.has("client_assertion_type")) throw new Error("client_assertion and client_assertion_type must both be provided");
+}
+async function applyTokenEndpointAuth({ body, headers, options, tokenEndpoint, grantType, tokenEndpointAuth, authentication }) {
+	assertCompleteManualClientAssertion(body);
+	const clientId = getPrimaryClientId(options.clientId);
+	if (body.has("client_assertion")) {
+		if (tokenEndpointAuth) throw new Error("client_assertion body parameters cannot be combined with tokenEndpointAuth");
+		assertNoClientSecret("private_key_jwt", options, body);
+		setClientId(body, clientId);
+		return;
+	}
+	const auth = tokenEndpointAuth ?? getDefaultTokenEndpointAuth(options, authentication);
+	if (auth.method === "private_key_jwt") {
+		assertNoClientSecret(auth.method, options, body);
+		assertClientIdConfigured(auth.method, clientId);
+		if (!tokenEndpoint) throw new Error("private_key_jwt token endpoint authentication requires tokenEndpoint");
+		const assertionParams = await resolveClientAssertionParams({
+			getClientAssertion: auth.getClientAssertion,
+			context: {
+				clientId,
+				tokenEndpoint,
+				grantType
+			}
+		});
+		setClientId(body, clientId);
+		for (const [key, value] of Object.entries(assertionParams)) body.set(key, value);
+		return;
+	}
+	if (auth.method === "none") {
+		assertNoClientSecret(auth.method, options, body);
+		if (grantType === "client_credentials") throw new Error("none token endpoint authentication cannot be used with client_credentials grant");
+		assertClientIdConfigured(auth.method, clientId);
+		setClientId(body, clientId);
+		return;
+	}
+	if (auth.method === "client_secret_basic") {
+		setClientSecretBasicAuth({
+			headers,
+			options,
+			clientId,
+			body
+		});
+		return;
+	}
+	setClientSecretPostAuth({
+		body,
+		options,
+		clientId,
+		requireClientSecret: tokenEndpointAuth?.method === "client_secret_post"
+	});
+}
+//#endregion
+export { applyTokenEndpointAuth };

package/dist/oauth2/utils.d.mts

@@ -2,6 +2,14 @@ import { OAuth2Tokens } from "./oauth-provider.mjs";
 
 //#region src/oauth2/utils.d.ts
 declare function getOAuth2Tokens(data: Record<string, any>): OAuth2Tokens;
+/**
+ * Fill in `accessTokenExpiresAt` from the provider's configured
+ * `accessTokenExpiresIn` when the token response omitted `expires_in`. Without a
+ * known expiry, `getAccessToken` cannot tell the token is expired and never
+ * refreshes it. No-op when the provider already supplied an expiry or no
+ * fallback is configured.
+ */
+declare function applyDefaultAccessTokenExpiry(tokens: OAuth2Tokens, accessTokenExpiresIn: number | undefined): OAuth2Tokens;
 /**
  * Return the provider's primary Client ID: the single string, or the entry at
  * array index 0 for the cross-platform form used by ID token audience
@@ -13,4 +21,4 @@ declare function getOAuth2Tokens(data: Record<string, any>): OAuth2Tokens;
 declare function getPrimaryClientId(clientId: unknown): string | undefined;
 declare function generateCodeChallenge(codeVerifier: string): Promise<string>;
 //#endregion
-export { generateCodeChallenge, getOAuth2Tokens, getPrimaryClientId };
+export { applyDefaultAccessTokenExpiry, generateCodeChallenge, getOAuth2Tokens, getPrimaryClientId };

package/dist/oauth2/utils.mjs

@@ -1,3 +1,4 @@
+import { parseScopeField } from "./scopes.mjs";
 import { base64Url } from "@better-auth/utils/base64";
 //#region src/oauth2/utils.ts
 function getOAuth2Tokens(data) {
@@ -11,12 +12,23 @@ function getOAuth2Tokens(data) {
 		refreshToken: data.refresh_token,
 		accessTokenExpiresAt: data.expires_in ? getDate(data.expires_in) : void 0,
 		refreshTokenExpiresAt: data.refresh_token_expires_in ? getDate(data.refresh_token_expires_in) : void 0,
-		scopes: data?.scope ? typeof data.scope === "string" ? data.scope.split(" ") : data.scope : [],
+		scopes: parseScopeField(data.scope),
 		idToken: data.id_token,
 		raw: data
 	};
 }
 /**
+* Fill in `accessTokenExpiresAt` from the provider's configured
+* `accessTokenExpiresIn` when the token response omitted `expires_in`. Without a
+* known expiry, `getAccessToken` cannot tell the token is expired and never
+* refreshes it. No-op when the provider already supplied an expiry or no
+* fallback is configured.
+*/
+function applyDefaultAccessTokenExpiry(tokens, accessTokenExpiresIn) {
+	if (!tokens.accessTokenExpiresAt && accessTokenExpiresIn) tokens.accessTokenExpiresAt = new Date(Date.now() + accessTokenExpiresIn * 1e3);
+	return tokens;
+}
+/**
 * Return the provider's primary Client ID: the single string, or the entry at
 * array index 0 for the cross-platform form used by ID token audience
 * verification. Index 0 is the designated primary and pairs with
@@ -34,4 +46,4 @@ async function generateCodeChallenge(codeVerifier) {
 	return base64Url.encode(new Uint8Array(hash), { padding: false });
 }
 //#endregion
-export { generateCodeChallenge, getOAuth2Tokens, getPrimaryClientId };
+export { applyDefaultAccessTokenExpiry, generateCodeChallenge, getOAuth2Tokens, getPrimaryClientId };

package/dist/oauth2/validate-authorization-code.d.mts

@@ -1,64 +1,41 @@
-import { ClientAssertionConfig } from "./client-assertion.mjs";
 import { AwaitableFunction } from "../types/helper.mjs";
 import { OAuth2Tokens, ProviderOptions } from "./oauth-provider.mjs";
+import { TokenEndpointAuth, TokenEndpointSecretAuthentication } from "./token-endpoint-auth.mjs";
 import * as jose from "jose";
 
 //#region src/oauth2/validate-authorization-code.d.ts
-declare function authorizationCodeRequest({
-  code,
-  codeVerifier,
-  redirectURI,
-  options,
-  authentication,
-  clientAssertion,
-  tokenEndpoint,
-  deviceId,
-  headers,
-  additionalParams,
-  resource
-}: {
+interface AuthorizationCodeRequestInput {
   code: string;
   redirectURI: string;
   options: AwaitableFunction<Partial<ProviderOptions>>;
   codeVerifier?: string | undefined;
   deviceId?: string | undefined;
-  authentication?: ("basic" | "post" | "private_key_jwt") | undefined;
-  clientAssertion?: ClientAssertionConfig | undefined; /** Token endpoint URL. Used as the JWT `aud` claim when signing assertions. */
+  authentication?: TokenEndpointSecretAuthentication | undefined;
+  tokenEndpointAuth?: TokenEndpointAuth | undefined;
   tokenEndpoint?: string | undefined;
   headers?: Record<string, string> | undefined;
   additionalParams?: Record<string, string> | undefined;
   resource?: (string | string[]) | undefined;
-}): Promise<{
-  body: URLSearchParams;
-  headers: Record<string, any>;
-}>;
-/**
- * @deprecated use async'd authorizationCodeRequest instead
- */
-declare function createAuthorizationCodeRequest({
+}
+interface ValidateAuthorizationCodeInput extends AuthorizationCodeRequestInput {
+  tokenEndpoint: string;
+}
+declare function authorizationCodeRequest({
   code,
   codeVerifier,
   redirectURI,
   options,
   authentication,
+  tokenEndpointAuth,
+  tokenEndpoint,
   deviceId,
   headers,
   additionalParams,
   resource
-}: {
-  code: string;
-  redirectURI: string;
-  options: Partial<ProviderOptions>;
-  codeVerifier?: string | undefined;
-  deviceId?: string | undefined;
-  authentication?: ("basic" | "post" | "private_key_jwt") | undefined;
-  headers?: Record<string, string> | undefined;
-  additionalParams?: Record<string, string> | undefined;
-  resource?: (string | string[]) | undefined;
-}): {
+}: AuthorizationCodeRequestInput): Promise<{
   body: URLSearchParams;
-  headers: Record<string, any>;
-};
+  headers: Record<string, string>;
+}>;
 declare function validateAuthorizationCode({
   code,
   codeVerifier,
@@ -66,27 +43,15 @@ declare function validateAuthorizationCode({
   options,
   tokenEndpoint,
   authentication,
-  clientAssertion,
+  tokenEndpointAuth,
   deviceId,
   headers,
   additionalParams,
   resource
-}: {
-  code: string;
-  redirectURI: string;
-  options: AwaitableFunction<Partial<ProviderOptions>>;
-  codeVerifier?: string | undefined;
-  deviceId?: string | undefined;
-  tokenEndpoint: string;
-  authentication?: ("basic" | "post" | "private_key_jwt") | undefined;
-  clientAssertion?: ClientAssertionConfig | undefined;
-  headers?: Record<string, string> | undefined;
-  additionalParams?: Record<string, string> | undefined;
-  resource?: (string | string[]) | undefined;
-}): Promise<OAuth2Tokens>;
+}: ValidateAuthorizationCodeInput): Promise<OAuth2Tokens>;
 declare function validateToken(token: string, jwksEndpoint: string, options?: {
   audience?: string | string[];
   issuer?: string | string[];
 }): Promise<jose.JWTVerifyResult<jose.JWTPayload> & jose.ResolvedKey>;
 //#endregion
-export { authorizationCodeRequest, createAuthorizationCodeRequest, validateAuthorizationCode, validateToken };
+export { authorizationCodeRequest, validateAuthorizationCode, validateToken };