@better-auth/core 1.7.0-beta.4 → 1.7.0-beta.5

package/dist/social-providers/kakao.d.mts

@@ -93,6 +93,7 @@ interface KakaoOptions extends ProviderOptions<KakaoProfile> {
 declare const kakao: (options: KakaoOptions) => {
   id: "kakao";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -106,7 +107,10 @@ declare const kakao: (options: KakaoOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/kakao.mjs

@@ -1,26 +1,26 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/kakao.ts
+const KAKAO_DEFAULT_SCOPES = [
+	"account_email",
+	"profile_image",
+	"profile_nickname"
+];
 const kakao = (options) => {
 	const tokenEndpoint = "https://kauth.kakao.com/oauth/token";
 	return {
 		id: "kakao",
 		name: "Kakao",
+		callbackPath: "/callback/kakao",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : [
-				"account_email",
-				"profile_image",
-				"profile_nickname"
-			];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "kakao",
 				options,
 				authorizationEndpoint: "https://kauth.kakao.com/oauth/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, KAKAO_DEFAULT_SCOPES, scopes),
 				state,
 				redirectURI,
 				additionalParams

package/dist/social-providers/kick.d.mts

@@ -24,6 +24,7 @@ interface KickOptions extends ProviderOptions<KickProfile> {
 declare const kick: (options: KickOptions) => {
   id: "kick";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -38,7 +39,10 @@ declare const kick: (options: KickOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode({
     code,
     redirectURI,

package/dist/social-providers/kick.mjs

@@ -1,22 +1,22 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/kick.ts
+const KICK_DEFAULT_SCOPES = ["user:read"];
 const kick = (options) => {
 	return {
 		id: "kick",
 		name: "Kick",
+		callbackPath: "/callback/kick",
 		createAuthorizationURL({ state, scopes, redirectURI, codeVerifier, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["user:read"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "kick",
 				redirectURI,
 				options,
 				authorizationEndpoint: "https://id.kick.com/oauth/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, KICK_DEFAULT_SCOPES, scopes),
 				codeVerifier,
 				state,
 				additionalParams

package/dist/social-providers/line.d.mts

@@ -33,6 +33,7 @@ interface LineOptions extends ProviderOptions<LineUserInfo | LineIdTokenPayload>
 declare const line: (options: LineOptions) => {
   id: "line";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -48,7 +49,10 @@ declare const line: (options: LineOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,
@@ -60,7 +64,9 @@ declare const line: (options: LineOptions) => {
     deviceId?: string | undefined;
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
-  verifyIdToken(token: string, nonce: string | undefined): Promise<boolean>;
+  idToken: {
+    verify: (token: string, nonce: string | undefined) => Promise<boolean>;
+  };
   getUserInfo(token: OAuth2Tokens & {
     user?: {
       name?: {

package/dist/social-providers/line.mjs

@@ -1,9 +1,15 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { decodeJwt } from "jose";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/line.ts
+const LINE_DEFAULT_SCOPES = [
+	"openid",
+	"profile",
+	"email"
+];
 /**
 * LINE Login v2.1
 * - Authorization endpoint: https://access.line.me/oauth2/v2.1/authorize
@@ -21,19 +27,13 @@ const line = (options) => {
 	return {
 		id: "line",
 		name: "LINE",
-		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : [
-				"openid",
-				"profile",
-				"email"
-			];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-			return await createAuthorizationURL({
+		callbackPath: "/callback/line",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, additionalParams }) {
+			return createAuthorizationURL({
 				id: "line",
 				options,
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, LINE_DEFAULT_SCOPES, scopes),
 				state,
 				codeVerifier,
 				redirectURI,
@@ -60,9 +60,7 @@ const line = (options) => {
 				tokenEndpoint
 			});
 		},
-		async verifyIdToken(token, nonce) {
-			if (options.disableIdTokenSignIn) return false;
-			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
+		idToken: { verify: async (token, nonce) => {
 			const body = new URLSearchParams();
 			body.set("id_token", token);
 			body.set("client_id", options.clientId);
@@ -76,7 +74,7 @@ const line = (options) => {
 			if (data.aud !== options.clientId) return false;
 			if (data.nonce && data.nonce !== nonce) return false;
 			return true;
-		},
+		} },
 		async getUserInfo(token) {
 			if (options.getUserInfo) return options.getUserInfo(token);
 			let profile = null;

package/dist/social-providers/linear.d.mts

@@ -20,6 +20,7 @@ interface LinearOptions extends ProviderOptions<LinearUser> {
 declare const linear: (options: LinearOptions) => {
   id: "linear";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -34,7 +35,10 @@ declare const linear: (options: LinearOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/linear.mjs

@@ -1,22 +1,22 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/linear.ts
+const LINEAR_DEFAULT_SCOPES = ["read"];
 const linear = (options) => {
 	const tokenEndpoint = "https://api.linear.app/oauth/token";
 	return {
 		id: "linear",
 		name: "Linear",
+		callbackPath: "/callback/linear",
 		createAuthorizationURL({ state, scopes, loginHint, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["read"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "linear",
 				options,
 				authorizationEndpoint: "https://linear.app/oauth/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, LINEAR_DEFAULT_SCOPES, scopes),
 				state,
 				redirectURI,
 				loginHint,

package/dist/social-providers/linkedin.d.mts

@@ -19,6 +19,7 @@ interface LinkedInOptions extends ProviderOptions<LinkedInProfile> {
 declare const linkedin: (options: LinkedInOptions) => {
   id: "linkedin";
   name: string;
+  callbackPath: string;
   createAuthorizationURL: ({
     state,
     scopes,
@@ -33,7 +34,10 @@ declare const linkedin: (options: LinkedInOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }) => Promise<URL>;
+  }) => Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/linkedin.mjs

@@ -1,27 +1,27 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/linkedin.ts
+const LINKEDIN_DEFAULT_SCOPES = [
+	"profile",
+	"email",
+	"openid"
+];
 const linkedin = (options) => {
 	const authorizationEndpoint = "https://www.linkedin.com/oauth/v2/authorization";
 	const tokenEndpoint = "https://www.linkedin.com/oauth/v2/accessToken";
 	return {
 		id: "linkedin",
 		name: "Linkedin",
-		createAuthorizationURL: async ({ state, scopes, redirectURI, loginHint, additionalParams }) => {
-			const _scopes = options.disableDefaultScope ? [] : [
-				"profile",
-				"email",
-				"openid"
-			];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-			return await createAuthorizationURL({
+		callbackPath: "/callback/linkedin",
+		createAuthorizationURL: ({ state, scopes, redirectURI, loginHint, additionalParams }) => {
+			return createAuthorizationURL({
 				id: "linkedin",
 				options,
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, LINKEDIN_DEFAULT_SCOPES, scopes),
 				state,
 				loginHint,
 				redirectURI,

package/dist/social-providers/microsoft-entra-id.d.mts

@@ -1,4 +1,7 @@
+import { ClientAssertionGetter } from "../oauth2/client-assertion.mjs";
 import { OAuth2Tokens, ProviderOptions } from "../oauth2/oauth-provider.mjs";
+import * as jose from "jose";
+
 //#region src/social-providers/microsoft-entra-id.d.ts
 /**
  * @see [Microsoft Identity Platform - Optional claims reference](https://learn.microsoft.com/en-us/entra/identity-platform/optional-claims-reference)
@@ -109,25 +112,34 @@ interface MicrosoftOptions extends ProviderOptions<MicrosoftEntraIDProfile> {
    * The tenant ID of the Microsoft account
    * @default "common"
    */
-  tenantId?: string | undefined;
+  tenantId?: string;
   /**
    * The authentication authority URL. Use the default "https://login.microsoftonline.com" for standard Entra ID or "https://<tenant-id>.ciamlogin.com" for CIAM scenarios.
    * @default "https://login.microsoftonline.com"
    */
-  authority?: string | undefined;
+  authority?: string;
+  /**
+   * Function that returns a JWT client assertion for token endpoint authentication.
+   *
+   * Use this instead of `clientSecret` when your Microsoft Entra ID app is
+   * configured for client authentication with assertions (private_key_jwt or
+   * workload identity federation).
+   */
+  clientAssertion?: ClientAssertionGetter;
   /**
    * The size of the profile photo
    * @default 48
    */
-  profilePhotoSize?: (48 | 64 | 96 | 120 | 240 | 360 | 432 | 504 | 648) | undefined;
+  profilePhotoSize?: 48 | 64 | 96 | 120 | 240 | 360 | 432 | 504 | 648;
   /**
    * Disable profile photo
    */
-  disableProfilePhoto?: boolean | undefined;
+  disableProfilePhoto?: boolean;
 }
 declare const microsoft: (options: MicrosoftOptions) => {
   id: "microsoft";
   name: string;
+  callbackPath: string;
   createAuthorizationURL(data: {
     state: string;
     codeVerifier: string;
@@ -136,7 +148,10 @@ declare const microsoft: (options: MicrosoftOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode({
     code,
     codeVerifier,
@@ -147,7 +162,17 @@ declare const microsoft: (options: MicrosoftOptions) => {
     codeVerifier?: string | undefined;
     deviceId?: string | undefined;
   }): Promise<OAuth2Tokens>;
-  verifyIdToken(token: string, nonce: string | undefined): Promise<boolean>;
+  idToken: {
+    jwks: (header: jose.JWTHeaderParameters) => Promise<Uint8Array<ArrayBufferLike> | CryptoKey>;
+    audience: string | string[];
+    maxTokenAge: string;
+    /**
+     * Issuer varies per tenant for multi-tenant endpoints, so only validate it for
+     * specific tenants.
+     * @see https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols#endpoints
+     */
+    issuer: string | undefined;
+  };
   getUserInfo(token: OAuth2Tokens & {
     user?: {
       name?: {

package/dist/social-providers/microsoft-entra-id.mjs

@@ -1,42 +1,48 @@
 import { APIError, BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { base64 } from "@better-auth/utils/base64";
-import { decodeJwt, decodeProtectedHeader, importJWK, jwtVerify } from "jose";
+import { decodeJwt, importJWK } from "jose";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/microsoft-entra-id.ts
+const MICROSOFT_ENTRA_ID_DEFAULT_SCOPES = [
+	"openid",
+	"profile",
+	"email",
+	"User.Read",
+	"offline_access"
+];
 const microsoft = (options) => {
 	const tenant = options.tenantId || "common";
 	const authority = options.authority || "https://login.microsoftonline.com";
 	const authorizationEndpoint = `${authority}/${tenant}/oauth2/v2.0/authorize`;
 	const tokenEndpoint = `${authority}/${tenant}/oauth2/v2.0/token`;
+	if (options.clientSecret && options.clientAssertion) throw new BetterAuthError("Microsoft Entra ID clientAssertion cannot be combined with clientSecret");
+	const tokenEndpointAuth = options.clientAssertion ? {
+		method: "private_key_jwt",
+		getClientAssertion: options.clientAssertion
+	} : void 0;
 	return {
 		id: "microsoft",
 		name: "Microsoft EntraID",
+		callbackPath: "/callback/microsoft",
 		createAuthorizationURL(data) {
 			if (!getPrimaryClientId(options.clientId)) {
 				logger.error("Client Id is required for Microsoft Entra ID. Make sure to provide it in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
-			const scopes = options.disableDefaultScope ? [] : [
-				"openid",
-				"profile",
-				"email",
-				"User.Read",
-				"offline_access"
-			];
-			if (options.scope) scopes.push(...options.scope);
-			if (data.scopes) scopes.push(...data.scopes);
+			const requestedScopes = resolveRequestedScopes(options, MICROSOFT_ENTRA_ID_DEFAULT_SCOPES, data.scopes);
 			return createAuthorizationURL({
 				id: "microsoft",
 				options,
 				authorizationEndpoint,
 				state: data.state,
 				codeVerifier: data.codeVerifier,
-				scopes,
+				scopes: requestedScopes,
 				redirectURI: data.redirectURI,
 				prompt: options.prompt,
 				loginHint: data.loginHint,
@@ -49,33 +55,15 @@ const microsoft = (options) => {
 				codeVerifier,
 				redirectURI,
 				options,
-				tokenEndpoint
+				tokenEndpoint,
+				tokenEndpointAuth
 			});
 		},
-		async verifyIdToken(token, nonce) {
-			if (options.disableIdTokenSignIn) return false;
-			if (options.verifyIdToken) return options.verifyIdToken(token, nonce);
-			try {
-				const { kid, alg: jwtAlg } = decodeProtectedHeader(token);
-				if (!kid || !jwtAlg) return false;
-				const publicKey = await getMicrosoftPublicKey(kid, tenant, authority);
-				const verifyOptions = {
-					algorithms: [jwtAlg],
-					audience: options.clientId,
-					maxTokenAge: "1h"
-				};
-				/**
-				* Issuer varies per user's tenant for multi-tenant endpoints, so only validate for specific tenants.
-				* @see https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols#endpoints
-				*/
-				if (tenant !== "common" && tenant !== "organizations" && tenant !== "consumers") verifyOptions.issuer = `${authority}/${tenant}/v2.0`;
-				const { payload: jwtClaims } = await jwtVerify(token, publicKey, verifyOptions);
-				if (nonce && jwtClaims.nonce !== nonce) return false;
-				return true;
-			} catch (error) {
-				logger.error("Failed to verify ID token:", error);
-				return false;
-			}
+		idToken: {
+			jwks: (header) => getMicrosoftPublicKey(header.kid, tenant, authority),
+			audience: options.clientId,
+			maxTokenAge: "1h",
+			issuer: tenant !== "common" && tenant !== "organizations" && tenant !== "consumers" ? `${authority}/${tenant}/v2.0` : void 0
 		},
 		async getUserInfo(token) {
 			if (options.getUserInfo) return options.getUserInfo(token);
@@ -124,7 +112,8 @@ const microsoft = (options) => {
 					clientSecret: options.clientSecret
 				},
 				extraParams: { scope: scopes.join(" ") },
-				tokenEndpoint
+				tokenEndpoint,
+				tokenEndpointAuth
 			});
 		},
 		options

package/dist/social-providers/naver.d.mts

@@ -24,6 +24,7 @@ interface NaverOptions extends ProviderOptions<NaverProfile> {
 declare const naver: (options: NaverOptions) => {
   id: "naver";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -37,7 +38,10 @@ declare const naver: (options: NaverOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/naver.mjs

@@ -1,22 +1,22 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/naver.ts
+const NAVER_DEFAULT_SCOPES = ["profile", "email"];
 const naver = (options) => {
 	const tokenEndpoint = "https://nid.naver.com/oauth2.0/token";
 	return {
 		id: "naver",
 		name: "Naver",
+		callbackPath: "/callback/naver",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : ["profile", "email"];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "naver",
 				options,
 				authorizationEndpoint: "https://nid.naver.com/oauth2.0/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, NAVER_DEFAULT_SCOPES, scopes),
 				state,
 				redirectURI,
 				additionalParams

package/dist/social-providers/notion.d.mts

@@ -16,6 +16,7 @@ interface NotionOptions extends ProviderOptions<NotionProfile> {
 declare const notion: (options: NotionOptions) => {
   id: "notion";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -30,7 +31,10 @@ declare const notion: (options: NotionOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     redirectURI

package/dist/social-providers/notion.mjs

@@ -1,22 +1,22 @@
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/notion.ts
+const NOTION_DEFAULT_SCOPES = [];
 const notion = (options) => {
 	const tokenEndpoint = "https://api.notion.com/v1/oauth/token";
 	return {
 		id: "notion",
 		name: "Notion",
+		callbackPath: "/callback/notion",
 		createAuthorizationURL({ state, scopes, loginHint, redirectURI, additionalParams }) {
-			const _scopes = options.disableDefaultScope ? [] : [];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "notion",
 				options,
 				authorizationEndpoint: "https://api.notion.com/v1/oauth/authorize",
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, NOTION_DEFAULT_SCOPES, scopes),
 				state,
 				redirectURI,
 				loginHint,

package/dist/social-providers/paybin.d.mts

@@ -21,6 +21,7 @@ interface PaybinOptions extends ProviderOptions<PaybinProfile> {
 declare const paybin: (options: PaybinOptions) => {
   id: "paybin";
   name: string;
+  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -36,7 +37,10 @@ declare const paybin: (options: PaybinOptions) => {
     display?: string | undefined;
     loginHint?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<URL>;
+  }): Promise<{
+    url: URL;
+    requestedScopes: string[];
+  }>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,

package/dist/social-providers/paybin.mjs

@@ -1,10 +1,16 @@
 import { BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
+import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { decodeJwt } from "jose";
 //#region src/social-providers/paybin.ts
+const PAYBIN_DEFAULT_SCOPES = [
+	"openid",
+	"email",
+	"profile"
+];
 const paybin = (options) => {
 	const issuer = options.issuer || "https://idp.paybin.io";
 	const authorizationEndpoint = `${issuer}/oauth2/authorize`;
@@ -12,24 +18,18 @@ const paybin = (options) => {
 	return {
 		id: "paybin",
 		name: "Paybin",
-		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, additionalParams }) {
+		callbackPath: "/callback/paybin",
+		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, additionalParams }) {
 			if (!options.clientId || !options.clientSecret) {
 				logger.error("Client Id and Client Secret is required for Paybin. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
 			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Paybin");
-			const _scopes = options.disableDefaultScope ? [] : [
-				"openid",
-				"email",
-				"profile"
-			];
-			if (options.scope) _scopes.push(...options.scope);
-			if (scopes) _scopes.push(...scopes);
-			return await createAuthorizationURL({
+			return createAuthorizationURL({
 				id: "paybin",
 				options,
 				authorizationEndpoint,
-				scopes: _scopes,
+				scopes: resolveRequestedScopes(options, PAYBIN_DEFAULT_SCOPES, scopes),
 				state,
 				codeVerifier,
 				redirectURI,