@better-auth/core 1.7.0-beta.6 → 1.7.0-beta.8

package/dist/social-providers/kakao.d.mts

@@ -93,7 +93,6 @@ interface KakaoOptions extends ProviderOptions<KakaoProfile> {
 declare const kakao: (options: KakaoOptions) => {
   id: "kakao";
   name: string;
-  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -106,11 +105,9 @@ declare const kakao: (options: KakaoOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }): Promise<URL>;
   validateAuthorizationCode: ({
     code,
     redirectURI
@@ -122,6 +119,7 @@ declare const kakao: (options: KakaoOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/kakao.mjs

@@ -1,26 +1,26 @@
-import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/kakao.ts
-const KAKAO_DEFAULT_SCOPES = [
-	"account_email",
-	"profile_image",
-	"profile_nickname"
-];
 const kakao = (options) => {
 	const tokenEndpoint = "https://kauth.kakao.com/oauth/token";
 	return {
 		id: "kakao",
 		name: "Kakao",
-		callbackPath: "/callback/kakao",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
+			const _scopes = options.disableDefaultScope ? [] : [
+				"account_email",
+				"profile_image",
+				"profile_nickname"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "kakao",
 				options,
 				authorizationEndpoint: "https://kauth.kakao.com/oauth/authorize",
-				scopes: resolveRequestedScopes(options, KAKAO_DEFAULT_SCOPES, scopes),
+				scopes: _scopes,
 				state,
 				redirectURI,
 				additionalParams

package/dist/social-providers/kick.d.mts

@@ -24,7 +24,6 @@ interface KickOptions extends ProviderOptions<KickProfile> {
 declare const kick: (options: KickOptions) => {
   id: "kick";
   name: string;
-  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -38,11 +37,9 @@ declare const kick: (options: KickOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }): Promise<URL>;
   validateAuthorizationCode({
     code,
     redirectURI,
@@ -55,6 +52,7 @@ declare const kick: (options: KickOptions) => {
   }): Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/kick.mjs

@@ -1,22 +1,22 @@
-import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/kick.ts
-const KICK_DEFAULT_SCOPES = ["user:read"];
 const kick = (options) => {
 	return {
 		id: "kick",
 		name: "Kick",
-		callbackPath: "/callback/kick",
 		createAuthorizationURL({ state, scopes, redirectURI, codeVerifier, additionalParams }) {
+			const _scopes = options.disableDefaultScope ? [] : ["user:read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "kick",
 				redirectURI,
 				options,
 				authorizationEndpoint: "https://id.kick.com/oauth/authorize",
-				scopes: resolveRequestedScopes(options, KICK_DEFAULT_SCOPES, scopes),
+				scopes: _scopes,
 				codeVerifier,
 				state,
 				additionalParams

package/dist/social-providers/line.d.mts

@@ -33,7 +33,6 @@ interface LineOptions extends ProviderOptions<LineUserInfo | LineIdTokenPayload>
 declare const line: (options: LineOptions) => {
   id: "line";
   name: string;
-  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -48,11 +47,9 @@ declare const line: (options: LineOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }): Promise<URL>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,
@@ -68,6 +65,7 @@ declare const line: (options: LineOptions) => {
     verify: (token: string, nonce: string | undefined) => Promise<boolean>;
   };
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/line.mjs

@@ -1,15 +1,9 @@
-import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { decodeJwt } from "jose";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/line.ts
-const LINE_DEFAULT_SCOPES = [
-	"openid",
-	"profile",
-	"email"
-];
 /**
 * LINE Login v2.1
 * - Authorization endpoint: https://access.line.me/oauth2/v2.1/authorize
@@ -27,13 +21,19 @@ const line = (options) => {
 	return {
 		id: "line",
 		name: "LINE",
-		callbackPath: "/callback/line",
-		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, additionalParams }) {
-			return createAuthorizationURL({
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, additionalParams }) {
+			const _scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"profile",
+				"email"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
 				id: "line",
 				options,
 				authorizationEndpoint,
-				scopes: resolveRequestedScopes(options, LINE_DEFAULT_SCOPES, scopes),
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,

package/dist/social-providers/linear.d.mts

@@ -20,7 +20,6 @@ interface LinearOptions extends ProviderOptions<LinearUser> {
 declare const linear: (options: LinearOptions) => {
   id: "linear";
   name: string;
-  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -34,11 +33,9 @@ declare const linear: (options: LinearOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }): Promise<URL>;
   validateAuthorizationCode: ({
     code,
     redirectURI
@@ -50,6 +47,7 @@ declare const linear: (options: LinearOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/linear.mjs

@@ -1,22 +1,22 @@
-import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/linear.ts
-const LINEAR_DEFAULT_SCOPES = ["read"];
 const linear = (options) => {
 	const tokenEndpoint = "https://api.linear.app/oauth/token";
 	return {
 		id: "linear",
 		name: "Linear",
-		callbackPath: "/callback/linear",
 		createAuthorizationURL({ state, scopes, loginHint, redirectURI, additionalParams }) {
+			const _scopes = options.disableDefaultScope ? [] : ["read"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "linear",
 				options,
 				authorizationEndpoint: "https://linear.app/oauth/authorize",
-				scopes: resolveRequestedScopes(options, LINEAR_DEFAULT_SCOPES, scopes),
+				scopes: _scopes,
 				state,
 				redirectURI,
 				loginHint,

package/dist/social-providers/linkedin.d.mts

@@ -19,7 +19,6 @@ interface LinkedInOptions extends ProviderOptions<LinkedInProfile> {
 declare const linkedin: (options: LinkedInOptions) => {
   id: "linkedin";
   name: string;
-  callbackPath: string;
   createAuthorizationURL: ({
     state,
     scopes,
@@ -33,11 +32,9 @@ declare const linkedin: (options: LinkedInOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }) => Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }) => Promise<URL>;
   validateAuthorizationCode: ({
     code,
     redirectURI
@@ -49,6 +46,7 @@ declare const linkedin: (options: LinkedInOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/linkedin.mjs

@@ -1,27 +1,27 @@
-import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/linkedin.ts
-const LINKEDIN_DEFAULT_SCOPES = [
-	"profile",
-	"email",
-	"openid"
-];
 const linkedin = (options) => {
 	const authorizationEndpoint = "https://www.linkedin.com/oauth/v2/authorization";
 	const tokenEndpoint = "https://www.linkedin.com/oauth/v2/accessToken";
 	return {
 		id: "linkedin",
 		name: "Linkedin",
-		callbackPath: "/callback/linkedin",
-		createAuthorizationURL: ({ state, scopes, redirectURI, loginHint, additionalParams }) => {
-			return createAuthorizationURL({
+		createAuthorizationURL: async ({ state, scopes, redirectURI, loginHint, additionalParams }) => {
+			const _scopes = options.disableDefaultScope ? [] : [
+				"profile",
+				"email",
+				"openid"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
 				id: "linkedin",
 				options,
 				authorizationEndpoint,
-				scopes: resolveRequestedScopes(options, LINKEDIN_DEFAULT_SCOPES, scopes),
+				scopes: _scopes,
 				state,
 				loginHint,
 				redirectURI,

package/dist/social-providers/microsoft-entra-id.d.mts

@@ -139,7 +139,6 @@ interface MicrosoftOptions extends ProviderOptions<MicrosoftEntraIDProfile> {
 declare const microsoft: (options: MicrosoftOptions) => {
   id: "microsoft";
   name: string;
-  callbackPath: string;
   createAuthorizationURL(data: {
     state: string;
     codeVerifier: string;
@@ -147,11 +146,9 @@ declare const microsoft: (options: MicrosoftOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }): Promise<URL>;
   validateAuthorizationCode({
     code,
     codeVerifier,
@@ -184,6 +181,7 @@ declare const microsoft: (options: MicrosoftOptions) => {
     verifyClaims: (claims: Record<string, unknown>) => boolean;
   };
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/microsoft-entra-id.mjs

@@ -1,6 +1,5 @@
 import { APIError, BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
-import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { getPrimaryClientId } from "../oauth2/utils.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
@@ -16,13 +15,6 @@ import { betterFetch } from "@better-fetch/fetch";
 * @see https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference
 */
 const MICROSOFT_CONSUMER_TENANT_ID = "9188040d-6c67-4c5b-b112-36a304b66dad";
-const MICROSOFT_ENTRA_ID_DEFAULT_SCOPES = [
-	"openid",
-	"profile",
-	"email",
-	"User.Read",
-	"offline_access"
-];
 const microsoft = (options) => {
 	const tenant = options.tenantId || "common";
 	let authority = options.authority || "https://login.microsoftonline.com";
@@ -37,20 +29,27 @@ const microsoft = (options) => {
 	return {
 		id: "microsoft",
 		name: "Microsoft EntraID",
-		callbackPath: "/callback/microsoft",
 		createAuthorizationURL(data) {
 			if (!getPrimaryClientId(options.clientId)) {
 				logger.error("Client Id is required for Microsoft Entra ID. Make sure to provide it in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
-			const requestedScopes = resolveRequestedScopes(options, MICROSOFT_ENTRA_ID_DEFAULT_SCOPES, data.scopes);
+			const scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"profile",
+				"email",
+				"User.Read",
+				"offline_access"
+			];
+			if (options.scope) scopes.push(...options.scope);
+			if (data.scopes) scopes.push(...data.scopes);
 			return createAuthorizationURL({
 				id: "microsoft",
 				options,
 				authorizationEndpoint,
 				state: data.state,
 				codeVerifier: data.codeVerifier,
-				scopes: requestedScopes,
+				scopes,
 				redirectURI: data.redirectURI,
 				prompt: options.prompt,
 				loginHint: data.loginHint,

package/dist/social-providers/naver.d.mts

@@ -24,7 +24,6 @@ interface NaverOptions extends ProviderOptions<NaverProfile> {
 declare const naver: (options: NaverOptions) => {
   id: "naver";
   name: string;
-  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -37,11 +36,9 @@ declare const naver: (options: NaverOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }): Promise<URL>;
   validateAuthorizationCode: ({
     code,
     redirectURI
@@ -53,6 +50,7 @@ declare const naver: (options: NaverOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/naver.mjs

@@ -1,22 +1,22 @@
-import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/naver.ts
-const NAVER_DEFAULT_SCOPES = ["profile", "email"];
 const naver = (options) => {
 	const tokenEndpoint = "https://nid.naver.com/oauth2.0/token";
 	return {
 		id: "naver",
 		name: "Naver",
-		callbackPath: "/callback/naver",
 		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
+			const _scopes = options.disableDefaultScope ? [] : ["profile", "email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "naver",
 				options,
 				authorizationEndpoint: "https://nid.naver.com/oauth2.0/authorize",
-				scopes: resolveRequestedScopes(options, NAVER_DEFAULT_SCOPES, scopes),
+				scopes: _scopes,
 				state,
 				redirectURI,
 				additionalParams

package/dist/social-providers/notion.d.mts

@@ -16,7 +16,6 @@ interface NotionOptions extends ProviderOptions<NotionProfile> {
 declare const notion: (options: NotionOptions) => {
   id: "notion";
   name: string;
-  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -30,11 +29,9 @@ declare const notion: (options: NotionOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }): Promise<URL>;
   validateAuthorizationCode: ({
     code,
     redirectURI
@@ -46,6 +43,7 @@ declare const notion: (options: NotionOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/notion.mjs

@@ -1,22 +1,22 @@
-import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { betterFetch } from "@better-fetch/fetch";
 //#region src/social-providers/notion.ts
-const NOTION_DEFAULT_SCOPES = [];
 const notion = (options) => {
 	const tokenEndpoint = "https://api.notion.com/v1/oauth/token";
 	return {
 		id: "notion",
 		name: "Notion",
-		callbackPath: "/callback/notion",
 		createAuthorizationURL({ state, scopes, loginHint, redirectURI, additionalParams }) {
+			const _scopes = options.disableDefaultScope ? [] : [];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 			return createAuthorizationURL({
 				id: "notion",
 				options,
 				authorizationEndpoint: "https://api.notion.com/v1/oauth/authorize",
-				scopes: resolveRequestedScopes(options, NOTION_DEFAULT_SCOPES, scopes),
+				scopes: _scopes,
 				state,
 				redirectURI,
 				loginHint,

package/dist/social-providers/paybin.d.mts

@@ -21,7 +21,6 @@ interface PaybinOptions extends ProviderOptions<PaybinProfile> {
 declare const paybin: (options: PaybinOptions) => {
   id: "paybin";
   name: string;
-  callbackPath: string;
   createAuthorizationURL({
     state,
     scopes,
@@ -36,11 +35,9 @@ declare const paybin: (options: PaybinOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }): Promise<URL>;
   validateAuthorizationCode: ({
     code,
     codeVerifier,
@@ -53,6 +50,7 @@ declare const paybin: (options: PaybinOptions) => {
   }) => Promise<OAuth2Tokens>;
   refreshAccessToken: (refreshToken: string) => Promise<OAuth2Tokens>;
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/paybin.mjs

@@ -1,16 +1,10 @@
 import { BetterAuthError } from "../error/index.mjs";
 import { logger } from "../env/logger.mjs";
-import { resolveRequestedScopes } from "../oauth2/scopes.mjs";
 import { createAuthorizationURL } from "../oauth2/create-authorization-url.mjs";
 import { refreshAccessToken } from "../oauth2/refresh-access-token.mjs";
 import { validateAuthorizationCode } from "../oauth2/validate-authorization-code.mjs";
 import { decodeJwt } from "jose";
 //#region src/social-providers/paybin.ts
-const PAYBIN_DEFAULT_SCOPES = [
-	"openid",
-	"email",
-	"profile"
-];
 const paybin = (options) => {
 	const issuer = options.issuer || "https://idp.paybin.io";
 	const authorizationEndpoint = `${issuer}/oauth2/authorize`;
@@ -18,18 +12,24 @@ const paybin = (options) => {
 	return {
 		id: "paybin",
 		name: "Paybin",
-		callbackPath: "/callback/paybin",
-		createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, additionalParams }) {
+		async createAuthorizationURL({ state, scopes, codeVerifier, redirectURI, loginHint, additionalParams }) {
 			if (!options.clientId || !options.clientSecret) {
 				logger.error("Client Id and Client Secret is required for Paybin. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
 			if (!codeVerifier) throw new BetterAuthError("codeVerifier is required for Paybin");
-			return createAuthorizationURL({
+			const _scopes = options.disableDefaultScope ? [] : [
+				"openid",
+				"email",
+				"profile"
+			];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
+			return await createAuthorizationURL({
 				id: "paybin",
 				options,
 				authorizationEndpoint,
-				scopes: resolveRequestedScopes(options, PAYBIN_DEFAULT_SCOPES, scopes),
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,

package/dist/social-providers/paypal.d.mts

@@ -51,7 +51,6 @@ interface PayPalOptions extends ProviderOptions<PayPalProfile> {
 declare const paypal: (options: PayPalOptions) => {
   id: "paypal";
   name: string;
-  callbackPath: string;
   createAuthorizationURL({
     state,
     codeVerifier,
@@ -64,11 +63,9 @@ declare const paypal: (options: PayPalOptions) => {
     redirectURI: string;
     display?: string | undefined;
     loginHint?: string | undefined;
+    idTokenNonce?: string | undefined;
     additionalParams?: Record<string, string> | undefined;
-  }): Promise<{
-    url: URL;
-    requestedScopes: string[];
-  }>;
+  }): Promise<URL>;
   validateAuthorizationCode: ({
     code,
     redirectURI
@@ -89,6 +86,7 @@ declare const paypal: (options: PayPalOptions) => {
     accessTokenExpiresAt: Date | undefined;
   }>);
   getUserInfo(token: OAuth2Tokens & {
+    expectedIdTokenNonce?: string | undefined;
     user?: {
       name?: {
         firstName?: string;

package/dist/social-providers/paypal.mjs

@@ -12,18 +12,12 @@ const paypal = (options) => {
 	return {
 		id: "paypal",
 		name: "PayPal",
-		callbackPath: "/callback/paypal",
-		createAuthorizationURL({ state, codeVerifier, redirectURI, additionalParams }) {
+		async createAuthorizationURL({ state, codeVerifier, redirectURI, additionalParams }) {
 			if (!options.clientId || !options.clientSecret) {
 				logger.error("Client Id and Client Secret is required for PayPal. Make sure to provide them in the options.");
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
-			/**
-			* Log in with PayPal doesn't use traditional OAuth2 scopes
-			* Instead, permissions are configured in the PayPal Developer Dashboard
-			* We don't pass any scopes to avoid "invalid scope" errors
-			**/
-			return createAuthorizationURL({
+			return await createAuthorizationURL({
 				id: "paypal",
 				options,
 				authorizationEndpoint,