@better-auth/core 1.7.0-beta.7 → 1.7.0-beta.9

package/dist/types/context.d.mts

@@ -10,7 +10,7 @@ import { BetterAuthOptions, BetterAuthRateLimitOptions, UserProvisioningSource }
 import { Account } from "../db/schema/account.mjs";
 import { BetterAuthCookie, BetterAuthCookies } from "./cookie.mjs";
 import { SecretConfig } from "./secret.mjs";
-import { UpstreamProvider } from "../oauth2/oauth-provider.mjs";
+import { OAuthProvider } from "../oauth2/oauth-provider.mjs";
 import { CookieOptions, EndpointContext } from "better-call";
 
 //#region src/types/context.d.ts
@@ -54,6 +54,10 @@ type GenericEndpointContext<Options extends BetterAuthOptions = BetterAuthOption
   context: AuthContext<Options>;
 };
 interface InternalAdapter<_Options extends BetterAuthOptions = BetterAuthOptions> {
+  createOAuthUser(user: Omit<User, "id" | "createdAt" | "updatedAt">, account: Omit<Account, "userId" | "id" | "createdAt" | "updatedAt"> & Partial<Account>): Promise<{
+    user: User;
+    account: Account;
+  }>;
   createUser<T extends Record<string, any>>(user: Omit<User, "id" | "createdAt" | "updatedAt" | "emailVerified"> & Partial<User> & Record<string, any>,
   /**
    * Provisioning source. The creation seam adds `action: "create-user"` and
@@ -232,7 +236,7 @@ type AuthContext<Options extends BetterAuthOptions = BetterAuthOptions> = Plugin
     session: Session & Record<string, any>;
     user: User & Record<string, any>;
   } | null) => void;
-  socialProviders: UpstreamProvider[];
+  socialProviders: OAuthProvider[];
   authCookies: BetterAuthCookies;
   logger: ReturnType<typeof createLogger>;
   rateLimit: {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/core",
-  "version": "1.7.0-beta.7",
+  "version": "1.7.0-beta.9",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",

package/src/db/get-tables.ts

@@ -261,15 +261,10 @@ export const getAuthTables = (
 						options.account?.fields?.refreshTokenExpiresAt ||
 						"refreshTokenExpiresAt",
 				},
-				// Renamed from the legacy `scope` column. The migration generator
-				// only adds this column; it does not transform the legacy `scope`
-				// value. Upgrading installs need a manual data migration (split
-				// legacy `scope` on comma/space, trim, drop empties, dedupe). Order
-				// is insignificant per RFC 6749 §3.3.
-				grantedScopes: {
-					type: "string[]",
+				scope: {
+					type: "string",
 					required: false,
-					fieldName: options.account?.fields?.grantedScopes || "grantedScopes",
+					fieldName: options.account?.fields?.scope || "scope",
 				},
 				password: {
 					type: "string",

package/src/db/schema/account.ts

@@ -23,21 +23,12 @@ export const accountSchema = coreSchema.extend({
 	 */
 	refreshTokenExpiresAt: z.date().nullish(),
 	/**
-	 * The scopes the user has granted, as last observed (durable, per-account,
-	 * the unit of revocation and the refresh ceiling). A native array, not a
-	 * delimited string: scope order is insignificant per RFC 6749 §3.3, so the
-	 * value is normalized (trimmed, deduped, sorted) on write.
-	 *
-	 * Renamed from the legacy comma-joined `scope` string. Breaking, with no
-	 * automatic data migration (and no read-time shim): the migration generator
-	 * only adds the new `grantedScopes` column, so legacy accounts read as empty
-	 * here until an upgrade backfills `grantedScopes` from the old `scope` values
-	 * (split on comma/space, trim, drop empties, dedupe). See the release
-	 * changeset for the backfill.
-	 *
-	 * @see https://www.rfc-editor.org/rfc/rfc6749#section-3.3
+	 * The set of OAuth scopes the user has granted to this account, stored
+	 * as a comma-separated list. Represents the accumulated grant rather
+	 * than the latest token's `scope` claim, since per RFC 6749 Section 1.5 a
+	 * token's scope may be narrower than the user's grant.
 	 */
-	grantedScopes: z.array(z.string()).nullish(),
+	scope: z.string().nullish(),
 	/**
 	 * Password is only stored in the credential provider
 	 */

package/src/error/codes.ts

@@ -29,11 +29,6 @@ export const BASE_ERROR_CODES = defineErrorCodes({
 	TOKEN_EXPIRED: "Token expired",
 	ID_TOKEN_NOT_SUPPORTED: "id_token not supported",
 	FAILED_TO_GET_USER_INFO: "Failed to get user info",
-	PROVIDER_NOT_SUPPORTED: "Provider not supported",
-	TOKEN_REFRESH_NOT_SUPPORTED: "Token refresh not supported",
-	REFRESH_TOKEN_NOT_FOUND: "Refresh token not found",
-	FAILED_TO_GET_ACCESS_TOKEN: "Failed to get a valid access token",
-	FAILED_TO_REFRESH_ACCESS_TOKEN: "Failed to refresh access token",
 	USER_EMAIL_NOT_FOUND: "User email not found",
 	EMAIL_NOT_VERIFIED: "Email not verified",
 	PASSWORD_TOO_SHORT: "Password too short",

package/src/oauth2/create-authorization-url.ts

@@ -111,5 +111,5 @@ export async function createAuthorizationURL({
 			url.searchParams.set(key, value);
 		}
 	}
-	return { url, requestedScopes: scopes ?? [] };
+	return url;
 }

package/src/oauth2/index.ts

@@ -63,28 +63,17 @@ export {
 	verifyDpopProof,
 } from "./dpop";
 export type {
-	AuthorizationURLResult,
-	GrantAuthority,
 	OAuth2Tokens,
 	OAuth2UserInfo,
 	OAuthIdTokenConfig,
+	OAuthProvider,
 	OAuthRefreshContext,
-	ProviderGrantAuthority,
 	ProviderOptions,
-	UpstreamProvider,
 } from "./oauth-provider";
 export {
 	refreshAccessToken,
 	refreshAccessTokenRequest,
 } from "./refresh-access-token";
-export {
-	includesGrantedScope,
-	normalizeScopes,
-	parseScopeField,
-	readGrantedScopes,
-	resolveRequestedScopes,
-	unionGrantedScopes,
-} from "./scopes";
 export type {
 	TokenEndpointAuth,
 	TokenEndpointAuthMethod,
@@ -95,6 +84,7 @@ export {
 	generateCodeChallenge,
 	getOAuth2Tokens,
 	getPrimaryClientId,
+	mergeScopes,
 } from "./utils";
 export {
 	authorizationCodeRequest,

package/src/oauth2/oauth-provider.ts

@@ -89,64 +89,22 @@ export interface OAuthRefreshContext {
 	request?: Request | undefined;
 }
 
-/**
- * The result of building a provider authorization URL.
- *
- * `requestedScopes` is the effective set of scopes encoded in the URL (the
- * provider's built-in defaults + configured `options.scope` + per-request
- * `scopes`, composed by `resolveRequestedScopes`). Callers persist it so the
- * callback can fall back to the request when the provider omits `scope` from
- * its token response (RFC 6749 §5.1).
- */
-export interface AuthorizationURLResult {
-	url: URL;
-	requestedScopes: string[];
-}
-
-/**
- * How much an RP trusts a provider's echoed token-response `scope` when
- * persisting `account.grantedScopes`.
- *
- * - `"full-grant"`: the echo is the user's complete current grant, so the seam
- *   replaces the stored grant with it. This is the only path that may narrow
- *   the grant. Declare it only for providers whose token response reports the
- *   full combined grant, e.g. Google with `include_granted_scopes`.
- * - `"projection"`: the echo is this request's subset, so the seam unions it
- *   onto the stored grant. The safe default for every provider.
- * - `"absent-echo"`: the provider omitted `scope`, so the grant equals what was
- *   requested (RFC 6749 §5.1) and the seam unions the requested set. Resolved
- *   at runtime by the persistence seam, never declared by a provider.
- *
- * @see https://www.rfc-editor.org/rfc/rfc6749#section-5.1
- */
-export type GrantAuthority = "full-grant" | "projection" | "absent-echo";
-
-/**
- * The authority a provider may declare for its own echoed scope. `"absent-echo"`
- * is excluded because it is a runtime condition (an omitted echo), not a
- * provider trait.
- */
-export type ProviderGrantAuthority = Exclude<GrantAuthority, "absent-echo">;
-
-export interface UpstreamProvider<
+export interface OAuthProvider<
 	T extends Record<string, any> = Record<string, any>,
 	O extends Record<string, any> = Partial<ProviderOptions>,
 > {
 	id: LiteralString;
 	/**
-	 * The path the provider redirects back to, relative to the app base URL,
-	 * e.g. `/callback/google`.
-	 */
-	callbackPath: string;
-	/**
-	 * How the persistence seam treats this provider's echoed token-response
-	 * `scope`. Declare `"full-grant"` only when the echo is the user's complete
-	 * current grant (e.g. Google with `include_granted_scopes`); otherwise the
-	 * echo is unioned onto the stored grant.
+	 * Optional path under the resolved per-request `baseURL` where this
+	 * provider's OAuth callback handler is mounted. Providers that use the
+	 * shared `/callback/<id>` route can omit this.
+	 *
+	 * Custom paths must start with `/`.
 	 *
-	 * @default "projection"
+	 * Endpoints compose `redirectURI = ctx.context.baseURL + callbackPath` per
+	 * request, so the provider must not hardcode an origin or `baseURL` here.
 	 */
-	grantAuthority?: ProviderGrantAuthority | undefined;
+	callbackPath?: string | undefined;
 	createAuthorizationURL: (data: {
 		state: string;
 		codeVerifier: string;
@@ -167,7 +125,7 @@ export interface UpstreamProvider<
 		 * before applying them.
 		 */
 		additionalParams?: Record<string, string> | undefined;
-	}) => Awaitable<AuthorizationURLResult>;
+	}) => Awaitable<URL>;
 	name: string;
 	validateAuthorizationCode: (data: {
 		code: string;
@@ -214,6 +172,7 @@ export interface UpstreamProvider<
 				ctx?: OAuthRefreshContext,
 		  ) => Promise<OAuth2Tokens>)
 		| undefined;
+	revokeToken?: ((token: string) => Promise<void>) | undefined;
 	/**
 	 * Declarative id_token verification config consumed by the shared
 	 * `verifyProviderIdToken` verifier. Providers set this instead of implementing a boolean
@@ -321,10 +280,6 @@ export type ProviderOptions<Profile extends Record<string, any> = any> = {
 					emailVerified: boolean;
 					[key: string]: any;
 				};
-				// TODO: type as `Profile` once provider getUserInfo paths that return a
-				// narrower data shape than their declared profile are reconciled; today
-				// `any` is load-bearing for those (e.g. facebook) and tightening it ripples
-				// across ~10 providers, out of scope for the grant refactor.
 				data: any;
 		  } | null>)
 		| undefined;

package/src/oauth2/refresh-access-token.ts

@@ -6,6 +6,7 @@ import type {
 	TokenEndpointSecretAuthentication,
 } from "./token-endpoint-auth";
 import { applyTokenEndpointAuth } from "./token-endpoint-auth";
+import { parseScopeField } from "./utils";
 
 interface RefreshAccessTokenRequestInput {
 	refreshToken: string;
@@ -143,7 +144,7 @@ export async function refreshAccessToken({
 		expires_in?: number | undefined;
 		refresh_token_expires_in?: number | undefined;
 		token_type?: string | undefined;
-		scope?: (string | string[]) | undefined;
+		scope?: unknown;
 		id_token?: string | undefined;
 	}>(tokenEndpoint, {
 		method: "POST",
@@ -157,7 +158,7 @@ export async function refreshAccessToken({
 		accessToken: data.access_token,
 		refreshToken: data.refresh_token,
 		tokenType: data.token_type,
-		scopes: Array.isArray(data.scope) ? data.scope : data.scope?.split(" "),
+		scopes: parseScopeField(data.scope),
 		idToken: data.id_token,
 	};
 

package/src/oauth2/utils.ts

@@ -1,6 +1,26 @@
 import { base64Url } from "@better-auth/utils/base64";
 import type { OAuth2Tokens } from "./oauth-provider";
-import { parseScopeField } from "./scopes";
+
+/**
+ * Parse a provider's `scope` token-response field into a string array.
+ *
+ * RFC 6749 Section 3.3 defines `scope` as a space-delimited string, but
+ * providers vary: some return an already-split array. Accept both forms and
+ * drop empty or non-string entries.
+ *
+ * @see https://github.com/better-auth/better-auth/issues/9076
+ */
+export function parseScopeField(scope: unknown): string[] {
+	if (Array.isArray(scope)) {
+		return scope
+			.map((s) => (typeof s === "string" ? s.trim() : ""))
+			.filter(Boolean);
+	}
+	if (typeof scope === "string") {
+		return scope.trim().split(/\s+/).filter(Boolean);
+	}
+	return [];
+}
 
 export function getOAuth2Tokens(data: Record<string, any>): OAuth2Tokens {
 	const getDate = (seconds: number) => {
@@ -44,6 +64,24 @@ export function applyDefaultAccessTokenExpiry(
 	return tokens;
 }
 
+/**
+ * Compute the union of stored and incoming OAuth scopes, preserving
+ * stored insertion order and dropping duplicates.
+ */
+export function mergeScopes(
+	stored: string | null | undefined,
+	incoming: string[] | undefined,
+): string {
+	const existing = stored
+		? stored
+				.split(",")
+				.map((scope) => scope.trim())
+				.filter(Boolean)
+		: [];
+	const next = (incoming ?? []).map((scope) => scope.trim()).filter(Boolean);
+	return [...new Set([...existing, ...next])].join(",");
+}
+
 /**
  * Return the provider's primary Client ID: the single string, or the entry at
  * array index 0 for the cross-platform form used by ID token audience

package/src/oauth2/verify-id-token.ts

@@ -1,5 +1,7 @@
 import { decodeProtectedHeader, jwtVerify } from "jose";
-import type { ProviderOptions, UpstreamProvider } from "./oauth-provider";
+import type { OAuthProvider, ProviderOptions } from "./oauth-provider";
+
+type ProviderWithIdTokenConfig = Pick<OAuthProvider, "idToken" | "options">;
 
 async function sha256Hex(value: string) {
 	const data = new TextEncoder().encode(value);
@@ -29,12 +31,12 @@ async function nonceMatches(
 /**
  * Whether a provider can verify a client-submitted id_token.
  *
- * A provider supports id_token sign-in when it declares an {@link UpstreamProvider.idToken}
+ * A provider supports id_token sign-in when it declares an {@link OAuthProvider.idToken}
  * verification config, or when the integrator supplies a `verifyIdToken` override on the
  * provider options. A provider whose options set `disableIdTokenSignIn`, or that declares
  * neither, rejects the client id_token sign-in path with `ID_TOKEN_NOT_SUPPORTED`.
  */
-export function supportsIdTokenSignIn(provider: UpstreamProvider<any, any>) {
+export function supportsIdTokenSignIn(provider: ProviderWithIdTokenConfig) {
 	const options = (provider.options ?? {}) as Partial<ProviderOptions>;
 	if (options.disableIdTokenSignIn) {
 		return false;
@@ -46,7 +48,7 @@ export function supportsIdTokenSignIn(provider: UpstreamProvider<any, any>) {
  * Verify a client-submitted id_token against a provider's verification config.
  *
  * This is the single id_token verifier for every social provider. Providers no longer
- * implement their own boolean `verifyIdToken`; they declare an {@link UpstreamProvider.idToken}
+ * implement their own boolean `verifyIdToken`; they declare an {@link OAuthProvider.idToken}
  * config and this function performs the cryptographic check. The contract is fail-closed: a
  * provider without a config (and without an integrator `verifyIdToken` override) returns
  * `false`, so a forged token can never be accepted by omission.
@@ -54,7 +56,7 @@ export function supportsIdTokenSignIn(provider: UpstreamProvider<any, any>) {
  * @returns `true` only when the token is authentic for the provider.
  */
 export async function verifyProviderIdToken(
-	provider: UpstreamProvider<any, any>,
+	provider: ProviderWithIdTokenConfig,
 	token: string,
 	nonce?: string,
 ): Promise<boolean> {

package/src/social-providers/apple.ts

@@ -3,12 +3,11 @@ import { betterFetch } from "@better-fetch/fetch";
 import { decodeJwt, importJWK } from "jose";
 import { logger } from "../env";
 import { APIError, BetterAuthError } from "../error";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	getPrimaryClientId,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 export interface AppleProfile {
@@ -78,14 +77,11 @@ export interface AppleOptions extends ProviderOptions<AppleProfile> {
 	audience?: (string | string[]) | undefined;
 }
 
-const APPLE_DEFAULT_SCOPES = ["email", "name"];
-
 export const apple = (options: AppleOptions) => {
 	const tokenEndpoint = "https://appleid.apple.com/auth/token";
 	return {
 		id: "apple",
 		name: "Apple",
-		callbackPath: "/callback/apple",
 		async createAuthorizationURL({
 			state,
 			scopes,
@@ -98,22 +94,21 @@ export const apple = (options: AppleOptions) => {
 				);
 				throw new BetterAuthError("CLIENT_ID_AND_SECRET_REQUIRED");
 			}
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				APPLE_DEFAULT_SCOPES,
-				scopes,
-			);
-			return createAuthorizationURL({
+			const _scope = options.disableDefaultScope ? [] : ["email", "name"];
+			if (options.scope) _scope.push(...options.scope);
+			if (scopes) _scope.push(...scopes);
+			const url = await createAuthorizationURL({
 				id: "apple",
 				options,
 				authorizationEndpoint: "https://appleid.apple.com/auth/authorize",
-				scopes: requestedScopes,
+				scopes: _scope,
 				state,
 				redirectURI,
 				responseMode: "form_post",
 				responseType: "code id_token",
 				additionalParams,
 			});
+			return url;
 		},
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
 			return validateAuthorizationCode({
@@ -189,7 +184,7 @@ export const apple = (options: AppleOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<AppleProfile>;
+	} satisfies OAuthProvider<AppleProfile>;
 };
 
 export const getApplePublicKey = async (kid: string) => {

package/src/social-providers/atlassian.ts

@@ -1,11 +1,10 @@
 import { betterFetch } from "@better-fetch/fetch";
 import { logger } from "../env";
 import { BetterAuthError } from "../error";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -30,14 +29,11 @@ export interface AtlassianOptions extends ProviderOptions<AtlassianProfile> {
 	clientId: string;
 }
 
-const ATLASSIAN_DEFAULT_SCOPES = ["read:jira-user", "offline_access"];
-
 export const atlassian = (options: AtlassianOptions) => {
 	const tokenEndpoint = "https://auth.atlassian.com/oauth/token";
 	return {
 		id: "atlassian",
 		name: "Atlassian",
-		callbackPath: "/callback/atlassian",
 
 		async createAuthorizationURL({
 			state,
@@ -54,17 +50,17 @@ export const atlassian = (options: AtlassianOptions) => {
 				throw new BetterAuthError("codeVerifier is required for Atlassian");
 			}
 
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				ATLASSIAN_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["read:jira-user", "offline_access"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 
 			return createAuthorizationURL({
 				id: "atlassian",
 				options,
 				authorizationEndpoint: "https://auth.atlassian.com/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -140,5 +136,5 @@ export const atlassian = (options: AtlassianOptions) => {
 		},
 
 		options,
-	} satisfies UpstreamProvider<AtlassianProfile>;
+	} satisfies OAuthProvider<AtlassianProfile>;
 };

package/src/social-providers/cognito.ts

@@ -2,12 +2,11 @@ import { betterFetch } from "@better-fetch/fetch";
 import { decodeJwt, importJWK } from "jose";
 import { logger } from "../env";
 import { APIError, BetterAuthError } from "../error";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	getPrimaryClientId,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 
@@ -58,8 +57,6 @@ export interface CognitoOptions extends ProviderOptions<CognitoProfile> {
 	identityProvider?: string | undefined;
 }
 
-const COGNITO_DEFAULT_SCOPES = ["openid", "profile", "email"];
-
 export const cognito = (options: CognitoOptions) => {
 	if (!options.domain || !options.region || !options.userPoolId) {
 		logger.error(
@@ -76,7 +73,6 @@ export const cognito = (options: CognitoOptions) => {
 	return {
 		id: "cognito",
 		name: "Cognito",
-		callbackPath: "/callback/cognito",
 		async createAuthorizationURL({
 			state,
 			scopes,
@@ -97,19 +93,19 @@ export const cognito = (options: CognitoOptions) => {
 				);
 				throw new BetterAuthError("CLIENT_SECRET_REQUIRED");
 			}
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				COGNITO_DEFAULT_SCOPES,
-				scopes,
-			);
+			const _scopes = options.disableDefaultScope
+				? []
+				: ["openid", "profile", "email"];
+			if (options.scope) _scopes.push(...options.scope);
+			if (scopes) _scopes.push(...scopes);
 
-			const { url } = await createAuthorizationURL({
+			const url = await createAuthorizationURL({
 				id: "cognito",
 				options: {
 					...options,
 				},
 				authorizationEndpoint,
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				codeVerifier,
 				redirectURI,
@@ -130,12 +126,9 @@ export const cognito = (options: CognitoOptions) => {
 				// Manually append the scope with proper encoding to the URL
 				const urlString = url.toString();
 				const separator = urlString.includes("?") ? "&" : "?";
-				return {
-					url: new URL(`${urlString}${separator}scope=${encodedScope}`),
-					requestedScopes,
-				};
+				return new URL(`${urlString}${separator}scope=${encodedScope}`);
 			}
-			return { url, requestedScopes };
+			return url;
 		},
 
 		validateAuthorizationCode: async ({ code, codeVerifier, redirectURI }) => {
@@ -243,7 +236,7 @@ export const cognito = (options: CognitoOptions) => {
 		},
 
 		options,
-	} satisfies UpstreamProvider<CognitoProfile>;
+	} satisfies OAuthProvider<CognitoProfile>;
 };
 
 export const getCognitoPublicKey = async (

package/src/social-providers/discord.ts

@@ -1,9 +1,8 @@
 import { betterFetch } from "@better-fetch/fetch";
-import type { ProviderOptions, UpstreamProvider } from "../oauth2";
+import type { OAuthProvider, ProviderOptions } from "../oauth2";
 import {
 	createAuthorizationURL,
 	refreshAccessToken,
-	resolveRequestedScopes,
 	validateAuthorizationCode,
 } from "../oauth2";
 export interface DiscordProfile extends Record<string, any> {
@@ -84,31 +83,21 @@ export interface DiscordOptions extends ProviderOptions<DiscordProfile> {
 	permissions?: number | undefined;
 }
 
-const DISCORD_DEFAULT_SCOPES = ["identify", "email"];
-
 export const discord = (options: DiscordOptions) => {
 	const tokenEndpoint = "https://discord.com/api/oauth2/token";
 	return {
 		id: "discord",
 		name: "Discord",
-		callbackPath: "/callback/discord",
-		async createAuthorizationURL({
-			state,
-			scopes,
-			redirectURI,
-			additionalParams,
-		}) {
-			const requestedScopes = resolveRequestedScopes(
-				options,
-				DISCORD_DEFAULT_SCOPES,
-				scopes,
-			);
-			const hasBotScope = requestedScopes.includes("bot");
+		createAuthorizationURL({ state, scopes, redirectURI, additionalParams }) {
+			const _scopes = options.disableDefaultScope ? [] : ["identify", "email"];
+			if (scopes) _scopes.push(...scopes);
+			if (options.scope) _scopes.push(...options.scope);
+			const hasBotScope = _scopes.includes("bot");
 			return createAuthorizationURL({
 				id: "discord",
 				options,
 				authorizationEndpoint: "https://discord.com/api/oauth2/authorize",
-				scopes: requestedScopes,
+				scopes: _scopes,
 				state,
 				redirectURI,
 				prompt: options.prompt || "none",
@@ -181,5 +170,5 @@ export const discord = (options: DiscordOptions) => {
 			};
 		},
 		options,
-	} satisfies UpstreamProvider<DiscordProfile>;
+	} satisfies OAuthProvider<DiscordProfile>;
 };