@better-auth/oauth-provider 1.5.0-beta.1 → 1.5.0-beta.3

package/LICENSE.md

@@ -1,17 +1,20 @@
 The MIT License (MIT)
 Copyright (c) 2024 - present, Bereket Engida
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software
-and associated documentation files (the "Software"), to deal in the Software without restriction,
-including without limitation the rights to use, copy, modify, merge, publish, distribute,
-sublicense, and/or sell copies of the Software, and to permit persons to whom the Software
-is furnished to do so, subject to the following conditions:
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the “Software”), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all copies or
-substantial portions of the Software.
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
-BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
-DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.

package/dist/client-resource.d.mts

@@ -1,4 +1,4 @@
-import { a as ResourceServerMetadata } from "./oauth-kjs13QN6.mjs";
+import { a as ResourceServerMetadata } from "./oauth-BrFoF22H.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
 import { Auth } from "better-auth/types";
 

package/dist/client-resource.mjs

@@ -1,4 +1,4 @@
-import { a as getJwtPlugin, f as handleMcpErrors, o as getOAuthProviderPlugin } from "./utils-CSiY9oUk.mjs";
+import { a as getJwtPlugin, o as getOAuthProviderPlugin, p as handleMcpErrors } from "./utils-CAYiYjbw.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { BetterAuthError } from "@better-auth/core/error";
@@ -6,21 +6,32 @@ import { logger } from "@better-auth/core/env";
 
 //#region src/client-resource.ts
 const oauthProviderResourceClient = (auth) => {
-	const oauthProviderOptions = (auth ? getOAuthProviderPlugin(auth) : void 0)?.options;
-	const jwtPluginOptions = (auth && !oauthProviderOptions?.disableJwtPlugin ? getJwtPlugin(auth) : void 0)?.options;
+	let oauthProviderPlugin;
+	const getOauthProviderPlugin = async () => {
+		if (!oauthProviderPlugin) oauthProviderPlugin = auth ? getOAuthProviderPlugin(await auth.$context) : void 0;
+		return oauthProviderPlugin;
+	};
+	let jwtPlugin;
+	const getJwtPluginOptions = async () => {
+		if (!jwtPlugin) jwtPlugin = auth && !(await getOauthProviderPlugin())?.options?.disableJwtPlugin ? getJwtPlugin(await auth.$context) : void 0;
+		return jwtPlugin?.options;
+	};
+	const getAuthorizationServer = async () => {
+		return (await getJwtPluginOptions())?.jwt?.issuer ?? authServerBaseUrl;
+	};
 	const authServerBaseUrl = auth?.options.baseURL;
 	const authServerBasePath = auth?.options.basePath;
-	const authorizationServer = jwtPluginOptions?.jwt?.issuer ?? authServerBaseUrl;
 	return {
 		id: "oauth-provider-resource-client",
 		getActions() {
 			return {
 				verifyAccessToken: (async (token, opts) => {
+					const jwtPluginOptions = await getJwtPluginOptions();
 					const audience = opts?.verifyOptions?.audience ?? authServerBaseUrl;
 					const issuer = opts?.verifyOptions?.issuer ?? jwtPluginOptions?.jwt?.issuer ?? authServerBaseUrl;
 					if (!audience) throw Error("please define opts.verifyOptions.audience");
 					if (!issuer) throw Error("please define opts.verifyOptions.issuer");
-					const jwksUrl = opts?.jwksUrl ?? jwtPluginOptions?.jwks?.remoteUrl ?? (authServerBaseUrl ? `${authServerBaseUrl + (authServerBasePath ?? "")}/jwks` : void 0);
+					const jwksUrl = opts?.jwksUrl ?? jwtPluginOptions?.jwks?.remoteUrl ?? (authServerBaseUrl ? `${authServerBaseUrl + (authServerBasePath ?? "")}${jwtPluginOptions?.jwks?.jwksPath ?? "/jwks"}` : void 0);
 					const introspectUrl = opts?.remoteVerify?.introspectUrl ?? (authServerBaseUrl ? `${authServerBaseUrl}${authServerBasePath ?? ""}/oauth2/introspect` : void 0);
 					try {
 						if (!token?.length) throw new APIError("UNAUTHORIZED", { message: "missing authorization header" });
@@ -43,6 +54,7 @@ const oauthProviderResourceClient = (auth) => {
 				}),
 				getProtectedResourceMetadata: (async (overrides, opts) => {
 					const resource = overrides?.resource ?? authServerBaseUrl;
+					const oauthProviderOptions = (await getOauthProviderPlugin())?.options;
 					if (!resource) throw Error("missing required resource");
 					if (oauthProviderOptions?.scopes && opts?.externalScopes && (overrides?.authorization_servers?.length ?? 0) <= 1) throw new BetterAuthError("external scopes should not be provided with one authorization server");
 					if (overrides?.scopes_supported) {
@@ -60,6 +72,7 @@ const oauthProviderResourceClient = (auth) => {
 							if (!allValidScopes.has(sc)) throw new BetterAuthError(`Unsupported scope ${sc}. If external, please add to "externalScopes"`);
 						}
 					}
+					const authorizationServer = await getAuthorizationServer();
 					return {
 						resource,
 						authorization_servers: authorizationServer ? [authorizationServer] : void 0,

package/dist/client.d.mts

@@ -1,5 +1,5 @@
-import "./oauth-kjs13QN6.mjs";
-import { t as oauthProvider } from "./oauth-Cex7QJsW.mjs";
+import "./oauth-BrFoF22H.mjs";
+import { t as oauthProvider } from "./oauth-BW67CKnu.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/index.d.mts

@@ -1,7 +1,7 @@
-import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-kjs13QN6.mjs";
-import { t as oauthProvider } from "./oauth-Cex7QJsW.mjs";
+import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-BrFoF22H.mjs";
+import { t as oauthProvider } from "./oauth-BW67CKnu.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
-import { JWSAlgorithms, JwtOptions } from "better-auth/plugins/jwt";
+import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";
 import { GenericEndpointContext } from "@better-auth/core";
 

package/dist/index.mjs

@@ -1,8 +1,7 @@
-import { a as getJwtPlugin, c as parsePrompt, d as validateClientCredentials, i as getClient, l as storeClientSecret, n as decryptStoredClientSecret, p as mcpHandler, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as storeToken } from "./utils-CSiY9oUk.mjs";
+import { a as getJwtPlugin, c as parseClientMetadata, d as storeToken, f as validateClientCredentials, i as getClient, l as parsePrompt, m as mcpHandler, n as decryptStoredClientSecret, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as storeClientSecret } from "./utils-CAYiYjbw.mjs";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { BetterAuthError } from "@better-auth/core/error";
-import { createHash } from "@better-auth/utils/hash";
 import { constantTimeEqual, generateRandomString, makeSignature } from "better-auth/crypto";
 import { defineRequestState } from "@better-auth/core/context";
 import { logger } from "@better-auth/core/env";
@@ -10,11 +9,8 @@ import { APIError as APIError$1, createAuthEndpoint, createAuthMiddleware, getOA
 import { parseSetCookieHeader } from "better-auth/cookies";
 import { mergeSchema } from "better-auth/db";
 import * as z from "zod";
-import { signJWT, toExpJWT } from "better-auth/plugins/jwt";
+import { signJWT, toExpJWT } from "better-auth/plugins";
 import { SignJWT, compactVerify, createLocalJWKSet, decodeJwt } from "jose";
-import "@better-auth/utils";
-import "@better-auth/utils/hex";
-import { createRandomStringGenerator } from "@better-auth/utils/random";
 
 //#region src/metadata.ts
 function authServerMetadata(ctx, opts, overrides) {
@@ -24,7 +20,7 @@ function authServerMetadata(ctx, opts, overrides) {
 		issuer: opts?.jwt?.issuer ?? baseURL,
 		authorization_endpoint: `${baseURL}/oauth2/authorize`,
 		token_endpoint: `${baseURL}/oauth2/token`,
-		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}/jwks`,
+		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}${opts?.jwks?.jwksPath ?? "/jwks"}`,
 		registration_endpoint: `${baseURL}/oauth2/register`,
 		introspection_endpoint: `${baseURL}/oauth2/introspect`,
 		revocation_endpoint: `${baseURL}/oauth2/revoke`,
@@ -520,7 +516,7 @@ async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, r
 		scopes,
 		resource: ctx.body.resource,
 		referenceId,
-		metadata: client.metadata ? JSON.parse(client.metadata) : void 0
+		metadata: parseClientMetadata(client.metadata)
 	}) : {};
 	const jwtPluginOptions = getJwtPlugin(ctx.context).options;
 	return signJWT(ctx, {
@@ -551,7 +547,7 @@ async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId)
 	const customClaims = opts.customIdTokenClaims ? await opts.customIdTokenClaims({
 		user,
 		scopes,
-		metadata: client.metadata ? JSON.parse(client.metadata) : void 0
+		metadata: parseClientMetadata(client.metadata)
 	}) : {};
 	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
 	const payload = {
@@ -861,7 +857,7 @@ async function handleClientCredentialsGrant(ctx, opts) {
 	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
 		scopes: requestedScopes,
 		resource: ctx.body.resource,
-		metadata: client.metadata ? JSON.parse(client.metadata) : void 0
+		metadata: parseClientMetadata(client.metadata)
 	}) : {};
 	const accessToken = audience && !opts.disableJwtPlugin ? await signJWT(ctx, {
 		options: jwtPluginOptions,
@@ -1073,7 +1069,7 @@ async function validateOpaqueAccessToken(ctx, opts, token, clientId) {
 		user,
 		scopes: accessToken.scopes,
 		referenceId: accessToken?.referenceId,
-		metadata: client?.metadata ? JSON.parse(client.metadata) : void 0
+		metadata: parseClientMetadata(client?.metadata)
 	}) : {};
 	const jwtPluginOptions = (opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context))?.options;
 	return {
@@ -1223,7 +1219,7 @@ async function rpInitiatedLogoutEndpoint(ctx, opts) {
 	const { id_token_hint, client_id, post_logout_redirect_uri, state } = ctx.query;
 	const baseURL = ctx.context.baseURL;
 	const jwtPluginOptions = (opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context))?.options;
-	const jwksUrl = jwtPluginOptions?.jwks?.remoteUrl ?? `${baseURL}/jwks`;
+	const jwksUrl = jwtPluginOptions?.jwks?.remoteUrl ?? `${baseURL}${jwtPluginOptions?.jwks?.jwksPath ?? "/jwks"}`;
 	let clientId = client_id;
 	if (!clientId) {
 		let decoded;
@@ -1323,152 +1319,6 @@ async function rpInitiatedLogoutEndpoint(ctx, opts) {
 	}
 }
 
-//#endregion
-//#region ../better-auth/src/crypto/jwt.ts
-const info = new Uint8Array([
-	66,
-	101,
-	116,
-	116,
-	101,
-	114,
-	65,
-	117,
-	116,
-	104,
-	46,
-	106,
-	115,
-	32,
-	71,
-	101,
-	110,
-	101,
-	114,
-	97,
-	116,
-	101,
-	100,
-	32,
-	69,
-	110,
-	99,
-	114,
-	121,
-	112,
-	116,
-	105,
-	111,
-	110,
-	32,
-	75,
-	101,
-	121
-]);
-
-//#endregion
-//#region ../better-auth/src/crypto/random.ts
-const generateRandomString$1 = createRandomStringGenerator("a-z", "0-9", "A-Z", "-_");
-
-//#endregion
-//#region ../better-auth/src/utils/time.ts
-const SEC = 1e3;
-const MIN = SEC * 60;
-const HOUR = MIN * 60;
-const DAY = HOUR * 24;
-const WEEK = DAY * 7;
-const MONTH = DAY * 30;
-const YEAR = DAY * 365.25;
-const REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|months?|mo|years?|yrs?|y)(?: (ago|from now))?$/i;
-function parse(value) {
-	const match = REGEX.exec(value);
-	if (!match || match[4] && match[1]) throw new TypeError(`Invalid time string format: "${value}". Use formats like "7d", "30m", "1 hour", etc.`);
-	const n = parseFloat(match[2]);
-	const unit = match[3].toLowerCase();
-	let result;
-	switch (unit) {
-		case "years":
-		case "year":
-		case "yrs":
-		case "yr":
-		case "y":
-			result = n * YEAR;
-			break;
-		case "months":
-		case "month":
-		case "mo":
-			result = n * MONTH;
-			break;
-		case "weeks":
-		case "week":
-		case "w":
-			result = n * WEEK;
-			break;
-		case "days":
-		case "day":
-		case "d":
-			result = n * DAY;
-			break;
-		case "hours":
-		case "hour":
-		case "hrs":
-		case "hr":
-		case "h":
-			result = n * HOUR;
-			break;
-		case "minutes":
-		case "minute":
-		case "mins":
-		case "min":
-		case "m":
-			result = n * MIN;
-			break;
-		case "seconds":
-		case "second":
-		case "secs":
-		case "sec":
-		case "s":
-			result = n * SEC;
-			break;
-		default: throw new TypeError(`Unknown time unit: "${unit}"`);
-	}
-	if (match[1] === "-" || match[4] === "ago") return -result;
-	return result;
-}
-/**
-* Parse a time string and return the value in seconds.
-*
-* @param value - A time string like "7d", "30m", "1 hour", "2 hours ago"
-* @returns The parsed value in seconds (rounded)
-* @throws TypeError if the string format is invalid
-*
-* @example
-* sec("1d")          // 86400
-* sec("2 hours")     // 7200
-* sec("-30s")        // -30
-* sec("2 hours ago") // -7200
-*/
-function sec(value) {
-	return Math.round(parse(value) / 1e3);
-}
-
-//#endregion
-//#region ../better-auth/src/plugins/jwt/utils.ts
-/**
-* Converts an expirationTime to ISO seconds expiration time (the format of JWT exp)
-*
-* See https://github.com/panva/jose/blob/main/src/lib/jwt_claims_set.ts#L245
-*
-* @param expirationTime - see options.jwt.expirationTime
-* @param iat - the iat time to consolidate on
-* @returns
-*/
-function toExpJWT$1(expirationTime, iat) {
-	if (typeof expirationTime === "number") return expirationTime;
-	else if (expirationTime instanceof Date) return Math.floor(expirationTime.getTime() / 1e3);
-	else return iat + sec(expirationTime);
-}
-
 //#endregion
 //#region src/register.ts
 async function registerEndpoint(ctx, opts) {
@@ -1540,7 +1390,7 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 		disabled: void 0,
 		jwks: void 0,
 		jwks_uri: void 0,
-		client_secret_expires_at: storedClientSecret ? settings.isRegister && opts?.clientRegistrationClientSecretExpiration ? toExpJWT$1(opts.clientRegistrationClientSecretExpiration, iat) : 0 : void 0,
+		client_secret_expires_at: storedClientSecret ? settings.isRegister && opts?.clientRegistrationClientSecretExpiration ? toExpJWT(opts.clientRegistrationClientSecretExpiration, iat) : 0 : void 0,
 		client_id: clientId,
 		client_secret: storedClientSecret,
 		client_id_issued_at: iat,
@@ -1570,14 +1420,19 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 * @returns
 */
 function oauthToSchema(input) {
-	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: _jwks, jwks_uri: _jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, reference_id: referenceId, ...rest } = input;
+	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: _jwks, jwks_uri: _jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
 	const expiresAt = _expiresAt ? /* @__PURE__ */ new Date(_expiresAt * 1e3) : void 0;
 	const createdAt = _createdAt ? /* @__PURE__ */ new Date(_createdAt * 1e3) : void 0;
+	const scopes = _scope?.split(" ");
+	const metadataObj = {
+		...rest && Object.keys(rest).length ? rest : {},
+		...inputMetadata && typeof inputMetadata === "object" ? inputMetadata : {}
+	};
 	return {
 		clientId,
 		clientSecret,
 		disabled,
-		scopes: _scope?.split(" "),
+		scopes,
 		userId,
 		createdAt,
 		expiresAt,
@@ -1600,7 +1455,7 @@ function oauthToSchema(input) {
 		skipConsent,
 		enableEndSession,
 		referenceId,
-		metadata: rest && Object.keys(rest).length ? JSON.stringify(rest) : void 0
+		metadata: Object.keys(metadataObj).length ? JSON.stringify(metadataObj) : void 0
 	};
 }
 /**
@@ -1615,7 +1470,7 @@ function schemaToOAuth(input) {
 	const _createdAt = createdAt ? Math.round(createdAt.getTime() / 1e3) : void 0;
 	const _scopes = scopes?.join(" ");
 	return {
-		...metadata ? JSON.parse(metadata) : void 0,
+		...parseClientMetadata(metadata),
 		client_id: clientId,
 		client_secret: clientSecret ?? void 0,
 		client_secret_expires_at: clientSecret ? _expiresAt ?? 0 : void 0,
@@ -3007,11 +2862,12 @@ const oauthProvider = (options) => {
 	if (opts.disableJwtPlugin && (opts.storeClientSecret === "hashed" || typeof opts.storeClientSecret === "object" && "hash" in opts.storeClientSecret)) throw new BetterAuthError("unable to store hashed secrets because id tokens will be signed with secret");
 	if (!opts.disableJwtPlugin && (opts.storeClientSecret === "encrypted" || typeof opts.storeClientSecret === "object" && ("encrypt" in opts.storeClientSecret || "decrypt" in opts.storeClientSecret))) throw new BetterAuthError("encryption method not recommended, please use 'hashed' or the 'hash' function");
 	return {
-		id: "oauthProvider",
+		id: "oauth-provider",
 		options: opts,
 		init: (ctx) => {
+			if (ctx.options.session && !ctx.options.session.storeSessionInDatabase) throw new BetterAuthError("OAuth Provider requires `session.storeSessionInDatabase: true` when using secondaryStorage");
 			if (!opts.disableJwtPlugin) {
-				const issuer = getJwtPlugin(ctx).options?.jwt?.issuer ?? ctx.baseURL;
+				const issuer = (getJwtPlugin(ctx)?.options)?.jwt?.issuer ?? ctx.baseURL;
 				const issuerPath = new URL(issuer).pathname;
 				if (!opts.silenceWarnings?.oauthAuthServerConfig && !(ctx.options.basePath === "/" && issuerPath === "/")) logger.warn(`Please ensure '/.well-known/oauth-authorization-server${issuerPath === "/" ? "" : issuerPath}' exists. Upon completion, clear with silenceWarnings.oauthAuthServerConfig.`);
 				if (!opts.silenceWarnings?.openidConfig && ctx.options.basePath !== issuerPath && opts.scopes?.includes("openid")) logger.warn(`Please ensure '${issuerPath}${issuerPath.endsWith("/") ? "" : "/"}.well-known/openid-configuration' exists. Upon completion, clear with silenceWarnings.openidConfig.`);
@@ -3064,7 +2920,7 @@ const oauthProvider = (options) => {
 				metadata: { SERVER_ONLY: true }
 			}, async (ctx) => {
 				if (opts.scopes && opts.scopes.includes("openid")) return oidcServerMetadata(ctx, opts);
-				else return authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options, { scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes });
+				else return authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context)?.options, { scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes });
 			}),
 			getOpenIdConfig: createAuthEndpoint("/.well-known/openid-configuration", {
 				method: "GET",

package/dist/{oauth-Cex7QJsW.d.mts → oauth-BW67CKnu.d.mts}

@@ -1,13 +1,19 @@
-import { c as OAuthConsent, i as OIDCMetadata, m as Scope, r as OAuthClient, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-kjs13QN6.mjs";
+import { c as OAuthConsent, i as OIDCMetadata, m as Scope, r as OAuthClient, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-BrFoF22H.mjs";
 import * as better_call0 from "better-call";
 import "@better-auth/core/context";
 import * as z from "zod";
+import * as better_auth_plugins0 from "better-auth/plugins";
 import * as jose0 from "jose";
 import * as better_auth0 from "better-auth";
-import * as better_auth_plugins0 from "better-auth/plugins";
 
 //#region src/oauth.d.ts
-
+declare module "@better-auth/core" {
+  interface BetterAuthPluginRegistry<Auth, Context> {
+    "oauth-provider": {
+      creator: typeof oauthProvider;
+    };
+  }
+}
 /**
  * oAuth 2.1 provider plugin for Better Auth.
  *
@@ -16,10 +22,8 @@ import * as better_auth_plugins0 from "better-auth/plugins";
  * @returns A Better Auth plugin.
  */
 declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
-  id: "oauthProvider";
-  options: O & {
-    claims?: string[];
-  };
+  id: "oauth-provider";
+  options: NoInfer<O>;
   init: (ctx: better_auth0.AuthContext) => void;
   hooks: {
     before: {

package/dist/{oauth-kjs13QN6.d.mts → oauth-BrFoF22H.d.mts}

@@ -1,4 +1,4 @@
-import { JWSAlgorithms } from "better-auth/plugins/jwt";
+import { JWSAlgorithms } from "better-auth/plugins";
 import { JWTPayload } from "jose";
 import { InferOptionSchema, Session, User } from "better-auth/types";
 import { LiteralString } from "@better-auth/core";

package/dist/{utils-CSiY9oUk.mjs → utils-CAYiYjbw.mjs}

@@ -80,14 +80,14 @@ var TTLCache = class {
 * @internal
 */
 const getOAuthProviderPlugin = (ctx) => {
-	return ctx.options.plugins?.find((plugin) => plugin.id === "oauthProvider");
+	return ctx.getPlugin("oauth-provider");
 };
 /**
 * Gets the JWT Plugin
 * @internal
 */
 const getJwtPlugin = (ctx) => {
-	const plugin = ctx.options.plugins?.find((plugin$1) => plugin$1.id === "jwt");
+	const plugin = ctx.getPlugin("jwt");
 	if (!plugin) throw new BetterAuthError("jwt_config", "jwt plugin not found");
 	return plugin;
 };
@@ -256,6 +256,16 @@ async function validateClientCredentials(ctx, options, clientId, clientSecret, s
 	return client;
 }
 /**
+* Parse client metadata that may be stored as JSON string or already parsed object.
+* Handles database adapters that auto-parse JSON columns.
+*
+* @internal
+*/
+function parseClientMetadata(metadata) {
+	if (!metadata) return void 0;
+	return typeof metadata === "string" ? JSON.parse(metadata) : metadata;
+}
+/**
 * Parse space-separated prompt string into a set of prompts
 *
 * @param prompt
@@ -283,4 +293,4 @@ function deleteFromPrompt(query, prompt) {
 }
 
 //#endregion
-export { getJwtPlugin as a, parsePrompt as c, validateClientCredentials as d, handleMcpErrors as f, getClient as i, storeClientSecret as l, decryptStoredClientSecret as n, getOAuthProviderPlugin as o, mcpHandler as p, deleteFromPrompt as r, getStoredToken as s, basicToClientCredentials as t, storeToken as u };
+export { getJwtPlugin as a, parseClientMetadata as c, storeToken as d, validateClientCredentials as f, getClient as i, parsePrompt as l, mcpHandler as m, decryptStoredClientSecret as n, getOAuthProviderPlugin as o, handleMcpErrors as p, deleteFromPrompt as r, getStoredToken as s, basicToClientCredentials as t, storeClientSecret as u };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.5.0-beta.1",
+  "version": "1.5.0-beta.3",
   "type": "module",
   "description": "An oauth provider plugin for Better Auth",
   "main": "dist/index.mjs",
@@ -42,8 +42,8 @@
     "@modelcontextprotocol/sdk": "^1.24.2",
     "listhen": "^1.9.0",
     "tsdown": "^0.17.2",
-    "@better-auth/core": "1.5.0-beta.1",
-    "better-auth": "1.5.0-beta.1"
+    "@better-auth/core": "1.5.0-beta.3",
+    "better-auth": "1.5.0-beta.3"
   },
   "dependencies": {
     "jose": "^6.1.0",
@@ -52,9 +52,9 @@
   "peerDependencies": {
     "@better-auth/utils": "0.3.0",
     "@better-fetch/fetch": "1.1.21",
-    "better-call": "1.1.7",
-    "@better-auth/core": "1.5.0-beta.1",
-    "better-auth": "1.5.0-beta.1"
+    "better-call": "1.1.8",
+    "@better-auth/core": "1.5.0-beta.3",
+    "better-auth": "1.5.0-beta.3"
   },
   "files": [
     "dist"