@better-auth/oauth-provider 1.6.1 → 1.7.0-beta.0

package/dist/client-assertion-DZqo-L5j.mjs

@@ -0,0 +1,272 @@
+import { a as getClient } from "./utils-CIbcUsZ5.mjs";
+import { APIError } from "better-call";
+import { ASSERTION_SIGNING_ALGORITHMS, CLIENT_ASSERTION_TYPE } from "@better-auth/core/oauth2";
+import { createLocalJWKSet, decodeJwt, decodeProtectedHeader, jwtVerify } from "jose";
+//#region \0rolldown/runtime.js
+var __defProp = Object.defineProperty;
+var __exportAll = (all, no_symbols) => {
+	let target = {};
+	for (var name in all) __defProp(target, name, {
+		get: all[name],
+		enumerable: true
+	});
+	if (!no_symbols) __defProp(target, Symbol.toStringTag, { value: "Module" });
+	return target;
+};
+//#endregion
+//#region src/utils/client-assertion.ts
+var client_assertion_exports = /* @__PURE__ */ __exportAll({
+	isPrivateHostname: () => isPrivateHostname,
+	verifyClientAssertion: () => verifyClientAssertion
+});
+const jwksCache = /* @__PURE__ */ new Map();
+const JWKS_CACHE_TTL_MS = 300 * 1e3;
+const JWKS_CACHE_MAX_ENTRIES = 500;
+const JWKS_FETCH_TIMEOUT_MS = 5e3;
+function setJwksCache(uri, jwks, fetchedAt) {
+	jwksCache.set(uri, {
+		jwks,
+		fetchedAt
+	});
+	if (jwksCache.size > JWKS_CACHE_MAX_ENTRIES) {
+		const oldest = jwksCache.keys().next().value;
+		if (oldest !== void 0) jwksCache.delete(oldest);
+	}
+}
+const ALGORITHMS_LIST = [...ASSERTION_SIGNING_ALGORITHMS];
+const pendingAssertionIds = /* @__PURE__ */ new Set();
+/**
+* Block SSRF: reject jwks_uri pointing at private/reserved IP ranges.
+* Only HTTPS with public hostnames is allowed.
+*/
+function isPrivateIpv4(hostname) {
+	const parts = hostname.split(".");
+	if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p))) return false;
+	const octets = parts.map(Number);
+	const a = octets[0];
+	const b = octets[1];
+	return a === 10 || a === 0 || a === 172 && b >= 16 && b <= 31 || a === 192 && b === 168 || a === 169 && b === 254 || a === 127;
+}
+function isPrivateHostname(hostname) {
+	const lower = hostname.toLowerCase();
+	const host = lower.startsWith("[") && lower.endsWith("]") ? lower.slice(1, -1) : lower;
+	if (host === "localhost" || host === "::1") return true;
+	if (isPrivateIpv4(host)) return true;
+	if (host.includes(":")) {
+		const v4MappedMatch = host.match(/^(?:0{0,4}:){0,4}:?(?:0{0,4}:)?ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/);
+		if (v4MappedMatch && isPrivateIpv4(v4MappedMatch[1])) return true;
+		const isLinkLocal = host.startsWith("fe8") || host.startsWith("fe9") || host.startsWith("fea") || host.startsWith("feb");
+		const isUniqueLocal = host.startsWith("fc") || host.startsWith("fd");
+		if (isLinkLocal || isUniqueLocal) return true;
+	}
+	if (host === "metadata.google.internal") return true;
+	return false;
+}
+function validateJwksUri(ctx, jwksUri) {
+	const parsed = new URL(jwksUri);
+	if (parsed.protocol !== "https:") throw new APIError("BAD_REQUEST", {
+		error_description: "jwks_uri must use HTTPS",
+		error: "invalid_client"
+	});
+	if (isPrivateHostname(parsed.hostname)) throw new APIError("BAD_REQUEST", {
+		error_description: "jwks_uri must not point to a private or reserved address",
+		error: "invalid_client"
+	});
+	if (!ctx.context.isTrustedOrigin(parsed.href)) throw new APIError("BAD_REQUEST", {
+		error_description: "client jwks_uri is not trusted",
+		error: "invalid_client"
+	});
+}
+async function fetchJwksFromUri(jwksUri) {
+	const controller = new AbortController();
+	const timeout = setTimeout(() => controller.abort(), JWKS_FETCH_TIMEOUT_MS);
+	try {
+		const response = await fetch(jwksUri, {
+			signal: controller.signal,
+			headers: { accept: "application/json" },
+			redirect: "error"
+		});
+		if (!response.ok) throw new Error(`JWKS fetch returned ${response.status}`);
+		const jwks = await response.json();
+		if (!jwks.keys || !Array.isArray(jwks.keys)) throw new Error("JWKS response missing keys array");
+		return jwks;
+	} finally {
+		clearTimeout(timeout);
+	}
+}
+async function fetchClientJwks(ctx, client) {
+	if (client.jwks) return JSON.parse(client.jwks);
+	if (!client.jwksUri) throw new APIError("BAD_REQUEST", {
+		error_description: "client has no JWKS configured",
+		error: "invalid_client"
+	});
+	validateJwksUri(ctx, client.jwksUri);
+	const now = Date.now();
+	const cached = jwksCache.get(client.jwksUri);
+	if (cached && now - cached.fetchedAt < JWKS_CACHE_TTL_MS) return cached.jwks;
+	try {
+		const jwks = await fetchJwksFromUri(client.jwksUri);
+		setJwksCache(client.jwksUri, jwks, now);
+		return jwks;
+	} catch {
+		const staleLimitMs = JWKS_CACHE_TTL_MS * 2;
+		if (cached && now - cached.fetchedAt < staleLimitMs) return cached.jwks;
+		throw new APIError("BAD_REQUEST", {
+			error_description: "failed to fetch client JWKS",
+			error: "invalid_client"
+		});
+	}
+}
+/**
+* Refetch JWKS from jwks_uri when signature verification fails with cached keys.
+* Handles key rotation: the client may have published a new key that isn't in our cache yet.
+*/
+async function refetchClientJwks(client) {
+	if (!client.jwksUri) return null;
+	try {
+		const jwks = await fetchJwksFromUri(client.jwksUri);
+		setJwksCache(client.jwksUri, jwks, Date.now());
+		return jwks;
+	} catch {
+		return null;
+	}
+}
+/**
+* Verifies a client assertion JWT for `private_key_jwt` authentication.
+*
+* Validates: signature, iss=client_id, sub=client_id, aud=token_endpoint,
+* exp, assertion max lifetime, jti uniqueness (replay prevention).
+*/
+async function verifyClientAssertion(ctx, opts, clientAssertion, clientAssertionType, clientIdHint, expectedAudience) {
+	if (clientAssertionType !== CLIENT_ASSERTION_TYPE) throw new APIError("BAD_REQUEST", {
+		error_description: "unsupported client_assertion_type",
+		error: "invalid_client"
+	});
+	let header;
+	try {
+		header = decodeProtectedHeader(clientAssertion);
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			error_description: "malformed client assertion: invalid JWT header",
+			error: "invalid_client"
+		});
+	}
+	if (!header.alg || !ASSERTION_SIGNING_ALGORITHMS.includes(header.alg)) throw new APIError("BAD_REQUEST", {
+		error_description: `unsupported assertion signing algorithm: ${header.alg}`,
+		error: "invalid_client"
+	});
+	let unverified;
+	try {
+		unverified = decodeJwt(clientAssertion);
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			error_description: "malformed client assertion: invalid JWT payload",
+			error: "invalid_client"
+		});
+	}
+	const clientId = unverified.sub ?? unverified.iss;
+	if (!clientId) throw new APIError("BAD_REQUEST", {
+		error_description: "client assertion must contain sub or iss claim identifying the client",
+		error: "invalid_client"
+	});
+	if (clientIdHint && clientIdHint !== clientId) throw new APIError("BAD_REQUEST", {
+		error_description: "client_id in body does not match assertion sub/iss",
+		error: "invalid_client"
+	});
+	const client = await getClient(ctx, opts, clientId);
+	if (!client) throw new APIError("BAD_REQUEST", {
+		error_description: "unknown client",
+		error: "invalid_client"
+	});
+	if (client.disabled) throw new APIError("BAD_REQUEST", {
+		error_description: "client is disabled",
+		error: "invalid_client"
+	});
+	if (client.tokenEndpointAuthMethod !== "private_key_jwt") throw new APIError("BAD_REQUEST", {
+		error_description: "client is not registered for private_key_jwt authentication",
+		error: "invalid_client"
+	});
+	const jwks = await fetchClientJwks(ctx, client);
+	const audience = expectedAudience ?? `${ctx.context.baseURL}/oauth2/token`;
+	const maxLifetime = opts.assertionMaxLifetime ?? 300;
+	const verifyOpts = {
+		issuer: clientId,
+		subject: clientId,
+		audience,
+		algorithms: ALGORITHMS_LIST
+	};
+	let payload;
+	try {
+		({payload} = await jwtVerify(clientAssertion, createLocalJWKSet(jwks), verifyOpts));
+	} catch (verifyErr) {
+		if (verifyErr instanceof Error && /no matching key|no applicable key/i.test(verifyErr.message)) {
+			const refreshed = await refetchClientJwks(client);
+			if (refreshed) try {
+				({payload} = await jwtVerify(clientAssertion, createLocalJWKSet(refreshed), verifyOpts));
+			} catch {
+				throw new APIError("UNAUTHORIZED", {
+					error_description: "client assertion signature verification failed",
+					error: "invalid_client"
+				});
+			}
+			else throw new APIError("UNAUTHORIZED", {
+				error_description: "client assertion signature verification failed",
+				error: "invalid_client"
+			});
+		} else throw new APIError("UNAUTHORIZED", {
+			error_description: "client assertion signature verification failed",
+			error: "invalid_client"
+		});
+	}
+	const now = Math.floor(Date.now() / 1e3);
+	if (typeof payload.exp !== "number") throw new APIError("BAD_REQUEST", {
+		error_description: "client assertion must include exp claim",
+		error: "invalid_client"
+	});
+	if (payload.exp - now > maxLifetime) throw new APIError("BAD_REQUEST", {
+		error_description: `client assertion exp is too far in the future (max ${maxLifetime}s)`,
+		error: "invalid_client"
+	});
+	if (typeof payload.iat === "number" && now - payload.iat > maxLifetime) throw new APIError("BAD_REQUEST", {
+		error_description: `client assertion iat is too far in the past (max ${maxLifetime}s)`,
+		error: "invalid_client"
+	});
+	if (!payload.jti) throw new APIError("BAD_REQUEST", {
+		error_description: "client assertion must include jti claim",
+		error: "invalid_client"
+	});
+	const jtiIdentifier = `private_key_jwt:${clientId}:${payload.jti}`;
+	if (pendingAssertionIds.has(jtiIdentifier)) throw new APIError("BAD_REQUEST", {
+		error_description: "client assertion jti has already been used",
+		error: "invalid_client"
+	});
+	pendingAssertionIds.add(jtiIdentifier);
+	try {
+		if (await ctx.context.internalAdapter.findVerificationValue(jtiIdentifier)) throw new APIError("BAD_REQUEST", {
+			error_description: "client assertion jti has already been used",
+			error: "invalid_client"
+		});
+		const jtiExpiry = /* @__PURE__ */ new Date(payload.exp * 1e3);
+		try {
+			await ctx.context.internalAdapter.createVerificationValue({
+				identifier: jtiIdentifier,
+				value: clientId,
+				expiresAt: jtiExpiry
+			});
+		} catch (createErr) {
+			if (await ctx.context.internalAdapter.findVerificationValue(jtiIdentifier)) throw new APIError("BAD_REQUEST", {
+				error_description: "client assertion jti has already been used",
+				error: "invalid_client"
+			});
+			throw createErr;
+		}
+	} finally {
+		pendingAssertionIds.delete(jtiIdentifier);
+	}
+	return {
+		clientId,
+		client
+	};
+}
+//#endregion
+export { isPrivateHostname as n, client_assertion_exports as t };

package/dist/client-resource.d.mts

@@ -1,4 +1,4 @@
-import { a as ResourceServerMetadata } from "./oauth-Cc0nzj5Q.mjs";
+import { a as ResourceServerMetadata } from "./oauth-C8aTlaAC.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
 import { Auth } from "better-auth/types";
 

package/dist/client-resource.mjs

@@ -1,5 +1,6 @@
-import { a as getJwtPlugin, o as getOAuthProviderPlugin, v as handleMcpErrors } from "./utils-sQ4gYeh3.mjs";
-import { t as PACKAGE_VERSION } from "./version-xqVKoocI.mjs";
+import { t as handleMcpErrors } from "./mcp-CYnz-MXn.mjs";
+import { o as getJwtPlugin, s as getOAuthProviderPlugin } from "./utils-CIbcUsZ5.mjs";
+import { t as PACKAGE_VERSION } from "./version-BGWhjYBb.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { n as oauthProvider } from "./oauth-CYgzO8Am.mjs";
+import { n as oauthProvider } from "./oauth-Dh4YXCXY.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-xqVKoocI.mjs";
+import { t as PACKAGE_VERSION } from "./version-BGWhjYBb.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-Cc0nzj5Q.mjs";
-import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-CYgzO8Am.mjs";
+import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-C8aTlaAC.mjs";
+import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-Dh4YXCXY.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";

package/dist/index.mjs

@@ -1,8 +1,11 @@
-import { _ as verifyOAuthQueryParams, a as getJwtPlugin, c as isPKCERequired, d as parsePrompt, f as resolveSessionAuthTime, g as validateClientCredentials, h as storeToken, i as getClient, l as normalizeTimestampValue, m as storeClientSecret, n as decryptStoredClientSecret, p as resolveSubjectIdentifier, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, y as mcpHandler } from "./utils-sQ4gYeh3.mjs";
-import { t as PACKAGE_VERSION } from "./version-xqVKoocI.mjs";
+import { n as isPrivateHostname } from "./client-assertion-DZqo-L5j.mjs";
+import { n as mcpHandler } from "./mcp-CYnz-MXn.mjs";
+import { _ as storeToken, a as getClient, c as getStoredToken, d as parseClientMetadata, f as parsePrompt, g as storeClientSecret, h as searchParamsToQuery, i as extractClientCredentials, l as isPKCERequired, m as resolveSubjectIdentifier, n as deleteFromPrompt, o as getJwtPlugin, p as resolveSessionAuthTime, r as destructureCredentials, t as decryptStoredClientSecret, u as normalizeTimestampValue, v as validateClientCredentials, y as verifyOAuthQueryParams } from "./utils-CIbcUsZ5.mjs";
+import { t as PACKAGE_VERSION } from "./version-BGWhjYBb.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
+import { ASSERTION_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
 import { isBrowserFetchRequest } from "@better-auth/core/utils/fetch-metadata";
 import { generateRandomString, makeSignature } from "better-auth/crypto";
 import { defineRequestState } from "@better-auth/core/context";
@@ -145,7 +148,7 @@ async function postLogin(ctx, opts) {
 	});
 	const query = new URLSearchParams(_query);
 	ctx.headers?.set("accept", "application/json");
-	ctx.query = Object.fromEntries(query);
+	ctx.query = searchParamsToQuery(query);
 	const { url } = await authorizeEndpoint(ctx, opts, { postLogin: true });
 	return {
 		redirect: true,
@@ -483,13 +486,8 @@ async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri)
 * Obtains new Session Jwt and Refresh Tokens using a code
 */
 async function handleAuthorizationCodeGrant(ctx, opts) {
-	let { client_id, client_secret, code, code_verifier, redirect_uri } = ctx.body;
-	const authorization = ctx.request?.headers.get("authorization") || null;
-	if (authorization?.startsWith("Basic ")) {
-		const res = basicToClientCredentials(authorization);
-		client_id = res?.client_id;
-		client_secret = res?.client_secret;
-	}
+	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
+	const { code, code_verifier, redirect_uri } = ctx.body;
 	if (!client_id) throw new APIError("BAD_REQUEST", {
 		error_description: "client_id is required",
 		error: "invalid_request"
@@ -504,7 +502,7 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 	});
 	const isAuthCodeWithSecret = client_id && client_secret;
 	const isAuthCodeWithPkce = client_id && code && code_verifier;
-	if (!isAuthCodeWithSecret && !isAuthCodeWithPkce) throw new APIError("BAD_REQUEST", {
+	if (!isAuthCodeWithSecret && !isAuthCodeWithPkce && !preVerifiedClient) throw new APIError("BAD_REQUEST", {
 		error_description: "Either code_verifier or client_secret is required",
 		error: "invalid_request"
 	});
@@ -516,14 +514,14 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 		error: "invalid_scope"
 	});
 	/** Verify Client */
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, scopes);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, scopes, preVerifiedClient);
 	if (isPKCERequired(client, (verificationValue.query?.scope)?.split(" ") || [])) {
 		if (!isAuthCodeWithPkce) throw new APIError("BAD_REQUEST", {
 			error_description: "PKCE is required for this client",
 			error: "invalid_request"
 		});
-	} else if (!(isAuthCodeWithPkce || isAuthCodeWithSecret)) throw new APIError("BAD_REQUEST", {
-		error_description: "Either PKCE (code_verifier) or client authentication (client_secret) is required",
+	} else if (!(isAuthCodeWithPkce || isAuthCodeWithSecret || preVerifiedClient)) throw new APIError("BAD_REQUEST", {
+		error_description: "Either PKCE (code_verifier) or client authentication (client_secret or client_assertion) is required",
 		error: "invalid_request"
 	});
 	/** Check PKCE challenge if verifier is provided */
@@ -574,22 +572,17 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 * MUST follow https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
 */
 async function handleClientCredentialsGrant(ctx, opts) {
-	let { client_id, client_secret, scope } = ctx.body;
-	const authorization = ctx.request?.headers.get("authorization") || null;
-	if (authorization?.startsWith("Basic ")) {
-		const res = basicToClientCredentials(authorization);
-		client_id = res?.client_id;
-		client_secret = res?.client_secret;
-	}
+	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
+	const { scope } = ctx.body;
 	if (!client_id) throw new APIError("BAD_REQUEST", {
 		error_description: "Missing required client_id",
 		error: "invalid_grant"
 	});
-	if (!client_secret) throw new APIError("BAD_REQUEST", {
+	if (!client_secret && !preVerifiedClient) throw new APIError("BAD_REQUEST", {
 		error_description: "Missing a required client_secret",
 		error: "invalid_grant"
 	});
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, preVerifiedClient);
 	let requestedScopes = scope?.split(" ");
 	if (requestedScopes) {
 		const validScopes = new Set(client.scopes ?? opts.scopes);
@@ -653,13 +646,8 @@ async function handleClientCredentialsGrant(ctx, opts) {
 * To add scopes, you must restart the authorize process again.
 */
 async function handleRefreshTokenGrant(ctx, opts) {
-	let { client_id, client_secret, refresh_token, scope } = ctx.body;
-	const authorization = ctx.request?.headers.get("authorization") || null;
-	if (authorization?.startsWith("Basic ")) {
-		const res = basicToClientCredentials(authorization);
-		client_id = res?.client_id;
-		client_secret = res?.client_secret;
-	}
+	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
+	const { refresh_token, scope } = ctx.body;
 	if (!client_id) throw new APIError("BAD_REQUEST", {
 		error_description: "Missing required client_id",
 		error: "invalid_grant"
@@ -713,7 +701,7 @@ async function handleRefreshTokenGrant(ctx, opts) {
 			error: "invalid_scope"
 		});
 	}
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, requestedScopes ?? scopes);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, requestedScopes ?? scopes, preVerifiedClient);
 	const user = await ctx.context.internalAdapter.findUserById(refreshToken.userId);
 	if (!user) throw new APIError("BAD_REQUEST", {
 		error_description: "user not found",
@@ -931,14 +919,9 @@ async function resolveIntrospectionSub(opts, payload, client) {
 	return payload;
 }
 async function introspectEndpoint(ctx, opts) {
-	let { client_id, client_secret, token, token_type_hint } = ctx.body;
-	const authorization = ctx.request?.headers.get("authorization") || null;
-	if (authorization?.startsWith("Basic ")) {
-		const res = basicToClientCredentials(authorization);
-		client_id = res?.client_id;
-		client_secret = res?.client_secret;
-	}
-	if (!client_id || !client_secret) throw new APIError$1("UNAUTHORIZED", {
+	let { token, token_type_hint } = ctx.body;
+	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/introspect`));
+	if (!client_id || !client_secret && !preVerifiedClient) throw new APIError$1("UNAUTHORIZED", {
 		error_description: "missing required credentials",
 		error: "invalid_client"
 	});
@@ -947,7 +930,7 @@ async function introspectEndpoint(ctx, opts) {
 		error_description: "missing a required token for introspection",
 		error: "invalid_request"
 	});
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, preVerifiedClient);
 	try {
 		if (token_type_hint === void 0 || token_type_hint === "access_token") try {
 			return resolveIntrospectionSub(opts, await validateAccessToken(ctx, opts, token, client.clientId), client);
@@ -1172,18 +1155,59 @@ async function checkOAuthClient(client, opts, settings) {
 		error: "invalid_client_metadata",
 		error_description: `pkce is required for registered clients.`
 	});
-	if (settings?.isRegister && client.skip_consent) throw new APIError("BAD_REQUEST", {
+	if (client.token_endpoint_auth_method === "private_key_jwt") {
+		if (client.jwks && client.jwks_uri) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "jwks and jwks_uri are mutually exclusive"
+		});
+		if (!client.jwks && !client.jwks_uri) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "private_key_jwt requires either jwks or jwks_uri"
+		});
+		if (client.jwks_uri) try {
+			const uri = new URL(client.jwks_uri);
+			if (uri.protocol !== "https:") throw new APIError("BAD_REQUEST", {
+				error: "invalid_client_metadata",
+				error_description: "jwks_uri must use HTTPS"
+			});
+			if (isPrivateHostname(uri.hostname)) throw new APIError("BAD_REQUEST", {
+				error: "invalid_client_metadata",
+				error_description: "jwks_uri must not point to a private or reserved address"
+			});
+			if (settings?.ctx && !settings.ctx.context.isTrustedOrigin(uri.href)) throw new APIError("BAD_REQUEST", {
+				error: "invalid_client_metadata",
+				error_description: "jwks_uri must belong to a trusted origin"
+			});
+		} catch (e) {
+			if (e instanceof APIError) throw e;
+			throw new APIError("BAD_REQUEST", {
+				error: "invalid_client_metadata",
+				error_description: "jwks_uri must be a valid URL"
+			});
+		}
+		if (client.jwks) {
+			const keys = Array.isArray(client.jwks) ? client.jwks : client.jwks.keys;
+			if (!Array.isArray(keys) || keys.length === 0) throw new APIError("BAD_REQUEST", {
+				error: "invalid_client_metadata",
+				error_description: "jwks must be a non-empty array of JWK objects or a JWKS document {keys:[...]}"
+			});
+		}
+	} else if (client.jwks || client.jwks_uri) throw new APIError("BAD_REQUEST", {
 		error: "invalid_client_metadata",
-		error_description: "skip_consent cannot be set during dynamic client registration"
+		error_description: "jwks and jwks_uri are only allowed with private_key_jwt authentication"
 	});
 }
 async function createOAuthClientEndpoint(ctx, opts, settings) {
 	const body = ctx.body;
 	const session = await getSessionFromCtx(ctx);
 	const isPublic = body.token_endpoint_auth_method === "none";
-	await checkOAuthClient(ctx.body, opts, settings);
+	const isPrivateKeyJwt = body.token_endpoint_auth_method === "private_key_jwt";
+	await checkOAuthClient(ctx.body, opts, {
+		...settings,
+		ctx
+	});
 	const clientId = opts.generateClientId?.() || generateRandomString(32, "a-z", "A-Z");
-	const clientSecret = isPublic ? void 0 : opts.generateClientSecret?.() || generateRandomString(32, "a-z", "A-Z");
+	const clientSecret = isPublic || isPrivateKeyJwt ? void 0 : opts.generateClientSecret?.() || generateRandomString(32, "a-z", "A-Z");
 	const storedClientSecret = clientSecret ? await storeClientSecret(ctx, opts, clientSecret) : void 0;
 	const iat = Math.floor(Date.now() / 1e3);
 	const referenceId = opts.clientReference ? await opts.clientReference({
@@ -1193,8 +1217,6 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 	const schema = oauthToSchema({
 		...body ?? {},
 		disabled: void 0,
-		jwks: void 0,
-		jwks_uri: void 0,
 		client_secret_expires_at: storedClientSecret ? settings.isRegister && opts?.clientRegistrationClientSecretExpiration ? toExpJWT(opts.clientRegistrationClientSecretExpiration, iat) : 0 : void 0,
 		client_id: clientId,
 		client_secret: storedClientSecret,
@@ -1229,7 +1251,7 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 * @returns
 */
 function oauthToSchema(input) {
-	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: _jwks, jwks_uri: _jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, require_pkce: requirePKCE, subject_type: subjectType, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
+	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: inputJwks, jwks_uri: jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, require_pkce: requirePKCE, subject_type: subjectType, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
 	const expiresAt = _expiresAt ? /* @__PURE__ */ new Date(_expiresAt * 1e3) : void 0;
 	const createdAt = _createdAt ? /* @__PURE__ */ new Date(_createdAt * 1e3) : void 0;
 	const scopes = _scope?.split(" ");
@@ -1237,6 +1259,7 @@ function oauthToSchema(input) {
 		...rest && Object.keys(rest).length ? rest : {},
 		...inputMetadata && typeof inputMetadata === "object" ? inputMetadata : {}
 	};
+	const metadata = Object.keys(metadataObj).length ? JSON.stringify(metadataObj) : void 0;
 	return {
 		clientId,
 		clientSecret,
@@ -1259,6 +1282,8 @@ function oauthToSchema(input) {
 		tokenEndpointAuthMethod,
 		grantTypes,
 		responseTypes,
+		jwks: inputJwks ? JSON.stringify({ keys: Array.isArray(inputJwks) ? inputJwks : inputJwks.keys }) : void 0,
+		jwksUri,
 		public: _public,
 		type,
 		skipConsent,
@@ -1266,7 +1291,7 @@ function oauthToSchema(input) {
 		requirePKCE,
 		subjectType,
 		referenceId,
-		metadata: Object.keys(metadataObj).length ? JSON.stringify(metadataObj) : void 0
+		metadata
 	};
 }
 /**
@@ -1276,7 +1301,7 @@ function oauthToSchema(input) {
 * @returns
 */
 function schemaToOAuth(input) {
-	const { clientId, clientSecret, disabled, scopes, userId, createdAt, updatedAt: _updatedAt, expiresAt, name, uri, icon, contacts, tos, policy, softwareId, softwareVersion, softwareStatement, redirectUris, postLogoutRedirectUris, tokenEndpointAuthMethod, grantTypes, responseTypes, public: _public, type, skipConsent, enableEndSession, requirePKCE, subjectType, referenceId, metadata } = input;
+	const { clientId, clientSecret, disabled, scopes, userId, createdAt, updatedAt: _updatedAt, expiresAt, name, uri, icon, contacts, tos, policy, softwareId, softwareVersion, softwareStatement, redirectUris, postLogoutRedirectUris, tokenEndpointAuthMethod, grantTypes, responseTypes, public: _public, type, jwks, jwksUri, skipConsent, enableEndSession, requirePKCE, subjectType, referenceId, metadata } = input;
 	const _expiresAt = expiresAt ? Math.round(new Date(expiresAt).getTime() / 1e3) : void 0;
 	const _createdAt = createdAt ? Math.round(new Date(createdAt).getTime() / 1e3) : void 0;
 	const _scopes = scopes?.join(" ");
@@ -1294,6 +1319,8 @@ function schemaToOAuth(input) {
 		contacts: contacts ?? void 0,
 		tos_uri: tos ?? void 0,
 		policy_uri: policy ?? void 0,
+		jwks: jwks ? JSON.parse(jwks).keys : void 0,
+		jwks_uri: jwksUri ?? void 0,
 		software_id: softwareId ?? void 0,
 		software_version: softwareVersion ?? void 0,
 		software_statement: softwareStatement ?? void 0,
@@ -1510,7 +1537,13 @@ async function updateClientEndpoint(ctx, opts) {
 	await checkOAuthClient({
 		...schemaToOAuth(client),
 		...updates
-	}, opts);
+	}, opts, { ctx });
+	const schemaUpdates = { ...oauthToSchema(updates) };
+	if (updates.token_endpoint_auth_method) if (updates.token_endpoint_auth_method === "private_key_jwt") schemaUpdates.clientSecret = null;
+	else {
+		schemaUpdates.jwks = null;
+		schemaUpdates.jwksUri = null;
+	}
 	const updatedClient = await ctx.context.adapter.update({
 		model: "oauthClient",
 		where: [{
@@ -1518,7 +1551,7 @@ async function updateClientEndpoint(ctx, opts) {
 			value: clientId
 		}],
 		update: {
-			...oauthToSchema(updates),
+			...schemaUpdates,
 			updatedAt: /* @__PURE__ */ new Date(Math.floor(Date.now() / 1e3) * 1e3)
 		}
 	});
@@ -1556,7 +1589,7 @@ async function rotateClientSecretEndpoint(ctx, opts) {
 		if (client.referenceId !== await opts.clientReference(session)) throw new APIError("UNAUTHORIZED");
 	} else throw new APIError("UNAUTHORIZED");
 	if (client.public || !client.clientSecret) throw new APIError("BAD_REQUEST", {
-		error_description: "public clients cannot be updated",
+		error_description: "secret rotation is only available for clients using client_secret authentication",
 		error: "invalid_client"
 	});
 	const clientSecret = opts.generateClientSecret?.() || generateRandomString(32, "a-z", "A-Z");
@@ -1601,8 +1634,11 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 		token_endpoint_auth_method: z.enum([
 			"none",
 			"client_secret_basic",
-			"client_secret_post"
+			"client_secret_post",
+			"private_key_jwt"
 		]).default("client_secret_basic").optional(),
+		jwks: z.union([z.array(z.record(z.string(), z.unknown())), z.object({ keys: z.array(z.record(z.string(), z.unknown())) })]).optional(),
+		jwks_uri: z.string().optional(),
 		grant_types: z.array(z.enum([
 			"authorization_code",
 			"client_credentials",
@@ -1784,8 +1820,11 @@ const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client",
 		token_endpoint_auth_method: z.enum([
 			"none",
 			"client_secret_basic",
-			"client_secret_post"
+			"client_secret_post",
+			"private_key_jwt"
 		]).default("client_secret_basic").optional(),
+		jwks: z.union([z.array(z.record(z.string(), z.unknown())), z.object({ keys: z.array(z.record(z.string(), z.unknown())) })]).optional(),
+		jwks_uri: z.string().optional(),
 		grant_types: z.array(z.enum([
 			"authorization_code",
 			"client_credentials",
@@ -2343,13 +2382,8 @@ async function revokeAccessToken(ctx, opts, clientId, token) {
 	});
 }
 async function revokeEndpoint(ctx, opts) {
-	let { client_id, client_secret, token, token_type_hint } = ctx.body;
-	const authorization = ctx.request?.headers.get("authorization") || null;
-	if (authorization?.startsWith("Basic ")) {
-		const res = basicToClientCredentials(authorization);
-		client_id = res?.client_id;
-		client_secret = res?.client_secret;
-	}
+	let { token, token_type_hint } = ctx.body;
+	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/revoke`));
 	if (!client_id) throw new APIError$1("UNAUTHORIZED", {
 		error_description: "missing required credentials",
 		error: "invalid_client"
@@ -2359,7 +2393,7 @@ async function revokeEndpoint(ctx, opts) {
 		error_description: "missing a required token for introspection",
 		error: "invalid_request"
 	});
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, preVerifiedClient);
 	try {
 		if (token_type_hint === void 0 || token_type_hint === "access_token") try {
 			return await revokeAccessToken(ctx, opts, client.clientId, token);
@@ -2494,6 +2528,14 @@ const schema = {
 				type: "string",
 				required: false
 			},
+			jwks: {
+				type: "string",
+				required: false
+			},
+			jwksUri: {
+				type: "string",
+				required: false
+			},
 			grantTypes: {
 				type: "string[]",
 				required: false
@@ -2996,6 +3038,8 @@ const oauthProvider = (options) => {
 					]),
 					client_id: z.string().optional(),
 					client_secret: z.string().optional(),
+					client_assertion: z.string().optional(),
+					client_assertion_type: z.string().optional(),
 					code: z.string().optional(),
 					code_verifier: z.string().optional(),
 					redirect_uri: SafeUrlSchema.optional(),
@@ -3120,6 +3164,8 @@ const oauthProvider = (options) => {
 				body: z.object({
 					client_id: z.string().optional(),
 					client_secret: z.string().optional(),
+					client_assertion: z.string().optional(),
+					client_assertion_type: z.string().optional(),
 					token: z.string(),
 					token_type_hint: z.enum(["access_token", "refresh_token"]).optional()
 				}),
@@ -3238,6 +3284,8 @@ const oauthProvider = (options) => {
 				body: z.object({
 					client_id: z.string().optional(),
 					client_secret: z.string().optional(),
+					client_assertion: z.string().optional(),
+					client_assertion_type: z.string().optional(),
 					token: z.string(),
 					token_type_hint: z.enum(["access_token", "refresh_token"]).optional()
 				}),
@@ -3435,8 +3483,11 @@ const oauthProvider = (options) => {
 					token_endpoint_auth_method: z.enum([
 						"none",
 						"client_secret_basic",
-						"client_secret_post"
+						"client_secret_post",
+						"private_key_jwt"
 					]).default("client_secret_basic").optional(),
+					jwks: z.union([z.array(z.record(z.string(), z.unknown())), z.object({ keys: z.array(z.record(z.string(), z.unknown())) })]).optional(),
+					jwks_uri: z.string().optional(),
 					grant_types: z.array(z.enum([
 						"authorization_code",
 						"client_credentials",
@@ -3449,7 +3500,7 @@ const oauthProvider = (options) => {
 						"user-agent-based"
 					]).optional(),
 					subject_type: z.enum(["public", "pairwise"]).optional(),
-					skip_consent: z.boolean().optional()
+					skip_consent: z.never({ error: "skip_consent cannot be set during dynamic client registration" }).optional()
 				}),
 				metadata: { openapi: {
 					description: "Register an OAuth2 application",
@@ -3541,7 +3592,8 @@ const oauthProvider = (options) => {
 									enum: [
 										"none",
 										"client_secret_basic",
-										"client_secret_post"
+										"client_secret_post",
+										"private_key_jwt"
 									]
 								},
 								grant_types: {
@@ -3850,7 +3902,11 @@ async function authorizeEndpoint(ctx, opts, settings) {
 }
 function serializeAuthorizationQuery(query) {
 	const params = new URLSearchParams();
-	for (const [key, value] of Object.entries(query)) if (value != null) params.set(key, String(value));
+	for (const [key, value] of Object.entries(query)) {
+		if (value == null) continue;
+		if (Array.isArray(value)) for (const v of value) params.append(key, String(v));
+		else params.set(key, String(value));
+	}
 	return params;
 }
 async function redirectWithAuthorizationCode(ctx, opts, verificationValue) {
@@ -3922,10 +3978,22 @@ function authServerMetadata(ctx, opts, overrides) {
 		token_endpoint_auth_methods_supported: [
 			...overrides?.public_client_supported ? ["none"] : [],
 			"client_secret_basic",
-			"client_secret_post"
+			"client_secret_post",
+			"private_key_jwt"
+		],
+		token_endpoint_auth_signing_alg_values_supported: [...ASSERTION_SIGNING_ALGORITHMS],
+		introspection_endpoint_auth_methods_supported: [
+			"client_secret_basic",
+			"client_secret_post",
+			"private_key_jwt"
+		],
+		introspection_endpoint_auth_signing_alg_values_supported: [...ASSERTION_SIGNING_ALGORITHMS],
+		revocation_endpoint_auth_methods_supported: [
+			"client_secret_basic",
+			"client_secret_post",
+			"private_key_jwt"
 		],
-		introspection_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
-		revocation_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+		revocation_endpoint_auth_signing_alg_values_supported: [...ASSERTION_SIGNING_ALGORITHMS],
 		code_challenge_methods_supported: ["S256"],
 		authorization_response_iss_parameter_supported: true
 	};

package/dist/mcp-CYnz-MXn.mjs

@@ -0,0 +1,56 @@
+import { isAPIError } from "better-auth/api";
+import { verifyAccessToken } from "better-auth/oauth2";
+import { APIError as APIError$1 } from "better-call";
+//#region src/mcp.ts
+/**
+* A request middleware handler that checks and responds with
+* a WWW-Authenticate header for unauthenticated responses.
+*
+* @external
+*/
+const mcpHandler = (verifyOptions, handler, opts) => {
+	return async (req) => {
+		const authorization = req.headers?.get("authorization") ?? void 0;
+		const accessToken = authorization?.startsWith("Bearer ") ? authorization.replace("Bearer ", "") : authorization;
+		try {
+			if (!accessToken?.length) throw new APIError$1("UNAUTHORIZED", { message: "missing authorization header" });
+			return handler(req, await verifyAccessToken(accessToken, verifyOptions));
+		} catch (error) {
+			try {
+				handleMcpErrors(error, verifyOptions.verifyOptions.audience, opts);
+			} catch (err) {
+				if (err instanceof APIError$1) return new Response(err.message, {
+					...err,
+					status: err.statusCode
+				});
+				throw new Error(String(err));
+			}
+			throw new Error(String(error));
+		}
+	};
+};
+/**
+* The following handles all MCP errors and API errors
+*
+* @internal
+*/
+function handleMcpErrors(error, resource, opts) {
+	if (isAPIError(error) && error.status === "UNAUTHORIZED") {
+		const wwwAuthenticateValue = (Array.isArray(resource) ? resource : [resource]).map((v) => {
+			let audiencePath;
+			if (URL.canParse?.(v)) {
+				const url = new URL(v);
+				audiencePath = url.pathname.endsWith("/") ? url.pathname.slice(0, -1) : url.pathname;
+				return `Bearer resource_metadata="${url.origin}/.well-known/oauth-protected-resource${audiencePath}"`;
+			} else {
+				const resourceMetadata = opts?.resourceMetadataMappings?.[v];
+				if (!resourceMetadata) throw new APIError$1("INTERNAL_SERVER_ERROR", { message: `missing resource_metadata mapping for ${v}` });
+				return `Bearer resource_metadata=${resourceMetadata}`;
+			}
+		}).join(", ");
+		throw new APIError$1("UNAUTHORIZED", { message: error.message }, { "WWW-Authenticate": wwwAuthenticateValue });
+	} else if (error instanceof Error) throw error;
+	else throw new Error(error);
+}
+//#endregion
+export { mcpHandler as n, handleMcpErrors as t };

package/dist/{oauth-Cc0nzj5Q.d.mts → oauth-C8aTlaAC.d.mts}

@@ -1,3 +1,4 @@
+import { AssertionSigningAlgorithm } from "@better-auth/core/oauth2";
 import { JWSAlgorithms } from "better-auth/plugins";
 import { JWTPayload } from "jose";
 import { InferOptionSchema, Session, User } from "better-auth/types";
@@ -102,6 +103,14 @@ declare const schema: {
         type: "string";
         required: false;
       };
+      jwks: {
+        type: "string";
+        required: false;
+      };
+      jwksUri: {
+        type: "string";
+        required: false;
+      };
       grantTypes: {
         type: "string[]";
         required: false;
@@ -388,6 +397,13 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
    * { "write:payments": "5m", "read:payments": "30m" }
    */
   scopeExpirations?: { [K in Scopes[number]]?: number | string | Date };
+  /**
+   * Maximum lifetime in seconds for client assertion JWTs
+   * used with `private_key_jwt` authentication.
+   *
+   * @default 300 (5 minutes)
+   */
+  assertionMaxLifetime?: number;
   /**
    * Allows /oauth2/public-client-prelogin endpoint to be
    * requestable prior to login via a valid oauth_query.
@@ -1158,9 +1174,13 @@ interface SchemaClient<Scopes extends readonly Scope[] = InternallySupportedScop
    * For example, `https://example.com/logout/callback`
    */
   postLogoutRedirectUris?: string[];
-  tokenEndpointAuthMethod?: "none" | "client_secret_basic" | "client_secret_post";
+  tokenEndpointAuthMethod?: "none" | "client_secret_basic" | "client_secret_post" | "private_key_jwt";
   grantTypes?: GrantType[];
   responseTypes?: "code"[];
+  /** Client's JSON Web Key Set for `private_key_jwt` authentication. Mutually exclusive with `jwksUri`. */
+  jwks?: string;
+  /** URI for the client's JSON Web Key Set. Mutually exclusive with `jwks`. Must be HTTPS. */
+  jwksUri?: string;
   /**
    * Indicates whether the client is public or confidential.
    * If public, refreshing tokens doesn't require
@@ -1297,7 +1317,7 @@ type OAuthConsent<Scopes extends readonly Scope[] = InternallySupportedScopes[]>
  * Supported grant types of the token endpoint
  */
 type GrantType = "authorization_code" | "client_credentials" | "refresh_token";
-type AuthMethod = "client_secret_basic" | "client_secret_post";
+type AuthMethod = "client_secret_basic" | "client_secret_post" | "private_key_jwt";
 type TokenEndpointAuthMethod = AuthMethod | "none";
 type BearerMethodsSupported = "header" | "body";
 /**
@@ -1374,7 +1394,7 @@ interface AuthServerMetadata {
    * token endpoint for the "private_key_jwt" and "client_secret_jwt"
    * authentication methods (see field token_endpoint_auth_methods_supported).
    */
-  token_endpoint_auth_signing_alg_values_supported?: JWSAlgorithms[];
+  token_endpoint_auth_signing_alg_values_supported?: AssertionSigningAlgorithm[];
   /**
    * URL of a page containing human-readable information
    * that developers might want or need to know when using the
@@ -1420,7 +1440,7 @@ interface AuthServerMetadata {
    * token endpoint for the "private_key_jwt" and "client_secret_jwt"
    * authentication methods (see field revocation_endpoint_auth_methods_supported).
    */
-  revocation_endpoint_auth_signing_alg_values_supported?: JWSAlgorithms[];
+  revocation_endpoint_auth_signing_alg_values_supported?: AssertionSigningAlgorithm[];
   /**
    * URL of the authorization server's OAuth 2.0
    * introspection endpoint [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662)
@@ -1441,7 +1461,7 @@ interface AuthServerMetadata {
    * the "private_key_jwt" and "client_secret_jwt" authentication methods
    * (see field introspection_endpoint_auth_methods_supported).
    */
-  introspection_endpoint_auth_signing_alg_values_supported?: JWSAlgorithms[];
+  introspection_endpoint_auth_signing_alg_values_supported?: AssertionSigningAlgorithm[];
   /**
    * Supported code challenge methods.
    *
@@ -1548,14 +1568,17 @@ interface OAuthClient {
   contacts?: string[];
   tos_uri?: string;
   policy_uri?: string;
-  jwks?: string[];
+  /** JWK Set — accepts either a bare key array or an RFC 7517 JWKS object `{"keys":[...]}` */
+  jwks?: Record<string, unknown>[] | {
+    keys: Record<string, unknown>[];
+  };
   jwks_uri?: string;
   software_id?: string;
   software_version?: string;
   software_statement?: string;
   redirect_uris: string[];
   post_logout_redirect_uris?: string[];
-  token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post";
+  token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post" | "private_key_jwt";
   grant_types?: GrantType[];
   response_types?: "code"[];
   public?: boolean;

package/dist/{oauth-CYgzO8Am.d.mts → oauth-Dh4YXCXY.d.mts}

@@ -1,4 +1,4 @@
-import { c as OAuthConsent, i as OIDCMetadata, m as Scope, r as OAuthClient, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-Cc0nzj5Q.mjs";
+import { c as OAuthConsent, i as OIDCMetadata, m as Scope, r as OAuthClient, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-C8aTlaAC.mjs";
 import * as better_call0 from "better-call";
 import * as z from "zod";
 import * as better_auth_plugins0 from "better-auth/plugins";
@@ -298,6 +298,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         }>;
         client_id: z.ZodOptional<z.ZodString>;
         client_secret: z.ZodOptional<z.ZodString>;
+        client_assertion: z.ZodOptional<z.ZodString>;
+        client_assertion_type: z.ZodOptional<z.ZodString>;
         code: z.ZodOptional<z.ZodString>;
         code_verifier: z.ZodOptional<z.ZodString>;
         redirect_uri: z.ZodOptional<z.ZodURL>;
@@ -436,6 +438,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       body: z.ZodObject<{
         client_id: z.ZodOptional<z.ZodString>;
         client_secret: z.ZodOptional<z.ZodString>;
+        client_assertion: z.ZodOptional<z.ZodString>;
+        client_assertion_type: z.ZodOptional<z.ZodString>;
         token: z.ZodString;
         token_type_hint: z.ZodOptional<z.ZodEnum<{
           refresh_token: "refresh_token";
@@ -573,6 +577,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       body: z.ZodObject<{
         client_id: z.ZodOptional<z.ZodString>;
         client_secret: z.ZodOptional<z.ZodString>;
+        client_assertion: z.ZodOptional<z.ZodString>;
+        client_assertion_type: z.ZodOptional<z.ZodString>;
         token: z.ZodString;
         token_type_hint: z.ZodOptional<z.ZodEnum<{
           refresh_token: "refresh_token";
@@ -831,7 +837,12 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           none: "none";
           client_secret_basic: "client_secret_basic";
           client_secret_post: "client_secret_post";
+          private_key_jwt: "private_key_jwt";
         }>>>;
+        jwks: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>, z.ZodObject<{
+          keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        }, z.core.$strip>]>>;
+        jwks_uri: z.ZodOptional<z.ZodString>;
         grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
           authorization_code: "authorization_code";
           client_credentials: "client_credentials";
@@ -849,7 +860,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           public: "public";
           pairwise: "pairwise";
         }>>;
-        skip_consent: z.ZodOptional<z.ZodBoolean>;
+        skip_consent: z.ZodOptional<z.ZodNever>;
       }, z.core.$strip>;
       metadata: {
         openapi: {
@@ -1004,7 +1015,12 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           none: "none";
           client_secret_basic: "client_secret_basic";
           client_secret_post: "client_secret_post";
+          private_key_jwt: "private_key_jwt";
         }>>>;
+        jwks: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>, z.ZodObject<{
+          keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        }, z.core.$strip>]>>;
+        jwks_uri: z.ZodOptional<z.ZodString>;
         grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
           authorization_code: "authorization_code";
           client_credentials: "client_credentials";
@@ -1208,7 +1224,12 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           none: "none";
           client_secret_basic: "client_secret_basic";
           client_secret_post: "client_secret_post";
+          private_key_jwt: "private_key_jwt";
         }>>>;
+        jwks: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>, z.ZodObject<{
+          keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        }, z.core.$strip>]>>;
+        jwks_uri: z.ZodOptional<z.ZodString>;
         grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
           authorization_code: "authorization_code";
           client_credentials: "client_credentials";
@@ -1874,6 +1895,14 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           type: "string";
           required: false;
         };
+        jwks: {
+          type: "string";
+          required: false;
+        };
+        jwksUri: {
+          type: "string";
+          required: false;
+        };
         grantTypes: {
           type: "string[]";
           required: false;

package/dist/{utils-sQ4gYeh3.mjs → utils-CIbcUsZ5.mjs}

@@ -1,62 +1,8 @@
-import { isAPIError } from "better-auth/api";
-import { verifyAccessToken } from "better-auth/oauth2";
-import { APIError as APIError$1 } from "better-call";
+import { APIError } from "better-call";
 import { constantTimeEqual, makeSignature, symmetricDecrypt, symmetricEncrypt } from "better-auth/crypto";
 import { BetterAuthError } from "@better-auth/core/error";
 import { base64, base64Url } from "@better-auth/utils/base64";
 import { createHash } from "@better-auth/utils/hash";
-//#region src/mcp.ts
-/**
-* A request middleware handler that checks and responds with
-* a WWW-Authenticate header for unauthenticated responses.
-*
-* @external
-*/
-const mcpHandler = (verifyOptions, handler, opts) => {
-	return async (req) => {
-		const authorization = req.headers?.get("authorization") ?? void 0;
-		const accessToken = authorization?.startsWith("Bearer ") ? authorization.replace("Bearer ", "") : authorization;
-		try {
-			if (!accessToken?.length) throw new APIError$1("UNAUTHORIZED", { message: "missing authorization header" });
-			return handler(req, await verifyAccessToken(accessToken, verifyOptions));
-		} catch (error) {
-			try {
-				handleMcpErrors(error, verifyOptions.verifyOptions.audience, opts);
-			} catch (err) {
-				if (err instanceof APIError$1) return new Response(err.message, {
-					...err,
-					status: err.statusCode
-				});
-				throw new Error(String(err));
-			}
-			throw new Error(String(error));
-		}
-	};
-};
-/**
-* The following handles all MCP errors and API errors
-*
-* @internal
-*/
-function handleMcpErrors(error, resource, opts) {
-	if (isAPIError(error) && error.status === "UNAUTHORIZED") {
-		const wwwAuthenticateValue = (Array.isArray(resource) ? resource : [resource]).map((v) => {
-			let audiencePath;
-			if (URL.canParse?.(v)) {
-				const url = new URL(v);
-				audiencePath = url.pathname.endsWith("/") ? url.pathname.slice(0, -1) : url.pathname;
-				return `Bearer resource_metadata="${url.origin}/.well-known/oauth-protected-resource${audiencePath}"`;
-			} else {
-				const resourceMetadata = opts?.resourceMetadataMappings?.[v];
-				if (!resourceMetadata) throw new APIError$1("INTERNAL_SERVER_ERROR", { message: `missing resource_metadata mapping for ${v}` });
-				return `Bearer resource_metadata=${resourceMetadata}`;
-			}
-		}).join(", ");
-		throw new APIError$1("UNAUTHORIZED", { message: error.message }, { "WWW-Authenticate": wwwAuthenticateValue });
-	} else if (error instanceof Error) throw error;
-	else throw new Error(error);
-}
-//#endregion
 //#region src/utils/index.ts
 var TTLCache = class {
 	cache = /* @__PURE__ */ new Map();
@@ -183,7 +129,7 @@ async function decryptStoredClientSecret(ctx, storageMethod, storedClientSecret)
 async function verifyStoredClientSecret(ctx, opts, storedClientSecret, clientSecret) {
 	const storageMethod = opts.storeClientSecret ?? (opts.disableJwtPlugin ? "encrypted" : "hashed");
 	if (clientSecret && opts.prefix?.clientSecret) if (clientSecret.startsWith(opts.prefix?.clientSecret)) clientSecret = clientSecret.replace(opts.prefix.clientSecret, "");
-	else throw new APIError$1("UNAUTHORIZED", {
+	else throw new APIError("UNAUTHORIZED", {
 		error_description: "invalid client_secret",
 		error: "invalid_client"
 	});
@@ -254,12 +200,12 @@ function basicToClientCredentials(authorization) {
 	if (authorization.startsWith("Basic ")) {
 		const encoded = authorization.replace("Basic ", "");
 		const decoded = new TextDecoder().decode(base64.decode(encoded));
-		if (!decoded.includes(":")) throw new APIError$1("BAD_REQUEST", {
+		if (!decoded.includes(":")) throw new APIError("BAD_REQUEST", {
 			error_description: "invalid authorization header format",
 			error: "invalid_client"
 		});
 		const [id, secret] = decoded.split(":", 2);
-		if (!id || !secret) throw new APIError$1("BAD_REQUEST", {
+		if (!id || !secret) throw new APIError("BAD_REQUEST", {
 			error_description: "invalid authorization header format",
 			error: "invalid_client"
 		});
@@ -275,31 +221,37 @@ function basicToClientCredentials(authorization) {
 *
 * @internal
 */
-async function validateClientCredentials(ctx, options, clientId, clientSecret, scopes) {
-	const client = await getClient(ctx, options, clientId);
-	if (!client) throw new APIError$1("BAD_REQUEST", {
+async function validateClientCredentials(ctx, options, clientId, clientSecret, scopes, preVerifiedClient) {
+	const client = preVerifiedClient ?? await getClient(ctx, options, clientId);
+	if (!client) throw new APIError("BAD_REQUEST", {
 		error_description: "missing client",
 		error: "invalid_client"
 	});
-	if (client.disabled) throw new APIError$1("BAD_REQUEST", {
+	if (client.disabled) throw new APIError("BAD_REQUEST", {
 		error_description: "client is disabled",
 		error: "invalid_client"
 	});
-	if (!client.public && !clientSecret) throw new APIError$1("BAD_REQUEST", {
-		error_description: "client secret must be provided",
-		error: "invalid_client"
-	});
-	if (clientSecret && !client.clientSecret) throw new APIError$1("BAD_REQUEST", {
-		error_description: "public client, client secret should not be received",
-		error: "invalid_client"
-	});
-	if (clientSecret && !await verifyStoredClientSecret(ctx, options, client.clientSecret, clientSecret)) throw new APIError$1("UNAUTHORIZED", {
-		error_description: "invalid client_secret",
+	if (client.tokenEndpointAuthMethod === "private_key_jwt" && !preVerifiedClient) throw new APIError("BAD_REQUEST", {
+		error_description: "client registered for private_key_jwt must use client_assertion",
 		error: "invalid_client"
 	});
+	if (!preVerifiedClient) {
+		if (!client.public && !clientSecret) throw new APIError("BAD_REQUEST", {
+			error_description: "client secret must be provided",
+			error: "invalid_client"
+		});
+		if (clientSecret && !client.clientSecret) throw new APIError("BAD_REQUEST", {
+			error_description: "public client, client secret should not be received",
+			error: "invalid_client"
+		});
+		if (clientSecret && !await verifyStoredClientSecret(ctx, options, client.clientSecret, clientSecret)) throw new APIError("UNAUTHORIZED", {
+			error_description: "invalid client_secret",
+			error: "invalid_client"
+		});
+	}
 	if (scopes && client.scopes) {
 		const validScopes = new Set(client.scopes);
-		for (const sc of scopes) if (!validScopes.has(sc)) throw new APIError$1("BAD_REQUEST", {
+		for (const sc of scopes) if (!validScopes.has(sc)) throw new APIError("BAD_REQUEST", {
 			error_description: `client does not allow scope ${sc}`,
 			error: "invalid_scope"
 		});
@@ -316,6 +268,57 @@ function parseClientMetadata(metadata) {
 	if (!metadata) return void 0;
 	return typeof metadata === "string" ? JSON.parse(metadata) : metadata;
 }
+/** Unwraps ExtractedCredentials into the fields each grant handler needs. */
+function destructureCredentials(credentials) {
+	return {
+		clientId: credentials?.clientId,
+		clientSecret: credentials?.method === "client_secret_basic" || credentials?.method === "client_secret_post" ? credentials.clientSecret : void 0,
+		preVerifiedClient: credentials?.method === "private_key_jwt" ? credentials.client : void 0
+	};
+}
+/**
+* Extracts and resolves client credentials from the request.
+* Supports: client_secret_basic, client_secret_post, private_key_jwt, and none (public).
+*/
+async function extractClientCredentials(ctx, opts, expectedAudience) {
+	const body = ctx.body ?? {};
+	const authorization = ctx.request?.headers.get("authorization") ?? void 0;
+	if (body.client_assertion_type || body.client_assertion) {
+		if (!body.client_assertion || !body.client_assertion_type) throw new APIError("BAD_REQUEST", {
+			error_description: "client_assertion and client_assertion_type must both be provided",
+			error: "invalid_client"
+		});
+		if (body.client_secret || authorization?.startsWith("Basic ")) throw new APIError("BAD_REQUEST", {
+			error_description: "client_assertion cannot be combined with client_secret or Basic auth",
+			error: "invalid_client"
+		});
+		const { verifyClientAssertion: verify } = await import("./client-assertion-DZqo-L5j.mjs").then((n) => n.t);
+		const result = await verify(ctx, opts, body.client_assertion, body.client_assertion_type, body.client_id, expectedAudience);
+		return {
+			method: "private_key_jwt",
+			clientId: result.clientId,
+			client: result.client
+		};
+	}
+	if (authorization?.startsWith("Basic ")) {
+		const res = basicToClientCredentials(authorization);
+		if (res) return {
+			method: "client_secret_basic",
+			clientId: res.client_id,
+			clientSecret: res.client_secret
+		};
+	}
+	if (body.client_id && body.client_secret) return {
+		method: "client_secret_post",
+		clientId: body.client_id,
+		clientSecret: body.client_secret
+	};
+	if (body.client_id) return {
+		method: "none",
+		clientId: body.client_id
+	};
+	return null;
+}
 /**
 * Parse space-separated prompt string into a set of prompts
 *
@@ -358,6 +361,18 @@ async function resolveSubjectIdentifier(userId, client, opts) {
 	return userId;
 }
 /**
+* Converts URLSearchParams to a plain object, preserving
+* multi-valued keys as arrays instead of discarding duplicates.
+*/
+function searchParamsToQuery(params) {
+	const result = Object.create(null);
+	for (const key of new Set(params.keys())) {
+		const values = params.getAll(key);
+		result[key] = values.length === 1 ? values[0] : values;
+	}
+	return result;
+}
+/**
 * Deletes a prompt value
 *
 * @param ctx
@@ -370,7 +385,7 @@ function deleteFromPrompt(query, prompt) {
 		prompts?.splice(foundPrompt, 1);
 		prompts?.length ? query.set("prompt", prompts.join(" ")) : query.delete("prompt");
 	}
-	return Object.fromEntries(query);
+	return searchParamsToQuery(query);
 }
 var PKCERequirementErrors = /* @__PURE__ */ function(PKCERequirementErrors) {
 	PKCERequirementErrors["PUBLIC_CLIENT"] = "pkce is required for public clients";
@@ -399,4 +414,4 @@ function isPKCERequired(client, requestedScopes) {
 	return false;
 }
 //#endregion
-export { verifyOAuthQueryParams as _, getJwtPlugin as a, isPKCERequired as c, parsePrompt as d, resolveSessionAuthTime as f, validateClientCredentials as g, storeToken as h, getClient as i, normalizeTimestampValue as l, storeClientSecret as m, decryptStoredClientSecret as n, getOAuthProviderPlugin as o, resolveSubjectIdentifier as p, deleteFromPrompt as r, getStoredToken as s, basicToClientCredentials as t, parseClientMetadata as u, handleMcpErrors as v, mcpHandler as y };
+export { storeToken as _, getClient as a, getStoredToken as c, parseClientMetadata as d, parsePrompt as f, storeClientSecret as g, searchParamsToQuery as h, extractClientCredentials as i, isPKCERequired as l, resolveSubjectIdentifier as m, deleteFromPrompt as n, getJwtPlugin as o, resolveSessionAuthTime as p, destructureCredentials as r, getOAuthProviderPlugin as s, decryptStoredClientSecret as t, normalizeTimestampValue as u, validateClientCredentials as v, verifyOAuthQueryParams as y };

package/dist/{version-xqVKoocI.mjs → version-BGWhjYBb.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.1";
+const PACKAGE_VERSION = "1.7.0-beta.0";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.6.1",
+  "version": "1.7.0-beta.0",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "better-auth": "1.6.1",
-    "@better-auth/core": "1.6.1"
+    "@better-auth/core": "1.7.0-beta.0",
+    "better-auth": "1.7.0-beta.0"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.0",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.1",
-    "better-auth": "^1.6.1"
+    "@better-auth/core": "^1.7.0-beta.0",
+    "better-auth": "^1.7.0-beta.0"
   },
   "scripts": {
     "build": "tsdown",