@better-auth/oauth-provider 1.6.14 → 1.6.16

package/dist/client-resource.d.mts

@@ -49,6 +49,20 @@ interface VerifyAccessTokenRemote {
    * is also still active.
    */
   force?: boolean;
+  /**
+   * Accept introspection responses that omit the `aud` claim even when a
+   * required `audience` is configured in `verifyOptions`.
+   *
+   * By default verification fails closed: if you configure an `audience` and
+   * the introspection response has no `aud` (or a mismatching one), the token
+   * is rejected. Some authorization servers legitimately omit `aud` from
+   * introspection responses (it is OPTIONAL per RFC 7662 §2.2); only enable
+   * this if you trust the issuer to bind the token to this resource through
+   * another mechanism, as it skips the audience check in that case.
+   *
+   * @default false
+   */
+  allowMissingAudience?: boolean;
 }
 type VerifyAccessTokenOutput<T> = T extends undefined ? (token: string | undefined, opts: VerifyAccessTokenNoAuthOpts) => Promise<JWTPayload> : (token: string | undefined, opts?: VerifyAccessTokenAuthOpts) => Promise<JWTPayload>;
 type VerifyAccessTokenAuthOpts = {

package/dist/client-resource.mjs

@@ -1,5 +1,5 @@
-import { S as handleMcpErrors, a as getOAuthProviderPlugin, i as getJwtPlugin } from "./utils-DoYEeMrg.mjs";
-import { t as PACKAGE_VERSION } from "./version-CrTJknzp.mjs";
+import { C as handleMcpErrors, a as getJwtPlugin, o as getOAuthProviderPlugin } from "./utils-BKGiA6QL.mjs";
+import { t as PACKAGE_VERSION } from "./version-BJguNh6q.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { n as oauthProvider } from "./oauth-CUqnBdrR.mjs";
+import { n as oauthProvider } from "./oauth-DZ80cNUW.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-CrTJknzp.mjs";
+import { t as PACKAGE_VERSION } from "./version-BJguNh6q.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.d.mts

@@ -1,5 +1,5 @@
 import { _ as Scope, a as OAuthClient, b as Awaitable, c as TokenEndpointAuthMethod, d as OAuthConsent, f as OAuthOpaqueAccessToken, g as SchemaClient, h as Prompt, i as GrantType, l as AuthorizePrompt, m as OAuthRefreshToken, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOptions, r as BearerMethodsSupported, s as ResourceServerMetadata, t as AuthMethod, u as OAuthAuthorizationQuery, v as StoreTokenType, y as VerificationValue } from "./oauth-D74mBkw6.mjs";
-import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-CUqnBdrR.mjs";
+import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-DZ80cNUW.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";

package/dist/index.mjs

@@ -1,6 +1,6 @@
-import { C as mcpHandler, _ as signedQueryIssuedAtParam, b as validateClientCredentials, c as isPKCERequired, d as parsePrompt, f as postLoginClearedParam, g as searchParamsToQuery, h as resolveSubjectIdentifier, i as getJwtPlugin, l as normalizeTimestampValue, m as resolveSessionAuthTime, n as decryptStoredClientSecret, o as getSignedQueryIssuedAt, p as removePromptFromQuery, r as getClient, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as storeClientSecret, x as verifyOAuthQueryParams, y as storeToken } from "./utils-DoYEeMrg.mjs";
-import { t as PACKAGE_VERSION } from "./version-CrTJknzp.mjs";
-import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
+import { S as verifyOAuthQueryParams, _ as searchParamsToQuery, a as getJwtPlugin, b as storeToken, c as getStoredToken, d as parseClientMetadata, f as parsePrompt, g as resolveSubjectIdentifier, h as resolveSessionAuthTime, i as getClient, l as isPKCERequired, m as removePromptFromQuery, n as clientAllowsGrant, p as postLoginClearedParam, r as decryptStoredClientSecret, s as getSignedQueryIssuedAt, t as basicToClientCredentials, u as normalizeTimestampValue, v as signedQueryIssuedAtParam, w as mcpHandler, x as validateClientCredentials, y as storeClientSecret } from "./utils-BKGiA6QL.mjs";
+import { t as PACKAGE_VERSION } from "./version-BJguNh6q.mjs";
+import { APIError, createAuthEndpoint, createAuthMiddleware, dispatchAuthEndpoint, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
 import { isBrowserFetchRequest } from "@better-auth/core/utils/fetch-metadata";
@@ -16,7 +16,7 @@ import { signJWT, toExpJWT } from "better-auth/plugins";
 import { SignJWT, compactVerify, createLocalJWKSet, decodeJwt } from "jose";
 import { SafeUrlSchema } from "@better-auth/core/utils/redirect-uri";
 //#region src/consent.ts
-async function consentEndpoint(ctx, opts) {
+async function consentEndpoint(ctx, opts, authorize) {
 	const oauthRequest = await oAuthState.get();
 	const _query = oauthRequest?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
@@ -47,11 +47,7 @@ async function consentEndpoint(ctx, opts) {
 	if (hasLoginPrompt && !hasSatisfiedLoginPrompt) {
 		ctx?.headers?.set("accept", "application/json");
 		ctx.query = searchParamsToQuery(query);
-		const { url } = await authorizeEndpoint(ctx, opts);
-		return {
-			redirect: true,
-			url
-		};
+		return await authorize(ctx);
 	}
 	const referenceId = await opts.postLogin?.consentReferenceId?.({
 		user: session?.user,
@@ -106,11 +102,7 @@ async function consentEndpoint(ctx, opts) {
 	let authorizationQuery = removePromptFromQuery(query, "consent");
 	if (hasSatisfiedLoginPrompt) authorizationQuery = removePromptFromQuery(authorizationQuery, "login");
 	ctx.query = searchParamsToQuery(authorizationQuery);
-	const { url } = await authorizeEndpoint(ctx, opts, { postLogin: oauthRequest?.postLoginClearedForSession !== void 0 && oauthRequest.postLoginClearedForSession === session?.session.id });
-	return {
-		redirect: true,
-		url
-	};
+	return await authorize(ctx, { postLogin: oauthRequest?.postLoginClearedForSession !== void 0 && oauthRequest.postLoginClearedForSession === session?.session.id });
 }
 function sessionSatisfiesLoginPrompt(sessionCreatedAt, signedQueryIssuedAt) {
 	if (!signedQueryIssuedAt) return false;
@@ -120,16 +112,16 @@ function sessionSatisfiesLoginPrompt(sessionCreatedAt, signedQueryIssuedAt) {
 }
 //#endregion
 //#region src/continue.ts
-async function continueEndpoint(ctx, opts) {
-	if (ctx.body.selected === true) return await selected(ctx, opts);
-	else if (ctx.body.created === true) return await created(ctx, opts);
-	else if (ctx.body.postLogin === true) return await postLogin(ctx, opts);
+async function continueEndpoint(ctx, authorize) {
+	if (ctx.body.selected === true) return await selected(ctx, authorize);
+	else if (ctx.body.created === true) return await created(ctx, authorize);
+	else if (ctx.body.postLogin === true) return await postLogin(ctx, authorize);
 	else throw new APIError("BAD_REQUEST", {
 		error_description: "Missing parameters",
 		error: "invalid_request"
 	});
 }
-async function selected(ctx, opts) {
+async function selected(ctx, authorize) {
 	const _query = (await oAuthState.get())?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
@@ -137,13 +129,9 @@ async function selected(ctx, opts) {
 	});
 	ctx.headers?.set("accept", "application/json");
 	ctx.query = searchParamsToQuery(removePromptFromQuery(new URLSearchParams(_query), "select_account"));
-	const { url } = await authorizeEndpoint(ctx, opts);
-	return {
-		redirect: true,
-		url
-	};
+	return await authorize(ctx);
 }
-async function created(ctx, opts) {
+async function created(ctx, authorize) {
 	const _query = (await oAuthState.get())?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
@@ -152,14 +140,11 @@ async function created(ctx, opts) {
 	const query = new URLSearchParams(_query);
 	ctx.headers?.set("accept", "application/json");
 	ctx.query = searchParamsToQuery(removePromptFromQuery(query, "create"));
-	const { url } = await authorizeEndpoint(ctx, opts);
-	return {
-		redirect: true,
-		url
-	};
+	return await authorize(ctx);
 }
-async function postLogin(ctx, opts) {
-	const _query = (await oAuthState.get())?.query;
+async function postLogin(ctx, authorize) {
+	const state = await oAuthState.get();
+	const _query = state?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
 		error: "invalid_request"
@@ -167,11 +152,8 @@ async function postLogin(ctx, opts) {
 	const query = new URLSearchParams(_query);
 	ctx.headers?.set("accept", "application/json");
 	ctx.query = searchParamsToQuery(query);
-	const { url } = await authorizeEndpoint(ctx, opts, { postLogin: true });
-	return {
-		redirect: true,
-		url
-	};
+	const session = await getSessionFromCtx(ctx);
+	return await authorize(ctx, { postLogin: state?.postLoginClearedForSession !== void 0 && state.postLoginClearedForSession === session?.session.id });
 }
 //#endregion
 //#region src/types/zod.ts
@@ -523,7 +505,7 @@ async function createUserTokens(ctx, opts, params) {
 		return prev < curr ? prev : curr;
 	}, defaultExp) : defaultExp;
 	const audience = await checkResource(ctx, opts, scopes);
-	const isRefreshToken = user && (existingRefreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access"));
+	const isRefreshToken = user && clientAllowsGrant(client, "refresh_token") && (existingRefreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access"));
 	const isJwtAccessToken = audience && !opts.disableJwtPlugin;
 	const isIdToken = user && scopes.includes("openid");
 	const customFields = opts.customTokenResponseFields ? await opts.customTokenResponseFields({
@@ -638,7 +620,7 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 		error: "invalid_scope"
 	});
 	/** Verify Client */
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, scopes);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, scopes, "authorization_code");
 	if (isPKCERequired(client, (verificationValue.query?.scope)?.split(" ") || [])) {
 		if (!isAuthCodeWithPkce) throw new APIError("BAD_REQUEST", {
 			error_description: "PKCE is required for this client",
@@ -721,7 +703,7 @@ async function handleClientCredentialsGrant(ctx, opts) {
 		error_description: "Missing a required client_secret",
 		error: "invalid_grant"
 	});
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, "client_credentials");
 	let requestedScopes = scope?.split(" ");
 	if (requestedScopes) {
 		const validScopes = new Set(client.scopes ?? opts.scopes);
@@ -804,7 +786,7 @@ async function handleRefreshTokenGrant(ctx, opts) {
 			error: "invalid_scope"
 		});
 	}
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, requestedScopes ?? scopes);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, requestedScopes ?? scopes, "refresh_token");
 	const user = await ctx.context.internalAdapter.findUserById(refreshToken.userId);
 	if (!user) throw new APIError("BAD_REQUEST", {
 		error_description: "user not found",
@@ -862,12 +844,10 @@ async function validateJwtAccessToken(ctx, opts, token, clientId) {
 		}
 		throw new Error(error);
 	}
-	let client;
-	if (jwtPayload.azp) {
-		client = await getClient(ctx, opts, jwtPayload.azp);
-		if (!client || client?.disabled) return { active: false };
-		if (clientId && jwtPayload.azp !== clientId) return { active: false };
-	}
+	if (!jwtPayload.azp) return { active: false };
+	const client = await getClient(ctx, opts, jwtPayload.azp);
+	if (!client || client?.disabled) return { active: false };
+	if (clientId && jwtPayload.azp !== clientId) return { active: false };
 	const sessionId = jwtPayload.sid;
 	if (sessionId) {
 		const session = await ctx.context.adapter.findOne({
@@ -879,7 +859,7 @@ async function validateJwtAccessToken(ctx, opts, token, clientId) {
 		});
 		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) jwtPayload.sid = void 0;
 	}
-	if (jwtPayload.azp) jwtPayload.client_id = jwtPayload.azp;
+	jwtPayload.client_id = jwtPayload.azp;
 	jwtPayload.active = true;
 	return jwtPayload;
 }
@@ -2849,6 +2829,140 @@ const oauthProvider = (options) => {
 		}
 		if (isOpenIdConfigRequest) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
 	};
+	const oauth2AuthorizeEndpoint = createAuthEndpoint("/oauth2/authorize", {
+		method: "GET",
+		query: z.object({
+			response_type: z.enum(["code"]).optional(),
+			client_id: z.string(),
+			redirect_uri: SafeUrlSchema.optional(),
+			scope: z.string().optional(),
+			state: z.string().optional(),
+			request_uri: z.string().optional(),
+			code_challenge: z.string().optional(),
+			code_challenge_method: z.enum(["S256"]).optional(),
+			nonce: z.string().optional(),
+			prompt: z.enum([
+				"none",
+				"consent",
+				"login",
+				"create",
+				"select_account",
+				"login consent",
+				"select_account consent"
+			]).optional()
+		}),
+		metadata: { openapi: {
+			description: "Authorize an OAuth2 request",
+			parameters: [
+				{
+					name: "response_type",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 response type (e.g., 'code')"
+				},
+				{
+					name: "client_id",
+					in: "query",
+					required: true,
+					schema: { type: "string" },
+					description: "OAuth2 client ID"
+				},
+				{
+					name: "redirect_uri",
+					in: "query",
+					required: false,
+					schema: {
+						type: "string",
+						format: "uri"
+					},
+					description: "OAuth2 redirect URI"
+				},
+				{
+					name: "scope",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 scopes (space-separated)"
+				},
+				{
+					name: "state",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 state parameter"
+				},
+				{
+					name: "request_uri",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "Pushed Authorization Request URI referencing stored parameters"
+				},
+				{
+					name: "code_challenge",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "PKCE code challenge"
+				},
+				{
+					name: "code_challenge_method",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "PKCE code challenge method"
+				},
+				{
+					name: "nonce",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OpenID Connect nonce"
+				},
+				{
+					name: "prompt",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 prompt parameter"
+				}
+			],
+			responses: {
+				"302": {
+					description: "Redirect to client with code or error",
+					headers: { Location: {
+						description: "Redirect URI with code or error",
+						schema: {
+							type: "string",
+							format: "uri"
+						}
+					} }
+				},
+				"400": {
+					description: "Invalid request",
+					content: { "application/json": { schema: {
+						type: "object",
+						properties: {
+							error: { type: "string" },
+							error_description: { type: "string" },
+							state: { type: "string" }
+						},
+						required: ["error"]
+					} } }
+				}
+			}
+		} }
+	}, async (ctx) => {
+		return authorizeEndpoint(ctx, opts, ctx.authorizeSettings ?? { isAuthorize: true });
+	});
+	const runOAuth2Authorize = (ctx, settings) => dispatchAuthEndpoint(oauth2AuthorizeEndpoint, {
+		...ctx,
+		asResponse: false,
+		returnHeaders: false,
+		returnStatus: false,
+		authorizeSettings: settings ?? {}
+	});
 	return {
 		id: "oauth-provider",
 		version: PACKAGE_VERSION,
@@ -2915,7 +3029,7 @@ const oauthProvider = (options) => {
 					const acceptHeader = ctx.request?.headers?.get("accept")?.toLowerCase() ?? "";
 					if (!(secFetchMode === "navigate" || !secFetchMode && (acceptHeader.includes("text/html") || acceptHeader.includes("application/xhtml+xml")))) ctx.headers?.set("accept", "application/json");
 					ctx.query = searchParamsToQuery(removePromptFromQuery(query, "login"));
-					return await authorizeEndpoint(ctx, opts);
+					return await runOAuth2Authorize(ctx);
 				})
 			}]
 		},
@@ -2940,133 +3054,7 @@ const oauthProvider = (options) => {
 				if (opts.scopes && !opts.scopes.includes("openid")) throw new APIError("NOT_FOUND");
 				return oidcServerMetadata(ctx, opts);
 			}),
-			oauth2Authorize: createAuthEndpoint("/oauth2/authorize", {
-				method: "GET",
-				query: z.object({
-					response_type: z.enum(["code"]).optional(),
-					client_id: z.string(),
-					redirect_uri: SafeUrlSchema.optional(),
-					scope: z.string().optional(),
-					state: z.string().optional(),
-					request_uri: z.string().optional(),
-					code_challenge: z.string().optional(),
-					code_challenge_method: z.enum(["S256"]).optional(),
-					nonce: z.string().optional(),
-					prompt: z.enum([
-						"none",
-						"consent",
-						"login",
-						"create",
-						"select_account",
-						"login consent",
-						"select_account consent"
-					]).optional()
-				}),
-				metadata: { openapi: {
-					description: "Authorize an OAuth2 request",
-					parameters: [
-						{
-							name: "response_type",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 response type (e.g., 'code')"
-						},
-						{
-							name: "client_id",
-							in: "query",
-							required: true,
-							schema: { type: "string" },
-							description: "OAuth2 client ID"
-						},
-						{
-							name: "redirect_uri",
-							in: "query",
-							required: false,
-							schema: {
-								type: "string",
-								format: "uri"
-							},
-							description: "OAuth2 redirect URI"
-						},
-						{
-							name: "scope",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 scopes (space-separated)"
-						},
-						{
-							name: "state",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 state parameter"
-						},
-						{
-							name: "request_uri",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "Pushed Authorization Request URI referencing stored parameters"
-						},
-						{
-							name: "code_challenge",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "PKCE code challenge"
-						},
-						{
-							name: "code_challenge_method",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "PKCE code challenge method"
-						},
-						{
-							name: "nonce",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OpenID Connect nonce"
-						},
-						{
-							name: "prompt",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 prompt parameter"
-						}
-					],
-					responses: {
-						"302": {
-							description: "Redirect to client with code or error",
-							headers: { Location: {
-								description: "Redirect URI with code or error",
-								schema: {
-									type: "string",
-									format: "uri"
-								}
-							} }
-						},
-						"400": {
-							description: "Invalid request",
-							content: { "application/json": { schema: {
-								type: "object",
-								properties: {
-									error: { type: "string" },
-									error_description: { type: "string" },
-									state: { type: "string" }
-								},
-								required: ["error"]
-							} } }
-						}
-					}
-				} }
-			}, async (ctx) => {
-				return authorizeEndpoint(ctx, opts, { isAuthorize: true });
-			}),
+			oauth2Authorize: oauth2AuthorizeEndpoint,
 			oauth2Consent: createAuthEndpoint("/oauth2/consent", {
 				method: "POST",
 				body: z.object({
@@ -3091,7 +3079,7 @@ const oauthProvider = (options) => {
 					} }
 				} }
 			}, async (ctx) => {
-				return consentEndpoint(ctx, opts);
+				return consentEndpoint(ctx, opts, runOAuth2Authorize);
 			}),
 			oauth2Continue: createAuthEndpoint("/oauth2/continue", {
 				method: "POST",
@@ -3118,7 +3106,7 @@ const oauthProvider = (options) => {
 					} }
 				} }
 			}, async (ctx) => {
-				return continueEndpoint(ctx, opts);
+				return continueEndpoint(ctx, runOAuth2Authorize);
 			}),
 			oauth2Token: createAuthEndpoint("/oauth2/token", {
 				method: "POST",
@@ -3432,7 +3420,7 @@ const oauthProvider = (options) => {
 				return revokeEndpoint(ctx, opts);
 			}),
 			oauth2UserInfo: createAuthEndpoint("/oauth2/userinfo", {
-				method: "GET",
+				method: ["GET", "POST"],
 				metadata: { openapi: {
 					description: "Get OpenID Connect user information (UserInfo endpoint)",
 					security: [{ bearerAuth: [] }, { OAuth2: [
@@ -3868,6 +3856,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	const client = await getClient(ctx, opts, query.client_id);
 	if (!client) return handleRedirect(ctx, getErrorURL(ctx, "invalid_client", "client_id is required"));
 	if (client.disabled) return handleRedirect(ctx, getErrorURL(ctx, "client_disabled", "client is disabled"));
+	if (!clientAllowsGrant(client, "authorization_code")) return handleRedirect(ctx, getErrorURL(ctx, "unauthorized_client", "client is not authorized to use the authorization_code grant"));
 	if (!client.redirectUris?.find((url) => {
 		if (url === query.redirect_uri) return true;
 		try {

package/dist/{oauth-CUqnBdrR.d.mts → oauth-DZ80cNUW.d.mts}

@@ -234,6 +234,9 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
     }, {
       redirect: boolean;
       url: string;
+    } | {
+      redirect: boolean;
+      url: string;
     }>;
     oauth2Continue: better_call0.StrictEndpoint<"/oauth2/continue", {
       method: "POST";
@@ -661,7 +664,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       };
     }, null | undefined>;
     oauth2UserInfo: better_call0.StrictEndpoint<"/oauth2/userinfo", {
-      method: "GET";
+      method: ("GET" | "POST")[];
       metadata: {
         openapi: {
           description: string;

package/dist/{utils-DoYEeMrg.mjs → utils-BKGiA6QL.mjs}

@@ -272,12 +272,27 @@ function basicToClientCredentials(authorization) {
 	}
 }
 /**
+* Whether a client is allowed to use a given grant type.
+*
+* A client's registered `grantTypes` defaults to the documented default
+* `["authorization_code"]` when unset (see client registration). Refresh tokens
+* are only ever issued through the authorization_code flow, so a client allowed
+* to use `authorization_code` is implicitly allowed to use `refresh_token`.
+*
+* @internal
+*/
+function clientAllowsGrant(client, grantType) {
+	const allowedGrants = client.grantTypes && client.grantTypes.length > 0 ? client.grantTypes : ["authorization_code"];
+	if (grantType === "refresh_token" && allowedGrants.includes("authorization_code")) return true;
+	return allowedGrants.includes(grantType);
+}
+/**
 * Validates client credentials failing on mismatches
 * and incorrectly provided information
 *
 * @internal
 */
-async function validateClientCredentials(ctx, options, clientId, clientSecret, scopes) {
+async function validateClientCredentials(ctx, options, clientId, clientSecret, scopes, grantType) {
 	const client = await getClient(ctx, options, clientId);
 	if (!client) throw new APIError$1("BAD_REQUEST", {
 		error_description: "missing client",
@@ -306,6 +321,10 @@ async function validateClientCredentials(ctx, options, clientId, clientSecret, s
 			error: "invalid_scope"
 		});
 	}
+	if (grantType && !clientAllowsGrant(client, grantType)) throw new APIError$1("BAD_REQUEST", {
+		error_description: `client is not authorized to use grant type ${grantType}`,
+		error: "unauthorized_client"
+	});
 	return client;
 }
 /**
@@ -417,4 +436,4 @@ function isPKCERequired(client, requestedScopes) {
 	return false;
 }
 //#endregion
-export { mcpHandler as C, handleMcpErrors as S, signedQueryIssuedAtParam as _, getOAuthProviderPlugin as a, validateClientCredentials as b, isPKCERequired as c, parsePrompt as d, postLoginClearedParam as f, searchParamsToQuery as g, resolveSubjectIdentifier as h, getJwtPlugin as i, normalizeTimestampValue as l, resolveSessionAuthTime as m, decryptStoredClientSecret as n, getSignedQueryIssuedAt as o, removePromptFromQuery as p, getClient as r, getStoredToken as s, basicToClientCredentials as t, parseClientMetadata as u, storeClientSecret as v, verifyOAuthQueryParams as x, storeToken as y };
+export { handleMcpErrors as C, verifyOAuthQueryParams as S, searchParamsToQuery as _, getJwtPlugin as a, storeToken as b, getStoredToken as c, parseClientMetadata as d, parsePrompt as f, resolveSubjectIdentifier as g, resolveSessionAuthTime as h, getClient as i, isPKCERequired as l, removePromptFromQuery as m, clientAllowsGrant as n, getOAuthProviderPlugin as o, postLoginClearedParam as p, decryptStoredClientSecret as r, getSignedQueryIssuedAt as s, basicToClientCredentials as t, normalizeTimestampValue as u, signedQueryIssuedAtParam as v, mcpHandler as w, validateClientCredentials as x, storeClientSecret as y };

package/dist/{version-CrTJknzp.mjs → version-BJguNh6q.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.14";
+const PACKAGE_VERSION = "1.6.16";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.6.14",
+  "version": "1.6.16",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.14",
-    "better-auth": "1.6.14"
+    "@better-auth/core": "1.6.16",
+    "better-auth": "1.6.16"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
-    "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.14",
-    "better-auth": "^1.6.14"
+    "@better-fetch/fetch": "1.2.2",
+    "better-call": "1.3.6",
+    "@better-auth/core": "^1.6.16",
+    "better-auth": "^1.6.16"
   },
   "scripts": {
     "build": "tsdown",