@better-auth/oauth-provider 1.6.3 → 1.7.0-beta.1

package/dist/index.mjs

@@ -1,8 +1,11 @@
-import { _ as validateClientCredentials, a as getJwtPlugin, b as mcpHandler, c as isPKCERequired, d as parsePrompt, f as resolveSessionAuthTime, g as storeToken, h as storeClientSecret, i as getClient, l as normalizeTimestampValue, m as searchParamsToQuery, n as decryptStoredClientSecret, p as resolveSubjectIdentifier, r as deleteFromPrompt, s as getStoredToken, t as basicToClientCredentials, u as parseClientMetadata, v as verifyOAuthQueryParams } from "./utils-B9Pj9EPf.mjs";
-import { t as PACKAGE_VERSION } from "./version-BlcZ64XB.mjs";
+import { n as isPrivateHostname } from "./client-assertion-CderPEmR.mjs";
+import { n as mcpHandler } from "./mcp-CYnz-MXn.mjs";
+import { _ as storeClientSecret, a as getClient, b as validateClientCredentials, c as getStoredToken, d as normalizeTimestampValue, f as parseClientMetadata, g as searchParamsToQuery, h as resolveSubjectIdentifier, i as extractClientCredentials, l as isPKCERequired, m as resolveSessionAuthTime, n as deleteFromPrompt, o as getJwtPlugin, p as parsePrompt, r as destructureCredentials, t as decryptStoredClientSecret, u as mergeDiscoveryMetadata, v as storeToken, x as verifyOAuthQueryParams, y as toClientDiscoveryArray } from "./utils-Cx_XnD9i.mjs";
+import { t as PACKAGE_VERSION } from "./version-DIwdpXrQ.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
+import { ASSERTION_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
 import { isBrowserFetchRequest } from "@better-auth/core/utils/fetch-metadata";
 import { generateRandomString, makeSignature } from "better-auth/crypto";
 import { defineRequestState } from "@better-auth/core/context";
@@ -11,8 +14,8 @@ import { BetterAuthError } from "@better-auth/core/error";
 import { parseSetCookieHeader } from "better-auth/cookies";
 import { mergeSchema } from "better-auth/db";
 import * as z from "zod";
-import { signJWT, toExpJWT } from "better-auth/plugins";
-import { SignJWT, compactVerify, createLocalJWKSet, decodeJwt } from "jose";
+import { resolveSigningKey, signJWT, toExpJWT } from "better-auth/plugins";
+import { SignJWT, base64url, compactVerify, createLocalJWKSet, decodeJwt, decodeProtectedHeader } from "jose";
 //#region src/consent.ts
 async function consentEndpoint(ctx, opts) {
 	const _query = (await oAuthState.get())?.query;
@@ -171,7 +174,7 @@ const oauthAuthorizationQuerySchema = z.object({
 	request_uri: z.string().optional(),
 	redirect_uri: z.string(),
 	scope: z.string().optional(),
-	state: z.string(),
+	state: z.string().optional(),
 	client_id: z.string(),
 	prompt: z.string().optional(),
 	display: z.string().optional(),
@@ -352,10 +355,23 @@ async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, r
 	});
 }
 /**
+* Computes an OIDC hash (at_hash, c_hash) per OIDC Core §3.1.3.6.
+* Hashes the token, takes the left half, and base64url-encodes it.
+*/
+async function computeOidcHash(token, signingAlg) {
+	let hashAlg;
+	if (signingAlg === "EdDSA") hashAlg = "SHA-512";
+	else if (signingAlg.endsWith("384")) hashAlg = "SHA-384";
+	else if (signingAlg.endsWith("512")) hashAlg = "SHA-512";
+	else hashAlg = "SHA-256";
+	const digest = new Uint8Array(await crypto.subtle.digest(hashAlg, new TextEncoder().encode(token)));
+	return base64url.encode(digest.slice(0, digest.length / 2));
+}
+/**
 * Creates a user id token in code_authorization with scope of 'openid'
 * and hybrid/implicit (not yet implemented) flows
 */
-async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime) {
+async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime, accessToken) {
 	const iat = Math.floor(Date.now() / 1e3);
 	const exp = iat + (opts.idTokenExpiresIn ?? 36e3);
 	const userClaims = userNormalClaims(user, scopes);
@@ -368,11 +384,15 @@ async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId,
 		metadata: parseClientMetadata(client.metadata)
 	}) : {};
 	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
+	const resolvedKey = !opts.disableJwtPlugin && !jwtPluginOptions?.jwt?.sign ? await resolveSigningKey(ctx, jwtPluginOptions) : void 0;
+	const signingAlg = opts.disableJwtPlugin ? "HS256" : resolvedKey?.alg ?? jwtPluginOptions?.jwks?.keyPairConfig?.alg;
+	const atHash = accessToken ? await computeOidcHash(accessToken, signingAlg) : void 0;
 	const payload = {
 		...userClaims,
 		auth_time: authTimeSec,
 		acr,
 		...customClaims,
+		at_hash: atHash,
 		iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
 		sub: resolvedSub,
 		aud: client.clientId,
@@ -382,10 +402,19 @@ async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId,
 		sid: client.enableEndSession ? sessionId : void 0
 	};
 	if (opts.disableJwtPlugin && !client.clientSecret) return;
-	return opts.disableJwtPlugin ? new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).sign(new TextEncoder().encode(await decryptStoredClientSecret(ctx, opts.storeClientSecret, client.clientSecret))) : signJWT(ctx, {
+	const idToken = opts.disableJwtPlugin ? await new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).sign(new TextEncoder().encode(await decryptStoredClientSecret(ctx, opts.storeClientSecret, client.clientSecret))) : await signJWT(ctx, {
 		options: jwtPluginOptions,
-		payload
+		payload,
+		resolvedKey: resolvedKey ?? void 0
 	});
+	if (idToken && atHash && jwtPluginOptions?.jwt?.sign) {
+		const header = decodeProtectedHeader(idToken);
+		if (header.alg !== signingAlg) throw new APIError("INTERNAL_SERVER_ERROR", {
+			error_description: `ID token signed with "${header.alg}" but at_hash was computed for "${signingAlg}". Ensure jwt.sign uses the algorithm declared in keyPairConfig.alg.`,
+			error: "server_error"
+		});
+	}
+	return idToken;
 }
 /**
 * Encodes a refresh token for a client
@@ -497,23 +526,20 @@ async function createUserTokens(ctx, opts, params) {
 		exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
 		sid: sessionId
 	}, existingRefreshToken, authTime) : void 0;
-	const [accessToken, refreshToken, idToken] = await Promise.all([
-		isJwtAccessToken ? createJwtAccessToken(ctx, opts, user, client, audience, scopes, referenceId, {
-			iat,
-			exp,
-			sid: sessionId
-		}) : createOpaqueAccessToken(ctx, opts, user, client, scopes, {
-			iat,
-			exp,
-			sid: sessionId
-		}, referenceId, earlyRefreshToken?.id),
-		earlyRefreshToken ? earlyRefreshToken : isRefreshToken && user ? createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
-			iat,
-			exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
-			sid: sessionId
-		}, existingRefreshToken, authTime) : void 0,
-		isIdToken && user ? createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime) : void 0
-	]);
+	const [accessToken, refreshToken] = await Promise.all([isJwtAccessToken ? createJwtAccessToken(ctx, opts, user, client, audience, scopes, referenceId, {
+		iat,
+		exp,
+		sid: sessionId
+	}) : createOpaqueAccessToken(ctx, opts, user, client, scopes, {
+		iat,
+		exp,
+		sid: sessionId
+	}, referenceId, earlyRefreshToken?.id), earlyRefreshToken ? earlyRefreshToken : isRefreshToken && user ? createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
+		iat,
+		exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
+		sid: sessionId
+	}, existingRefreshToken, authTime) : void 0]);
+	const idToken = isIdToken ? await createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime, accessToken) : void 0;
 	return ctx.json({
 		...customFields,
 		access_token: accessToken,
@@ -569,13 +595,8 @@ async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri)
 * Obtains new Session Jwt and Refresh Tokens using a code
 */
 async function handleAuthorizationCodeGrant(ctx, opts) {
-	let { client_id, client_secret, code, code_verifier, redirect_uri } = ctx.body;
-	const authorization = ctx.request?.headers.get("authorization") || null;
-	if (authorization?.startsWith("Basic ")) {
-		const res = basicToClientCredentials(authorization);
-		client_id = res?.client_id;
-		client_secret = res?.client_secret;
-	}
+	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
+	const { code, code_verifier, redirect_uri } = ctx.body;
 	if (!client_id) throw new APIError("BAD_REQUEST", {
 		error_description: "client_id is required",
 		error: "invalid_request"
@@ -590,7 +611,7 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 	});
 	const isAuthCodeWithSecret = client_id && client_secret;
 	const isAuthCodeWithPkce = client_id && code && code_verifier;
-	if (!isAuthCodeWithSecret && !isAuthCodeWithPkce) throw new APIError("BAD_REQUEST", {
+	if (!isAuthCodeWithSecret && !isAuthCodeWithPkce && !preVerifiedClient) throw new APIError("BAD_REQUEST", {
 		error_description: "Either code_verifier or client_secret is required",
 		error: "invalid_request"
 	});
@@ -602,14 +623,14 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 		error: "invalid_scope"
 	});
 	/** Verify Client */
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, scopes);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, scopes, preVerifiedClient);
 	if (isPKCERequired(client, (verificationValue.query?.scope)?.split(" ") || [])) {
 		if (!isAuthCodeWithPkce) throw new APIError("BAD_REQUEST", {
 			error_description: "PKCE is required for this client",
 			error: "invalid_request"
 		});
-	} else if (!(isAuthCodeWithPkce || isAuthCodeWithSecret)) throw new APIError("BAD_REQUEST", {
-		error_description: "Either PKCE (code_verifier) or client authentication (client_secret) is required",
+	} else if (!(isAuthCodeWithPkce || isAuthCodeWithSecret || preVerifiedClient)) throw new APIError("BAD_REQUEST", {
+		error_description: "Either PKCE (code_verifier) or client authentication (client_secret or client_assertion) is required",
 		error: "invalid_request"
 	});
 	/** Check PKCE challenge if verifier is provided */
@@ -670,22 +691,17 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 * MUST follow https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
 */
 async function handleClientCredentialsGrant(ctx, opts) {
-	let { client_id, client_secret, scope } = ctx.body;
-	const authorization = ctx.request?.headers.get("authorization") || null;
-	if (authorization?.startsWith("Basic ")) {
-		const res = basicToClientCredentials(authorization);
-		client_id = res?.client_id;
-		client_secret = res?.client_secret;
-	}
+	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
+	const { scope } = ctx.body;
 	if (!client_id) throw new APIError("BAD_REQUEST", {
 		error_description: "Missing required client_id",
 		error: "invalid_grant"
 	});
-	if (!client_secret) throw new APIError("BAD_REQUEST", {
+	if (!client_secret && !preVerifiedClient) throw new APIError("BAD_REQUEST", {
 		error_description: "Missing a required client_secret",
 		error: "invalid_grant"
 	});
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, preVerifiedClient);
 	let requestedScopes = scope?.split(" ");
 	if (requestedScopes) {
 		const validScopes = new Set(client.scopes ?? opts.scopes);
@@ -717,13 +733,8 @@ async function handleClientCredentialsGrant(ctx, opts) {
 * To add scopes, you must restart the authorize process again.
 */
 async function handleRefreshTokenGrant(ctx, opts) {
-	let { client_id, client_secret, refresh_token, scope } = ctx.body;
-	const authorization = ctx.request?.headers.get("authorization") || null;
-	if (authorization?.startsWith("Basic ")) {
-		const res = basicToClientCredentials(authorization);
-		client_id = res?.client_id;
-		client_secret = res?.client_secret;
-	}
+	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
+	const { refresh_token, scope } = ctx.body;
 	if (!client_id) throw new APIError("BAD_REQUEST", {
 		error_description: "Missing required client_id",
 		error: "invalid_grant"
@@ -777,7 +788,7 @@ async function handleRefreshTokenGrant(ctx, opts) {
 			error: "invalid_scope"
 		});
 	}
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, requestedScopes ?? scopes);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, requestedScopes ?? scopes, preVerifiedClient);
 	const user = await ctx.context.internalAdapter.findUserById(refreshToken.userId);
 	if (!user) throw new APIError("BAD_REQUEST", {
 		error_description: "user not found",
@@ -1004,14 +1015,9 @@ async function resolveIntrospectionSub(opts, payload, client) {
 	return payload;
 }
 async function introspectEndpoint(ctx, opts) {
-	let { client_id, client_secret, token, token_type_hint } = ctx.body;
-	const authorization = ctx.request?.headers.get("authorization") || null;
-	if (authorization?.startsWith("Basic ")) {
-		const res = basicToClientCredentials(authorization);
-		client_id = res?.client_id;
-		client_secret = res?.client_secret;
-	}
-	if (!client_id || !client_secret) throw new APIError$1("UNAUTHORIZED", {
+	let { token, token_type_hint } = ctx.body;
+	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/introspect`));
+	if (!client_id || !client_secret && !preVerifiedClient) throw new APIError$1("UNAUTHORIZED", {
 		error_description: "missing required credentials",
 		error: "invalid_client"
 	});
@@ -1020,7 +1026,7 @@ async function introspectEndpoint(ctx, opts) {
 		error_description: "missing a required token for introspection",
 		error: "invalid_request"
 	});
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, preVerifiedClient);
 	try {
 		if (token_type_hint === void 0 || token_type_hint === "access_token") try {
 			return resolveIntrospectionSub(opts, await validateAccessToken(ctx, opts, token, client.clientId), client);
@@ -1264,14 +1270,59 @@ async function checkOAuthClient(client, opts, settings) {
 		error: "invalid_client_metadata",
 		error_description: `pkce is required for registered clients.`
 	});
+	if (client.token_endpoint_auth_method === "private_key_jwt") {
+		if (client.jwks && client.jwks_uri) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "jwks and jwks_uri are mutually exclusive"
+		});
+		if (!client.jwks && !client.jwks_uri) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "private_key_jwt requires either jwks or jwks_uri"
+		});
+		if (client.jwks_uri) try {
+			const uri = new URL(client.jwks_uri);
+			if (uri.protocol !== "https:") throw new APIError("BAD_REQUEST", {
+				error: "invalid_client_metadata",
+				error_description: "jwks_uri must use HTTPS"
+			});
+			if (isPrivateHostname(uri.hostname)) throw new APIError("BAD_REQUEST", {
+				error: "invalid_client_metadata",
+				error_description: "jwks_uri must not point to a private or reserved address"
+			});
+			if (settings?.ctx && !settings.ctx.context.isTrustedOrigin(uri.href)) throw new APIError("BAD_REQUEST", {
+				error: "invalid_client_metadata",
+				error_description: "jwks_uri must belong to a trusted origin"
+			});
+		} catch (e) {
+			if (e instanceof APIError) throw e;
+			throw new APIError("BAD_REQUEST", {
+				error: "invalid_client_metadata",
+				error_description: "jwks_uri must be a valid URL"
+			});
+		}
+		if (client.jwks) {
+			const keys = Array.isArray(client.jwks) ? client.jwks : client.jwks.keys;
+			if (!Array.isArray(keys) || keys.length === 0) throw new APIError("BAD_REQUEST", {
+				error: "invalid_client_metadata",
+				error_description: "jwks must be a non-empty array of JWK objects or a JWKS document {keys:[...]}"
+			});
+		}
+	} else if (client.jwks || client.jwks_uri) throw new APIError("BAD_REQUEST", {
+		error: "invalid_client_metadata",
+		error_description: "jwks and jwks_uri are only allowed with private_key_jwt authentication"
+	});
 }
 async function createOAuthClientEndpoint(ctx, opts, settings) {
 	const body = ctx.body;
 	const session = await getSessionFromCtx(ctx);
 	const isPublic = body.token_endpoint_auth_method === "none";
-	await checkOAuthClient(ctx.body, opts, settings);
+	const isPrivateKeyJwt = body.token_endpoint_auth_method === "private_key_jwt";
+	await checkOAuthClient(ctx.body, opts, {
+		...settings,
+		ctx
+	});
 	const clientId = opts.generateClientId?.() || generateRandomString(32, "a-z", "A-Z");
-	const clientSecret = isPublic ? void 0 : opts.generateClientSecret?.() || generateRandomString(32, "a-z", "A-Z");
+	const clientSecret = isPublic || isPrivateKeyJwt ? void 0 : opts.generateClientSecret?.() || generateRandomString(32, "a-z", "A-Z");
 	const storedClientSecret = clientSecret ? await storeClientSecret(ctx, opts, clientSecret) : void 0;
 	const iat = Math.floor(Date.now() / 1e3);
 	const referenceId = opts.clientReference ? await opts.clientReference({
@@ -1281,8 +1332,6 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 	const schema = oauthToSchema({
 		...body ?? {},
 		disabled: void 0,
-		jwks: void 0,
-		jwks_uri: void 0,
 		client_secret_expires_at: storedClientSecret ? settings.isRegister && opts?.clientRegistrationClientSecretExpiration ? toExpJWT(opts.clientRegistrationClientSecretExpiration, iat) : 0 : void 0,
 		client_id: clientId,
 		client_secret: storedClientSecret,
@@ -1317,7 +1366,7 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 * @returns
 */
 function oauthToSchema(input) {
-	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: _jwks, jwks_uri: _jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, require_pkce: requirePKCE, subject_type: subjectType, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
+	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: inputJwks, jwks_uri: jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, require_pkce: requirePKCE, subject_type: subjectType, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
 	const expiresAt = _expiresAt ? /* @__PURE__ */ new Date(_expiresAt * 1e3) : void 0;
 	const createdAt = _createdAt ? /* @__PURE__ */ new Date(_createdAt * 1e3) : void 0;
 	const scopes = _scope?.split(" ");
@@ -1325,6 +1374,7 @@ function oauthToSchema(input) {
 		...rest && Object.keys(rest).length ? rest : {},
 		...inputMetadata && typeof inputMetadata === "object" ? inputMetadata : {}
 	};
+	const metadata = Object.keys(metadataObj).length ? JSON.stringify(metadataObj) : void 0;
 	return {
 		clientId,
 		clientSecret,
@@ -1347,6 +1397,8 @@ function oauthToSchema(input) {
 		tokenEndpointAuthMethod,
 		grantTypes,
 		responseTypes,
+		jwks: inputJwks ? JSON.stringify({ keys: Array.isArray(inputJwks) ? inputJwks : inputJwks.keys }) : void 0,
+		jwksUri,
 		public: _public,
 		type,
 		skipConsent,
@@ -1354,7 +1406,7 @@ function oauthToSchema(input) {
 		requirePKCE,
 		subjectType,
 		referenceId,
-		metadata: Object.keys(metadataObj).length ? JSON.stringify(metadataObj) : void 0
+		metadata
 	};
 }
 /**
@@ -1364,7 +1416,7 @@ function oauthToSchema(input) {
 * @returns
 */
 function schemaToOAuth(input) {
-	const { clientId, clientSecret, disabled, scopes, userId, createdAt, updatedAt: _updatedAt, expiresAt, name, uri, icon, contacts, tos, policy, softwareId, softwareVersion, softwareStatement, redirectUris, postLogoutRedirectUris, tokenEndpointAuthMethod, grantTypes, responseTypes, public: _public, type, skipConsent, enableEndSession, requirePKCE, subjectType, referenceId, metadata } = input;
+	const { clientId, clientSecret, disabled, scopes, userId, createdAt, updatedAt: _updatedAt, expiresAt, name, uri, icon, contacts, tos, policy, softwareId, softwareVersion, softwareStatement, redirectUris, postLogoutRedirectUris, tokenEndpointAuthMethod, grantTypes, responseTypes, public: _public, type, jwks, jwksUri, skipConsent, enableEndSession, requirePKCE, subjectType, referenceId, metadata } = input;
 	const _expiresAt = expiresAt ? Math.round(new Date(expiresAt).getTime() / 1e3) : void 0;
 	const _createdAt = createdAt ? Math.round(new Date(createdAt).getTime() / 1e3) : void 0;
 	const _scopes = scopes?.join(" ");
@@ -1382,6 +1434,8 @@ function schemaToOAuth(input) {
 		contacts: contacts ?? void 0,
 		tos_uri: tos ?? void 0,
 		policy_uri: policy ?? void 0,
+		jwks: jwks ? JSON.parse(jwks).keys : void 0,
+		jwks_uri: jwksUri ?? void 0,
 		software_id: softwareId ?? void 0,
 		software_version: softwareVersion ?? void 0,
 		software_statement: softwareStatement ?? void 0,
@@ -1558,7 +1612,14 @@ async function updateClientEndpoint(ctx, opts) {
 	await checkOAuthClient({
 		...schemaToOAuth(client),
 		...updates
-	}, opts);
+	}, opts, { ctx });
+	const schemaUpdates = { ...oauthToSchema(updates) };
+	if (updates.token_endpoint_auth_method) if (updates.token_endpoint_auth_method === "private_key_jwt") schemaUpdates.clientSecret = null;
+	else {
+		schemaUpdates.jwks = null;
+		schemaUpdates.jwksUri = null;
+		if (!schemaUpdates.clientSecret) schemaUpdates.clientSecret = await storeClientSecret(ctx, opts, opts.generateClientSecret?.() || generateRandomString(32, "a-z", "A-Z"));
+	}
 	const updatedClient = await ctx.context.adapter.update({
 		model: "oauthClient",
 		where: [{
@@ -1566,7 +1627,7 @@ async function updateClientEndpoint(ctx, opts) {
 			value: clientId
 		}],
 		update: {
-			...oauthToSchema(updates),
+			...schemaUpdates,
 			updatedAt: /* @__PURE__ */ new Date(Math.floor(Date.now() / 1e3) * 1e3)
 		}
 	});
@@ -1604,7 +1665,7 @@ async function rotateClientSecretEndpoint(ctx, opts) {
 		if (client.referenceId !== await opts.clientReference(session)) throw new APIError("UNAUTHORIZED");
 	} else throw new APIError("UNAUTHORIZED");
 	if (client.public || !client.clientSecret) throw new APIError("BAD_REQUEST", {
-		error_description: "public clients cannot be updated",
+		error_description: "secret rotation is only available for clients using client_secret authentication",
 		error: "invalid_client"
 	});
 	const clientSecret = opts.generateClientSecret?.() || generateRandomString(32, "a-z", "A-Z");
@@ -1649,8 +1710,11 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 		token_endpoint_auth_method: z.enum([
 			"none",
 			"client_secret_basic",
-			"client_secret_post"
+			"client_secret_post",
+			"private_key_jwt"
 		]).default("client_secret_basic").optional(),
+		jwks: z.union([z.array(z.record(z.string(), z.unknown())), z.object({ keys: z.array(z.record(z.string(), z.unknown())) })]).optional(),
+		jwks_uri: z.string().optional(),
 		grant_types: z.array(z.enum([
 			"authorization_code",
 			"client_credentials",
@@ -1832,8 +1896,11 @@ const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client",
 		token_endpoint_auth_method: z.enum([
 			"none",
 			"client_secret_basic",
-			"client_secret_post"
+			"client_secret_post",
+			"private_key_jwt"
 		]).default("client_secret_basic").optional(),
+		jwks: z.union([z.array(z.record(z.string(), z.unknown())), z.object({ keys: z.array(z.record(z.string(), z.unknown())) })]).optional(),
+		jwks_uri: z.string().optional(),
 		grant_types: z.array(z.enum([
 			"authorization_code",
 			"client_credentials",
@@ -2391,13 +2458,8 @@ async function revokeAccessToken(ctx, opts, clientId, token) {
 	});
 }
 async function revokeEndpoint(ctx, opts) {
-	let { client_id, client_secret, token, token_type_hint } = ctx.body;
-	const authorization = ctx.request?.headers.get("authorization") || null;
-	if (authorization?.startsWith("Basic ")) {
-		const res = basicToClientCredentials(authorization);
-		client_id = res?.client_id;
-		client_secret = res?.client_secret;
-	}
+	let { token, token_type_hint } = ctx.body;
+	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/revoke`));
 	if (!client_id) throw new APIError$1("UNAUTHORIZED", {
 		error_description: "missing required credentials",
 		error: "invalid_client"
@@ -2407,7 +2469,7 @@ async function revokeEndpoint(ctx, opts) {
 		error_description: "missing a required token for introspection",
 		error: "invalid_request"
 	});
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, preVerifiedClient);
 	try {
 		if (token_type_hint === void 0 || token_type_hint === "access_token") try {
 			return await revokeAccessToken(ctx, opts, client.clientId, token);
@@ -2542,6 +2604,14 @@ const schema = {
 				type: "string",
 				required: false
 			},
+			jwks: {
+				type: "string",
+				required: false
+			},
+			jwksUri: {
+				type: "string",
+				required: false
+			},
 			grantTypes: {
 				type: "string[]",
 				required: false
@@ -2806,7 +2876,7 @@ const oauthProvider = (options) => {
 					queryParams.delete("sig");
 					queryParams.delete("exp");
 					await oAuthState.set({ query: queryParams.toString() });
-					if (ctx.path === "/sign-in/social" || ctx.path === "/sign-in/oauth2") {
+					if (ctx.path === "/sign-in/social") {
 						if (ctx.body.additionalData?.query) return;
 						if (!ctx.body.additionalData) ctx.body.additionalData = {};
 						ctx.body.additionalData.query = queryParams.toString();
@@ -2840,12 +2910,15 @@ const oauthProvider = (options) => {
 				metadata: { SERVER_ONLY: true }
 			}, async (ctx) => {
 				if (opts.scopes && opts.scopes.includes("openid")) return oidcServerMetadata(ctx, opts);
-				else return authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context)?.options, {
-					scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
-					public_client_supported: opts.allowUnauthenticatedClientRegistration,
-					grant_types_supported: opts.grantTypes,
-					jwt_disabled: opts.disableJwtPlugin
-				});
+				else return {
+					...authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context)?.options, {
+						scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+						public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
+						grant_types_supported: opts.grantTypes,
+						jwt_disabled: opts.disableJwtPlugin
+					}),
+					...mergeDiscoveryMetadata(opts.clientDiscovery)
+				};
 			}),
 			getOpenIdConfig: createAuthEndpoint("/.well-known/openid-configuration", {
 				method: "GET",
@@ -3044,6 +3117,8 @@ const oauthProvider = (options) => {
 					]),
 					client_id: z.string().optional(),
 					client_secret: z.string().optional(),
+					client_assertion: z.string().optional(),
+					client_assertion_type: z.string().optional(),
 					code: z.string().optional(),
 					code_verifier: z.string().optional(),
 					redirect_uri: SafeUrlSchema.optional(),
@@ -3168,6 +3243,8 @@ const oauthProvider = (options) => {
 				body: z.object({
 					client_id: z.string().optional(),
 					client_secret: z.string().optional(),
+					client_assertion: z.string().optional(),
+					client_assertion_type: z.string().optional(),
 					token: z.string(),
 					token_type_hint: z.enum(["access_token", "refresh_token"]).optional()
 				}),
@@ -3286,6 +3363,8 @@ const oauthProvider = (options) => {
 				body: z.object({
 					client_id: z.string().optional(),
 					client_secret: z.string().optional(),
+					client_assertion: z.string().optional(),
+					client_assertion_type: z.string().optional(),
 					token: z.string(),
 					token_type_hint: z.enum(["access_token", "refresh_token"]).optional()
 				}),
@@ -3483,8 +3562,11 @@ const oauthProvider = (options) => {
 					token_endpoint_auth_method: z.enum([
 						"none",
 						"client_secret_basic",
-						"client_secret_post"
+						"client_secret_post",
+						"private_key_jwt"
 					]).default("client_secret_basic").optional(),
+					jwks: z.union([z.array(z.record(z.string(), z.unknown())), z.object({ keys: z.array(z.record(z.string(), z.unknown())) })]).optional(),
+					jwks_uri: z.string().optional(),
 					grant_types: z.array(z.enum([
 						"authorization_code",
 						"client_credentials",
@@ -3589,7 +3671,8 @@ const oauthProvider = (options) => {
 									enum: [
 										"none",
 										"client_secret_basic",
-										"client_secret_post"
+										"client_secret_post",
+										"private_key_jwt"
 									]
 								},
 								grant_types: {
@@ -3974,10 +4057,22 @@ function authServerMetadata(ctx, opts, overrides) {
 		token_endpoint_auth_methods_supported: [
 			...overrides?.public_client_supported ? ["none"] : [],
 			"client_secret_basic",
-			"client_secret_post"
+			"client_secret_post",
+			"private_key_jwt"
 		],
-		introspection_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
-		revocation_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"],
+		token_endpoint_auth_signing_alg_values_supported: [...ASSERTION_SIGNING_ALGORITHMS],
+		introspection_endpoint_auth_methods_supported: [
+			"client_secret_basic",
+			"client_secret_post",
+			"private_key_jwt"
+		],
+		introspection_endpoint_auth_signing_alg_values_supported: [...ASSERTION_SIGNING_ALGORITHMS],
+		revocation_endpoint_auth_methods_supported: [
+			"client_secret_basic",
+			"client_secret_post",
+			"private_key_jwt"
+		],
+		revocation_endpoint_auth_signing_alg_values_supported: [...ASSERTION_SIGNING_ALGORITHMS],
 		code_challenge_methods_supported: ["S256"],
 		authorization_response_iss_parameter_supported: true
 	};
@@ -3988,7 +4083,7 @@ function oidcServerMetadata(ctx, opts) {
 	return {
 		...authServerMetadata(ctx, jwtPluginOptions, {
 			scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
-			public_client_supported: opts.allowUnauthenticatedClientRegistration,
+			public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
 			grant_types_supported: opts.grantTypes,
 			jwt_disabled: opts.disableJwtPlugin
 		}),
@@ -4004,7 +4099,8 @@ function oidcServerMetadata(ctx, opts) {
 			"create",
 			"select_account",
 			"none"
-		]
+		],
+		...mergeDiscoveryMetadata(opts.clientDiscovery)
 	};
 }
 const METADATA_CACHE_CONTROL = "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400";
@@ -4050,4 +4146,4 @@ const oauthProviderOpenIdConfigMetadata = (auth, opts) => {
 	};
 };
 //#endregion
-export { authServerMetadata, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };
+export { authServerMetadata, checkOAuthClient, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oauthToSchema, oidcServerMetadata };

package/dist/mcp-CYnz-MXn.mjs

@@ -0,0 +1,56 @@
+import { isAPIError } from "better-auth/api";
+import { verifyAccessToken } from "better-auth/oauth2";
+import { APIError as APIError$1 } from "better-call";
+//#region src/mcp.ts
+/**
+* A request middleware handler that checks and responds with
+* a WWW-Authenticate header for unauthenticated responses.
+*
+* @external
+*/
+const mcpHandler = (verifyOptions, handler, opts) => {
+	return async (req) => {
+		const authorization = req.headers?.get("authorization") ?? void 0;
+		const accessToken = authorization?.startsWith("Bearer ") ? authorization.replace("Bearer ", "") : authorization;
+		try {
+			if (!accessToken?.length) throw new APIError$1("UNAUTHORIZED", { message: "missing authorization header" });
+			return handler(req, await verifyAccessToken(accessToken, verifyOptions));
+		} catch (error) {
+			try {
+				handleMcpErrors(error, verifyOptions.verifyOptions.audience, opts);
+			} catch (err) {
+				if (err instanceof APIError$1) return new Response(err.message, {
+					...err,
+					status: err.statusCode
+				});
+				throw new Error(String(err));
+			}
+			throw new Error(String(error));
+		}
+	};
+};
+/**
+* The following handles all MCP errors and API errors
+*
+* @internal
+*/
+function handleMcpErrors(error, resource, opts) {
+	if (isAPIError(error) && error.status === "UNAUTHORIZED") {
+		const wwwAuthenticateValue = (Array.isArray(resource) ? resource : [resource]).map((v) => {
+			let audiencePath;
+			if (URL.canParse?.(v)) {
+				const url = new URL(v);
+				audiencePath = url.pathname.endsWith("/") ? url.pathname.slice(0, -1) : url.pathname;
+				return `Bearer resource_metadata="${url.origin}/.well-known/oauth-protected-resource${audiencePath}"`;
+			} else {
+				const resourceMetadata = opts?.resourceMetadataMappings?.[v];
+				if (!resourceMetadata) throw new APIError$1("INTERNAL_SERVER_ERROR", { message: `missing resource_metadata mapping for ${v}` });
+				return `Bearer resource_metadata=${resourceMetadata}`;
+			}
+		}).join(", ");
+		throw new APIError$1("UNAUTHORIZED", { message: error.message }, { "WWW-Authenticate": wwwAuthenticateValue });
+	} else if (error instanceof Error) throw error;
+	else throw new Error(error);
+}
+//#endregion
+export { mcpHandler as n, handleMcpErrors as t };