@better-auth/oauth-provider 1.6.3 → 1.7.0-beta.1

package/dist/{oauth-DH61OMT6.d.mts → oauth-B_qonG53.d.mts}

@@ -1,4 +1,4 @@
-import { c as OAuthConsent, i as OIDCMetadata, m as Scope, r as OAuthClient, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-IpUqx-_N.mjs";
+import { _ as Scope, d as OAuthConsent, h as Prompt, i as OAuthClient, p as OAuthOptions, r as GrantType, s as TokenEndpointAuthMethod, t as AuthMethod } from "./oauth-CU79t-eG.mjs";
 import * as better_call0 from "better-call";
 import * as z from "zod";
 import * as better_auth_plugins0 from "better-auth/plugins";
@@ -54,7 +54,64 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       metadata: {
         SERVER_ONLY: true;
       };
-    }, AuthServerMetadata>;
+    }, {
+      jwks_uri?: string | undefined;
+      userinfo_endpoint: string;
+      acr_values_supported: string[];
+      subject_types_supported: ("public" | "pairwise")[];
+      claims_supported: string[];
+      end_session_endpoint: string;
+      prompt_values_supported: Prompt[];
+      issuer: string;
+      authorization_endpoint: string;
+      token_endpoint: string;
+      registration_endpoint: string;
+      scopes_supported?: string[] | undefined;
+      response_types_supported: "code"[];
+      response_modes_supported: "query"[];
+      grant_types_supported: GrantType[];
+      token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
+      token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      service_documentation?: string | undefined;
+      ui_locales_supported?: string[] | undefined;
+      op_policy_uri?: string | undefined;
+      op_tos_uri?: string | undefined;
+      revocation_endpoint?: string | undefined;
+      revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+      revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      introspection_endpoint?: string | undefined;
+      introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+      introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      code_challenge_methods_supported: "S256"[];
+      authorization_response_iss_parameter_supported?: boolean | undefined;
+      client_id_metadata_document_supported?: boolean | undefined;
+      id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
+    } | {
+      issuer: string;
+      authorization_endpoint: string;
+      token_endpoint: string;
+      jwks_uri?: string;
+      registration_endpoint: string;
+      scopes_supported?: string[];
+      response_types_supported: "code"[];
+      response_modes_supported: "query"[];
+      grant_types_supported: GrantType[];
+      token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[];
+      token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[];
+      service_documentation?: string;
+      ui_locales_supported?: string[];
+      op_policy_uri?: string;
+      op_tos_uri?: string;
+      revocation_endpoint?: string;
+      revocation_endpoint_auth_methods_supported?: AuthMethod[];
+      revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[];
+      introspection_endpoint?: string;
+      introspection_endpoint_auth_methods_supported?: AuthMethod[];
+      introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[];
+      code_challenge_methods_supported: "S256"[];
+      authorization_response_iss_parameter_supported?: boolean;
+      client_id_metadata_document_supported?: boolean;
+    }>;
     /**
      * A server-only endpoint that helps provide the
      * OpenId configuration at the well-known endpoint.
@@ -67,7 +124,37 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       metadata: {
         SERVER_ONLY: true;
       };
-    }, Omit<OIDCMetadata, "id_token_signing_alg_values_supported"> & {
+    }, {
+      jwks_uri?: string | undefined;
+      userinfo_endpoint: string;
+      acr_values_supported: string[];
+      subject_types_supported: ("public" | "pairwise")[];
+      claims_supported: string[];
+      end_session_endpoint: string;
+      prompt_values_supported: Prompt[];
+      issuer: string;
+      authorization_endpoint: string;
+      token_endpoint: string;
+      registration_endpoint: string;
+      scopes_supported?: string[] | undefined;
+      response_types_supported: "code"[];
+      response_modes_supported: "query"[];
+      grant_types_supported: GrantType[];
+      token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
+      token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      service_documentation?: string | undefined;
+      ui_locales_supported?: string[] | undefined;
+      op_policy_uri?: string | undefined;
+      op_tos_uri?: string | undefined;
+      revocation_endpoint?: string | undefined;
+      revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+      revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      introspection_endpoint?: string | undefined;
+      introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+      introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      code_challenge_methods_supported: "S256"[];
+      authorization_response_iss_parameter_supported?: boolean | undefined;
+      client_id_metadata_document_supported?: boolean | undefined;
       id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
     }>;
     oauth2Authorize: better_call0.StrictEndpoint<"/oauth2/authorize", {
@@ -298,6 +385,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         }>;
         client_id: z.ZodOptional<z.ZodString>;
         client_secret: z.ZodOptional<z.ZodString>;
+        client_assertion: z.ZodOptional<z.ZodString>;
+        client_assertion_type: z.ZodOptional<z.ZodString>;
         code: z.ZodOptional<z.ZodString>;
         code_verifier: z.ZodOptional<z.ZodString>;
         redirect_uri: z.ZodOptional<z.ZodURL>;
@@ -438,6 +527,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       body: z.ZodObject<{
         client_id: z.ZodOptional<z.ZodString>;
         client_secret: z.ZodOptional<z.ZodString>;
+        client_assertion: z.ZodOptional<z.ZodString>;
+        client_assertion_type: z.ZodOptional<z.ZodString>;
         token: z.ZodString;
         token_type_hint: z.ZodOptional<z.ZodEnum<{
           refresh_token: "refresh_token";
@@ -575,6 +666,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       body: z.ZodObject<{
         client_id: z.ZodOptional<z.ZodString>;
         client_secret: z.ZodOptional<z.ZodString>;
+        client_assertion: z.ZodOptional<z.ZodString>;
+        client_assertion_type: z.ZodOptional<z.ZodString>;
         token: z.ZodString;
         token_type_hint: z.ZodOptional<z.ZodEnum<{
           refresh_token: "refresh_token";
@@ -833,7 +926,12 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           none: "none";
           client_secret_basic: "client_secret_basic";
           client_secret_post: "client_secret_post";
+          private_key_jwt: "private_key_jwt";
         }>>>;
+        jwks: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>, z.ZodObject<{
+          keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        }, z.core.$strip>]>>;
+        jwks_uri: z.ZodOptional<z.ZodString>;
         grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
           authorization_code: "authorization_code";
           client_credentials: "client_credentials";
@@ -1006,7 +1104,12 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           none: "none";
           client_secret_basic: "client_secret_basic";
           client_secret_post: "client_secret_post";
+          private_key_jwt: "private_key_jwt";
         }>>>;
+        jwks: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>, z.ZodObject<{
+          keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        }, z.core.$strip>]>>;
+        jwks_uri: z.ZodOptional<z.ZodString>;
         grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
           authorization_code: "authorization_code";
           client_credentials: "client_credentials";
@@ -1210,7 +1313,12 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           none: "none";
           client_secret_basic: "client_secret_basic";
           client_secret_post: "client_secret_post";
+          private_key_jwt: "private_key_jwt";
         }>>>;
+        jwks: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>, z.ZodObject<{
+          keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        }, z.core.$strip>]>>;
+        jwks_uri: z.ZodOptional<z.ZodString>;
         grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
           authorization_code: "authorization_code";
           client_credentials: "client_credentials";
@@ -1876,6 +1984,14 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           type: "string";
           required: false;
         };
+        jwks: {
+          type: "string";
+          required: false;
+        };
+        jwksUri: {
+          type: "string";
+          required: false;
+        };
         grantTypes: {
           type: "string[]";
           required: false;

package/dist/{oauth-IpUqx-_N.d.mts → oauth-CU79t-eG.d.mts}

@@ -1,3 +1,4 @@
+import { AssertionSigningAlgorithm } from "@better-auth/core/oauth2";
 import { JWSAlgorithms } from "better-auth/plugins";
 import { JWTPayload } from "jose";
 import { InferOptionSchema, Session, User } from "better-auth/types";
@@ -102,6 +103,14 @@ declare const schema: {
         type: "string";
         required: false;
       };
+      jwks: {
+        type: "string";
+        required: false;
+      };
+      jwksUri: {
+        type: "string";
+        required: false;
+      };
       grantTypes: {
         type: "string[]";
         required: false;
@@ -306,6 +315,46 @@ type InternallySupportedScopes = "openid" | "profile" | "email" | "offline_acces
 type Scope = LiteralString | InternallySupportedScopes;
 type Prompt = "none" | "consent" | "login" | "create" | "select_account";
 type AuthorizePrompt = Prompt | "login consent" | "select_account consent";
+/**
+ * Describes how to resolve a `client_id` from an external source (a URL-based
+ * metadata document, a federated registry, an attestation header, etc.) and
+ * what fields that source contributes to discovery metadata.
+ *
+ * Plugins install one of these onto {@link OAuthOptions.clientDiscovery}.
+ * The host walks the configured entries in order and returns the first
+ * non-null `resolve()` result.
+ */
+interface ClientDiscovery<Scopes extends readonly Scope[] = InternallySupportedScopes[]> {
+  /**
+   * Stable identifier used in error messages and diagnostics. Convention
+   * is to match the plugin id (for example `"cimd"`).
+   */
+  readonly id: string;
+  /**
+   * Return `true` if this discovery handles the given `client_id`. Called
+   * on every `getClient()` lookup for every configured discovery, so keep
+   * it cheap and synchronous.
+   */
+  matches: (clientId: string) => boolean;
+  /**
+   * Resolve a client when this discovery matches. Receives the existing DB
+   * record (or `null`) so an implementation can decide between creating,
+   * refreshing, or passing through to the database result.
+   *
+   * Return:
+   * - a client record: `getClient()` returns it (creation / refresh / takeover).
+   * - `null`: `getClient()` falls through to the next matching discovery
+   *   or to the database record (if any).
+   */
+  resolve: (ctx: GenericEndpointContext, clientId: string, existing: SchemaClient<Scopes> | null) => Awaitable<SchemaClient<Scopes> | null>;
+  /**
+   * Fields merged into `/.well-known/oauth-authorization-server` and
+   * `/.well-known/openid-configuration` responses. Useful for advertising
+   * RFC-registered discovery flags like
+   * `client_id_metadata_document_supported`.
+   */
+  discoveryMetadata?: Record<string, unknown>;
+}
 interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScopes[]> {
   /**
    * Custom schema definitions
@@ -388,6 +437,13 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
    * { "write:payments": "5m", "read:payments": "30m" }
    */
   scopeExpirations?: { [K in Scopes[number]]?: number | string | Date };
+  /**
+   * Maximum lifetime in seconds for client assertion JWTs
+   * used with `private_key_jwt` authentication.
+   *
+   * @default 300 (5 minutes)
+   */
+  assertionMaxLifetime?: number;
   /**
    * Allows /oauth2/public-client-prelogin endpoint to be
    * requestable prior to login via a valid oauth_query.
@@ -396,10 +452,13 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
   /**
    * Allow unauthenticated dynamic client registration.
    *
-   * Support for `allowUnauthenticatedClientRegistration` **will be deprecated**
-   * when the MCP protocol standardizes unauthenticated dynamic client registration.
-   * As of writing, both [Client ID Metadata Documents](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/991)
-   * and [`software_statement` and `jwks_uri`](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/1032) are under debate.
+   * When enabled, the `/oauth2/register` endpoint accepts requests
+   * without a session, but only for public clients
+   * (`token_endpoint_auth_method: "none"`).
+   *
+   * For verified client discovery (MCP), consider installing the
+   * `@better-auth/cimd` plugin, which verifies client identity through
+   * domain ownership via Client ID Metadata Documents.
    *
    * @default false
    */
@@ -410,6 +469,21 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
    * @default false
    */
   allowDynamicClientRegistration?: boolean;
+  /**
+   * Discovery implementations consulted by `getClient()` when resolving
+   * a `client_id`. Each entry decides whether it handles the `client_id`
+   * via {@link ClientDiscovery.matches}, then creates, refreshes, or
+   * passes on a client record. Entries run in order; the first one to
+   * return a client wins.
+   *
+   * Each entry also contributes {@link ClientDiscovery.discoveryMetadata}
+   * into the `/.well-known/oauth-authorization-server` and
+   * `/.well-known/openid-configuration` responses.
+   *
+   * Plugins such as `@better-auth/cimd` install an entry here at init
+   * time; users can also pass discovery implementations directly.
+   */
+  clientDiscovery?: ClientDiscovery<Scopes> | ClientDiscovery<Scopes>[];
   /**
    * List of scopes for newly registered clients
    * if not requested.
@@ -1186,9 +1260,13 @@ interface SchemaClient<Scopes extends readonly Scope[] = InternallySupportedScop
    * For example, `https://example.com/logout/callback`
    */
   postLogoutRedirectUris?: string[];
-  tokenEndpointAuthMethod?: "none" | "client_secret_basic" | "client_secret_post";
+  tokenEndpointAuthMethod?: "none" | "client_secret_basic" | "client_secret_post" | "private_key_jwt";
   grantTypes?: GrantType[];
   responseTypes?: "code"[];
+  /** Client's JSON Web Key Set for `private_key_jwt` authentication. Mutually exclusive with `jwksUri`. */
+  jwks?: string;
+  /** URI for the client's JSON Web Key Set. Mutually exclusive with `jwks`. Must be HTTPS. */
+  jwksUri?: string;
   /**
    * Indicates whether the client is public or confidential.
    * If public, refreshing tokens doesn't require
@@ -1325,7 +1403,7 @@ type OAuthConsent<Scopes extends readonly Scope[] = InternallySupportedScopes[]>
  * Supported grant types of the token endpoint
  */
 type GrantType = "authorization_code" | "client_credentials" | "refresh_token";
-type AuthMethod = "client_secret_basic" | "client_secret_post";
+type AuthMethod = "client_secret_basic" | "client_secret_post" | "private_key_jwt";
 type TokenEndpointAuthMethod = AuthMethod | "none";
 type BearerMethodsSupported = "header" | "body";
 /**
@@ -1402,7 +1480,7 @@ interface AuthServerMetadata {
    * token endpoint for the "private_key_jwt" and "client_secret_jwt"
    * authentication methods (see field token_endpoint_auth_methods_supported).
    */
-  token_endpoint_auth_signing_alg_values_supported?: JWSAlgorithms[];
+  token_endpoint_auth_signing_alg_values_supported?: AssertionSigningAlgorithm[];
   /**
    * URL of a page containing human-readable information
    * that developers might want or need to know when using the
@@ -1448,7 +1526,7 @@ interface AuthServerMetadata {
    * token endpoint for the "private_key_jwt" and "client_secret_jwt"
    * authentication methods (see field revocation_endpoint_auth_methods_supported).
    */
-  revocation_endpoint_auth_signing_alg_values_supported?: JWSAlgorithms[];
+  revocation_endpoint_auth_signing_alg_values_supported?: AssertionSigningAlgorithm[];
   /**
    * URL of the authorization server's OAuth 2.0
    * introspection endpoint [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662)
@@ -1469,7 +1547,7 @@ interface AuthServerMetadata {
    * the "private_key_jwt" and "client_secret_jwt" authentication methods
    * (see field introspection_endpoint_auth_methods_supported).
    */
-  introspection_endpoint_auth_signing_alg_values_supported?: JWSAlgorithms[];
+  introspection_endpoint_auth_signing_alg_values_supported?: AssertionSigningAlgorithm[];
   /**
    * Supported code challenge methods.
    *
@@ -1484,6 +1562,17 @@ interface AuthServerMetadata {
    * @default true
    */
   authorization_response_iss_parameter_supported?: boolean;
+  /**
+   * Whether the authorization server supports discovering clients via
+   * [Client ID Metadata Documents](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/)
+   * (an HTTPS URL as `client_id`).
+   *
+   * Set at runtime by the `@better-auth/cimd` plugin (or any other
+   * `ClientDiscovery` that contributes this field via
+   * {@link ClientDiscovery.discoveryMetadata}). oauth-provider never sets
+   * it on its own.
+   */
+  client_id_metadata_document_supported?: boolean;
 }
 /**
  * Metadata returned by the openid-configuration endpoint:
@@ -1576,14 +1665,17 @@ interface OAuthClient {
   contacts?: string[];
   tos_uri?: string;
   policy_uri?: string;
-  jwks?: string[];
+  /** JWK Set — accepts either a bare key array or an RFC 7517 JWKS object `{"keys":[...]}` */
+  jwks?: Record<string, unknown>[] | {
+    keys: Record<string, unknown>[];
+  };
   jwks_uri?: string;
   software_id?: string;
   software_version?: string;
   software_statement?: string;
   redirect_uris: string[];
   post_logout_redirect_uris?: string[];
-  token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post";
+  token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post" | "private_key_jwt";
   grant_types?: GrantType[];
   response_types?: "code"[];
   public?: boolean;
@@ -1647,4 +1739,4 @@ interface ResourceServerMetadata {
   dpop_bound_access_tokens_required?: boolean;
 }
 //#endregion
-export { Awaitable as _, ResourceServerMetadata as a, OAuthConsent as c, OAuthRefreshToken as d, Prompt as f, VerificationValue as g, StoreTokenType as h, OIDCMetadata as i, OAuthOpaqueAccessToken as l, Scope as m, GrantType as n, AuthorizePrompt as o, SchemaClient as p, OAuthClient as r, OAuthAuthorizationQuery as s, AuthServerMetadata as t, OAuthOptions as u };
+export { Scope as _, OIDCMetadata as a, Awaitable as b, AuthorizePrompt as c, OAuthConsent as d, OAuthOpaqueAccessToken as f, SchemaClient as g, Prompt as h, OAuthClient as i, ClientDiscovery as l, OAuthRefreshToken as m, AuthServerMetadata as n, ResourceServerMetadata as o, OAuthOptions as p, GrantType as r, TokenEndpointAuthMethod as s, AuthMethod as t, OAuthAuthorizationQuery as u, StoreTokenType as v, VerificationValue as y };

package/dist/{utils-B9Pj9EPf.mjs → utils-Cx_XnD9i.mjs}

@@ -1,62 +1,8 @@
-import { isAPIError } from "better-auth/api";
-import { verifyAccessToken } from "better-auth/oauth2";
-import { APIError as APIError$1 } from "better-call";
+import { APIError } from "better-call";
 import { constantTimeEqual, makeSignature, symmetricDecrypt, symmetricEncrypt } from "better-auth/crypto";
 import { BetterAuthError } from "@better-auth/core/error";
 import { base64, base64Url } from "@better-auth/utils/base64";
 import { createHash } from "@better-auth/utils/hash";
-//#region src/mcp.ts
-/**
-* A request middleware handler that checks and responds with
-* a WWW-Authenticate header for unauthenticated responses.
-*
-* @external
-*/
-const mcpHandler = (verifyOptions, handler, opts) => {
-	return async (req) => {
-		const authorization = req.headers?.get("authorization") ?? void 0;
-		const accessToken = authorization?.startsWith("Bearer ") ? authorization.replace("Bearer ", "") : authorization;
-		try {
-			if (!accessToken?.length) throw new APIError$1("UNAUTHORIZED", { message: "missing authorization header" });
-			return handler(req, await verifyAccessToken(accessToken, verifyOptions));
-		} catch (error) {
-			try {
-				handleMcpErrors(error, verifyOptions.verifyOptions.audience, opts);
-			} catch (err) {
-				if (err instanceof APIError$1) return new Response(err.message, {
-					...err,
-					status: err.statusCode
-				});
-				throw new Error(String(err));
-			}
-			throw new Error(String(error));
-		}
-	};
-};
-/**
-* The following handles all MCP errors and API errors
-*
-* @internal
-*/
-function handleMcpErrors(error, resource, opts) {
-	if (isAPIError(error) && error.status === "UNAUTHORIZED") {
-		const wwwAuthenticateValue = (Array.isArray(resource) ? resource : [resource]).map((v) => {
-			let audiencePath;
-			if (URL.canParse?.(v)) {
-				const url = new URL(v);
-				audiencePath = url.pathname.endsWith("/") ? url.pathname.slice(0, -1) : url.pathname;
-				return `Bearer resource_metadata="${url.origin}/.well-known/oauth-protected-resource${audiencePath}"`;
-			} else {
-				const resourceMetadata = opts?.resourceMetadataMappings?.[v];
-				if (!resourceMetadata) throw new APIError$1("INTERNAL_SERVER_ERROR", { message: `missing resource_metadata mapping for ${v}` });
-				return `Bearer resource_metadata=${resourceMetadata}`;
-			}
-		}).join(", ");
-		throw new APIError$1("UNAUTHORIZED", { message: error.message }, { "WWW-Authenticate": wwwAuthenticateValue });
-	} else if (error instanceof Error) throw error;
-	else throw new Error(error);
-}
-//#endregion
 //#region src/utils/index.ts
 var TTLCache = class {
 	cache = /* @__PURE__ */ new Map();
@@ -143,17 +89,49 @@ async function verifyOAuthQueryParams(oauth_query, secret) {
 async function getClient(ctx, options, clientId) {
 	const trustedClient = cachedTrustedClients.get(clientId);
 	if (trustedClient) return Object.assign({}, trustedClient);
-	const dbClient = await ctx.context.adapter.findOne({
+	let dbClient = await ctx.context.adapter.findOne({
 		model: options.schema?.oauthClient?.modelName ?? "oauthClient",
 		where: [{
 			field: "clientId",
 			value: clientId
 		}]
 	});
+	const discoveries = toClientDiscoveryArray(options.clientDiscovery);
+	for (const discovery of discoveries) {
+		if (!discovery.matches(clientId)) continue;
+		const resolved = await discovery.resolve(ctx, clientId, dbClient);
+		if (resolved) {
+			dbClient = resolved;
+			break;
+		}
+	}
 	if (dbClient && options.cachedTrustedClients?.has(clientId)) cachedTrustedClients.set(clientId, Object.assign({}, dbClient));
 	return dbClient;
 }
 /**
+* Normalize the `clientDiscovery` option into an array. Accepts a single
+* {@link ClientDiscovery}, an array of them, or `undefined`.
+*
+* @internal
+*/
+function toClientDiscoveryArray(discovery) {
+	if (!discovery) return [];
+	return Array.isArray(discovery) ? discovery : [discovery];
+}
+/**
+* Merge `discoveryMetadata` from every configured {@link ClientDiscovery}
+* into a single object. Entries are spread in order; later entries override
+* earlier ones on key collisions.
+*
+* @internal
+*/
+function mergeDiscoveryMetadata(discovery) {
+	return toClientDiscoveryArray(discovery).reduce((acc, d) => ({
+		...acc,
+		...d.discoveryMetadata ?? {}
+	}), {});
+}
+/**
 * Default client secret hasher using SHA-256
 *
 * @internal
@@ -183,7 +161,7 @@ async function decryptStoredClientSecret(ctx, storageMethod, storedClientSecret)
 async function verifyStoredClientSecret(ctx, opts, storedClientSecret, clientSecret) {
 	const storageMethod = opts.storeClientSecret ?? (opts.disableJwtPlugin ? "encrypted" : "hashed");
 	if (clientSecret && opts.prefix?.clientSecret) if (clientSecret.startsWith(opts.prefix?.clientSecret)) clientSecret = clientSecret.replace(opts.prefix.clientSecret, "");
-	else throw new APIError$1("UNAUTHORIZED", {
+	else throw new APIError("UNAUTHORIZED", {
 		error_description: "invalid client_secret",
 		error: "invalid_client"
 	});
@@ -254,12 +232,12 @@ function basicToClientCredentials(authorization) {
 	if (authorization.startsWith("Basic ")) {
 		const encoded = authorization.replace("Basic ", "");
 		const decoded = new TextDecoder().decode(base64.decode(encoded));
-		if (!decoded.includes(":")) throw new APIError$1("BAD_REQUEST", {
+		if (!decoded.includes(":")) throw new APIError("BAD_REQUEST", {
 			error_description: "invalid authorization header format",
 			error: "invalid_client"
 		});
 		const [id, secret] = decoded.split(":", 2);
-		if (!id || !secret) throw new APIError$1("BAD_REQUEST", {
+		if (!id || !secret) throw new APIError("BAD_REQUEST", {
 			error_description: "invalid authorization header format",
 			error: "invalid_client"
 		});
@@ -275,31 +253,37 @@ function basicToClientCredentials(authorization) {
 *
 * @internal
 */
-async function validateClientCredentials(ctx, options, clientId, clientSecret, scopes) {
-	const client = await getClient(ctx, options, clientId);
-	if (!client) throw new APIError$1("BAD_REQUEST", {
+async function validateClientCredentials(ctx, options, clientId, clientSecret, scopes, preVerifiedClient) {
+	const client = preVerifiedClient ?? await getClient(ctx, options, clientId);
+	if (!client) throw new APIError("BAD_REQUEST", {
 		error_description: "missing client",
 		error: "invalid_client"
 	});
-	if (client.disabled) throw new APIError$1("BAD_REQUEST", {
+	if (client.disabled) throw new APIError("BAD_REQUEST", {
 		error_description: "client is disabled",
 		error: "invalid_client"
 	});
-	if (!client.public && !clientSecret) throw new APIError$1("BAD_REQUEST", {
-		error_description: "client secret must be provided",
-		error: "invalid_client"
-	});
-	if (clientSecret && !client.clientSecret) throw new APIError$1("BAD_REQUEST", {
-		error_description: "public client, client secret should not be received",
-		error: "invalid_client"
-	});
-	if (clientSecret && !await verifyStoredClientSecret(ctx, options, client.clientSecret, clientSecret)) throw new APIError$1("UNAUTHORIZED", {
-		error_description: "invalid client_secret",
+	if (client.tokenEndpointAuthMethod === "private_key_jwt" && !preVerifiedClient) throw new APIError("BAD_REQUEST", {
+		error_description: "client registered for private_key_jwt must use client_assertion",
 		error: "invalid_client"
 	});
+	if (!preVerifiedClient) {
+		if (!client.public && !clientSecret) throw new APIError("BAD_REQUEST", {
+			error_description: "client secret must be provided",
+			error: "invalid_client"
+		});
+		if (clientSecret && !client.clientSecret) throw new APIError("BAD_REQUEST", {
+			error_description: "public client, client secret should not be received",
+			error: "invalid_client"
+		});
+		if (clientSecret && !await verifyStoredClientSecret(ctx, options, client.clientSecret, clientSecret)) throw new APIError("UNAUTHORIZED", {
+			error_description: "invalid client_secret",
+			error: "invalid_client"
+		});
+	}
 	if (scopes && client.scopes) {
 		const validScopes = new Set(client.scopes);
-		for (const sc of scopes) if (!validScopes.has(sc)) throw new APIError$1("BAD_REQUEST", {
+		for (const sc of scopes) if (!validScopes.has(sc)) throw new APIError("BAD_REQUEST", {
 			error_description: `client does not allow scope ${sc}`,
 			error: "invalid_scope"
 		});
@@ -316,6 +300,57 @@ function parseClientMetadata(metadata) {
 	if (!metadata) return void 0;
 	return typeof metadata === "string" ? JSON.parse(metadata) : metadata;
 }
+/** Unwraps ExtractedCredentials into the fields each grant handler needs. */
+function destructureCredentials(credentials) {
+	return {
+		clientId: credentials?.clientId,
+		clientSecret: credentials?.method === "client_secret_basic" || credentials?.method === "client_secret_post" ? credentials.clientSecret : void 0,
+		preVerifiedClient: credentials?.method === "private_key_jwt" ? credentials.client : void 0
+	};
+}
+/**
+* Extracts and resolves client credentials from the request.
+* Supports: client_secret_basic, client_secret_post, private_key_jwt, and none (public).
+*/
+async function extractClientCredentials(ctx, opts, expectedAudience) {
+	const body = ctx.body ?? {};
+	const authorization = ctx.request?.headers.get("authorization") ?? void 0;
+	if (body.client_assertion_type || body.client_assertion) {
+		if (!body.client_assertion || !body.client_assertion_type) throw new APIError("BAD_REQUEST", {
+			error_description: "client_assertion and client_assertion_type must both be provided",
+			error: "invalid_client"
+		});
+		if (body.client_secret || authorization?.startsWith("Basic ")) throw new APIError("BAD_REQUEST", {
+			error_description: "client_assertion cannot be combined with client_secret or Basic auth",
+			error: "invalid_client"
+		});
+		const { verifyClientAssertion: verify } = await import("./client-assertion-CderPEmR.mjs").then((n) => n.t);
+		const result = await verify(ctx, opts, body.client_assertion, body.client_assertion_type, body.client_id, expectedAudience);
+		return {
+			method: "private_key_jwt",
+			clientId: result.clientId,
+			client: result.client
+		};
+	}
+	if (authorization?.startsWith("Basic ")) {
+		const res = basicToClientCredentials(authorization);
+		if (res) return {
+			method: "client_secret_basic",
+			clientId: res.client_id,
+			clientSecret: res.client_secret
+		};
+	}
+	if (body.client_id && body.client_secret) return {
+		method: "client_secret_post",
+		clientId: body.client_id,
+		clientSecret: body.client_secret
+	};
+	if (body.client_id) return {
+		method: "none",
+		clientId: body.client_id
+	};
+	return null;
+}
 /**
 * Parse space-separated prompt string into a set of prompts
 *
@@ -411,4 +446,4 @@ function isPKCERequired(client, requestedScopes) {
 	return false;
 }
 //#endregion
-export { validateClientCredentials as _, getJwtPlugin as a, mcpHandler as b, isPKCERequired as c, parsePrompt as d, resolveSessionAuthTime as f, storeToken as g, storeClientSecret as h, getClient as i, normalizeTimestampValue as l, searchParamsToQuery as m, decryptStoredClientSecret as n, getOAuthProviderPlugin as o, resolveSubjectIdentifier as p, deleteFromPrompt as r, getStoredToken as s, basicToClientCredentials as t, parseClientMetadata as u, verifyOAuthQueryParams as v, handleMcpErrors as y };
+export { storeClientSecret as _, getClient as a, validateClientCredentials as b, getStoredToken as c, normalizeTimestampValue as d, parseClientMetadata as f, searchParamsToQuery as g, resolveSubjectIdentifier as h, extractClientCredentials as i, isPKCERequired as l, resolveSessionAuthTime as m, deleteFromPrompt as n, getJwtPlugin as o, parsePrompt as p, destructureCredentials as r, getOAuthProviderPlugin as s, decryptStoredClientSecret as t, mergeDiscoveryMetadata as u, storeToken as v, verifyOAuthQueryParams as x, toClientDiscoveryArray as y };

package/dist/{version-BlcZ64XB.mjs → version-DIwdpXrQ.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.3";
+const PACKAGE_VERSION = "1.7.0-beta.1";
 //#endregion
 export { PACKAGE_VERSION as t };