@better-auth/oauth-provider 1.7.0-beta.0 → 1.7.0-beta.1

package/dist/{client-assertion-DZqo-L5j.mjs → client-assertion-CderPEmR.mjs}

@@ -1,4 +1,4 @@
-import { a as getClient } from "./utils-CIbcUsZ5.mjs";
+import { a as getClient } from "./utils-Cx_XnD9i.mjs";
 import { APIError } from "better-call";
 import { ASSERTION_SIGNING_ALGORITHMS, CLIENT_ASSERTION_TYPE } from "@better-auth/core/oauth2";
 import { createLocalJWKSet, decodeJwt, decodeProtectedHeader, jwtVerify } from "jose";
@@ -62,7 +62,7 @@ function isPrivateHostname(hostname) {
 	if (host === "metadata.google.internal") return true;
 	return false;
 }
-function validateJwksUri(ctx, jwksUri) {
+function validateJwksUri(ctx, jwksUri, clientIdUrlOrigin) {
 	const parsed = new URL(jwksUri);
 	if (parsed.protocol !== "https:") throw new APIError("BAD_REQUEST", {
 		error_description: "jwks_uri must use HTTPS",
@@ -72,11 +72,20 @@ function validateJwksUri(ctx, jwksUri) {
 		error_description: "jwks_uri must not point to a private or reserved address",
 		error: "invalid_client"
 	});
+	if (clientIdUrlOrigin && parsed.origin === clientIdUrlOrigin) return;
 	if (!ctx.context.isTrustedOrigin(parsed.href)) throw new APIError("BAD_REQUEST", {
 		error_description: "client jwks_uri is not trusted",
 		error: "invalid_client"
 	});
 }
+function urlClientIdOrigin(clientId) {
+	if (!clientId.startsWith("https://") && !clientId.startsWith("http://")) return;
+	try {
+		return new URL(clientId).origin;
+	} catch {
+		return;
+	}
+}
 async function fetchJwksFromUri(jwksUri) {
 	const controller = new AbortController();
 	const timeout = setTimeout(() => controller.abort(), JWKS_FETCH_TIMEOUT_MS);
@@ -100,7 +109,7 @@ async function fetchClientJwks(ctx, client) {
 		error_description: "client has no JWKS configured",
 		error: "invalid_client"
 	});
-	validateJwksUri(ctx, client.jwksUri);
+	validateJwksUri(ctx, client.jwksUri, urlClientIdOrigin(client.clientId));
 	const now = Date.now();
 	const cached = jwksCache.get(client.jwksUri);
 	if (cached && now - cached.fetchedAt < JWKS_CACHE_TTL_MS) return cached.jwks;

package/dist/client-resource.d.mts

@@ -1,4 +1,4 @@
-import { a as ResourceServerMetadata } from "./oauth-C8aTlaAC.mjs";
+import { o as ResourceServerMetadata } from "./oauth-CU79t-eG.mjs";
 import { JWTPayload, JWTVerifyOptions } from "jose";
 import { Auth } from "better-auth/types";
 

package/dist/client-resource.mjs

@@ -1,6 +1,6 @@
 import { t as handleMcpErrors } from "./mcp-CYnz-MXn.mjs";
-import { o as getJwtPlugin, s as getOAuthProviderPlugin } from "./utils-CIbcUsZ5.mjs";
-import { t as PACKAGE_VERSION } from "./version-BGWhjYBb.mjs";
+import { o as getJwtPlugin, s as getOAuthProviderPlugin } from "./utils-Cx_XnD9i.mjs";
+import { t as PACKAGE_VERSION } from "./version-DIwdpXrQ.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { n as oauthProvider } from "./oauth-Dh4YXCXY.mjs";
+import { n as oauthProvider } from "./oauth-B_qonG53.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-BGWhjYBb.mjs";
+import { t as PACKAGE_VERSION } from "./version-DIwdpXrQ.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
 function parseSignedQuery(search) {

package/dist/index.d.mts

@@ -1,9 +1,10 @@
-import { _ as Awaitable, a as ResourceServerMetadata, c as OAuthConsent, d as OAuthRefreshToken, f as Prompt, g as VerificationValue, h as StoreTokenType, i as OIDCMetadata, l as OAuthOpaqueAccessToken, m as Scope, n as GrantType, o as AuthorizePrompt, p as SchemaClient, r as OAuthClient, s as OAuthAuthorizationQuery, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-C8aTlaAC.mjs";
-import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-Dh4YXCXY.mjs";
+import { _ as Scope, a as OIDCMetadata, b as Awaitable, c as AuthorizePrompt, d as OAuthConsent, f as OAuthOpaqueAccessToken, g as SchemaClient, h as Prompt, i as OAuthClient, l as ClientDiscovery, m as OAuthRefreshToken, n as AuthServerMetadata, o as ResourceServerMetadata, p as OAuthOptions, r as GrantType, s as TokenEndpointAuthMethod, t as AuthMethod, u as OAuthAuthorizationQuery, v as StoreTokenType, y as VerificationValue } from "./oauth-CU79t-eG.mjs";
+import { n as oauthProvider, t as getOAuthProviderState } from "./oauth-B_qonG53.mjs";
 import { verifyAccessToken } from "better-auth/oauth2";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
 import { JWTPayload } from "jose";
 import { GenericEndpointContext } from "@better-auth/core";
+import * as better_auth0 from "better-auth";
 
 //#region src/mcp.d.ts
 /**
@@ -27,7 +28,37 @@ declare function authServerMetadata(ctx: GenericEndpointContext, opts?: JwtOptio
 }): AuthServerMetadata;
 declare function oidcServerMetadata(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]> & {
   claims?: string[];
-}): Omit<OIDCMetadata, "id_token_signing_alg_values_supported"> & {
+}): {
+  jwks_uri?: string | undefined;
+  userinfo_endpoint: string;
+  acr_values_supported: string[];
+  subject_types_supported: ("public" | "pairwise")[];
+  claims_supported: string[];
+  end_session_endpoint: string;
+  prompt_values_supported: Prompt[];
+  issuer: string;
+  authorization_endpoint: string;
+  token_endpoint: string;
+  registration_endpoint: string;
+  scopes_supported?: string[] | undefined;
+  response_types_supported: "code"[];
+  response_modes_supported: "query"[];
+  grant_types_supported: GrantType[];
+  token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
+  token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+  service_documentation?: string | undefined;
+  ui_locales_supported?: string[] | undefined;
+  op_policy_uri?: string | undefined;
+  op_tos_uri?: string | undefined;
+  revocation_endpoint?: string | undefined;
+  revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+  revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+  introspection_endpoint?: string | undefined;
+  introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+  introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+  code_challenge_methods_supported: "S256"[];
+  authorization_response_iss_parameter_supported?: boolean | undefined;
+  client_id_metadata_document_supported?: boolean | undefined;
   id_token_signing_alg_values_supported: JWSAlgorithms[] | ["HS256"];
 };
 /**
@@ -44,7 +75,7 @@ declare const oauthProviderAuthServerMetadata: <Auth extends {
   };
 }>(auth: Auth, opts?: {
   headers?: HeadersInit;
-}) => (_request: Request) => Promise<Response>;
+}) => (request: Request) => Promise<Response>;
 /**
  * Provides an exportable `/.well-known/openid-configuration`.
  *
@@ -59,6 +90,19 @@ declare const oauthProviderOpenIdConfigMetadata: <Auth extends {
   };
 }>(auth: Auth, opts?: {
   headers?: HeadersInit;
-}) => (_request: Request) => Promise<Response>;
+}) => (request: Request) => Promise<Response>;
 //#endregion
-export { AuthServerMetadata, AuthorizePrompt, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, OAuthOpaqueAccessToken, OAuthOptions, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, VerificationValue, authServerMetadata, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };
+//#region src/register.d.ts
+declare function checkOAuthClient(client: OAuthClient, opts: OAuthOptions<Scope[]>, settings?: {
+  isRegister?: boolean;
+  ctx?: GenericEndpointContext;
+}): Promise<void>;
+/**
+ * Converts an OAuth 2.0 Dynamic Client Schema to a Database Schema
+ *
+ * @param input
+ * @returns
+ */
+declare function oauthToSchema(input: OAuthClient): SchemaClient<Scope[]>;
+//#endregion
+export { AuthServerMetadata, AuthorizePrompt, ClientDiscovery, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, OAuthOpaqueAccessToken, OAuthOptions, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, VerificationValue, authServerMetadata, checkOAuthClient, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oauthToSchema, oidcServerMetadata };

package/dist/index.mjs

@@ -1,7 +1,7 @@
-import { n as isPrivateHostname } from "./client-assertion-DZqo-L5j.mjs";
+import { n as isPrivateHostname } from "./client-assertion-CderPEmR.mjs";
 import { n as mcpHandler } from "./mcp-CYnz-MXn.mjs";
-import { _ as storeToken, a as getClient, c as getStoredToken, d as parseClientMetadata, f as parsePrompt, g as storeClientSecret, h as searchParamsToQuery, i as extractClientCredentials, l as isPKCERequired, m as resolveSubjectIdentifier, n as deleteFromPrompt, o as getJwtPlugin, p as resolveSessionAuthTime, r as destructureCredentials, t as decryptStoredClientSecret, u as normalizeTimestampValue, v as validateClientCredentials, y as verifyOAuthQueryParams } from "./utils-CIbcUsZ5.mjs";
-import { t as PACKAGE_VERSION } from "./version-BGWhjYBb.mjs";
+import { _ as storeClientSecret, a as getClient, b as validateClientCredentials, c as getStoredToken, d as normalizeTimestampValue, f as parseClientMetadata, g as searchParamsToQuery, h as resolveSubjectIdentifier, i as extractClientCredentials, l as isPKCERequired, m as resolveSessionAuthTime, n as deleteFromPrompt, o as getJwtPlugin, p as parsePrompt, r as destructureCredentials, t as decryptStoredClientSecret, u as mergeDiscoveryMetadata, v as storeToken, x as verifyOAuthQueryParams, y as toClientDiscoveryArray } from "./utils-Cx_XnD9i.mjs";
+import { t as PACKAGE_VERSION } from "./version-DIwdpXrQ.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
@@ -14,8 +14,8 @@ import { BetterAuthError } from "@better-auth/core/error";
 import { parseSetCookieHeader } from "better-auth/cookies";
 import { mergeSchema } from "better-auth/db";
 import * as z from "zod";
-import { signJWT, toExpJWT } from "better-auth/plugins";
-import { SignJWT, compactVerify, createLocalJWKSet, decodeJwt } from "jose";
+import { resolveSigningKey, signJWT, toExpJWT } from "better-auth/plugins";
+import { SignJWT, base64url, compactVerify, createLocalJWKSet, decodeJwt, decodeProtectedHeader } from "jose";
 //#region src/consent.ts
 async function consentEndpoint(ctx, opts) {
 	const _query = (await oAuthState.get())?.query;
@@ -156,6 +156,81 @@ async function postLogin(ctx, opts) {
 	};
 }
 //#endregion
+//#region src/types/zod.ts
+const DANGEROUS_SCHEMES = [
+	"javascript:",
+	"data:",
+	"vbscript:"
+];
+function isLocalhost(hostname) {
+	return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]" || hostname.endsWith(".localhost");
+}
+/**
+* Runtime schema for OAuthAuthorizationQuery.
+* Uses passthrough to tolerate fields added by future extensions (PAR, FPA, etc.)
+*/
+const oauthAuthorizationQuerySchema = z.object({
+	response_type: z.literal("code").optional(),
+	request_uri: z.string().optional(),
+	redirect_uri: z.string(),
+	scope: z.string().optional(),
+	state: z.string().optional(),
+	client_id: z.string(),
+	prompt: z.string().optional(),
+	display: z.string().optional(),
+	ui_locales: z.string().optional(),
+	max_age: z.coerce.number().optional(),
+	acr_values: z.string().optional(),
+	login_hint: z.string().optional(),
+	id_token_hint: z.string().optional(),
+	code_challenge: z.string().optional(),
+	code_challenge_method: z.literal("S256").optional(),
+	nonce: z.string().optional()
+}).passthrough();
+/**
+* Runtime schema for the authorization code verification value.
+* Validates structure on deserialization from the JSON blob stored in the DB.
+* Uses passthrough so future fields (e.g. from authorization challenge) don't break parsing.
+*/
+const verificationValueSchema = z.object({
+	type: z.literal("authorization_code"),
+	query: oauthAuthorizationQuerySchema,
+	sessionId: z.string(),
+	userId: z.string(),
+	referenceId: z.string().optional(),
+	authTime: z.number().optional()
+}).passthrough();
+/**
+* Reusable URL validation for OAuth redirect URIs.
+* - Blocks dangerous schemes (javascript:, data:, vbscript:)
+* - For http/https: requires HTTPS (HTTP allowed only for localhost)
+* - Allows custom schemes for mobile apps (e.g., myapp://callback)
+*/
+const SafeUrlSchema = z.url().superRefine((val, ctx) => {
+	if (!URL.canParse(val)) {
+		ctx.addIssue({
+			code: "custom",
+			message: "URL must be parseable",
+			fatal: true
+		});
+		return z.NEVER;
+	}
+	const u = new URL(val);
+	if (DANGEROUS_SCHEMES.includes(u.protocol)) {
+		ctx.addIssue({
+			code: "custom",
+			message: "URL cannot use javascript:, data:, or vbscript: scheme"
+		});
+		return;
+	}
+	if (u.protocol === "http:" || u.protocol === "https:") {
+		if (u.protocol === "http:" && !isLocalhost(u.hostname)) ctx.addIssue({
+			code: "custom",
+			message: "Redirect URI must use HTTPS (HTTP allowed only for localhost)"
+		});
+	}
+});
+//#endregion
 //#region src/userinfo.ts
 /**
 * Provides shared /userinfo and id_token claims functionality
@@ -268,7 +343,7 @@ async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, r
 		options: jwtPluginOptions,
 		payload: {
 			...customClaims,
-			sub: user.id,
+			sub: user?.id,
 			aud: typeof audience === "string" ? audience : audience?.length === 1 ? audience.at(0) : audience,
 			azp: client.clientId,
 			scope: scopes.join(" "),
@@ -280,10 +355,23 @@ async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, r
 	});
 }
 /**
+* Computes an OIDC hash (at_hash, c_hash) per OIDC Core §3.1.3.6.
+* Hashes the token, takes the left half, and base64url-encodes it.
+*/
+async function computeOidcHash(token, signingAlg) {
+	let hashAlg;
+	if (signingAlg === "EdDSA") hashAlg = "SHA-512";
+	else if (signingAlg.endsWith("384")) hashAlg = "SHA-384";
+	else if (signingAlg.endsWith("512")) hashAlg = "SHA-512";
+	else hashAlg = "SHA-256";
+	const digest = new Uint8Array(await crypto.subtle.digest(hashAlg, new TextEncoder().encode(token)));
+	return base64url.encode(digest.slice(0, digest.length / 2));
+}
+/**
 * Creates a user id token in code_authorization with scope of 'openid'
 * and hybrid/implicit (not yet implemented) flows
 */
-async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime) {
+async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime, accessToken) {
 	const iat = Math.floor(Date.now() / 1e3);
 	const exp = iat + (opts.idTokenExpiresIn ?? 36e3);
 	const userClaims = userNormalClaims(user, scopes);
@@ -296,11 +384,15 @@ async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId,
 		metadata: parseClientMetadata(client.metadata)
 	}) : {};
 	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
+	const resolvedKey = !opts.disableJwtPlugin && !jwtPluginOptions?.jwt?.sign ? await resolveSigningKey(ctx, jwtPluginOptions) : void 0;
+	const signingAlg = opts.disableJwtPlugin ? "HS256" : resolvedKey?.alg ?? jwtPluginOptions?.jwks?.keyPairConfig?.alg;
+	const atHash = accessToken ? await computeOidcHash(accessToken, signingAlg) : void 0;
 	const payload = {
 		...userClaims,
 		auth_time: authTimeSec,
 		acr,
 		...customClaims,
+		at_hash: atHash,
 		iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
 		sub: resolvedSub,
 		aud: client.clientId,
@@ -310,10 +402,19 @@ async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId,
 		sid: client.enableEndSession ? sessionId : void 0
 	};
 	if (opts.disableJwtPlugin && !client.clientSecret) return;
-	return opts.disableJwtPlugin ? new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).sign(new TextEncoder().encode(await decryptStoredClientSecret(ctx, opts.storeClientSecret, client.clientSecret))) : signJWT(ctx, {
+	const idToken = opts.disableJwtPlugin ? await new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).sign(new TextEncoder().encode(await decryptStoredClientSecret(ctx, opts.storeClientSecret, client.clientSecret))) : await signJWT(ctx, {
 		options: jwtPluginOptions,
-		payload
+		payload,
+		resolvedKey: resolvedKey ?? void 0
 	});
+	if (idToken && atHash && jwtPluginOptions?.jwt?.sign) {
+		const header = decodeProtectedHeader(idToken);
+		if (header.alg !== signingAlg) throw new APIError("INTERNAL_SERVER_ERROR", {
+			error_description: `ID token signed with "${header.alg}" but at_hash was computed for "${signingAlg}". Ensure jwt.sign uses the algorithm declared in keyPairConfig.alg.`,
+			error: "server_error"
+		});
+	}
+	return idToken;
 }
 /**
 * Encodes a refresh token for a client
@@ -402,39 +503,45 @@ async function checkResource(ctx, opts, scopes) {
 	}
 	return audience?.length === 1 ? audience.at(0) : audience;
 }
-async function createUserTokens(ctx, opts, client, scopes, user, referenceId, sessionId, nonce, additional, authTime) {
+async function createUserTokens(ctx, opts, params) {
+	const { client, scopes, user, grantType, referenceId, sessionId, nonce, refreshToken: existingRefreshToken, authTime, verificationValue } = params;
 	const iat = Math.floor(Date.now() / 1e3);
-	const defaultExp = iat + (opts.accessTokenExpiresIn ?? 3600);
+	const defaultExp = iat + (user ? opts.accessTokenExpiresIn ?? 3600 : opts.m2mAccessTokenExpiresIn ?? 3600);
 	const exp = opts.scopeExpirations ? scopes.map((sc) => opts.scopeExpirations?.[sc] ? toExpJWT(opts.scopeExpirations[sc], iat) : defaultExp).reduce((prev, curr) => {
 		return prev < curr ? prev : curr;
 	}, defaultExp) : defaultExp;
 	const audience = await checkResource(ctx, opts, scopes);
-	const isRefreshToken = additional?.refreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access");
+	const isRefreshToken = user && (existingRefreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access"));
 	const isJwtAccessToken = audience && !opts.disableJwtPlugin;
-	const isIdToken = scopes.includes("openid");
-	const earlyRefreshToken = isRefreshToken && !isJwtAccessToken ? await createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
+	const isIdToken = user && scopes.includes("openid");
+	const customFields = opts.customTokenResponseFields ? await opts.customTokenResponseFields({
+		grantType,
+		user,
+		scopes,
+		metadata: parseClientMetadata(client.metadata),
+		verificationValue
+	}) : void 0;
+	const earlyRefreshToken = isRefreshToken && user && !isJwtAccessToken ? await createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
 		iat,
 		exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
 		sid: sessionId
-	}, additional?.refreshToken, authTime) : void 0;
-	const [accessToken, refreshToken, idToken] = await Promise.all([
-		isJwtAccessToken ? createJwtAccessToken(ctx, opts, user, client, audience, scopes, referenceId, {
-			iat,
-			exp,
-			sid: sessionId
-		}) : createOpaqueAccessToken(ctx, opts, user, client, scopes, {
-			iat,
-			exp,
-			sid: sessionId
-		}, referenceId, earlyRefreshToken?.id),
-		earlyRefreshToken ? earlyRefreshToken : isRefreshToken ? createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
-			iat,
-			exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
-			sid: sessionId
-		}, additional?.refreshToken, authTime) : void 0,
-		isIdToken ? createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime) : void 0
-	]);
+	}, existingRefreshToken, authTime) : void 0;
+	const [accessToken, refreshToken] = await Promise.all([isJwtAccessToken ? createJwtAccessToken(ctx, opts, user, client, audience, scopes, referenceId, {
+		iat,
+		exp,
+		sid: sessionId
+	}) : createOpaqueAccessToken(ctx, opts, user, client, scopes, {
+		iat,
+		exp,
+		sid: sessionId
+	}, referenceId, earlyRefreshToken?.id), earlyRefreshToken ? earlyRefreshToken : isRefreshToken && user ? createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
+		iat,
+		exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
+		sid: sessionId
+	}, existingRefreshToken, authTime) : void 0]);
+	const idToken = isIdToken ? await createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime, accessToken) : void 0;
 	return ctx.json({
+		...customFields,
 		access_token: accessToken,
 		expires_in: exp - iat,
 		expires_at: exp,
@@ -450,7 +557,6 @@ async function createUserTokens(ctx, opts, client, scopes, user, referenceId, se
 /** Checks verification value */
 async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri) {
 	const verification = await ctx.context.internalAdapter.findVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
-	const verificationValue = verification ? JSON.parse(verification?.value) : void 0;
 	if (!verification) throw new APIError("UNAUTHORIZED", {
 		error_description: "Invalid code",
 		error: "invalid_verification"
@@ -460,22 +566,25 @@ async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri)
 		error_description: "code expired",
 		error: "invalid_verification"
 	});
-	if (!verificationValue) throw new APIError("UNAUTHORIZED", {
-		error_description: "missing verification value content",
-		error: "invalid_verification"
-	});
-	if (verificationValue.type !== "authorization_code") throw new APIError("UNAUTHORIZED", {
-		error_description: "incorrect verification type",
+	let rawValue;
+	try {
+		rawValue = JSON.parse(verification.value);
+	} catch {
+		throw new APIError("UNAUTHORIZED", {
+			error_description: "malformed verification value",
+			error: "invalid_verification"
+		});
+	}
+	const parsed = verificationValueSchema.safeParse(rawValue);
+	if (!parsed.success) throw new APIError("UNAUTHORIZED", {
+		error_description: "malformed verification value",
 		error: "invalid_verification"
 	});
+	const verificationValue = parsed.data;
 	if (verificationValue.query.client_id !== client_id) throw new APIError("UNAUTHORIZED", {
 		error_description: "invalid client_id",
 		error: "invalid_client"
 	});
-	if (!verificationValue.userId) throw new APIError("BAD_REQUEST", {
-		error_description: "missing user_id on challenge",
-		error: "invalid_user"
-	});
 	if (verificationValue.query?.redirect_uri && verificationValue.query?.redirect_uri !== redirect_uri) throw new APIError("BAD_REQUEST", {
 		error_description: "redirect_uri mismatch",
 		error: "invalid_request"
@@ -563,7 +672,17 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 		error: "invalid_request"
 	});
 	const authTime = verificationValue.authTime != null ? normalizeTimestampValue(verificationValue.authTime) : resolveSessionAuthTime(session);
-	return createUserTokens(ctx, opts, client, verificationValue.query.scope?.split(" ") ?? [], user, verificationValue.referenceId, session.id, verificationValue.query?.nonce, void 0, authTime);
+	return createUserTokens(ctx, opts, {
+		client,
+		scopes: verificationValue.query.scope?.split(" ") ?? [],
+		user,
+		grantType: "authorization_code",
+		referenceId: verificationValue.referenceId,
+		sessionId: session.id,
+		nonce: verificationValue.query?.nonce,
+		authTime,
+		verificationValue
+	});
 }
 /**
 * Grant that allows direct access to an API using the application's credentials
@@ -601,43 +720,11 @@ async function handleClientCredentialsGrant(ctx, opts) {
 		});
 	}
 	if (!requestedScopes) requestedScopes = client.scopes ?? opts.clientCredentialGrantDefaultScopes ?? opts.scopes ?? [];
-	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
-	const audience = await checkResource(ctx, opts, requestedScopes);
-	const iat = Math.floor(Date.now() / 1e3);
-	const defaultExp = iat + (opts.m2mAccessTokenExpiresIn ?? 3600);
-	const exp = opts.scopeExpirations && requestedScopes ? requestedScopes.map((sc) => opts.scopeExpirations?.[sc] ? toExpJWT(opts.scopeExpirations[sc], iat) : defaultExp).reduce((prev, curr) => {
-		return prev < curr ? prev : curr;
-	}, defaultExp) : defaultExp;
-	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
+	return createUserTokens(ctx, opts, {
+		client,
 		scopes: requestedScopes,
-		resource: ctx.body.resource,
-		metadata: parseClientMetadata(client.metadata)
-	}) : {};
-	const accessToken = audience && !opts.disableJwtPlugin ? await signJWT(ctx, {
-		options: jwtPluginOptions,
-		payload: {
-			...customClaims,
-			aud: audience,
-			azp: client.clientId,
-			scope: requestedScopes.join(" "),
-			iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
-			iat,
-			exp
-		}
-	}) : await createOpaqueAccessToken(ctx, opts, void 0, client, requestedScopes, {
-		iat,
-		exp
+		grantType: "client_credentials"
 	});
-	return ctx.json({
-		access_token: accessToken,
-		expires_in: exp - iat,
-		expires_at: exp,
-		token_type: "Bearer",
-		scope: requestedScopes.join(" ")
-	}, { headers: {
-		"Cache-Control": "no-store",
-		Pragma: "no-cache"
-	} });
 }
 /**
 * Obtains new Session Jwt and Refresh Tokens using a refresh token
@@ -708,7 +795,16 @@ async function handleRefreshTokenGrant(ctx, opts) {
 		error: "invalid_request"
 	});
 	const authTime = refreshToken.authTime != null ? normalizeTimestampValue(refreshToken.authTime) : void 0;
-	return createUserTokens(ctx, opts, client, requestedScopes ?? scopes, user, refreshToken.referenceId, refreshToken.sessionId, void 0, { refreshToken }, authTime);
+	return createUserTokens(ctx, opts, {
+		client,
+		scopes: requestedScopes ?? scopes,
+		user,
+		grantType: "refresh_token",
+		referenceId: refreshToken.referenceId,
+		sessionId: refreshToken.sessionId,
+		refreshToken,
+		authTime
+	});
 }
 //#endregion
 //#region src/introspect.ts
@@ -1085,6 +1181,21 @@ const publicSessionMiddleware = (opts) => createAuthMiddleware(async (ctx) => {
 });
 //#endregion
 //#region src/register.ts
+/**
+* Resolves the auth method and type for unauthenticated DCR.
+* Overrides confidential methods to "none" per RFC 7591 Section 3.2.1.
+* When overriding, clears type "web" since it is only valid for confidential clients.
+*/
+function resolveUnauthenticatedAuth(body) {
+	if (body.token_endpoint_auth_method === "none") return {
+		tokenEndpointAuthMethod: "none",
+		type: body.type
+	};
+	return {
+		tokenEndpointAuthMethod: "none",
+		type: body.type === "web" ? void 0 : body.type
+	};
+}
 async function registerEndpoint(ctx, opts) {
 	if (!opts.allowDynamicClientRegistration) throw new APIError("FORBIDDEN", {
 		error: "access_denied",
@@ -1096,12 +1207,16 @@ async function registerEndpoint(ctx, opts) {
 		error: "invalid_token",
 		error_description: "Authentication required for client registration"
 	});
-	const isPublic = body.token_endpoint_auth_method === "none";
-	if (!session && !isPublic) throw new APIError("UNAUTHORIZED", {
-		error: "invalid_request",
-		error_description: "Authentication required for confidential client registration"
-	});
-	if (!ctx.body.scope) ctx.body.scope = (opts.clientRegistrationDefaultScopes ?? opts.scopes)?.join(" ");
+	if (!session) {
+		if (body.grant_types?.includes("client_credentials")) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "client_credentials grant requires authenticated registration"
+		});
+		const resolved = resolveUnauthenticatedAuth(body);
+		body.token_endpoint_auth_method = resolved.tokenEndpointAuthMethod;
+		body.type = resolved.type;
+	}
+	if (!body.scope) body.scope = (opts.clientRegistrationDefaultScopes ?? opts.scopes)?.join(" ");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: true });
 }
 async function checkOAuthClient(client, opts, settings) {
@@ -1340,46 +1455,6 @@ function schemaToOAuth(input) {
 	};
 }
 //#endregion
-//#region src/types/zod.ts
-const DANGEROUS_SCHEMES = [
-	"javascript:",
-	"data:",
-	"vbscript:"
-];
-function isLocalhost(hostname) {
-	return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]" || hostname.endsWith(".localhost");
-}
-/**
-* Reusable URL validation for OAuth redirect URIs.
-* - Blocks dangerous schemes (javascript:, data:, vbscript:)
-* - For http/https: requires HTTPS (HTTP allowed only for localhost)
-* - Allows custom schemes for mobile apps (e.g., myapp://callback)
-*/
-const SafeUrlSchema = z.url().superRefine((val, ctx) => {
-	if (!URL.canParse(val)) {
-		ctx.addIssue({
-			code: "custom",
-			message: "URL must be parseable",
-			fatal: true
-		});
-		return z.NEVER;
-	}
-	const u = new URL(val);
-	if (DANGEROUS_SCHEMES.includes(u.protocol)) {
-		ctx.addIssue({
-			code: "custom",
-			message: "URL cannot use javascript:, data:, or vbscript: scheme"
-		});
-		return;
-	}
-	if (u.protocol === "http:" || u.protocol === "https:") {
-		if (u.protocol === "http:" && !isLocalhost(u.hostname)) ctx.addIssue({
-			code: "custom",
-			message: "Redirect URI must use HTTPS (HTTP allowed only for localhost)"
-		});
-	}
-});
-//#endregion
 //#region src/oauthClient/endpoints.ts
 async function getClientEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
@@ -1543,6 +1618,7 @@ async function updateClientEndpoint(ctx, opts) {
 	else {
 		schemaUpdates.jwks = null;
 		schemaUpdates.jwksUri = null;
+		if (!schemaUpdates.clientSecret) schemaUpdates.clientSecret = await storeClientSecret(ctx, opts, opts.generateClientSecret?.() || generateRandomString(32, "a-z", "A-Z"));
 	}
 	const updatedClient = await ctx.context.adapter.update({
 		model: "oauthClient",
@@ -2800,7 +2876,7 @@ const oauthProvider = (options) => {
 					queryParams.delete("sig");
 					queryParams.delete("exp");
 					await oAuthState.set({ query: queryParams.toString() });
-					if (ctx.path === "/sign-in/social" || ctx.path === "/sign-in/oauth2") {
+					if (ctx.path === "/sign-in/social") {
 						if (ctx.body.additionalData?.query) return;
 						if (!ctx.body.additionalData) ctx.body.additionalData = {};
 						ctx.body.additionalData.query = queryParams.toString();
@@ -2834,12 +2910,15 @@ const oauthProvider = (options) => {
 				metadata: { SERVER_ONLY: true }
 			}, async (ctx) => {
 				if (opts.scopes && opts.scopes.includes("openid")) return oidcServerMetadata(ctx, opts);
-				else return authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context)?.options, {
-					scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
-					public_client_supported: opts.allowUnauthenticatedClientRegistration,
-					grant_types_supported: opts.grantTypes,
-					jwt_disabled: opts.disableJwtPlugin
-				});
+				else return {
+					...authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context)?.options, {
+						scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+						public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
+						grant_types_supported: opts.grantTypes,
+						jwt_disabled: opts.disableJwtPlugin
+					}),
+					...mergeDiscoveryMetadata(opts.clientDiscovery)
+				};
 			}),
 			getOpenIdConfig: createAuthEndpoint("/.well-known/openid-configuration", {
 				method: "GET",
@@ -4004,7 +4083,7 @@ function oidcServerMetadata(ctx, opts) {
 	return {
 		...authServerMetadata(ctx, jwtPluginOptions, {
 			scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
-			public_client_supported: opts.allowUnauthenticatedClientRegistration,
+			public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
 			grant_types_supported: opts.grantTypes,
 			jwt_disabled: opts.disableJwtPlugin
 		}),
@@ -4020,9 +4099,20 @@ function oidcServerMetadata(ctx, opts) {
 			"create",
 			"select_account",
 			"none"
-		]
+		],
+		...mergeDiscoveryMetadata(opts.clientDiscovery)
 	};
 }
+const METADATA_CACHE_CONTROL = "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400";
+function metadataResponse(body, extraHeaders) {
+	const headers = new Headers(extraHeaders);
+	if (!headers.has("Cache-Control")) headers.set("Cache-Control", METADATA_CACHE_CONTROL);
+	headers.set("Content-Type", "application/json");
+	return new Response(JSON.stringify(body), {
+		status: 200,
+		headers
+	});
+}
 /**
 * Provides an exportable `/.well-known/oauth-authorization-server`.
 *
@@ -4032,16 +4122,11 @@ function oidcServerMetadata(ctx, opts) {
 * @external
 */
 const oauthProviderAuthServerMetadata = (auth, opts) => {
-	return async (_request) => {
-		const res = await auth.api.getOAuthServerConfig();
-		return new Response(JSON.stringify(res), {
-			status: 200,
-			headers: {
-				"Cache-Control": "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
-				...opts?.headers,
-				"Content-Type": "application/json"
-			}
-		});
+	return async (request) => {
+		return metadataResponse(await auth.api.getOAuthServerConfig({
+			request,
+			asResponse: false
+		}), opts?.headers);
 	};
 };
 /**
@@ -4053,17 +4138,12 @@ const oauthProviderAuthServerMetadata = (auth, opts) => {
 * @external
 */
 const oauthProviderOpenIdConfigMetadata = (auth, opts) => {
-	return async (_request) => {
-		const res = await auth.api.getOpenIdConfig();
-		return new Response(JSON.stringify(res), {
-			status: 200,
-			headers: {
-				"Cache-Control": "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
-				...opts?.headers,
-				"Content-Type": "application/json"
-			}
-		});
+	return async (request) => {
+		return metadataResponse(await auth.api.getOpenIdConfig({
+			request,
+			asResponse: false
+		}), opts?.headers);
 	};
 };
 //#endregion
-export { authServerMetadata, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };
+export { authServerMetadata, checkOAuthClient, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oauthToSchema, oidcServerMetadata };

package/dist/{oauth-Dh4YXCXY.d.mts → oauth-B_qonG53.d.mts}

@@ -1,4 +1,4 @@
-import { c as OAuthConsent, i as OIDCMetadata, m as Scope, r as OAuthClient, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-C8aTlaAC.mjs";
+import { _ as Scope, d as OAuthConsent, h as Prompt, i as OAuthClient, p as OAuthOptions, r as GrantType, s as TokenEndpointAuthMethod, t as AuthMethod } from "./oauth-CU79t-eG.mjs";
 import * as better_call0 from "better-call";
 import * as z from "zod";
 import * as better_auth_plugins0 from "better-auth/plugins";
@@ -54,7 +54,64 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       metadata: {
         SERVER_ONLY: true;
       };
-    }, AuthServerMetadata>;
+    }, {
+      jwks_uri?: string | undefined;
+      userinfo_endpoint: string;
+      acr_values_supported: string[];
+      subject_types_supported: ("public" | "pairwise")[];
+      claims_supported: string[];
+      end_session_endpoint: string;
+      prompt_values_supported: Prompt[];
+      issuer: string;
+      authorization_endpoint: string;
+      token_endpoint: string;
+      registration_endpoint: string;
+      scopes_supported?: string[] | undefined;
+      response_types_supported: "code"[];
+      response_modes_supported: "query"[];
+      grant_types_supported: GrantType[];
+      token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
+      token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      service_documentation?: string | undefined;
+      ui_locales_supported?: string[] | undefined;
+      op_policy_uri?: string | undefined;
+      op_tos_uri?: string | undefined;
+      revocation_endpoint?: string | undefined;
+      revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+      revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      introspection_endpoint?: string | undefined;
+      introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+      introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      code_challenge_methods_supported: "S256"[];
+      authorization_response_iss_parameter_supported?: boolean | undefined;
+      client_id_metadata_document_supported?: boolean | undefined;
+      id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
+    } | {
+      issuer: string;
+      authorization_endpoint: string;
+      token_endpoint: string;
+      jwks_uri?: string;
+      registration_endpoint: string;
+      scopes_supported?: string[];
+      response_types_supported: "code"[];
+      response_modes_supported: "query"[];
+      grant_types_supported: GrantType[];
+      token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[];
+      token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[];
+      service_documentation?: string;
+      ui_locales_supported?: string[];
+      op_policy_uri?: string;
+      op_tos_uri?: string;
+      revocation_endpoint?: string;
+      revocation_endpoint_auth_methods_supported?: AuthMethod[];
+      revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[];
+      introspection_endpoint?: string;
+      introspection_endpoint_auth_methods_supported?: AuthMethod[];
+      introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[];
+      code_challenge_methods_supported: "S256"[];
+      authorization_response_iss_parameter_supported?: boolean;
+      client_id_metadata_document_supported?: boolean;
+    }>;
     /**
      * A server-only endpoint that helps provide the
      * OpenId configuration at the well-known endpoint.
@@ -67,7 +124,37 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       metadata: {
         SERVER_ONLY: true;
       };
-    }, Omit<OIDCMetadata, "id_token_signing_alg_values_supported"> & {
+    }, {
+      jwks_uri?: string | undefined;
+      userinfo_endpoint: string;
+      acr_values_supported: string[];
+      subject_types_supported: ("public" | "pairwise")[];
+      claims_supported: string[];
+      end_session_endpoint: string;
+      prompt_values_supported: Prompt[];
+      issuer: string;
+      authorization_endpoint: string;
+      token_endpoint: string;
+      registration_endpoint: string;
+      scopes_supported?: string[] | undefined;
+      response_types_supported: "code"[];
+      response_modes_supported: "query"[];
+      grant_types_supported: GrantType[];
+      token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
+      token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      service_documentation?: string | undefined;
+      ui_locales_supported?: string[] | undefined;
+      op_policy_uri?: string | undefined;
+      op_tos_uri?: string | undefined;
+      revocation_endpoint?: string | undefined;
+      revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+      revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      introspection_endpoint?: string | undefined;
+      introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+      introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
+      code_challenge_methods_supported: "S256"[];
+      authorization_response_iss_parameter_supported?: boolean | undefined;
+      client_id_metadata_document_supported?: boolean | undefined;
       id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
     }>;
     oauth2Authorize: better_call0.StrictEndpoint<"/oauth2/authorize", {
@@ -430,8 +517,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       access_token: string;
       expires_in: number;
       expires_at: number;
-      token_type: string;
+      token_type: "Bearer";
+      refresh_token: string | undefined;
       scope: string;
+      id_token: string | undefined;
     }>;
     oauth2Introspect: better_call0.StrictEndpoint<"/oauth2/introspect", {
       method: "POST";

package/dist/{oauth-C8aTlaAC.d.mts → oauth-CU79t-eG.d.mts}

@@ -315,6 +315,46 @@ type InternallySupportedScopes = "openid" | "profile" | "email" | "offline_acces
 type Scope = LiteralString | InternallySupportedScopes;
 type Prompt = "none" | "consent" | "login" | "create" | "select_account";
 type AuthorizePrompt = Prompt | "login consent" | "select_account consent";
+/**
+ * Describes how to resolve a `client_id` from an external source (a URL-based
+ * metadata document, a federated registry, an attestation header, etc.) and
+ * what fields that source contributes to discovery metadata.
+ *
+ * Plugins install one of these onto {@link OAuthOptions.clientDiscovery}.
+ * The host walks the configured entries in order and returns the first
+ * non-null `resolve()` result.
+ */
+interface ClientDiscovery<Scopes extends readonly Scope[] = InternallySupportedScopes[]> {
+  /**
+   * Stable identifier used in error messages and diagnostics. Convention
+   * is to match the plugin id (for example `"cimd"`).
+   */
+  readonly id: string;
+  /**
+   * Return `true` if this discovery handles the given `client_id`. Called
+   * on every `getClient()` lookup for every configured discovery, so keep
+   * it cheap and synchronous.
+   */
+  matches: (clientId: string) => boolean;
+  /**
+   * Resolve a client when this discovery matches. Receives the existing DB
+   * record (or `null`) so an implementation can decide between creating,
+   * refreshing, or passing through to the database result.
+   *
+   * Return:
+   * - a client record: `getClient()` returns it (creation / refresh / takeover).
+   * - `null`: `getClient()` falls through to the next matching discovery
+   *   or to the database record (if any).
+   */
+  resolve: (ctx: GenericEndpointContext, clientId: string, existing: SchemaClient<Scopes> | null) => Awaitable<SchemaClient<Scopes> | null>;
+  /**
+   * Fields merged into `/.well-known/oauth-authorization-server` and
+   * `/.well-known/openid-configuration` responses. Useful for advertising
+   * RFC-registered discovery flags like
+   * `client_id_metadata_document_supported`.
+   */
+  discoveryMetadata?: Record<string, unknown>;
+}
 interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScopes[]> {
   /**
    * Custom schema definitions
@@ -412,10 +452,13 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
   /**
    * Allow unauthenticated dynamic client registration.
    *
-   * Support for `allowUnauthenticatedClientRegistration` **will be deprecated**
-   * when the MCP protocol standardizes unauthenticated dynamic client registration.
-   * As of writing, both [Client ID Metadata Documents](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/991)
-   * and [`software_statement` and `jwks_uri`](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/1032) are under debate.
+   * When enabled, the `/oauth2/register` endpoint accepts requests
+   * without a session, but only for public clients
+   * (`token_endpoint_auth_method: "none"`).
+   *
+   * For verified client discovery (MCP), consider installing the
+   * `@better-auth/cimd` plugin, which verifies client identity through
+   * domain ownership via Client ID Metadata Documents.
    *
    * @default false
    */
@@ -426,6 +469,21 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
    * @default false
    */
   allowDynamicClientRegistration?: boolean;
+  /**
+   * Discovery implementations consulted by `getClient()` when resolving
+   * a `client_id`. Each entry decides whether it handles the `client_id`
+   * via {@link ClientDiscovery.matches}, then creates, refreshes, or
+   * passes on a client record. Entries run in order; the first one to
+   * return a client wins.
+   *
+   * Each entry also contributes {@link ClientDiscovery.discoveryMetadata}
+   * into the `/.well-known/oauth-authorization-server` and
+   * `/.well-known/openid-configuration` responses.
+   *
+   * Plugins such as `@better-auth/cimd` install an entry here at init
+   * time; users can also pass discovery implementations directly.
+   */
+  clientDiscovery?: ClientDiscovery<Scopes> | ClientDiscovery<Scopes>[];
   /**
    * List of scopes for newly registered clients
    * if not requested.
@@ -768,6 +826,34 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
     resource?: string; /** oAuthClient metadata */
     metadata?: Record<string, any>;
   }) => Awaitable<Record<string, any>>;
+  /**
+   * Custom fields to include in the token response body.
+   *
+   * Unlike `customAccessTokenClaims` (which adds claims inside the JWT payload),
+   * this adds fields to the JSON response envelope alongside `access_token`,
+   * `token_type`, etc. Standard OAuth fields (`access_token`, `token_type`,
+   * `expires_in`, `expires_at`, `refresh_token`, `scope`, `id_token`) cannot
+   * be overridden.
+   *
+   * @param info - context that may be useful when creating custom fields
+   */
+  customTokenResponseFields?: (info: {
+    /** The grant type being processed */grantType: GrantType;
+    /**
+     * The user, if applicable.
+     * Undefined for `client_credentials` (M2M, no user).
+     * Always present for `authorization_code` and `refresh_token`.
+     */
+    user?: (User & Record<string, unknown>) | null; /** Scopes granted for this token */
+    scopes: Scopes; /** oAuthClient metadata */
+    metadata?: Record<string, any>;
+    /**
+     * The authorization code verification value.
+     * Only present for `authorization_code` grant. Contains the original
+     * authorization request parameters (`query`), `referenceId`, `sessionId`, etc.
+     */
+    verificationValue?: VerificationValue;
+  }) => Awaitable<Record<string, unknown>>;
   /**
    * Overwrite specific /.well-known/openid-configuration
    * values so they are not available publically.
@@ -1476,6 +1562,17 @@ interface AuthServerMetadata {
    * @default true
    */
   authorization_response_iss_parameter_supported?: boolean;
+  /**
+   * Whether the authorization server supports discovering clients via
+   * [Client ID Metadata Documents](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/)
+   * (an HTTPS URL as `client_id`).
+   *
+   * Set at runtime by the `@better-auth/cimd` plugin (or any other
+   * `ClientDiscovery` that contributes this field via
+   * {@link ClientDiscovery.discoveryMetadata}). oauth-provider never sets
+   * it on its own.
+   */
+  client_id_metadata_document_supported?: boolean;
 }
 /**
  * Metadata returned by the openid-configuration endpoint:
@@ -1642,4 +1739,4 @@ interface ResourceServerMetadata {
   dpop_bound_access_tokens_required?: boolean;
 }
 //#endregion
-export { Awaitable as _, ResourceServerMetadata as a, OAuthConsent as c, OAuthRefreshToken as d, Prompt as f, VerificationValue as g, StoreTokenType as h, OIDCMetadata as i, OAuthOpaqueAccessToken as l, Scope as m, GrantType as n, AuthorizePrompt as o, SchemaClient as p, OAuthClient as r, OAuthAuthorizationQuery as s, AuthServerMetadata as t, OAuthOptions as u };
+export { Scope as _, OIDCMetadata as a, Awaitable as b, AuthorizePrompt as c, OAuthConsent as d, OAuthOpaqueAccessToken as f, SchemaClient as g, Prompt as h, OAuthClient as i, ClientDiscovery as l, OAuthRefreshToken as m, AuthServerMetadata as n, ResourceServerMetadata as o, OAuthOptions as p, GrantType as r, TokenEndpointAuthMethod as s, AuthMethod as t, OAuthAuthorizationQuery as u, StoreTokenType as v, VerificationValue as y };

package/dist/{utils-CIbcUsZ5.mjs → utils-Cx_XnD9i.mjs}

@@ -89,17 +89,49 @@ async function verifyOAuthQueryParams(oauth_query, secret) {
 async function getClient(ctx, options, clientId) {
 	const trustedClient = cachedTrustedClients.get(clientId);
 	if (trustedClient) return Object.assign({}, trustedClient);
-	const dbClient = await ctx.context.adapter.findOne({
+	let dbClient = await ctx.context.adapter.findOne({
 		model: options.schema?.oauthClient?.modelName ?? "oauthClient",
 		where: [{
 			field: "clientId",
 			value: clientId
 		}]
 	});
+	const discoveries = toClientDiscoveryArray(options.clientDiscovery);
+	for (const discovery of discoveries) {
+		if (!discovery.matches(clientId)) continue;
+		const resolved = await discovery.resolve(ctx, clientId, dbClient);
+		if (resolved) {
+			dbClient = resolved;
+			break;
+		}
+	}
 	if (dbClient && options.cachedTrustedClients?.has(clientId)) cachedTrustedClients.set(clientId, Object.assign({}, dbClient));
 	return dbClient;
 }
 /**
+* Normalize the `clientDiscovery` option into an array. Accepts a single
+* {@link ClientDiscovery}, an array of them, or `undefined`.
+*
+* @internal
+*/
+function toClientDiscoveryArray(discovery) {
+	if (!discovery) return [];
+	return Array.isArray(discovery) ? discovery : [discovery];
+}
+/**
+* Merge `discoveryMetadata` from every configured {@link ClientDiscovery}
+* into a single object. Entries are spread in order; later entries override
+* earlier ones on key collisions.
+*
+* @internal
+*/
+function mergeDiscoveryMetadata(discovery) {
+	return toClientDiscoveryArray(discovery).reduce((acc, d) => ({
+		...acc,
+		...d.discoveryMetadata ?? {}
+	}), {});
+}
+/**
 * Default client secret hasher using SHA-256
 *
 * @internal
@@ -292,7 +324,7 @@ async function extractClientCredentials(ctx, opts, expectedAudience) {
 			error_description: "client_assertion cannot be combined with client_secret or Basic auth",
 			error: "invalid_client"
 		});
-		const { verifyClientAssertion: verify } = await import("./client-assertion-DZqo-L5j.mjs").then((n) => n.t);
+		const { verifyClientAssertion: verify } = await import("./client-assertion-CderPEmR.mjs").then((n) => n.t);
 		const result = await verify(ctx, opts, body.client_assertion, body.client_assertion_type, body.client_id, expectedAudience);
 		return {
 			method: "private_key_jwt",
@@ -414,4 +446,4 @@ function isPKCERequired(client, requestedScopes) {
 	return false;
 }
 //#endregion
-export { storeToken as _, getClient as a, getStoredToken as c, parseClientMetadata as d, parsePrompt as f, storeClientSecret as g, searchParamsToQuery as h, extractClientCredentials as i, isPKCERequired as l, resolveSubjectIdentifier as m, deleteFromPrompt as n, getJwtPlugin as o, resolveSessionAuthTime as p, destructureCredentials as r, getOAuthProviderPlugin as s, decryptStoredClientSecret as t, normalizeTimestampValue as u, validateClientCredentials as v, verifyOAuthQueryParams as y };
+export { storeClientSecret as _, getClient as a, validateClientCredentials as b, getStoredToken as c, normalizeTimestampValue as d, parseClientMetadata as f, searchParamsToQuery as g, resolveSubjectIdentifier as h, extractClientCredentials as i, isPKCERequired as l, resolveSessionAuthTime as m, deleteFromPrompt as n, getJwtPlugin as o, parsePrompt as p, destructureCredentials as r, getOAuthProviderPlugin as s, decryptStoredClientSecret as t, mergeDiscoveryMetadata as u, storeToken as v, verifyOAuthQueryParams as x, toClientDiscoveryArray as y };

package/dist/{version-BGWhjYBb.mjs → version-DIwdpXrQ.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.7.0-beta.0";
+const PACKAGE_VERSION = "1.7.0-beta.1";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.7.0-beta.0",
+  "version": "1.7.0-beta.1",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -64,15 +64,15 @@
     "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.7.0-beta.0",
-    "better-auth": "1.7.0-beta.0"
+    "@better-auth/core": "1.7.0-beta.1",
+    "better-auth": "1.7.0-beta.1"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.0",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.7.0-beta.0",
-    "better-auth": "^1.7.0-beta.0"
+    "@better-auth/core": "^1.7.0-beta.1",
+    "better-auth": "^1.7.0-beta.1"
   },
   "scripts": {
     "build": "tsdown",