@better-auth/oauth-provider 1.7.0-beta.0 → 1.7.0-beta.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,1645 +0,0 @@
1
- import { AssertionSigningAlgorithm } from "@better-auth/core/oauth2";
2
- import { JWSAlgorithms } from "better-auth/plugins";
3
- import { JWTPayload } from "jose";
4
- import { InferOptionSchema, Session, User } from "better-auth/types";
5
- import { GenericEndpointContext, LiteralString } from "@better-auth/core";
6
-
7
- //#region src/schema.d.ts
8
- declare const schema: {
9
- oauthClient: {
10
- modelName: string;
11
- fields: {
12
- clientId: {
13
- type: "string";
14
- unique: true;
15
- required: true;
16
- };
17
- clientSecret: {
18
- type: "string";
19
- required: false;
20
- };
21
- disabled: {
22
- type: "boolean";
23
- defaultValue: false;
24
- required: false;
25
- };
26
- skipConsent: {
27
- type: "boolean";
28
- required: false;
29
- };
30
- enableEndSession: {
31
- type: "boolean";
32
- required: false;
33
- };
34
- subjectType: {
35
- type: "string";
36
- required: false;
37
- };
38
- scopes: {
39
- type: "string[]";
40
- required: false;
41
- };
42
- userId: {
43
- type: "string";
44
- required: false;
45
- references: {
46
- model: string;
47
- field: string;
48
- };
49
- };
50
- createdAt: {
51
- type: "date";
52
- required: false;
53
- };
54
- updatedAt: {
55
- type: "date";
56
- required: false;
57
- };
58
- name: {
59
- type: "string";
60
- required: false;
61
- };
62
- uri: {
63
- type: "string";
64
- required: false;
65
- };
66
- icon: {
67
- type: "string";
68
- required: false;
69
- };
70
- contacts: {
71
- type: "string[]";
72
- required: false;
73
- };
74
- tos: {
75
- type: "string";
76
- required: false;
77
- };
78
- policy: {
79
- type: "string";
80
- required: false;
81
- };
82
- softwareId: {
83
- type: "string";
84
- required: false;
85
- };
86
- softwareVersion: {
87
- type: "string";
88
- required: false;
89
- };
90
- softwareStatement: {
91
- type: "string";
92
- required: false;
93
- };
94
- redirectUris: {
95
- type: "string[]";
96
- required: true;
97
- };
98
- postLogoutRedirectUris: {
99
- type: "string[]";
100
- required: false;
101
- };
102
- tokenEndpointAuthMethod: {
103
- type: "string";
104
- required: false;
105
- };
106
- jwks: {
107
- type: "string";
108
- required: false;
109
- };
110
- jwksUri: {
111
- type: "string";
112
- required: false;
113
- };
114
- grantTypes: {
115
- type: "string[]";
116
- required: false;
117
- };
118
- responseTypes: {
119
- type: "string[]";
120
- required: false;
121
- };
122
- public: {
123
- type: "boolean";
124
- required: false;
125
- };
126
- type: {
127
- type: "string";
128
- required: false;
129
- };
130
- requirePKCE: {
131
- type: "boolean";
132
- required: false;
133
- };
134
- referenceId: {
135
- type: "string";
136
- required: false;
137
- };
138
- metadata: {
139
- type: "json";
140
- required: false;
141
- };
142
- };
143
- };
144
- /**
145
- * An opaque refresh token created with "offline_access"
146
- *
147
- * Refresh tokens are linked to a session.
148
- */
149
- oauthRefreshToken: {
150
- fields: {
151
- token: {
152
- type: "string";
153
- required: true;
154
- };
155
- clientId: {
156
- type: "string";
157
- required: true;
158
- references: {
159
- model: string;
160
- field: string;
161
- };
162
- };
163
- sessionId: {
164
- type: "string";
165
- required: false;
166
- references: {
167
- model: string;
168
- field: string;
169
- onDelete: "set null";
170
- };
171
- };
172
- userId: {
173
- type: "string";
174
- required: true;
175
- references: {
176
- model: string;
177
- field: string;
178
- };
179
- };
180
- referenceId: {
181
- type: "string";
182
- required: false;
183
- };
184
- expiresAt: {
185
- type: "date";
186
- };
187
- createdAt: {
188
- type: "date";
189
- };
190
- revoked: {
191
- type: "date";
192
- required: false;
193
- };
194
- authTime: {
195
- type: "date";
196
- required: false;
197
- };
198
- scopes: {
199
- type: "string[]";
200
- required: true;
201
- };
202
- };
203
- };
204
- /**
205
- * An opaque access token sent when there is no audience
206
- * to assigned to the JWT.
207
- *
208
- * Access tokens are linked to a session, better-auth
209
- * authors SHALL always check for valid session!
210
- *
211
- * AccessTokens SHALL only be created at refresh,
212
- * destroyed at revoke, and read at introspection.
213
- * NEVER update an access token! Typically a refresh and
214
- * revoke (if not expired) may want to occur at the same time.
215
- */
216
- oauthAccessToken: {
217
- modelName: string;
218
- fields: {
219
- token: {
220
- type: "string";
221
- unique: true;
222
- };
223
- clientId: {
224
- type: "string";
225
- required: true;
226
- references: {
227
- model: string;
228
- field: string;
229
- };
230
- };
231
- sessionId: {
232
- type: "string";
233
- required: false;
234
- references: {
235
- model: string;
236
- field: string;
237
- onDelete: "set null";
238
- };
239
- };
240
- userId: {
241
- type: "string";
242
- required: false;
243
- references: {
244
- model: string;
245
- field: string;
246
- };
247
- };
248
- referenceId: {
249
- type: "string";
250
- required: false;
251
- };
252
- refreshId: {
253
- type: "string";
254
- required: false;
255
- references: {
256
- model: string;
257
- field: string;
258
- };
259
- };
260
- expiresAt: {
261
- type: "date";
262
- };
263
- createdAt: {
264
- type: "date";
265
- };
266
- scopes: {
267
- type: "string[]";
268
- required: true;
269
- };
270
- };
271
- };
272
- oauthConsent: {
273
- modelName: string;
274
- fields: {
275
- clientId: {
276
- type: "string";
277
- required: true;
278
- references: {
279
- model: string;
280
- field: string;
281
- };
282
- };
283
- userId: {
284
- type: "string";
285
- required: false;
286
- references: {
287
- model: string;
288
- field: string;
289
- };
290
- };
291
- referenceId: {
292
- type: "string";
293
- required: false;
294
- };
295
- scopes: {
296
- type: "string[]";
297
- required: true;
298
- };
299
- createdAt: {
300
- type: "date";
301
- };
302
- updatedAt: {
303
- type: "date";
304
- };
305
- };
306
- };
307
- };
308
- //#endregion
309
- //#region src/types/helpers.d.ts
310
- type Awaitable<T> = Promise<T> | T;
311
- //#endregion
312
- //#region src/types/index.d.ts
313
- type StoreTokenType = "access_token" | "refresh_token" | "authorization_code";
314
- type InternallySupportedScopes = "openid" | "profile" | "email" | "offline_access";
315
- type Scope = LiteralString | InternallySupportedScopes;
316
- type Prompt = "none" | "consent" | "login" | "create" | "select_account";
317
- type AuthorizePrompt = Prompt | "login consent" | "select_account consent";
318
- interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScopes[]> {
319
- /**
320
- * Custom schema definitions
321
- */
322
- schema?: InferOptionSchema<typeof schema>;
323
- /**
324
- * The scopes that the client is allowed to request.
325
- * Must contain "openid" to be considered an OIDC server,
326
- * otherwise it is just an OAuth server.
327
- *
328
- * @see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
329
- * @default
330
- * ```ts
331
- * ["openid", "profile", "email", "offline_access"]
332
- * ```
333
- */
334
- scopes?: Scopes;
335
- /**
336
- * List of valid audiences if there are multiple.
337
- *
338
- * @default baseURL
339
- * @example [
340
- * "https://api.example.com",
341
- * "https://api.example.com/mcp",
342
- * ]
343
- */
344
- validAudiences?: string[];
345
- /**
346
- * Automatically cache trusted clients by client_id.
347
- * Clients are cached at request.
348
- *
349
- * Additionally, cached trusted clients are immutable
350
- * through the CRUD endpoints.
351
- */
352
- cachedTrustedClients?: Set<string>;
353
- /**
354
- * The amount of time in seconds that the access token is valid for.
355
- *
356
- * @default 3600 (1 hour) - Industry standard
357
- */
358
- accessTokenExpiresIn?: number;
359
- /**
360
- * The amount of time in seconds that a client
361
- * credentials grant access token is valid for.
362
- *
363
- * @default 3600 (1 hour)
364
- */
365
- m2mAccessTokenExpiresIn?: number;
366
- /**
367
- * The amount of time in seconds that id token is valid for.
368
- *
369
- * @default 36000 (10 hours) - Recommended by the OIDC spec
370
- */
371
- idTokenExpiresIn?: number;
372
- /**
373
- * The amount of time in seconds that the refresh token is valid for.
374
- * Typical industry standard is 30 days
375
- *
376
- * @default 2592000 (30 days)
377
- */
378
- refreshTokenExpiresIn?: number;
379
- /**
380
- * The amount of time in seconds that the authorization code is valid for.
381
- *
382
- * @default 600 (10 minutes) - Recommended by the OIDC spec
383
- */
384
- codeExpiresIn?: number;
385
- /**
386
- * Create access token expirations based on scope.
387
- *
388
- * This is useful for higher-privilege scopes that
389
- * require shorter expiration times. The earliest
390
- * expiration will take precedence. If not specified,
391
- * the default will take place.
392
- *
393
- * Note: values should be lower than the defaults
394
- * `accessTokenExpiresIn` and `m2mAccessTokenExpiresIn`
395
- *
396
- * @example
397
- * { "write:payments": "5m", "read:payments": "30m" }
398
- */
399
- scopeExpirations?: { [K in Scopes[number]]?: number | string | Date };
400
- /**
401
- * Maximum lifetime in seconds for client assertion JWTs
402
- * used with `private_key_jwt` authentication.
403
- *
404
- * @default 300 (5 minutes)
405
- */
406
- assertionMaxLifetime?: number;
407
- /**
408
- * Allows /oauth2/public-client-prelogin endpoint to be
409
- * requestable prior to login via a valid oauth_query.
410
- */
411
- allowPublicClientPrelogin?: boolean;
412
- /**
413
- * Allow unauthenticated dynamic client registration.
414
- *
415
- * Support for `allowUnauthenticatedClientRegistration` **will be deprecated**
416
- * when the MCP protocol standardizes unauthenticated dynamic client registration.
417
- * As of writing, both [Client ID Metadata Documents](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/991)
418
- * and [`software_statement` and `jwks_uri`](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/1032) are under debate.
419
- *
420
- * @default false
421
- */
422
- allowUnauthenticatedClientRegistration?: boolean;
423
- /**
424
- * Allow dynamic client registration.
425
- *
426
- * @default false
427
- */
428
- allowDynamicClientRegistration?: boolean;
429
- /**
430
- * List of scopes for newly registered clients
431
- * if not requested.
432
- *
433
- * For scopes that shall automatically adapt to your scopes
434
- * list in the future (ie scopes: undefined), create that client
435
- * using the server's `createOAuthClient` function.
436
- *
437
- * @default scopes
438
- */
439
- clientRegistrationDefaultScopes?: Scopes;
440
- /**
441
- * List of scopes for allowed clients in addition to
442
- * those listed in the default scope. Finalized allowed list is
443
- * the union of the default scopes and this list.
444
- *
445
- * If both clientRegistrationDefaultScopes and this
446
- * are undefined, only scopes listed in the scopes option
447
- * are allowed.
448
- *
449
- * @default - clientRegistrationDefaultScopes
450
- */
451
- clientRegistrationAllowedScopes?: Scopes;
452
- /**
453
- * How long a dynamically created confidential client
454
- * should last for.
455
- *
456
- * - If a `number` is passed as an argument it is used as the claim directly.
457
- * - If a `Date` instance is passed as an argument it is converted to unix timestamp and used as the
458
- * claim.
459
- * - If a `string` is passed as an argument it is resolved to a time span, and then added to the
460
- * current unix timestamp and used as the claim.
461
- *
462
- * Format used for time span should be a number followed by a unit, such as "5 minutes" or "1
463
- * day".
464
- *
465
- * Valid units are: "sec", "secs", "second", "seconds", "s", "minute", "minutes", "min", "mins",
466
- * "m", "hour", "hours", "hr", "hrs", "h", "day", "days", "d", "week", "weeks", "w", "year",
467
- * "years", "yr", "yrs", and "y". It is not possible to specify months. 365.25 days is used as an
468
- * alias for a year.
469
- *
470
- * If the string is suffixed with "ago", or prefixed with a "-", the resulting time span gets
471
- * subtracted from the current unix timestamp. A "from now" suffix can also be used for
472
- * readability when adding to the current unix timestamp.
473
- *
474
- * @default - undefined (does not expire)
475
- */
476
- clientRegistrationClientSecretExpiration?: number | string | Date;
477
- /**
478
- * Returns the reference id which owns the oauth clients.
479
- *
480
- * For example, it can be an organization, team, etc.
481
- * When provided, user_id of the client will be undefined
482
- * and the owner is defined under the field `reference_id`.
483
- *
484
- * With the organization plugin: @example ({ session }) => {
485
- * return session?.activeOrganizationId;
486
- * }
487
- */
488
- clientReference?: (context: {
489
- user?: User & Record<string, unknown>;
490
- session?: Session & Record<string, unknown>;
491
- }) => Awaitable<string | undefined>;
492
- /**
493
- * RBAC on OAuth Clients.
494
- *
495
- * Provides context to help determine if a user can perform
496
- * a specific action.
497
- */
498
- clientPrivileges?: (context: {
499
- headers: Headers;
500
- action: "create" | "read" | "update" | "delete" | "list" | "rotate";
501
- user?: User & Record<string, unknown>;
502
- session?: Session & Record<string, unknown>;
503
- }) => Awaitable<boolean | undefined>;
504
- /**
505
- * List default scopes when using the token endpoint's
506
- * grant type "client_credentials". This is used
507
- * only when oauthClients are stored in the database
508
- * without a scope and you do not want all `scopes` to be given.
509
- *
510
- * @default undefined
511
- */
512
- clientCredentialGrantDefaultScopes?: Scopes;
513
- /**
514
- * Grant types supported by the token endpoint
515
- *
516
- * @default
517
- * ["authorization_code", "client_credentials", "refresh_token"]
518
- */
519
- grantTypes?: GrantType[];
520
- /**
521
- * The URL to the login page. This is used if the client requests the `login`
522
- * prompt.
523
- */
524
- loginPage: string;
525
- /**
526
- * A URL to the consent page where the user will be redirected if the client
527
- * requests consent.
528
- *
529
- * After the user consents, they should be redirected by the client to the
530
- * `redirect_uri` with the authorization code.
531
- *
532
- * When the server redirects the user to the consent page, it will include the
533
- * following query parameters:
534
- *
535
- * - `client_id` - The ID of the client.
536
- * - `scope` - The requested scopes.
537
- * - `code` - The authorization code.
538
- *
539
- * once the user consents, you need to call the `/oauth2/consent` endpoint
540
- * with the code and `accept: true` to complete the authorization. Which will
541
- * then return the client to the `redirect_uri` with the authorization code.
542
- *
543
- * @example
544
- * ```ts
545
- * consentPage: "/consent"
546
- * ```
547
- */
548
- consentPage: string;
549
- /**
550
- * Sign Up page settings associated with `prompt: "create"`
551
- * @see https://openid.net/specs/openid-connect-prompt-create-1_0.html
552
- */
553
- signup?: {
554
- /**
555
- * A URL to the Sign Up page where the user will be redirected
556
- * to continue a signup flow.
557
- *
558
- * Upon completion of signup, you need to call the `/oauth2/continue`
559
- * with `created: true` to continue the login flow.
560
- *
561
- * @default loginPage
562
- * @example `/sign-up`
563
- */
564
- page?: string;
565
- /**
566
- * To add registration steps, specify the page(s) to redirect to.
567
- *
568
- * Note: the account would need to be logged in (or selected)
569
- * to specify steps.
570
- *
571
- * If true, user with redirect to `page`.
572
- * If string, user with redirect to the page specified by string.
573
- * If false, user has completed registration and will continue auth flow.
574
- *
575
- * @param context
576
- */
577
- shouldRedirect?: (context: {
578
- headers: Headers;
579
- user: User & Record<string, unknown>;
580
- session: Session & Record<string, unknown>;
581
- scopes: Scopes;
582
- }) => Awaitable<boolean | string>;
583
- };
584
- /**
585
- * Select Account page settings associated with `prompt: "select_account"`
586
- */
587
- selectAccount?: {
588
- /**
589
- * A URL to the account selection page where the user will be redirected if
590
- * the user must select an account (eg. multi-session).
591
- *
592
- * Once the user selects an account, you need to call the `/oauth2/continue`
593
- * with `selected: true` to continue the login flow.
594
- *
595
- * @default loginPage
596
- */
597
- page?: string;
598
- /**
599
- * Checks to see if an account needs selection
600
- * for the `/oauth2/authorize` endpoint.
601
- *
602
- * @returns
603
- * - `true`: account is not selected and needs selection
604
- * - `false`: intended user or account already selected
605
- */
606
- shouldRedirect: (context: {
607
- headers: Headers;
608
- user: User & Record<string, unknown>;
609
- session: Session & Record<string, unknown>;
610
- scopes: Scopes;
611
- }) => Awaitable<boolean>;
612
- };
613
- /**
614
- * Post login page settings
615
- */
616
- postLogin?: {
617
- /**
618
- * The page `shouldRedirect` should redirect to.
619
- */
620
- page: string;
621
- /**
622
- * A value to tie to the consent reference_id.
623
- *
624
- * Note that YOU must fail in this function if the requested
625
- * scope doesn't have a reference id and it should.
626
- */
627
- consentReferenceId: (context: {
628
- user: User & Record<string, unknown>;
629
- session: Session & Record<string, unknown>;
630
- scopes: Scopes;
631
- }) => Awaitable<string | undefined>;
632
- /**
633
- * After login and before consent, request the user to
634
- * select an additional choice for `/oauth2/authorize`.
635
- * For example, allow selection of an organization or team.
636
- *
637
- * Upon selection of a specific account, use `/oauth2/continue`
638
- * with `postLogin: true` to continue the login flow.
639
- *
640
- * @returns
641
- * - `true`: account is not selected and needs selection
642
- * - `false`: intended user or account selected
643
- */
644
- shouldRedirect: (context: {
645
- headers: Headers;
646
- user: User & Record<string, unknown>;
647
- session: Session & Record<string, unknown>;
648
- scopes: Scopes;
649
- }) => Awaitable<boolean>;
650
- };
651
- /**
652
- * Format your refresh tokens the returned to oauth clients.
653
- * For example with JWE encryption/decryption logic.
654
- *
655
- * If you changed the format after production deployment,
656
- * ensure that the prior version can still be decoded.
657
- *
658
- * NOTE: `prefix.refreshToken` is internally handled,
659
- * so `token` only contains the stored database token.
660
- */
661
- formatRefreshToken?: {
662
- /**
663
- * Custom session token format sent to client.
664
- */
665
- encrypt: (token: string, sessionId?: string) => Awaitable<string>;
666
- /**
667
- * Decodes the custom session token.
668
- *
669
- * @returns {string | undefined} sessionId - if returned,
670
- * should be same as the one received in `encode`.
671
- * There is an added benefit that updates to the session occur
672
- * via id instead of token.
673
- * @returns {string} token - should be same as the one
674
- * received in `encode`
675
- */
676
- decrypt: (token: string) => Awaitable<{
677
- sessionId?: string;
678
- token: string;
679
- }>;
680
- };
681
- /**
682
- * Store the client secret in your database in a secure way
683
- * Note: This will not affect the client secret sent to the user,
684
- * it will only affect the client secret stored in your database
685
- *
686
- * When disableJwtPlugin = false (recommended):
687
- * - "hashed" - The client secret is hashed using the `hash` function.
688
- * - {
689
- * hash: (clientSecret: string) => Awaitable<string>,
690
- * verify?: (clientSecret: string, storedHash: string) => Awaitable<boolean>
691
- * } - A function that hashes the client secret.
692
- *
693
- * When disableJwtPlugin = true:
694
- * - "encrypted" - The client secret is encrypted using the `encrypt` function.
695
- * - {
696
- * encrypt: (clientSecret: string) => Awaitable<string>,
697
- * decrypt: (storedSecret: string) => Awaitable<string>
698
- * } - A function that encrypts and decrypts the client secret.
699
- *
700
- * @default
701
- * options.disableJwtPlugin ? "encrypted" : "hashed"
702
- */
703
- storeClientSecret?: "hashed" | "encrypted" | {
704
- hash: (clientSecret: string) => Awaitable<string>;
705
- verify?: (clientSecret: string, storedHash: string) => Awaitable<boolean>;
706
- } | {
707
- encrypt: (clientSecret: string) => Awaitable<string>;
708
- decrypt: (storedSecret: string) => Awaitable<string>;
709
- };
710
- /**
711
- * Storage method of opaque access tokens and refresh tokens on your database.
712
- *
713
- * - "hashed" - The client secret is hashed using the `hash` function.
714
- * - {
715
- * hash: (token: string, type: StoreTokenType) => Awaitable<string>
716
- * } - A function that hashes the token
717
- *
718
- * @default "hashed"
719
- */
720
- storeTokens?: "hashed" | {
721
- hash: (token: string, type: StoreTokenType) => Awaitable<string>;
722
- };
723
- /**
724
- * Custom claims provided at the OIDC `userinfo` endpoint.
725
- *
726
- * @param info - context that may be useful when creating custom claims
727
- * @returns Additional claims for userinfo request
728
- */
729
- customUserInfoClaims?: (info: {
730
- /** The user object */user: User & Record<string, unknown>;
731
- /** The scopes from the access token used
732
- * in the /userinfo request (matches jwt.scopes) */
733
- scopes: Scopes; /** The access token payload used in the /userinfo request */
734
- jwt: JWTPayload;
735
- }) => Awaitable<Record<string, any>>;
736
- /**
737
- * Custom claims attached to OIDC id tokens.
738
- *
739
- * To remain OIDC-compliant, claims should be
740
- * namespaced with a URI. For example, a site
741
- * example.com should namespace an organization at
742
- * https://example.com/organization.
743
- *
744
- * @param info - context that may be useful when creating custom claims
745
- */
746
- customIdTokenClaims?: (info: {
747
- /** The user object if token is associated to a user. */user: User & Record<string, unknown>; /** Scopes granted for this token */
748
- scopes: Scopes; /** oAuthClient metadata */
749
- metadata?: Record<string, any>;
750
- }) => Awaitable<Record<string, any>>;
751
- /**
752
- * Custom claims attached to access tokens.
753
- *
754
- * Claims are added for both the token and introspect endpoints.
755
- *
756
- * Use the user and referenceId fields to fetch
757
- * for membership roles/permissions to attach for the token.
758
- * Note that scopes are those that requested,
759
- * permissions are what the the user can actually do which
760
- * must be done in this function.
761
- *
762
- * @param info - context that may be useful when creating custom claims
763
- */
764
- customAccessTokenClaims?: (info: {
765
- /** The user object if token is associated to a user. Null if user doesn't exist. Undefined if user not applicable. */user?: (User & Record<string, unknown>) | null; /** reference of the consent/authorization */
766
- referenceId?: string; /** Scopes granted for this token */
767
- scopes: Scopes; /** The resource requesting. Provided by the token endpoint. */
768
- resource?: string; /** oAuthClient metadata */
769
- metadata?: Record<string, any>;
770
- }) => Awaitable<Record<string, any>>;
771
- /**
772
- * Overwrite specific /.well-known/openid-configuration
773
- * values so they are not available publically.
774
- * This may be important if not all clients need specific scopes.
775
- */
776
- advertisedMetadata?: {
777
- /**
778
- * Advertised scopes_supported located at /.well-known/openid-configuration
779
- *
780
- * All values must be found in the scope field
781
- */
782
- scopes_supported?: Scopes;
783
- /**
784
- * Advertised claims_supported located at /.well-known/openid-configuration
785
- *
786
- * Internally supported claims:
787
- * ["sub", "iss", "aud", "exp", "iat", "sid", "scope", "azp"]
788
- */
789
- claims_supported?: string[];
790
- };
791
- /**
792
- * Attach prefixes to returned token types.
793
- * NOTE: The prefix is not stored in the database.
794
- *
795
- * Useful when also using the [API Key Plugin](../api-key/index.ts)
796
- * or Secret Scanners (ie Github Secret Scanning, GitGuardian, Trufflehog).
797
- *
798
- * We recommend to append an underscore to make it more identifiable.
799
- */
800
- prefix?: {
801
- /**
802
- * Prefix on returned opaque access tokens.
803
- *
804
- * Additionally, we recommend you add the prefix prior to the first deployment
805
- * otherwise you must utilize this with `generateOpaqueAccessToken` (storing the full
806
- * encoded value on the database).
807
- *
808
- * @example "domain_at_"
809
- * @default undefined
810
- */
811
- opaqueAccessToken?: string;
812
- /**
813
- * Prefix on returned refresh tokens.
814
- *
815
- * Additionally, we recommend you add the prefix prior to the first deployment
816
- * otherwise you must utilize this with `generateRefreshToken` (storing the full
817
- * encoded value on the database).
818
- *
819
- * @example "domain_rt_"
820
- * @default undefined
821
- */
822
- refreshToken?: string;
823
- /**
824
- * Prefix on returned client secrets.
825
- *
826
- * Additionally, we recommend you add the prefix prior to the first deployment
827
- * otherwise you must utilize this with `generateClientSecret` (storing the full
828
- * encoded value on the database).
829
- *
830
- * @example "domain_cs_"
831
- * @default undefined
832
- */
833
- clientSecret?: string;
834
- };
835
- /**
836
- * Custom function to generate a client ID.
837
- *
838
- * @default
839
- * generateRandomString(32, "A-Z", "a-z")
840
- */
841
- generateClientId?: () => string;
842
- /**
843
- * Custom function to generate a client secret.
844
- *
845
- * @default
846
- * generateRandomString(32, "A-Z", "a-z")
847
- */
848
- generateClientSecret?: () => string;
849
- /**
850
- * Generate a unique access token to save on the database.
851
- *
852
- * @default
853
- * generateRandomString(32, "A-Z", "a-z")
854
- */
855
- generateOpaqueAccessToken?: () => Awaitable<string>;
856
- /**
857
- * Generate a unique refresh token to save on the database.
858
- *
859
- * @default
860
- * generateRandomString(32, "A-Z", "a-z")
861
- */
862
- generateRefreshToken?: () => Awaitable<string>;
863
- /**
864
- * Confirmations that individually silences specific well-known endpoint
865
- * configuration warnings.
866
- *
867
- * Only set these specific values if you see the error as they
868
- * are configuration specific.
869
- */
870
- silenceWarnings?: {
871
- /**
872
- * Config warning for `/.well-known/oauth-authorization-server/[issuer-path]`
873
- *
874
- * @default false
875
- */
876
- oauthAuthServerConfig?: boolean;
877
- /**
878
- * Config warning for `[issuer-path]/.well-known/openid-configuration`
879
- *
880
- * @default false
881
- */
882
- openidConfig?: boolean;
883
- };
884
- /**
885
- * By default, access and id tokens can be issued and verified
886
- * through the JWT plugin.
887
- *
888
- * You can disable the JWT requirement in which access tokens
889
- * will always be opaque and id tokens are always signed
890
- * with HS256 using the client secret.
891
- *
892
- * @default false
893
- */
894
- disableJwtPlugin?: boolean;
895
- /**
896
- * Rate limit configuration for OAuth endpoints.
897
- *
898
- * Each endpoint can be configured with a `window` (in seconds) and `max` requests.
899
- * Set to `false` to disable rate limiting for a specific endpoint.
900
- *
901
- * @default
902
- * ```ts
903
- * {
904
- * token: { window: 60, max: 20 },
905
- * authorize: { window: 60, max: 30 },
906
- * introspect: { window: 60, max: 100 },
907
- * revoke: { window: 60, max: 30 },
908
- * register: { window: 60, max: 5 },
909
- * userinfo: { window: 60, max: 60 },
910
- * }
911
- * ```
912
- */
913
- rateLimit?: {
914
- /**
915
- * Rate limit for /oauth2/token endpoint
916
- * @default { window: 60, max: 20 }
917
- */
918
- token?: {
919
- window: number;
920
- max: number;
921
- } | false;
922
- /**
923
- * Rate limit for /oauth2/authorize endpoint
924
- * @default { window: 60, max: 30 }
925
- */
926
- authorize?: {
927
- window: number;
928
- max: number;
929
- } | false;
930
- /**
931
- * Rate limit for /oauth2/introspect endpoint
932
- * @default { window: 60, max: 100 }
933
- */
934
- introspect?: {
935
- window: number;
936
- max: number;
937
- } | false;
938
- /**
939
- * Rate limit for /oauth2/revoke endpoint
940
- * @default { window: 60, max: 30 }
941
- */
942
- revoke?: {
943
- window: number;
944
- max: number;
945
- } | false;
946
- /**
947
- * Rate limit for /oauth2/register endpoint
948
- * @default { window: 60, max: 5 }
949
- */
950
- register?: {
951
- window: number;
952
- max: number;
953
- } | false;
954
- /**
955
- * Rate limit for /oauth2/userinfo endpoint
956
- * @default { window: 60, max: 60 }
957
- */
958
- userinfo?: {
959
- window: number;
960
- max: number;
961
- } | false;
962
- };
963
- /**
964
- * Secret used to compute pairwise subject identifiers (HMAC-SHA256).
965
- * When set, clients with `subject_type: "pairwise"` receive unique,
966
- * unlinkable `sub` values per sector identifier.
967
- *
968
- * @see https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
969
- */
970
- pairwiseSecret?: string;
971
- /**
972
- * Resolves a `request_uri` at the authorize endpoint (PAR support).
973
- *
974
- * When the authorize endpoint receives a `request_uri` parameter, this callback
975
- * resolves it to the original authorization parameters. Return null if the URI
976
- * is invalid or expired.
977
- */
978
- requestUriResolver?: (input: {
979
- requestUri: string;
980
- clientId: string;
981
- ctx: GenericEndpointContext;
982
- }) => Promise<Record<string, string> | null>;
983
- }
984
- interface OAuthAuthorizationQuery {
985
- /**
986
- * The response type.
987
- * - "code": authorization code flow.
988
- * Optional in the query when using request_uri (PAR) — resolved from stored params.
989
- */
990
- response_type?: "code";
991
- /**
992
- * PAR request_uri. When present, other params are resolved from the stored request.
993
- */
994
- request_uri?: string;
995
- /**
996
- * The redirect URI for the client. Must be one of the registered redirect URLs for the client.
997
- */
998
- redirect_uri: string;
999
- /**
1000
- * The scope of the request. Must be a space-separated list of case sensitive strings.
1001
- *
1002
- * - "openid" is required for most requests to obtain user id (ie sub)
1003
- * - "profile" is required for requests that require user profile information.
1004
- * - "email" is required for requests that require user email information.
1005
- * - "offline_access" is required for requests that require a refresh token.
1006
- */
1007
- scope?: string;
1008
- /**
1009
- * Opaque value used to maintain state between the request and the callback. Typically,
1010
- * Cross-Site Request Forgery (CSRF, XSRF) mitigation is done by cryptographically binding the
1011
- * value of this parameter with a browser cookie.
1012
- *
1013
- * Note: Better Auth stores the state in a database instead of a cookie. - This is to minimize
1014
- * the complication with native apps and other clients that may not have access to cookies.
1015
- */
1016
- state: string;
1017
- /**
1018
- * The client ID. Must be the ID of a registered client.
1019
- */
1020
- client_id: string;
1021
- /**
1022
- * The prompt parameter is used to specify the type of user interaction that is required.
1023
- */
1024
- prompt?: AuthorizePrompt;
1025
- /**
1026
- * The display parameter is used to specify how the authorization server displays the
1027
- * authentication and consent user interface pages to the end user.
1028
- */
1029
- display?: "page" | "popup" | "touch" | "wap";
1030
- /**
1031
- * End-User's preferred languages and scripts for the user interface, represented as a
1032
- * space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For
1033
- * instance, the value "fr-CA fr en" represents a preference for French as spoken in Canada,
1034
- * then French (without a region designation), followed by English (without a region
1035
- * designation).
1036
- *
1037
- * Better Auth does not support this parameter yet. It'll not throw an error if it's provided,
1038
- *
1039
- * 🏗️ currently not implemented
1040
- */
1041
- ui_locales?: string;
1042
- /**
1043
- * The maximum authentication age.
1044
- *
1045
- * Specifies the allowable elapsed time in seconds since the last time the End-User was
1046
- * actively authenticated by the provider. If the elapsed time is greater than this value, the
1047
- * provider MUST attempt to actively re-authenticate the End-User.
1048
- *
1049
- * Note that max_age=0 is equivalent to prompt=login.
1050
- */
1051
- max_age?: number;
1052
- /**
1053
- * Requested Authentication Context Class Reference values.
1054
- *
1055
- * Space-separated string that
1056
- * specifies the acr values that the Authorization Server is being requested to use for
1057
- * processing this Authentication Request, with the values appearing in order of preference.
1058
- * The Authentication Context Class satisfied by the authentication performed is returned as
1059
- * the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary
1060
- * Claim by this parameter.
1061
- */
1062
- acr_values?: string;
1063
- /**
1064
- * Hint to the Authorization Server about the login identifier the End-User might use to log in
1065
- * (if necessary). This hint can be used by an RP if it first asks the End-User for their
1066
- * e-mail address (or other identifier) and then wants to pass that value as a hint to the
1067
- * discovered authorization service. It is RECOMMENDED that the hint value match the value used
1068
- * for discovery. This value MAY also be a phone number in the format specified for the
1069
- * phone_number Claim. The use of this parameter is left to the OP's discretion.
1070
- */
1071
- login_hint?: string;
1072
- /**
1073
- * ID Token previously issued by the Authorization Server being passed as a hint about the
1074
- * End-User's current or past authenticated session with the Client.
1075
- *
1076
- * 🏗️ currently not implemented
1077
- */
1078
- id_token_hint?: string;
1079
- /**
1080
- * Code challenge
1081
- */
1082
- code_challenge?: string;
1083
- /**
1084
- * Code challenge method used
1085
- */
1086
- code_challenge_method?: "S256";
1087
- /**
1088
- * String value used to associate a Client session with an ID Token, and to mitigate replay
1089
- * attacks. The value is passed through unmodified from the Authentication Request to the ID Token.
1090
- * If present in the ID Token, Clients MUST verify that the nonce Claim Value is equal to the
1091
- * value of the nonce parameter sent in the Authentication Request. If present in the
1092
- * Authentication Request, Authorization Servers MUST include a nonce Claim in the ID Token
1093
- * with the Claim Value being the nonce value sent in the Authentication Request.
1094
- */
1095
- nonce?: string;
1096
- }
1097
- /**
1098
- * Stored within the verification.value field
1099
- * in JSON format.
1100
- *
1101
- * It is stored in JSON to prevent
1102
- * direct searches by field on the db
1103
- */
1104
- interface VerificationValue {
1105
- type: "authorization_code";
1106
- query: OAuthAuthorizationQuery;
1107
- sessionId: string;
1108
- userId: string;
1109
- referenceId?: string;
1110
- authTime?: number;
1111
- }
1112
- /**
1113
- * Client registered values as used within the plugin
1114
- */
1115
- interface SchemaClient<Scopes extends readonly Scope[] = InternallySupportedScopes[]> {
1116
- /**
1117
- * Client ID
1118
- *
1119
- * size 32
1120
- *
1121
- * as described on https://www.rfc-editor.org/rfc/rfc6749.html#section-2.2
1122
- */
1123
- clientId: string;
1124
- /**
1125
- * Client Secret
1126
- *
1127
- * A secret for the client, if required by the authorization server.
1128
- *
1129
- * size 32
1130
- */
1131
- clientSecret?: string;
1132
- /** Whether the client is disabled or not. */
1133
- disabled?: boolean;
1134
- /**
1135
- * Restricts scopes allowed for the client.
1136
- *
1137
- * If not defined, any scope can be requested.
1138
- */
1139
- scopes?: Scopes;
1140
- /** User who owns this client */
1141
- userId?: string | null;
1142
- /** Created time */
1143
- createdAt?: Date;
1144
- /** Last updated time */
1145
- updatedAt?: Date;
1146
- /** Expires time */
1147
- expiresAt?: Date;
1148
- /** The name of the client. */
1149
- name?: string;
1150
- /** Linkable uri of the client. */
1151
- uri?: string;
1152
- /** The icon of the client. */
1153
- icon?: string;
1154
- /** List of contacts for the client. */
1155
- contacts?: string[];
1156
- /** Client Terms of Service Uri */
1157
- tos?: string;
1158
- /** Client Privacy Policy Uri */
1159
- policy?: string;
1160
- softwareId?: string;
1161
- softwareVersion?: string;
1162
- softwareStatement?: string;
1163
- /**
1164
- * List of registered redirect URLs. Must include the whole URL, including the protocol, port,
1165
- * and path.
1166
- *
1167
- * For example, `https://example.com/auth/callback`
1168
- */
1169
- redirectUris?: string[];
1170
- /**
1171
- * List of registered post-logout redirect URIs. Used for RP-Initiated Logout.
1172
- * Must include the whole URL, including the protocol, port, and path.
1173
- *
1174
- * For example, `https://example.com/logout/callback`
1175
- */
1176
- postLogoutRedirectUris?: string[];
1177
- tokenEndpointAuthMethod?: "none" | "client_secret_basic" | "client_secret_post" | "private_key_jwt";
1178
- grantTypes?: GrantType[];
1179
- responseTypes?: "code"[];
1180
- /** Client's JSON Web Key Set for `private_key_jwt` authentication. Mutually exclusive with `jwksUri`. */
1181
- jwks?: string;
1182
- /** URI for the client's JSON Web Key Set. Mutually exclusive with `jwks`. Must be HTTPS. */
1183
- jwksUri?: string;
1184
- /**
1185
- * Indicates whether the client is public or confidential.
1186
- * If public, refreshing tokens doesn't require
1187
- * a client_secret. Clients are considered confidential by default.
1188
- *
1189
- * Uses `token_endpoint_auth_method` field or `type` field to determine
1190
- *
1191
- * Described https://www.rfc-editor.org/rfc/rfc6749.html#section-2.1
1192
- *
1193
- * @default undefined
1194
- */
1195
- public?: boolean;
1196
- /**
1197
- * The client type
1198
- *
1199
- * Described https://www.rfc-editor.org/rfc/rfc6749.html#section-2.1
1200
- *
1201
- * - web - A web application (confidential client)
1202
- * - native - A mobile application (public client)
1203
- * - user-agent-based - A user-agent-based application (public client)
1204
- */
1205
- type?: "web" | "native" | "user-agent-based";
1206
- /**
1207
- * Whether this client requires PKCE for authorization code flow.
1208
- *
1209
- * @default true
1210
- *
1211
- * Note: PKCE is always required for public clients and when
1212
- * requesting offline_access scope, regardless of this setting.
1213
- */
1214
- requirePKCE?: boolean;
1215
- /** Used to indicate if consent screen can be skipped */
1216
- skipConsent?: boolean;
1217
- /** Used to enable client to logout via the `/oauth2/end-session` endpoint */
1218
- enableEndSession?: boolean;
1219
- /** Subject identifier type: "public" (default) or "pairwise" */
1220
- subjectType?: "public" | "pairwise";
1221
- /** Reference to the owner of this client. Eg. Organization, Team, Profile */
1222
- referenceId?: string;
1223
- /**
1224
- * Additional metadata about the client.
1225
- */
1226
- metadata?: string;
1227
- }
1228
- interface OAuthOpaqueAccessToken<Scopes extends readonly Scope[] = InternallySupportedScopes[]> {
1229
- /**
1230
- * The opaque access token.
1231
- */
1232
- token: string;
1233
- /**
1234
- * The client ID of the client that requested the access token.
1235
- */
1236
- clientId: string;
1237
- /**
1238
- * The session ID the access token is associated with.
1239
- *
1240
- * Not available in client credentials grant
1241
- * where no user session is involved.
1242
- */
1243
- sessionId?: string;
1244
- /**
1245
- * The user ID the access token is associated with.
1246
- *
1247
- * Not available in client credentials grant
1248
- * where no user is involved.
1249
- */
1250
- userId?: string;
1251
- /**
1252
- * Reference Id of the consent/authorization.
1253
- *
1254
- * Not available in client credentials grant
1255
- * where no user is involved.
1256
- */
1257
- referenceId?: string;
1258
- /**
1259
- * The refresh token the access token is associated with.
1260
- *
1261
- * Not available without the "offline_access" scope
1262
- */
1263
- refreshId?: string;
1264
- /** The expiration date of the access token. */
1265
- expiresAt: Date;
1266
- /** The creation date of the access token. */
1267
- createdAt: Date;
1268
- /**
1269
- * Scope granted for the access token.
1270
- *
1271
- * Shall match the refreshId.scopes if refreshId is provided.
1272
- */
1273
- scopes: Scopes;
1274
- }
1275
- /**
1276
- * Refresh Token Database Schema
1277
- */
1278
- interface OAuthRefreshToken<Scopes extends readonly Scope[] = InternallySupportedScopes[]> {
1279
- token: string;
1280
- sessionId: string;
1281
- userId: string;
1282
- referenceId?: string;
1283
- clientId?: string;
1284
- expiresAt: Date;
1285
- createdAt: Date;
1286
- /**
1287
- * When token was revoked. If set, token is considered a replay attack.
1288
- */
1289
- revoked?: Date;
1290
- /**
1291
- * The time the user originally authenticated.
1292
- * Persisted so refreshed ID tokens can include a correct `auth_time` claim.
1293
- */
1294
- authTime?: Date;
1295
- /**
1296
- * Scopes granted for this refresh token.
1297
- *
1298
- * Considered Immutable once granted.
1299
- */
1300
- scopes: Scopes;
1301
- }
1302
- /**
1303
- * Consent Database Schema
1304
- */
1305
- type OAuthConsent<Scopes extends readonly Scope[] = InternallySupportedScopes[]> = {
1306
- id: string;
1307
- clientId: string;
1308
- userId: string;
1309
- referenceId?: string;
1310
- scopes: Scopes;
1311
- createdAt: Date;
1312
- updatedAt: Date;
1313
- };
1314
- //#endregion
1315
- //#region src/types/oauth.d.ts
1316
- /**
1317
- * Supported grant types of the token endpoint
1318
- */
1319
- type GrantType = "authorization_code" | "client_credentials" | "refresh_token";
1320
- type AuthMethod = "client_secret_basic" | "client_secret_post" | "private_key_jwt";
1321
- type TokenEndpointAuthMethod = AuthMethod | "none";
1322
- type BearerMethodsSupported = "header" | "body";
1323
- /**
1324
- * Metadata for authentication servers.
1325
- *
1326
- * @see https://datatracker.ietf.org/doc/html/rfc8414#section-2
1327
- */
1328
- interface AuthServerMetadata {
1329
- /**
1330
- * The issuer identifier, this is the URL of the provider and can be used to verify
1331
- * the `iss` claim in the ID token.
1332
- *
1333
- * default: the value set for the issuer in the jwt plugin,
1334
- * otherwise the base URL of the auth server (e.g. `https://example.com`)
1335
- */
1336
- issuer: string;
1337
- /**
1338
- * The URL of the authorization endpoint.
1339
- *
1340
- * @default `/oauth2/authorize`
1341
- */
1342
- authorization_endpoint: string;
1343
- /**
1344
- * The URL of the token endpoint.
1345
- *
1346
- * @default `/oauth2/token`
1347
- */
1348
- token_endpoint: string;
1349
- /**
1350
- * The URL of the jwks_uri endpoint.
1351
- *
1352
- * For JWKS to work, you must install the `jwt` plugin.
1353
- *
1354
- * This value is automatically set to `/jwks` if the `jwt` plugin is installed.
1355
- *
1356
- * @default `/jwks`
1357
- */
1358
- jwks_uri?: string;
1359
- /**
1360
- * The URL of the dynamic client registration endpoint.
1361
- *
1362
- * @default `/oauth2/register`
1363
- */
1364
- registration_endpoint: string;
1365
- /**
1366
- * Supported scopes.
1367
- */
1368
- scopes_supported?: string[];
1369
- /**
1370
- * Supported response types. (for /authorize endpoint)
1371
- */
1372
- response_types_supported: "code"[];
1373
- /**
1374
- * Supported response modes.
1375
- *
1376
- * `query`: the authorization code is returned in the query string
1377
- */
1378
- response_modes_supported: "query"[];
1379
- /**
1380
- * Supported grant types.
1381
- */
1382
- grant_types_supported: GrantType[];
1383
- /**
1384
- * Supported token endpoint authentication methods.
1385
- *
1386
- * @default
1387
- * ["client_secret_basic", "client_secret_post"]
1388
- */
1389
- token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[];
1390
- /**
1391
- * Array containing a list of the JWS signing
1392
- * algorithms ("alg" values) supported by the token endpoint for
1393
- * the signature on the JWT used to authenticate the client at the
1394
- * token endpoint for the "private_key_jwt" and "client_secret_jwt"
1395
- * authentication methods (see field token_endpoint_auth_methods_supported).
1396
- */
1397
- token_endpoint_auth_signing_alg_values_supported?: AssertionSigningAlgorithm[];
1398
- /**
1399
- * URL of a page containing human-readable information
1400
- * that developers might want or need to know when using the
1401
- * authorization server
1402
- */
1403
- service_documentation?: string;
1404
- /**
1405
- * Languages and scripts supported for the user interface,
1406
- * represented as an array of language tag values from BCP 47
1407
- * [RFC5646](https://datatracker.ietf.org/doc/html/rfc5646)
1408
- */
1409
- ui_locales_supported?: string[];
1410
- /**
1411
- * URL that the authorization server provides to the
1412
- * person registering the client to read about the authorization
1413
- * server's requirements on how the client can use the data provided
1414
- * by the authorization server.
1415
- */
1416
- op_policy_uri?: string;
1417
- /**
1418
- * URL that the authorization server provides to the
1419
- * person registering the client to read about the authorization
1420
- * server's terms of service.
1421
- */
1422
- op_tos_uri?: string;
1423
- /**
1424
- * URL of the authorization server's OAuth 2.0 revocation
1425
- * endpoint [RFC7009](https://datatracker.ietf.org/doc/html/rfc7009)
1426
- */
1427
- revocation_endpoint?: string;
1428
- /**
1429
- * Array containing a list of client authentication
1430
- * methods supported by this revocation endpoint
1431
- *
1432
- * @default
1433
- * ["client_secret_basic", "client_secret_post"]
1434
- */
1435
- revocation_endpoint_auth_methods_supported?: AuthMethod[];
1436
- /**
1437
- * Array containing a list of the JWS signing
1438
- * algorithms ("alg" values) supported by the revocation endpoint for
1439
- * the signature on the JWT used to authenticate the client at the
1440
- * token endpoint for the "private_key_jwt" and "client_secret_jwt"
1441
- * authentication methods (see field revocation_endpoint_auth_methods_supported).
1442
- */
1443
- revocation_endpoint_auth_signing_alg_values_supported?: AssertionSigningAlgorithm[];
1444
- /**
1445
- * URL of the authorization server's OAuth 2.0
1446
- * introspection endpoint [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662)
1447
- */
1448
- introspection_endpoint?: string;
1449
- /**
1450
- * Array containing a list of client authentication
1451
- * methods supported by this introspection endpoint
1452
- *
1453
- * @default
1454
- * ["client_secret_basic", "client_secret_post"]
1455
- */
1456
- introspection_endpoint_auth_methods_supported?: AuthMethod[];
1457
- /**
1458
- * Array containing a list of the JWS signing
1459
- * algorithms ("alg" values) supported by the introspection endpoint
1460
- * used to authenticate the client at the token endpoint for
1461
- * the "private_key_jwt" and "client_secret_jwt" authentication methods
1462
- * (see field introspection_endpoint_auth_methods_supported).
1463
- */
1464
- introspection_endpoint_auth_signing_alg_values_supported?: AssertionSigningAlgorithm[];
1465
- /**
1466
- * Supported code challenge methods.
1467
- *
1468
- * @default ["S256"]
1469
- */
1470
- code_challenge_methods_supported: "S256"[];
1471
- /**
1472
- * Boolean value specifying whether the authorization server provides
1473
- * the iss parameter in the authorization response (RFC 9207)
1474
- *
1475
- * @see https://datatracker.ietf.org/doc/html/rfc9207
1476
- * @default true
1477
- */
1478
- authorization_response_iss_parameter_supported?: boolean;
1479
- }
1480
- /**
1481
- * Metadata returned by the openid-configuration endpoint:
1482
- * /.well-known/openid-configuration
1483
- *
1484
- * NOTE: Url structure is different by appending to the end
1485
- * of the url instead of the base.
1486
- *
1487
- * @see https://datatracker.ietf.org/doc/html/rfc8414#section-5
1488
- */
1489
- interface OIDCMetadata extends AuthServerMetadata {
1490
- /**
1491
- * The URL of the userinfo endpoint.
1492
- *
1493
- * @default `/oauth2/userinfo`
1494
- */
1495
- userinfo_endpoint: string;
1496
- /**
1497
- * acr_values supported.
1498
- *
1499
- * - `urn:mace:incommon:iap:silver`: Silver level of assurance
1500
- * - `urn:mace:incommon:iap:bronze`: Bronze level of assurance
1501
- *
1502
- * Determination of acr_value is considered bronze by default.
1503
- * Silver level determination coming soon.
1504
- *
1505
- * @default
1506
- * ["urn:mace:incommon:iap:bronze"]
1507
- * @see https://incommon.org/federation/attributes.html
1508
- */
1509
- acr_values_supported: string[];
1510
- /**
1511
- * Supported subject types.
1512
- *
1513
- * pairwise: the subject identifier is unique to the client
1514
- * public: the subject identifier is unique to the server
1515
- *
1516
- * @see https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
1517
- */
1518
- subject_types_supported: ("public" | "pairwise")[];
1519
- /**
1520
- * Supported ID token signing algorithms.
1521
- *
1522
- * Automatically uses the same algorithm used in the JWK Plugin.
1523
- * Support for symmetric algorithms is strictly prohibited
1524
- * to sharing key vulnerabilities!
1525
- *
1526
- * @default
1527
- * ["EdDSA"]
1528
- */
1529
- id_token_signing_alg_values_supported: JWSAlgorithms[];
1530
- /**
1531
- * Supported claims.
1532
- *
1533
- * @default
1534
- * ["sub", "iss", "aud", "exp", "nbf", "iat", "jti", "email", "email_verified", "name", "family_name", "given_name", "sid", "scope", "azp"]
1535
- */
1536
- claims_supported: string[];
1537
- /**
1538
- * RP-Initiated Logout Endpoint
1539
- *
1540
- * @see https://openid.net/specs/openid-connect-rpinitiated-1_0.html
1541
- */
1542
- end_session_endpoint: string;
1543
- /**
1544
- * Prompt values supported by this OIDC server
1545
- *
1546
- * @see https://openid.net/specs/openid-connect-prompt-create-1_0.html#OpenID.Discovery
1547
- */
1548
- prompt_values_supported: Prompt[];
1549
- }
1550
- /**
1551
- * OAuth 2.0 Dynamic Client Registration Schema
1552
- *
1553
- * Current spec is based on OAuth 2.0, but shall use
1554
- * OAuth 2.1 restrictions.
1555
- *
1556
- * https://datatracker.ietf.org/doc/html/rfc7591#section-2
1557
- */
1558
- interface OAuthClient {
1559
- client_id: string;
1560
- client_secret?: string;
1561
- client_secret_expires_at?: number;
1562
- scope?: string;
1563
- user_id?: string | null;
1564
- client_id_issued_at?: number;
1565
- client_name?: string;
1566
- client_uri?: string;
1567
- logo_uri?: string;
1568
- contacts?: string[];
1569
- tos_uri?: string;
1570
- policy_uri?: string;
1571
- /** JWK Set — accepts either a bare key array or an RFC 7517 JWKS object `{"keys":[...]}` */
1572
- jwks?: Record<string, unknown>[] | {
1573
- keys: Record<string, unknown>[];
1574
- };
1575
- jwks_uri?: string;
1576
- software_id?: string;
1577
- software_version?: string;
1578
- software_statement?: string;
1579
- redirect_uris: string[];
1580
- post_logout_redirect_uris?: string[];
1581
- token_endpoint_auth_method?: "none" | "client_secret_basic" | "client_secret_post" | "private_key_jwt";
1582
- grant_types?: GrantType[];
1583
- response_types?: "code"[];
1584
- public?: boolean;
1585
- type?: "web" | "native" | "user-agent-based";
1586
- disabled?: boolean;
1587
- skip_consent?: boolean;
1588
- enable_end_session?: boolean;
1589
- /**
1590
- * Whether this client requires PKCE for authorization code flow.
1591
- *
1592
- * @default true
1593
- *
1594
- * Note: PKCE is always required for public clients and when
1595
- * requesting offline_access scope, regardless of this setting.
1596
- */
1597
- require_pkce?: boolean;
1598
- /**
1599
- * Subject identifier type for this client.
1600
- *
1601
- * @see https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
1602
- */
1603
- subject_type?: "public" | "pairwise";
1604
- reference_id?: string;
1605
- [key: string]: unknown;
1606
- }
1607
- /**
1608
- * Resource metadata server as defined by RFC 9728
1609
- *
1610
- * @see https://datatracker.ietf.org/doc/html/rfc9728#Terminology
1611
- */
1612
- interface ResourceServerMetadata {
1613
- /**
1614
- * The protected resource's resource identifier,
1615
- * which is a URL that uses the https scheme and
1616
- * has no fragment component. It also SHOULD NOT
1617
- * include a query component, but it may if
1618
- * necessary.
1619
- *
1620
- * This SHOULD match the aud field of your JWT.
1621
- */
1622
- resource: string;
1623
- /**
1624
- * Each server should pertain to one issuer.
1625
- *
1626
- * MCP requires at least one server.
1627
- *
1628
- * @default [`${baseUrl}/.well-known/oauth-authorization-server`]
1629
- */
1630
- authorization_servers?: string[];
1631
- jwks_uri?: string;
1632
- scopes_supported?: string[];
1633
- bearer_methods_supported?: BearerMethodsSupported[];
1634
- resource_signing_alg_values_supported?: JWSAlgorithms[];
1635
- resource_name?: string;
1636
- resource_documentation?: string;
1637
- resource_policy_uri?: string;
1638
- resource_tos_uri?: string;
1639
- tls_client_certificate_bound_access_tokens?: boolean;
1640
- authorization_details_types_supported?: string;
1641
- dpop_signing_alg_values_supported?: JWSAlgorithms[];
1642
- dpop_bound_access_tokens_required?: boolean;
1643
- }
1644
- //#endregion
1645
- export { Awaitable as _, ResourceServerMetadata as a, OAuthConsent as c, OAuthRefreshToken as d, Prompt as f, VerificationValue as g, StoreTokenType as h, OIDCMetadata as i, OAuthOpaqueAccessToken as l, Scope as m, GrantType as n, AuthorizePrompt as o, SchemaClient as p, OAuthClient as r, OAuthAuthorizationQuery as s, AuthServerMetadata as t, OAuthOptions as u };