@better-auth/oauth-provider 1.7.0-beta.0 → 1.7.0-beta.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,11 +1,58 @@
1
- import { c as OAuthConsent, i as OIDCMetadata, m as Scope, r as OAuthClient, t as AuthServerMetadata, u as OAuthOptions } from "./oauth-C8aTlaAC.mjs";
1
+ import { C as OAuthConsent, L as Prompt, M as OAuthResource, O as OAuthOptions, a as GrantType, l as TokenEndpointAuthMethod, n as AuthServerMetadata, o as OAuthClient, u as TokenType, z as Scope } from "./oauth-ScTJEcFV.mjs";
2
2
  import * as better_call0 from "better-call";
3
3
  import * as z from "zod";
4
- import * as better_auth_plugins0 from "better-auth/plugins";
5
4
  import * as jose from "jose";
5
+ import * as better_auth_plugins0 from "better-auth/plugins";
6
+ import { AuthContext, GenericEndpointContext } from "@better-auth/core";
6
7
  import * as better_auth0 from "better-auth";
7
8
 
9
+ //#region src/oauth-endpoint.d.ts
10
+ /**
11
+ * Canonical OAuth 2.0 / OpenID Connect error codes. The union is the single
12
+ * vocabulary for every error-emitting surface in this plugin: token, authorize,
13
+ * revoke, introspect, register, userinfo, logout, consent, and the redirect
14
+ * error channel. Entries are grouped by source RFC so the declaration doubles
15
+ * as a specification map.
16
+ *
17
+ * The trailing `(string & {})` keeps the type open for product-specific codes
18
+ * (e.g. `"invalid_verification"`, `"invalid_user"`) while preserving editor
19
+ * autocomplete for the listed standard codes. Prefer a standard code whenever
20
+ * one applies; fall back to a custom string only for states no RFC covers.
21
+ */
22
+ type OAuthErrorCode = "invalid_request" | "invalid_client" | "invalid_grant" | "unauthorized_client" | "unsupported_grant_type" | "unsupported_response_type" | "invalid_scope" | "access_denied" | "server_error" | "temporarily_unavailable" | "invalid_token" | "unsupported_token_type" | "invalid_redirect_uri" | "invalid_client_metadata" | "invalid_software_statement" | "unapproved_software_statement" | "invalid_target" | "invalid_request_object" | "login_required" | "consent_required" | "interaction_required" | "account_selection_required" | "invalid_request_uri" | "request_not_supported" | "request_uri_not_supported" | "registration_not_supported" | (string & {});
23
+ type OAuthFieldErrorCodeMap = {
24
+ missing?: OAuthErrorCode;
25
+ invalid?: OAuthErrorCode;
26
+ };
27
+ type OAuthFieldErrorCode = OAuthErrorCode | OAuthFieldErrorCodeMap;
28
+ interface OAuthEndpointErrorResult {
29
+ error: OAuthErrorCode;
30
+ error_description: string;
31
+ }
32
+ interface OAuthEndpointRedirectContext<Ctx = unknown> {
33
+ error: OAuthErrorCode;
34
+ error_description: string;
35
+ ctx: Ctx;
36
+ }
37
+ type OAuthRedirectOnError<Ctx = unknown, Result = unknown> = (result: OAuthEndpointRedirectContext<Ctx>) => Result | Promise<Result>;
38
+ //#endregion
39
+ //#region src/authorize.d.ts
40
+ type OAuthRedirectResult = {
41
+ redirect: true;
42
+ url: string;
43
+ };
44
+ /**
45
+ * Gets the issuer identifier
46
+ */
47
+ declare function getIssuer(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]>): string;
48
+ //#endregion
8
49
  //#region src/oauth.d.ts
50
+ /**
51
+ * Default scopes advertised and accepted when a configuration sets none. Shared
52
+ * with the MCP preset so the resource metadata it serves matches what the
53
+ * authorization-server metadata advertises.
54
+ */
55
+ declare const DEFAULT_OAUTH_SCOPES: readonly ["openid", "profile", "email", "offline_access"];
9
56
  declare module "@better-auth/core" {
10
57
  interface BetterAuthPluginRegistry<AuthOptions, Options> {
11
58
  "oauth-provider": {
@@ -15,6 +62,8 @@ declare module "@better-auth/core" {
15
62
  }
16
63
  declare const getOAuthProviderState: () => Promise<{
17
64
  query?: string;
65
+ signedQueryIssuedAt?: Date;
66
+ postLoginClearedForSession?: string;
18
67
  } | null>;
19
68
  /**
20
69
  * oAuth 2.1 provider plugin for Better Auth.
@@ -27,7 +76,31 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
27
76
  id: "oauth-provider";
28
77
  version: string;
29
78
  options: NoInfer<O>;
30
- init: (ctx: better_auth0.AuthContext) => void;
79
+ onRequest: (request: Request, ctx: better_auth0.AuthContext) => Promise<{
80
+ response: Response;
81
+ } | {
82
+ request: Request;
83
+ } | void>;
84
+ init: (ctx: better_auth0.AuthContext) => Promise<{
85
+ options: {
86
+ databaseHooks: {
87
+ session: {
88
+ delete: {
89
+ before(session: {
90
+ id: string;
91
+ createdAt: Date;
92
+ updatedAt: Date;
93
+ userId: string;
94
+ expiresAt: Date;
95
+ token: string;
96
+ ipAddress?: string | null | undefined;
97
+ userAgent?: string | null | undefined;
98
+ } & Record<string, unknown>, hookCtx: GenericEndpointContext | null): Promise<void>;
99
+ };
100
+ };
101
+ };
102
+ };
103
+ }>;
31
104
  hooks: {
32
105
  before: {
33
106
  matcher(ctx: better_auth0.HookEndpointContext): any;
@@ -35,10 +108,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
35
108
  }[];
36
109
  after: {
37
110
  matcher(ctx: better_auth0.HookEndpointContext): boolean;
38
- handler: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
39
- redirect: boolean;
40
- url: string;
41
- } | undefined>;
111
+ handler: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<OAuthRedirectResult | undefined>;
42
112
  }[];
43
113
  };
44
114
  endpoints: {
@@ -67,36 +137,51 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
67
137
  metadata: {
68
138
  SERVER_ONLY: true;
69
139
  };
70
- }, Omit<OIDCMetadata, "id_token_signing_alg_values_supported"> & {
140
+ }, {
141
+ jwks_uri?: string | undefined;
142
+ userinfo_endpoint: string;
143
+ acr_values_supported?: string[] | undefined;
144
+ subject_types_supported: ("public" | "pairwise")[];
145
+ claims_supported: string[];
146
+ claims_parameter_supported?: boolean | undefined;
147
+ end_session_endpoint: string;
148
+ request_parameter_supported?: boolean | undefined;
149
+ request_uri_parameter_supported?: boolean | undefined;
150
+ prompt_values_supported: Prompt[];
151
+ issuer: string;
152
+ authorization_endpoint: string;
153
+ token_endpoint: string;
154
+ registration_endpoint?: string | undefined;
155
+ scopes_supported?: string[] | undefined;
156
+ response_types_supported: "code"[];
157
+ response_modes_supported: "query"[];
158
+ grant_types_supported: GrantType[];
159
+ token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
160
+ token_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
161
+ service_documentation?: string | undefined;
162
+ ui_locales_supported?: string[] | undefined;
163
+ op_policy_uri?: string | undefined;
164
+ op_tos_uri?: string | undefined;
165
+ revocation_endpoint?: string | undefined;
166
+ revocation_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
167
+ revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
168
+ introspection_endpoint?: string | undefined;
169
+ introspection_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
170
+ introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
171
+ code_challenge_methods_supported: "S256"[];
172
+ authorization_response_iss_parameter_supported?: boolean | undefined;
173
+ client_id_metadata_document_supported?: boolean | undefined;
174
+ backchannel_logout_supported?: boolean | undefined;
175
+ backchannel_logout_session_supported?: boolean | undefined;
176
+ dpop_signing_alg_values_supported?: better_auth_plugins0.JWSAlgorithms[] | undefined;
71
177
  id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
72
178
  }>;
73
179
  oauth2Authorize: better_call0.StrictEndpoint<"/oauth2/authorize", {
74
- method: "GET";
75
- query: z.ZodObject<{
76
- response_type: z.ZodOptional<z.ZodEnum<{
77
- code: "code";
78
- }>>;
79
- client_id: z.ZodString;
80
- redirect_uri: z.ZodOptional<z.ZodURL>;
81
- scope: z.ZodOptional<z.ZodString>;
82
- state: z.ZodOptional<z.ZodString>;
83
- request_uri: z.ZodOptional<z.ZodString>;
84
- code_challenge: z.ZodOptional<z.ZodString>;
85
- code_challenge_method: z.ZodOptional<z.ZodEnum<{
86
- S256: "S256";
87
- }>>;
88
- nonce: z.ZodOptional<z.ZodString>;
89
- prompt: z.ZodOptional<z.ZodEnum<{
90
- none: "none";
91
- consent: "consent";
92
- login: "login";
93
- create: "create";
94
- select_account: "select_account";
95
- "login consent": "login consent";
96
- "select_account consent": "select_account consent";
97
- }>>;
98
- }, z.core.$strip>;
180
+ method: ("GET" | "POST")[];
181
+ body: z.ZodObject<{}, z.core.$loose>;
182
+ redirectOnError: OAuthRedirectOnError<GenericEndpointContext, OAuthRedirectResult>;
99
183
  metadata: {
184
+ allowedMediaTypes: string[];
100
185
  openapi: {
101
186
  description: string;
102
187
  parameters: ({
@@ -106,6 +191,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
106
191
  schema: {
107
192
  type: "string";
108
193
  format?: undefined;
194
+ minimum?: undefined;
195
+ items?: undefined;
109
196
  };
110
197
  description: string;
111
198
  } | {
@@ -115,6 +202,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
115
202
  schema: {
116
203
  type: "string";
117
204
  format?: undefined;
205
+ minimum?: undefined;
206
+ items?: undefined;
118
207
  };
119
208
  description: string;
120
209
  } | {
@@ -124,6 +213,32 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
124
213
  schema: {
125
214
  type: "string";
126
215
  format: string;
216
+ minimum?: undefined;
217
+ items?: undefined;
218
+ };
219
+ description: string;
220
+ } | {
221
+ name: string;
222
+ in: "query";
223
+ required: false;
224
+ schema: {
225
+ type: "integer";
226
+ minimum: number;
227
+ format?: undefined;
228
+ items?: undefined;
229
+ };
230
+ description: string;
231
+ } | {
232
+ name: string;
233
+ in: "query";
234
+ required: false;
235
+ schema: {
236
+ type: "array";
237
+ items: {
238
+ type: "string";
239
+ };
240
+ format?: undefined;
241
+ minimum?: undefined;
127
242
  };
128
243
  description: string;
129
244
  })[];
@@ -165,15 +280,13 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
165
280
  };
166
281
  };
167
282
  };
168
- }, {
169
- redirect: boolean;
170
- url: string;
171
- }>;
283
+ }, OAuthRedirectResult>;
172
284
  oauth2Consent: better_call0.StrictEndpoint<"/oauth2/consent", {
173
285
  method: "POST";
174
286
  body: z.ZodObject<{
175
287
  accept: z.ZodBoolean;
176
288
  scope: z.ZodOptional<z.ZodString>;
289
+ claims: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodRecord<z.ZodString, z.ZodUnknown>]>>;
177
290
  oauth_query: z.ZodOptional<z.ZodString>;
178
291
  }, z.core.$strip>;
179
292
  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
@@ -224,7 +337,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
224
337
  };
225
338
  };
226
339
  };
227
- }, {
340
+ }, OAuthRedirectResult | {
228
341
  redirect: boolean;
229
342
  url: string;
230
343
  }>;
@@ -284,18 +397,12 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
284
397
  };
285
398
  };
286
399
  };
287
- }, {
288
- redirect: boolean;
289
- url: string;
290
- }>;
400
+ }, OAuthRedirectResult>;
291
401
  oauth2Token: better_call0.StrictEndpoint<"/oauth2/token", {
292
402
  method: "POST";
403
+ cloneRequest: true;
293
404
  body: z.ZodObject<{
294
- grant_type: z.ZodEnum<{
295
- authorization_code: "authorization_code";
296
- client_credentials: "client_credentials";
297
- refresh_token: "refresh_token";
298
- }>;
405
+ grant_type: z.ZodString;
299
406
  client_id: z.ZodOptional<z.ZodString>;
300
407
  client_secret: z.ZodOptional<z.ZodString>;
301
408
  client_assertion: z.ZodOptional<z.ZodString>;
@@ -304,13 +411,32 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
304
411
  code_verifier: z.ZodOptional<z.ZodString>;
305
412
  redirect_uri: z.ZodOptional<z.ZodURL>;
306
413
  refresh_token: z.ZodOptional<z.ZodString>;
307
- resource: z.ZodOptional<z.ZodString>;
414
+ resource: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
308
415
  scope: z.ZodOptional<z.ZodString>;
309
- }, z.core.$strip>;
416
+ }, z.core.$loose>;
417
+ errorCodesByField: {
418
+ grant_type: {
419
+ missing: "invalid_request";
420
+ invalid: "unsupported_grant_type";
421
+ };
422
+ resource: {
423
+ invalid: "invalid_target";
424
+ };
425
+ };
310
426
  metadata: {
427
+ noStore: boolean;
311
428
  allowedMediaTypes: string[];
312
429
  openapi: {
313
430
  description: string;
431
+ parameters: {
432
+ name: string;
433
+ in: "header";
434
+ required: false;
435
+ schema: {
436
+ type: "string";
437
+ };
438
+ description: string;
439
+ }[];
314
440
  requestBody: {
315
441
  required: boolean;
316
442
  content: {
@@ -320,7 +446,6 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
320
446
  properties: {
321
447
  grant_type: {
322
448
  type: string;
323
- enum: string[];
324
449
  description: string;
325
450
  };
326
451
  client_id: {
@@ -349,7 +474,17 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
349
474
  description: string;
350
475
  };
351
476
  resource: {
352
- type: string;
477
+ oneOf: ({
478
+ type: string;
479
+ description: string;
480
+ items?: undefined;
481
+ } | {
482
+ type: string;
483
+ items: {
484
+ type: string;
485
+ };
486
+ description: string;
487
+ })[];
353
488
  description: string;
354
489
  };
355
490
  scope: {
@@ -427,11 +562,13 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
427
562
  };
428
563
  };
429
564
  }, {
430
- access_token: string;
431
565
  expires_in: number;
566
+ access_token: string;
432
567
  expires_at: number;
433
- token_type: string;
568
+ token_type: TokenType;
569
+ refresh_token: string | undefined;
434
570
  scope: string;
571
+ id_token: string | undefined;
435
572
  }>;
436
573
  oauth2Introspect: better_call0.StrictEndpoint<"/oauth2/introspect", {
437
574
  method: "POST";
@@ -441,12 +578,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
441
578
  client_assertion: z.ZodOptional<z.ZodString>;
442
579
  client_assertion_type: z.ZodOptional<z.ZodString>;
443
580
  token: z.ZodString;
444
- token_type_hint: z.ZodOptional<z.ZodEnum<{
445
- refresh_token: "refresh_token";
446
- access_token: "access_token";
447
- }>>;
581
+ token_type_hint: z.ZodOptional<z.ZodString>;
448
582
  }, z.core.$strip>;
449
583
  metadata: {
584
+ noStore: boolean;
450
585
  allowedMediaTypes: string[];
451
586
  openapi: {
452
587
  description: string;
@@ -470,11 +605,6 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
470
605
  description: string;
471
606
  };
472
607
  token_type_hint: {
473
- type: string;
474
- enum: string[];
475
- description: string;
476
- };
477
- resource: {
478
608
  type: string;
479
609
  description: string;
480
610
  };
@@ -580,10 +710,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
580
710
  client_assertion: z.ZodOptional<z.ZodString>;
581
711
  client_assertion_type: z.ZodOptional<z.ZodString>;
582
712
  token: z.ZodString;
583
- token_type_hint: z.ZodOptional<z.ZodEnum<{
584
- refresh_token: "refresh_token";
585
- access_token: "access_token";
586
- }>>;
713
+ token_type_hint: z.ZodOptional<z.ZodString>;
587
714
  }, z.core.$strip>;
588
715
  metadata: {
589
716
  allowedMediaTypes: string[];
@@ -610,7 +737,6 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
610
737
  };
611
738
  token_type_hint: {
612
739
  type: string;
613
- enum: string[];
614
740
  description: string;
615
741
  };
616
742
  };
@@ -658,8 +784,13 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
658
784
  };
659
785
  }, null | undefined>;
660
786
  oauth2UserInfo: better_call0.StrictEndpoint<"/oauth2/userinfo", {
661
- method: "GET";
787
+ method: ("GET" | "POST")[];
788
+ body: z.ZodOptional<z.ZodObject<{
789
+ access_token: z.ZodOptional<z.ZodString>;
790
+ }, z.core.$loose>>;
662
791
  metadata: {
792
+ noStore: boolean;
793
+ allowedMediaTypes: string[];
663
794
  openapi: {
664
795
  description: string;
665
796
  security: ({
@@ -770,13 +901,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
770
901
  };
771
902
  };
772
903
  }, {
773
- email?: string | undefined;
774
- email_verified?: boolean | undefined;
775
- name?: string | undefined;
776
- picture?: string | undefined;
777
- given_name?: string | undefined;
778
- family_name?: string | undefined;
779
- sub: string;
904
+ sub: unknown;
780
905
  }>;
781
906
  oauth2EndSession: better_call0.StrictEndpoint<"/oauth2/end-session", {
782
907
  method: "GET";
@@ -814,14 +939,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
814
939
  };
815
940
  };
816
941
  };
817
- }, {
818
- redirect: boolean;
819
- url: string;
820
- } | undefined>;
942
+ }, OAuthRedirectResult | undefined>;
821
943
  registerOAuthClient: better_call0.StrictEndpoint<"/oauth2/register", {
822
944
  method: "POST";
823
945
  body: z.ZodObject<{
824
- redirect_uris: z.ZodArray<z.ZodURL>;
946
+ redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
825
947
  scope: z.ZodOptional<z.ZodString>;
826
948
  client_name: z.ZodOptional<z.ZodString>;
827
949
  client_uri: z.ZodOptional<z.ZodString>;
@@ -833,24 +955,17 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
833
955
  software_version: z.ZodOptional<z.ZodString>;
834
956
  software_statement: z.ZodOptional<z.ZodString>;
835
957
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
836
- token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
837
- none: "none";
838
- client_secret_basic: "client_secret_basic";
839
- client_secret_post: "client_secret_post";
840
- private_key_jwt: "private_key_jwt";
841
- }>>>;
958
+ backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
959
+ backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
960
+ token_endpoint_auth_method: z.ZodOptional<z.ZodString>;
842
961
  jwks: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>, z.ZodObject<{
843
962
  keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
844
963
  }, z.core.$strip>]>>;
845
964
  jwks_uri: z.ZodOptional<z.ZodString>;
846
- grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
847
- authorization_code: "authorization_code";
848
- client_credentials: "client_credentials";
849
- refresh_token: "refresh_token";
850
- }>>>>;
851
- response_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
965
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
966
+ response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
852
967
  code: "code";
853
- }>>>>;
968
+ }>>>;
854
969
  type: z.ZodOptional<z.ZodEnum<{
855
970
  web: "web";
856
971
  native: "native";
@@ -860,13 +975,23 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
860
975
  public: "public";
861
976
  pairwise: "pairwise";
862
977
  }>>;
978
+ dpop_bound_access_tokens: z.ZodOptional<z.ZodBoolean>;
979
+ resources: z.ZodOptional<z.ZodArray<z.ZodString>>;
863
980
  skip_consent: z.ZodOptional<z.ZodNever>;
864
981
  }, z.core.$strip>;
982
+ errorCodesByField: {
983
+ redirect_uris: "invalid_redirect_uri";
984
+ post_logout_redirect_uris: "invalid_redirect_uri";
985
+ software_statement: "invalid_software_statement";
986
+ resources: "invalid_target";
987
+ };
988
+ defaultError: "invalid_client_metadata";
865
989
  metadata: {
990
+ noStore: boolean;
866
991
  openapi: {
867
992
  description: string;
868
993
  responses: {
869
- "200": {
994
+ "201": {
870
995
  description: string;
871
996
  content: {
872
997
  "application/json": {
@@ -952,16 +1077,23 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
952
1077
  };
953
1078
  description: string;
954
1079
  };
1080
+ backchannel_logout_uri: {
1081
+ type: string;
1082
+ format: string;
1083
+ description: string;
1084
+ };
1085
+ backchannel_logout_session_required: {
1086
+ type: string;
1087
+ description: string;
1088
+ };
955
1089
  token_endpoint_auth_method: {
956
1090
  type: string;
957
1091
  description: string;
958
- enum: string[];
959
1092
  };
960
1093
  grant_types: {
961
1094
  type: string;
962
1095
  items: {
963
1096
  type: string;
964
- enum: string[];
965
1097
  };
966
1098
  description: string;
967
1099
  };
@@ -999,7 +1131,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
999
1131
  adminCreateOAuthClient: better_call0.StrictEndpoint<"/admin/oauth2/create-client", {
1000
1132
  method: "POST";
1001
1133
  body: z.ZodObject<{
1002
- redirect_uris: z.ZodArray<z.ZodURL>;
1134
+ redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1003
1135
  scope: z.ZodOptional<z.ZodString>;
1004
1136
  client_name: z.ZodOptional<z.ZodString>;
1005
1137
  client_uri: z.ZodOptional<z.ZodString>;
@@ -1011,24 +1143,17 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1011
1143
  software_version: z.ZodOptional<z.ZodString>;
1012
1144
  software_statement: z.ZodOptional<z.ZodString>;
1013
1145
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1014
- token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
1015
- none: "none";
1016
- client_secret_basic: "client_secret_basic";
1017
- client_secret_post: "client_secret_post";
1018
- private_key_jwt: "private_key_jwt";
1019
- }>>>;
1146
+ backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
1147
+ backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
1148
+ token_endpoint_auth_method: z.ZodOptional<z.ZodString>;
1020
1149
  jwks: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>, z.ZodObject<{
1021
1150
  keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
1022
1151
  }, z.core.$strip>]>>;
1023
1152
  jwks_uri: z.ZodOptional<z.ZodString>;
1024
- grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
1025
- authorization_code: "authorization_code";
1026
- client_credentials: "client_credentials";
1027
- refresh_token: "refresh_token";
1028
- }>>>>;
1029
- response_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
1153
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
1154
+ response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1030
1155
  code: "code";
1031
- }>>>>;
1156
+ }>>>;
1032
1157
  type: z.ZodOptional<z.ZodEnum<{
1033
1158
  web: "web";
1034
1159
  native: "native";
@@ -1038,6 +1163,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1038
1163
  skip_consent: z.ZodOptional<z.ZodBoolean>;
1039
1164
  enable_end_session: z.ZodOptional<z.ZodBoolean>;
1040
1165
  require_pkce: z.ZodOptional<z.ZodBoolean>;
1166
+ dpop_bound_access_tokens: z.ZodOptional<z.ZodBoolean>;
1041
1167
  subject_type: z.ZodOptional<z.ZodEnum<{
1042
1168
  public: "public";
1043
1169
  pairwise: "pairwise";
@@ -1045,11 +1171,12 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1045
1171
  metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
1046
1172
  }, z.core.$strip>;
1047
1173
  metadata: {
1174
+ noStore: boolean;
1048
1175
  SERVER_ONLY: true;
1049
1176
  openapi: {
1050
1177
  description: string;
1051
1178
  responses: {
1052
- "200": {
1179
+ "201": {
1053
1180
  description: string;
1054
1181
  content: {
1055
1182
  "application/json": {
@@ -1130,13 +1257,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1130
1257
  token_endpoint_auth_method: {
1131
1258
  type: string;
1132
1259
  description: string;
1133
- enum: string[];
1134
1260
  };
1135
1261
  grant_types: {
1136
1262
  type: string;
1137
1263
  items: {
1138
1264
  type: string;
1139
- enum: string[];
1140
1265
  };
1141
1266
  description: string;
1142
1267
  };
@@ -1208,7 +1333,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1208
1333
  };
1209
1334
  }>)[];
1210
1335
  body: z.ZodObject<{
1211
- redirect_uris: z.ZodArray<z.ZodURL>;
1336
+ redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1212
1337
  scope: z.ZodOptional<z.ZodString>;
1213
1338
  client_name: z.ZodOptional<z.ZodString>;
1214
1339
  client_uri: z.ZodOptional<z.ZodString>;
@@ -1220,35 +1345,30 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1220
1345
  software_version: z.ZodOptional<z.ZodString>;
1221
1346
  software_statement: z.ZodOptional<z.ZodString>;
1222
1347
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1223
- token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
1224
- none: "none";
1225
- client_secret_basic: "client_secret_basic";
1226
- client_secret_post: "client_secret_post";
1227
- private_key_jwt: "private_key_jwt";
1228
- }>>>;
1348
+ backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
1349
+ backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
1350
+ token_endpoint_auth_method: z.ZodOptional<z.ZodString>;
1229
1351
  jwks: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>, z.ZodObject<{
1230
1352
  keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
1231
1353
  }, z.core.$strip>]>>;
1232
1354
  jwks_uri: z.ZodOptional<z.ZodString>;
1233
- grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
1234
- authorization_code: "authorization_code";
1235
- client_credentials: "client_credentials";
1236
- refresh_token: "refresh_token";
1237
- }>>>>;
1238
- response_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
1355
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
1356
+ response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1239
1357
  code: "code";
1240
- }>>>>;
1358
+ }>>>;
1241
1359
  type: z.ZodOptional<z.ZodEnum<{
1242
1360
  web: "web";
1243
1361
  native: "native";
1244
1362
  "user-agent-based": "user-agent-based";
1245
1363
  }>>;
1364
+ dpop_bound_access_tokens: z.ZodOptional<z.ZodBoolean>;
1246
1365
  }, z.core.$strip>;
1247
1366
  metadata: {
1367
+ noStore: boolean;
1248
1368
  openapi: {
1249
1369
  description: string;
1250
1370
  responses: {
1251
- "200": {
1371
+ "201": {
1252
1372
  description: string;
1253
1373
  content: {
1254
1374
  "application/json": {
@@ -1329,13 +1449,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1329
1449
  token_endpoint_auth_method: {
1330
1450
  type: string;
1331
1451
  description: string;
1332
- enum: string[];
1333
1452
  };
1334
1453
  grant_types: {
1335
1454
  type: string;
1336
1455
  items: {
1337
1456
  type: string;
1338
- enum: string[];
1339
1457
  };
1340
1458
  description: string;
1341
1459
  };
@@ -1505,11 +1623,9 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1505
1623
  software_version: z.ZodOptional<z.ZodString>;
1506
1624
  software_statement: z.ZodOptional<z.ZodString>;
1507
1625
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1508
- grant_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1509
- authorization_code: "authorization_code";
1510
- client_credentials: "client_credentials";
1511
- refresh_token: "refresh_token";
1512
- }>>>;
1626
+ backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
1627
+ backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
1628
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
1513
1629
  response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1514
1630
  code: "code";
1515
1631
  }>>>;
@@ -1521,6 +1637,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1521
1637
  client_secret_expires_at: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>>;
1522
1638
  skip_consent: z.ZodOptional<z.ZodBoolean>;
1523
1639
  enable_end_session: z.ZodOptional<z.ZodBoolean>;
1640
+ dpop_bound_access_tokens: z.ZodOptional<z.ZodBoolean>;
1524
1641
  metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
1525
1642
  }, z.core.$strip>;
1526
1643
  }, z.core.$strip>;
@@ -1571,11 +1688,9 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1571
1688
  software_version: z.ZodOptional<z.ZodString>;
1572
1689
  software_statement: z.ZodOptional<z.ZodString>;
1573
1690
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1574
- grant_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1575
- authorization_code: "authorization_code";
1576
- client_credentials: "client_credentials";
1577
- refresh_token: "refresh_token";
1578
- }>>>;
1691
+ backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
1692
+ backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
1693
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
1579
1694
  response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1580
1695
  code: "code";
1581
1696
  }>>>;
@@ -1621,6 +1736,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1621
1736
  client_id: z.ZodString;
1622
1737
  }, z.core.$strip>;
1623
1738
  metadata: {
1739
+ noStore: boolean;
1624
1740
  openapi: {
1625
1741
  description: string;
1626
1742
  };
@@ -1796,6 +1912,92 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1796
1912
  };
1797
1913
  };
1798
1914
  }, void>;
1915
+ adminCreateOAuthResource: better_call0.StrictEndpoint<"/admin/oauth2/resources", {
1916
+ method: "POST";
1917
+ body: z.ZodObject<{
1918
+ identifier: z.ZodNonOptional<z.ZodOptional<z.ZodString>>;
1919
+ name: z.ZodOptional<z.ZodString>;
1920
+ accessTokenTtl: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
1921
+ refreshTokenTtl: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
1922
+ signingAlgorithm: z.ZodOptional<z.ZodNullable<z.ZodEnum<{
1923
+ RS256: "RS256";
1924
+ PS256: "PS256";
1925
+ ES256: "ES256";
1926
+ ES512: "ES512";
1927
+ EdDSA: "EdDSA";
1928
+ }>>>;
1929
+ signingKeyId: z.ZodOptional<z.ZodNullable<z.ZodString>>;
1930
+ allowedScopes: z.ZodOptional<z.ZodNullable<z.ZodArray<z.ZodString>>>;
1931
+ customClaims: z.ZodOptional<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
1932
+ dpopBoundAccessTokensRequired: z.ZodOptional<z.ZodBoolean>;
1933
+ disabled: z.ZodOptional<z.ZodBoolean>;
1934
+ metadata: z.ZodOptional<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
1935
+ }, z.core.$strip>;
1936
+ metadata: {
1937
+ SERVER_ONLY: true;
1938
+ };
1939
+ }, OAuthResource>;
1940
+ adminListOAuthResources: better_call0.StrictEndpoint<"/admin/oauth2/resources", {
1941
+ method: "GET";
1942
+ metadata: {
1943
+ SERVER_ONLY: true;
1944
+ };
1945
+ }, OAuthResource[]>;
1946
+ adminGetOAuthResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier", {
1947
+ method: "GET";
1948
+ metadata: {
1949
+ SERVER_ONLY: true;
1950
+ };
1951
+ }, OAuthResource>;
1952
+ adminUpdateOAuthResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier", {
1953
+ method: "PATCH";
1954
+ body: z.ZodObject<{
1955
+ identifier: z.ZodOptional<z.ZodString>;
1956
+ name: z.ZodOptional<z.ZodString>;
1957
+ accessTokenTtl: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
1958
+ refreshTokenTtl: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
1959
+ signingAlgorithm: z.ZodOptional<z.ZodNullable<z.ZodEnum<{
1960
+ RS256: "RS256";
1961
+ PS256: "PS256";
1962
+ ES256: "ES256";
1963
+ ES512: "ES512";
1964
+ EdDSA: "EdDSA";
1965
+ }>>>;
1966
+ signingKeyId: z.ZodOptional<z.ZodNullable<z.ZodString>>;
1967
+ allowedScopes: z.ZodOptional<z.ZodNullable<z.ZodArray<z.ZodString>>>;
1968
+ customClaims: z.ZodOptional<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
1969
+ dpopBoundAccessTokensRequired: z.ZodOptional<z.ZodBoolean>;
1970
+ disabled: z.ZodOptional<z.ZodBoolean>;
1971
+ metadata: z.ZodOptional<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
1972
+ }, z.core.$strip>;
1973
+ metadata: {
1974
+ SERVER_ONLY: true;
1975
+ };
1976
+ }, OAuthResource>;
1977
+ adminDeleteOAuthResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier", {
1978
+ method: "DELETE";
1979
+ metadata: {
1980
+ SERVER_ONLY: true;
1981
+ };
1982
+ }, {
1983
+ deleted: boolean;
1984
+ }>;
1985
+ adminLinkClientResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier/clients/:client_id", {
1986
+ method: "POST";
1987
+ metadata: {
1988
+ SERVER_ONLY: true;
1989
+ };
1990
+ }, {
1991
+ linked: boolean;
1992
+ }>;
1993
+ adminUnlinkClientResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier/clients/:client_id", {
1994
+ method: "DELETE";
1995
+ metadata: {
1996
+ SERVER_ONLY: true;
1997
+ };
1998
+ }, {
1999
+ unlinked: boolean;
2000
+ }>;
1799
2001
  };
1800
2002
  schema: {
1801
2003
  oauthClient: {
@@ -1838,6 +2040,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1838
2040
  model: string;
1839
2041
  field: string;
1840
2042
  };
2043
+ index: true;
1841
2044
  };
1842
2045
  createdAt: {
1843
2046
  type: "date";
@@ -1891,6 +2094,14 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1891
2094
  type: "string[]";
1892
2095
  required: false;
1893
2096
  };
2097
+ backchannelLogoutUri: {
2098
+ type: "string";
2099
+ required: false;
2100
+ };
2101
+ backchannelLogoutSessionRequired: {
2102
+ type: "boolean";
2103
+ required: false;
2104
+ };
1894
2105
  tokenEndpointAuthMethod: {
1895
2106
  type: "string";
1896
2107
  required: false;
@@ -1923,6 +2134,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1923
2134
  type: "boolean";
1924
2135
  required: false;
1925
2136
  };
2137
+ dpopBoundAccessTokens: {
2138
+ type: "boolean";
2139
+ required: false;
2140
+ defaultValue: false;
2141
+ };
1926
2142
  referenceId: {
1927
2143
  type: "string";
1928
2144
  required: false;
@@ -1933,11 +2149,110 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1933
2149
  };
1934
2150
  };
1935
2151
  };
2152
+ oauthResource: {
2153
+ modelName: string;
2154
+ fields: {
2155
+ identifier: {
2156
+ type: "string";
2157
+ required: true;
2158
+ unique: true;
2159
+ };
2160
+ name: {
2161
+ type: "string";
2162
+ required: true;
2163
+ };
2164
+ accessTokenTtl: {
2165
+ type: "number";
2166
+ required: false;
2167
+ };
2168
+ refreshTokenTtl: {
2169
+ type: "number";
2170
+ required: false;
2171
+ };
2172
+ signingAlgorithm: {
2173
+ type: "string";
2174
+ required: false;
2175
+ };
2176
+ signingKeyId: {
2177
+ type: "string";
2178
+ required: false;
2179
+ };
2180
+ allowedScopes: {
2181
+ type: "string[]";
2182
+ required: false;
2183
+ };
2184
+ customClaims: {
2185
+ type: "json";
2186
+ required: false;
2187
+ };
2188
+ dpopBoundAccessTokensRequired: {
2189
+ type: "boolean";
2190
+ required: false;
2191
+ defaultValue: false;
2192
+ };
2193
+ disabled: {
2194
+ type: "boolean";
2195
+ required: false;
2196
+ defaultValue: false;
2197
+ };
2198
+ createdAt: {
2199
+ type: "date";
2200
+ required: false;
2201
+ };
2202
+ updatedAt: {
2203
+ type: "date";
2204
+ required: false;
2205
+ };
2206
+ policyVersion: {
2207
+ type: "number";
2208
+ required: false;
2209
+ defaultValue: number;
2210
+ };
2211
+ metadata: {
2212
+ type: "json";
2213
+ required: false;
2214
+ };
2215
+ };
2216
+ };
2217
+ oauthClientResource: {
2218
+ modelName: string;
2219
+ fields: {
2220
+ clientId: {
2221
+ type: "string";
2222
+ required: true;
2223
+ references: {
2224
+ model: string;
2225
+ field: string;
2226
+ onDelete: "cascade";
2227
+ };
2228
+ index: true;
2229
+ };
2230
+ resourceId: {
2231
+ type: "string";
2232
+ required: true;
2233
+ references: {
2234
+ model: string;
2235
+ field: string;
2236
+ onDelete: "cascade";
2237
+ };
2238
+ index: true;
2239
+ };
2240
+ metadata: {
2241
+ type: "json";
2242
+ required: false;
2243
+ };
2244
+ createdAt: {
2245
+ type: "date";
2246
+ required: false;
2247
+ };
2248
+ };
2249
+ };
1936
2250
  oauthRefreshToken: {
1937
2251
  fields: {
1938
2252
  token: {
1939
2253
  type: "string";
1940
2254
  required: true;
2255
+ unique: true;
1941
2256
  };
1942
2257
  clientId: {
1943
2258
  type: "string";
@@ -1946,6 +2261,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1946
2261
  model: string;
1947
2262
  field: string;
1948
2263
  };
2264
+ index: true;
1949
2265
  };
1950
2266
  sessionId: {
1951
2267
  type: "string";
@@ -1955,6 +2271,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1955
2271
  field: string;
1956
2272
  onDelete: "set null";
1957
2273
  };
2274
+ index: true;
1958
2275
  };
1959
2276
  userId: {
1960
2277
  type: "string";
@@ -1963,11 +2280,25 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1963
2280
  model: string;
1964
2281
  field: string;
1965
2282
  };
2283
+ index: true;
1966
2284
  };
1967
2285
  referenceId: {
1968
2286
  type: "string";
1969
2287
  required: false;
1970
2288
  };
2289
+ authorizationCodeId: {
2290
+ type: "string";
2291
+ required: false;
2292
+ index: true;
2293
+ };
2294
+ resources: {
2295
+ type: "string[]";
2296
+ required: false;
2297
+ };
2298
+ requestedUserInfoClaims: {
2299
+ type: "string[]";
2300
+ required: false;
2301
+ };
1971
2302
  expiresAt: {
1972
2303
  type: "date";
1973
2304
  };
@@ -1978,10 +2309,26 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1978
2309
  type: "date";
1979
2310
  required: false;
1980
2311
  };
2312
+ rotatedAt: {
2313
+ type: "date";
2314
+ required: false;
2315
+ };
2316
+ rotationReplayResponse: {
2317
+ type: "string";
2318
+ required: false;
2319
+ };
2320
+ rotationReplayExpiresAt: {
2321
+ type: "date";
2322
+ required: false;
2323
+ };
1981
2324
  authTime: {
1982
2325
  type: "date";
1983
2326
  required: false;
1984
2327
  };
2328
+ confirmation: {
2329
+ type: "json";
2330
+ required: false;
2331
+ };
1985
2332
  scopes: {
1986
2333
  type: "string[]";
1987
2334
  required: true;
@@ -2002,6 +2349,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2002
2349
  model: string;
2003
2350
  field: string;
2004
2351
  };
2352
+ index: true;
2005
2353
  };
2006
2354
  sessionId: {
2007
2355
  type: "string";
@@ -2011,6 +2359,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2011
2359
  field: string;
2012
2360
  onDelete: "set null";
2013
2361
  };
2362
+ index: true;
2014
2363
  };
2015
2364
  userId: {
2016
2365
  type: "string";
@@ -2019,11 +2368,25 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2019
2368
  model: string;
2020
2369
  field: string;
2021
2370
  };
2371
+ index: true;
2022
2372
  };
2023
2373
  referenceId: {
2024
2374
  type: "string";
2025
2375
  required: false;
2026
2376
  };
2377
+ authorizationCodeId: {
2378
+ type: "string";
2379
+ required: false;
2380
+ index: true;
2381
+ };
2382
+ resources: {
2383
+ type: "string[]";
2384
+ required: false;
2385
+ };
2386
+ requestedUserInfoClaims: {
2387
+ type: "string[]";
2388
+ required: false;
2389
+ };
2027
2390
  refreshId: {
2028
2391
  type: "string";
2029
2392
  required: false;
@@ -2031,6 +2394,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2031
2394
  model: string;
2032
2395
  field: string;
2033
2396
  };
2397
+ index: true;
2034
2398
  };
2035
2399
  expiresAt: {
2036
2400
  type: "date";
@@ -2038,6 +2402,14 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2038
2402
  createdAt: {
2039
2403
  type: "date";
2040
2404
  };
2405
+ revoked: {
2406
+ type: "date";
2407
+ required: false;
2408
+ };
2409
+ confirmation: {
2410
+ type: "json";
2411
+ required: false;
2412
+ };
2041
2413
  scopes: {
2042
2414
  type: "string[]";
2043
2415
  required: true;
@@ -2054,6 +2426,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2054
2426
  model: string;
2055
2427
  field: string;
2056
2428
  };
2429
+ index: true;
2057
2430
  };
2058
2431
  userId: {
2059
2432
  type: "string";
@@ -2062,11 +2435,20 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2062
2435
  model: string;
2063
2436
  field: string;
2064
2437
  };
2438
+ index: true;
2065
2439
  };
2066
2440
  referenceId: {
2067
2441
  type: "string";
2068
2442
  required: false;
2069
2443
  };
2444
+ resources: {
2445
+ type: "string[]";
2446
+ required: false;
2447
+ };
2448
+ requestedUserInfoClaims: {
2449
+ type: "string[]";
2450
+ required: false;
2451
+ };
2070
2452
  scopes: {
2071
2453
  type: "string[]";
2072
2454
  required: true;
@@ -2079,6 +2461,15 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2079
2461
  };
2080
2462
  };
2081
2463
  };
2464
+ oauthClientAssertion: {
2465
+ modelName: string;
2466
+ fields: {
2467
+ expiresAt: {
2468
+ type: "date";
2469
+ required: true;
2470
+ };
2471
+ };
2472
+ };
2082
2473
  };
2083
2474
  rateLimit: ({
2084
2475
  pathMatcher: (path: string) => path is "/oauth2/token";
@@ -2107,4 +2498,4 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2107
2498
  })[];
2108
2499
  };
2109
2500
  //#endregion
2110
- export { oauthProvider as n, getOAuthProviderState as t };
2501
+ export { OAuthEndpointErrorResult as a, OAuthFieldErrorCode as c, getIssuer as i, OAuthFieldErrorCodeMap as l, getOAuthProviderState as n, OAuthEndpointRedirectContext as o, oauthProvider as r, OAuthErrorCode as s, DEFAULT_OAUTH_SCOPES as t, OAuthRedirectOnError as u };