@better-auth/oauth-provider 1.7.0-beta.0 → 1.7.0-beta.2

package/dist/index.mjs

@@ -1,12 +1,13 @@
-import { n as isPrivateHostname } from "./client-assertion-DZqo-L5j.mjs";
+import { n as isPrivateHostname } from "./client-assertion-CderPEmR.mjs";
 import { n as mcpHandler } from "./mcp-CYnz-MXn.mjs";
-import { _ as storeToken, a as getClient, c as getStoredToken, d as parseClientMetadata, f as parsePrompt, g as storeClientSecret, h as searchParamsToQuery, i as extractClientCredentials, l as isPKCERequired, m as resolveSubjectIdentifier, n as deleteFromPrompt, o as getJwtPlugin, p as resolveSessionAuthTime, r as destructureCredentials, t as decryptStoredClientSecret, u as normalizeTimestampValue, v as validateClientCredentials, y as verifyOAuthQueryParams } from "./utils-CIbcUsZ5.mjs";
-import { t as PACKAGE_VERSION } from "./version-BGWhjYBb.mjs";
+import { _ as storeClientSecret, a as getClient, b as validateClientCredentials, c as getStoredToken, d as normalizeTimestampValue, f as parseClientMetadata, g as searchParamsToQuery, h as resolveSubjectIdentifier, i as extractClientCredentials, l as isPKCERequired, m as resolveSessionAuthTime, n as deleteFromPrompt, o as getJwtPlugin, p as parsePrompt, r as destructureCredentials, t as decryptStoredClientSecret, u as mergeDiscoveryMetadata, v as storeToken, x as verifyOAuthQueryParams, y as toClientDiscoveryArray } from "./utils-Cx_XnD9i.mjs";
+import { t as PACKAGE_VERSION } from "./version-CZxZ64qJ.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
 import { ASSERTION_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
 import { isBrowserFetchRequest } from "@better-auth/core/utils/fetch-metadata";
+import { isLoopbackHost, isLoopbackIP } from "@better-auth/core/utils/host";
 import { generateRandomString, makeSignature } from "better-auth/crypto";
 import { defineRequestState } from "@better-auth/core/context";
 import { logger } from "@better-auth/core/env";
@@ -14,8 +15,8 @@ import { BetterAuthError } from "@better-auth/core/error";
 import { parseSetCookieHeader } from "better-auth/cookies";
 import { mergeSchema } from "better-auth/db";
 import * as z from "zod";
-import { signJWT, toExpJWT } from "better-auth/plugins";
-import { SignJWT, compactVerify, createLocalJWKSet, decodeJwt } from "jose";
+import { resolveSigningKey, signJWT, toExpJWT } from "better-auth/plugins";
+import { SignJWT, base64url, compactVerify, createLocalJWKSet, decodeJwt, decodeProtectedHeader } from "jose";
 //#region src/consent.ts
 async function consentEndpoint(ctx, opts) {
 	const _query = (await oAuthState.get())?.query;
@@ -156,6 +157,76 @@ async function postLogin(ctx, opts) {
 	};
 }
 //#endregion
+//#region src/types/zod.ts
+const DANGEROUS_SCHEMES = [
+	"javascript:",
+	"data:",
+	"vbscript:"
+];
+/**
+* Runtime schema for OAuthAuthorizationQuery.
+* Uses passthrough to tolerate fields added by future extensions (PAR, FPA, etc.)
+*/
+const oauthAuthorizationQuerySchema = z.object({
+	response_type: z.literal("code").optional(),
+	request_uri: z.string().optional(),
+	redirect_uri: z.string(),
+	scope: z.string().optional(),
+	state: z.string().optional(),
+	client_id: z.string(),
+	prompt: z.string().optional(),
+	display: z.string().optional(),
+	ui_locales: z.string().optional(),
+	max_age: z.coerce.number().optional(),
+	acr_values: z.string().optional(),
+	login_hint: z.string().optional(),
+	id_token_hint: z.string().optional(),
+	code_challenge: z.string().optional(),
+	code_challenge_method: z.literal("S256").optional(),
+	nonce: z.string().optional()
+}).passthrough();
+/**
+* Runtime schema for the authorization code verification value.
+* Validates structure on deserialization from the JSON blob stored in the DB.
+* Uses passthrough so future fields (e.g. from authorization challenge) don't break parsing.
+*/
+const verificationValueSchema = z.object({
+	type: z.literal("authorization_code"),
+	query: oauthAuthorizationQuerySchema,
+	sessionId: z.string(),
+	userId: z.string(),
+	referenceId: z.string().optional(),
+	authTime: z.number().optional()
+}).passthrough();
+/**
+* Reusable URL validation for OAuth redirect URIs.
+* - Blocks dangerous schemes (javascript:, data:, vbscript:)
+* - For http/https: requires HTTPS (HTTP allowed only for loopback hosts: 127.0.0.0/8, [::1], *.localhost per RFC 6761)
+* - Allows custom schemes for mobile apps (e.g., myapp://callback)
+*/
+const SafeUrlSchema = z.url().superRefine((val, ctx) => {
+	if (!URL.canParse(val)) {
+		ctx.addIssue({
+			code: "custom",
+			message: "URL must be parseable",
+			fatal: true
+		});
+		return z.NEVER;
+	}
+	const u = new URL(val);
+	if (DANGEROUS_SCHEMES.includes(u.protocol)) {
+		ctx.addIssue({
+			code: "custom",
+			message: "URL cannot use javascript:, data:, or vbscript: scheme"
+		});
+		return;
+	}
+	if (u.protocol === "http:" && !isLoopbackHost(u.host)) ctx.addIssue({
+		code: "custom",
+		message: "Redirect URI must use HTTPS (HTTP allowed only for loopback hosts)"
+	});
+});
+//#endregion
 //#region src/userinfo.ts
 /**
 * Provides shared /userinfo and id_token claims functionality
@@ -184,11 +255,7 @@ function userNormalClaims(user, scopes) {
 * Handles the /oauth2/userinfo endpoint
 */
 async function userInfoEndpoint(ctx, opts) {
-	if (!ctx.request) throw new APIError("UNAUTHORIZED", {
-		error_description: "request not found",
-		error: "invalid_request"
-	});
-	const authorization = ctx.request.headers.get("authorization");
+	const authorization = ctx.headers?.get("authorization");
 	const token = typeof authorization === "string" && authorization?.startsWith("Bearer ") ? authorization?.replace("Bearer ", "") : authorization;
 	if (!token?.length) throw new APIError("UNAUTHORIZED", {
 		error_description: "authorization header not found",
@@ -234,8 +301,8 @@ async function userInfoEndpoint(ctx, opts) {
 * the grant types
 */
 async function tokenEndpoint(ctx, opts) {
-	const grantType = ctx.body?.grant_type;
-	if (opts.grantTypes && grantType && !opts.grantTypes.includes(grantType)) throw new APIError("BAD_REQUEST", {
+	const grantType = ctx.body.grant_type;
+	if (opts.grantTypes && !opts.grantTypes.includes(grantType)) throw new APIError("BAD_REQUEST", {
 		error_description: `unsupported grant_type ${grantType}`,
 		error: "unsupported_grant_type"
 	});
@@ -243,14 +310,6 @@ async function tokenEndpoint(ctx, opts) {
 		case "authorization_code": return handleAuthorizationCodeGrant(ctx, opts);
 		case "client_credentials": return handleClientCredentialsGrant(ctx, opts);
 		case "refresh_token": return handleRefreshTokenGrant(ctx, opts);
-		case void 0: throw new APIError("BAD_REQUEST", {
-			error_description: "missing required grant_type",
-			error: "unsupported_grant_type"
-		});
-		default: throw new APIError("BAD_REQUEST", {
-			error_description: `unsupported grant_type ${grantType}`,
-			error: "unsupported_grant_type"
-		});
 	}
 }
 async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, referenceId, overrides) {
@@ -268,7 +327,7 @@ async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, r
 		options: jwtPluginOptions,
 		payload: {
 			...customClaims,
-			sub: user.id,
+			sub: user?.id,
 			aud: typeof audience === "string" ? audience : audience?.length === 1 ? audience.at(0) : audience,
 			azp: client.clientId,
 			scope: scopes.join(" "),
@@ -280,10 +339,23 @@ async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, r
 	});
 }
 /**
+* Computes an OIDC hash (at_hash, c_hash) per OIDC Core §3.1.3.6.
+* Hashes the token, takes the left half, and base64url-encodes it.
+*/
+async function computeOidcHash(token, signingAlg) {
+	let hashAlg;
+	if (signingAlg === "EdDSA") hashAlg = "SHA-512";
+	else if (signingAlg.endsWith("384")) hashAlg = "SHA-384";
+	else if (signingAlg.endsWith("512")) hashAlg = "SHA-512";
+	else hashAlg = "SHA-256";
+	const digest = new Uint8Array(await crypto.subtle.digest(hashAlg, new TextEncoder().encode(token)));
+	return base64url.encode(digest.slice(0, digest.length / 2));
+}
+/**
 * Creates a user id token in code_authorization with scope of 'openid'
 * and hybrid/implicit (not yet implemented) flows
 */
-async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime) {
+async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime, accessToken) {
 	const iat = Math.floor(Date.now() / 1e3);
 	const exp = iat + (opts.idTokenExpiresIn ?? 36e3);
 	const userClaims = userNormalClaims(user, scopes);
@@ -296,11 +368,15 @@ async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId,
 		metadata: parseClientMetadata(client.metadata)
 	}) : {};
 	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
+	const resolvedKey = !opts.disableJwtPlugin && !jwtPluginOptions?.jwt?.sign ? await resolveSigningKey(ctx, jwtPluginOptions) : void 0;
+	const signingAlg = opts.disableJwtPlugin ? "HS256" : resolvedKey?.alg ?? jwtPluginOptions?.jwks?.keyPairConfig?.alg;
+	const atHash = accessToken ? await computeOidcHash(accessToken, signingAlg) : void 0;
 	const payload = {
 		...userClaims,
 		auth_time: authTimeSec,
 		acr,
 		...customClaims,
+		at_hash: atHash,
 		iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
 		sub: resolvedSub,
 		aud: client.clientId,
@@ -310,10 +386,19 @@ async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId,
 		sid: client.enableEndSession ? sessionId : void 0
 	};
 	if (opts.disableJwtPlugin && !client.clientSecret) return;
-	return opts.disableJwtPlugin ? new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).sign(new TextEncoder().encode(await decryptStoredClientSecret(ctx, opts.storeClientSecret, client.clientSecret))) : signJWT(ctx, {
+	const idToken = opts.disableJwtPlugin ? await new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).sign(new TextEncoder().encode(await decryptStoredClientSecret(ctx, opts.storeClientSecret, client.clientSecret))) : await signJWT(ctx, {
 		options: jwtPluginOptions,
-		payload
+		payload,
+		resolvedKey: resolvedKey ?? void 0
 	});
+	if (idToken && atHash && jwtPluginOptions?.jwt?.sign) {
+		const header = decodeProtectedHeader(idToken);
+		if (header.alg !== signingAlg) throw new APIError("INTERNAL_SERVER_ERROR", {
+			error_description: `ID token signed with "${header.alg}" but at_hash was computed for "${signingAlg}". Ensure jwt.sign uses the algorithm declared in keyPairConfig.alg.`,
+			error: "server_error"
+		});
+	}
+	return idToken;
 }
 /**
 * Encodes a refresh token for a client
@@ -402,39 +487,45 @@ async function checkResource(ctx, opts, scopes) {
 	}
 	return audience?.length === 1 ? audience.at(0) : audience;
 }
-async function createUserTokens(ctx, opts, client, scopes, user, referenceId, sessionId, nonce, additional, authTime) {
+async function createUserTokens(ctx, opts, params) {
+	const { client, scopes, user, grantType, referenceId, sessionId, nonce, refreshToken: existingRefreshToken, authTime, verificationValue } = params;
 	const iat = Math.floor(Date.now() / 1e3);
-	const defaultExp = iat + (opts.accessTokenExpiresIn ?? 3600);
+	const defaultExp = iat + (user ? opts.accessTokenExpiresIn ?? 3600 : opts.m2mAccessTokenExpiresIn ?? 3600);
 	const exp = opts.scopeExpirations ? scopes.map((sc) => opts.scopeExpirations?.[sc] ? toExpJWT(opts.scopeExpirations[sc], iat) : defaultExp).reduce((prev, curr) => {
 		return prev < curr ? prev : curr;
 	}, defaultExp) : defaultExp;
 	const audience = await checkResource(ctx, opts, scopes);
-	const isRefreshToken = additional?.refreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access");
+	const isRefreshToken = user && (existingRefreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access"));
 	const isJwtAccessToken = audience && !opts.disableJwtPlugin;
-	const isIdToken = scopes.includes("openid");
-	const earlyRefreshToken = isRefreshToken && !isJwtAccessToken ? await createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
+	const isIdToken = user && scopes.includes("openid");
+	const customFields = opts.customTokenResponseFields ? await opts.customTokenResponseFields({
+		grantType,
+		user,
+		scopes,
+		metadata: parseClientMetadata(client.metadata),
+		verificationValue
+	}) : void 0;
+	const earlyRefreshToken = isRefreshToken && user && !isJwtAccessToken ? await createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
 		iat,
 		exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
 		sid: sessionId
-	}, additional?.refreshToken, authTime) : void 0;
-	const [accessToken, refreshToken, idToken] = await Promise.all([
-		isJwtAccessToken ? createJwtAccessToken(ctx, opts, user, client, audience, scopes, referenceId, {
-			iat,
-			exp,
-			sid: sessionId
-		}) : createOpaqueAccessToken(ctx, opts, user, client, scopes, {
-			iat,
-			exp,
-			sid: sessionId
-		}, referenceId, earlyRefreshToken?.id),
-		earlyRefreshToken ? earlyRefreshToken : isRefreshToken ? createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
-			iat,
-			exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
-			sid: sessionId
-		}, additional?.refreshToken, authTime) : void 0,
-		isIdToken ? createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime) : void 0
-	]);
+	}, existingRefreshToken, authTime) : void 0;
+	const [accessToken, refreshToken] = await Promise.all([isJwtAccessToken ? createJwtAccessToken(ctx, opts, user, client, audience, scopes, referenceId, {
+		iat,
+		exp,
+		sid: sessionId
+	}) : createOpaqueAccessToken(ctx, opts, user, client, scopes, {
+		iat,
+		exp,
+		sid: sessionId
+	}, referenceId, earlyRefreshToken?.id), earlyRefreshToken ? earlyRefreshToken : isRefreshToken && user ? createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
+		iat,
+		exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
+		sid: sessionId
+	}, existingRefreshToken, authTime) : void 0]);
+	const idToken = isIdToken ? await createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime, accessToken) : void 0;
 	return ctx.json({
+		...customFields,
 		access_token: accessToken,
 		expires_in: exp - iat,
 		expires_at: exp,
@@ -450,7 +541,6 @@ async function createUserTokens(ctx, opts, client, scopes, user, referenceId, se
 /** Checks verification value */
 async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri) {
 	const verification = await ctx.context.internalAdapter.findVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
-	const verificationValue = verification ? JSON.parse(verification?.value) : void 0;
 	if (!verification) throw new APIError("UNAUTHORIZED", {
 		error_description: "Invalid code",
 		error: "invalid_verification"
@@ -460,22 +550,25 @@ async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri)
 		error_description: "code expired",
 		error: "invalid_verification"
 	});
-	if (!verificationValue) throw new APIError("UNAUTHORIZED", {
-		error_description: "missing verification value content",
-		error: "invalid_verification"
-	});
-	if (verificationValue.type !== "authorization_code") throw new APIError("UNAUTHORIZED", {
-		error_description: "incorrect verification type",
+	let rawValue;
+	try {
+		rawValue = JSON.parse(verification.value);
+	} catch {
+		throw new APIError("UNAUTHORIZED", {
+			error_description: "malformed verification value",
+			error: "invalid_verification"
+		});
+	}
+	const parsed = verificationValueSchema.safeParse(rawValue);
+	if (!parsed.success) throw new APIError("UNAUTHORIZED", {
+		error_description: "malformed verification value",
 		error: "invalid_verification"
 	});
+	const verificationValue = parsed.data;
 	if (verificationValue.query.client_id !== client_id) throw new APIError("UNAUTHORIZED", {
 		error_description: "invalid client_id",
 		error: "invalid_client"
 	});
-	if (!verificationValue.userId) throw new APIError("BAD_REQUEST", {
-		error_description: "missing user_id on challenge",
-		error: "invalid_user"
-	});
 	if (verificationValue.query?.redirect_uri && verificationValue.query?.redirect_uri !== redirect_uri) throw new APIError("BAD_REQUEST", {
 		error_description: "redirect_uri mismatch",
 		error: "invalid_request"
@@ -563,7 +656,17 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 		error: "invalid_request"
 	});
 	const authTime = verificationValue.authTime != null ? normalizeTimestampValue(verificationValue.authTime) : resolveSessionAuthTime(session);
-	return createUserTokens(ctx, opts, client, verificationValue.query.scope?.split(" ") ?? [], user, verificationValue.referenceId, session.id, verificationValue.query?.nonce, void 0, authTime);
+	return createUserTokens(ctx, opts, {
+		client,
+		scopes: verificationValue.query.scope?.split(" ") ?? [],
+		user,
+		grantType: "authorization_code",
+		referenceId: verificationValue.referenceId,
+		sessionId: session.id,
+		nonce: verificationValue.query?.nonce,
+		authTime,
+		verificationValue
+	});
 }
 /**
 * Grant that allows direct access to an API using the application's credentials
@@ -601,43 +704,11 @@ async function handleClientCredentialsGrant(ctx, opts) {
 		});
 	}
 	if (!requestedScopes) requestedScopes = client.scopes ?? opts.clientCredentialGrantDefaultScopes ?? opts.scopes ?? [];
-	const jwtPluginOptions = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context).options;
-	const audience = await checkResource(ctx, opts, requestedScopes);
-	const iat = Math.floor(Date.now() / 1e3);
-	const defaultExp = iat + (opts.m2mAccessTokenExpiresIn ?? 3600);
-	const exp = opts.scopeExpirations && requestedScopes ? requestedScopes.map((sc) => opts.scopeExpirations?.[sc] ? toExpJWT(opts.scopeExpirations[sc], iat) : defaultExp).reduce((prev, curr) => {
-		return prev < curr ? prev : curr;
-	}, defaultExp) : defaultExp;
-	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
+	return createUserTokens(ctx, opts, {
+		client,
 		scopes: requestedScopes,
-		resource: ctx.body.resource,
-		metadata: parseClientMetadata(client.metadata)
-	}) : {};
-	const accessToken = audience && !opts.disableJwtPlugin ? await signJWT(ctx, {
-		options: jwtPluginOptions,
-		payload: {
-			...customClaims,
-			aud: audience,
-			azp: client.clientId,
-			scope: requestedScopes.join(" "),
-			iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
-			iat,
-			exp
-		}
-	}) : await createOpaqueAccessToken(ctx, opts, void 0, client, requestedScopes, {
-		iat,
-		exp
+		grantType: "client_credentials"
 	});
-	return ctx.json({
-		access_token: accessToken,
-		expires_in: exp - iat,
-		expires_at: exp,
-		token_type: "Bearer",
-		scope: requestedScopes.join(" ")
-	}, { headers: {
-		"Cache-Control": "no-store",
-		Pragma: "no-cache"
-	} });
 }
 /**
 * Obtains new Session Jwt and Refresh Tokens using a refresh token
@@ -708,7 +779,16 @@ async function handleRefreshTokenGrant(ctx, opts) {
 		error: "invalid_request"
 	});
 	const authTime = refreshToken.authTime != null ? normalizeTimestampValue(refreshToken.authTime) : void 0;
-	return createUserTokens(ctx, opts, client, requestedScopes ?? scopes, user, refreshToken.referenceId, refreshToken.sessionId, void 0, { refreshToken }, authTime);
+	return createUserTokens(ctx, opts, {
+		client,
+		scopes: requestedScopes ?? scopes,
+		user,
+		grantType: "refresh_token",
+		referenceId: refreshToken.referenceId,
+		sessionId: refreshToken.sessionId,
+		refreshToken,
+		authTime
+	});
 }
 //#endregion
 //#region src/introspect.ts
@@ -920,6 +1000,7 @@ async function resolveIntrospectionSub(opts, payload, client) {
 }
 async function introspectEndpoint(ctx, opts) {
 	let { token, token_type_hint } = ctx.body;
+	if (token_type_hint !== "access_token" && token_type_hint !== "refresh_token") token_type_hint = void 0;
 	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/introspect`));
 	if (!client_id || !client_secret && !preVerifiedClient) throw new APIError$1("UNAUTHORIZED", {
 		error_description: "missing required credentials",
@@ -1077,6 +1158,109 @@ async function rpInitiatedLogoutEndpoint(ctx, opts) {
 	}
 }
 //#endregion
+//#region src/oauth-endpoint.ts
+/**
+* Wraps `createAuthEndpoint` so zod schemas stay the single source of truth
+* for body/query shape while validation failures serialize as the RFC 6749
+* §5.2 error envelope `{ error, error_description }`.
+*
+* A failing issue is routed by its first path segment via `errorCodesByField`:
+* - missing required (`invalid_type` + "received undefined") → `.missing`
+* - unsupported value (`invalid_value`) → `.invalid`
+* - anything else (wrong type, duplicated params, bad format) → `defaultError`
+*
+* For enum fields that need to distinguish missing from unsupported, compose
+* as `z.string().pipe(z.enum([...]))` so duplicated params fail the outer
+* `z.string()` as `invalid_type` instead of masquerading as an unsupported
+* enum value.
+*/
+function createOAuthEndpoint(path, options, handler) {
+	const { redirectOnError, onValidationError: userHook, errorCodesByField, defaultError = "invalid_request", ...rest } = options;
+	if (!redirectOnError) return createAuthEndpoint(path, {
+		...rest,
+		onValidationError: async (args) => {
+			if (userHook) await userHook(args);
+			throw new APIError$1("BAD_REQUEST", { ...mapIssuesToOAuthError(args.issues, errorCodesByField, defaultError) });
+		}
+	}, handler);
+	const redirect = redirectOnError;
+	const { body: bodySchema, query: querySchema, ...forwarded } = rest;
+	async function validateSlot(ctx, slot, schema) {
+		if (!schema) return { ok: true };
+		const result = await schema.safeParseAsync(ctx[slot] ?? {});
+		if (result.success) {
+			ctx[slot] = result.data;
+			return { ok: true };
+		}
+		if (userHook) await userHook({
+			message: result.error.message,
+			issues: result.error.issues
+		});
+		return {
+			ok: false,
+			response: redirect({
+				...mapIssuesToOAuthError(result.error.issues, errorCodesByField, defaultError),
+				ctx
+			})
+		};
+	}
+	return createAuthEndpoint(path, forwarded, async (ctx) => {
+		const body = await validateSlot(ctx, "body", bodySchema);
+		if (!body.ok) return body.response;
+		const query = await validateSlot(ctx, "query", querySchema);
+		if (!query.ok) return query.response;
+		return handler(ctx);
+	});
+}
+function mapIssuesToOAuthError(issues, errorCodesByField, defaultError = "invalid_request") {
+	const issue = issues[0];
+	if (!issue) return {
+		error: defaultError,
+		error_description: "Invalid request."
+	};
+	const first = issue.path?.[0];
+	const fieldKey = typeof first === "string" ? first : void 0;
+	const mapping = fieldKey ? errorCodesByField?.[fieldKey] : void 0;
+	const field = issue.path?.length ? z.core.toDotPath(issue.path) : "";
+	return {
+		error: resolveErrorCode(issue, mapping, defaultError),
+		error_description: describeIssue(issue, field)
+	};
+}
+function resolveErrorCode(issue, mapping, defaultError) {
+	if (typeof mapping === "string") return mapping;
+	if (isMissingValueIssue(issue)) return mapping?.missing ?? defaultError;
+	if (issue.code === "invalid_value") return mapping?.invalid ?? defaultError;
+	return defaultError;
+}
+/**
+* Returns `true` for issues that represent an absent required value. Zod v4
+* strips `input` from published issues, so the signal is the `invalid_type`
+* code combined with a message suffix of "received undefined". The suffix is
+* pinned by a regression test so a zod rephrase fails the test instead of
+* silently reclassifying missing fields.
+*
+* Assumes the default zod error map. Consumers that install a localized map
+* via `z.setErrorMap()` will break this check, collapsing missing-field
+* failures to `defaultError`.
+*/
+function isMissingValueIssue(issue) {
+	return issue.code === "invalid_type" && issue.message.endsWith("received undefined");
+}
+function describeIssue(issue, field) {
+	if (!field) return issue.message;
+	if (issue.code === "invalid_type") {
+		if (issue.message.endsWith("received undefined")) return `${field} is required`;
+		if (issue.message.endsWith("received array")) return `${field} must not appear more than once`;
+		return `${field} must be a ${issue.expected ?? "valid value"}`;
+	}
+	if (issue.code === "invalid_value") {
+		const values = issue.values;
+		if (Array.isArray(values) && values.length > 0) return `${field} must be one of: ${values.join(", ")}`;
+	}
+	return `${field}: ${issue.message}`;
+}
+//#endregion
 //#region src/middleware/index.ts
 const publicSessionMiddleware = (opts) => createAuthMiddleware(async (ctx) => {
 	if (!opts.allowPublicClientPrelogin) throw new APIError("BAD_REQUEST");
@@ -1085,6 +1269,21 @@ const publicSessionMiddleware = (opts) => createAuthMiddleware(async (ctx) => {
 });
 //#endregion
 //#region src/register.ts
+/**
+* Resolves the auth method and type for unauthenticated DCR.
+* Overrides confidential methods to "none" per RFC 7591 Section 3.2.1.
+* When overriding, clears type "web" since it is only valid for confidential clients.
+*/
+function resolveUnauthenticatedAuth(body) {
+	if (body.token_endpoint_auth_method === "none") return {
+		tokenEndpointAuthMethod: "none",
+		type: body.type
+	};
+	return {
+		tokenEndpointAuthMethod: "none",
+		type: body.type === "web" ? void 0 : body.type
+	};
+}
 async function registerEndpoint(ctx, opts) {
 	if (!opts.allowDynamicClientRegistration) throw new APIError("FORBIDDEN", {
 		error: "access_denied",
@@ -1096,12 +1295,16 @@ async function registerEndpoint(ctx, opts) {
 		error: "invalid_token",
 		error_description: "Authentication required for client registration"
 	});
-	const isPublic = body.token_endpoint_auth_method === "none";
-	if (!session && !isPublic) throw new APIError("UNAUTHORIZED", {
-		error: "invalid_request",
-		error_description: "Authentication required for confidential client registration"
-	});
-	if (!ctx.body.scope) ctx.body.scope = (opts.clientRegistrationDefaultScopes ?? opts.scopes)?.join(" ");
+	if (!session) {
+		if (body.grant_types?.includes("client_credentials")) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "client_credentials grant requires authenticated registration"
+		});
+		const resolved = resolveUnauthenticatedAuth(body);
+		body.token_endpoint_auth_method = resolved.tokenEndpointAuthMethod;
+		body.type = resolved.type;
+	}
+	if (!body.scope) body.scope = (opts.clientRegistrationDefaultScopes ?? opts.scopes)?.join(" ");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: true });
 }
 async function checkOAuthClient(client, opts, settings) {
@@ -1340,57 +1543,11 @@ function schemaToOAuth(input) {
 	};
 }
 //#endregion
-//#region src/types/zod.ts
-const DANGEROUS_SCHEMES = [
-	"javascript:",
-	"data:",
-	"vbscript:"
-];
-function isLocalhost(hostname) {
-	return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]" || hostname.endsWith(".localhost");
-}
-/**
-* Reusable URL validation for OAuth redirect URIs.
-* - Blocks dangerous schemes (javascript:, data:, vbscript:)
-* - For http/https: requires HTTPS (HTTP allowed only for localhost)
-* - Allows custom schemes for mobile apps (e.g., myapp://callback)
-*/
-const SafeUrlSchema = z.url().superRefine((val, ctx) => {
-	if (!URL.canParse(val)) {
-		ctx.addIssue({
-			code: "custom",
-			message: "URL must be parseable",
-			fatal: true
-		});
-		return z.NEVER;
-	}
-	const u = new URL(val);
-	if (DANGEROUS_SCHEMES.includes(u.protocol)) {
-		ctx.addIssue({
-			code: "custom",
-			message: "URL cannot use javascript:, data:, or vbscript: scheme"
-		});
-		return;
-	}
-	if (u.protocol === "http:" || u.protocol === "https:") {
-		if (u.protocol === "http:" && !isLocalhost(u.hostname)) ctx.addIssue({
-			code: "custom",
-			message: "Redirect URI must use HTTPS (HTTP allowed only for localhost)"
-		});
-	}
-});
-//#endregion
 //#region src/oauthClient/endpoints.ts
 async function getClientEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "read");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "read",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const client = await getClient(ctx, opts, ctx.query.client_id);
 	if (!client) throw new APIError("NOT_FOUND", {
 		error_description: "client not found",
@@ -1431,14 +1588,8 @@ async function getClientPublicEndpoint(ctx, opts, clientId) {
 }
 async function getClientsEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "list");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "list",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const referenceId = await opts.clientReference?.(session);
 	if (referenceId) return await ctx.context.adapter.findMany({
 		model: "oauthClient",
@@ -1472,14 +1623,8 @@ async function getClientsEndpoint(ctx, opts) {
 }
 async function deleteClientEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "delete");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "delete",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const clientId = ctx.body.client_id;
 	if (opts.cachedTrustedClients?.has(clientId)) throw new APIError("INTERNAL_SERVER_ERROR", {
 		error_description: "trusted clients must be updated manually",
@@ -1505,14 +1650,8 @@ async function deleteClientEndpoint(ctx, opts) {
 }
 async function updateClientEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "update");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "update",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const clientId = ctx.body.client_id;
 	if (opts.cachedTrustedClients?.has(clientId)) throw new APIError("INTERNAL_SERVER_ERROR", {
 		error_description: "trusted clients must be updated manually",
@@ -1543,6 +1682,7 @@ async function updateClientEndpoint(ctx, opts) {
 	else {
 		schemaUpdates.jwks = null;
 		schemaUpdates.jwksUri = null;
+		if (!schemaUpdates.clientSecret) schemaUpdates.clientSecret = await storeClientSecret(ctx, opts, opts.generateClientSecret?.() || generateRandomString(32, "a-z", "A-Z"));
 	}
 	const updatedClient = await ctx.context.adapter.update({
 		model: "oauthClient",
@@ -1565,14 +1705,8 @@ async function updateClientEndpoint(ctx, opts) {
 }
 async function rotateClientSecretEndpoint(ctx, opts) {
 	const session = await getSessionFromCtx(ctx);
+	await assertClientPrivileges(ctx, session, opts, "rotate");
 	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action: "rotate",
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
 	const clientId = ctx.body.client_id;
 	if (opts.cachedTrustedClients?.has(clientId)) throw new APIError("INTERNAL_SERVER_ERROR", {
 		error_description: "trusted clients must be updated manually",
@@ -1614,6 +1748,16 @@ async function rotateClientSecretEndpoint(ctx, opts) {
 		clientSecret: (opts.prefix?.clientSecret ?? "") + clientSecret
 	});
 }
+async function assertClientPrivileges(ctx, session, opts, action) {
+	if (!session) throw new APIError("UNAUTHORIZED");
+	if (!ctx.headers) throw new APIError("BAD_REQUEST");
+	if (opts.clientPrivileges && !await opts.clientPrivileges({
+		headers: ctx.headers,
+		action,
+		session: session.session,
+		user: session.user
+	})) throw new APIError("UNAUTHORIZED");
+}
 //#endregion
 //#region src/oauthClient/index.ts
 const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/create-client", {
@@ -1799,6 +1943,7 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 		}
 	}
 }, async (ctx) => {
+	await assertClientPrivileges(ctx, await getSessionFromCtx(ctx), opts, "create");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
 });
 const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client", {
@@ -1971,6 +2116,7 @@ const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client",
 		} }
 	} }
 }, async (ctx) => {
+	await assertClientPrivileges(ctx, await getSessionFromCtx(ctx), opts, "create");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
 });
 const getOAuthClient = (opts) => createAuthEndpoint("/oauth2/get-client", {
@@ -2383,6 +2529,7 @@ async function revokeAccessToken(ctx, opts, clientId, token) {
 }
 async function revokeEndpoint(ctx, opts) {
 	let { token, token_type_hint } = ctx.body;
+	if (token_type_hint !== "access_token" && token_type_hint !== "refresh_token") token_type_hint = void 0;
 	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/revoke`));
 	if (!client_id) throw new APIError$1("UNAUTHORIZED", {
 		error_description: "missing required credentials",
@@ -2800,7 +2947,7 @@ const oauthProvider = (options) => {
 					queryParams.delete("sig");
 					queryParams.delete("exp");
 					await oAuthState.set({ query: queryParams.toString() });
-					if (ctx.path === "/sign-in/social" || ctx.path === "/sign-in/oauth2") {
+					if (ctx.path === "/sign-in/social") {
 						if (ctx.body.additionalData?.query) return;
 						if (!ctx.body.additionalData) ctx.body.additionalData = {};
 						ctx.body.additionalData.query = queryParams.toString();
@@ -2834,12 +2981,15 @@ const oauthProvider = (options) => {
 				metadata: { SERVER_ONLY: true }
 			}, async (ctx) => {
 				if (opts.scopes && opts.scopes.includes("openid")) return oidcServerMetadata(ctx, opts);
-				else return authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context)?.options, {
-					scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
-					public_client_supported: opts.allowUnauthenticatedClientRegistration,
-					grant_types_supported: opts.grantTypes,
-					jwt_disabled: opts.disableJwtPlugin
-				});
+				else return {
+					...authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context)?.options, {
+						scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+						public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
+						grant_types_supported: opts.grantTypes,
+						jwt_disabled: opts.disableJwtPlugin
+					}),
+					...mergeDiscoveryMetadata(opts.clientDiscovery)
+				};
 			}),
 			getOpenIdConfig: createAuthEndpoint("/.well-known/openid-configuration", {
 				method: "GET",
@@ -2848,19 +2998,19 @@ const oauthProvider = (options) => {
 				if (opts.scopes && !opts.scopes.includes("openid")) throw new APIError("NOT_FOUND");
 				return oidcServerMetadata(ctx, opts);
 			}),
-			oauth2Authorize: createAuthEndpoint("/oauth2/authorize", {
+			oauth2Authorize: createOAuthEndpoint("/oauth2/authorize", {
 				method: "GET",
 				query: z.object({
-					response_type: z.enum(["code"]).optional(),
+					response_type: z.string().pipe(z.enum(["code"])).optional(),
 					client_id: z.string(),
 					redirect_uri: SafeUrlSchema.optional(),
 					scope: z.string().optional(),
 					state: z.string().optional(),
 					request_uri: z.string().optional(),
 					code_challenge: z.string().optional(),
-					code_challenge_method: z.enum(["S256"]).optional(),
+					code_challenge_method: z.string().pipe(z.enum(["S256"])).optional(),
 					nonce: z.string().optional(),
-					prompt: z.enum([
+					prompt: z.string().pipe(z.enum([
 						"none",
 						"consent",
 						"login",
@@ -2868,8 +3018,10 @@ const oauthProvider = (options) => {
 						"select_account",
 						"login consent",
 						"select_account consent"
-					]).optional()
+					])).optional()
 				}),
+				redirectOnError: authorizeRedirectOnError(opts),
+				errorCodesByField: { response_type: { invalid: "unsupported_response_type" } },
 				metadata: { openapi: {
 					description: "Authorize an OAuth2 request",
 					parameters: [
@@ -3028,14 +3180,14 @@ const oauthProvider = (options) => {
 			}, async (ctx) => {
 				return continueEndpoint(ctx, opts);
 			}),
-			oauth2Token: createAuthEndpoint("/oauth2/token", {
+			oauth2Token: createOAuthEndpoint("/oauth2/token", {
 				method: "POST",
 				body: z.object({
-					grant_type: z.enum([
+					grant_type: z.string().pipe(z.enum([
 						"authorization_code",
 						"client_credentials",
 						"refresh_token"
-					]),
+					])),
 					client_id: z.string().optional(),
 					client_secret: z.string().optional(),
 					client_assertion: z.string().optional(),
@@ -3047,6 +3199,10 @@ const oauthProvider = (options) => {
 					resource: z.string().optional(),
 					scope: z.string().optional()
 				}),
+				errorCodesByField: { grant_type: {
+					missing: "invalid_request",
+					invalid: "unsupported_grant_type"
+				} },
 				metadata: {
 					allowedMediaTypes: ["application/x-www-form-urlencoded"],
 					openapi: {
@@ -3159,7 +3315,7 @@ const oauthProvider = (options) => {
 			}, async (ctx) => {
 				return tokenEndpoint(ctx, opts);
 			}),
-			oauth2Introspect: createAuthEndpoint("/oauth2/introspect", {
+			oauth2Introspect: createOAuthEndpoint("/oauth2/introspect", {
 				method: "POST",
 				body: z.object({
 					client_id: z.string().optional(),
@@ -3167,7 +3323,7 @@ const oauthProvider = (options) => {
 					client_assertion: z.string().optional(),
 					client_assertion_type: z.string().optional(),
 					token: z.string(),
-					token_type_hint: z.enum(["access_token", "refresh_token"]).optional()
+					token_type_hint: z.string().optional()
 				}),
 				metadata: {
 					allowedMediaTypes: ["application/x-www-form-urlencoded"],
@@ -3192,8 +3348,7 @@ const oauthProvider = (options) => {
 									},
 									token_type_hint: {
 										type: "string",
-										enum: ["access_token", "refresh_token"],
-										description: "Hint about the type of the token submitted for introspection"
+										description: "Hint about the token type. Recognized values: `access_token`, `refresh_token`."
 									},
 									resource: {
 										type: "string",
@@ -3279,7 +3434,7 @@ const oauthProvider = (options) => {
 			}, async (ctx) => {
 				return introspectEndpoint(ctx, opts);
 			}),
-			oauth2Revoke: createAuthEndpoint("/oauth2/revoke", {
+			oauth2Revoke: createOAuthEndpoint("/oauth2/revoke", {
 				method: "POST",
 				body: z.object({
 					client_id: z.string().optional(),
@@ -3287,7 +3442,7 @@ const oauthProvider = (options) => {
 					client_assertion: z.string().optional(),
 					client_assertion_type: z.string().optional(),
 					token: z.string(),
-					token_type_hint: z.enum(["access_token", "refresh_token"]).optional()
+					token_type_hint: z.string().optional()
 				}),
 				metadata: {
 					allowedMediaTypes: ["application/x-www-form-urlencoded"],
@@ -3312,8 +3467,7 @@ const oauthProvider = (options) => {
 									},
 									token_type_hint: {
 										type: "string",
-										enum: ["access_token", "refresh_token"],
-										description: "Hint about the type of the token submitted for revocation"
+										description: "Hint about the token type. Recognized values: `access_token`, `refresh_token`."
 									}
 								},
 								required: ["token"]
@@ -3434,7 +3588,7 @@ const oauthProvider = (options) => {
 			}, async (ctx) => {
 				return userInfoEndpoint(ctx, opts);
 			}),
-			oauth2EndSession: createAuthEndpoint("/oauth2/end-session", {
+			oauth2EndSession: createOAuthEndpoint("/oauth2/end-session", {
 				method: "GET",
 				query: z.object({
 					id_token_hint: z.string(),
@@ -3465,7 +3619,7 @@ const oauthProvider = (options) => {
 			}, async (ctx) => {
 				return rpInitiatedLogoutEndpoint(ctx, opts);
 			}),
-			registerOAuthClient: createAuthEndpoint("/oauth2/register", {
+			registerOAuthClient: createOAuthEndpoint("/oauth2/register", {
 				method: "POST",
 				body: z.object({
 					redirect_uris: z.array(SafeUrlSchema).min(1).min(1),
@@ -3502,6 +3656,12 @@ const oauthProvider = (options) => {
 					subject_type: z.enum(["public", "pairwise"]).optional(),
 					skip_consent: z.never({ error: "skip_consent cannot be set during dynamic client registration" }).optional()
 				}),
+				errorCodesByField: {
+					redirect_uris: "invalid_redirect_uri",
+					post_logout_redirect_uris: "invalid_redirect_uri",
+					software_statement: "invalid_software_statement"
+				},
+				defaultError: "invalid_client_metadata",
 				metadata: { openapi: {
 					description: "Register an OAuth2 application",
 					responses: { "200": {
@@ -3694,17 +3854,37 @@ const oauthProvider = (options) => {
 //#endregion
 //#region src/authorize.ts
 /**
-* Formats an error url
+* Formats an error url. Per OIDC Core 1.0 §5 / RFC 6749 §4.2.2.1, errors on
+* implicit and hybrid flows are delivered in the URL fragment, not the query.
+* Callers on the code flow (default) omit `mode` and get query delivery.
 */
-function formatErrorURL(url, error, description, state, iss) {
+function formatErrorURL(url, error, description, state, iss, mode = "query") {
 	const searchParams = new URLSearchParams({
 		error,
 		error_description: description
 	});
 	state && searchParams.append("state", state);
 	iss && searchParams.append("iss", iss);
+	if (mode === "fragment") return `${url}#${searchParams.toString()}`;
 	return `${url}${url.includes("?") ? "&" : "?"}${searchParams.toString()}`;
 }
+/**
+* Selects the response mode for an error redirect to the RP. OIDC Core 1.0 §5
+* defines defaults based on response_type: `code` → query, types containing
+* `token` / `id_token` → fragment. An explicit `response_mode` overrides.
+*
+* When `response_type` is duplicated (array) or absent, we can't trust the
+* caller's intent, so we default to query — the safer channel for
+* unrecognized shapes.
+*/
+function deriveResponseMode(raw) {
+	const responseMode = typeof raw.response_mode === "string" ? raw.response_mode : void 0;
+	if (responseMode === "fragment") return "fragment";
+	if (responseMode === "query") return "query";
+	const responseType = typeof raw.response_type === "string" ? raw.response_type : void 0;
+	if (responseType && /\b(token|id_token)\b/.test(responseType)) return "fragment";
+	return "query";
+}
 const handleRedirect = (ctx, uri) => {
 	const fromFetch = isBrowserFetchRequest(ctx.request?.headers);
 	const acceptJson = ctx.headers?.get("accept")?.includes("application/json");
@@ -3728,8 +3908,7 @@ function redirectWithPromptNoneError(ctx, opts, query, error, description) {
 function validateIssuerUrl(issuer) {
 	try {
 		const url = new URL(issuer);
-		const isLocalhost = url.hostname === "localhost" || url.hostname === "127.0.0.1";
-		if (url.protocol !== "https:" && !isLocalhost) url.protocol = "https:";
+		if (url.protocol !== "https:" && !isLoopbackHost(url.host)) url.protocol = "https:";
 		url.search = "";
 		url.hash = "";
 		return url.toString().replace(/\/$/, "");
@@ -3757,6 +3936,64 @@ function getIssuer(ctx, opts) {
 function getErrorURL(ctx, error, description) {
 	return formatErrorURL(ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`, error, description);
 }
+/**
+* Finds the matching entry in a client's registered redirect_uris for a
+* requested redirect_uri. Honors RFC 8252 §7.3 loopback port variance for
+* the full 127.0.0.0/8 range and [::1], matching on scheme+host+path+query
+* and ignoring port. DNS names like "localhost" are excluded per §8.3.
+*/
+function findRegisteredRedirectUri(registered, requested) {
+	if (!registered || !requested) return void 0;
+	let req;
+	try {
+		req = new URL(requested);
+	} catch {}
+	return registered.find((url) => {
+		if (url === requested) return true;
+		if (!req) return false;
+		try {
+			const reg = new URL(url);
+			return isLoopbackIP(reg.hostname) && reg.hostname === req.hostname && reg.pathname === req.pathname && reg.protocol === req.protocol && reg.search === req.search;
+		} catch {
+			return false;
+		}
+	});
+}
+/**
+* Loads the client, verifies it's enabled, and returns the requested
+* redirect_uri when it matches a registered entry. Returns null whenever the
+* RP cannot be safely reached, so callers can fall back to the server error
+* page (avoiding open-redirect risk on validation failures).
+*/
+async function resolveTrustedRedirectUri(ctx, opts, clientId, redirectUri) {
+	if (!clientId || !redirectUri) return null;
+	let client;
+	try {
+		client = await getClient(ctx, opts, clientId);
+	} catch {
+		return null;
+	}
+	if (!client || client.disabled) return null;
+	return findRegisteredRedirectUri(client.redirectUris, redirectUri) ? redirectUri : null;
+}
+/**
+* `redirectOnError` callback for `/oauth2/authorize`. Per RFC 6749 §4.1.2.1,
+* authorize errors MUST be delivered to the client's `redirect_uri` with
+* `error`, `error_description`, `state`, and (RFC 9207) `iss`. The clause
+* carves out one case: a missing/invalid `redirect_uri` or `client_id` MUST
+* NOT redirect to the requested URI. We implement the carve-out via
+* `resolveTrustedRedirectUri`, falling back to the server error page.
+*
+* Channel (query vs fragment) follows OIDC Core §5 via `deriveResponseMode`.
+*/
+function authorizeRedirectOnError(opts) {
+	return async ({ error, error_description, ctx }) => {
+		const raw = ctx.query ?? {};
+		const trusted = await resolveTrustedRedirectUri(ctx, opts, typeof raw.client_id === "string" ? raw.client_id : void 0, typeof raw.redirect_uri === "string" ? raw.redirect_uri : void 0);
+		if (trusted) return handleRedirect(ctx, formatErrorURL(trusted, error, error_description, typeof raw.state === "string" ? raw.state : void 0, getIssuer(ctx, opts), deriveResponseMode(raw)));
+		return handleRedirect(ctx, getErrorURL(ctx, error, error_description));
+	};
+}
 async function authorizeEndpoint(ctx, opts, settings) {
 	if (opts.grantTypes && !opts.grantTypes.includes("authorization_code")) throw new APIError$1("NOT_FOUND");
 	if (!ctx.request) throw new APIError$1("UNAUTHORIZED", {
@@ -3787,15 +4024,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	const client = await getClient(ctx, opts, query.client_id);
 	if (!client) return handleRedirect(ctx, getErrorURL(ctx, "invalid_client", "client_id is required"));
 	if (client.disabled) return handleRedirect(ctx, getErrorURL(ctx, "client_disabled", "client is disabled"));
-	if (!client.redirectUris?.find((url) => {
-		if (url === query.redirect_uri) return true;
-		try {
-			const registered = new URL(url);
-			const requested = new URL(query.redirect_uri);
-			if ((registered.hostname === "127.0.0.1" || registered.hostname === "[::1]") && registered.hostname === requested.hostname && registered.pathname === requested.pathname && registered.protocol === requested.protocol && registered.search === requested.search) return true;
-		} catch {}
-		return false;
-	}) || !query.redirect_uri) return handleRedirect(ctx, getErrorURL(ctx, "invalid_redirect", "invalid redirect uri"));
+	if (!findRegisteredRedirectUri(client.redirectUris, query.redirect_uri) || !query.redirect_uri) return handleRedirect(ctx, getErrorURL(ctx, "invalid_redirect", "invalid redirect uri"));
 	let requestedScopes = query.scope?.split(" ").filter((s) => s);
 	if (requestedScopes) {
 		const validScopes = new Set(client.scopes ?? opts.scopes);
@@ -4004,7 +4233,7 @@ function oidcServerMetadata(ctx, opts) {
 	return {
 		...authServerMetadata(ctx, jwtPluginOptions, {
 			scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
-			public_client_supported: opts.allowUnauthenticatedClientRegistration,
+			public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
 			grant_types_supported: opts.grantTypes,
 			jwt_disabled: opts.disableJwtPlugin
 		}),
@@ -4020,9 +4249,20 @@ function oidcServerMetadata(ctx, opts) {
 			"create",
 			"select_account",
 			"none"
-		]
+		],
+		...mergeDiscoveryMetadata(opts.clientDiscovery)
 	};
 }
+const METADATA_CACHE_CONTROL = "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400";
+function metadataResponse(body, extraHeaders) {
+	const headers = new Headers(extraHeaders);
+	if (!headers.has("Cache-Control")) headers.set("Cache-Control", METADATA_CACHE_CONTROL);
+	headers.set("Content-Type", "application/json");
+	return new Response(JSON.stringify(body), {
+		status: 200,
+		headers
+	});
+}
 /**
 * Provides an exportable `/.well-known/oauth-authorization-server`.
 *
@@ -4032,16 +4272,11 @@ function oidcServerMetadata(ctx, opts) {
 * @external
 */
 const oauthProviderAuthServerMetadata = (auth, opts) => {
-	return async (_request) => {
-		const res = await auth.api.getOAuthServerConfig();
-		return new Response(JSON.stringify(res), {
-			status: 200,
-			headers: {
-				"Cache-Control": "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
-				...opts?.headers,
-				"Content-Type": "application/json"
-			}
-		});
+	return async (request) => {
+		return metadataResponse(await auth.api.getOAuthServerConfig({
+			request,
+			asResponse: false
+		}), opts?.headers);
 	};
 };
 /**
@@ -4053,17 +4288,12 @@ const oauthProviderAuthServerMetadata = (auth, opts) => {
 * @external
 */
 const oauthProviderOpenIdConfigMetadata = (auth, opts) => {
-	return async (_request) => {
-		const res = await auth.api.getOpenIdConfig();
-		return new Response(JSON.stringify(res), {
-			status: 200,
-			headers: {
-				"Cache-Control": "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400",
-				...opts?.headers,
-				"Content-Type": "application/json"
-			}
-		});
+	return async (request) => {
+		return metadataResponse(await auth.api.getOpenIdConfig({
+			request,
+			asResponse: false
+		}), opts?.headers);
 	};
 };
 //#endregion
-export { authServerMetadata, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oidcServerMetadata };
+export { authServerMetadata, checkOAuthClient, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oauthToSchema, oidcServerMetadata };