@better-auth/oauth-provider 1.7.0-beta.1 → 1.7.0-beta.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,11 +1,58 @@
1
- import { _ as Scope, d as OAuthConsent, h as Prompt, i as OAuthClient, p as OAuthOptions, r as GrantType, s as TokenEndpointAuthMethod, t as AuthMethod } from "./oauth-CU79t-eG.mjs";
1
+ import { C as OAuthConsent, L as Prompt, M as OAuthResource, O as OAuthOptions, a as GrantType, l as TokenEndpointAuthMethod, n as AuthServerMetadata, o as OAuthClient, u as TokenType, z as Scope } from "./oauth-ScTJEcFV.mjs";
2
2
  import * as better_call0 from "better-call";
3
3
  import * as z from "zod";
4
- import * as better_auth_plugins0 from "better-auth/plugins";
5
4
  import * as jose from "jose";
5
+ import * as better_auth_plugins0 from "better-auth/plugins";
6
+ import { AuthContext, GenericEndpointContext } from "@better-auth/core";
6
7
  import * as better_auth0 from "better-auth";
7
8
 
9
+ //#region src/oauth-endpoint.d.ts
10
+ /**
11
+ * Canonical OAuth 2.0 / OpenID Connect error codes. The union is the single
12
+ * vocabulary for every error-emitting surface in this plugin: token, authorize,
13
+ * revoke, introspect, register, userinfo, logout, consent, and the redirect
14
+ * error channel. Entries are grouped by source RFC so the declaration doubles
15
+ * as a specification map.
16
+ *
17
+ * The trailing `(string & {})` keeps the type open for product-specific codes
18
+ * (e.g. `"invalid_verification"`, `"invalid_user"`) while preserving editor
19
+ * autocomplete for the listed standard codes. Prefer a standard code whenever
20
+ * one applies; fall back to a custom string only for states no RFC covers.
21
+ */
22
+ type OAuthErrorCode = "invalid_request" | "invalid_client" | "invalid_grant" | "unauthorized_client" | "unsupported_grant_type" | "unsupported_response_type" | "invalid_scope" | "access_denied" | "server_error" | "temporarily_unavailable" | "invalid_token" | "unsupported_token_type" | "invalid_redirect_uri" | "invalid_client_metadata" | "invalid_software_statement" | "unapproved_software_statement" | "invalid_target" | "invalid_request_object" | "login_required" | "consent_required" | "interaction_required" | "account_selection_required" | "invalid_request_uri" | "request_not_supported" | "request_uri_not_supported" | "registration_not_supported" | (string & {});
23
+ type OAuthFieldErrorCodeMap = {
24
+ missing?: OAuthErrorCode;
25
+ invalid?: OAuthErrorCode;
26
+ };
27
+ type OAuthFieldErrorCode = OAuthErrorCode | OAuthFieldErrorCodeMap;
28
+ interface OAuthEndpointErrorResult {
29
+ error: OAuthErrorCode;
30
+ error_description: string;
31
+ }
32
+ interface OAuthEndpointRedirectContext<Ctx = unknown> {
33
+ error: OAuthErrorCode;
34
+ error_description: string;
35
+ ctx: Ctx;
36
+ }
37
+ type OAuthRedirectOnError<Ctx = unknown, Result = unknown> = (result: OAuthEndpointRedirectContext<Ctx>) => Result | Promise<Result>;
38
+ //#endregion
39
+ //#region src/authorize.d.ts
40
+ type OAuthRedirectResult = {
41
+ redirect: true;
42
+ url: string;
43
+ };
44
+ /**
45
+ * Gets the issuer identifier
46
+ */
47
+ declare function getIssuer(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]>): string;
48
+ //#endregion
8
49
  //#region src/oauth.d.ts
50
+ /**
51
+ * Default scopes advertised and accepted when a configuration sets none. Shared
52
+ * with the MCP preset so the resource metadata it serves matches what the
53
+ * authorization-server metadata advertises.
54
+ */
55
+ declare const DEFAULT_OAUTH_SCOPES: readonly ["openid", "profile", "email", "offline_access"];
9
56
  declare module "@better-auth/core" {
10
57
  interface BetterAuthPluginRegistry<AuthOptions, Options> {
11
58
  "oauth-provider": {
@@ -15,6 +62,8 @@ declare module "@better-auth/core" {
15
62
  }
16
63
  declare const getOAuthProviderState: () => Promise<{
17
64
  query?: string;
65
+ signedQueryIssuedAt?: Date;
66
+ postLoginClearedForSession?: string;
18
67
  } | null>;
19
68
  /**
20
69
  * oAuth 2.1 provider plugin for Better Auth.
@@ -27,7 +76,31 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
27
76
  id: "oauth-provider";
28
77
  version: string;
29
78
  options: NoInfer<O>;
30
- init: (ctx: better_auth0.AuthContext) => void;
79
+ onRequest: (request: Request, ctx: better_auth0.AuthContext) => Promise<{
80
+ response: Response;
81
+ } | {
82
+ request: Request;
83
+ } | void>;
84
+ init: (ctx: better_auth0.AuthContext) => Promise<{
85
+ options: {
86
+ databaseHooks: {
87
+ session: {
88
+ delete: {
89
+ before(session: {
90
+ id: string;
91
+ createdAt: Date;
92
+ updatedAt: Date;
93
+ userId: string;
94
+ expiresAt: Date;
95
+ token: string;
96
+ ipAddress?: string | null | undefined;
97
+ userAgent?: string | null | undefined;
98
+ } & Record<string, unknown>, hookCtx: GenericEndpointContext | null): Promise<void>;
99
+ };
100
+ };
101
+ };
102
+ };
103
+ }>;
31
104
  hooks: {
32
105
  before: {
33
106
  matcher(ctx: better_auth0.HookEndpointContext): any;
@@ -35,10 +108,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
35
108
  }[];
36
109
  after: {
37
110
  matcher(ctx: better_auth0.HookEndpointContext): boolean;
38
- handler: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
39
- redirect: boolean;
40
- url: string;
41
- } | undefined>;
111
+ handler: (inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<OAuthRedirectResult | undefined>;
42
112
  }[];
43
113
  };
44
114
  endpoints: {
@@ -54,64 +124,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
54
124
  metadata: {
55
125
  SERVER_ONLY: true;
56
126
  };
57
- }, {
58
- jwks_uri?: string | undefined;
59
- userinfo_endpoint: string;
60
- acr_values_supported: string[];
61
- subject_types_supported: ("public" | "pairwise")[];
62
- claims_supported: string[];
63
- end_session_endpoint: string;
64
- prompt_values_supported: Prompt[];
65
- issuer: string;
66
- authorization_endpoint: string;
67
- token_endpoint: string;
68
- registration_endpoint: string;
69
- scopes_supported?: string[] | undefined;
70
- response_types_supported: "code"[];
71
- response_modes_supported: "query"[];
72
- grant_types_supported: GrantType[];
73
- token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
74
- token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
75
- service_documentation?: string | undefined;
76
- ui_locales_supported?: string[] | undefined;
77
- op_policy_uri?: string | undefined;
78
- op_tos_uri?: string | undefined;
79
- revocation_endpoint?: string | undefined;
80
- revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
81
- revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
82
- introspection_endpoint?: string | undefined;
83
- introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
84
- introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
85
- code_challenge_methods_supported: "S256"[];
86
- authorization_response_iss_parameter_supported?: boolean | undefined;
87
- client_id_metadata_document_supported?: boolean | undefined;
88
- id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
89
- } | {
90
- issuer: string;
91
- authorization_endpoint: string;
92
- token_endpoint: string;
93
- jwks_uri?: string;
94
- registration_endpoint: string;
95
- scopes_supported?: string[];
96
- response_types_supported: "code"[];
97
- response_modes_supported: "query"[];
98
- grant_types_supported: GrantType[];
99
- token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[];
100
- token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[];
101
- service_documentation?: string;
102
- ui_locales_supported?: string[];
103
- op_policy_uri?: string;
104
- op_tos_uri?: string;
105
- revocation_endpoint?: string;
106
- revocation_endpoint_auth_methods_supported?: AuthMethod[];
107
- revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[];
108
- introspection_endpoint?: string;
109
- introspection_endpoint_auth_methods_supported?: AuthMethod[];
110
- introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[];
111
- code_challenge_methods_supported: "S256"[];
112
- authorization_response_iss_parameter_supported?: boolean;
113
- client_id_metadata_document_supported?: boolean;
114
- }>;
127
+ }, AuthServerMetadata>;
115
128
  /**
116
129
  * A server-only endpoint that helps provide the
117
130
  * OpenId configuration at the well-known endpoint.
@@ -127,63 +140,48 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
127
140
  }, {
128
141
  jwks_uri?: string | undefined;
129
142
  userinfo_endpoint: string;
130
- acr_values_supported: string[];
143
+ acr_values_supported?: string[] | undefined;
131
144
  subject_types_supported: ("public" | "pairwise")[];
132
145
  claims_supported: string[];
146
+ claims_parameter_supported?: boolean | undefined;
133
147
  end_session_endpoint: string;
148
+ request_parameter_supported?: boolean | undefined;
149
+ request_uri_parameter_supported?: boolean | undefined;
134
150
  prompt_values_supported: Prompt[];
135
151
  issuer: string;
136
152
  authorization_endpoint: string;
137
153
  token_endpoint: string;
138
- registration_endpoint: string;
154
+ registration_endpoint?: string | undefined;
139
155
  scopes_supported?: string[] | undefined;
140
156
  response_types_supported: "code"[];
141
157
  response_modes_supported: "query"[];
142
158
  grant_types_supported: GrantType[];
143
159
  token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
144
- token_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
160
+ token_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
145
161
  service_documentation?: string | undefined;
146
162
  ui_locales_supported?: string[] | undefined;
147
163
  op_policy_uri?: string | undefined;
148
164
  op_tos_uri?: string | undefined;
149
165
  revocation_endpoint?: string | undefined;
150
- revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
151
- revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
166
+ revocation_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
167
+ revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
152
168
  introspection_endpoint?: string | undefined;
153
- introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
154
- introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.AssertionSigningAlgorithm[] | undefined;
169
+ introspection_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
170
+ introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
155
171
  code_challenge_methods_supported: "S256"[];
156
172
  authorization_response_iss_parameter_supported?: boolean | undefined;
157
173
  client_id_metadata_document_supported?: boolean | undefined;
174
+ backchannel_logout_supported?: boolean | undefined;
175
+ backchannel_logout_session_supported?: boolean | undefined;
176
+ dpop_signing_alg_values_supported?: better_auth_plugins0.JWSAlgorithms[] | undefined;
158
177
  id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
159
178
  }>;
160
179
  oauth2Authorize: better_call0.StrictEndpoint<"/oauth2/authorize", {
161
- method: "GET";
162
- query: z.ZodObject<{
163
- response_type: z.ZodOptional<z.ZodEnum<{
164
- code: "code";
165
- }>>;
166
- client_id: z.ZodString;
167
- redirect_uri: z.ZodOptional<z.ZodURL>;
168
- scope: z.ZodOptional<z.ZodString>;
169
- state: z.ZodOptional<z.ZodString>;
170
- request_uri: z.ZodOptional<z.ZodString>;
171
- code_challenge: z.ZodOptional<z.ZodString>;
172
- code_challenge_method: z.ZodOptional<z.ZodEnum<{
173
- S256: "S256";
174
- }>>;
175
- nonce: z.ZodOptional<z.ZodString>;
176
- prompt: z.ZodOptional<z.ZodEnum<{
177
- none: "none";
178
- consent: "consent";
179
- login: "login";
180
- create: "create";
181
- select_account: "select_account";
182
- "login consent": "login consent";
183
- "select_account consent": "select_account consent";
184
- }>>;
185
- }, z.core.$strip>;
180
+ method: ("GET" | "POST")[];
181
+ body: z.ZodObject<{}, z.core.$loose>;
182
+ redirectOnError: OAuthRedirectOnError<GenericEndpointContext, OAuthRedirectResult>;
186
183
  metadata: {
184
+ allowedMediaTypes: string[];
187
185
  openapi: {
188
186
  description: string;
189
187
  parameters: ({
@@ -193,6 +191,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
193
191
  schema: {
194
192
  type: "string";
195
193
  format?: undefined;
194
+ minimum?: undefined;
195
+ items?: undefined;
196
196
  };
197
197
  description: string;
198
198
  } | {
@@ -202,6 +202,8 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
202
202
  schema: {
203
203
  type: "string";
204
204
  format?: undefined;
205
+ minimum?: undefined;
206
+ items?: undefined;
205
207
  };
206
208
  description: string;
207
209
  } | {
@@ -211,6 +213,32 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
211
213
  schema: {
212
214
  type: "string";
213
215
  format: string;
216
+ minimum?: undefined;
217
+ items?: undefined;
218
+ };
219
+ description: string;
220
+ } | {
221
+ name: string;
222
+ in: "query";
223
+ required: false;
224
+ schema: {
225
+ type: "integer";
226
+ minimum: number;
227
+ format?: undefined;
228
+ items?: undefined;
229
+ };
230
+ description: string;
231
+ } | {
232
+ name: string;
233
+ in: "query";
234
+ required: false;
235
+ schema: {
236
+ type: "array";
237
+ items: {
238
+ type: "string";
239
+ };
240
+ format?: undefined;
241
+ minimum?: undefined;
214
242
  };
215
243
  description: string;
216
244
  })[];
@@ -252,15 +280,13 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
252
280
  };
253
281
  };
254
282
  };
255
- }, {
256
- redirect: boolean;
257
- url: string;
258
- }>;
283
+ }, OAuthRedirectResult>;
259
284
  oauth2Consent: better_call0.StrictEndpoint<"/oauth2/consent", {
260
285
  method: "POST";
261
286
  body: z.ZodObject<{
262
287
  accept: z.ZodBoolean;
263
288
  scope: z.ZodOptional<z.ZodString>;
289
+ claims: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodRecord<z.ZodString, z.ZodUnknown>]>>;
264
290
  oauth_query: z.ZodOptional<z.ZodString>;
265
291
  }, z.core.$strip>;
266
292
  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
@@ -311,7 +337,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
311
337
  };
312
338
  };
313
339
  };
314
- }, {
340
+ }, OAuthRedirectResult | {
315
341
  redirect: boolean;
316
342
  url: string;
317
343
  }>;
@@ -371,18 +397,12 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
371
397
  };
372
398
  };
373
399
  };
374
- }, {
375
- redirect: boolean;
376
- url: string;
377
- }>;
400
+ }, OAuthRedirectResult>;
378
401
  oauth2Token: better_call0.StrictEndpoint<"/oauth2/token", {
379
402
  method: "POST";
403
+ cloneRequest: true;
380
404
  body: z.ZodObject<{
381
- grant_type: z.ZodEnum<{
382
- authorization_code: "authorization_code";
383
- client_credentials: "client_credentials";
384
- refresh_token: "refresh_token";
385
- }>;
405
+ grant_type: z.ZodString;
386
406
  client_id: z.ZodOptional<z.ZodString>;
387
407
  client_secret: z.ZodOptional<z.ZodString>;
388
408
  client_assertion: z.ZodOptional<z.ZodString>;
@@ -391,13 +411,32 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
391
411
  code_verifier: z.ZodOptional<z.ZodString>;
392
412
  redirect_uri: z.ZodOptional<z.ZodURL>;
393
413
  refresh_token: z.ZodOptional<z.ZodString>;
394
- resource: z.ZodOptional<z.ZodString>;
414
+ resource: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
395
415
  scope: z.ZodOptional<z.ZodString>;
396
- }, z.core.$strip>;
416
+ }, z.core.$loose>;
417
+ errorCodesByField: {
418
+ grant_type: {
419
+ missing: "invalid_request";
420
+ invalid: "unsupported_grant_type";
421
+ };
422
+ resource: {
423
+ invalid: "invalid_target";
424
+ };
425
+ };
397
426
  metadata: {
427
+ noStore: boolean;
398
428
  allowedMediaTypes: string[];
399
429
  openapi: {
400
430
  description: string;
431
+ parameters: {
432
+ name: string;
433
+ in: "header";
434
+ required: false;
435
+ schema: {
436
+ type: "string";
437
+ };
438
+ description: string;
439
+ }[];
401
440
  requestBody: {
402
441
  required: boolean;
403
442
  content: {
@@ -407,7 +446,6 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
407
446
  properties: {
408
447
  grant_type: {
409
448
  type: string;
410
- enum: string[];
411
449
  description: string;
412
450
  };
413
451
  client_id: {
@@ -436,7 +474,17 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
436
474
  description: string;
437
475
  };
438
476
  resource: {
439
- type: string;
477
+ oneOf: ({
478
+ type: string;
479
+ description: string;
480
+ items?: undefined;
481
+ } | {
482
+ type: string;
483
+ items: {
484
+ type: string;
485
+ };
486
+ description: string;
487
+ })[];
440
488
  description: string;
441
489
  };
442
490
  scope: {
@@ -514,10 +562,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
514
562
  };
515
563
  };
516
564
  }, {
517
- access_token: string;
518
565
  expires_in: number;
566
+ access_token: string;
519
567
  expires_at: number;
520
- token_type: "Bearer";
568
+ token_type: TokenType;
521
569
  refresh_token: string | undefined;
522
570
  scope: string;
523
571
  id_token: string | undefined;
@@ -530,12 +578,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
530
578
  client_assertion: z.ZodOptional<z.ZodString>;
531
579
  client_assertion_type: z.ZodOptional<z.ZodString>;
532
580
  token: z.ZodString;
533
- token_type_hint: z.ZodOptional<z.ZodEnum<{
534
- refresh_token: "refresh_token";
535
- access_token: "access_token";
536
- }>>;
581
+ token_type_hint: z.ZodOptional<z.ZodString>;
537
582
  }, z.core.$strip>;
538
583
  metadata: {
584
+ noStore: boolean;
539
585
  allowedMediaTypes: string[];
540
586
  openapi: {
541
587
  description: string;
@@ -559,11 +605,6 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
559
605
  description: string;
560
606
  };
561
607
  token_type_hint: {
562
- type: string;
563
- enum: string[];
564
- description: string;
565
- };
566
- resource: {
567
608
  type: string;
568
609
  description: string;
569
610
  };
@@ -669,10 +710,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
669
710
  client_assertion: z.ZodOptional<z.ZodString>;
670
711
  client_assertion_type: z.ZodOptional<z.ZodString>;
671
712
  token: z.ZodString;
672
- token_type_hint: z.ZodOptional<z.ZodEnum<{
673
- refresh_token: "refresh_token";
674
- access_token: "access_token";
675
- }>>;
713
+ token_type_hint: z.ZodOptional<z.ZodString>;
676
714
  }, z.core.$strip>;
677
715
  metadata: {
678
716
  allowedMediaTypes: string[];
@@ -699,7 +737,6 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
699
737
  };
700
738
  token_type_hint: {
701
739
  type: string;
702
- enum: string[];
703
740
  description: string;
704
741
  };
705
742
  };
@@ -747,8 +784,13 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
747
784
  };
748
785
  }, null | undefined>;
749
786
  oauth2UserInfo: better_call0.StrictEndpoint<"/oauth2/userinfo", {
750
- method: "GET";
787
+ method: ("GET" | "POST")[];
788
+ body: z.ZodOptional<z.ZodObject<{
789
+ access_token: z.ZodOptional<z.ZodString>;
790
+ }, z.core.$loose>>;
751
791
  metadata: {
792
+ noStore: boolean;
793
+ allowedMediaTypes: string[];
752
794
  openapi: {
753
795
  description: string;
754
796
  security: ({
@@ -859,13 +901,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
859
901
  };
860
902
  };
861
903
  }, {
862
- email?: string | undefined;
863
- email_verified?: boolean | undefined;
864
- name?: string | undefined;
865
- picture?: string | undefined;
866
- given_name?: string | undefined;
867
- family_name?: string | undefined;
868
- sub: string;
904
+ sub: unknown;
869
905
  }>;
870
906
  oauth2EndSession: better_call0.StrictEndpoint<"/oauth2/end-session", {
871
907
  method: "GET";
@@ -903,14 +939,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
903
939
  };
904
940
  };
905
941
  };
906
- }, {
907
- redirect: boolean;
908
- url: string;
909
- } | undefined>;
942
+ }, OAuthRedirectResult | undefined>;
910
943
  registerOAuthClient: better_call0.StrictEndpoint<"/oauth2/register", {
911
944
  method: "POST";
912
945
  body: z.ZodObject<{
913
- redirect_uris: z.ZodArray<z.ZodURL>;
946
+ redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
914
947
  scope: z.ZodOptional<z.ZodString>;
915
948
  client_name: z.ZodOptional<z.ZodString>;
916
949
  client_uri: z.ZodOptional<z.ZodString>;
@@ -922,24 +955,17 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
922
955
  software_version: z.ZodOptional<z.ZodString>;
923
956
  software_statement: z.ZodOptional<z.ZodString>;
924
957
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
925
- token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
926
- none: "none";
927
- client_secret_basic: "client_secret_basic";
928
- client_secret_post: "client_secret_post";
929
- private_key_jwt: "private_key_jwt";
930
- }>>>;
958
+ backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
959
+ backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
960
+ token_endpoint_auth_method: z.ZodOptional<z.ZodString>;
931
961
  jwks: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>, z.ZodObject<{
932
962
  keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
933
963
  }, z.core.$strip>]>>;
934
964
  jwks_uri: z.ZodOptional<z.ZodString>;
935
- grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
936
- authorization_code: "authorization_code";
937
- client_credentials: "client_credentials";
938
- refresh_token: "refresh_token";
939
- }>>>>;
940
- response_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
965
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
966
+ response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
941
967
  code: "code";
942
- }>>>>;
968
+ }>>>;
943
969
  type: z.ZodOptional<z.ZodEnum<{
944
970
  web: "web";
945
971
  native: "native";
@@ -949,13 +975,23 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
949
975
  public: "public";
950
976
  pairwise: "pairwise";
951
977
  }>>;
978
+ dpop_bound_access_tokens: z.ZodOptional<z.ZodBoolean>;
979
+ resources: z.ZodOptional<z.ZodArray<z.ZodString>>;
952
980
  skip_consent: z.ZodOptional<z.ZodNever>;
953
981
  }, z.core.$strip>;
982
+ errorCodesByField: {
983
+ redirect_uris: "invalid_redirect_uri";
984
+ post_logout_redirect_uris: "invalid_redirect_uri";
985
+ software_statement: "invalid_software_statement";
986
+ resources: "invalid_target";
987
+ };
988
+ defaultError: "invalid_client_metadata";
954
989
  metadata: {
990
+ noStore: boolean;
955
991
  openapi: {
956
992
  description: string;
957
993
  responses: {
958
- "200": {
994
+ "201": {
959
995
  description: string;
960
996
  content: {
961
997
  "application/json": {
@@ -1041,16 +1077,23 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1041
1077
  };
1042
1078
  description: string;
1043
1079
  };
1080
+ backchannel_logout_uri: {
1081
+ type: string;
1082
+ format: string;
1083
+ description: string;
1084
+ };
1085
+ backchannel_logout_session_required: {
1086
+ type: string;
1087
+ description: string;
1088
+ };
1044
1089
  token_endpoint_auth_method: {
1045
1090
  type: string;
1046
1091
  description: string;
1047
- enum: string[];
1048
1092
  };
1049
1093
  grant_types: {
1050
1094
  type: string;
1051
1095
  items: {
1052
1096
  type: string;
1053
- enum: string[];
1054
1097
  };
1055
1098
  description: string;
1056
1099
  };
@@ -1088,7 +1131,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1088
1131
  adminCreateOAuthClient: better_call0.StrictEndpoint<"/admin/oauth2/create-client", {
1089
1132
  method: "POST";
1090
1133
  body: z.ZodObject<{
1091
- redirect_uris: z.ZodArray<z.ZodURL>;
1134
+ redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1092
1135
  scope: z.ZodOptional<z.ZodString>;
1093
1136
  client_name: z.ZodOptional<z.ZodString>;
1094
1137
  client_uri: z.ZodOptional<z.ZodString>;
@@ -1100,24 +1143,17 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1100
1143
  software_version: z.ZodOptional<z.ZodString>;
1101
1144
  software_statement: z.ZodOptional<z.ZodString>;
1102
1145
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1103
- token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
1104
- none: "none";
1105
- client_secret_basic: "client_secret_basic";
1106
- client_secret_post: "client_secret_post";
1107
- private_key_jwt: "private_key_jwt";
1108
- }>>>;
1146
+ backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
1147
+ backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
1148
+ token_endpoint_auth_method: z.ZodOptional<z.ZodString>;
1109
1149
  jwks: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>, z.ZodObject<{
1110
1150
  keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
1111
1151
  }, z.core.$strip>]>>;
1112
1152
  jwks_uri: z.ZodOptional<z.ZodString>;
1113
- grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
1114
- authorization_code: "authorization_code";
1115
- client_credentials: "client_credentials";
1116
- refresh_token: "refresh_token";
1117
- }>>>>;
1118
- response_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
1153
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
1154
+ response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1119
1155
  code: "code";
1120
- }>>>>;
1156
+ }>>>;
1121
1157
  type: z.ZodOptional<z.ZodEnum<{
1122
1158
  web: "web";
1123
1159
  native: "native";
@@ -1127,6 +1163,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1127
1163
  skip_consent: z.ZodOptional<z.ZodBoolean>;
1128
1164
  enable_end_session: z.ZodOptional<z.ZodBoolean>;
1129
1165
  require_pkce: z.ZodOptional<z.ZodBoolean>;
1166
+ dpop_bound_access_tokens: z.ZodOptional<z.ZodBoolean>;
1130
1167
  subject_type: z.ZodOptional<z.ZodEnum<{
1131
1168
  public: "public";
1132
1169
  pairwise: "pairwise";
@@ -1134,11 +1171,12 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1134
1171
  metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
1135
1172
  }, z.core.$strip>;
1136
1173
  metadata: {
1174
+ noStore: boolean;
1137
1175
  SERVER_ONLY: true;
1138
1176
  openapi: {
1139
1177
  description: string;
1140
1178
  responses: {
1141
- "200": {
1179
+ "201": {
1142
1180
  description: string;
1143
1181
  content: {
1144
1182
  "application/json": {
@@ -1219,13 +1257,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1219
1257
  token_endpoint_auth_method: {
1220
1258
  type: string;
1221
1259
  description: string;
1222
- enum: string[];
1223
1260
  };
1224
1261
  grant_types: {
1225
1262
  type: string;
1226
1263
  items: {
1227
1264
  type: string;
1228
- enum: string[];
1229
1265
  };
1230
1266
  description: string;
1231
1267
  };
@@ -1297,7 +1333,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1297
1333
  };
1298
1334
  }>)[];
1299
1335
  body: z.ZodObject<{
1300
- redirect_uris: z.ZodArray<z.ZodURL>;
1336
+ redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1301
1337
  scope: z.ZodOptional<z.ZodString>;
1302
1338
  client_name: z.ZodOptional<z.ZodString>;
1303
1339
  client_uri: z.ZodOptional<z.ZodString>;
@@ -1309,35 +1345,30 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1309
1345
  software_version: z.ZodOptional<z.ZodString>;
1310
1346
  software_statement: z.ZodOptional<z.ZodString>;
1311
1347
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1312
- token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
1313
- none: "none";
1314
- client_secret_basic: "client_secret_basic";
1315
- client_secret_post: "client_secret_post";
1316
- private_key_jwt: "private_key_jwt";
1317
- }>>>;
1348
+ backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
1349
+ backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
1350
+ token_endpoint_auth_method: z.ZodOptional<z.ZodString>;
1318
1351
  jwks: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>, z.ZodObject<{
1319
1352
  keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
1320
1353
  }, z.core.$strip>]>>;
1321
1354
  jwks_uri: z.ZodOptional<z.ZodString>;
1322
- grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
1323
- authorization_code: "authorization_code";
1324
- client_credentials: "client_credentials";
1325
- refresh_token: "refresh_token";
1326
- }>>>>;
1327
- response_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
1355
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
1356
+ response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1328
1357
  code: "code";
1329
- }>>>>;
1358
+ }>>>;
1330
1359
  type: z.ZodOptional<z.ZodEnum<{
1331
1360
  web: "web";
1332
1361
  native: "native";
1333
1362
  "user-agent-based": "user-agent-based";
1334
1363
  }>>;
1364
+ dpop_bound_access_tokens: z.ZodOptional<z.ZodBoolean>;
1335
1365
  }, z.core.$strip>;
1336
1366
  metadata: {
1367
+ noStore: boolean;
1337
1368
  openapi: {
1338
1369
  description: string;
1339
1370
  responses: {
1340
- "200": {
1371
+ "201": {
1341
1372
  description: string;
1342
1373
  content: {
1343
1374
  "application/json": {
@@ -1418,13 +1449,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1418
1449
  token_endpoint_auth_method: {
1419
1450
  type: string;
1420
1451
  description: string;
1421
- enum: string[];
1422
1452
  };
1423
1453
  grant_types: {
1424
1454
  type: string;
1425
1455
  items: {
1426
1456
  type: string;
1427
- enum: string[];
1428
1457
  };
1429
1458
  description: string;
1430
1459
  };
@@ -1594,11 +1623,9 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1594
1623
  software_version: z.ZodOptional<z.ZodString>;
1595
1624
  software_statement: z.ZodOptional<z.ZodString>;
1596
1625
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1597
- grant_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1598
- authorization_code: "authorization_code";
1599
- client_credentials: "client_credentials";
1600
- refresh_token: "refresh_token";
1601
- }>>>;
1626
+ backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
1627
+ backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
1628
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
1602
1629
  response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1603
1630
  code: "code";
1604
1631
  }>>>;
@@ -1610,6 +1637,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1610
1637
  client_secret_expires_at: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>>;
1611
1638
  skip_consent: z.ZodOptional<z.ZodBoolean>;
1612
1639
  enable_end_session: z.ZodOptional<z.ZodBoolean>;
1640
+ dpop_bound_access_tokens: z.ZodOptional<z.ZodBoolean>;
1613
1641
  metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
1614
1642
  }, z.core.$strip>;
1615
1643
  }, z.core.$strip>;
@@ -1660,11 +1688,9 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1660
1688
  software_version: z.ZodOptional<z.ZodString>;
1661
1689
  software_statement: z.ZodOptional<z.ZodString>;
1662
1690
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1663
- grant_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1664
- authorization_code: "authorization_code";
1665
- client_credentials: "client_credentials";
1666
- refresh_token: "refresh_token";
1667
- }>>>;
1691
+ backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
1692
+ backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
1693
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
1668
1694
  response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1669
1695
  code: "code";
1670
1696
  }>>>;
@@ -1710,6 +1736,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1710
1736
  client_id: z.ZodString;
1711
1737
  }, z.core.$strip>;
1712
1738
  metadata: {
1739
+ noStore: boolean;
1713
1740
  openapi: {
1714
1741
  description: string;
1715
1742
  };
@@ -1885,6 +1912,92 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1885
1912
  };
1886
1913
  };
1887
1914
  }, void>;
1915
+ adminCreateOAuthResource: better_call0.StrictEndpoint<"/admin/oauth2/resources", {
1916
+ method: "POST";
1917
+ body: z.ZodObject<{
1918
+ identifier: z.ZodNonOptional<z.ZodOptional<z.ZodString>>;
1919
+ name: z.ZodOptional<z.ZodString>;
1920
+ accessTokenTtl: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
1921
+ refreshTokenTtl: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
1922
+ signingAlgorithm: z.ZodOptional<z.ZodNullable<z.ZodEnum<{
1923
+ RS256: "RS256";
1924
+ PS256: "PS256";
1925
+ ES256: "ES256";
1926
+ ES512: "ES512";
1927
+ EdDSA: "EdDSA";
1928
+ }>>>;
1929
+ signingKeyId: z.ZodOptional<z.ZodNullable<z.ZodString>>;
1930
+ allowedScopes: z.ZodOptional<z.ZodNullable<z.ZodArray<z.ZodString>>>;
1931
+ customClaims: z.ZodOptional<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
1932
+ dpopBoundAccessTokensRequired: z.ZodOptional<z.ZodBoolean>;
1933
+ disabled: z.ZodOptional<z.ZodBoolean>;
1934
+ metadata: z.ZodOptional<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
1935
+ }, z.core.$strip>;
1936
+ metadata: {
1937
+ SERVER_ONLY: true;
1938
+ };
1939
+ }, OAuthResource>;
1940
+ adminListOAuthResources: better_call0.StrictEndpoint<"/admin/oauth2/resources", {
1941
+ method: "GET";
1942
+ metadata: {
1943
+ SERVER_ONLY: true;
1944
+ };
1945
+ }, OAuthResource[]>;
1946
+ adminGetOAuthResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier", {
1947
+ method: "GET";
1948
+ metadata: {
1949
+ SERVER_ONLY: true;
1950
+ };
1951
+ }, OAuthResource>;
1952
+ adminUpdateOAuthResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier", {
1953
+ method: "PATCH";
1954
+ body: z.ZodObject<{
1955
+ identifier: z.ZodOptional<z.ZodString>;
1956
+ name: z.ZodOptional<z.ZodString>;
1957
+ accessTokenTtl: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
1958
+ refreshTokenTtl: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
1959
+ signingAlgorithm: z.ZodOptional<z.ZodNullable<z.ZodEnum<{
1960
+ RS256: "RS256";
1961
+ PS256: "PS256";
1962
+ ES256: "ES256";
1963
+ ES512: "ES512";
1964
+ EdDSA: "EdDSA";
1965
+ }>>>;
1966
+ signingKeyId: z.ZodOptional<z.ZodNullable<z.ZodString>>;
1967
+ allowedScopes: z.ZodOptional<z.ZodNullable<z.ZodArray<z.ZodString>>>;
1968
+ customClaims: z.ZodOptional<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
1969
+ dpopBoundAccessTokensRequired: z.ZodOptional<z.ZodBoolean>;
1970
+ disabled: z.ZodOptional<z.ZodBoolean>;
1971
+ metadata: z.ZodOptional<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
1972
+ }, z.core.$strip>;
1973
+ metadata: {
1974
+ SERVER_ONLY: true;
1975
+ };
1976
+ }, OAuthResource>;
1977
+ adminDeleteOAuthResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier", {
1978
+ method: "DELETE";
1979
+ metadata: {
1980
+ SERVER_ONLY: true;
1981
+ };
1982
+ }, {
1983
+ deleted: boolean;
1984
+ }>;
1985
+ adminLinkClientResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier/clients/:client_id", {
1986
+ method: "POST";
1987
+ metadata: {
1988
+ SERVER_ONLY: true;
1989
+ };
1990
+ }, {
1991
+ linked: boolean;
1992
+ }>;
1993
+ adminUnlinkClientResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier/clients/:client_id", {
1994
+ method: "DELETE";
1995
+ metadata: {
1996
+ SERVER_ONLY: true;
1997
+ };
1998
+ }, {
1999
+ unlinked: boolean;
2000
+ }>;
1888
2001
  };
1889
2002
  schema: {
1890
2003
  oauthClient: {
@@ -1927,6 +2040,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1927
2040
  model: string;
1928
2041
  field: string;
1929
2042
  };
2043
+ index: true;
1930
2044
  };
1931
2045
  createdAt: {
1932
2046
  type: "date";
@@ -1980,6 +2094,14 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1980
2094
  type: "string[]";
1981
2095
  required: false;
1982
2096
  };
2097
+ backchannelLogoutUri: {
2098
+ type: "string";
2099
+ required: false;
2100
+ };
2101
+ backchannelLogoutSessionRequired: {
2102
+ type: "boolean";
2103
+ required: false;
2104
+ };
1983
2105
  tokenEndpointAuthMethod: {
1984
2106
  type: "string";
1985
2107
  required: false;
@@ -2012,6 +2134,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2012
2134
  type: "boolean";
2013
2135
  required: false;
2014
2136
  };
2137
+ dpopBoundAccessTokens: {
2138
+ type: "boolean";
2139
+ required: false;
2140
+ defaultValue: false;
2141
+ };
2015
2142
  referenceId: {
2016
2143
  type: "string";
2017
2144
  required: false;
@@ -2022,11 +2149,110 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2022
2149
  };
2023
2150
  };
2024
2151
  };
2152
+ oauthResource: {
2153
+ modelName: string;
2154
+ fields: {
2155
+ identifier: {
2156
+ type: "string";
2157
+ required: true;
2158
+ unique: true;
2159
+ };
2160
+ name: {
2161
+ type: "string";
2162
+ required: true;
2163
+ };
2164
+ accessTokenTtl: {
2165
+ type: "number";
2166
+ required: false;
2167
+ };
2168
+ refreshTokenTtl: {
2169
+ type: "number";
2170
+ required: false;
2171
+ };
2172
+ signingAlgorithm: {
2173
+ type: "string";
2174
+ required: false;
2175
+ };
2176
+ signingKeyId: {
2177
+ type: "string";
2178
+ required: false;
2179
+ };
2180
+ allowedScopes: {
2181
+ type: "string[]";
2182
+ required: false;
2183
+ };
2184
+ customClaims: {
2185
+ type: "json";
2186
+ required: false;
2187
+ };
2188
+ dpopBoundAccessTokensRequired: {
2189
+ type: "boolean";
2190
+ required: false;
2191
+ defaultValue: false;
2192
+ };
2193
+ disabled: {
2194
+ type: "boolean";
2195
+ required: false;
2196
+ defaultValue: false;
2197
+ };
2198
+ createdAt: {
2199
+ type: "date";
2200
+ required: false;
2201
+ };
2202
+ updatedAt: {
2203
+ type: "date";
2204
+ required: false;
2205
+ };
2206
+ policyVersion: {
2207
+ type: "number";
2208
+ required: false;
2209
+ defaultValue: number;
2210
+ };
2211
+ metadata: {
2212
+ type: "json";
2213
+ required: false;
2214
+ };
2215
+ };
2216
+ };
2217
+ oauthClientResource: {
2218
+ modelName: string;
2219
+ fields: {
2220
+ clientId: {
2221
+ type: "string";
2222
+ required: true;
2223
+ references: {
2224
+ model: string;
2225
+ field: string;
2226
+ onDelete: "cascade";
2227
+ };
2228
+ index: true;
2229
+ };
2230
+ resourceId: {
2231
+ type: "string";
2232
+ required: true;
2233
+ references: {
2234
+ model: string;
2235
+ field: string;
2236
+ onDelete: "cascade";
2237
+ };
2238
+ index: true;
2239
+ };
2240
+ metadata: {
2241
+ type: "json";
2242
+ required: false;
2243
+ };
2244
+ createdAt: {
2245
+ type: "date";
2246
+ required: false;
2247
+ };
2248
+ };
2249
+ };
2025
2250
  oauthRefreshToken: {
2026
2251
  fields: {
2027
2252
  token: {
2028
2253
  type: "string";
2029
2254
  required: true;
2255
+ unique: true;
2030
2256
  };
2031
2257
  clientId: {
2032
2258
  type: "string";
@@ -2035,6 +2261,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2035
2261
  model: string;
2036
2262
  field: string;
2037
2263
  };
2264
+ index: true;
2038
2265
  };
2039
2266
  sessionId: {
2040
2267
  type: "string";
@@ -2044,6 +2271,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2044
2271
  field: string;
2045
2272
  onDelete: "set null";
2046
2273
  };
2274
+ index: true;
2047
2275
  };
2048
2276
  userId: {
2049
2277
  type: "string";
@@ -2052,11 +2280,25 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2052
2280
  model: string;
2053
2281
  field: string;
2054
2282
  };
2283
+ index: true;
2055
2284
  };
2056
2285
  referenceId: {
2057
2286
  type: "string";
2058
2287
  required: false;
2059
2288
  };
2289
+ authorizationCodeId: {
2290
+ type: "string";
2291
+ required: false;
2292
+ index: true;
2293
+ };
2294
+ resources: {
2295
+ type: "string[]";
2296
+ required: false;
2297
+ };
2298
+ requestedUserInfoClaims: {
2299
+ type: "string[]";
2300
+ required: false;
2301
+ };
2060
2302
  expiresAt: {
2061
2303
  type: "date";
2062
2304
  };
@@ -2067,10 +2309,26 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2067
2309
  type: "date";
2068
2310
  required: false;
2069
2311
  };
2312
+ rotatedAt: {
2313
+ type: "date";
2314
+ required: false;
2315
+ };
2316
+ rotationReplayResponse: {
2317
+ type: "string";
2318
+ required: false;
2319
+ };
2320
+ rotationReplayExpiresAt: {
2321
+ type: "date";
2322
+ required: false;
2323
+ };
2070
2324
  authTime: {
2071
2325
  type: "date";
2072
2326
  required: false;
2073
2327
  };
2328
+ confirmation: {
2329
+ type: "json";
2330
+ required: false;
2331
+ };
2074
2332
  scopes: {
2075
2333
  type: "string[]";
2076
2334
  required: true;
@@ -2091,6 +2349,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2091
2349
  model: string;
2092
2350
  field: string;
2093
2351
  };
2352
+ index: true;
2094
2353
  };
2095
2354
  sessionId: {
2096
2355
  type: "string";
@@ -2100,6 +2359,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2100
2359
  field: string;
2101
2360
  onDelete: "set null";
2102
2361
  };
2362
+ index: true;
2103
2363
  };
2104
2364
  userId: {
2105
2365
  type: "string";
@@ -2108,11 +2368,25 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2108
2368
  model: string;
2109
2369
  field: string;
2110
2370
  };
2371
+ index: true;
2111
2372
  };
2112
2373
  referenceId: {
2113
2374
  type: "string";
2114
2375
  required: false;
2115
2376
  };
2377
+ authorizationCodeId: {
2378
+ type: "string";
2379
+ required: false;
2380
+ index: true;
2381
+ };
2382
+ resources: {
2383
+ type: "string[]";
2384
+ required: false;
2385
+ };
2386
+ requestedUserInfoClaims: {
2387
+ type: "string[]";
2388
+ required: false;
2389
+ };
2116
2390
  refreshId: {
2117
2391
  type: "string";
2118
2392
  required: false;
@@ -2120,6 +2394,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2120
2394
  model: string;
2121
2395
  field: string;
2122
2396
  };
2397
+ index: true;
2123
2398
  };
2124
2399
  expiresAt: {
2125
2400
  type: "date";
@@ -2127,6 +2402,14 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2127
2402
  createdAt: {
2128
2403
  type: "date";
2129
2404
  };
2405
+ revoked: {
2406
+ type: "date";
2407
+ required: false;
2408
+ };
2409
+ confirmation: {
2410
+ type: "json";
2411
+ required: false;
2412
+ };
2130
2413
  scopes: {
2131
2414
  type: "string[]";
2132
2415
  required: true;
@@ -2143,6 +2426,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2143
2426
  model: string;
2144
2427
  field: string;
2145
2428
  };
2429
+ index: true;
2146
2430
  };
2147
2431
  userId: {
2148
2432
  type: "string";
@@ -2151,11 +2435,20 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2151
2435
  model: string;
2152
2436
  field: string;
2153
2437
  };
2438
+ index: true;
2154
2439
  };
2155
2440
  referenceId: {
2156
2441
  type: "string";
2157
2442
  required: false;
2158
2443
  };
2444
+ resources: {
2445
+ type: "string[]";
2446
+ required: false;
2447
+ };
2448
+ requestedUserInfoClaims: {
2449
+ type: "string[]";
2450
+ required: false;
2451
+ };
2159
2452
  scopes: {
2160
2453
  type: "string[]";
2161
2454
  required: true;
@@ -2168,6 +2461,15 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2168
2461
  };
2169
2462
  };
2170
2463
  };
2464
+ oauthClientAssertion: {
2465
+ modelName: string;
2466
+ fields: {
2467
+ expiresAt: {
2468
+ type: "date";
2469
+ required: true;
2470
+ };
2471
+ };
2472
+ };
2171
2473
  };
2172
2474
  rateLimit: ({
2173
2475
  pathMatcher: (path: string) => path is "/oauth2/token";
@@ -2196,4 +2498,4 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2196
2498
  })[];
2197
2499
  };
2198
2500
  //#endregion
2199
- export { oauthProvider as n, getOAuthProviderState as t };
2501
+ export { OAuthEndpointErrorResult as a, OAuthFieldErrorCode as c, getIssuer as i, OAuthFieldErrorCodeMap as l, getOAuthProviderState as n, OAuthEndpointRedirectContext as o, oauthProvider as r, OAuthErrorCode as s, DEFAULT_OAUTH_SCOPES as t, OAuthRedirectOnError as u };