@better-auth/oauth-provider 1.7.0-beta.2 → 1.7.0-beta.4

package/dist/index.mjs

@@ -1,11 +1,11 @@
-import { n as isPrivateHostname } from "./client-assertion-CderPEmR.mjs";
+import { n as isPrivateHostname } from "./client-assertion-DLMKVgoj.mjs";
 import { n as mcpHandler } from "./mcp-CYnz-MXn.mjs";
-import { _ as storeClientSecret, a as getClient, b as validateClientCredentials, c as getStoredToken, d as normalizeTimestampValue, f as parseClientMetadata, g as searchParamsToQuery, h as resolveSubjectIdentifier, i as extractClientCredentials, l as isPKCERequired, m as resolveSessionAuthTime, n as deleteFromPrompt, o as getJwtPlugin, p as parsePrompt, r as destructureCredentials, t as decryptStoredClientSecret, u as mergeDiscoveryMetadata, v as storeToken, x as verifyOAuthQueryParams, y as toClientDiscoveryArray } from "./utils-Cx_XnD9i.mjs";
-import { t as PACKAGE_VERSION } from "./version-CZxZ64qJ.mjs";
+import { C as toAudienceClaim, D as verifyOAuthQueryParams, E as validateClientCredentials, S as storeToken, T as toResourceList, _ as resolveSessionAuthTime, a as getClient, b as signedQueryIssuedAtParam, c as getSignedQueryIssuedAt, d as mergeDiscoveryMetadata, f as normalizeTimestampValue, g as removePromptFromQuery, h as postLoginClearedParam, i as extractClientCredentials, l as getStoredToken, m as parsePrompt, n as decryptStoredClientSecret, o as getJwtPlugin, p as parseClientMetadata, r as destructureCredentials, t as checkResource, u as isPKCERequired, v as resolveSubjectIdentifier, w as toClientDiscoveryArray, x as storeClientSecret, y as searchParamsToQuery } from "./utils-DKBWQ8fe.mjs";
+import { t as PACKAGE_VERSION } from "./version-nFnRm-a3.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
-import { ASSERTION_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
+import { PRIVATE_KEY_JWT_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
 import { isBrowserFetchRequest } from "@better-auth/core/utils/fetch-metadata";
 import { isLoopbackHost, isLoopbackIP } from "@better-auth/core/utils/host";
 import { generateRandomString, makeSignature } from "better-auth/crypto";
@@ -17,9 +17,11 @@ import { mergeSchema } from "better-auth/db";
 import * as z from "zod";
 import { resolveSigningKey, signJWT, toExpJWT } from "better-auth/plugins";
 import { SignJWT, base64url, compactVerify, createLocalJWKSet, decodeJwt, decodeProtectedHeader } from "jose";
+import { SafeUrlSchema } from "@better-auth/core/utils/redirect-uri";
 //#region src/consent.ts
 async function consentEndpoint(ctx, opts) {
-	const _query = (await oAuthState.get())?.query;
+	const oauthRequest = await oAuthState.get();
+	const _query = oauthRequest?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
 		error: "invalid_request"
@@ -43,6 +45,17 @@ async function consentEndpoint(ctx, opts) {
 		url: formatErrorURL(query.get("redirect_uri") ?? "", "access_denied", "User denied access", query.get("state") ?? void 0, getIssuer(ctx, opts))
 	};
 	const session = await getSessionFromCtx(ctx);
+	const hasLoginPrompt = parsePrompt(query.get("prompt") ?? "").has("login");
+	const hasSatisfiedLoginPrompt = hasLoginPrompt && sessionSatisfiesLoginPrompt(session?.session.createdAt, oauthRequest?.signedQueryIssuedAt);
+	if (hasLoginPrompt && !hasSatisfiedLoginPrompt) {
+		ctx?.headers?.set("accept", "application/json");
+		ctx.query = searchParamsToQuery(query);
+		const { url } = await authorizeEndpoint(ctx, opts);
+		return {
+			redirect: true,
+			url
+		};
+	}
 	const referenceId = await opts.postLogin?.consentReferenceId?.({
 		user: session?.user,
 		session: session?.session,
@@ -66,12 +79,14 @@ async function consentEndpoint(ctx, opts) {
 		]
 	});
 	const iat = Math.floor(Date.now() / 1e3);
+	const resource = query.getAll("resource");
 	const consent = {
 		clientId,
 		userId: session?.user.id,
 		scopes: requestedScopes ?? originalRequestedScopes,
 		createdAt: /* @__PURE__ */ new Date(iat * 1e3),
 		updatedAt: /* @__PURE__ */ new Date(iat * 1e3),
+		resources: resource.length ? resource : void 0,
 		referenceId
 	};
 	foundConsent?.id ? await ctx.context.adapter.update({
@@ -81,6 +96,7 @@ async function consentEndpoint(ctx, opts) {
 			value: foundConsent.id
 		}],
 		update: {
+			resources: consent.resources,
 			scopes: consent.scopes,
 			updatedAt: /* @__PURE__ */ new Date(iat * 1e3)
 		}
@@ -93,14 +109,21 @@ async function consentEndpoint(ctx, opts) {
 	});
 	if (requestedScopes) query.set("scope", consent.scopes.join(" "));
 	ctx?.headers?.set("accept", "application/json");
-	ctx.query = deleteFromPrompt(query, "consent");
-	ctx.context.postLogin = true;
-	const { url } = await authorizeEndpoint(ctx, opts);
+	let authorizationQuery = removePromptFromQuery(query, "consent");
+	if (hasSatisfiedLoginPrompt) authorizationQuery = removePromptFromQuery(authorizationQuery, "login");
+	ctx.query = searchParamsToQuery(authorizationQuery);
+	const { url } = await authorizeEndpoint(ctx, opts, { postLogin: oauthRequest?.postLoginClearedForSession !== void 0 && oauthRequest.postLoginClearedForSession === session?.session.id });
 	return {
 		redirect: true,
 		url
 	};
 }
+function sessionSatisfiesLoginPrompt(sessionCreatedAt, signedQueryIssuedAt) {
+	if (!signedQueryIssuedAt) return false;
+	const normalized = normalizeTimestampValue(sessionCreatedAt);
+	if (!normalized) return false;
+	return normalized.getTime() >= signedQueryIssuedAt.getTime();
+}
 //#endregion
 //#region src/continue.ts
 async function continueEndpoint(ctx, opts) {
@@ -119,7 +142,7 @@ async function selected(ctx, opts) {
 		error: "invalid_request"
 	});
 	ctx.headers?.set("accept", "application/json");
-	ctx.query = deleteFromPrompt(new URLSearchParams(_query), "select_account");
+	ctx.query = searchParamsToQuery(removePromptFromQuery(new URLSearchParams(_query), "select_account"));
 	const { url } = await authorizeEndpoint(ctx, opts);
 	return {
 		redirect: true,
@@ -134,7 +157,7 @@ async function created(ctx, opts) {
 	});
 	const query = new URLSearchParams(_query);
 	ctx.headers?.set("accept", "application/json");
-	ctx.query = deleteFromPrompt(query, "create");
+	ctx.query = searchParamsToQuery(removePromptFromQuery(query, "create"));
 	const { url } = await authorizeEndpoint(ctx, opts);
 	return {
 		redirect: true,
@@ -158,11 +181,6 @@ async function postLogin(ctx, opts) {
 }
 //#endregion
 //#region src/types/zod.ts
-const DANGEROUS_SCHEMES = [
-	"javascript:",
-	"data:",
-	"vbscript:"
-];
 /**
 * Runtime schema for OAuthAuthorizationQuery.
 * Uses passthrough to tolerate fields added by future extensions (PAR, FPA, etc.)
@@ -183,7 +201,8 @@ const oauthAuthorizationQuerySchema = z.object({
 	id_token_hint: z.string().optional(),
 	code_challenge: z.string().optional(),
 	code_challenge_method: z.literal("S256").optional(),
-	nonce: z.string().optional()
+	nonce: z.string().optional(),
+	resource: z.union([z.string(), z.array(z.string())]).optional()
 }).passthrough();
 /**
 * Runtime schema for the authorization code verification value.
@@ -196,34 +215,40 @@ const verificationValueSchema = z.object({
 	sessionId: z.string(),
 	userId: z.string(),
 	referenceId: z.string().optional(),
-	authTime: z.number().optional()
+	authTime: z.number().optional(),
+	resource: z.array(z.string()).optional()
 }).passthrough();
+const DANGEROUS_SCHEMES = [
+	"javascript:",
+	"data:",
+	"vbscript:"
+];
 /**
-* Reusable URL validation for OAuth redirect URIs.
-* - Blocks dangerous schemes (javascript:, data:, vbscript:)
-* - For http/https: requires HTTPS (HTTP allowed only for loopback hosts: 127.0.0.0/8, [::1], *.localhost per RFC 6761)
-* - Allows custom schemes for mobile apps (e.g., myapp://callback)
+* Validates an RFC 8707 resource indicator. The value must be an absolute URI
+* with no fragment (RFC 8707 §2). Unlike a redirect URI it is not restricted to
+* HTTPS, because a resource server identifier may use any absolute URI scheme;
+* the configured `validAudiences` allowlist is the authoritative control over
+* which resources a token may target.
 */
-const SafeUrlSchema = z.url().superRefine((val, ctx) => {
+const ResourceUriSchema = z.string().superRefine((val, ctx) => {
 	if (!URL.canParse(val)) {
 		ctx.addIssue({
 			code: "custom",
-			message: "URL must be parseable",
+			message: "resource must be an absolute URI",
 			fatal: true
 		});
 		return z.NEVER;
 	}
-	const u = new URL(val);
-	if (DANGEROUS_SCHEMES.includes(u.protocol)) {
+	if (val.includes("#")) {
 		ctx.addIssue({
 			code: "custom",
-			message: "URL cannot use javascript:, data:, or vbscript: scheme"
+			message: "resource must not contain a fragment"
 		});
 		return;
 	}
-	if (u.protocol === "http:" && !isLoopbackHost(u.host)) ctx.addIssue({
+	if (DANGEROUS_SCHEMES.includes(new URL(val).protocol)) ctx.addIssue({
 		code: "custom",
-		message: "Redirect URI must use HTTPS (HTTP allowed only for loopback hosts)"
+		message: "resource cannot use javascript:, data:, or vbscript: scheme"
 	});
 });
 //#endregion
@@ -312,13 +337,13 @@ async function tokenEndpoint(ctx, opts) {
 		case "refresh_token": return handleRefreshTokenGrant(ctx, opts);
 	}
 }
-async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, referenceId, overrides) {
+async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, resources, referenceId, overrides) {
 	const iat = overrides?.iat ?? Math.floor(Date.now() / 1e3);
 	const exp = overrides?.exp ?? iat + (opts.accessTokenExpiresIn ?? 3600);
 	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
 		user,
 		scopes,
-		resource: ctx.body.resource,
+		resources,
 		referenceId,
 		metadata: parseClientMetadata(client.metadata)
 	}) : {};
@@ -328,7 +353,7 @@ async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, r
 		payload: {
 			...customClaims,
 			sub: user?.id,
-			aud: typeof audience === "string" ? audience : audience?.length === 1 ? audience.at(0) : audience,
+			aud: toAudienceClaim(audience),
 			azp: client.clientId,
 			scope: scopes.join(" "),
 			sid: overrides?.sid,
@@ -419,7 +444,7 @@ async function decodeRefreshToken(opts, token) {
 	});
 	return opts.formatRefreshToken?.decrypt ? opts.formatRefreshToken?.decrypt(token) : { token };
 }
-async function createOpaqueAccessToken(ctx, opts, user, client, scopes, payload, referenceId, refreshId) {
+async function createOpaqueAccessToken(ctx, opts, user, client, scopes, payload, resources, referenceId, refreshId) {
 	const iat = payload.iat ?? Math.floor(Date.now() / 1e3);
 	const exp = payload?.exp ?? iat + (opts.accessTokenExpiresIn ?? 3600);
 	const token = opts.generateOpaqueAccessToken ? await opts.generateOpaqueAccessToken() : generateRandomString(32, "A-Z", "a-z");
@@ -431,6 +456,7 @@ async function createOpaqueAccessToken(ctx, opts, user, client, scopes, payload,
 			sessionId: payload?.sid,
 			userId: user?.id,
 			referenceId,
+			resources,
 			refreshId,
 			scopes,
 			createdAt: /* @__PURE__ */ new Date(iat * 1e3),
@@ -439,54 +465,100 @@ async function createOpaqueAccessToken(ctx, opts, user, client, scopes, payload,
 	});
 	return (opts.prefix?.opaqueAccessToken ?? "") + token;
 }
-async function createRefreshToken(ctx, opts, user, referenceId, client, scopes, payload, originalRefresh, authTime) {
+/**
+* Tear down the entire refresh-token family for a (client, user) pair, plus
+* any access tokens that reference those refresh rows, per RFC 9700 §4.14.
+* Access tokens are deleted first so the parent rows' foreign-key children
+* do not block the refresh-row delete.
+*
+* TODO(invalidate-family-race): the two `deleteMany` calls are not atomic
+* with respect to each other. Between them, a concurrent rotation in a
+* different worker can `create` a fresh refresh row (and, immediately after,
+* an access-token row referencing it) for the same (client, user) pair,
+* leaving the family partially rebuilt and the new refresh row orphaned of
+* any deletion. Closing this window requires the same transactional adapter
+* contract tracked under FIXME(strict-family-invalidation) in
+* `createRefreshToken`.
+*
+* @internal
+*/
+async function invalidateRefreshFamily(ctx, clientId, userId) {
+	const refreshTokens = await ctx.context.adapter.findMany({
+		model: "oauthRefreshToken",
+		where: [{
+			field: "clientId",
+			value: clientId
+		}, {
+			field: "userId",
+			value: userId
+		}]
+	});
+	if (refreshTokens.length) await ctx.context.adapter.deleteMany({
+		model: "oauthAccessToken",
+		where: [{
+			field: "refreshId",
+			operator: "in",
+			value: refreshTokens.map((r) => r.id)
+		}]
+	});
+	await ctx.context.adapter.deleteMany({
+		model: "oauthRefreshToken",
+		where: [{
+			field: "clientId",
+			value: clientId
+		}, {
+			field: "userId",
+			value: userId
+		}]
+	});
+}
+async function createRefreshToken(ctx, opts, user, referenceId, client, scopes, payload, originalRefresh, authTime, resources) {
 	const iat = payload.iat ?? Math.floor(Date.now() / 1e3);
 	const exp = payload?.exp ?? iat + (opts.refreshTokenExpiresIn ?? 2592e3);
 	const token = opts.generateRefreshToken ? await opts.generateRefreshToken() : generateRandomString(32, "A-Z", "a-z");
 	const sessionId = payload?.sid;
-	if (originalRefresh?.id) await ctx.context.adapter.update({
+	const newRow = {
+		token: await storeToken(opts.storeTokens, token, "refresh_token"),
+		clientId: client.clientId,
+		sessionId,
+		userId: user.id,
+		referenceId,
+		authTime,
+		scopes,
+		resources,
+		createdAt: /* @__PURE__ */ new Date(iat * 1e3),
+		expiresAt: /* @__PURE__ */ new Date(exp * 1e3)
+	};
+	if (!originalRefresh?.id) return {
+		id: (await ctx.context.adapter.create({
+			model: "oauthRefreshToken",
+			data: newRow
+		})).id,
+		token: await encodeRefreshToken(opts, token, sessionId)
+	};
+	if (!await ctx.context.adapter.update({
 		model: "oauthRefreshToken",
 		where: [{
 			field: "id",
 			value: originalRefresh.id
+		}, {
+			field: "revoked",
+			operator: "eq",
+			value: null
 		}],
 		update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
+	})) throw new APIError("BAD_REQUEST", {
+		error_description: "invalid refresh token",
+		error: "invalid_grant"
 	});
 	return {
 		id: (await ctx.context.adapter.create({
 			model: "oauthRefreshToken",
-			data: {
-				token: await storeToken(opts.storeTokens, token, "refresh_token"),
-				clientId: client.clientId,
-				sessionId,
-				userId: user.id,
-				referenceId,
-				authTime,
-				scopes,
-				createdAt: /* @__PURE__ */ new Date(iat * 1e3),
-				expiresAt: /* @__PURE__ */ new Date(exp * 1e3)
-			}
+			data: newRow
 		})).id,
 		token: await encodeRefreshToken(opts, token, sessionId)
 	};
 }
-/**
-* Checks the resource parameter, if provided,
-* and returns a valid audience based on the request
-*/
-async function checkResource(ctx, opts, scopes) {
-	const resource = ctx.body.resource;
-	const audience = typeof resource === "string" ? [resource] : resource ? [...resource] : void 0;
-	if (audience) {
-		if (scopes.includes("openid")) audience.push(`${ctx.context.baseURL}/oauth2/userinfo`);
-		const validAudiences = new Set([...opts.validAudiences ?? [ctx.context.baseURL], scopes?.includes("openid") ? `${ctx.context.baseURL}/oauth2/userinfo` : void 0].flat().filter((v) => v?.length));
-		for (const aud of audience) if (!validAudiences.has(aud)) throw new APIError("BAD_REQUEST", {
-			error_description: "requested resource invalid",
-			error: "invalid_request"
-		});
-	}
-	return audience?.length === 1 ? audience.at(0) : audience;
-}
 async function createUserTokens(ctx, opts, params) {
 	const { client, scopes, user, grantType, referenceId, sessionId, nonce, refreshToken: existingRefreshToken, authTime, verificationValue } = params;
 	const iat = Math.floor(Date.now() / 1e3);
@@ -494,7 +566,12 @@ async function createUserTokens(ctx, opts, params) {
 	const exp = opts.scopeExpirations ? scopes.map((sc) => opts.scopeExpirations?.[sc] ? toExpJWT(opts.scopeExpirations[sc], iat) : defaultExp).reduce((prev, curr) => {
 		return prev < curr ? prev : curr;
 	}, defaultExp) : defaultExp;
-	const audience = await checkResource(ctx, opts, scopes);
+	const resourceResult = await checkResource(ctx, opts, params?.resources, scopes);
+	if (!resourceResult.success) throw new APIError("BAD_REQUEST", {
+		error_description: "requested resource invalid",
+		error: "invalid_target"
+	});
+	const audience = resourceResult.audience;
 	const isRefreshToken = user && (existingRefreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access"));
 	const isJwtAccessToken = audience && !opts.disableJwtPlugin;
 	const isIdToken = user && scopes.includes("openid");
@@ -505,12 +582,13 @@ async function createUserTokens(ctx, opts, params) {
 		metadata: parseClientMetadata(client.metadata),
 		verificationValue
 	}) : void 0;
+	const refreshResources = params?.refreshToken?.resources ?? params?.originalResources ?? params?.resources;
 	const earlyRefreshToken = isRefreshToken && user && !isJwtAccessToken ? await createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
 		iat,
 		exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
 		sid: sessionId
-	}, existingRefreshToken, authTime) : void 0;
-	const [accessToken, refreshToken] = await Promise.all([isJwtAccessToken ? createJwtAccessToken(ctx, opts, user, client, audience, scopes, referenceId, {
+	}, existingRefreshToken, authTime, refreshResources) : void 0;
+	const [accessToken, refreshToken] = await Promise.all([isJwtAccessToken ? createJwtAccessToken(ctx, opts, user, client, audience, scopes, params?.resources, referenceId, {
 		iat,
 		exp,
 		sid: sessionId
@@ -518,11 +596,11 @@ async function createUserTokens(ctx, opts, params) {
 		iat,
 		exp,
 		sid: sessionId
-	}, referenceId, earlyRefreshToken?.id), earlyRefreshToken ? earlyRefreshToken : isRefreshToken && user ? createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
+	}, params?.resources, referenceId, earlyRefreshToken?.id), earlyRefreshToken ? earlyRefreshToken : isRefreshToken && user ? createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
 		iat,
 		exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
 		sid: sessionId
-	}, existingRefreshToken, authTime) : void 0]);
+	}, existingRefreshToken, authTime, refreshResources) : void 0]);
 	const idToken = isIdToken ? await createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime, accessToken) : void 0;
 	return ctx.json({
 		...customFields,
@@ -539,16 +617,11 @@ async function createUserTokens(ctx, opts, params) {
 	} });
 }
 /** Checks verification value */
-async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri) {
-	const verification = await ctx.context.internalAdapter.findVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
+async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri, resource) {
+	const verification = await ctx.context.internalAdapter.consumeVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
 	if (!verification) throw new APIError("UNAUTHORIZED", {
-		error_description: "Invalid code",
-		error: "invalid_verification"
-	});
-	await ctx.context.internalAdapter.deleteVerificationByIdentifier(await storeToken(opts.storeTokens, code, "authorization_code"));
-	if (!verification.expiresAt || verification.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("UNAUTHORIZED", {
-		error_description: "code expired",
-		error: "invalid_verification"
+		error_description: "invalid code",
+		error: "invalid_grant"
 	});
 	let rawValue;
 	try {
@@ -556,13 +629,13 @@ async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri)
 	} catch {
 		throw new APIError("UNAUTHORIZED", {
 			error_description: "malformed verification value",
-			error: "invalid_verification"
+			error: "invalid_grant"
 		});
 	}
 	const parsed = verificationValueSchema.safeParse(rawValue);
 	if (!parsed.success) throw new APIError("UNAUTHORIZED", {
 		error_description: "malformed verification value",
-		error: "invalid_verification"
+		error: "invalid_grant"
 	});
 	const verificationValue = parsed.data;
 	if (verificationValue.query.client_id !== client_id) throw new APIError("UNAUTHORIZED", {
@@ -573,14 +646,29 @@ async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri)
 		error_description: "redirect_uri mismatch",
 		error: "invalid_request"
 	});
-	return verificationValue;
+	const storedResources = toResourceList(verificationValue.resource) ?? toResourceList(verificationValue.query.resource);
+	const effectiveResources = resource ?? storedResources;
+	if (resource && storedResources) {
+		const requestedSet = new Set(resource);
+		const authorizedSet = new Set(storedResources);
+		for (const r of requestedSet) if (!authorizedSet.has(r)) throw new APIError("BAD_REQUEST", {
+			error_description: "requested resource not authorized",
+			error: "invalid_target"
+		});
+	}
+	return {
+		verificationValue,
+		effectiveResources,
+		authorizedResources: storedResources
+	};
 }
 /**
 * Obtains new Session Jwt and Refresh Tokens using a code
 */
 async function handleAuthorizationCodeGrant(ctx, opts) {
 	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
-	const { code, code_verifier, redirect_uri } = ctx.body;
+	const { code, code_verifier, redirect_uri, resource } = ctx.body;
+	const resources = toResourceList(resource);
 	if (!client_id) throw new APIError("BAD_REQUEST", {
 		error_description: "client_id is required",
 		error: "invalid_request"
@@ -600,7 +688,7 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 		error: "invalid_request"
 	});
 	/** Get and check Verification Value */
-	const verificationValue = await checkVerificationValue(ctx, opts, code, client_id, redirect_uri);
+	const { verificationValue, effectiveResources, authorizedResources } = await checkVerificationValue(ctx, opts, code, client_id, redirect_uri, resources);
 	const scopes = verificationValue.query.scope?.split(" ");
 	if (!scopes) throw new APIError("INTERNAL_SERVER_ERROR", {
 		error_description: "verification scope unset",
@@ -665,7 +753,9 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 		sessionId: session.id,
 		nonce: verificationValue.query?.nonce,
 		authTime,
-		verificationValue
+		verificationValue,
+		resources: effectiveResources,
+		originalResources: authorizedResources
 	});
 }
 /**
@@ -676,7 +766,8 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 */
 async function handleClientCredentialsGrant(ctx, opts) {
 	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
-	const { scope } = ctx.body;
+	const { scope, resource } = ctx.body;
+	const resources = toResourceList(resource);
 	if (!client_id) throw new APIError("BAD_REQUEST", {
 		error_description: "Missing required client_id",
 		error: "invalid_grant"
@@ -707,7 +798,8 @@ async function handleClientCredentialsGrant(ctx, opts) {
 	return createUserTokens(ctx, opts, {
 		client,
 		scopes: requestedScopes,
-		grantType: "client_credentials"
+		grantType: "client_credentials",
+		resources
 	});
 }
 /**
@@ -718,7 +810,8 @@ async function handleClientCredentialsGrant(ctx, opts) {
 */
 async function handleRefreshTokenGrant(ctx, opts) {
 	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
-	const { refresh_token, scope } = ctx.body;
+	const { refresh_token, scope, resource } = ctx.body;
+	const resources = toResourceList(resource);
 	if (!client_id) throw new APIError("BAD_REQUEST", {
 		error_description: "Missing required client_id",
 		error: "invalid_grant"
@@ -748,21 +841,16 @@ async function handleRefreshTokenGrant(ctx, opts) {
 		error: "invalid_grant"
 	});
 	if (refreshToken.revoked) {
-		await ctx.context.adapter.deleteMany({
-			model: "oauthRefreshToken",
-			where: [{
-				field: "clientId",
-				value: client_id
-			}, {
-				field: "userId",
-				value: refreshToken.userId
-			}]
-		});
+		await invalidateRefreshFamily(ctx, client_id, refreshToken.userId);
 		throw new APIError("BAD_REQUEST", {
 			error_description: "invalid refresh token",
 			error: "invalid_grant"
 		});
 	}
+	if (resources && refreshToken.resources && !resources.every((v) => refreshToken.resources?.includes(v))) throw new APIError("BAD_REQUEST", {
+		error_description: "requested resource invalid",
+		error: "invalid_target"
+	});
 	const scopes = refreshToken?.scopes;
 	const requestedScopes = scope?.split(" ");
 	if (requestedScopes) {
@@ -787,6 +875,7 @@ async function handleRefreshTokenGrant(ctx, opts) {
 		referenceId: refreshToken.referenceId,
 		sessionId: refreshToken.sessionId,
 		refreshToken,
+		resources: resources ?? refreshToken.resources,
 		authTime
 	});
 }
@@ -894,10 +983,17 @@ async function validateOpaqueAccessToken(ctx, opts, token, clientId) {
 	}
 	let user;
 	if (accessToken.userId) user = await ctx.context.internalAdapter.findUserById(accessToken?.userId);
+	const resources = Array.isArray(accessToken.resources) ? accessToken.resources : void 0;
+	const audience = resources ? [...resources] : void 0;
+	if (audience?.length && accessToken.scopes?.includes("openid")) {
+		const userInfoEndpoint = `${ctx.context.baseURL}/oauth2/userinfo`;
+		if (!audience.includes(userInfoEndpoint)) audience.push(userInfoEndpoint);
+	}
 	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
 		user,
 		scopes: accessToken.scopes,
 		referenceId: accessToken?.referenceId,
+		resources,
 		metadata: parseClientMetadata(client?.metadata)
 	}) : {};
 	const jwtPluginOptions = (opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context))?.options;
@@ -905,6 +1001,7 @@ async function validateOpaqueAccessToken(ctx, opts, token, clientId) {
 		...customClaims,
 		active: true,
 		iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
+		aud: toAudienceClaim(audience),
 		client_id: accessToken.clientId,
 		sub: user?.id,
 		sid: sessionId,
@@ -939,7 +1036,7 @@ async function validateRefreshToken(ctx, opts, token, clientId) {
 			model: "session",
 			where: [{
 				field: "id",
-				value: refreshToken.sessionId
+				value: sessionId
 			}]
 		});
 		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) sessionId = void 0;
@@ -1268,6 +1365,28 @@ const publicSessionMiddleware = (opts) => createAuthMiddleware(async (ctx) => {
 	if (!await verifyOAuthQueryParams(query, ctx.context.secret)) throw new APIError("UNAUTHORIZED", { error: "invalid_signature" });
 });
 //#endregion
+//#region src/oauthClient/privileges.ts
+/**
+* Authorizes a client action against the configured `clientPrivileges` hook.
+*
+* This is the single authorization helper for every OAuth client mutation. The
+* create path enforces it at the shared creation chokepoint so that no
+* registration route can reach client persistence without it.
+*
+* @throws APIError UNAUTHORIZED when there is no session or the hook denies the action.
+* @throws APIError BAD_REQUEST when the request carries no headers.
+*/
+async function assertClientPrivileges(ctx, session, opts, action) {
+	if (!session) throw new APIError("UNAUTHORIZED");
+	if (!ctx.headers) throw new APIError("BAD_REQUEST");
+	if (opts.clientPrivileges && !await opts.clientPrivileges({
+		headers: ctx.headers,
+		action,
+		session: session.session,
+		user: session.user
+	})) throw new APIError("UNAUTHORIZED");
+}
+//#endregion
 //#region src/register.ts
 /**
 * Resolves the auth method and type for unauthenticated DCR.
@@ -1403,6 +1522,9 @@ async function checkOAuthClient(client, opts, settings) {
 async function createOAuthClientEndpoint(ctx, opts, settings) {
 	const body = ctx.body;
 	const session = await getSessionFromCtx(ctx);
+	if (settings.isRegister) {
+		if (session) await assertClientPrivileges(ctx, session, opts, "create");
+	} else await assertClientPrivileges(ctx, session, opts, "create");
 	const isPublic = body.token_endpoint_auth_method === "none";
 	const isPrivateKeyJwt = body.token_endpoint_auth_method === "private_key_jwt";
 	await checkOAuthClient(ctx.body, opts, {
@@ -1748,16 +1870,6 @@ async function rotateClientSecretEndpoint(ctx, opts) {
 		clientSecret: (opts.prefix?.clientSecret ?? "") + clientSecret
 	});
 }
-async function assertClientPrivileges(ctx, session, opts, action) {
-	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action,
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
-}
 //#endregion
 //#region src/oauthClient/index.ts
 const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/create-client", {
@@ -1781,7 +1893,7 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 			"client_secret_post",
 			"private_key_jwt"
 		]).default("client_secret_basic").optional(),
-		jwks: z.union([z.array(z.record(z.string(), z.unknown())), z.object({ keys: z.array(z.record(z.string(), z.unknown())) })]).optional(),
+		jwks: z.union([z.array(z.record(z.string(), z.unknown())).min(1), z.object({ keys: z.array(z.record(z.string(), z.unknown())).min(1) })]).optional(),
 		jwks_uri: z.string().optional(),
 		grant_types: z.array(z.enum([
 			"authorization_code",
@@ -1943,7 +2055,6 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 		}
 	}
 }, async (ctx) => {
-	await assertClientPrivileges(ctx, await getSessionFromCtx(ctx), opts, "create");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
 });
 const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client", {
@@ -1968,7 +2079,7 @@ const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client",
 			"client_secret_post",
 			"private_key_jwt"
 		]).default("client_secret_basic").optional(),
-		jwks: z.union([z.array(z.record(z.string(), z.unknown())), z.object({ keys: z.array(z.record(z.string(), z.unknown())) })]).optional(),
+		jwks: z.union([z.array(z.record(z.string(), z.unknown())).min(1), z.object({ keys: z.array(z.record(z.string(), z.unknown())).min(1) })]).optional(),
 		jwks_uri: z.string().optional(),
 		grant_types: z.array(z.enum([
 			"authorization_code",
@@ -2116,7 +2227,6 @@ const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client",
 		} }
 	} }
 }, async (ctx) => {
-	await assertClientPrivileges(ctx, await getSessionFromCtx(ctx), opts, "create");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
 });
 const getOAuthClient = (opts) => createAuthEndpoint("/oauth2/get-client", {
@@ -2320,12 +2430,12 @@ async function updateConsentEndpoint(ctx, opts) {
 		error_description: "no consent",
 		error: "not_found"
 	});
+	if (consent.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
 	const client = await getClient(ctx, opts, consent.clientId);
-	if (!consent) throw new APIError("NOT_FOUND", {
-		error_description: "no consent",
+	if (!client) throw new APIError("NOT_FOUND", {
+		error_description: "client not found",
 		error: "not_found"
 	});
-	if (consent.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
 	const allowedScopes = client?.scopes ?? opts.scopes ?? [];
 	const updates = ctx.body.update;
 	const scopes = updates.scopes;
@@ -2473,16 +2583,7 @@ async function revokeRefreshToken(ctx, opts, token, clientId) {
 		error: "invalid_request"
 	});
 	if (refreshToken.revoked) {
-		await ctx.context.adapter.deleteMany({
-			model: "oauthRefreshToken",
-			where: [{
-				field: "clientId",
-				value: clientId
-			}, {
-				field: "userId",
-				value: refreshToken.userId
-			}]
-		});
+		await invalidateRefreshFamily(ctx, clientId, refreshToken.userId);
 		throw new APIError$1("BAD_REQUEST", {
 			error_description: "refresh token revoked",
 			error: "invalid_request"
@@ -2490,20 +2591,31 @@ async function revokeRefreshToken(ctx, opts, token, clientId) {
 	}
 	if (!refreshToken.clientId || refreshToken.clientId !== clientId) return null;
 	const iat = Math.floor(Date.now() / 1e3);
-	await Promise.allSettled([ctx.context.adapter.deleteMany({
-		model: "oauthAccessToken",
-		where: [{
-			field: "refreshId",
-			value: refreshToken.id
-		}]
-	}), ctx.context.adapter.update({
+	if (!await ctx.context.adapter.update({
 		model: "oauthRefreshToken",
 		where: [{
 			field: "id",
 			value: refreshToken.id
+		}, {
+			field: "revoked",
+			operator: "eq",
+			value: null
 		}],
 		update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
-	})]);
+	})) {
+		await invalidateRefreshFamily(ctx, clientId, refreshToken.userId);
+		throw new APIError$1("BAD_REQUEST", {
+			error_description: "refresh token revoked",
+			error: "invalid_request"
+		});
+	}
+	await ctx.context.adapter.deleteMany({
+		model: "oauthAccessToken",
+		where: [{
+			field: "refreshId",
+			value: refreshToken.id
+		}]
+	});
 }
 /**
 * We don't know the access token format so we try to validate it
@@ -2617,7 +2729,8 @@ const schema = {
 				references: {
 					model: "user",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			createdAt: {
 				type: "date",
@@ -2716,7 +2829,8 @@ const schema = {
 	oauthRefreshToken: { fields: {
 		token: {
 			type: "string",
-			required: true
+			required: true,
+			unique: true
 		},
 		clientId: {
 			type: "string",
@@ -2724,7 +2838,8 @@ const schema = {
 			references: {
 				model: "oauthClient",
 				field: "clientId"
-			}
+			},
+			index: true
 		},
 		sessionId: {
 			type: "string",
@@ -2733,7 +2848,8 @@ const schema = {
 				model: "session",
 				field: "id",
 				onDelete: "set null"
-			}
+			},
+			index: true
 		},
 		userId: {
 			type: "string",
@@ -2741,12 +2857,17 @@ const schema = {
 			references: {
 				model: "user",
 				field: "id"
-			}
+			},
+			index: true
 		},
 		referenceId: {
 			type: "string",
 			required: false
 		},
+		resources: {
+			type: "string[]",
+			required: false
+		},
 		expiresAt: { type: "date" },
 		createdAt: { type: "date" },
 		revoked: {
@@ -2775,7 +2896,8 @@ const schema = {
 				references: {
 					model: "oauthClient",
 					field: "clientId"
-				}
+				},
+				index: true
 			},
 			sessionId: {
 				type: "string",
@@ -2784,7 +2906,8 @@ const schema = {
 					model: "session",
 					field: "id",
 					onDelete: "set null"
-				}
+				},
+				index: true
 			},
 			userId: {
 				type: "string",
@@ -2792,19 +2915,25 @@ const schema = {
 				references: {
 					model: "user",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			referenceId: {
 				type: "string",
 				required: false
 			},
+			resources: {
+				type: "string[]",
+				required: false
+			},
 			refreshId: {
 				type: "string",
 				required: false,
 				references: {
 					model: "oauthRefreshToken",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			expiresAt: { type: "date" },
 			createdAt: { type: "date" },
@@ -2823,7 +2952,8 @@ const schema = {
 				references: {
 					model: "oauthClient",
 					field: "clientId"
-				}
+				},
+				index: true
 			},
 			userId: {
 				type: "string",
@@ -2831,12 +2961,17 @@ const schema = {
 				references: {
 					model: "user",
 					field: "id"
-				}
+				},
+				index: true
 			},
 			referenceId: {
 				type: "string",
 				required: false
 			},
+			resources: {
+				type: "string[]",
+				required: false
+			},
 			scopes: {
 				type: "string[]",
 				required: true
@@ -2914,10 +3049,55 @@ const oauthProvider = (options) => {
 	if (opts.grantTypes && opts.grantTypes.includes("refresh_token") && !opts.grantTypes.includes("authorization_code")) throw new BetterAuthError("refresh_token grant requires authorization_code grant");
 	if (opts.disableJwtPlugin && (opts.storeClientSecret === "hashed" || typeof opts.storeClientSecret === "object" && "hash" in opts.storeClientSecret)) throw new BetterAuthError("unable to store hashed secrets because id tokens will be signed with secret");
 	if (!opts.disableJwtPlugin && (opts.storeClientSecret === "encrypted" || typeof opts.storeClientSecret === "object" && ("encrypt" in opts.storeClientSecret || "decrypt" in opts.storeClientSecret))) throw new BetterAuthError("encryption method not recommended, please use 'hashed' or the 'hash' function");
+	const handleIssuerMetadataRequest = async (request, ctx) => {
+		const requestPathname = new URL(request.url).pathname;
+		const requestPath = ctx.options.advanced?.skipTrailingSlashes ? requestPathname.replace(/\/+$/, "") || "/" : requestPathname;
+		const issuer = opts.disableJwtPlugin ? ctx.baseURL : getJwtPlugin(ctx)?.options?.jwt?.issuer ?? ctx.baseURL;
+		let issuerPath = "/";
+		try {
+			issuerPath = new URL(issuer).pathname.replace(/\/$/, "") || "";
+		} catch {
+			issuerPath = new URL(ctx.baseURL).pathname.replace(/\/$/, "") || "";
+		}
+		const endpointCtx = { context: ctx };
+		const authServerMetadataPaths = new Set([`/.well-known/oauth-authorization-server${issuerPath}`, `${issuerPath}/.well-known/oauth-authorization-server`]);
+		const openIdConfigPath = `${issuerPath}/.well-known/openid-configuration`;
+		const isAuthServerMetadataRequest = authServerMetadataPaths.has(requestPath);
+		const isOpenIdConfigRequest = opts.scopes?.includes("openid") && requestPath === openIdConfigPath;
+		const createMetadataResponse = (metadata) => {
+			const response = metadataResponse(metadata);
+			if (request.method === "HEAD") return new Response(null, {
+				status: response.status,
+				headers: response.headers
+			});
+			return response;
+		};
+		if (isAuthServerMetadataRequest || isOpenIdConfigRequest) {
+			if (request.method !== "GET" && request.method !== "HEAD") return { response: new Response(null, {
+				status: 405,
+				headers: { Allow: "GET, HEAD" }
+			}) };
+		}
+		if (isAuthServerMetadataRequest) {
+			if (opts.scopes?.includes("openid")) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
+			return { response: createMetadataResponse({
+				...authServerMetadata(endpointCtx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx)?.options, {
+					scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+					dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
+					public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
+					grant_types_supported: opts.grantTypes,
+					jwt_disabled: opts.disableJwtPlugin
+				}),
+				...mergeDiscoveryMetadata(opts.clientDiscovery)
+			}) };
+		}
+		if (isOpenIdConfigRequest) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
+	};
 	return {
 		id: "oauth-provider",
 		version: PACKAGE_VERSION,
 		options: opts,
+		onRequest: handleIssuerMetadataRequest,
 		init: (ctx) => {
 			if (ctx.options.secondaryStorage && ctx.options.session?.storeSessionInDatabase !== true) throw new BetterAuthError("OAuth Provider requires `session.storeSessionInDatabase: true` when using secondaryStorage");
 			if (!opts.disableJwtPlugin) {
@@ -2943,10 +3123,18 @@ const oauthProvider = (options) => {
 				handler: createAuthMiddleware(async (ctx) => {
 					const query = ctx.body.oauth_query;
 					if (!await verifyOAuthQueryParams(query, ctx.context.secret)) throw new APIError("BAD_REQUEST", { error: "invalid_signature" });
+					const signedQueryIssuedAt = getSignedQueryIssuedAt(query);
 					const queryParams = new URLSearchParams(query);
+					const postLoginClearedForSession = queryParams.get("ba_pl") ?? void 0;
 					queryParams.delete("sig");
 					queryParams.delete("exp");
-					await oAuthState.set({ query: queryParams.toString() });
+					queryParams.delete(signedQueryIssuedAtParam);
+					queryParams.delete(postLoginClearedParam);
+					await oAuthState.set({
+						query: queryParams.toString(),
+						signedQueryIssuedAt: signedQueryIssuedAt ?? void 0,
+						postLoginClearedForSession
+					});
 					if (ctx.path === "/sign-in/social") {
 						if (ctx.body.additionalData?.query) return;
 						if (!ctx.body.additionalData) ctx.body.additionalData = {};
@@ -2970,7 +3158,7 @@ const oauthProvider = (options) => {
 					const secFetchMode = ctx.request?.headers?.get("sec-fetch-mode")?.toLowerCase();
 					const acceptHeader = ctx.request?.headers?.get("accept")?.toLowerCase() ?? "";
 					if (!(secFetchMode === "navigate" || !secFetchMode && (acceptHeader.includes("text/html") || acceptHeader.includes("application/xhtml+xml")))) ctx.headers?.set("accept", "application/json");
-					ctx.query = deleteFromPrompt(query, "login");
+					ctx.query = searchParamsToQuery(removePromptFromQuery(query, "login"));
 					return await authorizeEndpoint(ctx, opts);
 				})
 			}]
@@ -2984,6 +3172,7 @@ const oauthProvider = (options) => {
 				else return {
 					...authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context)?.options, {
 						scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+						dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
 						public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
 						grant_types_supported: opts.grantTypes,
 						jwt_disabled: opts.disableJwtPlugin
@@ -3010,6 +3199,7 @@ const oauthProvider = (options) => {
 					code_challenge: z.string().optional(),
 					code_challenge_method: z.string().pipe(z.enum(["S256"])).optional(),
 					nonce: z.string().optional(),
+					resource: z.union([ResourceUriSchema, z.array(ResourceUriSchema).min(1)]).optional(),
 					prompt: z.string().pipe(z.enum([
 						"none",
 						"consent",
@@ -3021,7 +3211,10 @@ const oauthProvider = (options) => {
 					])).optional()
 				}),
 				redirectOnError: authorizeRedirectOnError(opts),
-				errorCodesByField: { response_type: { invalid: "unsupported_response_type" } },
+				errorCodesByField: {
+					response_type: { invalid: "unsupported_response_type" },
+					resource: { invalid: "invalid_target" }
+				},
 				metadata: { openapi: {
 					description: "Authorize an OAuth2 request",
 					parameters: [
@@ -3091,6 +3284,16 @@ const oauthProvider = (options) => {
 							schema: { type: "string" },
 							description: "OpenID Connect nonce"
 						},
+						{
+							name: "resource",
+							in: "query",
+							required: false,
+							schema: {
+								type: "array",
+								items: { type: "string" }
+							},
+							description: "Requested token resource(s) (ie audience) to obtain a JWT formatted access token. May be supplied multiple times as repeated 'resource' query parameters (RFC 8707) or as an array of strings."
+						},
 						{
 							name: "prompt",
 							in: "query",
@@ -3196,13 +3399,16 @@ const oauthProvider = (options) => {
 					code_verifier: z.string().optional(),
 					redirect_uri: SafeUrlSchema.optional(),
 					refresh_token: z.string().optional(),
-					resource: z.string().optional(),
+					resource: z.union([ResourceUriSchema, z.array(ResourceUriSchema).min(1)]).optional(),
 					scope: z.string().optional()
 				}),
-				errorCodesByField: { grant_type: {
-					missing: "invalid_request",
-					invalid: "unsupported_grant_type"
-				} },
+				errorCodesByField: {
+					grant_type: {
+						missing: "invalid_request",
+						invalid: "unsupported_grant_type"
+					},
+					resource: { invalid: "invalid_target" }
+				},
 				metadata: {
 					allowedMediaTypes: ["application/x-www-form-urlencoded"],
 					openapi: {
@@ -3247,8 +3453,15 @@ const oauthProvider = (options) => {
 										description: "Refresh token (for refresh_token grant)"
 									},
 									resource: {
-										type: "string",
-										description: "Requested token resource (ie audience) to obtain a JWT formatted access token"
+										oneOf: [{
+											type: "string",
+											description: "Single resource (URL)"
+										}, {
+											type: "array",
+											items: { type: "string" },
+											description: "Multiple resources (URLs)"
+										}],
+										description: "Requested token resource(s) (ie audience) to obtain a JWT formatted access token"
 									},
 									scope: {
 										type: "string",
@@ -3349,10 +3562,6 @@ const oauthProvider = (options) => {
 									token_type_hint: {
 										type: "string",
 										description: "Hint about the token type. Recognized values: `access_token`, `refresh_token`."
-									},
-									resource: {
-										type: "string",
-										description: "Introspects a token for a specific resource."
 									}
 								},
 								required: ["token"]
@@ -3640,7 +3849,7 @@ const oauthProvider = (options) => {
 						"client_secret_post",
 						"private_key_jwt"
 					]).default("client_secret_basic").optional(),
-					jwks: z.union([z.array(z.record(z.string(), z.unknown())), z.object({ keys: z.array(z.record(z.string(), z.unknown())) })]).optional(),
+					jwks: z.union([z.array(z.record(z.string(), z.unknown())).min(1), z.object({ keys: z.array(z.record(z.string(), z.unknown())).min(1) })]).optional(),
 					jwks_uri: z.string().optional(),
 					grant_types: z.array(z.enum([
 						"authorization_code",
@@ -4045,6 +4254,9 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		if (!query.code_challenge || !query.code_challenge_method) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_request", "code_challenge and code_challenge_method must both be provided", query.state, getIssuer(ctx, opts)));
 		if (!["S256"].includes(query.code_challenge_method)) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method, only S256 is supported", query.state, getIssuer(ctx, opts)));
 	}
+	const resource = query.resource;
+	if (!(await checkResource(ctx, opts, resource, requestedScopes)).success) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_target", "requested resource invalid", query.state, getIssuer(ctx, opts)));
+	const requestedResources = toResourceList(resource) ?? [];
 	const session = await getSessionFromCtx(ctx);
 	if (!session || promptSet?.has("login") || promptSet?.has("create")) {
 		if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "login_required", "authentication required");
@@ -4071,7 +4283,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		});
 		if (signupRedirect) {
 			if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "interaction_required", "End-User interaction is required");
-			return redirectWithPromptCode(ctx, opts, "create", typeof signupRedirect === "string" ? signupRedirect : void 0);
+			return redirectWithPromptCode(ctx, opts, "create", { page: typeof signupRedirect === "string" ? signupRedirect : void 0 });
 		}
 	}
 	if (!settings?.postLogin && opts.postLogin) {
@@ -4085,7 +4297,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 			return redirectWithPromptCode(ctx, opts, "post_login");
 		}
 	}
-	if (promptSet?.has("consent")) return redirectWithPromptCode(ctx, opts, "consent");
+	if (promptSet?.has("consent")) return redirectWithPromptCode(ctx, opts, "consent", { sessionId: session.session.id });
 	const referenceId = await opts.postLogin?.consentReferenceId?.({
 		user: session.user,
 		session: session.session,
@@ -4097,7 +4309,8 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		userId: session.user.id,
 		sessionId: session.session.id,
 		authTime: new Date(session.session.createdAt).getTime(),
-		referenceId
+		referenceId,
+		resource: requestedResources
 	});
 	const consent = await ctx.context.adapter.findOne({
 		model: "oauthConsent",
@@ -4118,7 +4331,12 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	});
 	if (!consent || !requestedScopes.every((val) => consent.scopes.includes(val))) {
 		if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "consent_required", "End-User consent is required");
-		return redirectWithPromptCode(ctx, opts, "consent");
+		return redirectWithPromptCode(ctx, opts, "consent", { sessionId: session.session.id });
+	}
+	const consentedResources = consent?.resources ?? [];
+	if (requestedResources.some((requestedResource) => !consentedResources.includes(requestedResource))) {
+		if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "consent_required", "End-User consent is required");
+		return redirectWithPromptCode(ctx, opts, "consent", { sessionId: session.session.id });
 	}
 	return redirectWithAuthorizationCode(ctx, opts, {
 		query,
@@ -4126,7 +4344,8 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		userId: session.user.id,
 		sessionId: session.session.id,
 		authTime: new Date(session.session.createdAt).getTime(),
-		referenceId
+		referenceId,
+		resource: requestedResources
 	});
 }
 function serializeAuthorizationQuery(query) {
@@ -4152,7 +4371,8 @@ async function redirectWithAuthorizationCode(ctx, opts, verificationValue) {
 			userId: verificationValue.userId,
 			sessionId: verificationValue?.sessionId,
 			referenceId: verificationValue.referenceId,
-			authTime: verificationValue.authTime
+			authTime: verificationValue.authTime,
+			resource: verificationValue.resource
 		})
 	};
 	await ctx.context.internalAdapter.createVerificationValue({
@@ -4165,8 +4385,8 @@ async function redirectWithAuthorizationCode(ctx, opts, verificationValue) {
 	redirectUriWithCode.searchParams.set("iss", getIssuer(ctx, opts));
 	return handleRedirect(ctx, redirectUriWithCode.toString());
 }
-async function redirectWithPromptCode(ctx, opts, type, page) {
-	const queryParams = await signParams(ctx, opts);
+async function redirectWithPromptCode(ctx, opts, type, options) {
+	const queryParams = await signParams(ctx, opts, { postLoginClearedForSession: type === "consent" && opts.postLogin ? options?.sessionId : void 0 });
 	let path = opts.loginPage;
 	if (type === "select_account") path = opts.selectAccount?.page ?? opts.loginPage;
 	else if (type === "post_login") {
@@ -4174,12 +4394,16 @@ async function redirectWithPromptCode(ctx, opts, type, page) {
 		path = opts.postLogin?.page;
 	} else if (type === "consent") path = opts.consentPage;
 	else if (type === "create") path = opts.signup?.page ?? opts.loginPage;
-	return handleRedirect(ctx, `${page ?? path}?${queryParams}`);
+	return handleRedirect(ctx, `${options?.page ?? path}?${queryParams}`);
 }
-async function signParams(ctx, opts) {
-	const exp = Math.floor(Date.now() / 1e3) + (opts.codeExpiresIn ?? 600);
+async function signParams(ctx, opts, flags) {
+	const issuedAt = Date.now();
+	const exp = Math.floor(issuedAt / 1e3) + (opts.codeExpiresIn ?? 600);
 	const params = serializeAuthorizationQuery(ctx.query);
 	params.set("exp", String(exp));
+	params.set(signedQueryIssuedAtParam, String(issuedAt));
+	params.delete(postLoginClearedParam);
+	if (flags?.postLoginClearedForSession) params.set(postLoginClearedParam, flags.postLoginClearedForSession);
 	const signature = await makeSignature(params.toString(), ctx.context.secret);
 	params.append("sig", signature);
 	return params.toString();
@@ -4194,7 +4418,7 @@ function authServerMetadata(ctx, opts, overrides) {
 		authorization_endpoint: `${baseURL}/oauth2/authorize`,
 		token_endpoint: `${baseURL}/oauth2/token`,
 		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}${opts?.jwks?.jwksPath ?? "/jwks"}`,
-		registration_endpoint: `${baseURL}/oauth2/register`,
+		registration_endpoint: overrides?.dynamic_client_registration_supported ? `${baseURL}/oauth2/register` : void 0,
 		introspection_endpoint: `${baseURL}/oauth2/introspect`,
 		revocation_endpoint: `${baseURL}/oauth2/revoke`,
 		response_types_supported: overrides?.grant_types_supported && !overrides.grant_types_supported.includes("authorization_code") ? [] : ["code"],
@@ -4210,19 +4434,19 @@ function authServerMetadata(ctx, opts, overrides) {
 			"client_secret_post",
 			"private_key_jwt"
 		],
-		token_endpoint_auth_signing_alg_values_supported: [...ASSERTION_SIGNING_ALGORITHMS],
+		token_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
 		introspection_endpoint_auth_methods_supported: [
 			"client_secret_basic",
 			"client_secret_post",
 			"private_key_jwt"
 		],
-		introspection_endpoint_auth_signing_alg_values_supported: [...ASSERTION_SIGNING_ALGORITHMS],
+		introspection_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
 		revocation_endpoint_auth_methods_supported: [
 			"client_secret_basic",
 			"client_secret_post",
 			"private_key_jwt"
 		],
-		revocation_endpoint_auth_signing_alg_values_supported: [...ASSERTION_SIGNING_ALGORITHMS],
+		revocation_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
 		code_challenge_methods_supported: ["S256"],
 		authorization_response_iss_parameter_supported: true
 	};
@@ -4233,6 +4457,7 @@ function oidcServerMetadata(ctx, opts) {
 	return {
 		...authServerMetadata(ctx, jwtPluginOptions, {
 			scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+			dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
 			public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
 			grant_types_supported: opts.grantTypes,
 			jwt_disabled: opts.disableJwtPlugin