@better-auth/oauth-provider 1.7.0-beta.3 → 1.7.0-beta.4

package/dist/index.mjs

@@ -1,11 +1,11 @@
-import { n as isPrivateHostname } from "./client-assertion-BYtMWGCE.mjs";
+import { n as isPrivateHostname } from "./client-assertion-DLMKVgoj.mjs";
 import { n as mcpHandler } from "./mcp-CYnz-MXn.mjs";
-import { C as validateClientCredentials, S as toClientDiscoveryArray, _ as resolveSubjectIdentifier, a as getJwtPlugin, b as storeClientSecret, c as getStoredToken, d as normalizeTimestampValue, f as parseClientMetadata, g as resolveSessionAuthTime, h as removePromptFromQuery, i as getClient, l as isPKCERequired, m as postLoginClearedParam, n as destructureCredentials, p as parsePrompt, r as extractClientCredentials, s as getSignedQueryIssuedAt, t as decryptStoredClientSecret, u as mergeDiscoveryMetadata, v as searchParamsToQuery, w as verifyOAuthQueryParams, x as storeToken, y as signedQueryIssuedAtParam } from "./utils-_Jr_enAe.mjs";
-import { t as PACKAGE_VERSION } from "./version-CG1YnCiF.mjs";
+import { C as toAudienceClaim, D as verifyOAuthQueryParams, E as validateClientCredentials, S as storeToken, T as toResourceList, _ as resolveSessionAuthTime, a as getClient, b as signedQueryIssuedAtParam, c as getSignedQueryIssuedAt, d as mergeDiscoveryMetadata, f as normalizeTimestampValue, g as removePromptFromQuery, h as postLoginClearedParam, i as extractClientCredentials, l as getStoredToken, m as parsePrompt, n as decryptStoredClientSecret, o as getJwtPlugin, p as parseClientMetadata, r as destructureCredentials, t as checkResource, u as isPKCERequired, v as resolveSubjectIdentifier, w as toClientDiscoveryArray, x as storeClientSecret, y as searchParamsToQuery } from "./utils-DKBWQ8fe.mjs";
+import { t as PACKAGE_VERSION } from "./version-nFnRm-a3.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
-import { ASSERTION_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
+import { PRIVATE_KEY_JWT_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
 import { isBrowserFetchRequest } from "@better-auth/core/utils/fetch-metadata";
 import { isLoopbackHost, isLoopbackIP } from "@better-auth/core/utils/host";
 import { generateRandomString, makeSignature } from "better-auth/crypto";
@@ -17,6 +17,7 @@ import { mergeSchema } from "better-auth/db";
 import * as z from "zod";
 import { resolveSigningKey, signJWT, toExpJWT } from "better-auth/plugins";
 import { SignJWT, base64url, compactVerify, createLocalJWKSet, decodeJwt, decodeProtectedHeader } from "jose";
+import { SafeUrlSchema } from "@better-auth/core/utils/redirect-uri";
 //#region src/consent.ts
 async function consentEndpoint(ctx, opts) {
 	const oauthRequest = await oAuthState.get();
@@ -78,12 +79,14 @@ async function consentEndpoint(ctx, opts) {
 		]
 	});
 	const iat = Math.floor(Date.now() / 1e3);
+	const resource = query.getAll("resource");
 	const consent = {
 		clientId,
 		userId: session?.user.id,
 		scopes: requestedScopes ?? originalRequestedScopes,
 		createdAt: /* @__PURE__ */ new Date(iat * 1e3),
 		updatedAt: /* @__PURE__ */ new Date(iat * 1e3),
+		resources: resource.length ? resource : void 0,
 		referenceId
 	};
 	foundConsent?.id ? await ctx.context.adapter.update({
@@ -93,6 +96,7 @@ async function consentEndpoint(ctx, opts) {
 			value: foundConsent.id
 		}],
 		update: {
+			resources: consent.resources,
 			scopes: consent.scopes,
 			updatedAt: /* @__PURE__ */ new Date(iat * 1e3)
 		}
@@ -177,11 +181,6 @@ async function postLogin(ctx, opts) {
 }
 //#endregion
 //#region src/types/zod.ts
-const DANGEROUS_SCHEMES = [
-	"javascript:",
-	"data:",
-	"vbscript:"
-];
 /**
 * Runtime schema for OAuthAuthorizationQuery.
 * Uses passthrough to tolerate fields added by future extensions (PAR, FPA, etc.)
@@ -202,7 +201,8 @@ const oauthAuthorizationQuerySchema = z.object({
 	id_token_hint: z.string().optional(),
 	code_challenge: z.string().optional(),
 	code_challenge_method: z.literal("S256").optional(),
-	nonce: z.string().optional()
+	nonce: z.string().optional(),
+	resource: z.union([z.string(), z.array(z.string())]).optional()
 }).passthrough();
 /**
 * Runtime schema for the authorization code verification value.
@@ -215,34 +215,40 @@ const verificationValueSchema = z.object({
 	sessionId: z.string(),
 	userId: z.string(),
 	referenceId: z.string().optional(),
-	authTime: z.number().optional()
+	authTime: z.number().optional(),
+	resource: z.array(z.string()).optional()
 }).passthrough();
+const DANGEROUS_SCHEMES = [
+	"javascript:",
+	"data:",
+	"vbscript:"
+];
 /**
-* Reusable URL validation for OAuth redirect URIs.
-* - Blocks dangerous schemes (javascript:, data:, vbscript:)
-* - For http/https: requires HTTPS (HTTP allowed only for loopback hosts: 127.0.0.0/8, [::1], *.localhost per RFC 6761)
-* - Allows custom schemes for mobile apps (e.g., myapp://callback)
+* Validates an RFC 8707 resource indicator. The value must be an absolute URI
+* with no fragment (RFC 8707 §2). Unlike a redirect URI it is not restricted to
+* HTTPS, because a resource server identifier may use any absolute URI scheme;
+* the configured `validAudiences` allowlist is the authoritative control over
+* which resources a token may target.
 */
-const SafeUrlSchema = z.url().superRefine((val, ctx) => {
+const ResourceUriSchema = z.string().superRefine((val, ctx) => {
 	if (!URL.canParse(val)) {
 		ctx.addIssue({
 			code: "custom",
-			message: "URL must be parseable",
+			message: "resource must be an absolute URI",
 			fatal: true
 		});
 		return z.NEVER;
 	}
-	const u = new URL(val);
-	if (DANGEROUS_SCHEMES.includes(u.protocol)) {
+	if (val.includes("#")) {
 		ctx.addIssue({
 			code: "custom",
-			message: "URL cannot use javascript:, data:, or vbscript: scheme"
+			message: "resource must not contain a fragment"
 		});
 		return;
 	}
-	if (u.protocol === "http:" && !isLoopbackHost(u.host)) ctx.addIssue({
+	if (DANGEROUS_SCHEMES.includes(new URL(val).protocol)) ctx.addIssue({
 		code: "custom",
-		message: "Redirect URI must use HTTPS (HTTP allowed only for loopback hosts)"
+		message: "resource cannot use javascript:, data:, or vbscript: scheme"
 	});
 });
 //#endregion
@@ -331,13 +337,13 @@ async function tokenEndpoint(ctx, opts) {
 		case "refresh_token": return handleRefreshTokenGrant(ctx, opts);
 	}
 }
-async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, referenceId, overrides) {
+async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, resources, referenceId, overrides) {
 	const iat = overrides?.iat ?? Math.floor(Date.now() / 1e3);
 	const exp = overrides?.exp ?? iat + (opts.accessTokenExpiresIn ?? 3600);
 	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
 		user,
 		scopes,
-		resource: ctx.body.resource,
+		resources,
 		referenceId,
 		metadata: parseClientMetadata(client.metadata)
 	}) : {};
@@ -347,7 +353,7 @@ async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, r
 		payload: {
 			...customClaims,
 			sub: user?.id,
-			aud: typeof audience === "string" ? audience : audience?.length === 1 ? audience.at(0) : audience,
+			aud: toAudienceClaim(audience),
 			azp: client.clientId,
 			scope: scopes.join(" "),
 			sid: overrides?.sid,
@@ -438,7 +444,7 @@ async function decodeRefreshToken(opts, token) {
 	});
 	return opts.formatRefreshToken?.decrypt ? opts.formatRefreshToken?.decrypt(token) : { token };
 }
-async function createOpaqueAccessToken(ctx, opts, user, client, scopes, payload, referenceId, refreshId) {
+async function createOpaqueAccessToken(ctx, opts, user, client, scopes, payload, resources, referenceId, refreshId) {
 	const iat = payload.iat ?? Math.floor(Date.now() / 1e3);
 	const exp = payload?.exp ?? iat + (opts.accessTokenExpiresIn ?? 3600);
 	const token = opts.generateOpaqueAccessToken ? await opts.generateOpaqueAccessToken() : generateRandomString(32, "A-Z", "a-z");
@@ -450,6 +456,7 @@ async function createOpaqueAccessToken(ctx, opts, user, client, scopes, payload,
 			sessionId: payload?.sid,
 			userId: user?.id,
 			referenceId,
+			resources,
 			refreshId,
 			scopes,
 			createdAt: /* @__PURE__ */ new Date(iat * 1e3),
@@ -458,54 +465,100 @@ async function createOpaqueAccessToken(ctx, opts, user, client, scopes, payload,
 	});
 	return (opts.prefix?.opaqueAccessToken ?? "") + token;
 }
-async function createRefreshToken(ctx, opts, user, referenceId, client, scopes, payload, originalRefresh, authTime) {
+/**
+* Tear down the entire refresh-token family for a (client, user) pair, plus
+* any access tokens that reference those refresh rows, per RFC 9700 §4.14.
+* Access tokens are deleted first so the parent rows' foreign-key children
+* do not block the refresh-row delete.
+*
+* TODO(invalidate-family-race): the two `deleteMany` calls are not atomic
+* with respect to each other. Between them, a concurrent rotation in a
+* different worker can `create` a fresh refresh row (and, immediately after,
+* an access-token row referencing it) for the same (client, user) pair,
+* leaving the family partially rebuilt and the new refresh row orphaned of
+* any deletion. Closing this window requires the same transactional adapter
+* contract tracked under FIXME(strict-family-invalidation) in
+* `createRefreshToken`.
+*
+* @internal
+*/
+async function invalidateRefreshFamily(ctx, clientId, userId) {
+	const refreshTokens = await ctx.context.adapter.findMany({
+		model: "oauthRefreshToken",
+		where: [{
+			field: "clientId",
+			value: clientId
+		}, {
+			field: "userId",
+			value: userId
+		}]
+	});
+	if (refreshTokens.length) await ctx.context.adapter.deleteMany({
+		model: "oauthAccessToken",
+		where: [{
+			field: "refreshId",
+			operator: "in",
+			value: refreshTokens.map((r) => r.id)
+		}]
+	});
+	await ctx.context.adapter.deleteMany({
+		model: "oauthRefreshToken",
+		where: [{
+			field: "clientId",
+			value: clientId
+		}, {
+			field: "userId",
+			value: userId
+		}]
+	});
+}
+async function createRefreshToken(ctx, opts, user, referenceId, client, scopes, payload, originalRefresh, authTime, resources) {
 	const iat = payload.iat ?? Math.floor(Date.now() / 1e3);
 	const exp = payload?.exp ?? iat + (opts.refreshTokenExpiresIn ?? 2592e3);
 	const token = opts.generateRefreshToken ? await opts.generateRefreshToken() : generateRandomString(32, "A-Z", "a-z");
 	const sessionId = payload?.sid;
-	if (originalRefresh?.id) await ctx.context.adapter.update({
+	const newRow = {
+		token: await storeToken(opts.storeTokens, token, "refresh_token"),
+		clientId: client.clientId,
+		sessionId,
+		userId: user.id,
+		referenceId,
+		authTime,
+		scopes,
+		resources,
+		createdAt: /* @__PURE__ */ new Date(iat * 1e3),
+		expiresAt: /* @__PURE__ */ new Date(exp * 1e3)
+	};
+	if (!originalRefresh?.id) return {
+		id: (await ctx.context.adapter.create({
+			model: "oauthRefreshToken",
+			data: newRow
+		})).id,
+		token: await encodeRefreshToken(opts, token, sessionId)
+	};
+	if (!await ctx.context.adapter.update({
 		model: "oauthRefreshToken",
 		where: [{
 			field: "id",
 			value: originalRefresh.id
+		}, {
+			field: "revoked",
+			operator: "eq",
+			value: null
 		}],
 		update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
+	})) throw new APIError("BAD_REQUEST", {
+		error_description: "invalid refresh token",
+		error: "invalid_grant"
 	});
 	return {
 		id: (await ctx.context.adapter.create({
 			model: "oauthRefreshToken",
-			data: {
-				token: await storeToken(opts.storeTokens, token, "refresh_token"),
-				clientId: client.clientId,
-				sessionId,
-				userId: user.id,
-				referenceId,
-				authTime,
-				scopes,
-				createdAt: /* @__PURE__ */ new Date(iat * 1e3),
-				expiresAt: /* @__PURE__ */ new Date(exp * 1e3)
-			}
+			data: newRow
 		})).id,
 		token: await encodeRefreshToken(opts, token, sessionId)
 	};
 }
-/**
-* Checks the resource parameter, if provided,
-* and returns a valid audience based on the request
-*/
-async function checkResource(ctx, opts, scopes) {
-	const resource = ctx.body.resource;
-	const audience = typeof resource === "string" ? [resource] : resource ? [...resource] : void 0;
-	if (audience) {
-		if (scopes.includes("openid")) audience.push(`${ctx.context.baseURL}/oauth2/userinfo`);
-		const validAudiences = new Set([...opts.validAudiences ?? [ctx.context.baseURL], scopes?.includes("openid") ? `${ctx.context.baseURL}/oauth2/userinfo` : void 0].flat().filter((v) => v?.length));
-		for (const aud of audience) if (!validAudiences.has(aud)) throw new APIError("BAD_REQUEST", {
-			error_description: "requested resource invalid",
-			error: "invalid_request"
-		});
-	}
-	return audience?.length === 1 ? audience.at(0) : audience;
-}
 async function createUserTokens(ctx, opts, params) {
 	const { client, scopes, user, grantType, referenceId, sessionId, nonce, refreshToken: existingRefreshToken, authTime, verificationValue } = params;
 	const iat = Math.floor(Date.now() / 1e3);
@@ -513,7 +566,12 @@ async function createUserTokens(ctx, opts, params) {
 	const exp = opts.scopeExpirations ? scopes.map((sc) => opts.scopeExpirations?.[sc] ? toExpJWT(opts.scopeExpirations[sc], iat) : defaultExp).reduce((prev, curr) => {
 		return prev < curr ? prev : curr;
 	}, defaultExp) : defaultExp;
-	const audience = await checkResource(ctx, opts, scopes);
+	const resourceResult = await checkResource(ctx, opts, params?.resources, scopes);
+	if (!resourceResult.success) throw new APIError("BAD_REQUEST", {
+		error_description: "requested resource invalid",
+		error: "invalid_target"
+	});
+	const audience = resourceResult.audience;
 	const isRefreshToken = user && (existingRefreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access"));
 	const isJwtAccessToken = audience && !opts.disableJwtPlugin;
 	const isIdToken = user && scopes.includes("openid");
@@ -524,12 +582,13 @@ async function createUserTokens(ctx, opts, params) {
 		metadata: parseClientMetadata(client.metadata),
 		verificationValue
 	}) : void 0;
+	const refreshResources = params?.refreshToken?.resources ?? params?.originalResources ?? params?.resources;
 	const earlyRefreshToken = isRefreshToken && user && !isJwtAccessToken ? await createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
 		iat,
 		exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
 		sid: sessionId
-	}, existingRefreshToken, authTime) : void 0;
-	const [accessToken, refreshToken] = await Promise.all([isJwtAccessToken ? createJwtAccessToken(ctx, opts, user, client, audience, scopes, referenceId, {
+	}, existingRefreshToken, authTime, refreshResources) : void 0;
+	const [accessToken, refreshToken] = await Promise.all([isJwtAccessToken ? createJwtAccessToken(ctx, opts, user, client, audience, scopes, params?.resources, referenceId, {
 		iat,
 		exp,
 		sid: sessionId
@@ -537,11 +596,11 @@ async function createUserTokens(ctx, opts, params) {
 		iat,
 		exp,
 		sid: sessionId
-	}, referenceId, earlyRefreshToken?.id), earlyRefreshToken ? earlyRefreshToken : isRefreshToken && user ? createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
+	}, params?.resources, referenceId, earlyRefreshToken?.id), earlyRefreshToken ? earlyRefreshToken : isRefreshToken && user ? createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
 		iat,
 		exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
 		sid: sessionId
-	}, existingRefreshToken, authTime) : void 0]);
+	}, existingRefreshToken, authTime, refreshResources) : void 0]);
 	const idToken = isIdToken ? await createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime, accessToken) : void 0;
 	return ctx.json({
 		...customFields,
@@ -558,16 +617,11 @@ async function createUserTokens(ctx, opts, params) {
 	} });
 }
 /** Checks verification value */
-async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri) {
-	const verification = await ctx.context.internalAdapter.findVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
+async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri, resource) {
+	const verification = await ctx.context.internalAdapter.consumeVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
 	if (!verification) throw new APIError("UNAUTHORIZED", {
-		error_description: "Invalid code",
-		error: "invalid_verification"
-	});
-	await ctx.context.internalAdapter.deleteVerificationByIdentifier(await storeToken(opts.storeTokens, code, "authorization_code"));
-	if (!verification.expiresAt || verification.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("UNAUTHORIZED", {
-		error_description: "code expired",
-		error: "invalid_verification"
+		error_description: "invalid code",
+		error: "invalid_grant"
 	});
 	let rawValue;
 	try {
@@ -575,13 +629,13 @@ async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri)
 	} catch {
 		throw new APIError("UNAUTHORIZED", {
 			error_description: "malformed verification value",
-			error: "invalid_verification"
+			error: "invalid_grant"
 		});
 	}
 	const parsed = verificationValueSchema.safeParse(rawValue);
 	if (!parsed.success) throw new APIError("UNAUTHORIZED", {
 		error_description: "malformed verification value",
-		error: "invalid_verification"
+		error: "invalid_grant"
 	});
 	const verificationValue = parsed.data;
 	if (verificationValue.query.client_id !== client_id) throw new APIError("UNAUTHORIZED", {
@@ -592,14 +646,29 @@ async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri)
 		error_description: "redirect_uri mismatch",
 		error: "invalid_request"
 	});
-	return verificationValue;
+	const storedResources = toResourceList(verificationValue.resource) ?? toResourceList(verificationValue.query.resource);
+	const effectiveResources = resource ?? storedResources;
+	if (resource && storedResources) {
+		const requestedSet = new Set(resource);
+		const authorizedSet = new Set(storedResources);
+		for (const r of requestedSet) if (!authorizedSet.has(r)) throw new APIError("BAD_REQUEST", {
+			error_description: "requested resource not authorized",
+			error: "invalid_target"
+		});
+	}
+	return {
+		verificationValue,
+		effectiveResources,
+		authorizedResources: storedResources
+	};
 }
 /**
 * Obtains new Session Jwt and Refresh Tokens using a code
 */
 async function handleAuthorizationCodeGrant(ctx, opts) {
 	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
-	const { code, code_verifier, redirect_uri } = ctx.body;
+	const { code, code_verifier, redirect_uri, resource } = ctx.body;
+	const resources = toResourceList(resource);
 	if (!client_id) throw new APIError("BAD_REQUEST", {
 		error_description: "client_id is required",
 		error: "invalid_request"
@@ -619,7 +688,7 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 		error: "invalid_request"
 	});
 	/** Get and check Verification Value */
-	const verificationValue = await checkVerificationValue(ctx, opts, code, client_id, redirect_uri);
+	const { verificationValue, effectiveResources, authorizedResources } = await checkVerificationValue(ctx, opts, code, client_id, redirect_uri, resources);
 	const scopes = verificationValue.query.scope?.split(" ");
 	if (!scopes) throw new APIError("INTERNAL_SERVER_ERROR", {
 		error_description: "verification scope unset",
@@ -684,7 +753,9 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 		sessionId: session.id,
 		nonce: verificationValue.query?.nonce,
 		authTime,
-		verificationValue
+		verificationValue,
+		resources: effectiveResources,
+		originalResources: authorizedResources
 	});
 }
 /**
@@ -695,7 +766,8 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 */
 async function handleClientCredentialsGrant(ctx, opts) {
 	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
-	const { scope } = ctx.body;
+	const { scope, resource } = ctx.body;
+	const resources = toResourceList(resource);
 	if (!client_id) throw new APIError("BAD_REQUEST", {
 		error_description: "Missing required client_id",
 		error: "invalid_grant"
@@ -726,7 +798,8 @@ async function handleClientCredentialsGrant(ctx, opts) {
 	return createUserTokens(ctx, opts, {
 		client,
 		scopes: requestedScopes,
-		grantType: "client_credentials"
+		grantType: "client_credentials",
+		resources
 	});
 }
 /**
@@ -737,7 +810,8 @@ async function handleClientCredentialsGrant(ctx, opts) {
 */
 async function handleRefreshTokenGrant(ctx, opts) {
 	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
-	const { refresh_token, scope } = ctx.body;
+	const { refresh_token, scope, resource } = ctx.body;
+	const resources = toResourceList(resource);
 	if (!client_id) throw new APIError("BAD_REQUEST", {
 		error_description: "Missing required client_id",
 		error: "invalid_grant"
@@ -767,21 +841,16 @@ async function handleRefreshTokenGrant(ctx, opts) {
 		error: "invalid_grant"
 	});
 	if (refreshToken.revoked) {
-		await ctx.context.adapter.deleteMany({
-			model: "oauthRefreshToken",
-			where: [{
-				field: "clientId",
-				value: client_id
-			}, {
-				field: "userId",
-				value: refreshToken.userId
-			}]
-		});
+		await invalidateRefreshFamily(ctx, client_id, refreshToken.userId);
 		throw new APIError("BAD_REQUEST", {
 			error_description: "invalid refresh token",
 			error: "invalid_grant"
 		});
 	}
+	if (resources && refreshToken.resources && !resources.every((v) => refreshToken.resources?.includes(v))) throw new APIError("BAD_REQUEST", {
+		error_description: "requested resource invalid",
+		error: "invalid_target"
+	});
 	const scopes = refreshToken?.scopes;
 	const requestedScopes = scope?.split(" ");
 	if (requestedScopes) {
@@ -806,6 +875,7 @@ async function handleRefreshTokenGrant(ctx, opts) {
 		referenceId: refreshToken.referenceId,
 		sessionId: refreshToken.sessionId,
 		refreshToken,
+		resources: resources ?? refreshToken.resources,
 		authTime
 	});
 }
@@ -913,10 +983,17 @@ async function validateOpaqueAccessToken(ctx, opts, token, clientId) {
 	}
 	let user;
 	if (accessToken.userId) user = await ctx.context.internalAdapter.findUserById(accessToken?.userId);
+	const resources = Array.isArray(accessToken.resources) ? accessToken.resources : void 0;
+	const audience = resources ? [...resources] : void 0;
+	if (audience?.length && accessToken.scopes?.includes("openid")) {
+		const userInfoEndpoint = `${ctx.context.baseURL}/oauth2/userinfo`;
+		if (!audience.includes(userInfoEndpoint)) audience.push(userInfoEndpoint);
+	}
 	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
 		user,
 		scopes: accessToken.scopes,
 		referenceId: accessToken?.referenceId,
+		resources,
 		metadata: parseClientMetadata(client?.metadata)
 	}) : {};
 	const jwtPluginOptions = (opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context))?.options;
@@ -924,6 +1001,7 @@ async function validateOpaqueAccessToken(ctx, opts, token, clientId) {
 		...customClaims,
 		active: true,
 		iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
+		aud: toAudienceClaim(audience),
 		client_id: accessToken.clientId,
 		sub: user?.id,
 		sid: sessionId,
@@ -1287,6 +1365,28 @@ const publicSessionMiddleware = (opts) => createAuthMiddleware(async (ctx) => {
 	if (!await verifyOAuthQueryParams(query, ctx.context.secret)) throw new APIError("UNAUTHORIZED", { error: "invalid_signature" });
 });
 //#endregion
+//#region src/oauthClient/privileges.ts
+/**
+* Authorizes a client action against the configured `clientPrivileges` hook.
+*
+* This is the single authorization helper for every OAuth client mutation. The
+* create path enforces it at the shared creation chokepoint so that no
+* registration route can reach client persistence without it.
+*
+* @throws APIError UNAUTHORIZED when there is no session or the hook denies the action.
+* @throws APIError BAD_REQUEST when the request carries no headers.
+*/
+async function assertClientPrivileges(ctx, session, opts, action) {
+	if (!session) throw new APIError("UNAUTHORIZED");
+	if (!ctx.headers) throw new APIError("BAD_REQUEST");
+	if (opts.clientPrivileges && !await opts.clientPrivileges({
+		headers: ctx.headers,
+		action,
+		session: session.session,
+		user: session.user
+	})) throw new APIError("UNAUTHORIZED");
+}
+//#endregion
 //#region src/register.ts
 /**
 * Resolves the auth method and type for unauthenticated DCR.
@@ -1422,6 +1522,9 @@ async function checkOAuthClient(client, opts, settings) {
 async function createOAuthClientEndpoint(ctx, opts, settings) {
 	const body = ctx.body;
 	const session = await getSessionFromCtx(ctx);
+	if (settings.isRegister) {
+		if (session) await assertClientPrivileges(ctx, session, opts, "create");
+	} else await assertClientPrivileges(ctx, session, opts, "create");
 	const isPublic = body.token_endpoint_auth_method === "none";
 	const isPrivateKeyJwt = body.token_endpoint_auth_method === "private_key_jwt";
 	await checkOAuthClient(ctx.body, opts, {
@@ -1767,16 +1870,6 @@ async function rotateClientSecretEndpoint(ctx, opts) {
 		clientSecret: (opts.prefix?.clientSecret ?? "") + clientSecret
 	});
 }
-async function assertClientPrivileges(ctx, session, opts, action) {
-	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action,
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
-}
 //#endregion
 //#region src/oauthClient/index.ts
 const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/create-client", {
@@ -1800,7 +1893,7 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 			"client_secret_post",
 			"private_key_jwt"
 		]).default("client_secret_basic").optional(),
-		jwks: z.union([z.array(z.record(z.string(), z.unknown())), z.object({ keys: z.array(z.record(z.string(), z.unknown())) })]).optional(),
+		jwks: z.union([z.array(z.record(z.string(), z.unknown())).min(1), z.object({ keys: z.array(z.record(z.string(), z.unknown())).min(1) })]).optional(),
 		jwks_uri: z.string().optional(),
 		grant_types: z.array(z.enum([
 			"authorization_code",
@@ -1962,7 +2055,6 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 		}
 	}
 }, async (ctx) => {
-	await assertClientPrivileges(ctx, await getSessionFromCtx(ctx), opts, "create");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
 });
 const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client", {
@@ -1987,7 +2079,7 @@ const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client",
 			"client_secret_post",
 			"private_key_jwt"
 		]).default("client_secret_basic").optional(),
-		jwks: z.union([z.array(z.record(z.string(), z.unknown())), z.object({ keys: z.array(z.record(z.string(), z.unknown())) })]).optional(),
+		jwks: z.union([z.array(z.record(z.string(), z.unknown())).min(1), z.object({ keys: z.array(z.record(z.string(), z.unknown())).min(1) })]).optional(),
 		jwks_uri: z.string().optional(),
 		grant_types: z.array(z.enum([
 			"authorization_code",
@@ -2135,7 +2227,6 @@ const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client",
 		} }
 	} }
 }, async (ctx) => {
-	await assertClientPrivileges(ctx, await getSessionFromCtx(ctx), opts, "create");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
 });
 const getOAuthClient = (opts) => createAuthEndpoint("/oauth2/get-client", {
@@ -2339,12 +2430,12 @@ async function updateConsentEndpoint(ctx, opts) {
 		error_description: "no consent",
 		error: "not_found"
 	});
+	if (consent.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
 	const client = await getClient(ctx, opts, consent.clientId);
-	if (!consent) throw new APIError("NOT_FOUND", {
-		error_description: "no consent",
+	if (!client) throw new APIError("NOT_FOUND", {
+		error_description: "client not found",
 		error: "not_found"
 	});
-	if (consent.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
 	const allowedScopes = client?.scopes ?? opts.scopes ?? [];
 	const updates = ctx.body.update;
 	const scopes = updates.scopes;
@@ -2492,16 +2583,7 @@ async function revokeRefreshToken(ctx, opts, token, clientId) {
 		error: "invalid_request"
 	});
 	if (refreshToken.revoked) {
-		await ctx.context.adapter.deleteMany({
-			model: "oauthRefreshToken",
-			where: [{
-				field: "clientId",
-				value: clientId
-			}, {
-				field: "userId",
-				value: refreshToken.userId
-			}]
-		});
+		await invalidateRefreshFamily(ctx, clientId, refreshToken.userId);
 		throw new APIError$1("BAD_REQUEST", {
 			error_description: "refresh token revoked",
 			error: "invalid_request"
@@ -2509,20 +2591,31 @@ async function revokeRefreshToken(ctx, opts, token, clientId) {
 	}
 	if (!refreshToken.clientId || refreshToken.clientId !== clientId) return null;
 	const iat = Math.floor(Date.now() / 1e3);
-	await Promise.allSettled([ctx.context.adapter.deleteMany({
-		model: "oauthAccessToken",
-		where: [{
-			field: "refreshId",
-			value: refreshToken.id
-		}]
-	}), ctx.context.adapter.update({
+	if (!await ctx.context.adapter.update({
 		model: "oauthRefreshToken",
 		where: [{
 			field: "id",
 			value: refreshToken.id
+		}, {
+			field: "revoked",
+			operator: "eq",
+			value: null
 		}],
 		update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
-	})]);
+	})) {
+		await invalidateRefreshFamily(ctx, clientId, refreshToken.userId);
+		throw new APIError$1("BAD_REQUEST", {
+			error_description: "refresh token revoked",
+			error: "invalid_request"
+		});
+	}
+	await ctx.context.adapter.deleteMany({
+		model: "oauthAccessToken",
+		where: [{
+			field: "refreshId",
+			value: refreshToken.id
+		}]
+	});
 }
 /**
 * We don't know the access token format so we try to validate it
@@ -2736,7 +2829,8 @@ const schema = {
 	oauthRefreshToken: { fields: {
 		token: {
 			type: "string",
-			required: true
+			required: true,
+			unique: true
 		},
 		clientId: {
 			type: "string",
@@ -2770,6 +2864,10 @@ const schema = {
 			type: "string",
 			required: false
 		},
+		resources: {
+			type: "string[]",
+			required: false
+		},
 		expiresAt: { type: "date" },
 		createdAt: { type: "date" },
 		revoked: {
@@ -2824,6 +2922,10 @@ const schema = {
 				type: "string",
 				required: false
 			},
+			resources: {
+				type: "string[]",
+				required: false
+			},
 			refreshId: {
 				type: "string",
 				required: false,
@@ -2866,6 +2968,10 @@ const schema = {
 				type: "string",
 				required: false
 			},
+			resources: {
+				type: "string[]",
+				required: false
+			},
 			scopes: {
 				type: "string[]",
 				required: true
@@ -2943,10 +3049,55 @@ const oauthProvider = (options) => {
 	if (opts.grantTypes && opts.grantTypes.includes("refresh_token") && !opts.grantTypes.includes("authorization_code")) throw new BetterAuthError("refresh_token grant requires authorization_code grant");
 	if (opts.disableJwtPlugin && (opts.storeClientSecret === "hashed" || typeof opts.storeClientSecret === "object" && "hash" in opts.storeClientSecret)) throw new BetterAuthError("unable to store hashed secrets because id tokens will be signed with secret");
 	if (!opts.disableJwtPlugin && (opts.storeClientSecret === "encrypted" || typeof opts.storeClientSecret === "object" && ("encrypt" in opts.storeClientSecret || "decrypt" in opts.storeClientSecret))) throw new BetterAuthError("encryption method not recommended, please use 'hashed' or the 'hash' function");
+	const handleIssuerMetadataRequest = async (request, ctx) => {
+		const requestPathname = new URL(request.url).pathname;
+		const requestPath = ctx.options.advanced?.skipTrailingSlashes ? requestPathname.replace(/\/+$/, "") || "/" : requestPathname;
+		const issuer = opts.disableJwtPlugin ? ctx.baseURL : getJwtPlugin(ctx)?.options?.jwt?.issuer ?? ctx.baseURL;
+		let issuerPath = "/";
+		try {
+			issuerPath = new URL(issuer).pathname.replace(/\/$/, "") || "";
+		} catch {
+			issuerPath = new URL(ctx.baseURL).pathname.replace(/\/$/, "") || "";
+		}
+		const endpointCtx = { context: ctx };
+		const authServerMetadataPaths = new Set([`/.well-known/oauth-authorization-server${issuerPath}`, `${issuerPath}/.well-known/oauth-authorization-server`]);
+		const openIdConfigPath = `${issuerPath}/.well-known/openid-configuration`;
+		const isAuthServerMetadataRequest = authServerMetadataPaths.has(requestPath);
+		const isOpenIdConfigRequest = opts.scopes?.includes("openid") && requestPath === openIdConfigPath;
+		const createMetadataResponse = (metadata) => {
+			const response = metadataResponse(metadata);
+			if (request.method === "HEAD") return new Response(null, {
+				status: response.status,
+				headers: response.headers
+			});
+			return response;
+		};
+		if (isAuthServerMetadataRequest || isOpenIdConfigRequest) {
+			if (request.method !== "GET" && request.method !== "HEAD") return { response: new Response(null, {
+				status: 405,
+				headers: { Allow: "GET, HEAD" }
+			}) };
+		}
+		if (isAuthServerMetadataRequest) {
+			if (opts.scopes?.includes("openid")) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
+			return { response: createMetadataResponse({
+				...authServerMetadata(endpointCtx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx)?.options, {
+					scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+					dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
+					public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
+					grant_types_supported: opts.grantTypes,
+					jwt_disabled: opts.disableJwtPlugin
+				}),
+				...mergeDiscoveryMetadata(opts.clientDiscovery)
+			}) };
+		}
+		if (isOpenIdConfigRequest) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
+	};
 	return {
 		id: "oauth-provider",
 		version: PACKAGE_VERSION,
 		options: opts,
+		onRequest: handleIssuerMetadataRequest,
 		init: (ctx) => {
 			if (ctx.options.secondaryStorage && ctx.options.session?.storeSessionInDatabase !== true) throw new BetterAuthError("OAuth Provider requires `session.storeSessionInDatabase: true` when using secondaryStorage");
 			if (!opts.disableJwtPlugin) {
@@ -3021,6 +3172,7 @@ const oauthProvider = (options) => {
 				else return {
 					...authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context)?.options, {
 						scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+						dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
 						public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
 						grant_types_supported: opts.grantTypes,
 						jwt_disabled: opts.disableJwtPlugin
@@ -3047,6 +3199,7 @@ const oauthProvider = (options) => {
 					code_challenge: z.string().optional(),
 					code_challenge_method: z.string().pipe(z.enum(["S256"])).optional(),
 					nonce: z.string().optional(),
+					resource: z.union([ResourceUriSchema, z.array(ResourceUriSchema).min(1)]).optional(),
 					prompt: z.string().pipe(z.enum([
 						"none",
 						"consent",
@@ -3058,7 +3211,10 @@ const oauthProvider = (options) => {
 					])).optional()
 				}),
 				redirectOnError: authorizeRedirectOnError(opts),
-				errorCodesByField: { response_type: { invalid: "unsupported_response_type" } },
+				errorCodesByField: {
+					response_type: { invalid: "unsupported_response_type" },
+					resource: { invalid: "invalid_target" }
+				},
 				metadata: { openapi: {
 					description: "Authorize an OAuth2 request",
 					parameters: [
@@ -3128,6 +3284,16 @@ const oauthProvider = (options) => {
 							schema: { type: "string" },
 							description: "OpenID Connect nonce"
 						},
+						{
+							name: "resource",
+							in: "query",
+							required: false,
+							schema: {
+								type: "array",
+								items: { type: "string" }
+							},
+							description: "Requested token resource(s) (ie audience) to obtain a JWT formatted access token. May be supplied multiple times as repeated 'resource' query parameters (RFC 8707) or as an array of strings."
+						},
 						{
 							name: "prompt",
 							in: "query",
@@ -3233,13 +3399,16 @@ const oauthProvider = (options) => {
 					code_verifier: z.string().optional(),
 					redirect_uri: SafeUrlSchema.optional(),
 					refresh_token: z.string().optional(),
-					resource: z.string().optional(),
+					resource: z.union([ResourceUriSchema, z.array(ResourceUriSchema).min(1)]).optional(),
 					scope: z.string().optional()
 				}),
-				errorCodesByField: { grant_type: {
-					missing: "invalid_request",
-					invalid: "unsupported_grant_type"
-				} },
+				errorCodesByField: {
+					grant_type: {
+						missing: "invalid_request",
+						invalid: "unsupported_grant_type"
+					},
+					resource: { invalid: "invalid_target" }
+				},
 				metadata: {
 					allowedMediaTypes: ["application/x-www-form-urlencoded"],
 					openapi: {
@@ -3284,8 +3453,15 @@ const oauthProvider = (options) => {
 										description: "Refresh token (for refresh_token grant)"
 									},
 									resource: {
-										type: "string",
-										description: "Requested token resource (ie audience) to obtain a JWT formatted access token"
+										oneOf: [{
+											type: "string",
+											description: "Single resource (URL)"
+										}, {
+											type: "array",
+											items: { type: "string" },
+											description: "Multiple resources (URLs)"
+										}],
+										description: "Requested token resource(s) (ie audience) to obtain a JWT formatted access token"
 									},
 									scope: {
 										type: "string",
@@ -3386,10 +3562,6 @@ const oauthProvider = (options) => {
 									token_type_hint: {
 										type: "string",
 										description: "Hint about the token type. Recognized values: `access_token`, `refresh_token`."
-									},
-									resource: {
-										type: "string",
-										description: "Introspects a token for a specific resource."
 									}
 								},
 								required: ["token"]
@@ -3677,7 +3849,7 @@ const oauthProvider = (options) => {
 						"client_secret_post",
 						"private_key_jwt"
 					]).default("client_secret_basic").optional(),
-					jwks: z.union([z.array(z.record(z.string(), z.unknown())), z.object({ keys: z.array(z.record(z.string(), z.unknown())) })]).optional(),
+					jwks: z.union([z.array(z.record(z.string(), z.unknown())).min(1), z.object({ keys: z.array(z.record(z.string(), z.unknown())).min(1) })]).optional(),
 					jwks_uri: z.string().optional(),
 					grant_types: z.array(z.enum([
 						"authorization_code",
@@ -4082,6 +4254,9 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		if (!query.code_challenge || !query.code_challenge_method) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_request", "code_challenge and code_challenge_method must both be provided", query.state, getIssuer(ctx, opts)));
 		if (!["S256"].includes(query.code_challenge_method)) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method, only S256 is supported", query.state, getIssuer(ctx, opts)));
 	}
+	const resource = query.resource;
+	if (!(await checkResource(ctx, opts, resource, requestedScopes)).success) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_target", "requested resource invalid", query.state, getIssuer(ctx, opts)));
+	const requestedResources = toResourceList(resource) ?? [];
 	const session = await getSessionFromCtx(ctx);
 	if (!session || promptSet?.has("login") || promptSet?.has("create")) {
 		if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "login_required", "authentication required");
@@ -4134,7 +4309,8 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		userId: session.user.id,
 		sessionId: session.session.id,
 		authTime: new Date(session.session.createdAt).getTime(),
-		referenceId
+		referenceId,
+		resource: requestedResources
 	});
 	const consent = await ctx.context.adapter.findOne({
 		model: "oauthConsent",
@@ -4157,13 +4333,19 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "consent_required", "End-User consent is required");
 		return redirectWithPromptCode(ctx, opts, "consent", { sessionId: session.session.id });
 	}
+	const consentedResources = consent?.resources ?? [];
+	if (requestedResources.some((requestedResource) => !consentedResources.includes(requestedResource))) {
+		if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "consent_required", "End-User consent is required");
+		return redirectWithPromptCode(ctx, opts, "consent", { sessionId: session.session.id });
+	}
 	return redirectWithAuthorizationCode(ctx, opts, {
 		query,
 		clientId: client.clientId,
 		userId: session.user.id,
 		sessionId: session.session.id,
 		authTime: new Date(session.session.createdAt).getTime(),
-		referenceId
+		referenceId,
+		resource: requestedResources
 	});
 }
 function serializeAuthorizationQuery(query) {
@@ -4189,7 +4371,8 @@ async function redirectWithAuthorizationCode(ctx, opts, verificationValue) {
 			userId: verificationValue.userId,
 			sessionId: verificationValue?.sessionId,
 			referenceId: verificationValue.referenceId,
-			authTime: verificationValue.authTime
+			authTime: verificationValue.authTime,
+			resource: verificationValue.resource
 		})
 	};
 	await ctx.context.internalAdapter.createVerificationValue({
@@ -4235,7 +4418,7 @@ function authServerMetadata(ctx, opts, overrides) {
 		authorization_endpoint: `${baseURL}/oauth2/authorize`,
 		token_endpoint: `${baseURL}/oauth2/token`,
 		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}${opts?.jwks?.jwksPath ?? "/jwks"}`,
-		registration_endpoint: `${baseURL}/oauth2/register`,
+		registration_endpoint: overrides?.dynamic_client_registration_supported ? `${baseURL}/oauth2/register` : void 0,
 		introspection_endpoint: `${baseURL}/oauth2/introspect`,
 		revocation_endpoint: `${baseURL}/oauth2/revoke`,
 		response_types_supported: overrides?.grant_types_supported && !overrides.grant_types_supported.includes("authorization_code") ? [] : ["code"],
@@ -4251,19 +4434,19 @@ function authServerMetadata(ctx, opts, overrides) {
 			"client_secret_post",
 			"private_key_jwt"
 		],
-		token_endpoint_auth_signing_alg_values_supported: [...ASSERTION_SIGNING_ALGORITHMS],
+		token_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
 		introspection_endpoint_auth_methods_supported: [
 			"client_secret_basic",
 			"client_secret_post",
 			"private_key_jwt"
 		],
-		introspection_endpoint_auth_signing_alg_values_supported: [...ASSERTION_SIGNING_ALGORITHMS],
+		introspection_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
 		revocation_endpoint_auth_methods_supported: [
 			"client_secret_basic",
 			"client_secret_post",
 			"private_key_jwt"
 		],
-		revocation_endpoint_auth_signing_alg_values_supported: [...ASSERTION_SIGNING_ALGORITHMS],
+		revocation_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
 		code_challenge_methods_supported: ["S256"],
 		authorization_response_iss_parameter_supported: true
 	};
@@ -4274,6 +4457,7 @@ function oidcServerMetadata(ctx, opts) {
 	return {
 		...authServerMetadata(ctx, jwtPluginOptions, {
 			scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+			dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
 			public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
 			grant_types_supported: opts.grantTypes,
 			jwt_disabled: opts.disableJwtPlugin