@better-auth/oauth-provider 1.7.0-beta.3 → 1.7.0-beta.5

package/dist/index.mjs

@@ -1,11 +1,11 @@
-import { n as isPrivateHostname } from "./client-assertion-BYtMWGCE.mjs";
+import { n as isPrivateHostname } from "./client-assertion-DmT1B6_6.mjs";
 import { n as mcpHandler } from "./mcp-CYnz-MXn.mjs";
-import { C as validateClientCredentials, S as toClientDiscoveryArray, _ as resolveSubjectIdentifier, a as getJwtPlugin, b as storeClientSecret, c as getStoredToken, d as normalizeTimestampValue, f as parseClientMetadata, g as resolveSessionAuthTime, h as removePromptFromQuery, i as getClient, l as isPKCERequired, m as postLoginClearedParam, n as destructureCredentials, p as parsePrompt, r as extractClientCredentials, s as getSignedQueryIssuedAt, t as decryptStoredClientSecret, u as mergeDiscoveryMetadata, v as searchParamsToQuery, w as verifyOAuthQueryParams, x as storeToken, y as signedQueryIssuedAtParam } from "./utils-_Jr_enAe.mjs";
-import { t as PACKAGE_VERSION } from "./version-CG1YnCiF.mjs";
-import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
+import { A as verifyOAuthQueryParams, C as signedQueryIssuedAtParam, D as toClientDiscoveryArray, E as toAudienceClaim, O as toResourceList, S as searchParamsToQuery, T as storeToken, _ as postLoginClearedParam, a as extractClientCredentials, b as resolveSessionAuthTime, d as isPKCERequired, f as isSessionFreshForSignedQuery, g as parsePrompt, h as parseClientMetadata, i as destructureCredentials, k as validateClientCredentials, l as getSignedQueryIssuedAt, m as normalizeTimestampValue, n as clientAllowsGrant, o as getClient, p as mergeDiscoveryMetadata, r as decryptStoredClientSecret, s as getJwtPlugin, t as checkResource, u as getStoredToken, v as removeMaxAgeFromQuery, w as storeClientSecret, x as resolveSubjectIdentifier, y as removePromptFromQuery } from "./utils-D2dLqo7f.mjs";
+import { t as PACKAGE_VERSION } from "./version-B1ZiRmxj.mjs";
+import { APIError, addOAuthServerContext, createAuthEndpoint, createAuthMiddleware, dispatchAuthEndpoint, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
-import { ASSERTION_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
+import { PRIVATE_KEY_JWT_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
 import { isBrowserFetchRequest } from "@better-auth/core/utils/fetch-metadata";
 import { isLoopbackHost, isLoopbackIP } from "@better-auth/core/utils/host";
 import { generateRandomString, makeSignature } from "better-auth/crypto";
@@ -17,8 +17,9 @@ import { mergeSchema } from "better-auth/db";
 import * as z from "zod";
 import { resolveSigningKey, signJWT, toExpJWT } from "better-auth/plugins";
 import { SignJWT, base64url, compactVerify, createLocalJWKSet, decodeJwt, decodeProtectedHeader } from "jose";
+import { SafeUrlSchema } from "@better-auth/core/utils/redirect-uri";
 //#region src/consent.ts
-async function consentEndpoint(ctx, opts) {
+async function consentEndpoint(ctx, opts, authorize) {
 	const oauthRequest = await oAuthState.get();
 	const _query = oauthRequest?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
@@ -45,15 +46,11 @@ async function consentEndpoint(ctx, opts) {
 	};
 	const session = await getSessionFromCtx(ctx);
 	const hasLoginPrompt = parsePrompt(query.get("prompt") ?? "").has("login");
-	const hasSatisfiedLoginPrompt = hasLoginPrompt && sessionSatisfiesLoginPrompt(session?.session.createdAt, oauthRequest?.signedQueryIssuedAt);
+	const hasSatisfiedLoginPrompt = hasLoginPrompt && isSessionFreshForSignedQuery(session?.session.createdAt, oauthRequest?.signedQueryIssuedAt);
 	if (hasLoginPrompt && !hasSatisfiedLoginPrompt) {
 		ctx?.headers?.set("accept", "application/json");
 		ctx.query = searchParamsToQuery(query);
-		const { url } = await authorizeEndpoint(ctx, opts);
-		return {
-			redirect: true,
-			url
-		};
+		return await authorize(ctx);
 	}
 	const referenceId = await opts.postLogin?.consentReferenceId?.({
 		user: session?.user,
@@ -78,12 +75,14 @@ async function consentEndpoint(ctx, opts) {
 		]
 	});
 	const iat = Math.floor(Date.now() / 1e3);
+	const resource = query.getAll("resource");
 	const consent = {
 		clientId,
 		userId: session?.user.id,
 		scopes: requestedScopes ?? originalRequestedScopes,
 		createdAt: /* @__PURE__ */ new Date(iat * 1e3),
 		updatedAt: /* @__PURE__ */ new Date(iat * 1e3),
+		resources: resource.length ? resource : void 0,
 		referenceId
 	};
 	foundConsent?.id ? await ctx.context.adapter.update({
@@ -93,6 +92,7 @@ async function consentEndpoint(ctx, opts) {
 			value: foundConsent.id
 		}],
 		update: {
+			resources: consent.resources,
 			scopes: consent.scopes,
 			updatedAt: /* @__PURE__ */ new Date(iat * 1e3)
 		}
@@ -106,32 +106,25 @@ async function consentEndpoint(ctx, opts) {
 	if (requestedScopes) query.set("scope", consent.scopes.join(" "));
 	ctx?.headers?.set("accept", "application/json");
 	let authorizationQuery = removePromptFromQuery(query, "consent");
-	if (hasSatisfiedLoginPrompt) authorizationQuery = removePromptFromQuery(authorizationQuery, "login");
+	if (hasSatisfiedLoginPrompt) {
+		authorizationQuery = removePromptFromQuery(authorizationQuery, "login");
+		authorizationQuery = removeMaxAgeFromQuery(authorizationQuery);
+	}
 	ctx.query = searchParamsToQuery(authorizationQuery);
-	const { url } = await authorizeEndpoint(ctx, opts, { postLogin: oauthRequest?.postLoginClearedForSession !== void 0 && oauthRequest.postLoginClearedForSession === session?.session.id });
-	return {
-		redirect: true,
-		url
-	};
-}
-function sessionSatisfiesLoginPrompt(sessionCreatedAt, signedQueryIssuedAt) {
-	if (!signedQueryIssuedAt) return false;
-	const normalized = normalizeTimestampValue(sessionCreatedAt);
-	if (!normalized) return false;
-	return normalized.getTime() >= signedQueryIssuedAt.getTime();
+	return await authorize(ctx, { postLogin: oauthRequest?.postLoginClearedForSession !== void 0 && oauthRequest.postLoginClearedForSession === session?.session.id });
 }
 //#endregion
 //#region src/continue.ts
-async function continueEndpoint(ctx, opts) {
-	if (ctx.body.selected === true) return await selected(ctx, opts);
-	else if (ctx.body.created === true) return await created(ctx, opts);
-	else if (ctx.body.postLogin === true) return await postLogin(ctx, opts);
+async function continueEndpoint(ctx, authorize) {
+	if (ctx.body.selected === true) return await selected(ctx, authorize);
+	else if (ctx.body.created === true) return await created(ctx, authorize);
+	else if (ctx.body.postLogin === true) return await postLogin(ctx, authorize);
 	else throw new APIError("BAD_REQUEST", {
 		error_description: "Missing parameters",
 		error: "invalid_request"
 	});
 }
-async function selected(ctx, opts) {
+async function selected(ctx, authorize) {
 	const _query = (await oAuthState.get())?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
@@ -139,13 +132,9 @@ async function selected(ctx, opts) {
 	});
 	ctx.headers?.set("accept", "application/json");
 	ctx.query = searchParamsToQuery(removePromptFromQuery(new URLSearchParams(_query), "select_account"));
-	const { url } = await authorizeEndpoint(ctx, opts);
-	return {
-		redirect: true,
-		url
-	};
+	return await authorize(ctx);
 }
-async function created(ctx, opts) {
+async function created(ctx, authorize) {
 	const _query = (await oAuthState.get())?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
@@ -154,14 +143,11 @@ async function created(ctx, opts) {
 	const query = new URLSearchParams(_query);
 	ctx.headers?.set("accept", "application/json");
 	ctx.query = searchParamsToQuery(removePromptFromQuery(query, "create"));
-	const { url } = await authorizeEndpoint(ctx, opts);
-	return {
-		redirect: true,
-		url
-	};
+	return await authorize(ctx);
 }
-async function postLogin(ctx, opts) {
-	const _query = (await oAuthState.get())?.query;
+async function postLogin(ctx, authorize) {
+	const state = await oAuthState.get();
+	const _query = state?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
 		error: "invalid_request"
@@ -169,11 +155,8 @@ async function postLogin(ctx, opts) {
 	const query = new URLSearchParams(_query);
 	ctx.headers?.set("accept", "application/json");
 	ctx.query = searchParamsToQuery(query);
-	const { url } = await authorizeEndpoint(ctx, opts, { postLogin: true });
-	return {
-		redirect: true,
-		url
-	};
+	const session = await getSessionFromCtx(ctx);
+	return await authorize(ctx, { postLogin: state?.postLoginClearedForSession !== void 0 && state.postLoginClearedForSession === session?.session.id });
 }
 //#endregion
 //#region src/types/zod.ts
@@ -183,27 +166,101 @@ const DANGEROUS_SCHEMES = [
 	"vbscript:"
 ];
 /**
+* Validates an RFC 8707 resource indicator. The value must be an absolute URI
+* with no fragment (RFC 8707 §2). Unlike a redirect URI it is not restricted to
+* HTTPS, because a resource server identifier may use any absolute URI scheme;
+* the configured `validAudiences` allowlist is the authoritative control over
+* which resources a token may target.
+*/
+const ResourceUriSchema = z.string().superRefine((val, ctx) => {
+	if (!URL.canParse(val)) {
+		ctx.addIssue({
+			code: "custom",
+			message: "resource must be an absolute URI",
+			fatal: true
+		});
+		return z.NEVER;
+	}
+	if (val.includes("#")) {
+		ctx.addIssue({
+			code: "custom",
+			message: "resource must not contain a fragment"
+		});
+		return;
+	}
+	if (DANGEROUS_SCHEMES.includes(new URL(val).protocol)) ctx.addIssue({
+		code: "custom",
+		message: "resource cannot use javascript:, data:, or vbscript: scheme"
+	});
+});
+const authorizationPromptTokenSchema = z.enum([
+	"none",
+	"consent",
+	"login",
+	"create",
+	"select_account"
+]);
+const authorizationPromptSchema = z.string().superRefine((value, ctx) => {
+	const promptTokens = value.split(" ").map((token) => token.trim()).filter(Boolean);
+	const promptSet = /* @__PURE__ */ new Set();
+	if (!promptTokens.length) {
+		ctx.addIssue({
+			code: "custom",
+			message: "prompt must include at least one value"
+		});
+		return;
+	}
+	for (const token of promptTokens) {
+		const result = authorizationPromptTokenSchema.safeParse(token);
+		if (!result.success) {
+			ctx.addIssue({
+				code: "custom",
+				message: `unsupported prompt value: ${token}`
+			});
+			continue;
+		}
+		promptSet.add(result.data);
+	}
+	if (promptSet.has("none") && promptSet.size > 1) ctx.addIssue({
+		code: "custom",
+		message: "prompt=none cannot be combined with other prompt values"
+	});
+});
+const maxAgeSchema = z.union([z.number(), z.string().trim().min(1)]).transform((value, ctx) => {
+	const maxAge = typeof value === "number" ? value : Number(value);
+	if (!Number.isInteger(maxAge) || maxAge < 0) {
+		ctx.addIssue({
+			code: "custom",
+			message: "max_age must be a non-negative integer"
+		});
+		return z.NEVER;
+	}
+	return maxAge;
+});
+/**
 * Runtime schema for OAuthAuthorizationQuery.
 * Uses passthrough to tolerate fields added by future extensions (PAR, FPA, etc.)
 */
-const oauthAuthorizationQuerySchema = z.object({
-	response_type: z.literal("code").optional(),
+const authorizationQuerySchema = z.object({
+	response_type: z.string().pipe(z.enum(["code"])).optional(),
 	request_uri: z.string().optional(),
-	redirect_uri: z.string(),
+	redirect_uri: SafeUrlSchema.optional(),
 	scope: z.string().optional(),
 	state: z.string().optional(),
 	client_id: z.string(),
-	prompt: z.string().optional(),
+	prompt: authorizationPromptSchema.optional(),
 	display: z.string().optional(),
 	ui_locales: z.string().optional(),
-	max_age: z.coerce.number().optional(),
+	max_age: maxAgeSchema.optional(),
 	acr_values: z.string().optional(),
 	login_hint: z.string().optional(),
 	id_token_hint: z.string().optional(),
 	code_challenge: z.string().optional(),
-	code_challenge_method: z.literal("S256").optional(),
-	nonce: z.string().optional()
+	code_challenge_method: z.string().pipe(z.enum(["S256"])).optional(),
+	nonce: z.string().optional(),
+	resource: z.union([ResourceUriSchema, z.array(ResourceUriSchema).min(1)]).optional()
 }).passthrough();
+const storedAuthorizationQuerySchema = authorizationQuerySchema.extend({ redirect_uri: SafeUrlSchema });
 /**
 * Runtime schema for the authorization code verification value.
 * Validates structure on deserialization from the JSON blob stored in the DB.
@@ -211,40 +268,13 @@ const oauthAuthorizationQuerySchema = z.object({
 */
 const verificationValueSchema = z.object({
 	type: z.literal("authorization_code"),
-	query: oauthAuthorizationQuerySchema,
+	query: storedAuthorizationQuerySchema,
 	sessionId: z.string(),
 	userId: z.string(),
 	referenceId: z.string().optional(),
-	authTime: z.number().optional()
+	authTime: z.number().optional(),
+	resource: z.array(z.string()).optional()
 }).passthrough();
-/**
-* Reusable URL validation for OAuth redirect URIs.
-* - Blocks dangerous schemes (javascript:, data:, vbscript:)
-* - For http/https: requires HTTPS (HTTP allowed only for loopback hosts: 127.0.0.0/8, [::1], *.localhost per RFC 6761)
-* - Allows custom schemes for mobile apps (e.g., myapp://callback)
-*/
-const SafeUrlSchema = z.url().superRefine((val, ctx) => {
-	if (!URL.canParse(val)) {
-		ctx.addIssue({
-			code: "custom",
-			message: "URL must be parseable",
-			fatal: true
-		});
-		return z.NEVER;
-	}
-	const u = new URL(val);
-	if (DANGEROUS_SCHEMES.includes(u.protocol)) {
-		ctx.addIssue({
-			code: "custom",
-			message: "URL cannot use javascript:, data:, or vbscript: scheme"
-		});
-		return;
-	}
-	if (u.protocol === "http:" && !isLoopbackHost(u.host)) ctx.addIssue({
-		code: "custom",
-		message: "Redirect URI must use HTTPS (HTTP allowed only for loopback hosts)"
-	});
-});
 //#endregion
 //#region src/userinfo.ts
 /**
@@ -281,6 +311,10 @@ async function userInfoEndpoint(ctx, opts) {
 		error: "invalid_request"
 	});
 	const jwt = await validateAccessToken(ctx, opts, token);
+	if (!jwt.active) throw new APIError("UNAUTHORIZED", {
+		error_description: "the access token is invalid or has been revoked",
+		error: "invalid_token"
+	});
 	const scopes = jwt.scope?.split(" ");
 	if (!scopes?.includes("openid")) throw new APIError("BAD_REQUEST", {
 		error_description: "Missing required scope",
@@ -331,13 +365,13 @@ async function tokenEndpoint(ctx, opts) {
 		case "refresh_token": return handleRefreshTokenGrant(ctx, opts);
 	}
 }
-async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, referenceId, overrides) {
+async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, resources, referenceId, overrides) {
 	const iat = overrides?.iat ?? Math.floor(Date.now() / 1e3);
 	const exp = overrides?.exp ?? iat + (opts.accessTokenExpiresIn ?? 3600);
 	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
 		user,
 		scopes,
-		resource: ctx.body.resource,
+		resources,
 		referenceId,
 		metadata: parseClientMetadata(client.metadata)
 	}) : {};
@@ -347,7 +381,7 @@ async function createJwtAccessToken(ctx, opts, user, client, audience, scopes, r
 		payload: {
 			...customClaims,
 			sub: user?.id,
-			aud: typeof audience === "string" ? audience : audience?.length === 1 ? audience.at(0) : audience,
+			aud: toAudienceClaim(audience),
 			azp: client.clientId,
 			scope: scopes.join(" "),
 			sid: overrides?.sid,
@@ -390,6 +424,7 @@ async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId,
 	const resolvedKey = !opts.disableJwtPlugin && !jwtPluginOptions?.jwt?.sign ? await resolveSigningKey(ctx, jwtPluginOptions) : void 0;
 	const signingAlg = opts.disableJwtPlugin ? "HS256" : resolvedKey?.alg ?? jwtPluginOptions?.jwks?.keyPairConfig?.alg;
 	const atHash = accessToken ? await computeOidcHash(accessToken, signingAlg) : void 0;
+	const emitSid = Boolean(client.enableEndSession || client.backchannelLogoutUri);
 	const payload = {
 		...userClaims,
 		auth_time: authTimeSec,
@@ -402,7 +437,7 @@ async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId,
 		nonce,
 		iat,
 		exp,
-		sid: client.enableEndSession ? sessionId : void 0
+		sid: emitSid ? sessionId : void 0
 	};
 	if (opts.disableJwtPlugin && !client.clientSecret) return;
 	const idToken = opts.disableJwtPlugin ? await new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).sign(new TextEncoder().encode(await decryptStoredClientSecret(ctx, opts.storeClientSecret, client.clientSecret))) : await signJWT(ctx, {
@@ -438,7 +473,7 @@ async function decodeRefreshToken(opts, token) {
 	});
 	return opts.formatRefreshToken?.decrypt ? opts.formatRefreshToken?.decrypt(token) : { token };
 }
-async function createOpaqueAccessToken(ctx, opts, user, client, scopes, payload, referenceId, refreshId) {
+async function createOpaqueAccessToken(ctx, opts, user, client, scopes, payload, resources, referenceId, refreshId) {
 	const iat = payload.iat ?? Math.floor(Date.now() / 1e3);
 	const exp = payload?.exp ?? iat + (opts.accessTokenExpiresIn ?? 3600);
 	const token = opts.generateOpaqueAccessToken ? await opts.generateOpaqueAccessToken() : generateRandomString(32, "A-Z", "a-z");
@@ -450,6 +485,7 @@ async function createOpaqueAccessToken(ctx, opts, user, client, scopes, payload,
 			sessionId: payload?.sid,
 			userId: user?.id,
 			referenceId,
+			resources,
 			refreshId,
 			scopes,
 			createdAt: /* @__PURE__ */ new Date(iat * 1e3),
@@ -458,54 +494,100 @@ async function createOpaqueAccessToken(ctx, opts, user, client, scopes, payload,
 	});
 	return (opts.prefix?.opaqueAccessToken ?? "") + token;
 }
-async function createRefreshToken(ctx, opts, user, referenceId, client, scopes, payload, originalRefresh, authTime) {
+/**
+* Tear down the entire refresh-token family for a (client, user) pair, plus
+* any access tokens that reference those refresh rows, per RFC 9700 §4.14.
+* Access tokens are deleted first so the parent rows' foreign-key children
+* do not block the refresh-row delete.
+*
+* TODO(invalidate-family-race): the two `deleteMany` calls are not atomic
+* with respect to each other. Between them, a concurrent rotation in a
+* different worker can `create` a fresh refresh row (and, immediately after,
+* an access-token row referencing it) for the same (client, user) pair,
+* leaving the family partially rebuilt and the new refresh row orphaned of
+* any deletion. Closing this window requires the same transactional adapter
+* contract tracked under FIXME(strict-family-invalidation) in
+* `createRefreshToken`.
+*
+* @internal
+*/
+async function invalidateRefreshFamily(ctx, clientId, userId) {
+	const refreshTokens = await ctx.context.adapter.findMany({
+		model: "oauthRefreshToken",
+		where: [{
+			field: "clientId",
+			value: clientId
+		}, {
+			field: "userId",
+			value: userId
+		}]
+	});
+	if (refreshTokens.length) await ctx.context.adapter.deleteMany({
+		model: "oauthAccessToken",
+		where: [{
+			field: "refreshId",
+			operator: "in",
+			value: refreshTokens.map((r) => r.id)
+		}]
+	});
+	await ctx.context.adapter.deleteMany({
+		model: "oauthRefreshToken",
+		where: [{
+			field: "clientId",
+			value: clientId
+		}, {
+			field: "userId",
+			value: userId
+		}]
+	});
+}
+async function createRefreshToken(ctx, opts, user, referenceId, client, scopes, payload, originalRefresh, authTime, resources) {
 	const iat = payload.iat ?? Math.floor(Date.now() / 1e3);
 	const exp = payload?.exp ?? iat + (opts.refreshTokenExpiresIn ?? 2592e3);
 	const token = opts.generateRefreshToken ? await opts.generateRefreshToken() : generateRandomString(32, "A-Z", "a-z");
 	const sessionId = payload?.sid;
-	if (originalRefresh?.id) await ctx.context.adapter.update({
+	const newRow = {
+		token: await storeToken(opts.storeTokens, token, "refresh_token"),
+		clientId: client.clientId,
+		sessionId,
+		userId: user.id,
+		referenceId,
+		authTime,
+		scopes,
+		resources,
+		createdAt: /* @__PURE__ */ new Date(iat * 1e3),
+		expiresAt: /* @__PURE__ */ new Date(exp * 1e3)
+	};
+	if (!originalRefresh?.id) return {
+		id: (await ctx.context.adapter.create({
+			model: "oauthRefreshToken",
+			data: newRow
+		})).id,
+		token: await encodeRefreshToken(opts, token, sessionId)
+	};
+	if (!await ctx.context.adapter.update({
 		model: "oauthRefreshToken",
 		where: [{
 			field: "id",
 			value: originalRefresh.id
+		}, {
+			field: "revoked",
+			operator: "eq",
+			value: null
 		}],
 		update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
+	})) throw new APIError("BAD_REQUEST", {
+		error_description: "invalid refresh token",
+		error: "invalid_grant"
 	});
 	return {
 		id: (await ctx.context.adapter.create({
 			model: "oauthRefreshToken",
-			data: {
-				token: await storeToken(opts.storeTokens, token, "refresh_token"),
-				clientId: client.clientId,
-				sessionId,
-				userId: user.id,
-				referenceId,
-				authTime,
-				scopes,
-				createdAt: /* @__PURE__ */ new Date(iat * 1e3),
-				expiresAt: /* @__PURE__ */ new Date(exp * 1e3)
-			}
+			data: newRow
 		})).id,
 		token: await encodeRefreshToken(opts, token, sessionId)
 	};
 }
-/**
-* Checks the resource parameter, if provided,
-* and returns a valid audience based on the request
-*/
-async function checkResource(ctx, opts, scopes) {
-	const resource = ctx.body.resource;
-	const audience = typeof resource === "string" ? [resource] : resource ? [...resource] : void 0;
-	if (audience) {
-		if (scopes.includes("openid")) audience.push(`${ctx.context.baseURL}/oauth2/userinfo`);
-		const validAudiences = new Set([...opts.validAudiences ?? [ctx.context.baseURL], scopes?.includes("openid") ? `${ctx.context.baseURL}/oauth2/userinfo` : void 0].flat().filter((v) => v?.length));
-		for (const aud of audience) if (!validAudiences.has(aud)) throw new APIError("BAD_REQUEST", {
-			error_description: "requested resource invalid",
-			error: "invalid_request"
-		});
-	}
-	return audience?.length === 1 ? audience.at(0) : audience;
-}
 async function createUserTokens(ctx, opts, params) {
 	const { client, scopes, user, grantType, referenceId, sessionId, nonce, refreshToken: existingRefreshToken, authTime, verificationValue } = params;
 	const iat = Math.floor(Date.now() / 1e3);
@@ -513,8 +595,13 @@ async function createUserTokens(ctx, opts, params) {
 	const exp = opts.scopeExpirations ? scopes.map((sc) => opts.scopeExpirations?.[sc] ? toExpJWT(opts.scopeExpirations[sc], iat) : defaultExp).reduce((prev, curr) => {
 		return prev < curr ? prev : curr;
 	}, defaultExp) : defaultExp;
-	const audience = await checkResource(ctx, opts, scopes);
-	const isRefreshToken = user && (existingRefreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access"));
+	const resourceResult = await checkResource(ctx, opts, params?.resources, scopes);
+	if (!resourceResult.success) throw new APIError("BAD_REQUEST", {
+		error_description: "requested resource invalid",
+		error: "invalid_target"
+	});
+	const audience = resourceResult.audience;
+	const isRefreshToken = user && clientAllowsGrant(client, "refresh_token") && (existingRefreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access"));
 	const isJwtAccessToken = audience && !opts.disableJwtPlugin;
 	const isIdToken = user && scopes.includes("openid");
 	const customFields = opts.customTokenResponseFields ? await opts.customTokenResponseFields({
@@ -524,12 +611,13 @@ async function createUserTokens(ctx, opts, params) {
 		metadata: parseClientMetadata(client.metadata),
 		verificationValue
 	}) : void 0;
+	const refreshResources = params?.refreshToken?.resources ?? params?.originalResources ?? params?.resources;
 	const earlyRefreshToken = isRefreshToken && user && !isJwtAccessToken ? await createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
 		iat,
 		exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
 		sid: sessionId
-	}, existingRefreshToken, authTime) : void 0;
-	const [accessToken, refreshToken] = await Promise.all([isJwtAccessToken ? createJwtAccessToken(ctx, opts, user, client, audience, scopes, referenceId, {
+	}, existingRefreshToken, authTime, refreshResources) : void 0;
+	const [accessToken, refreshToken] = await Promise.all([isJwtAccessToken ? createJwtAccessToken(ctx, opts, user, client, audience, scopes, params?.resources, referenceId, {
 		iat,
 		exp,
 		sid: sessionId
@@ -537,11 +625,11 @@ async function createUserTokens(ctx, opts, params) {
 		iat,
 		exp,
 		sid: sessionId
-	}, referenceId, earlyRefreshToken?.id), earlyRefreshToken ? earlyRefreshToken : isRefreshToken && user ? createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
+	}, params?.resources, referenceId, earlyRefreshToken?.id), earlyRefreshToken ? earlyRefreshToken : isRefreshToken && user ? createRefreshToken(ctx, opts, user, referenceId, client, scopes, {
 		iat,
 		exp: iat + (opts.refreshTokenExpiresIn ?? 2592e3),
 		sid: sessionId
-	}, existingRefreshToken, authTime) : void 0]);
+	}, existingRefreshToken, authTime, refreshResources) : void 0]);
 	const idToken = isIdToken ? await createIdToken(ctx, opts, user, client, scopes, nonce, sessionId, authTime, accessToken) : void 0;
 	return ctx.json({
 		...customFields,
@@ -558,16 +646,11 @@ async function createUserTokens(ctx, opts, params) {
 	} });
 }
 /** Checks verification value */
-async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri) {
-	const verification = await ctx.context.internalAdapter.findVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
+async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri, resource) {
+	const verification = await ctx.context.internalAdapter.consumeVerificationValue(await storeToken(opts.storeTokens, code, "authorization_code"));
 	if (!verification) throw new APIError("UNAUTHORIZED", {
-		error_description: "Invalid code",
-		error: "invalid_verification"
-	});
-	await ctx.context.internalAdapter.deleteVerificationByIdentifier(await storeToken(opts.storeTokens, code, "authorization_code"));
-	if (!verification.expiresAt || verification.expiresAt < /* @__PURE__ */ new Date()) throw new APIError("UNAUTHORIZED", {
-		error_description: "code expired",
-		error: "invalid_verification"
+		error_description: "invalid code",
+		error: "invalid_grant"
 	});
 	let rawValue;
 	try {
@@ -575,13 +658,13 @@ async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri)
 	} catch {
 		throw new APIError("UNAUTHORIZED", {
 			error_description: "malformed verification value",
-			error: "invalid_verification"
+			error: "invalid_grant"
 		});
 	}
 	const parsed = verificationValueSchema.safeParse(rawValue);
 	if (!parsed.success) throw new APIError("UNAUTHORIZED", {
 		error_description: "malformed verification value",
-		error: "invalid_verification"
+		error: "invalid_grant"
 	});
 	const verificationValue = parsed.data;
 	if (verificationValue.query.client_id !== client_id) throw new APIError("UNAUTHORIZED", {
@@ -592,14 +675,29 @@ async function checkVerificationValue(ctx, opts, code, client_id, redirect_uri)
 		error_description: "redirect_uri mismatch",
 		error: "invalid_request"
 	});
-	return verificationValue;
+	const storedResources = toResourceList(verificationValue.resource) ?? toResourceList(verificationValue.query.resource);
+	const effectiveResources = resource ?? storedResources;
+	if (resource && storedResources) {
+		const requestedSet = new Set(resource);
+		const authorizedSet = new Set(storedResources);
+		for (const r of requestedSet) if (!authorizedSet.has(r)) throw new APIError("BAD_REQUEST", {
+			error_description: "requested resource not authorized",
+			error: "invalid_target"
+		});
+	}
+	return {
+		verificationValue,
+		effectiveResources,
+		authorizedResources: storedResources
+	};
 }
 /**
 * Obtains new Session Jwt and Refresh Tokens using a code
 */
 async function handleAuthorizationCodeGrant(ctx, opts) {
 	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
-	const { code, code_verifier, redirect_uri } = ctx.body;
+	const { code, code_verifier, redirect_uri, resource } = ctx.body;
+	const resources = toResourceList(resource);
 	if (!client_id) throw new APIError("BAD_REQUEST", {
 		error_description: "client_id is required",
 		error: "invalid_request"
@@ -619,14 +717,14 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 		error: "invalid_request"
 	});
 	/** Get and check Verification Value */
-	const verificationValue = await checkVerificationValue(ctx, opts, code, client_id, redirect_uri);
+	const { verificationValue, effectiveResources, authorizedResources } = await checkVerificationValue(ctx, opts, code, client_id, redirect_uri, resources);
 	const scopes = verificationValue.query.scope?.split(" ");
 	if (!scopes) throw new APIError("INTERNAL_SERVER_ERROR", {
 		error_description: "verification scope unset",
 		error: "invalid_scope"
 	});
 	/** Verify Client */
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, scopes, preVerifiedClient);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, scopes, preVerifiedClient, "authorization_code");
 	if (isPKCERequired(client, (verificationValue.query?.scope)?.split(" ") || [])) {
 		if (!isAuthCodeWithPkce) throw new APIError("BAD_REQUEST", {
 			error_description: "PKCE is required for this client",
@@ -684,7 +782,9 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 		sessionId: session.id,
 		nonce: verificationValue.query?.nonce,
 		authTime,
-		verificationValue
+		verificationValue,
+		resources: effectiveResources,
+		originalResources: authorizedResources
 	});
 }
 /**
@@ -695,7 +795,8 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 */
 async function handleClientCredentialsGrant(ctx, opts) {
 	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
-	const { scope } = ctx.body;
+	const { scope, resource } = ctx.body;
+	const resources = toResourceList(resource);
 	if (!client_id) throw new APIError("BAD_REQUEST", {
 		error_description: "Missing required client_id",
 		error: "invalid_grant"
@@ -704,7 +805,7 @@ async function handleClientCredentialsGrant(ctx, opts) {
 		error_description: "Missing a required client_secret",
 		error: "invalid_grant"
 	});
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, preVerifiedClient);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, preVerifiedClient, "client_credentials");
 	let requestedScopes = scope?.split(" ");
 	if (requestedScopes) {
 		const validScopes = new Set(client.scopes ?? opts.scopes);
@@ -726,7 +827,8 @@ async function handleClientCredentialsGrant(ctx, opts) {
 	return createUserTokens(ctx, opts, {
 		client,
 		scopes: requestedScopes,
-		grantType: "client_credentials"
+		grantType: "client_credentials",
+		resources
 	});
 }
 /**
@@ -737,7 +839,8 @@ async function handleClientCredentialsGrant(ctx, opts) {
 */
 async function handleRefreshTokenGrant(ctx, opts) {
 	const { clientId: client_id, clientSecret: client_secret, preVerifiedClient } = destructureCredentials(await extractClientCredentials(ctx, opts, `${ctx.context.baseURL}/oauth2/token`));
-	const { refresh_token, scope } = ctx.body;
+	const { refresh_token, scope, resource } = ctx.body;
+	const resources = toResourceList(resource);
 	if (!client_id) throw new APIError("BAD_REQUEST", {
 		error_description: "Missing required client_id",
 		error: "invalid_grant"
@@ -767,21 +870,16 @@ async function handleRefreshTokenGrant(ctx, opts) {
 		error: "invalid_grant"
 	});
 	if (refreshToken.revoked) {
-		await ctx.context.adapter.deleteMany({
-			model: "oauthRefreshToken",
-			where: [{
-				field: "clientId",
-				value: client_id
-			}, {
-				field: "userId",
-				value: refreshToken.userId
-			}]
-		});
+		await invalidateRefreshFamily(ctx, client_id, refreshToken.userId);
 		throw new APIError("BAD_REQUEST", {
 			error_description: "invalid refresh token",
 			error: "invalid_grant"
 		});
 	}
+	if (resources && refreshToken.resources && !resources.every((v) => refreshToken.resources?.includes(v))) throw new APIError("BAD_REQUEST", {
+		error_description: "requested resource invalid",
+		error: "invalid_target"
+	});
 	const scopes = refreshToken?.scopes;
 	const requestedScopes = scope?.split(" ");
 	if (requestedScopes) {
@@ -791,7 +889,7 @@ async function handleRefreshTokenGrant(ctx, opts) {
 			error: "invalid_scope"
 		});
 	}
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, requestedScopes ?? scopes, preVerifiedClient);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, requestedScopes ?? scopes, preVerifiedClient, "refresh_token");
 	const user = await ctx.context.internalAdapter.findUserById(refreshToken.userId);
 	if (!user) throw new APIError("BAD_REQUEST", {
 		error_description: "user not found",
@@ -806,6 +904,7 @@ async function handleRefreshTokenGrant(ctx, opts) {
 		referenceId: refreshToken.referenceId,
 		sessionId: refreshToken.sessionId,
 		refreshToken,
+		resources: resources ?? refreshToken.resources,
 		authTime
 	});
 }
@@ -849,12 +948,10 @@ async function validateJwtAccessToken(ctx, opts, token, clientId) {
 		}
 		throw new Error(error);
 	}
-	let client;
-	if (jwtPayload.azp) {
-		client = await getClient(ctx, opts, jwtPayload.azp);
-		if (!client || client?.disabled) return { active: false };
-		if (clientId && jwtPayload.azp !== clientId) return { active: false };
-	}
+	if (!jwtPayload.azp) return { active: false };
+	const client = await getClient(ctx, opts, jwtPayload.azp);
+	if (!client || client?.disabled) return { active: false };
+	if (clientId && jwtPayload.azp !== clientId) return { active: false };
 	const sessionId = jwtPayload.sid;
 	if (sessionId) {
 		const session = await ctx.context.adapter.findOne({
@@ -864,9 +961,9 @@ async function validateJwtAccessToken(ctx, opts, token, clientId) {
 				value: sessionId
 			}]
 		});
-		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) jwtPayload.sid = void 0;
+		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) return { active: false };
 	}
-	if (jwtPayload.azp) jwtPayload.client_id = jwtPayload.azp;
+	jwtPayload.client_id = jwtPayload.azp;
 	jwtPayload.active = true;
 	return jwtPayload;
 }
@@ -894,13 +991,14 @@ async function validateOpaqueAccessToken(ctx, opts, token, clientId) {
 		error: "invalid_token"
 	});
 	if (!accessToken.expiresAt || accessToken.expiresAt < /* @__PURE__ */ new Date()) return { active: false };
+	if (accessToken.revoked) return { active: false };
 	let client;
 	if (accessToken.clientId) {
 		client = await getClient(ctx, opts, accessToken.clientId);
 		if (!client || client?.disabled) return { active: false };
 		if (clientId && accessToken.clientId !== clientId) return { active: false };
 	}
-	let sessionId = accessToken.sessionId ?? void 0;
+	const sessionId = accessToken.sessionId ?? void 0;
 	if (sessionId) {
 		const session = await ctx.context.adapter.findOne({
 			model: "session",
@@ -909,14 +1007,21 @@ async function validateOpaqueAccessToken(ctx, opts, token, clientId) {
 				value: sessionId
 			}]
 		});
-		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) sessionId = void 0;
+		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) return { active: false };
 	}
 	let user;
 	if (accessToken.userId) user = await ctx.context.internalAdapter.findUserById(accessToken?.userId);
+	const resources = Array.isArray(accessToken.resources) ? accessToken.resources : void 0;
+	const audience = resources ? [...resources] : void 0;
+	if (audience?.length && accessToken.scopes?.includes("openid")) {
+		const userInfoEndpoint = `${ctx.context.baseURL}/oauth2/userinfo`;
+		if (!audience.includes(userInfoEndpoint)) audience.push(userInfoEndpoint);
+	}
 	const customClaims = opts.customAccessTokenClaims ? await opts.customAccessTokenClaims({
 		user,
 		scopes: accessToken.scopes,
 		referenceId: accessToken?.referenceId,
+		resources,
 		metadata: parseClientMetadata(client?.metadata)
 	}) : {};
 	const jwtPluginOptions = (opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context))?.options;
@@ -924,6 +1029,7 @@ async function validateOpaqueAccessToken(ctx, opts, token, clientId) {
 		...customClaims,
 		active: true,
 		iss: jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL,
+		aud: toAudienceClaim(audience),
 		client_id: accessToken.clientId,
 		sub: user?.id,
 		sid: sessionId,
@@ -1067,9 +1173,173 @@ async function introspectEndpoint(ctx, opts) {
 }
 //#endregion
 //#region src/logout.ts
+const BACKCHANNEL_LOGOUT_EVENT_URI = "http://schemas.openid.net/event/backchannel-logout";
+const LOGOUT_TOKEN_JWT_TYP = "logout+jwt";
+const LOGOUT_TOKEN_LIFETIME_SECONDS = 120;
+const BACKCHANNEL_DISPATCH_TIMEOUT_MS = 5e3;
 /**
-* IMPORTANT NOTES:
-* Follows OIDC RP-Initiated Logout
+* Signs a Back-Channel Logout Token per OIDC Back-Channel Logout 1.0 §2.4.
+*
+* The token reuses the ID Token signing key so any RP that validates ID Tokens
+* from this OP can validate Logout Tokens without extra configuration. The
+* caller resolves that key once and passes it in so a fan-out to many RPs does
+* not re-read it per target.
+*
+* §2.4 mandates `iss`, `aud`, `iat`, `exp`, `jti`, `events`, and at least one
+* of `sub` / `sid` (we send both). A `nonce` claim MUST NOT be present, and
+* `alg: none` is forbidden (§2.6).
+*/
+async function signLogoutToken(ctx, options, resolvedKey, claims) {
+	return signJWT(ctx, {
+		options,
+		payload: {
+			...claims,
+			events: { [BACKCHANNEL_LOGOUT_EVENT_URI]: {} }
+		},
+		header: { typ: LOGOUT_TOKEN_JWT_TYP },
+		resolvedKey: resolvedKey ?? void 0
+	});
+}
+/**
+* Synchronous phase: enumerate tokens for the session being terminated, revoke
+* them, and return a plan for the asynchronous delivery phase. Runs inline in
+* the `session.delete.before` hook so the DB state is consistent before the
+* session row disappears.
+*
+* Revocation is the stored backstop, not the primary enforcement: introspection
+* and `/userinfo` already treat a token whose session has ended as inactive
+* (see `validateOpaqueAccessToken` / `validateJwtAccessToken`), so a missed
+* `revoked` write cannot keep a session-bound token alive on its own. Access
+* tokens bound to the session are revoked as OP hardening. Refresh tokens
+* follow OIDC Back-Channel Logout 1.0 §2.7: those without `offline_access` are
+* revoked; `offline_access` refresh tokens survive so long-lived API access can
+* outlive the browser session.
+*
+* Revocation runs regardless of the JWT plugin (refresh-token revocation has no
+* dependency on signing). Only the Logout Token delivery plan needs the JWT
+* plugin, so when it is disabled we still revoke but never build a plan.
+*
+* Returns `null` when there is nothing to do, so the caller can skip the
+* background handoff entirely.
+*/
+async function revokeAndPlanBackchannelLogout(ctx, opts, input) {
+	const { sessionId, userId } = input;
+	if (!userId) return null;
+	const logger = ctx.context.logger;
+	try {
+		const where = [{
+			field: "sessionId",
+			value: sessionId
+		}];
+		const [accessTokens, refreshTokens] = await Promise.all([ctx.context.adapter.findMany({
+			model: "oauthAccessToken",
+			where
+		}), ctx.context.adapter.findMany({
+			model: "oauthRefreshToken",
+			where
+		})]);
+		const affectedClientIds = /* @__PURE__ */ new Set();
+		for (const t of accessTokens) affectedClientIds.add(t.clientId);
+		for (const t of refreshTokens) affectedClientIds.add(t.clientId);
+		if (affectedClientIds.size === 0) return null;
+		const clients = await ctx.context.adapter.findMany({
+			model: "oauthClient",
+			where: [{
+				field: "clientId",
+				operator: "in",
+				value: Array.from(affectedClientIds)
+			}]
+		});
+		const revokedAt = /* @__PURE__ */ new Date();
+		const accessToRevokeIds = accessTokens.filter((t) => !t.revoked).map((t) => t.id);
+		const refreshToRevokeIds = refreshTokens.filter((t) => !t.revoked && !t.scopes?.includes("offline_access")).map((t) => t.id);
+		const revocations = await Promise.allSettled([accessToRevokeIds.length > 0 ? ctx.context.adapter.updateMany({
+			model: "oauthAccessToken",
+			where: [{
+				field: "id",
+				operator: "in",
+				value: accessToRevokeIds
+			}],
+			update: { revoked: revokedAt }
+		}) : Promise.resolve(), refreshToRevokeIds.length > 0 ? ctx.context.adapter.updateMany({
+			model: "oauthRefreshToken",
+			where: [{
+				field: "id",
+				operator: "in",
+				value: refreshToRevokeIds
+			}],
+			update: { revoked: revokedAt }
+		}) : Promise.resolve()]);
+		for (const result of revocations) if (result.status === "rejected") logger.error("back-channel logout: token revocation update failed", result.reason);
+		const eligibleClients = opts.disableJwtPlugin ? [] : clients.filter((c) => Boolean(c.backchannelLogoutUri) && !c.disabled);
+		if (eligibleClients.length === 0) return null;
+		return {
+			sessionId,
+			targets: await Promise.all(eligibleClients.map(async (client) => ({
+				client,
+				sub: await resolveSubjectIdentifier(userId, client, opts)
+			})))
+		};
+	} catch (error) {
+		logger.error("back-channel logout revocation failed", error);
+		return null;
+	}
+}
+/**
+* Asynchronous phase: sign one Logout Token per target client and POST it to
+* the registered `backchannel_logout_uri`. The caller hands this to
+* `runInBackgroundOrAwait`, so when a background handler is configured (Vercel
+* `waitUntil`, Cloudflare `ctx.waitUntil`) it runs after the response; without
+* one it completes inline so delivery is not lost on request teardown.
+*
+* Spec §2.5: "the OP SHOULD NOT retransmit", so each RP gets a single attempt
+* within `BACKCHANNEL_DISPATCH_TIMEOUT_MS`. Every per-client failure (fetch
+* error, non-2xx response, signing error, subject resolution error) is
+* logged; none of them can reject the outer promise.
+*/
+async function deliverBackchannelLogoutTokens(ctx, plan) {
+	const logger = ctx.context.logger;
+	const jwtPluginOptions = getJwtPlugin(ctx.context)?.options;
+	const iss = jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL;
+	const iat = Math.floor(Date.now() / 1e3);
+	const exp = iat + LOGOUT_TOKEN_LIFETIME_SECONDS;
+	const resolvedKey = jwtPluginOptions?.jwt?.sign ? null : await resolveSigningKey(ctx, jwtPluginOptions);
+	await Promise.allSettled(plan.targets.map(async ({ client, sub }) => {
+		try {
+			const jti = generateRandomString(32, "a-z", "A-Z", "0-9");
+			const token = await signLogoutToken(ctx, jwtPluginOptions, resolvedKey, {
+				iss,
+				aud: client.clientId,
+				sub,
+				sid: plan.sessionId,
+				iat,
+				exp,
+				jti
+			});
+			const response = await fetch(client.backchannelLogoutUri, {
+				method: "POST",
+				headers: {
+					"Content-Type": "application/x-www-form-urlencoded",
+					Accept: "application/json"
+				},
+				body: new URLSearchParams({ logout_token: token }),
+				signal: AbortSignal.timeout(BACKCHANNEL_DISPATCH_TIMEOUT_MS),
+				redirect: "error"
+			});
+			if (response.status !== 200 && response.status !== 204) logger.warn(`back-channel logout to client ${client.clientId} returned ${response.status}`);
+		} catch (error) {
+			logger.warn(`back-channel logout to client ${client.clientId} failed`, error);
+		}
+	}));
+}
+/**
+* RP-Initiated Logout (OIDC RP-Initiated Logout 1.0). The RP presents a signed
+* `id_token_hint`; after verification, the OP terminates the matching session
+* and optionally redirects to `post_logout_redirect_uri`.
+*
+* Session termination goes through `internalAdapter.deleteSession`, which fires
+* `session.delete.before` so the hook drives revocation and back-channel
+* notifications to every RP with tokens on the session.
 *
 * @see https://openid.net/specs/openid-connect-rpinitiated-1_0.html
 */
@@ -1117,12 +1387,10 @@ async function rpInitiatedLogoutEndpoint(ctx, opts) {
 		});
 		const secret = await decryptStoredClientSecret(ctx, opts.storeClientSecret, clientSecret);
 		const { payload } = await compactVerify(id_token_hint, new TextEncoder().encode(secret));
-		const idToken = new TextDecoder().decode(payload);
-		idTokenPayload = JSON.parse(idToken);
+		idTokenPayload = JSON.parse(new TextDecoder().decode(payload));
 	} else {
 		const { payload } = await compactVerify(id_token_hint, createLocalJWKSet(await getJwks(id_token_hint, { jwksFetch: jwksUrl })));
-		const idToken = new TextDecoder().decode(payload);
-		idTokenPayload = JSON.parse(idToken);
+		idTokenPayload = JSON.parse(new TextDecoder().decode(payload));
 	}
 	if (!idTokenPayload) throw new APIError$1("INTERNAL_SERVER_ERROR", {
 		error_description: "missing payload",
@@ -1154,18 +1422,13 @@ async function rpInitiatedLogoutEndpoint(ctx, opts) {
 				value: sessionId
 			}]
 		});
-		session?.token ? await ctx.context.internalAdapter.deleteSession(session?.token) : session?.id ? await ctx.context.adapter.delete({
+		if (session?.token) await ctx.context.internalAdapter.deleteSession(session.token);
+		else if (session) await ctx.context.adapter.delete({
 			model: "session",
 			where: [{
 				field: "id",
 				value: session.id
 			}]
-		}) : await ctx.context.adapter.delete({
-			model: "session",
-			where: [{
-				field: "id",
-				value: sessionId
-			}]
 		});
 	} catch {}
 	if (post_logout_redirect_uri) {
@@ -1287,6 +1550,28 @@ const publicSessionMiddleware = (opts) => createAuthMiddleware(async (ctx) => {
 	if (!await verifyOAuthQueryParams(query, ctx.context.secret)) throw new APIError("UNAUTHORIZED", { error: "invalid_signature" });
 });
 //#endregion
+//#region src/oauthClient/privileges.ts
+/**
+* Authorizes a client action against the configured `clientPrivileges` hook.
+*
+* This is the single authorization helper for every OAuth client mutation. The
+* create path enforces it at the shared creation chokepoint so that no
+* registration route can reach client persistence without it.
+*
+* @throws APIError UNAUTHORIZED when there is no session or the hook denies the action.
+* @throws APIError BAD_REQUEST when the request carries no headers.
+*/
+async function assertClientPrivileges(ctx, session, opts, action) {
+	if (!session) throw new APIError("UNAUTHORIZED");
+	if (!ctx.headers) throw new APIError("BAD_REQUEST");
+	if (opts.clientPrivileges && !await opts.clientPrivileges({
+		headers: ctx.headers,
+		action,
+		session: session.session,
+		user: session.user
+	})) throw new APIError("UNAUTHORIZED");
+}
+//#endregion
 //#region src/register.ts
 /**
 * Resolves the auth method and type for unauthenticated DCR.
@@ -1418,10 +1703,45 @@ async function checkOAuthClient(client, opts, settings) {
 		error: "invalid_client_metadata",
 		error_description: "jwks and jwks_uri are only allowed with private_key_jwt authentication"
 	});
+	if (client.backchannel_logout_uri !== void 0) {
+		if (opts.disableJwtPlugin) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "backchannel_logout_uri requires the jwt plugin (disableJwtPlugin must be false)"
+		});
+		let url;
+		try {
+			url = new URL(client.backchannel_logout_uri);
+		} catch {
+			throw new APIError("BAD_REQUEST", {
+				error: "invalid_client_metadata",
+				error_description: "backchannel_logout_uri must be an absolute URL"
+			});
+		}
+		if (url.protocol !== "https:" && url.protocol !== "http:") throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "backchannel_logout_uri must use http or https"
+		});
+		if (client.backchannel_logout_uri.includes("#")) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "backchannel_logout_uri must not include a fragment component"
+		});
+		const loopback = isLoopbackHost(url.hostname);
+		if (!isPublic && url.protocol !== "https:" && !loopback) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "backchannel_logout_uri must use https for confidential clients"
+		});
+		if (isPrivateHostname(url.hostname) && !loopback) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "backchannel_logout_uri must not point to a private or reserved address"
+		});
+	}
 }
 async function createOAuthClientEndpoint(ctx, opts, settings) {
 	const body = ctx.body;
 	const session = await getSessionFromCtx(ctx);
+	if (settings.isRegister) {
+		if (session) await assertClientPrivileges(ctx, session, opts, "create");
+	} else await assertClientPrivileges(ctx, session, opts, "create");
 	const isPublic = body.token_endpoint_auth_method === "none";
 	const isPrivateKeyJwt = body.token_endpoint_auth_method === "private_key_jwt";
 	await checkOAuthClient(ctx.body, opts, {
@@ -1473,7 +1793,7 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 * @returns
 */
 function oauthToSchema(input) {
-	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: inputJwks, jwks_uri: jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, require_pkce: requirePKCE, subject_type: subjectType, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
+	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: inputJwks, jwks_uri: jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, backchannel_logout_uri: backchannelLogoutUri, backchannel_logout_session_required: backchannelLogoutSessionRequired, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, require_pkce: requirePKCE, subject_type: subjectType, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
 	const expiresAt = _expiresAt ? /* @__PURE__ */ new Date(_expiresAt * 1e3) : void 0;
 	const createdAt = _createdAt ? /* @__PURE__ */ new Date(_createdAt * 1e3) : void 0;
 	const scopes = _scope?.split(" ");
@@ -1501,6 +1821,8 @@ function oauthToSchema(input) {
 		softwareStatement,
 		redirectUris,
 		postLogoutRedirectUris,
+		backchannelLogoutUri,
+		backchannelLogoutSessionRequired,
 		tokenEndpointAuthMethod,
 		grantTypes,
 		responseTypes,
@@ -1523,7 +1845,7 @@ function oauthToSchema(input) {
 * @returns
 */
 function schemaToOAuth(input) {
-	const { clientId, clientSecret, disabled, scopes, userId, createdAt, updatedAt: _updatedAt, expiresAt, name, uri, icon, contacts, tos, policy, softwareId, softwareVersion, softwareStatement, redirectUris, postLogoutRedirectUris, tokenEndpointAuthMethod, grantTypes, responseTypes, public: _public, type, jwks, jwksUri, skipConsent, enableEndSession, requirePKCE, subjectType, referenceId, metadata } = input;
+	const { clientId, clientSecret, disabled, scopes, userId, createdAt, updatedAt: _updatedAt, expiresAt, name, uri, icon, contacts, tos, policy, softwareId, softwareVersion, softwareStatement, redirectUris, postLogoutRedirectUris, backchannelLogoutUri, backchannelLogoutSessionRequired, tokenEndpointAuthMethod, grantTypes, responseTypes, public: _public, type, jwks, jwksUri, skipConsent, enableEndSession, requirePKCE, subjectType, referenceId, metadata } = input;
 	const _expiresAt = expiresAt ? Math.round(new Date(expiresAt).getTime() / 1e3) : void 0;
 	const _createdAt = createdAt ? Math.round(new Date(createdAt).getTime() / 1e3) : void 0;
 	const _scopes = scopes?.join(" ");
@@ -1548,6 +1870,8 @@ function schemaToOAuth(input) {
 		software_statement: softwareStatement ?? void 0,
 		redirect_uris: redirectUris ?? [],
 		post_logout_redirect_uris: postLogoutRedirectUris ?? void 0,
+		backchannel_logout_uri: backchannelLogoutUri ?? void 0,
+		backchannel_logout_session_required: backchannelLogoutSessionRequired ?? void 0,
 		token_endpoint_auth_method: tokenEndpointAuthMethod ?? void 0,
 		grant_types: grantTypes ?? void 0,
 		response_types: responseTypes ?? void 0,
@@ -1767,16 +2091,6 @@ async function rotateClientSecretEndpoint(ctx, opts) {
 		clientSecret: (opts.prefix?.clientSecret ?? "") + clientSecret
 	});
 }
-async function assertClientPrivileges(ctx, session, opts, action) {
-	if (!session) throw new APIError("UNAUTHORIZED");
-	if (!ctx.headers) throw new APIError("BAD_REQUEST");
-	if (opts.clientPrivileges && !await opts.clientPrivileges({
-		headers: ctx.headers,
-		action,
-		session: session.session,
-		user: session.user
-	})) throw new APIError("UNAUTHORIZED");
-}
 //#endregion
 //#region src/oauthClient/index.ts
 const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/create-client", {
@@ -1794,13 +2108,15 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 		software_version: z.string().optional(),
 		software_statement: z.string().optional(),
 		post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+		backchannel_logout_uri: SafeUrlSchema.optional(),
+		backchannel_logout_session_required: z.boolean().optional(),
 		token_endpoint_auth_method: z.enum([
 			"none",
 			"client_secret_basic",
 			"client_secret_post",
 			"private_key_jwt"
 		]).default("client_secret_basic").optional(),
-		jwks: z.union([z.array(z.record(z.string(), z.unknown())), z.object({ keys: z.array(z.record(z.string(), z.unknown())) })]).optional(),
+		jwks: z.union([z.array(z.record(z.string(), z.unknown())).min(1), z.object({ keys: z.array(z.record(z.string(), z.unknown())).min(1) })]).optional(),
 		jwks_uri: z.string().optional(),
 		grant_types: z.array(z.enum([
 			"authorization_code",
@@ -1962,7 +2278,6 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 		}
 	}
 }, async (ctx) => {
-	await assertClientPrivileges(ctx, await getSessionFromCtx(ctx), opts, "create");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
 });
 const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client", {
@@ -1981,13 +2296,15 @@ const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client",
 		software_version: z.string().optional(),
 		software_statement: z.string().optional(),
 		post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+		backchannel_logout_uri: SafeUrlSchema.optional(),
+		backchannel_logout_session_required: z.boolean().optional(),
 		token_endpoint_auth_method: z.enum([
 			"none",
 			"client_secret_basic",
 			"client_secret_post",
 			"private_key_jwt"
 		]).default("client_secret_basic").optional(),
-		jwks: z.union([z.array(z.record(z.string(), z.unknown())), z.object({ keys: z.array(z.record(z.string(), z.unknown())) })]).optional(),
+		jwks: z.union([z.array(z.record(z.string(), z.unknown())).min(1), z.object({ keys: z.array(z.record(z.string(), z.unknown())).min(1) })]).optional(),
 		jwks_uri: z.string().optional(),
 		grant_types: z.array(z.enum([
 			"authorization_code",
@@ -2135,7 +2452,6 @@ const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client",
 		} }
 	} }
 }, async (ctx) => {
-	await assertClientPrivileges(ctx, await getSessionFromCtx(ctx), opts, "create");
 	return createOAuthClientEndpoint(ctx, opts, { isRegister: false });
 });
 const getOAuthClient = (opts) => createAuthEndpoint("/oauth2/get-client", {
@@ -2191,6 +2507,8 @@ const adminUpdateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/updat
 			software_version: z.string().optional(),
 			software_statement: z.string().optional(),
 			post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+			backchannel_logout_uri: SafeUrlSchema.optional(),
+			backchannel_logout_session_required: z.boolean().optional(),
 			grant_types: z.array(z.enum([
 				"authorization_code",
 				"client_credentials",
@@ -2233,6 +2551,8 @@ const updateOAuthClient = (opts) => createAuthEndpoint("/oauth2/update-client",
 			software_version: z.string().optional(),
 			software_statement: z.string().optional(),
 			post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+			backchannel_logout_uri: SafeUrlSchema.optional(),
+			backchannel_logout_session_required: z.boolean().optional(),
 			grant_types: z.array(z.enum([
 				"authorization_code",
 				"client_credentials",
@@ -2339,12 +2659,12 @@ async function updateConsentEndpoint(ctx, opts) {
 		error_description: "no consent",
 		error: "not_found"
 	});
+	if (consent.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
 	const client = await getClient(ctx, opts, consent.clientId);
-	if (!consent) throw new APIError("NOT_FOUND", {
-		error_description: "no consent",
+	if (!client) throw new APIError("NOT_FOUND", {
+		error_description: "client not found",
 		error: "not_found"
 	});
-	if (consent.userId !== session.user.id) throw new APIError("UNAUTHORIZED");
 	const allowedScopes = client?.scopes ?? opts.scopes ?? [];
 	const updates = ctx.body.update;
 	const scopes = updates.scopes;
@@ -2412,7 +2732,14 @@ const deleteOAuthConsent = (opts) => createAuthEndpoint("/oauth2/delete-consent"
 */
 /**
 * Revokes a JWT access token against the configured JWKs.
-* (does nothing if successful since a JWT is not stored on the server)
+*
+* A JWT access token is self-contained and never stored, so there is nothing to
+* delete. Once the token is confirmed to be a valid JWT for this server, the
+* endpoint reports `unsupported_token_type` (RFC 7009 §2.2.1) instead of a
+* silent success, so callers can tell that no server-side revocation happened.
+* An expired or wrong-audience JWT is already inactive and still resolves as a
+* successful no-op. Session-bound tokens (carrying `sid`) are cut off early by
+* the session-liveness check in introspection and userinfo.
 */
 async function revokeJwtAccessToken(ctx, opts, token) {
 	const jwtPlugin = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context);
@@ -2439,6 +2766,10 @@ async function revokeJwtAccessToken(ctx, opts, token) {
 		}
 		throw new Error(error);
 	}
+	throw new APIError$1("BAD_REQUEST", {
+		error_description: "JWT access tokens are self-contained and cannot be revoked server-side",
+		error: "unsupported_token_type"
+	});
 }
 /**
 * Searches for an opaque access token in the database and validates it
@@ -2492,16 +2823,7 @@ async function revokeRefreshToken(ctx, opts, token, clientId) {
 		error: "invalid_request"
 	});
 	if (refreshToken.revoked) {
-		await ctx.context.adapter.deleteMany({
-			model: "oauthRefreshToken",
-			where: [{
-				field: "clientId",
-				value: clientId
-			}, {
-				field: "userId",
-				value: refreshToken.userId
-			}]
-		});
+		await invalidateRefreshFamily(ctx, clientId, refreshToken.userId);
 		throw new APIError$1("BAD_REQUEST", {
 			error_description: "refresh token revoked",
 			error: "invalid_request"
@@ -2509,20 +2831,31 @@ async function revokeRefreshToken(ctx, opts, token, clientId) {
 	}
 	if (!refreshToken.clientId || refreshToken.clientId !== clientId) return null;
 	const iat = Math.floor(Date.now() / 1e3);
-	await Promise.allSettled([ctx.context.adapter.deleteMany({
-		model: "oauthAccessToken",
-		where: [{
-			field: "refreshId",
-			value: refreshToken.id
-		}]
-	}), ctx.context.adapter.update({
+	if (!await ctx.context.adapter.update({
 		model: "oauthRefreshToken",
 		where: [{
 			field: "id",
 			value: refreshToken.id
+		}, {
+			field: "revoked",
+			operator: "eq",
+			value: null
 		}],
 		update: { revoked: /* @__PURE__ */ new Date(iat * 1e3) }
-	})]);
+	})) {
+		await invalidateRefreshFamily(ctx, clientId, refreshToken.userId);
+		throw new APIError$1("BAD_REQUEST", {
+			error_description: "refresh token revoked",
+			error: "invalid_request"
+		});
+	}
+	await ctx.context.adapter.deleteMany({
+		model: "oauthAccessToken",
+		where: [{
+			field: "refreshId",
+			value: refreshToken.id
+		}]
+	});
 }
 /**
 * We don't know the access token format so we try to validate it
@@ -2532,7 +2865,9 @@ async function revokeAccessToken(ctx, opts, clientId, token) {
 	try {
 		return await revokeJwtAccessToken(ctx, opts, token);
 	} catch (err) {
-		if (err instanceof APIError$1) {} else if (err instanceof Error) throw err;
+		if (err instanceof APIError$1) {
+			if (err.body?.error === "unsupported_token_type") throw err;
+		} else if (err instanceof Error) throw err;
 		else throw new Error(err);
 	}
 	try {
@@ -2565,7 +2900,7 @@ async function revokeEndpoint(ctx, opts) {
 			return await revokeAccessToken(ctx, opts, client.clientId, token);
 		} catch (error) {
 			if (error instanceof APIError$1) {
-				if (token_type_hint === "access_token") throw error;
+				if (token_type_hint === "access_token" || error.body?.error === "unsupported_token_type") throw error;
 			} else if (error instanceof Error) throw error;
 			else throw new Error(error);
 		}
@@ -2583,6 +2918,7 @@ async function revokeEndpoint(ctx, opts) {
 		});
 	} catch (error) {
 		if (error instanceof APIError$1) {
+			if (error.body?.error === "unsupported_token_type") throw error;
 			if (error.name === "BAD_REQUEST") return null;
 			throw error;
 		} else if (error instanceof Error) {
@@ -2691,6 +3027,14 @@ const schema = {
 				type: "string[]",
 				required: false
 			},
+			backchannelLogoutUri: {
+				type: "string",
+				required: false
+			},
+			backchannelLogoutSessionRequired: {
+				type: "boolean",
+				required: false
+			},
 			tokenEndpointAuthMethod: {
 				type: "string",
 				required: false
@@ -2736,7 +3080,8 @@ const schema = {
 	oauthRefreshToken: { fields: {
 		token: {
 			type: "string",
-			required: true
+			required: true,
+			unique: true
 		},
 		clientId: {
 			type: "string",
@@ -2770,6 +3115,10 @@ const schema = {
 			type: "string",
 			required: false
 		},
+		resources: {
+			type: "string[]",
+			required: false
+		},
 		expiresAt: { type: "date" },
 		createdAt: { type: "date" },
 		revoked: {
@@ -2824,6 +3173,10 @@ const schema = {
 				type: "string",
 				required: false
 			},
+			resources: {
+				type: "string[]",
+				required: false
+			},
 			refreshId: {
 				type: "string",
 				required: false,
@@ -2835,6 +3188,10 @@ const schema = {
 			},
 			expiresAt: { type: "date" },
 			createdAt: { type: "date" },
+			revoked: {
+				type: "date",
+				required: false
+			},
 			scopes: {
 				type: "string[]",
 				required: true
@@ -2866,6 +3223,10 @@ const schema = {
 				type: "string",
 				required: false
 			},
+			resources: {
+				type: "string[]",
+				required: false
+			},
 			scopes: {
 				type: "string[]",
 				required: true
@@ -2873,12 +3234,25 @@ const schema = {
 			createdAt: { type: "date" },
 			updatedAt: { type: "date" }
 		}
+	},
+	oauthClientAssertion: {
+		modelName: "oauthClientAssertion",
+		fields: { expiresAt: {
+			type: "date",
+			required: true
+		} }
 	}
 };
 //#endregion
 //#region src/oauth.ts
 const oAuthState = defineRequestState(() => null);
 const getOAuthProviderState = oAuthState.get;
+const signedQueryIssuedAtMsKey = "signedQueryIssuedAtMs";
+function getServerContextSignedQueryIssuedAt(value) {
+	const issuedAtMs = typeof value === "number" ? value : typeof value === "string" ? Number(value) : void 0;
+	if (!issuedAtMs || !Number.isFinite(issuedAtMs) || issuedAtMs <= 0) return;
+	return new Date(issuedAtMs);
+}
 /**
 * oAuth 2.1 provider plugin for Better Auth.
 *
@@ -2943,10 +3317,195 @@ const oauthProvider = (options) => {
 	if (opts.grantTypes && opts.grantTypes.includes("refresh_token") && !opts.grantTypes.includes("authorization_code")) throw new BetterAuthError("refresh_token grant requires authorization_code grant");
 	if (opts.disableJwtPlugin && (opts.storeClientSecret === "hashed" || typeof opts.storeClientSecret === "object" && "hash" in opts.storeClientSecret)) throw new BetterAuthError("unable to store hashed secrets because id tokens will be signed with secret");
 	if (!opts.disableJwtPlugin && (opts.storeClientSecret === "encrypted" || typeof opts.storeClientSecret === "object" && ("encrypt" in opts.storeClientSecret || "decrypt" in opts.storeClientSecret))) throw new BetterAuthError("encryption method not recommended, please use 'hashed' or the 'hash' function");
+	const handleIssuerMetadataRequest = async (request, ctx) => {
+		const requestPathname = new URL(request.url).pathname;
+		const requestPath = ctx.options.advanced?.skipTrailingSlashes ? requestPathname.replace(/\/+$/, "") || "/" : requestPathname;
+		const issuer = opts.disableJwtPlugin ? ctx.baseURL : getJwtPlugin(ctx)?.options?.jwt?.issuer ?? ctx.baseURL;
+		let issuerPath = "/";
+		try {
+			issuerPath = new URL(issuer).pathname.replace(/\/$/, "") || "";
+		} catch {
+			issuerPath = new URL(ctx.baseURL).pathname.replace(/\/$/, "") || "";
+		}
+		const endpointCtx = { context: ctx };
+		const authServerMetadataPaths = new Set([`/.well-known/oauth-authorization-server${issuerPath}`, `${issuerPath}/.well-known/oauth-authorization-server`]);
+		const openIdConfigPath = `${issuerPath}/.well-known/openid-configuration`;
+		const isAuthServerMetadataRequest = authServerMetadataPaths.has(requestPath);
+		const isOpenIdConfigRequest = opts.scopes?.includes("openid") && requestPath === openIdConfigPath;
+		const createMetadataResponse = (metadata) => {
+			const response = metadataResponse(metadata);
+			if (request.method === "HEAD") return new Response(null, {
+				status: response.status,
+				headers: response.headers
+			});
+			return response;
+		};
+		if (isAuthServerMetadataRequest || isOpenIdConfigRequest) {
+			if (request.method !== "GET" && request.method !== "HEAD") return { response: new Response(null, {
+				status: 405,
+				headers: { Allow: "GET, HEAD" }
+			}) };
+		}
+		if (isAuthServerMetadataRequest) {
+			if (opts.scopes?.includes("openid")) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
+			return { response: createMetadataResponse({
+				...authServerMetadata(endpointCtx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx)?.options, {
+					scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+					dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
+					public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
+					grant_types_supported: opts.grantTypes,
+					jwt_disabled: opts.disableJwtPlugin
+				}),
+				...mergeDiscoveryMetadata(opts.clientDiscovery)
+			}) };
+		}
+		if (isOpenIdConfigRequest) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
+	};
+	const oauth2AuthorizeEndpoint = createOAuthEndpoint("/oauth2/authorize", {
+		method: "GET",
+		query: authorizationQuerySchema,
+		redirectOnError: authorizeRedirectOnError(opts),
+		errorCodesByField: {
+			response_type: { invalid: "unsupported_response_type" },
+			resource: { invalid: "invalid_target" }
+		},
+		metadata: { openapi: {
+			description: "Authorize an OAuth2 request",
+			parameters: [
+				{
+					name: "response_type",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 response type (e.g., 'code')"
+				},
+				{
+					name: "client_id",
+					in: "query",
+					required: true,
+					schema: { type: "string" },
+					description: "OAuth2 client ID"
+				},
+				{
+					name: "redirect_uri",
+					in: "query",
+					required: false,
+					schema: {
+						type: "string",
+						format: "uri"
+					},
+					description: "OAuth2 redirect URI"
+				},
+				{
+					name: "scope",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 scopes (space-separated)"
+				},
+				{
+					name: "state",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 state parameter"
+				},
+				{
+					name: "request_uri",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "Pushed Authorization Request URI referencing stored parameters"
+				},
+				{
+					name: "code_challenge",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "PKCE code challenge"
+				},
+				{
+					name: "code_challenge_method",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "PKCE code challenge method"
+				},
+				{
+					name: "nonce",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OpenID Connect nonce"
+				},
+				{
+					name: "max_age",
+					in: "query",
+					required: false,
+					schema: {
+						type: "integer",
+						minimum: 0
+					},
+					description: "Maximum authentication age in seconds; forces re-authentication when exceeded"
+				},
+				{
+					name: "resource",
+					in: "query",
+					required: false,
+					schema: {
+						type: "array",
+						items: { type: "string" }
+					},
+					description: "Requested token resource(s) (ie audience) to obtain a JWT formatted access token. May be supplied multiple times as repeated 'resource' query parameters (RFC 8707) or as an array of strings."
+				},
+				{
+					name: "prompt",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 prompt parameter"
+				}
+			],
+			responses: {
+				"302": {
+					description: "Redirect to client with code or error",
+					headers: { Location: {
+						description: "Redirect URI with code or error",
+						schema: {
+							type: "string",
+							format: "uri"
+						}
+					} }
+				},
+				"400": {
+					description: "Invalid request",
+					content: { "application/json": { schema: {
+						type: "object",
+						properties: {
+							error: { type: "string" },
+							error_description: { type: "string" },
+							state: { type: "string" }
+						},
+						required: ["error"]
+					} } }
+				}
+			}
+		} }
+	}, async (ctx) => {
+		return authorizeEndpoint(ctx, opts, ctx.authorizeSettings ?? { isAuthorize: true });
+	});
+	const runOAuth2Authorize = (ctx, settings) => dispatchAuthEndpoint(oauth2AuthorizeEndpoint, {
+		...ctx,
+		asResponse: false,
+		returnHeaders: false,
+		returnStatus: false,
+		authorizeSettings: settings ?? {}
+	});
 	return {
 		id: "oauth-provider",
 		version: PACKAGE_VERSION,
 		options: opts,
+		onRequest: handleIssuerMetadataRequest,
 		init: (ctx) => {
 			if (ctx.options.secondaryStorage && ctx.options.session?.storeSessionInDatabase !== true) throw new BetterAuthError("OAuth Provider requires `session.storeSessionInDatabase: true` when using secondaryStorage");
 			if (!opts.disableJwtPlugin) {
@@ -2957,12 +3516,20 @@ const oauthProvider = (options) => {
 				try {
 					issuerPath = new URL(issuer).pathname;
 				} catch (error) {
-					if (isDynamicBaseURLInit && issuer === "") return;
-					throw error;
+					if (!isDynamicBaseURLInit || issuer !== "") throw error;
 				}
-				if (!opts.silenceWarnings?.oauthAuthServerConfig && !(ctx.options.basePath === "/" && issuerPath === "/")) logger.warn(`Please ensure '/.well-known/oauth-authorization-server${issuerPath === "/" ? "" : issuerPath}' exists. Upon completion, clear with silenceWarnings.oauthAuthServerConfig.`);
-				if (!opts.silenceWarnings?.openidConfig && ctx.options.basePath !== issuerPath && opts.scopes?.includes("openid")) logger.warn(`Please ensure '${issuerPath}${issuerPath.endsWith("/") ? "" : "/"}.well-known/openid-configuration' exists. Upon completion, clear with silenceWarnings.openidConfig.`);
+				if (issuerPath !== void 0 && !opts.silenceWarnings?.oauthAuthServerConfig && !(ctx.options.basePath === "/" && issuerPath === "/")) logger.warn(`Please ensure '/.well-known/oauth-authorization-server${issuerPath === "/" ? "" : issuerPath}' exists. Upon completion, clear with silenceWarnings.oauthAuthServerConfig.`);
+				if (issuerPath !== void 0 && !opts.silenceWarnings?.openidConfig && ctx.options.basePath !== issuerPath && opts.scopes?.includes("openid")) logger.warn(`Please ensure '${issuerPath}${issuerPath.endsWith("/") ? "" : "/"}.well-known/openid-configuration' exists. Upon completion, clear with silenceWarnings.openidConfig.`);
 			}
+			return { options: { databaseHooks: { session: { delete: { async before(session, hookCtx) {
+				if (!hookCtx) return;
+				const plan = await revokeAndPlanBackchannelLogout(hookCtx, opts, {
+					sessionId: session.id,
+					userId: session.userId
+				});
+				if (!plan) return;
+				await hookCtx.context.runInBackgroundOrAwait(deliverBackchannelLogoutTokens(hookCtx, plan));
+			} } } } } };
 		},
 		hooks: {
 			before: [{
@@ -2984,11 +3551,10 @@ const oauthProvider = (options) => {
 						signedQueryIssuedAt: signedQueryIssuedAt ?? void 0,
 						postLoginClearedForSession
 					});
-					if (ctx.path === "/sign-in/social") {
-						if (ctx.body.additionalData?.query) return;
-						if (!ctx.body.additionalData) ctx.body.additionalData = {};
-						ctx.body.additionalData.query = queryParams.toString();
-					}
+					if (ctx.path === "/sign-in/social") await addOAuthServerContext({
+						query: queryParams.toString(),
+						...signedQueryIssuedAt ? { [signedQueryIssuedAtMsKey]: signedQueryIssuedAt.getTime() } : {}
+					});
 				})
 			}],
 			after: [{
@@ -2998,7 +3564,9 @@ const oauthProvider = (options) => {
 				handler: createAuthMiddleware(async (ctx) => {
 					const sessionToken = parseSetCookieHeader(ctx.context.responseHeaders?.get("set-cookie") || "").get(ctx.context.authCookies.sessionToken.name)?.value.split(".")[0];
 					if (!sessionToken) return;
-					const _query = (await oAuthState.get())?.query ?? (await getOAuthState())?.query;
+					const oauthRequest = await oAuthState.get();
+					const serverContext = (await getOAuthState())?.serverContext;
+					const _query = oauthRequest?.query ?? serverContext?.query;
 					if (!_query) return;
 					const query = new URLSearchParams(_query);
 					const session = await ctx.context.internalAdapter.findSession(sessionToken);
@@ -3007,8 +3575,11 @@ const oauthProvider = (options) => {
 					const secFetchMode = ctx.request?.headers?.get("sec-fetch-mode")?.toLowerCase();
 					const acceptHeader = ctx.request?.headers?.get("accept")?.toLowerCase() ?? "";
 					if (!(secFetchMode === "navigate" || !secFetchMode && (acceptHeader.includes("text/html") || acceptHeader.includes("application/xhtml+xml")))) ctx.headers?.set("accept", "application/json");
-					ctx.query = searchParamsToQuery(removePromptFromQuery(query, "login"));
-					return await authorizeEndpoint(ctx, opts);
+					const signedQueryIssuedAt = oauthRequest?.signedQueryIssuedAt ?? getServerContextSignedQueryIssuedAt(serverContext?.[signedQueryIssuedAtMsKey]);
+					let authorizationQuery = removePromptFromQuery(query, "login");
+					if (isSessionFreshForSignedQuery(session.session.createdAt, signedQueryIssuedAt)) authorizationQuery = removeMaxAgeFromQuery(authorizationQuery);
+					ctx.query = searchParamsToQuery(authorizationQuery);
+					return await runOAuth2Authorize(ctx);
 				})
 			}]
 		},
@@ -3021,6 +3592,7 @@ const oauthProvider = (options) => {
 				else return {
 					...authServerMetadata(ctx, opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context)?.options, {
 						scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+						dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
 						public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
 						grant_types_supported: opts.grantTypes,
 						jwt_disabled: opts.disableJwtPlugin
@@ -3035,135 +3607,7 @@ const oauthProvider = (options) => {
 				if (opts.scopes && !opts.scopes.includes("openid")) throw new APIError("NOT_FOUND");
 				return oidcServerMetadata(ctx, opts);
 			}),
-			oauth2Authorize: createOAuthEndpoint("/oauth2/authorize", {
-				method: "GET",
-				query: z.object({
-					response_type: z.string().pipe(z.enum(["code"])).optional(),
-					client_id: z.string(),
-					redirect_uri: SafeUrlSchema.optional(),
-					scope: z.string().optional(),
-					state: z.string().optional(),
-					request_uri: z.string().optional(),
-					code_challenge: z.string().optional(),
-					code_challenge_method: z.string().pipe(z.enum(["S256"])).optional(),
-					nonce: z.string().optional(),
-					prompt: z.string().pipe(z.enum([
-						"none",
-						"consent",
-						"login",
-						"create",
-						"select_account",
-						"login consent",
-						"select_account consent"
-					])).optional()
-				}),
-				redirectOnError: authorizeRedirectOnError(opts),
-				errorCodesByField: { response_type: { invalid: "unsupported_response_type" } },
-				metadata: { openapi: {
-					description: "Authorize an OAuth2 request",
-					parameters: [
-						{
-							name: "response_type",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 response type (e.g., 'code')"
-						},
-						{
-							name: "client_id",
-							in: "query",
-							required: true,
-							schema: { type: "string" },
-							description: "OAuth2 client ID"
-						},
-						{
-							name: "redirect_uri",
-							in: "query",
-							required: false,
-							schema: {
-								type: "string",
-								format: "uri"
-							},
-							description: "OAuth2 redirect URI"
-						},
-						{
-							name: "scope",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 scopes (space-separated)"
-						},
-						{
-							name: "state",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 state parameter"
-						},
-						{
-							name: "request_uri",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "Pushed Authorization Request URI referencing stored parameters"
-						},
-						{
-							name: "code_challenge",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "PKCE code challenge"
-						},
-						{
-							name: "code_challenge_method",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "PKCE code challenge method"
-						},
-						{
-							name: "nonce",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OpenID Connect nonce"
-						},
-						{
-							name: "prompt",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 prompt parameter"
-						}
-					],
-					responses: {
-						"302": {
-							description: "Redirect to client with code or error",
-							headers: { Location: {
-								description: "Redirect URI with code or error",
-								schema: {
-									type: "string",
-									format: "uri"
-								}
-							} }
-						},
-						"400": {
-							description: "Invalid request",
-							content: { "application/json": { schema: {
-								type: "object",
-								properties: {
-									error: { type: "string" },
-									error_description: { type: "string" },
-									state: { type: "string" }
-								},
-								required: ["error"]
-							} } }
-						}
-					}
-				} }
-			}, async (ctx) => {
-				return authorizeEndpoint(ctx, opts, { isAuthorize: true });
-			}),
+			oauth2Authorize: oauth2AuthorizeEndpoint,
 			oauth2Consent: createAuthEndpoint("/oauth2/consent", {
 				method: "POST",
 				body: z.object({
@@ -3188,7 +3632,7 @@ const oauthProvider = (options) => {
 					} }
 				} }
 			}, async (ctx) => {
-				return consentEndpoint(ctx, opts);
+				return consentEndpoint(ctx, opts, runOAuth2Authorize);
 			}),
 			oauth2Continue: createAuthEndpoint("/oauth2/continue", {
 				method: "POST",
@@ -3215,7 +3659,7 @@ const oauthProvider = (options) => {
 					} }
 				} }
 			}, async (ctx) => {
-				return continueEndpoint(ctx, opts);
+				return continueEndpoint(ctx, runOAuth2Authorize);
 			}),
 			oauth2Token: createOAuthEndpoint("/oauth2/token", {
 				method: "POST",
@@ -3233,13 +3677,16 @@ const oauthProvider = (options) => {
 					code_verifier: z.string().optional(),
 					redirect_uri: SafeUrlSchema.optional(),
 					refresh_token: z.string().optional(),
-					resource: z.string().optional(),
+					resource: z.union([ResourceUriSchema, z.array(ResourceUriSchema).min(1)]).optional(),
 					scope: z.string().optional()
 				}),
-				errorCodesByField: { grant_type: {
-					missing: "invalid_request",
-					invalid: "unsupported_grant_type"
-				} },
+				errorCodesByField: {
+					grant_type: {
+						missing: "invalid_request",
+						invalid: "unsupported_grant_type"
+					},
+					resource: { invalid: "invalid_target" }
+				},
 				metadata: {
 					allowedMediaTypes: ["application/x-www-form-urlencoded"],
 					openapi: {
@@ -3284,8 +3731,15 @@ const oauthProvider = (options) => {
 										description: "Refresh token (for refresh_token grant)"
 									},
 									resource: {
-										type: "string",
-										description: "Requested token resource (ie audience) to obtain a JWT formatted access token"
+										oneOf: [{
+											type: "string",
+											description: "Single resource (URL)"
+										}, {
+											type: "array",
+											items: { type: "string" },
+											description: "Multiple resources (URLs)"
+										}],
+										description: "Requested token resource(s) (ie audience) to obtain a JWT formatted access token"
 									},
 									scope: {
 										type: "string",
@@ -3386,10 +3840,6 @@ const oauthProvider = (options) => {
 									token_type_hint: {
 										type: "string",
 										description: "Hint about the token type. Recognized values: `access_token`, `refresh_token`."
-									},
-									resource: {
-										type: "string",
-										description: "Introspects a token for a specific resource."
 									}
 								},
 								required: ["token"]
@@ -3537,7 +3987,7 @@ const oauthProvider = (options) => {
 				return revokeEndpoint(ctx, opts);
 			}),
 			oauth2UserInfo: createAuthEndpoint("/oauth2/userinfo", {
-				method: "GET",
+				method: ["GET", "POST"],
 				metadata: { openapi: {
 					description: "Get OpenID Connect user information (UserInfo endpoint)",
 					security: [{ bearerAuth: [] }, { OAuth2: [
@@ -3671,13 +4121,15 @@ const oauthProvider = (options) => {
 					software_version: z.string().optional(),
 					software_statement: z.string().optional(),
 					post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+					backchannel_logout_uri: SafeUrlSchema.optional(),
+					backchannel_logout_session_required: z.boolean().optional(),
 					token_endpoint_auth_method: z.enum([
 						"none",
 						"client_secret_basic",
 						"client_secret_post",
 						"private_key_jwt"
 					]).default("client_secret_basic").optional(),
-					jwks: z.union([z.array(z.record(z.string(), z.unknown())), z.object({ keys: z.array(z.record(z.string(), z.unknown())) })]).optional(),
+					jwks: z.union([z.array(z.record(z.string(), z.unknown())).min(1), z.object({ keys: z.array(z.record(z.string(), z.unknown())).min(1) })]).optional(),
 					jwks_uri: z.string().optional(),
 					grant_types: z.array(z.enum([
 						"authorization_code",
@@ -3783,6 +4235,15 @@ const oauthProvider = (options) => {
 									},
 									description: "List of allowed logout redirect uris"
 								},
+								backchannel_logout_uri: {
+									type: "string",
+									format: "uri",
+									description: "RP URL to receive signed Logout Tokens when the end-user's OP session terminates"
+								},
+								backchannel_logout_session_required: {
+									type: "boolean",
+									description: "Whether the RP requires a `sid` claim in every Logout Token"
+								},
 								token_endpoint_auth_method: {
 									type: "string",
 									description: "Requested authentication method for the token endpoint",
@@ -3891,6 +4352,19 @@ const oauthProvider = (options) => {
 //#endregion
 //#region src/authorize.ts
 /**
+* Whether a past authentication is still fresh enough for an OIDC `max_age`
+* request: true when no more than `maxAge` seconds have elapsed since the user
+* last authenticated. The caller supplies `now`, keeping this pure.
+*/
+function isWithinMaxAge(sessionCreatedAt, maxAgeSeconds, now) {
+	if (maxAgeSeconds === 0) return false;
+	return now.getTime() - sessionCreatedAt.getTime() <= maxAgeSeconds * 1e3;
+}
+function removeMaxAgeFromAuthorizationQuery(query) {
+	const { max_age: _maxAge, ...queryWithoutMaxAge } = query;
+	return queryWithoutMaxAge;
+}
+/**
 * Formats an error url. Per OIDC Core 1.0 §5 / RFC 6749 §4.2.2.1, errors on
 * implicit and hybrid flows are delivered in the URL fragment, not the query.
 * Callers on the code flow (default) omit `mode` and get query delivery.
@@ -4037,6 +4511,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		error_description: "request not found",
 		error: "invalid_request"
 	});
+	const request = ctx.request;
 	let query = ctx.query;
 	if (query.request_uri) {
 		if (!opts.requestUriResolver) return handleRedirect(ctx, getErrorURL(ctx, "invalid_request_uri", "request_uri not supported"));
@@ -4051,6 +4526,14 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		if (urlClientId) query.client_id = urlClientId;
 	}
 	ctx.query = query;
+	const parsedQuery = authorizationQuerySchema.safeParse(query);
+	if (!parsedQuery.success) return authorizeRedirectOnError(opts)({
+		error: "invalid_request",
+		error_description: "invalid authorization request",
+		ctx
+	});
+	query = parsedQuery.data;
+	ctx.query = query;
 	await oAuthState.set({ query: serializeAuthorizationQuery(query).toString() });
 	if (!query.client_id) return handleRedirect(ctx, getErrorURL(ctx, "invalid_client", "client_id is required"));
 	if (!query.response_type) return handleRedirect(ctx, getErrorURL(ctx, "invalid_request", "response_type is required"));
@@ -4061,6 +4544,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	const client = await getClient(ctx, opts, query.client_id);
 	if (!client) return handleRedirect(ctx, getErrorURL(ctx, "invalid_client", "client_id is required"));
 	if (client.disabled) return handleRedirect(ctx, getErrorURL(ctx, "client_disabled", "client is disabled"));
+	if (!clientAllowsGrant(client, "authorization_code")) return handleRedirect(ctx, getErrorURL(ctx, "unauthorized_client", "client is not authorized to use the authorization_code grant"));
 	if (!findRegisteredRedirectUri(client.redirectUris, query.redirect_uri) || !query.redirect_uri) return handleRedirect(ctx, getErrorURL(ctx, "invalid_redirect", "invalid redirect uri"));
 	let requestedScopes = query.scope?.split(" ").filter((s) => s);
 	if (requestedScopes) {
@@ -4082,15 +4566,24 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		if (!query.code_challenge || !query.code_challenge_method) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_request", "code_challenge and code_challenge_method must both be provided", query.state, getIssuer(ctx, opts)));
 		if (!["S256"].includes(query.code_challenge_method)) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_request", "invalid code_challenge method, only S256 is supported", query.state, getIssuer(ctx, opts)));
 	}
+	const resource = query.resource;
+	if (!(await checkResource(ctx, opts, resource, requestedScopes)).success) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_target", "requested resource invalid", query.state, getIssuer(ctx, opts)));
+	const requestedResources = toResourceList(resource) ?? [];
 	const session = await getSessionFromCtx(ctx);
-	if (!session || promptSet?.has("login") || promptSet?.has("create")) {
+	const maxAgeSeconds = query.max_age;
+	const hasSatisfiedMaxAge = session != null && maxAgeSeconds !== void 0 && isWithinMaxAge(new Date(session.session.createdAt), maxAgeSeconds, /* @__PURE__ */ new Date());
+	if (!session || session != null && maxAgeSeconds !== void 0 && !hasSatisfiedMaxAge || promptSet?.has("login") || promptSet?.has("create")) {
 		if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "login_required", "authentication required");
 		return redirectWithPromptCode(ctx, opts, promptSet?.has("create") ? "create" : "login");
 	}
+	if (hasSatisfiedMaxAge) {
+		query = removeMaxAgeFromAuthorizationQuery(query);
+		ctx.query = query;
+	}
 	if (settings?.isAuthorize && promptSet?.has("select_account")) return redirectWithPromptCode(ctx, opts, "select_account");
 	if (settings?.isAuthorize && opts.selectAccount) {
 		if (await opts.selectAccount.shouldRedirect({
-			headers: ctx.request.headers,
+			headers: request.headers,
 			user: session.user,
 			session: session.session,
 			scopes: requestedScopes
@@ -4101,7 +4594,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	}
 	if (opts.signup?.shouldRedirect) {
 		const signupRedirect = await opts.signup.shouldRedirect({
-			headers: ctx.request.headers,
+			headers: request.headers,
 			user: session.user,
 			session: session.session,
 			scopes: requestedScopes
@@ -4113,7 +4606,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	}
 	if (!settings?.postLogin && opts.postLogin) {
 		if (await opts.postLogin.shouldRedirect({
-			headers: ctx.request.headers,
+			headers: request.headers,
 			user: session.user,
 			session: session.session,
 			scopes: requestedScopes
@@ -4134,7 +4627,8 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		userId: session.user.id,
 		sessionId: session.session.id,
 		authTime: new Date(session.session.createdAt).getTime(),
-		referenceId
+		referenceId,
+		resource: requestedResources
 	});
 	const consent = await ctx.context.adapter.findOne({
 		model: "oauthConsent",
@@ -4157,13 +4651,19 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "consent_required", "End-User consent is required");
 		return redirectWithPromptCode(ctx, opts, "consent", { sessionId: session.session.id });
 	}
+	const consentedResources = consent?.resources ?? [];
+	if (requestedResources.some((requestedResource) => !consentedResources.includes(requestedResource))) {
+		if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "consent_required", "End-User consent is required");
+		return redirectWithPromptCode(ctx, opts, "consent", { sessionId: session.session.id });
+	}
 	return redirectWithAuthorizationCode(ctx, opts, {
 		query,
 		clientId: client.clientId,
 		userId: session.user.id,
 		sessionId: session.session.id,
 		authTime: new Date(session.session.createdAt).getTime(),
-		referenceId
+		referenceId,
+		resource: requestedResources
 	});
 }
 function serializeAuthorizationQuery(query) {
@@ -4189,7 +4689,8 @@ async function redirectWithAuthorizationCode(ctx, opts, verificationValue) {
 			userId: verificationValue.userId,
 			sessionId: verificationValue?.sessionId,
 			referenceId: verificationValue.referenceId,
-			authTime: verificationValue.authTime
+			authTime: verificationValue.authTime,
+			resource: verificationValue.resource
 		})
 	};
 	await ctx.context.internalAdapter.createVerificationValue({
@@ -4229,13 +4730,14 @@ async function signParams(ctx, opts, flags) {
 //#region src/metadata.ts
 function authServerMetadata(ctx, opts, overrides) {
 	const baseURL = ctx.context.baseURL;
+	const backchannelSupported = !overrides?.jwt_disabled;
 	return {
 		scopes_supported: overrides?.scopes_supported,
 		issuer: validateIssuerUrl(opts?.jwt?.issuer ?? baseURL),
 		authorization_endpoint: `${baseURL}/oauth2/authorize`,
 		token_endpoint: `${baseURL}/oauth2/token`,
 		jwks_uri: overrides?.jwt_disabled ? void 0 : opts?.jwks?.remoteUrl ?? `${baseURL}${opts?.jwks?.jwksPath ?? "/jwks"}`,
-		registration_endpoint: `${baseURL}/oauth2/register`,
+		registration_endpoint: overrides?.dynamic_client_registration_supported ? `${baseURL}/oauth2/register` : void 0,
 		introspection_endpoint: `${baseURL}/oauth2/introspect`,
 		revocation_endpoint: `${baseURL}/oauth2/revoke`,
 		response_types_supported: overrides?.grant_types_supported && !overrides.grant_types_supported.includes("authorization_code") ? [] : ["code"],
@@ -4251,21 +4753,23 @@ function authServerMetadata(ctx, opts, overrides) {
 			"client_secret_post",
 			"private_key_jwt"
 		],
-		token_endpoint_auth_signing_alg_values_supported: [...ASSERTION_SIGNING_ALGORITHMS],
+		token_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
 		introspection_endpoint_auth_methods_supported: [
 			"client_secret_basic",
 			"client_secret_post",
 			"private_key_jwt"
 		],
-		introspection_endpoint_auth_signing_alg_values_supported: [...ASSERTION_SIGNING_ALGORITHMS],
+		introspection_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
 		revocation_endpoint_auth_methods_supported: [
 			"client_secret_basic",
 			"client_secret_post",
 			"private_key_jwt"
 		],
-		revocation_endpoint_auth_signing_alg_values_supported: [...ASSERTION_SIGNING_ALGORITHMS],
+		revocation_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
 		code_challenge_methods_supported: ["S256"],
-		authorization_response_iss_parameter_supported: true
+		authorization_response_iss_parameter_supported: true,
+		backchannel_logout_supported: backchannelSupported,
+		backchannel_logout_session_supported: backchannelSupported
 	};
 }
 function oidcServerMetadata(ctx, opts) {
@@ -4274,6 +4778,7 @@ function oidcServerMetadata(ctx, opts) {
 	return {
 		...authServerMetadata(ctx, jwtPluginOptions, {
 			scopes_supported: opts.advertisedMetadata?.scopes_supported ?? opts.scopes,
+			dynamic_client_registration_supported: opts.allowDynamicClientRegistration,
 			public_client_supported: opts.allowUnauthenticatedClientRegistration || toClientDiscoveryArray(opts.clientDiscovery).length > 0,
 			grant_types_supported: opts.grantTypes,
 			jwt_disabled: opts.disableJwtPlugin