@better-auth/oauth-provider 1.7.0-beta.4 → 1.7.0-beta.5

package/dist/index.mjs

@@ -1,8 +1,8 @@
-import { n as isPrivateHostname } from "./client-assertion-DLMKVgoj.mjs";
+import { n as isPrivateHostname } from "./client-assertion-DmT1B6_6.mjs";
 import { n as mcpHandler } from "./mcp-CYnz-MXn.mjs";
-import { C as toAudienceClaim, D as verifyOAuthQueryParams, E as validateClientCredentials, S as storeToken, T as toResourceList, _ as resolveSessionAuthTime, a as getClient, b as signedQueryIssuedAtParam, c as getSignedQueryIssuedAt, d as mergeDiscoveryMetadata, f as normalizeTimestampValue, g as removePromptFromQuery, h as postLoginClearedParam, i as extractClientCredentials, l as getStoredToken, m as parsePrompt, n as decryptStoredClientSecret, o as getJwtPlugin, p as parseClientMetadata, r as destructureCredentials, t as checkResource, u as isPKCERequired, v as resolveSubjectIdentifier, w as toClientDiscoveryArray, x as storeClientSecret, y as searchParamsToQuery } from "./utils-DKBWQ8fe.mjs";
-import { t as PACKAGE_VERSION } from "./version-nFnRm-a3.mjs";
-import { APIError, createAuthEndpoint, createAuthMiddleware, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
+import { A as verifyOAuthQueryParams, C as signedQueryIssuedAtParam, D as toClientDiscoveryArray, E as toAudienceClaim, O as toResourceList, S as searchParamsToQuery, T as storeToken, _ as postLoginClearedParam, a as extractClientCredentials, b as resolveSessionAuthTime, d as isPKCERequired, f as isSessionFreshForSignedQuery, g as parsePrompt, h as parseClientMetadata, i as destructureCredentials, k as validateClientCredentials, l as getSignedQueryIssuedAt, m as normalizeTimestampValue, n as clientAllowsGrant, o as getClient, p as mergeDiscoveryMetadata, r as decryptStoredClientSecret, s as getJwtPlugin, t as checkResource, u as getStoredToken, v as removeMaxAgeFromQuery, w as storeClientSecret, x as resolveSubjectIdentifier, y as removePromptFromQuery } from "./utils-D2dLqo7f.mjs";
+import { t as PACKAGE_VERSION } from "./version-B1ZiRmxj.mjs";
+import { APIError, addOAuthServerContext, createAuthEndpoint, createAuthMiddleware, dispatchAuthEndpoint, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateCodeChallenge, getJwks, verifyJwsAccessToken } from "better-auth/oauth2";
 import { APIError as APIError$1 } from "better-call";
 import { PRIVATE_KEY_JWT_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
@@ -19,7 +19,7 @@ import { resolveSigningKey, signJWT, toExpJWT } from "better-auth/plugins";
 import { SignJWT, base64url, compactVerify, createLocalJWKSet, decodeJwt, decodeProtectedHeader } from "jose";
 import { SafeUrlSchema } from "@better-auth/core/utils/redirect-uri";
 //#region src/consent.ts
-async function consentEndpoint(ctx, opts) {
+async function consentEndpoint(ctx, opts, authorize) {
 	const oauthRequest = await oAuthState.get();
 	const _query = oauthRequest?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
@@ -46,15 +46,11 @@ async function consentEndpoint(ctx, opts) {
 	};
 	const session = await getSessionFromCtx(ctx);
 	const hasLoginPrompt = parsePrompt(query.get("prompt") ?? "").has("login");
-	const hasSatisfiedLoginPrompt = hasLoginPrompt && sessionSatisfiesLoginPrompt(session?.session.createdAt, oauthRequest?.signedQueryIssuedAt);
+	const hasSatisfiedLoginPrompt = hasLoginPrompt && isSessionFreshForSignedQuery(session?.session.createdAt, oauthRequest?.signedQueryIssuedAt);
 	if (hasLoginPrompt && !hasSatisfiedLoginPrompt) {
 		ctx?.headers?.set("accept", "application/json");
 		ctx.query = searchParamsToQuery(query);
-		const { url } = await authorizeEndpoint(ctx, opts);
-		return {
-			redirect: true,
-			url
-		};
+		return await authorize(ctx);
 	}
 	const referenceId = await opts.postLogin?.consentReferenceId?.({
 		user: session?.user,
@@ -110,32 +106,25 @@ async function consentEndpoint(ctx, opts) {
 	if (requestedScopes) query.set("scope", consent.scopes.join(" "));
 	ctx?.headers?.set("accept", "application/json");
 	let authorizationQuery = removePromptFromQuery(query, "consent");
-	if (hasSatisfiedLoginPrompt) authorizationQuery = removePromptFromQuery(authorizationQuery, "login");
+	if (hasSatisfiedLoginPrompt) {
+		authorizationQuery = removePromptFromQuery(authorizationQuery, "login");
+		authorizationQuery = removeMaxAgeFromQuery(authorizationQuery);
+	}
 	ctx.query = searchParamsToQuery(authorizationQuery);
-	const { url } = await authorizeEndpoint(ctx, opts, { postLogin: oauthRequest?.postLoginClearedForSession !== void 0 && oauthRequest.postLoginClearedForSession === session?.session.id });
-	return {
-		redirect: true,
-		url
-	};
-}
-function sessionSatisfiesLoginPrompt(sessionCreatedAt, signedQueryIssuedAt) {
-	if (!signedQueryIssuedAt) return false;
-	const normalized = normalizeTimestampValue(sessionCreatedAt);
-	if (!normalized) return false;
-	return normalized.getTime() >= signedQueryIssuedAt.getTime();
+	return await authorize(ctx, { postLogin: oauthRequest?.postLoginClearedForSession !== void 0 && oauthRequest.postLoginClearedForSession === session?.session.id });
 }
 //#endregion
 //#region src/continue.ts
-async function continueEndpoint(ctx, opts) {
-	if (ctx.body.selected === true) return await selected(ctx, opts);
-	else if (ctx.body.created === true) return await created(ctx, opts);
-	else if (ctx.body.postLogin === true) return await postLogin(ctx, opts);
+async function continueEndpoint(ctx, authorize) {
+	if (ctx.body.selected === true) return await selected(ctx, authorize);
+	else if (ctx.body.created === true) return await created(ctx, authorize);
+	else if (ctx.body.postLogin === true) return await postLogin(ctx, authorize);
 	else throw new APIError("BAD_REQUEST", {
 		error_description: "Missing parameters",
 		error: "invalid_request"
 	});
 }
-async function selected(ctx, opts) {
+async function selected(ctx, authorize) {
 	const _query = (await oAuthState.get())?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
@@ -143,13 +132,9 @@ async function selected(ctx, opts) {
 	});
 	ctx.headers?.set("accept", "application/json");
 	ctx.query = searchParamsToQuery(removePromptFromQuery(new URLSearchParams(_query), "select_account"));
-	const { url } = await authorizeEndpoint(ctx, opts);
-	return {
-		redirect: true,
-		url
-	};
+	return await authorize(ctx);
 }
-async function created(ctx, opts) {
+async function created(ctx, authorize) {
 	const _query = (await oAuthState.get())?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
@@ -158,14 +143,11 @@ async function created(ctx, opts) {
 	const query = new URLSearchParams(_query);
 	ctx.headers?.set("accept", "application/json");
 	ctx.query = searchParamsToQuery(removePromptFromQuery(query, "create"));
-	const { url } = await authorizeEndpoint(ctx, opts);
-	return {
-		redirect: true,
-		url
-	};
+	return await authorize(ctx);
 }
-async function postLogin(ctx, opts) {
-	const _query = (await oAuthState.get())?.query;
+async function postLogin(ctx, authorize) {
+	const state = await oAuthState.get();
+	const _query = state?.query;
 	if (!_query) throw new APIError("BAD_REQUEST", {
 		error_description: "missing oauth query",
 		error: "invalid_request"
@@ -173,51 +155,11 @@ async function postLogin(ctx, opts) {
 	const query = new URLSearchParams(_query);
 	ctx.headers?.set("accept", "application/json");
 	ctx.query = searchParamsToQuery(query);
-	const { url } = await authorizeEndpoint(ctx, opts, { postLogin: true });
-	return {
-		redirect: true,
-		url
-	};
+	const session = await getSessionFromCtx(ctx);
+	return await authorize(ctx, { postLogin: state?.postLoginClearedForSession !== void 0 && state.postLoginClearedForSession === session?.session.id });
 }
 //#endregion
 //#region src/types/zod.ts
-/**
-* Runtime schema for OAuthAuthorizationQuery.
-* Uses passthrough to tolerate fields added by future extensions (PAR, FPA, etc.)
-*/
-const oauthAuthorizationQuerySchema = z.object({
-	response_type: z.literal("code").optional(),
-	request_uri: z.string().optional(),
-	redirect_uri: z.string(),
-	scope: z.string().optional(),
-	state: z.string().optional(),
-	client_id: z.string(),
-	prompt: z.string().optional(),
-	display: z.string().optional(),
-	ui_locales: z.string().optional(),
-	max_age: z.coerce.number().optional(),
-	acr_values: z.string().optional(),
-	login_hint: z.string().optional(),
-	id_token_hint: z.string().optional(),
-	code_challenge: z.string().optional(),
-	code_challenge_method: z.literal("S256").optional(),
-	nonce: z.string().optional(),
-	resource: z.union([z.string(), z.array(z.string())]).optional()
-}).passthrough();
-/**
-* Runtime schema for the authorization code verification value.
-* Validates structure on deserialization from the JSON blob stored in the DB.
-* Uses passthrough so future fields (e.g. from authorization challenge) don't break parsing.
-*/
-const verificationValueSchema = z.object({
-	type: z.literal("authorization_code"),
-	query: oauthAuthorizationQuerySchema,
-	sessionId: z.string(),
-	userId: z.string(),
-	referenceId: z.string().optional(),
-	authTime: z.number().optional(),
-	resource: z.array(z.string()).optional()
-}).passthrough();
 const DANGEROUS_SCHEMES = [
 	"javascript:",
 	"data:",
@@ -251,6 +193,88 @@ const ResourceUriSchema = z.string().superRefine((val, ctx) => {
 		message: "resource cannot use javascript:, data:, or vbscript: scheme"
 	});
 });
+const authorizationPromptTokenSchema = z.enum([
+	"none",
+	"consent",
+	"login",
+	"create",
+	"select_account"
+]);
+const authorizationPromptSchema = z.string().superRefine((value, ctx) => {
+	const promptTokens = value.split(" ").map((token) => token.trim()).filter(Boolean);
+	const promptSet = /* @__PURE__ */ new Set();
+	if (!promptTokens.length) {
+		ctx.addIssue({
+			code: "custom",
+			message: "prompt must include at least one value"
+		});
+		return;
+	}
+	for (const token of promptTokens) {
+		const result = authorizationPromptTokenSchema.safeParse(token);
+		if (!result.success) {
+			ctx.addIssue({
+				code: "custom",
+				message: `unsupported prompt value: ${token}`
+			});
+			continue;
+		}
+		promptSet.add(result.data);
+	}
+	if (promptSet.has("none") && promptSet.size > 1) ctx.addIssue({
+		code: "custom",
+		message: "prompt=none cannot be combined with other prompt values"
+	});
+});
+const maxAgeSchema = z.union([z.number(), z.string().trim().min(1)]).transform((value, ctx) => {
+	const maxAge = typeof value === "number" ? value : Number(value);
+	if (!Number.isInteger(maxAge) || maxAge < 0) {
+		ctx.addIssue({
+			code: "custom",
+			message: "max_age must be a non-negative integer"
+		});
+		return z.NEVER;
+	}
+	return maxAge;
+});
+/**
+* Runtime schema for OAuthAuthorizationQuery.
+* Uses passthrough to tolerate fields added by future extensions (PAR, FPA, etc.)
+*/
+const authorizationQuerySchema = z.object({
+	response_type: z.string().pipe(z.enum(["code"])).optional(),
+	request_uri: z.string().optional(),
+	redirect_uri: SafeUrlSchema.optional(),
+	scope: z.string().optional(),
+	state: z.string().optional(),
+	client_id: z.string(),
+	prompt: authorizationPromptSchema.optional(),
+	display: z.string().optional(),
+	ui_locales: z.string().optional(),
+	max_age: maxAgeSchema.optional(),
+	acr_values: z.string().optional(),
+	login_hint: z.string().optional(),
+	id_token_hint: z.string().optional(),
+	code_challenge: z.string().optional(),
+	code_challenge_method: z.string().pipe(z.enum(["S256"])).optional(),
+	nonce: z.string().optional(),
+	resource: z.union([ResourceUriSchema, z.array(ResourceUriSchema).min(1)]).optional()
+}).passthrough();
+const storedAuthorizationQuerySchema = authorizationQuerySchema.extend({ redirect_uri: SafeUrlSchema });
+/**
+* Runtime schema for the authorization code verification value.
+* Validates structure on deserialization from the JSON blob stored in the DB.
+* Uses passthrough so future fields (e.g. from authorization challenge) don't break parsing.
+*/
+const verificationValueSchema = z.object({
+	type: z.literal("authorization_code"),
+	query: storedAuthorizationQuerySchema,
+	sessionId: z.string(),
+	userId: z.string(),
+	referenceId: z.string().optional(),
+	authTime: z.number().optional(),
+	resource: z.array(z.string()).optional()
+}).passthrough();
 //#endregion
 //#region src/userinfo.ts
 /**
@@ -287,6 +311,10 @@ async function userInfoEndpoint(ctx, opts) {
 		error: "invalid_request"
 	});
 	const jwt = await validateAccessToken(ctx, opts, token);
+	if (!jwt.active) throw new APIError("UNAUTHORIZED", {
+		error_description: "the access token is invalid or has been revoked",
+		error: "invalid_token"
+	});
 	const scopes = jwt.scope?.split(" ");
 	if (!scopes?.includes("openid")) throw new APIError("BAD_REQUEST", {
 		error_description: "Missing required scope",
@@ -396,6 +424,7 @@ async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId,
 	const resolvedKey = !opts.disableJwtPlugin && !jwtPluginOptions?.jwt?.sign ? await resolveSigningKey(ctx, jwtPluginOptions) : void 0;
 	const signingAlg = opts.disableJwtPlugin ? "HS256" : resolvedKey?.alg ?? jwtPluginOptions?.jwks?.keyPairConfig?.alg;
 	const atHash = accessToken ? await computeOidcHash(accessToken, signingAlg) : void 0;
+	const emitSid = Boolean(client.enableEndSession || client.backchannelLogoutUri);
 	const payload = {
 		...userClaims,
 		auth_time: authTimeSec,
@@ -408,7 +437,7 @@ async function createIdToken(ctx, opts, user, client, scopes, nonce, sessionId,
 		nonce,
 		iat,
 		exp,
-		sid: client.enableEndSession ? sessionId : void 0
+		sid: emitSid ? sessionId : void 0
 	};
 	if (opts.disableJwtPlugin && !client.clientSecret) return;
 	const idToken = opts.disableJwtPlugin ? await new SignJWT(payload).setProtectedHeader({ alg: "HS256" }).sign(new TextEncoder().encode(await decryptStoredClientSecret(ctx, opts.storeClientSecret, client.clientSecret))) : await signJWT(ctx, {
@@ -572,7 +601,7 @@ async function createUserTokens(ctx, opts, params) {
 		error: "invalid_target"
 	});
 	const audience = resourceResult.audience;
-	const isRefreshToken = user && (existingRefreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access"));
+	const isRefreshToken = user && clientAllowsGrant(client, "refresh_token") && (existingRefreshToken?.scopes?.includes("offline_access") || scopes.includes("offline_access"));
 	const isJwtAccessToken = audience && !opts.disableJwtPlugin;
 	const isIdToken = user && scopes.includes("openid");
 	const customFields = opts.customTokenResponseFields ? await opts.customTokenResponseFields({
@@ -695,7 +724,7 @@ async function handleAuthorizationCodeGrant(ctx, opts) {
 		error: "invalid_scope"
 	});
 	/** Verify Client */
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, scopes, preVerifiedClient);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, scopes, preVerifiedClient, "authorization_code");
 	if (isPKCERequired(client, (verificationValue.query?.scope)?.split(" ") || [])) {
 		if (!isAuthCodeWithPkce) throw new APIError("BAD_REQUEST", {
 			error_description: "PKCE is required for this client",
@@ -776,7 +805,7 @@ async function handleClientCredentialsGrant(ctx, opts) {
 		error_description: "Missing a required client_secret",
 		error: "invalid_grant"
 	});
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, preVerifiedClient);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, void 0, preVerifiedClient, "client_credentials");
 	let requestedScopes = scope?.split(" ");
 	if (requestedScopes) {
 		const validScopes = new Set(client.scopes ?? opts.scopes);
@@ -860,7 +889,7 @@ async function handleRefreshTokenGrant(ctx, opts) {
 			error: "invalid_scope"
 		});
 	}
-	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, requestedScopes ?? scopes, preVerifiedClient);
+	const client = await validateClientCredentials(ctx, opts, client_id, client_secret, requestedScopes ?? scopes, preVerifiedClient, "refresh_token");
 	const user = await ctx.context.internalAdapter.findUserById(refreshToken.userId);
 	if (!user) throw new APIError("BAD_REQUEST", {
 		error_description: "user not found",
@@ -919,12 +948,10 @@ async function validateJwtAccessToken(ctx, opts, token, clientId) {
 		}
 		throw new Error(error);
 	}
-	let client;
-	if (jwtPayload.azp) {
-		client = await getClient(ctx, opts, jwtPayload.azp);
-		if (!client || client?.disabled) return { active: false };
-		if (clientId && jwtPayload.azp !== clientId) return { active: false };
-	}
+	if (!jwtPayload.azp) return { active: false };
+	const client = await getClient(ctx, opts, jwtPayload.azp);
+	if (!client || client?.disabled) return { active: false };
+	if (clientId && jwtPayload.azp !== clientId) return { active: false };
 	const sessionId = jwtPayload.sid;
 	if (sessionId) {
 		const session = await ctx.context.adapter.findOne({
@@ -934,9 +961,9 @@ async function validateJwtAccessToken(ctx, opts, token, clientId) {
 				value: sessionId
 			}]
 		});
-		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) jwtPayload.sid = void 0;
+		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) return { active: false };
 	}
-	if (jwtPayload.azp) jwtPayload.client_id = jwtPayload.azp;
+	jwtPayload.client_id = jwtPayload.azp;
 	jwtPayload.active = true;
 	return jwtPayload;
 }
@@ -964,13 +991,14 @@ async function validateOpaqueAccessToken(ctx, opts, token, clientId) {
 		error: "invalid_token"
 	});
 	if (!accessToken.expiresAt || accessToken.expiresAt < /* @__PURE__ */ new Date()) return { active: false };
+	if (accessToken.revoked) return { active: false };
 	let client;
 	if (accessToken.clientId) {
 		client = await getClient(ctx, opts, accessToken.clientId);
 		if (!client || client?.disabled) return { active: false };
 		if (clientId && accessToken.clientId !== clientId) return { active: false };
 	}
-	let sessionId = accessToken.sessionId ?? void 0;
+	const sessionId = accessToken.sessionId ?? void 0;
 	if (sessionId) {
 		const session = await ctx.context.adapter.findOne({
 			model: "session",
@@ -979,7 +1007,7 @@ async function validateOpaqueAccessToken(ctx, opts, token, clientId) {
 				value: sessionId
 			}]
 		});
-		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) sessionId = void 0;
+		if (!session || session.expiresAt < /* @__PURE__ */ new Date()) return { active: false };
 	}
 	let user;
 	if (accessToken.userId) user = await ctx.context.internalAdapter.findUserById(accessToken?.userId);
@@ -1145,9 +1173,173 @@ async function introspectEndpoint(ctx, opts) {
 }
 //#endregion
 //#region src/logout.ts
+const BACKCHANNEL_LOGOUT_EVENT_URI = "http://schemas.openid.net/event/backchannel-logout";
+const LOGOUT_TOKEN_JWT_TYP = "logout+jwt";
+const LOGOUT_TOKEN_LIFETIME_SECONDS = 120;
+const BACKCHANNEL_DISPATCH_TIMEOUT_MS = 5e3;
 /**
-* IMPORTANT NOTES:
-* Follows OIDC RP-Initiated Logout
+* Signs a Back-Channel Logout Token per OIDC Back-Channel Logout 1.0 §2.4.
+*
+* The token reuses the ID Token signing key so any RP that validates ID Tokens
+* from this OP can validate Logout Tokens without extra configuration. The
+* caller resolves that key once and passes it in so a fan-out to many RPs does
+* not re-read it per target.
+*
+* §2.4 mandates `iss`, `aud`, `iat`, `exp`, `jti`, `events`, and at least one
+* of `sub` / `sid` (we send both). A `nonce` claim MUST NOT be present, and
+* `alg: none` is forbidden (§2.6).
+*/
+async function signLogoutToken(ctx, options, resolvedKey, claims) {
+	return signJWT(ctx, {
+		options,
+		payload: {
+			...claims,
+			events: { [BACKCHANNEL_LOGOUT_EVENT_URI]: {} }
+		},
+		header: { typ: LOGOUT_TOKEN_JWT_TYP },
+		resolvedKey: resolvedKey ?? void 0
+	});
+}
+/**
+* Synchronous phase: enumerate tokens for the session being terminated, revoke
+* them, and return a plan for the asynchronous delivery phase. Runs inline in
+* the `session.delete.before` hook so the DB state is consistent before the
+* session row disappears.
+*
+* Revocation is the stored backstop, not the primary enforcement: introspection
+* and `/userinfo` already treat a token whose session has ended as inactive
+* (see `validateOpaqueAccessToken` / `validateJwtAccessToken`), so a missed
+* `revoked` write cannot keep a session-bound token alive on its own. Access
+* tokens bound to the session are revoked as OP hardening. Refresh tokens
+* follow OIDC Back-Channel Logout 1.0 §2.7: those without `offline_access` are
+* revoked; `offline_access` refresh tokens survive so long-lived API access can
+* outlive the browser session.
+*
+* Revocation runs regardless of the JWT plugin (refresh-token revocation has no
+* dependency on signing). Only the Logout Token delivery plan needs the JWT
+* plugin, so when it is disabled we still revoke but never build a plan.
+*
+* Returns `null` when there is nothing to do, so the caller can skip the
+* background handoff entirely.
+*/
+async function revokeAndPlanBackchannelLogout(ctx, opts, input) {
+	const { sessionId, userId } = input;
+	if (!userId) return null;
+	const logger = ctx.context.logger;
+	try {
+		const where = [{
+			field: "sessionId",
+			value: sessionId
+		}];
+		const [accessTokens, refreshTokens] = await Promise.all([ctx.context.adapter.findMany({
+			model: "oauthAccessToken",
+			where
+		}), ctx.context.adapter.findMany({
+			model: "oauthRefreshToken",
+			where
+		})]);
+		const affectedClientIds = /* @__PURE__ */ new Set();
+		for (const t of accessTokens) affectedClientIds.add(t.clientId);
+		for (const t of refreshTokens) affectedClientIds.add(t.clientId);
+		if (affectedClientIds.size === 0) return null;
+		const clients = await ctx.context.adapter.findMany({
+			model: "oauthClient",
+			where: [{
+				field: "clientId",
+				operator: "in",
+				value: Array.from(affectedClientIds)
+			}]
+		});
+		const revokedAt = /* @__PURE__ */ new Date();
+		const accessToRevokeIds = accessTokens.filter((t) => !t.revoked).map((t) => t.id);
+		const refreshToRevokeIds = refreshTokens.filter((t) => !t.revoked && !t.scopes?.includes("offline_access")).map((t) => t.id);
+		const revocations = await Promise.allSettled([accessToRevokeIds.length > 0 ? ctx.context.adapter.updateMany({
+			model: "oauthAccessToken",
+			where: [{
+				field: "id",
+				operator: "in",
+				value: accessToRevokeIds
+			}],
+			update: { revoked: revokedAt }
+		}) : Promise.resolve(), refreshToRevokeIds.length > 0 ? ctx.context.adapter.updateMany({
+			model: "oauthRefreshToken",
+			where: [{
+				field: "id",
+				operator: "in",
+				value: refreshToRevokeIds
+			}],
+			update: { revoked: revokedAt }
+		}) : Promise.resolve()]);
+		for (const result of revocations) if (result.status === "rejected") logger.error("back-channel logout: token revocation update failed", result.reason);
+		const eligibleClients = opts.disableJwtPlugin ? [] : clients.filter((c) => Boolean(c.backchannelLogoutUri) && !c.disabled);
+		if (eligibleClients.length === 0) return null;
+		return {
+			sessionId,
+			targets: await Promise.all(eligibleClients.map(async (client) => ({
+				client,
+				sub: await resolveSubjectIdentifier(userId, client, opts)
+			})))
+		};
+	} catch (error) {
+		logger.error("back-channel logout revocation failed", error);
+		return null;
+	}
+}
+/**
+* Asynchronous phase: sign one Logout Token per target client and POST it to
+* the registered `backchannel_logout_uri`. The caller hands this to
+* `runInBackgroundOrAwait`, so when a background handler is configured (Vercel
+* `waitUntil`, Cloudflare `ctx.waitUntil`) it runs after the response; without
+* one it completes inline so delivery is not lost on request teardown.
+*
+* Spec §2.5: "the OP SHOULD NOT retransmit", so each RP gets a single attempt
+* within `BACKCHANNEL_DISPATCH_TIMEOUT_MS`. Every per-client failure (fetch
+* error, non-2xx response, signing error, subject resolution error) is
+* logged; none of them can reject the outer promise.
+*/
+async function deliverBackchannelLogoutTokens(ctx, plan) {
+	const logger = ctx.context.logger;
+	const jwtPluginOptions = getJwtPlugin(ctx.context)?.options;
+	const iss = jwtPluginOptions?.jwt?.issuer ?? ctx.context.baseURL;
+	const iat = Math.floor(Date.now() / 1e3);
+	const exp = iat + LOGOUT_TOKEN_LIFETIME_SECONDS;
+	const resolvedKey = jwtPluginOptions?.jwt?.sign ? null : await resolveSigningKey(ctx, jwtPluginOptions);
+	await Promise.allSettled(plan.targets.map(async ({ client, sub }) => {
+		try {
+			const jti = generateRandomString(32, "a-z", "A-Z", "0-9");
+			const token = await signLogoutToken(ctx, jwtPluginOptions, resolvedKey, {
+				iss,
+				aud: client.clientId,
+				sub,
+				sid: plan.sessionId,
+				iat,
+				exp,
+				jti
+			});
+			const response = await fetch(client.backchannelLogoutUri, {
+				method: "POST",
+				headers: {
+					"Content-Type": "application/x-www-form-urlencoded",
+					Accept: "application/json"
+				},
+				body: new URLSearchParams({ logout_token: token }),
+				signal: AbortSignal.timeout(BACKCHANNEL_DISPATCH_TIMEOUT_MS),
+				redirect: "error"
+			});
+			if (response.status !== 200 && response.status !== 204) logger.warn(`back-channel logout to client ${client.clientId} returned ${response.status}`);
+		} catch (error) {
+			logger.warn(`back-channel logout to client ${client.clientId} failed`, error);
+		}
+	}));
+}
+/**
+* RP-Initiated Logout (OIDC RP-Initiated Logout 1.0). The RP presents a signed
+* `id_token_hint`; after verification, the OP terminates the matching session
+* and optionally redirects to `post_logout_redirect_uri`.
+*
+* Session termination goes through `internalAdapter.deleteSession`, which fires
+* `session.delete.before` so the hook drives revocation and back-channel
+* notifications to every RP with tokens on the session.
 *
 * @see https://openid.net/specs/openid-connect-rpinitiated-1_0.html
 */
@@ -1195,12 +1387,10 @@ async function rpInitiatedLogoutEndpoint(ctx, opts) {
 		});
 		const secret = await decryptStoredClientSecret(ctx, opts.storeClientSecret, clientSecret);
 		const { payload } = await compactVerify(id_token_hint, new TextEncoder().encode(secret));
-		const idToken = new TextDecoder().decode(payload);
-		idTokenPayload = JSON.parse(idToken);
+		idTokenPayload = JSON.parse(new TextDecoder().decode(payload));
 	} else {
 		const { payload } = await compactVerify(id_token_hint, createLocalJWKSet(await getJwks(id_token_hint, { jwksFetch: jwksUrl })));
-		const idToken = new TextDecoder().decode(payload);
-		idTokenPayload = JSON.parse(idToken);
+		idTokenPayload = JSON.parse(new TextDecoder().decode(payload));
 	}
 	if (!idTokenPayload) throw new APIError$1("INTERNAL_SERVER_ERROR", {
 		error_description: "missing payload",
@@ -1232,18 +1422,13 @@ async function rpInitiatedLogoutEndpoint(ctx, opts) {
 				value: sessionId
 			}]
 		});
-		session?.token ? await ctx.context.internalAdapter.deleteSession(session?.token) : session?.id ? await ctx.context.adapter.delete({
+		if (session?.token) await ctx.context.internalAdapter.deleteSession(session.token);
+		else if (session) await ctx.context.adapter.delete({
 			model: "session",
 			where: [{
 				field: "id",
 				value: session.id
 			}]
-		}) : await ctx.context.adapter.delete({
-			model: "session",
-			where: [{
-				field: "id",
-				value: sessionId
-			}]
 		});
 	} catch {}
 	if (post_logout_redirect_uri) {
@@ -1518,6 +1703,38 @@ async function checkOAuthClient(client, opts, settings) {
 		error: "invalid_client_metadata",
 		error_description: "jwks and jwks_uri are only allowed with private_key_jwt authentication"
 	});
+	if (client.backchannel_logout_uri !== void 0) {
+		if (opts.disableJwtPlugin) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "backchannel_logout_uri requires the jwt plugin (disableJwtPlugin must be false)"
+		});
+		let url;
+		try {
+			url = new URL(client.backchannel_logout_uri);
+		} catch {
+			throw new APIError("BAD_REQUEST", {
+				error: "invalid_client_metadata",
+				error_description: "backchannel_logout_uri must be an absolute URL"
+			});
+		}
+		if (url.protocol !== "https:" && url.protocol !== "http:") throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "backchannel_logout_uri must use http or https"
+		});
+		if (client.backchannel_logout_uri.includes("#")) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "backchannel_logout_uri must not include a fragment component"
+		});
+		const loopback = isLoopbackHost(url.hostname);
+		if (!isPublic && url.protocol !== "https:" && !loopback) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "backchannel_logout_uri must use https for confidential clients"
+		});
+		if (isPrivateHostname(url.hostname) && !loopback) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "backchannel_logout_uri must not point to a private or reserved address"
+		});
+	}
 }
 async function createOAuthClientEndpoint(ctx, opts, settings) {
 	const body = ctx.body;
@@ -1576,7 +1793,7 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 * @returns
 */
 function oauthToSchema(input) {
-	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: inputJwks, jwks_uri: jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, require_pkce: requirePKCE, subject_type: subjectType, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
+	const { client_id: clientId, client_secret: clientSecret, client_secret_expires_at: _expiresAt, scope: _scope, user_id: userId, client_id_issued_at: _createdAt, client_name: name, client_uri: uri, logo_uri: icon, contacts, tos_uri: tos, policy_uri: policy, jwks: inputJwks, jwks_uri: jwksUri, software_id: softwareId, software_version: softwareVersion, software_statement: softwareStatement, redirect_uris: redirectUris, post_logout_redirect_uris: postLogoutRedirectUris, backchannel_logout_uri: backchannelLogoutUri, backchannel_logout_session_required: backchannelLogoutSessionRequired, token_endpoint_auth_method: tokenEndpointAuthMethod, grant_types: grantTypes, response_types: responseTypes, public: _public, type, disabled, skip_consent: skipConsent, enable_end_session: enableEndSession, require_pkce: requirePKCE, subject_type: subjectType, reference_id: referenceId, metadata: inputMetadata, ...rest } = input;
 	const expiresAt = _expiresAt ? /* @__PURE__ */ new Date(_expiresAt * 1e3) : void 0;
 	const createdAt = _createdAt ? /* @__PURE__ */ new Date(_createdAt * 1e3) : void 0;
 	const scopes = _scope?.split(" ");
@@ -1604,6 +1821,8 @@ function oauthToSchema(input) {
 		softwareStatement,
 		redirectUris,
 		postLogoutRedirectUris,
+		backchannelLogoutUri,
+		backchannelLogoutSessionRequired,
 		tokenEndpointAuthMethod,
 		grantTypes,
 		responseTypes,
@@ -1626,7 +1845,7 @@ function oauthToSchema(input) {
 * @returns
 */
 function schemaToOAuth(input) {
-	const { clientId, clientSecret, disabled, scopes, userId, createdAt, updatedAt: _updatedAt, expiresAt, name, uri, icon, contacts, tos, policy, softwareId, softwareVersion, softwareStatement, redirectUris, postLogoutRedirectUris, tokenEndpointAuthMethod, grantTypes, responseTypes, public: _public, type, jwks, jwksUri, skipConsent, enableEndSession, requirePKCE, subjectType, referenceId, metadata } = input;
+	const { clientId, clientSecret, disabled, scopes, userId, createdAt, updatedAt: _updatedAt, expiresAt, name, uri, icon, contacts, tos, policy, softwareId, softwareVersion, softwareStatement, redirectUris, postLogoutRedirectUris, backchannelLogoutUri, backchannelLogoutSessionRequired, tokenEndpointAuthMethod, grantTypes, responseTypes, public: _public, type, jwks, jwksUri, skipConsent, enableEndSession, requirePKCE, subjectType, referenceId, metadata } = input;
 	const _expiresAt = expiresAt ? Math.round(new Date(expiresAt).getTime() / 1e3) : void 0;
 	const _createdAt = createdAt ? Math.round(new Date(createdAt).getTime() / 1e3) : void 0;
 	const _scopes = scopes?.join(" ");
@@ -1651,6 +1870,8 @@ function schemaToOAuth(input) {
 		software_statement: softwareStatement ?? void 0,
 		redirect_uris: redirectUris ?? [],
 		post_logout_redirect_uris: postLogoutRedirectUris ?? void 0,
+		backchannel_logout_uri: backchannelLogoutUri ?? void 0,
+		backchannel_logout_session_required: backchannelLogoutSessionRequired ?? void 0,
 		token_endpoint_auth_method: tokenEndpointAuthMethod ?? void 0,
 		grant_types: grantTypes ?? void 0,
 		response_types: responseTypes ?? void 0,
@@ -1887,6 +2108,8 @@ const adminCreateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/creat
 		software_version: z.string().optional(),
 		software_statement: z.string().optional(),
 		post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+		backchannel_logout_uri: SafeUrlSchema.optional(),
+		backchannel_logout_session_required: z.boolean().optional(),
 		token_endpoint_auth_method: z.enum([
 			"none",
 			"client_secret_basic",
@@ -2073,6 +2296,8 @@ const createOAuthClient = (opts) => createAuthEndpoint("/oauth2/create-client",
 		software_version: z.string().optional(),
 		software_statement: z.string().optional(),
 		post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+		backchannel_logout_uri: SafeUrlSchema.optional(),
+		backchannel_logout_session_required: z.boolean().optional(),
 		token_endpoint_auth_method: z.enum([
 			"none",
 			"client_secret_basic",
@@ -2282,6 +2507,8 @@ const adminUpdateOAuthClient = (opts) => createAuthEndpoint("/admin/oauth2/updat
 			software_version: z.string().optional(),
 			software_statement: z.string().optional(),
 			post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+			backchannel_logout_uri: SafeUrlSchema.optional(),
+			backchannel_logout_session_required: z.boolean().optional(),
 			grant_types: z.array(z.enum([
 				"authorization_code",
 				"client_credentials",
@@ -2324,6 +2551,8 @@ const updateOAuthClient = (opts) => createAuthEndpoint("/oauth2/update-client",
 			software_version: z.string().optional(),
 			software_statement: z.string().optional(),
 			post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+			backchannel_logout_uri: SafeUrlSchema.optional(),
+			backchannel_logout_session_required: z.boolean().optional(),
 			grant_types: z.array(z.enum([
 				"authorization_code",
 				"client_credentials",
@@ -2503,7 +2732,14 @@ const deleteOAuthConsent = (opts) => createAuthEndpoint("/oauth2/delete-consent"
 */
 /**
 * Revokes a JWT access token against the configured JWKs.
-* (does nothing if successful since a JWT is not stored on the server)
+*
+* A JWT access token is self-contained and never stored, so there is nothing to
+* delete. Once the token is confirmed to be a valid JWT for this server, the
+* endpoint reports `unsupported_token_type` (RFC 7009 §2.2.1) instead of a
+* silent success, so callers can tell that no server-side revocation happened.
+* An expired or wrong-audience JWT is already inactive and still resolves as a
+* successful no-op. Session-bound tokens (carrying `sid`) are cut off early by
+* the session-liveness check in introspection and userinfo.
 */
 async function revokeJwtAccessToken(ctx, opts, token) {
 	const jwtPlugin = opts.disableJwtPlugin ? void 0 : getJwtPlugin(ctx.context);
@@ -2530,6 +2766,10 @@ async function revokeJwtAccessToken(ctx, opts, token) {
 		}
 		throw new Error(error);
 	}
+	throw new APIError$1("BAD_REQUEST", {
+		error_description: "JWT access tokens are self-contained and cannot be revoked server-side",
+		error: "unsupported_token_type"
+	});
 }
 /**
 * Searches for an opaque access token in the database and validates it
@@ -2625,7 +2865,9 @@ async function revokeAccessToken(ctx, opts, clientId, token) {
 	try {
 		return await revokeJwtAccessToken(ctx, opts, token);
 	} catch (err) {
-		if (err instanceof APIError$1) {} else if (err instanceof Error) throw err;
+		if (err instanceof APIError$1) {
+			if (err.body?.error === "unsupported_token_type") throw err;
+		} else if (err instanceof Error) throw err;
 		else throw new Error(err);
 	}
 	try {
@@ -2658,7 +2900,7 @@ async function revokeEndpoint(ctx, opts) {
 			return await revokeAccessToken(ctx, opts, client.clientId, token);
 		} catch (error) {
 			if (error instanceof APIError$1) {
-				if (token_type_hint === "access_token") throw error;
+				if (token_type_hint === "access_token" || error.body?.error === "unsupported_token_type") throw error;
 			} else if (error instanceof Error) throw error;
 			else throw new Error(error);
 		}
@@ -2676,6 +2918,7 @@ async function revokeEndpoint(ctx, opts) {
 		});
 	} catch (error) {
 		if (error instanceof APIError$1) {
+			if (error.body?.error === "unsupported_token_type") throw error;
 			if (error.name === "BAD_REQUEST") return null;
 			throw error;
 		} else if (error instanceof Error) {
@@ -2784,6 +3027,14 @@ const schema = {
 				type: "string[]",
 				required: false
 			},
+			backchannelLogoutUri: {
+				type: "string",
+				required: false
+			},
+			backchannelLogoutSessionRequired: {
+				type: "boolean",
+				required: false
+			},
 			tokenEndpointAuthMethod: {
 				type: "string",
 				required: false
@@ -2937,6 +3188,10 @@ const schema = {
 			},
 			expiresAt: { type: "date" },
 			createdAt: { type: "date" },
+			revoked: {
+				type: "date",
+				required: false
+			},
 			scopes: {
 				type: "string[]",
 				required: true
@@ -2979,12 +3234,25 @@ const schema = {
 			createdAt: { type: "date" },
 			updatedAt: { type: "date" }
 		}
+	},
+	oauthClientAssertion: {
+		modelName: "oauthClientAssertion",
+		fields: { expiresAt: {
+			type: "date",
+			required: true
+		} }
 	}
 };
 //#endregion
 //#region src/oauth.ts
 const oAuthState = defineRequestState(() => null);
 const getOAuthProviderState = oAuthState.get;
+const signedQueryIssuedAtMsKey = "signedQueryIssuedAtMs";
+function getServerContextSignedQueryIssuedAt(value) {
+	const issuedAtMs = typeof value === "number" ? value : typeof value === "string" ? Number(value) : void 0;
+	if (!issuedAtMs || !Number.isFinite(issuedAtMs) || issuedAtMs <= 0) return;
+	return new Date(issuedAtMs);
+}
 /**
 * oAuth 2.1 provider plugin for Better Auth.
 *
@@ -3093,6 +3361,146 @@ const oauthProvider = (options) => {
 		}
 		if (isOpenIdConfigRequest) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
 	};
+	const oauth2AuthorizeEndpoint = createOAuthEndpoint("/oauth2/authorize", {
+		method: "GET",
+		query: authorizationQuerySchema,
+		redirectOnError: authorizeRedirectOnError(opts),
+		errorCodesByField: {
+			response_type: { invalid: "unsupported_response_type" },
+			resource: { invalid: "invalid_target" }
+		},
+		metadata: { openapi: {
+			description: "Authorize an OAuth2 request",
+			parameters: [
+				{
+					name: "response_type",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 response type (e.g., 'code')"
+				},
+				{
+					name: "client_id",
+					in: "query",
+					required: true,
+					schema: { type: "string" },
+					description: "OAuth2 client ID"
+				},
+				{
+					name: "redirect_uri",
+					in: "query",
+					required: false,
+					schema: {
+						type: "string",
+						format: "uri"
+					},
+					description: "OAuth2 redirect URI"
+				},
+				{
+					name: "scope",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 scopes (space-separated)"
+				},
+				{
+					name: "state",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 state parameter"
+				},
+				{
+					name: "request_uri",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "Pushed Authorization Request URI referencing stored parameters"
+				},
+				{
+					name: "code_challenge",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "PKCE code challenge"
+				},
+				{
+					name: "code_challenge_method",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "PKCE code challenge method"
+				},
+				{
+					name: "nonce",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OpenID Connect nonce"
+				},
+				{
+					name: "max_age",
+					in: "query",
+					required: false,
+					schema: {
+						type: "integer",
+						minimum: 0
+					},
+					description: "Maximum authentication age in seconds; forces re-authentication when exceeded"
+				},
+				{
+					name: "resource",
+					in: "query",
+					required: false,
+					schema: {
+						type: "array",
+						items: { type: "string" }
+					},
+					description: "Requested token resource(s) (ie audience) to obtain a JWT formatted access token. May be supplied multiple times as repeated 'resource' query parameters (RFC 8707) or as an array of strings."
+				},
+				{
+					name: "prompt",
+					in: "query",
+					required: false,
+					schema: { type: "string" },
+					description: "OAuth2 prompt parameter"
+				}
+			],
+			responses: {
+				"302": {
+					description: "Redirect to client with code or error",
+					headers: { Location: {
+						description: "Redirect URI with code or error",
+						schema: {
+							type: "string",
+							format: "uri"
+						}
+					} }
+				},
+				"400": {
+					description: "Invalid request",
+					content: { "application/json": { schema: {
+						type: "object",
+						properties: {
+							error: { type: "string" },
+							error_description: { type: "string" },
+							state: { type: "string" }
+						},
+						required: ["error"]
+					} } }
+				}
+			}
+		} }
+	}, async (ctx) => {
+		return authorizeEndpoint(ctx, opts, ctx.authorizeSettings ?? { isAuthorize: true });
+	});
+	const runOAuth2Authorize = (ctx, settings) => dispatchAuthEndpoint(oauth2AuthorizeEndpoint, {
+		...ctx,
+		asResponse: false,
+		returnHeaders: false,
+		returnStatus: false,
+		authorizeSettings: settings ?? {}
+	});
 	return {
 		id: "oauth-provider",
 		version: PACKAGE_VERSION,
@@ -3108,12 +3516,20 @@ const oauthProvider = (options) => {
 				try {
 					issuerPath = new URL(issuer).pathname;
 				} catch (error) {
-					if (isDynamicBaseURLInit && issuer === "") return;
-					throw error;
+					if (!isDynamicBaseURLInit || issuer !== "") throw error;
 				}
-				if (!opts.silenceWarnings?.oauthAuthServerConfig && !(ctx.options.basePath === "/" && issuerPath === "/")) logger.warn(`Please ensure '/.well-known/oauth-authorization-server${issuerPath === "/" ? "" : issuerPath}' exists. Upon completion, clear with silenceWarnings.oauthAuthServerConfig.`);
-				if (!opts.silenceWarnings?.openidConfig && ctx.options.basePath !== issuerPath && opts.scopes?.includes("openid")) logger.warn(`Please ensure '${issuerPath}${issuerPath.endsWith("/") ? "" : "/"}.well-known/openid-configuration' exists. Upon completion, clear with silenceWarnings.openidConfig.`);
+				if (issuerPath !== void 0 && !opts.silenceWarnings?.oauthAuthServerConfig && !(ctx.options.basePath === "/" && issuerPath === "/")) logger.warn(`Please ensure '/.well-known/oauth-authorization-server${issuerPath === "/" ? "" : issuerPath}' exists. Upon completion, clear with silenceWarnings.oauthAuthServerConfig.`);
+				if (issuerPath !== void 0 && !opts.silenceWarnings?.openidConfig && ctx.options.basePath !== issuerPath && opts.scopes?.includes("openid")) logger.warn(`Please ensure '${issuerPath}${issuerPath.endsWith("/") ? "" : "/"}.well-known/openid-configuration' exists. Upon completion, clear with silenceWarnings.openidConfig.`);
 			}
+			return { options: { databaseHooks: { session: { delete: { async before(session, hookCtx) {
+				if (!hookCtx) return;
+				const plan = await revokeAndPlanBackchannelLogout(hookCtx, opts, {
+					sessionId: session.id,
+					userId: session.userId
+				});
+				if (!plan) return;
+				await hookCtx.context.runInBackgroundOrAwait(deliverBackchannelLogoutTokens(hookCtx, plan));
+			} } } } } };
 		},
 		hooks: {
 			before: [{
@@ -3135,11 +3551,10 @@ const oauthProvider = (options) => {
 						signedQueryIssuedAt: signedQueryIssuedAt ?? void 0,
 						postLoginClearedForSession
 					});
-					if (ctx.path === "/sign-in/social") {
-						if (ctx.body.additionalData?.query) return;
-						if (!ctx.body.additionalData) ctx.body.additionalData = {};
-						ctx.body.additionalData.query = queryParams.toString();
-					}
+					if (ctx.path === "/sign-in/social") await addOAuthServerContext({
+						query: queryParams.toString(),
+						...signedQueryIssuedAt ? { [signedQueryIssuedAtMsKey]: signedQueryIssuedAt.getTime() } : {}
+					});
 				})
 			}],
 			after: [{
@@ -3149,7 +3564,9 @@ const oauthProvider = (options) => {
 				handler: createAuthMiddleware(async (ctx) => {
 					const sessionToken = parseSetCookieHeader(ctx.context.responseHeaders?.get("set-cookie") || "").get(ctx.context.authCookies.sessionToken.name)?.value.split(".")[0];
 					if (!sessionToken) return;
-					const _query = (await oAuthState.get())?.query ?? (await getOAuthState())?.query;
+					const oauthRequest = await oAuthState.get();
+					const serverContext = (await getOAuthState())?.serverContext;
+					const _query = oauthRequest?.query ?? serverContext?.query;
 					if (!_query) return;
 					const query = new URLSearchParams(_query);
 					const session = await ctx.context.internalAdapter.findSession(sessionToken);
@@ -3158,8 +3575,11 @@ const oauthProvider = (options) => {
 					const secFetchMode = ctx.request?.headers?.get("sec-fetch-mode")?.toLowerCase();
 					const acceptHeader = ctx.request?.headers?.get("accept")?.toLowerCase() ?? "";
 					if (!(secFetchMode === "navigate" || !secFetchMode && (acceptHeader.includes("text/html") || acceptHeader.includes("application/xhtml+xml")))) ctx.headers?.set("accept", "application/json");
-					ctx.query = searchParamsToQuery(removePromptFromQuery(query, "login"));
-					return await authorizeEndpoint(ctx, opts);
+					const signedQueryIssuedAt = oauthRequest?.signedQueryIssuedAt ?? getServerContextSignedQueryIssuedAt(serverContext?.[signedQueryIssuedAtMsKey]);
+					let authorizationQuery = removePromptFromQuery(query, "login");
+					if (isSessionFreshForSignedQuery(session.session.createdAt, signedQueryIssuedAt)) authorizationQuery = removeMaxAgeFromQuery(authorizationQuery);
+					ctx.query = searchParamsToQuery(authorizationQuery);
+					return await runOAuth2Authorize(ctx);
 				})
 			}]
 		},
@@ -3187,149 +3607,7 @@ const oauthProvider = (options) => {
 				if (opts.scopes && !opts.scopes.includes("openid")) throw new APIError("NOT_FOUND");
 				return oidcServerMetadata(ctx, opts);
 			}),
-			oauth2Authorize: createOAuthEndpoint("/oauth2/authorize", {
-				method: "GET",
-				query: z.object({
-					response_type: z.string().pipe(z.enum(["code"])).optional(),
-					client_id: z.string(),
-					redirect_uri: SafeUrlSchema.optional(),
-					scope: z.string().optional(),
-					state: z.string().optional(),
-					request_uri: z.string().optional(),
-					code_challenge: z.string().optional(),
-					code_challenge_method: z.string().pipe(z.enum(["S256"])).optional(),
-					nonce: z.string().optional(),
-					resource: z.union([ResourceUriSchema, z.array(ResourceUriSchema).min(1)]).optional(),
-					prompt: z.string().pipe(z.enum([
-						"none",
-						"consent",
-						"login",
-						"create",
-						"select_account",
-						"login consent",
-						"select_account consent"
-					])).optional()
-				}),
-				redirectOnError: authorizeRedirectOnError(opts),
-				errorCodesByField: {
-					response_type: { invalid: "unsupported_response_type" },
-					resource: { invalid: "invalid_target" }
-				},
-				metadata: { openapi: {
-					description: "Authorize an OAuth2 request",
-					parameters: [
-						{
-							name: "response_type",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 response type (e.g., 'code')"
-						},
-						{
-							name: "client_id",
-							in: "query",
-							required: true,
-							schema: { type: "string" },
-							description: "OAuth2 client ID"
-						},
-						{
-							name: "redirect_uri",
-							in: "query",
-							required: false,
-							schema: {
-								type: "string",
-								format: "uri"
-							},
-							description: "OAuth2 redirect URI"
-						},
-						{
-							name: "scope",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 scopes (space-separated)"
-						},
-						{
-							name: "state",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 state parameter"
-						},
-						{
-							name: "request_uri",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "Pushed Authorization Request URI referencing stored parameters"
-						},
-						{
-							name: "code_challenge",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "PKCE code challenge"
-						},
-						{
-							name: "code_challenge_method",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "PKCE code challenge method"
-						},
-						{
-							name: "nonce",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OpenID Connect nonce"
-						},
-						{
-							name: "resource",
-							in: "query",
-							required: false,
-							schema: {
-								type: "array",
-								items: { type: "string" }
-							},
-							description: "Requested token resource(s) (ie audience) to obtain a JWT formatted access token. May be supplied multiple times as repeated 'resource' query parameters (RFC 8707) or as an array of strings."
-						},
-						{
-							name: "prompt",
-							in: "query",
-							required: false,
-							schema: { type: "string" },
-							description: "OAuth2 prompt parameter"
-						}
-					],
-					responses: {
-						"302": {
-							description: "Redirect to client with code or error",
-							headers: { Location: {
-								description: "Redirect URI with code or error",
-								schema: {
-									type: "string",
-									format: "uri"
-								}
-							} }
-						},
-						"400": {
-							description: "Invalid request",
-							content: { "application/json": { schema: {
-								type: "object",
-								properties: {
-									error: { type: "string" },
-									error_description: { type: "string" },
-									state: { type: "string" }
-								},
-								required: ["error"]
-							} } }
-						}
-					}
-				} }
-			}, async (ctx) => {
-				return authorizeEndpoint(ctx, opts, { isAuthorize: true });
-			}),
+			oauth2Authorize: oauth2AuthorizeEndpoint,
 			oauth2Consent: createAuthEndpoint("/oauth2/consent", {
 				method: "POST",
 				body: z.object({
@@ -3354,7 +3632,7 @@ const oauthProvider = (options) => {
 					} }
 				} }
 			}, async (ctx) => {
-				return consentEndpoint(ctx, opts);
+				return consentEndpoint(ctx, opts, runOAuth2Authorize);
 			}),
 			oauth2Continue: createAuthEndpoint("/oauth2/continue", {
 				method: "POST",
@@ -3381,7 +3659,7 @@ const oauthProvider = (options) => {
 					} }
 				} }
 			}, async (ctx) => {
-				return continueEndpoint(ctx, opts);
+				return continueEndpoint(ctx, runOAuth2Authorize);
 			}),
 			oauth2Token: createOAuthEndpoint("/oauth2/token", {
 				method: "POST",
@@ -3709,7 +3987,7 @@ const oauthProvider = (options) => {
 				return revokeEndpoint(ctx, opts);
 			}),
 			oauth2UserInfo: createAuthEndpoint("/oauth2/userinfo", {
-				method: "GET",
+				method: ["GET", "POST"],
 				metadata: { openapi: {
 					description: "Get OpenID Connect user information (UserInfo endpoint)",
 					security: [{ bearerAuth: [] }, { OAuth2: [
@@ -3843,6 +4121,8 @@ const oauthProvider = (options) => {
 					software_version: z.string().optional(),
 					software_statement: z.string().optional(),
 					post_logout_redirect_uris: z.array(SafeUrlSchema).min(1).optional(),
+					backchannel_logout_uri: SafeUrlSchema.optional(),
+					backchannel_logout_session_required: z.boolean().optional(),
 					token_endpoint_auth_method: z.enum([
 						"none",
 						"client_secret_basic",
@@ -3955,6 +4235,15 @@ const oauthProvider = (options) => {
 									},
 									description: "List of allowed logout redirect uris"
 								},
+								backchannel_logout_uri: {
+									type: "string",
+									format: "uri",
+									description: "RP URL to receive signed Logout Tokens when the end-user's OP session terminates"
+								},
+								backchannel_logout_session_required: {
+									type: "boolean",
+									description: "Whether the RP requires a `sid` claim in every Logout Token"
+								},
 								token_endpoint_auth_method: {
 									type: "string",
 									description: "Requested authentication method for the token endpoint",
@@ -4063,6 +4352,19 @@ const oauthProvider = (options) => {
 //#endregion
 //#region src/authorize.ts
 /**
+* Whether a past authentication is still fresh enough for an OIDC `max_age`
+* request: true when no more than `maxAge` seconds have elapsed since the user
+* last authenticated. The caller supplies `now`, keeping this pure.
+*/
+function isWithinMaxAge(sessionCreatedAt, maxAgeSeconds, now) {
+	if (maxAgeSeconds === 0) return false;
+	return now.getTime() - sessionCreatedAt.getTime() <= maxAgeSeconds * 1e3;
+}
+function removeMaxAgeFromAuthorizationQuery(query) {
+	const { max_age: _maxAge, ...queryWithoutMaxAge } = query;
+	return queryWithoutMaxAge;
+}
+/**
 * Formats an error url. Per OIDC Core 1.0 §5 / RFC 6749 §4.2.2.1, errors on
 * implicit and hybrid flows are delivered in the URL fragment, not the query.
 * Callers on the code flow (default) omit `mode` and get query delivery.
@@ -4209,6 +4511,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		error_description: "request not found",
 		error: "invalid_request"
 	});
+	const request = ctx.request;
 	let query = ctx.query;
 	if (query.request_uri) {
 		if (!opts.requestUriResolver) return handleRedirect(ctx, getErrorURL(ctx, "invalid_request_uri", "request_uri not supported"));
@@ -4223,6 +4526,14 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		if (urlClientId) query.client_id = urlClientId;
 	}
 	ctx.query = query;
+	const parsedQuery = authorizationQuerySchema.safeParse(query);
+	if (!parsedQuery.success) return authorizeRedirectOnError(opts)({
+		error: "invalid_request",
+		error_description: "invalid authorization request",
+		ctx
+	});
+	query = parsedQuery.data;
+	ctx.query = query;
 	await oAuthState.set({ query: serializeAuthorizationQuery(query).toString() });
 	if (!query.client_id) return handleRedirect(ctx, getErrorURL(ctx, "invalid_client", "client_id is required"));
 	if (!query.response_type) return handleRedirect(ctx, getErrorURL(ctx, "invalid_request", "response_type is required"));
@@ -4233,6 +4544,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	const client = await getClient(ctx, opts, query.client_id);
 	if (!client) return handleRedirect(ctx, getErrorURL(ctx, "invalid_client", "client_id is required"));
 	if (client.disabled) return handleRedirect(ctx, getErrorURL(ctx, "client_disabled", "client is disabled"));
+	if (!clientAllowsGrant(client, "authorization_code")) return handleRedirect(ctx, getErrorURL(ctx, "unauthorized_client", "client is not authorized to use the authorization_code grant"));
 	if (!findRegisteredRedirectUri(client.redirectUris, query.redirect_uri) || !query.redirect_uri) return handleRedirect(ctx, getErrorURL(ctx, "invalid_redirect", "invalid redirect uri"));
 	let requestedScopes = query.scope?.split(" ").filter((s) => s);
 	if (requestedScopes) {
@@ -4258,14 +4570,20 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	if (!(await checkResource(ctx, opts, resource, requestedScopes)).success) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_target", "requested resource invalid", query.state, getIssuer(ctx, opts)));
 	const requestedResources = toResourceList(resource) ?? [];
 	const session = await getSessionFromCtx(ctx);
-	if (!session || promptSet?.has("login") || promptSet?.has("create")) {
+	const maxAgeSeconds = query.max_age;
+	const hasSatisfiedMaxAge = session != null && maxAgeSeconds !== void 0 && isWithinMaxAge(new Date(session.session.createdAt), maxAgeSeconds, /* @__PURE__ */ new Date());
+	if (!session || session != null && maxAgeSeconds !== void 0 && !hasSatisfiedMaxAge || promptSet?.has("login") || promptSet?.has("create")) {
 		if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "login_required", "authentication required");
 		return redirectWithPromptCode(ctx, opts, promptSet?.has("create") ? "create" : "login");
 	}
+	if (hasSatisfiedMaxAge) {
+		query = removeMaxAgeFromAuthorizationQuery(query);
+		ctx.query = query;
+	}
 	if (settings?.isAuthorize && promptSet?.has("select_account")) return redirectWithPromptCode(ctx, opts, "select_account");
 	if (settings?.isAuthorize && opts.selectAccount) {
 		if (await opts.selectAccount.shouldRedirect({
-			headers: ctx.request.headers,
+			headers: request.headers,
 			user: session.user,
 			session: session.session,
 			scopes: requestedScopes
@@ -4276,7 +4594,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	}
 	if (opts.signup?.shouldRedirect) {
 		const signupRedirect = await opts.signup.shouldRedirect({
-			headers: ctx.request.headers,
+			headers: request.headers,
 			user: session.user,
 			session: session.session,
 			scopes: requestedScopes
@@ -4288,7 +4606,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 	}
 	if (!settings?.postLogin && opts.postLogin) {
 		if (await opts.postLogin.shouldRedirect({
-			headers: ctx.request.headers,
+			headers: request.headers,
 			user: session.user,
 			session: session.session,
 			scopes: requestedScopes
@@ -4412,6 +4730,7 @@ async function signParams(ctx, opts, flags) {
 //#region src/metadata.ts
 function authServerMetadata(ctx, opts, overrides) {
 	const baseURL = ctx.context.baseURL;
+	const backchannelSupported = !overrides?.jwt_disabled;
 	return {
 		scopes_supported: overrides?.scopes_supported,
 		issuer: validateIssuerUrl(opts?.jwt?.issuer ?? baseURL),
@@ -4448,7 +4767,9 @@ function authServerMetadata(ctx, opts, overrides) {
 		],
 		revocation_endpoint_auth_signing_alg_values_supported: [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS],
 		code_challenge_methods_supported: ["S256"],
-		authorization_response_iss_parameter_supported: true
+		authorization_response_iss_parameter_supported: true,
+		backchannel_logout_supported: backchannelSupported,
+		backchannel_logout_session_supported: backchannelSupported
 	};
 }
 function oidcServerMetadata(ctx, opts) {