@better-auth/oauth-provider 1.7.0-beta.4 → 1.7.0-beta.6

package/dist/{client-assertion-DLMKVgoj.mjs → client-assertion-CctbJywV.mjs}

@@ -1,21 +1,14 @@
-import { a as getClient } from "./utils-DKBWQ8fe.mjs";
+import { t as __exportAll } from "./rolldown-runtime-wcPFST8Q.mjs";
+import { a as getClient } from "./utils-Baq6atYN.mjs";
+import { isPublicRoutableHost } from "@better-auth/core/utils/host";
 import { APIError } from "better-call";
 import { CLIENT_ASSERTION_TYPE, PRIVATE_KEY_JWT_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
+import { base64Url } from "@better-auth/utils/base64";
+import { createHash } from "@better-auth/utils/hash";
 import { createLocalJWKSet, decodeJwt, decodeProtectedHeader, jwtVerify } from "jose";
-//#region \0rolldown/runtime.js
-var __defProp = Object.defineProperty;
-var __exportAll = (all, no_symbols) => {
-	let target = {};
-	for (var name in all) __defProp(target, name, {
-		get: all[name],
-		enumerable: true
-	});
-	if (!no_symbols) __defProp(target, Symbol.toStringTag, { value: "Module" });
-	return target;
-};
-//#endregion
 //#region src/utils/client-assertion.ts
 var client_assertion_exports = /* @__PURE__ */ __exportAll({
+	consumeClientAssertion: () => consumeClientAssertion,
 	isPrivateHostname: () => isPrivateHostname,
 	verifyClientAssertion: () => verifyClientAssertion
 });
@@ -34,33 +27,21 @@ function setJwksCache(uri, jwks, fetchedAt) {
 	}
 }
 const ALGORITHMS_LIST = [...PRIVATE_KEY_JWT_SIGNING_ALGORITHMS];
-const pendingAssertionIds = /* @__PURE__ */ new Set();
 /**
-* Block SSRF: reject jwks_uri pointing at private/reserved IP ranges.
-* Only HTTPS with public hostnames is allowed.
+* SSRF gate for user-supplied server-side fetch targets (`jwks_uri`,
+* `backchannel_logout_uri`): returns true when the host is NOT publicly
+* routable. That covers loopback, RFC 1918 private, link-local (including AWS
+* IMDS `169.254.169.254`), shared-address-space (carrier-grade NAT),
+* IPv4-mapped IPv6, 6to4/NAT64/Teredo tunnels, every other RFC 6890
+* special-purpose range, and cloud-metadata FQDNs.
+*
+* Delegates to the audited single source of truth so this check cannot drift
+* into the kind of encoding bypass that bespoke regexes invite. This is a
+* syntactic check only: it does not resolve DNS, so a public name that
+* resolves to a private address at fetch time is not caught here.
 */
-function isPrivateIpv4(hostname) {
-	const parts = hostname.split(".");
-	if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p))) return false;
-	const octets = parts.map(Number);
-	const a = octets[0];
-	const b = octets[1];
-	return a === 10 || a === 0 || a === 172 && b >= 16 && b <= 31 || a === 192 && b === 168 || a === 169 && b === 254 || a === 127;
-}
 function isPrivateHostname(hostname) {
-	const lower = hostname.toLowerCase();
-	const host = lower.startsWith("[") && lower.endsWith("]") ? lower.slice(1, -1) : lower;
-	if (host === "localhost" || host === "::1") return true;
-	if (isPrivateIpv4(host)) return true;
-	if (host.includes(":")) {
-		const v4MappedMatch = host.match(/^(?:0{0,4}:){0,4}:?(?:0{0,4}:)?ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/);
-		if (v4MappedMatch && isPrivateIpv4(v4MappedMatch[1])) return true;
-		const isLinkLocal = host.startsWith("fe8") || host.startsWith("fe9") || host.startsWith("fea") || host.startsWith("feb");
-		const isUniqueLocal = host.startsWith("fc") || host.startsWith("fd");
-		if (isLinkLocal || isUniqueLocal) return true;
-	}
-	if (host === "metadata.google.internal") return true;
-	return false;
+	return !isPublicRoutableHost(hostname);
 }
 function validateJwksUri(ctx, jwksUri, clientIdUrlOrigin) {
 	const parsed = new URL(jwksUri);
@@ -141,6 +122,84 @@ async function refetchClientJwks(client) {
 	}
 }
 /**
+* Enforces the assertion-hygiene claims every client-assertion authentication
+* method must check, independent of how the signature is verified or where the
+* verification keys come from:
+* - `aud` MUST include `expectedAudience` (RFC 7523 §3 rule 3),
+* - `exp` MUST be present, unexpired, and at most `assertionMaxLifetime`
+*   seconds away (RFC 7523 §3 rule 4),
+* - `iat`, when present, MUST be within `assertionMaxLifetime`,
+* - `jti` MUST be present and single-use; this consumes a replay tombstone keyed
+*   by `` `${namespace}:${jti}` ``, inserted under the adapter's primary key so a
+*   replay across workers fails atomically.
+*
+* A custom {@link OAuthClientAuthenticationStrategy} should call this after
+* verifying the assertion signature, so an extension method inherits the same
+* replay, lifetime, and audience guarantees as the built-in `private_key_jwt`
+* path, which calls it too.
+*
+* @param params.namespace Scopes the replay tombstone to the method and client,
+*   e.g. `` `${method}:${clientId}` ``, so the same `jti` can recur across
+*   distinct methods or clients but never within one.
+*/
+async function consumeClientAssertion(ctx, opts, params) {
+	const { namespace, payload, expectedAudience } = params;
+	if (!(Array.isArray(payload.aud) ? payload.aud : payload.aud != null ? [payload.aud] : []).includes(expectedAudience)) throw new APIError("BAD_REQUEST", {
+		error_description: "client assertion aud does not match the endpoint",
+		error: "invalid_client"
+	});
+	const maxLifetime = opts.assertionMaxLifetime ?? 300;
+	const now = Math.floor(Date.now() / 1e3);
+	if (typeof payload.exp !== "number") throw new APIError("BAD_REQUEST", {
+		error_description: "client assertion must include exp claim",
+		error: "invalid_client"
+	});
+	if (payload.exp <= now) throw new APIError("BAD_REQUEST", {
+		error_description: "client assertion has expired",
+		error: "invalid_client"
+	});
+	if (payload.exp - now > maxLifetime) throw new APIError("BAD_REQUEST", {
+		error_description: `client assertion exp is too far in the future (max ${maxLifetime}s)`,
+		error: "invalid_client"
+	});
+	if (typeof payload.iat === "number" && now - payload.iat > maxLifetime) throw new APIError("BAD_REQUEST", {
+		error_description: `client assertion iat is too far in the past (max ${maxLifetime}s)`,
+		error: "invalid_client"
+	});
+	if (typeof payload.jti !== "string" || payload.jti.length === 0) throw new APIError("BAD_REQUEST", {
+		error_description: "client assertion must include jti claim",
+		error: "invalid_client"
+	});
+	const jtiDigest = await createHash("SHA-256").digest(new TextEncoder().encode(`${namespace}:${payload.jti}`));
+	const jtiId = base64Url.encode(new Uint8Array(jtiDigest).slice(0, 24), { padding: false });
+	try {
+		await ctx.context.adapter.create({
+			model: "oauthClientAssertion",
+			data: {
+				id: jtiId,
+				expiresAt: /* @__PURE__ */ new Date(payload.exp * 1e3)
+			},
+			forceAllowId: true
+		});
+	} catch (createErr) {
+		let alreadyUsed = false;
+		try {
+			alreadyUsed = Boolean(await ctx.context.adapter.findOne({
+				model: "oauthClientAssertion",
+				where: [{
+					field: "id",
+					value: jtiId
+				}]
+			}));
+		} catch {}
+		if (alreadyUsed) throw new APIError("BAD_REQUEST", {
+			error_description: "client assertion jti has already been used",
+			error: "invalid_client"
+		});
+		throw createErr;
+	}
+}
+/**
 * Verifies a client assertion JWT for `private_key_jwt` authentication.
 *
 * Validates: signature, iss=client_id, sub=client_id, aud=token_endpoint,
@@ -197,7 +256,6 @@ async function verifyClientAssertion(ctx, opts, clientAssertion, clientAssertion
 	});
 	const jwks = await fetchClientJwks(ctx, client);
 	const audience = expectedAudience ?? `${ctx.context.baseURL}/oauth2/token`;
-	const maxLifetime = opts.assertionMaxLifetime ?? 300;
 	const verifyOpts = {
 		issuer: clientId,
 		subject: clientId,
@@ -227,55 +285,12 @@ async function verifyClientAssertion(ctx, opts, clientAssertion, clientAssertion
 			error: "invalid_client"
 		});
 	}
-	const now = Math.floor(Date.now() / 1e3);
-	if (typeof payload.exp !== "number") throw new APIError("BAD_REQUEST", {
-		error_description: "client assertion must include exp claim",
-		error: "invalid_client"
-	});
-	if (payload.exp - now > maxLifetime) throw new APIError("BAD_REQUEST", {
-		error_description: `client assertion exp is too far in the future (max ${maxLifetime}s)`,
-		error: "invalid_client"
-	});
-	if (typeof payload.iat === "number" && now - payload.iat > maxLifetime) throw new APIError("BAD_REQUEST", {
-		error_description: `client assertion iat is too far in the past (max ${maxLifetime}s)`,
-		error: "invalid_client"
+	await consumeClientAssertion(ctx, opts, {
+		namespace: `private_key_jwt:${clientId}`,
+		payload,
+		expectedAudience: audience
 	});
-	if (!payload.jti) throw new APIError("BAD_REQUEST", {
-		error_description: "client assertion must include jti claim",
-		error: "invalid_client"
-	});
-	const jtiIdentifier = `private_key_jwt:${clientId}:${payload.jti}`;
-	if (pendingAssertionIds.has(jtiIdentifier)) throw new APIError("BAD_REQUEST", {
-		error_description: "client assertion jti has already been used",
-		error: "invalid_client"
-	});
-	pendingAssertionIds.add(jtiIdentifier);
-	try {
-		if (await ctx.context.internalAdapter.findVerificationValue(jtiIdentifier)) throw new APIError("BAD_REQUEST", {
-			error_description: "client assertion jti has already been used",
-			error: "invalid_client"
-		});
-		const jtiExpiry = /* @__PURE__ */ new Date(payload.exp * 1e3);
-		try {
-			await ctx.context.internalAdapter.createVerificationValue({
-				identifier: jtiIdentifier,
-				value: clientId,
-				expiresAt: jtiExpiry
-			});
-		} catch (createErr) {
-			if (await ctx.context.internalAdapter.findVerificationValue(jtiIdentifier)) throw new APIError("BAD_REQUEST", {
-				error_description: "client assertion jti has already been used",
-				error: "invalid_client"
-			});
-			throw createErr;
-		}
-	} finally {
-		pendingAssertionIds.delete(jtiIdentifier);
-	}
-	return {
-		clientId,
-		client
-	};
+	return { clientId };
 }
 //#endregion
-export { isPrivateHostname as n, client_assertion_exports as t };
+export { consumeClientAssertion as n, isPrivateHostname as r, client_assertion_exports as t };

package/dist/client-resource.d.mts

@@ -1,4 +1,5 @@
-import { s as ResourceServerMetadata } from "./oauth-q7dn10NU.mjs";
+import { c as ResourceServerMetadata } from "./oauth-CaXmZpoL.mjs";
+import { ResourceRequestInput, VerifyAccessTokenRequestOptions } from "better-auth/oauth2";
 import { JWTPayload, JWTVerifyOptions } from "jose";
 import { BetterAuthOptions } from "better-auth/types";
 
@@ -22,7 +23,14 @@ declare const oauthProviderResourceClient: <T extends ResourceClientAuth | undef
      *
      * The optional auth parameter can fill known values automatically.
      */
-    verifyAccessToken: VerifyAccessTokenOutput<T>;
+    verifyBearerToken: VerifyAccessTokenOutput<T>;
+    /**
+     * Performs verification of a protected-resource request. Use this for
+     * new resource-server integrations so sender-constrained DPoP access
+     * tokens are enforced with the request method, URL, Authorization
+     * scheme, DPoP proof, `ath`, and `cnf.jkt` binding.
+     */
+    verifyAccessTokenRequest: VerifyAccessTokenRequestOutput<T>;
     /**
      * An authorization server does not typically publish
      * the `/.well-known/oauth-protected-resource` themselves.
@@ -49,8 +57,23 @@ interface VerifyAccessTokenRemote {
    * is also still active.
    */
   force?: boolean;
+  /**
+   * Accept introspection responses that omit the `aud` claim even when a
+   * required `audience` is configured in `verifyOptions`.
+   *
+   * By default verification fails closed: if you configure an `audience` and
+   * the introspection response has no `aud` (or a mismatching one), the token
+   * is rejected. Some authorization servers legitimately omit `aud` from
+   * introspection responses (it is OPTIONAL per RFC 7662 §2.2); only enable
+   * this if you trust the issuer to bind the token to this resource through
+   * another mechanism, as it skips the audience check in that case.
+   *
+   * @default false
+   */
+  allowMissingAudience?: boolean;
 }
 type VerifyAccessTokenOutput<T> = T extends undefined ? (token: string | undefined, opts: VerifyAccessTokenNoAuthOpts) => Promise<JWTPayload> : (token: string | undefined, opts?: VerifyAccessTokenAuthOpts) => Promise<JWTPayload>;
+type VerifyAccessTokenRequestOutput<T> = T extends undefined ? (request: Request | ResourceRequestInput, opts: VerifyAccessTokenRequestNoAuthOpts) => Promise<JWTPayload> : (request: Request | ResourceRequestInput, opts?: VerifyAccessTokenRequestAuthOpts) => Promise<JWTPayload>;
 type VerifyAccessTokenAuthOpts = {
   verifyOptions?: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience">>;
   scopes?: string[];
@@ -58,6 +81,9 @@ type VerifyAccessTokenAuthOpts = {
   remoteVerify?: VerifyAccessTokenRemote; /** Maps non-url (ie urn, client) resources to resource_metadata */
   resourceMetadataMappings?: Record<string, string>;
 };
+type VerifyAccessTokenRequestAuthOpts = VerifyAccessTokenAuthOpts & {
+  dpop?: VerifyAccessTokenRequestOptions["dpop"];
+};
 type VerifyAccessTokenNoAuthOpts = {
   verifyOptions: JWTVerifyOptions & Required<Pick<JWTVerifyOptions, "audience" | "issuer">>;
   scopes?: string[];
@@ -71,6 +97,9 @@ type VerifyAccessTokenNoAuthOpts = {
   remoteVerify: VerifyAccessTokenRemote; /** Maps non-url (ie urn, client) resources to resource_metadata */
   resourceMetadataMappings?: Record<string, string>;
 };
+type VerifyAccessTokenRequestNoAuthOpts = VerifyAccessTokenNoAuthOpts & {
+  dpop?: VerifyAccessTokenRequestOptions["dpop"];
+};
 type ProtectedResourceMetadataOutput<T> = T extends undefined ? (overrides: ResourceServerMetadata, opts?: {
   silenceWarnings?: {
     oidcScopes?: boolean;

package/dist/client-resource.mjs

@@ -1,10 +1,10 @@
-import { t as handleMcpErrors } from "./mcp-CYnz-MXn.mjs";
-import { o as getJwtPlugin, s as getOAuthProviderPlugin } from "./utils-DKBWQ8fe.mjs";
-import { t as PACKAGE_VERSION } from "./version-nFnRm-a3.mjs";
-import { verifyAccessToken } from "better-auth/oauth2";
+import { o as getJwtPlugin, s as getOAuthProviderPlugin } from "./utils-Baq6atYN.mjs";
+import { t as PACKAGE_VERSION } from "./version-CUu3vBtU.mjs";
+import { t as raiseResourceServerChallenge } from "./resource-challenge-B-cqv4ur.mjs";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
+import { DPOP_SIGNING_ALGORITHMS, requestToResourceInput, verifyAccessTokenRequest, verifyBearerToken } from "better-auth/oauth2";
 //#region src/client-resource.ts
 const oauthProviderResourceClient = (auth) => {
 	let oauthProviderPlugin;
@@ -22,36 +22,55 @@ const oauthProviderResourceClient = (auth) => {
 		return (await getJwtPluginOptions())?.jwt?.issuer ?? authServerBaseUrl;
 	};
 	const authServerBasePath = auth?.options.basePath;
+	const resolveVerifyAccessTokenOptions = async (opts) => {
+		const jwtPluginOptions = await getJwtPluginOptions();
+		const audience = opts?.verifyOptions?.audience ?? authServerBaseUrl;
+		const issuer = opts?.verifyOptions?.issuer ?? jwtPluginOptions?.jwt?.issuer ?? authServerBaseUrl;
+		if (!audience) throw Error("please define opts.verifyOptions.audience");
+		if (!issuer) throw Error("please define opts.verifyOptions.issuer");
+		const jwksUrl = opts?.jwksUrl ?? jwtPluginOptions?.jwks?.remoteUrl ?? (authServerBaseUrl ? `${authServerBaseUrl + (authServerBasePath ?? "")}${jwtPluginOptions?.jwks?.jwksPath ?? "/jwks"}` : void 0);
+		const introspectUrl = opts?.remoteVerify?.introspectUrl ?? (authServerBaseUrl ? `${authServerBaseUrl}${authServerBasePath ?? ""}/oauth2/introspect` : void 0);
+		return {
+			...opts,
+			jwksUrl,
+			verifyOptions: {
+				...opts?.verifyOptions,
+				audience,
+				issuer
+			},
+			remoteVerify: opts?.remoteVerify && introspectUrl ? {
+				...opts.remoteVerify,
+				introspectUrl
+			} : void 0
+		};
+	};
+	const toResourceRequestInput = (request) => typeof request.headers?.get === "function" ? requestToResourceInput(request) : request;
 	return {
 		id: "oauth-provider-resource-client",
 		version: PACKAGE_VERSION,
 		getActions() {
 			return {
-				verifyAccessToken: (async (token, opts) => {
-					const jwtPluginOptions = await getJwtPluginOptions();
-					const audience = opts?.verifyOptions?.audience ?? authServerBaseUrl;
-					const issuer = opts?.verifyOptions?.issuer ?? jwtPluginOptions?.jwt?.issuer ?? authServerBaseUrl;
-					if (!audience) throw Error("please define opts.verifyOptions.audience");
-					if (!issuer) throw Error("please define opts.verifyOptions.issuer");
-					const jwksUrl = opts?.jwksUrl ?? jwtPluginOptions?.jwks?.remoteUrl ?? (authServerBaseUrl ? `${authServerBaseUrl + (authServerBasePath ?? "")}${jwtPluginOptions?.jwks?.jwksPath ?? "/jwks"}` : void 0);
-					const introspectUrl = opts?.remoteVerify?.introspectUrl ?? (authServerBaseUrl ? `${authServerBaseUrl}${authServerBasePath ?? ""}/oauth2/introspect` : void 0);
+				verifyBearerToken: (async (token, opts) => {
+					const verifyOptions = await resolveVerifyAccessTokenOptions(opts);
 					try {
 						if (!token?.length) throw new APIError("UNAUTHORIZED", { message: "missing authorization header" });
-						return await verifyAccessToken(token, {
-							...opts,
-							jwksUrl,
-							verifyOptions: {
-								...opts?.verifyOptions,
-								audience,
-								issuer
-							},
-							remoteVerify: opts?.remoteVerify && introspectUrl ? {
-								...opts.remoteVerify,
-								introspectUrl
-							} : void 0
+						return await verifyBearerToken(token, verifyOptions);
+					} catch (error) {
+						raiseResourceServerChallenge(error, verifyOptions.verifyOptions.audience, {
+							resourceMetadataMappings: opts?.resourceMetadataMappings,
+							dpopSigningAlgorithms: DPOP_SIGNING_ALGORITHMS
 						});
+					}
+				}),
+				verifyAccessTokenRequest: (async (request, opts) => {
+					const verifyOptions = await resolveVerifyAccessTokenOptions(opts);
+					try {
+						return await verifyAccessTokenRequest(toResourceRequestInput(request), verifyOptions);
 					} catch (error) {
-						throw handleMcpErrors(error, audience, { resourceMetadataMappings: opts?.resourceMetadataMappings });
+						raiseResourceServerChallenge(error, verifyOptions.verifyOptions.audience, {
+							resourceMetadataMappings: opts?.resourceMetadataMappings,
+							dpopSigningAlgorithms: opts?.dpop?.signingAlgorithms ?? DPOP_SIGNING_ALGORITHMS
+						});
 					}
 				}),
 				getProtectedResourceMetadata: (async (overrides, opts) => {
@@ -78,6 +97,7 @@ const oauthProviderResourceClient = (auth) => {
 					return {
 						resource,
 						authorization_servers: authorizationServer ? [authorizationServer] : void 0,
+						dpop_signing_alg_values_supported: [...oauthProviderOptions?.dpop?.signingAlgorithms ?? DPOP_SIGNING_ALGORITHMS],
 						...overrides
 					};
 				})

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { n as oauthProvider } from "./oauth-Vt3lTNHX.mjs";
+import { r as oauthProvider } from "./oauth-CAeemjD7.mjs";
 import * as _better_fetch_fetch0 from "@better-fetch/fetch";
 
 //#region src/client.d.ts

package/dist/client.mjs

@@ -1,17 +1,7 @@
-import { t as PACKAGE_VERSION } from "./version-nFnRm-a3.mjs";
+import { t as buildSignedOAuthQuery } from "./signed-query-CFv2jNMT.mjs";
+import { t as PACKAGE_VERSION } from "./version-CUu3vBtU.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
 //#region src/client.ts
-function parseSignedQuery(search) {
-	const params = new URLSearchParams(search);
-	if (params.has("sig")) {
-		const signedParams = new URLSearchParams();
-		for (const [key, value] of params.entries()) {
-			signedParams.append(key, value);
-			if (key === "sig") break;
-		}
-		return signedParams.toString();
-	}
-}
 const oauthProviderClient = () => {
 	return {
 		id: "oauth-provider-client",
@@ -26,7 +16,7 @@ const oauthProviderClient = () => {
 				if (body?.oauth_query) return;
 				if (typeof window !== "undefined" && window?.location?.search && !(ctx.method === "GET" || ctx.method === "DELETE")) ctx.body = JSON.stringify({
 					...body,
-					oauth_query: parseSignedQuery(window.location.search)
+					oauth_query: buildSignedOAuthQuery(window.location.search)
 				});
 			} }
 		}],

package/dist/index.d.mts

@@ -1,23 +1,37 @@
-import { _ as SchemaClient, a as OAuthClient, b as VerificationValue, c as TokenEndpointAuthMethod, d as OAuthAuthorizationQuery, f as OAuthConsent, g as Prompt, h as OAuthRefreshToken, i as GrantType, l as AuthorizePrompt, m as OAuthOptions, n as AuthServerMetadata, o as OIDCMetadata, p as OAuthOpaqueAccessToken, r as BearerMethodsSupported, s as ResourceServerMetadata, t as AuthMethod, u as ClientDiscovery, v as Scope, x as Awaitable, y as StoreTokenType } from "./oauth-q7dn10NU.mjs";
-import { a as OAuthErrorCode, c as OAuthRedirectOnError, i as OAuthEndpointRedirectContext, n as oauthProvider, o as OAuthFieldErrorCode, r as OAuthEndpointErrorResult, s as OAuthFieldErrorCodeMap, t as getOAuthProviderState } from "./oauth-Vt3lTNHX.mjs";
-import { verifyAccessToken } from "better-auth/oauth2";
+import { A as OAuthProviderExtension, B as StoreTokenType, C as OAuthConsent, D as OAuthOpaqueAccessToken, E as OAuthMetadataExtensionInput, F as OAuthTokenResponse, H as ClientRegistrationRequest, I as OAuthUserInfoExtensionInput, L as Prompt, M as OAuthResource, N as OAuthResourceInput, O as OAuthOptions, P as OAuthTokenIssueParams, R as SchemaClient, S as OAuthClientResource, T as OAuthExtensionGrantHandlerInput, U as ResourceUriSchema, V as VerificationValue, _ as OAuthClaimExtensionInput, a as GrantType, b as OAuthClientAuthenticationResult, c as ResourceServerMetadata, d as ActiveAccessTokenPayload, f as AuthorizePrompt, g as OAuthAuthorizationQuery, h as OAuthAuthenticatedClient, i as Confirmation, j as OAuthRefreshToken, k as OAuthProviderApi, l as TokenEndpointAuthMethod, m as InitialAccessTokenAuthorization, n as AuthServerMetadata, o as OAuthClient, p as ClientDiscovery, r as BearerMethodsSupported, s as OIDCMetadata, t as AuthMethod, u as TokenType, v as OAuthClientAuthenticationInput, w as OAuthExtensionGrantHandler, x as OAuthClientAuthenticationStrategy, y as OAuthClientAuthenticationRequest, z as Scope } from "./oauth-CaXmZpoL.mjs";
+import { a as OAuthEndpointErrorResult, c as OAuthFieldErrorCode, i as getIssuer, l as OAuthFieldErrorCodeMap, n as getOAuthProviderState, o as OAuthEndpointRedirectContext, r as oauthProvider, s as OAuthErrorCode, t as DEFAULT_OAUTH_SCOPES, u as OAuthRedirectOnError } from "./oauth-CAeemjD7.mjs";
+import { getSessionFromCtx } from "better-auth/api";
 import { JWSAlgorithms, JwtOptions } from "better-auth/plugins";
-import { JWTPayload } from "jose";
-import { GenericEndpointContext } from "@better-auth/core";
+import { AuthContext, GenericEndpointContext } from "@better-auth/core";
 import * as better_auth0 from "better-auth";
 
-//#region src/mcp.d.ts
+//#region src/extensions.d.ts
 /**
- * A request middleware handler that checks and responds with
- * a WWW-Authenticate header for unauthenticated responses.
+ * Registers an {@link OAuthProviderExtension} with the OAuth Provider plugin
+ * from a companion plugin's `init()` hook. An extension can add token grants,
+ * assertion-based client authentication methods, additive discovery metadata,
+ * access-token / ID-token / UserInfo claims, and client-id discovery, without
+ * forking provider core.
  *
- * @external
+ * Call this once, at `init()` time. It is idempotent in the same `extension`
+ * object, so re-running a plugin's `init()` (for example when one plugin factory
+ * result is shared across two `betterAuth()` instances) does not register it
+ * twice. It throws if the oauth-provider plugin is not installed, if a grant
+ * type or assertion type is not an absolute URI, if a client authentication
+ * method reuses a built-in name, or if the extension registers a grant type,
+ * auth method, or assertion type that another extension already registered
+ * (contributions must be disjoint).
+ *
+ * @example
+ * ```ts
+ * init(ctx) {
+ *   extendOAuthProvider(ctx, {
+ *     grants: { "urn:example:grant": async ({ provider }) => provider.issueTokens(...) },
+ *   });
+ * }
+ * ```
  */
-declare const mcpHandler: (/** Resource is the same url as the audience */
-
-verifyOptions: Parameters<typeof verifyAccessToken>[1], handler: (req: Request, jwt: JWTPayload) => Awaitable<Response>, opts?: {
-  /** Maps non-url (ie urn, client) resources to resource_metadata */resourceMetadataMappings: Record<string, string>;
-}) => (req: Request) => Promise<Response>;
+declare function extendOAuthProvider(ctx: AuthContext, extension: OAuthProviderExtension): void;
 //#endregion
 //#region src/metadata.d.ts
 declare function authServerMetadata(ctx: GenericEndpointContext, opts?: JwtOptions, overrides?: {
@@ -25,8 +39,12 @@ declare function authServerMetadata(ctx: GenericEndpointContext, opts?: JwtOptio
   dynamic_client_registration_supported?: boolean;
   public_client_supported?: boolean;
   grant_types_supported?: GrantType[];
+  token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[];
+  endpoint_auth_methods_supported?: TokenEndpointAuthMethod[];
   jwt_disabled?: boolean;
+  dpop_signing_alg_values_supported?: JWSAlgorithms[];
 }): AuthServerMetadata;
+declare function oauthAuthorizationServerMetadata(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]>): AuthServerMetadata;
 declare function oidcServerMetadata(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]> & {
   claims?: string[];
 }): {
@@ -52,16 +70,20 @@ declare function oidcServerMetadata(ctx: GenericEndpointContext, opts: OAuthOpti
   op_policy_uri?: string | undefined;
   op_tos_uri?: string | undefined;
   revocation_endpoint?: string | undefined;
-  revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+  revocation_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
   revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
   introspection_endpoint?: string | undefined;
-  introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
+  introspection_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
   introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
   code_challenge_methods_supported: "S256"[];
   authorization_response_iss_parameter_supported?: boolean | undefined;
   client_id_metadata_document_supported?: boolean | undefined;
+  backchannel_logout_supported?: boolean | undefined;
+  backchannel_logout_session_supported?: boolean | undefined;
+  dpop_signing_alg_values_supported?: JWSAlgorithms[] | undefined;
   id_token_signing_alg_values_supported: JWSAlgorithms[] | ["HS256"];
 };
+declare function metadataResponse(body: unknown, extraHeaders?: HeadersInit): Response;
 /**
  * Provides an exportable `/.well-known/oauth-authorization-server`.
  *
@@ -106,4 +128,67 @@ declare function checkOAuthClient(client: OAuthClient, opts: OAuthOptions<Scope[
  */
 declare function oauthToSchema(input: OAuthClient): SchemaClient<Scope[]>;
 //#endregion
-export { AuthMethod, AuthServerMetadata, AuthorizePrompt, BearerMethodsSupported, ClientDiscovery, GrantType, OAuthAuthorizationQuery, OAuthClient, OAuthConsent, type OAuthEndpointErrorResult, type OAuthEndpointRedirectContext, type OAuthErrorCode, type OAuthFieldErrorCode, type OAuthFieldErrorCodeMap, OAuthOpaqueAccessToken, OAuthOptions, type OAuthRedirectOnError, OAuthRefreshToken, OIDCMetadata, Prompt, ResourceServerMetadata, SchemaClient, Scope, StoreTokenType, TokenEndpointAuthMethod, VerificationValue, authServerMetadata, checkOAuthClient, getOAuthProviderState, mcpHandler, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oauthToSchema, oidcServerMetadata };
+//#region src/resource-challenge.d.ts
+/**
+ * Raise an OAuth resource-server challenge for a failed access-token request.
+ *
+ * Missing/invalid bearer credentials are reported with RFC 6750 plus the RFC
+ * 9728 `resource_metadata` pointer. DPoP-bound-token failures are reported with
+ * RFC 9449's `DPoP` challenge so clients know which proof algorithms to use.
+ * Non-URL resources (for example a `urn:` or a client id) resolve their
+ * metadata URL through `resourceMetadataMappings`.
+ *
+ * @internal
+ */
+declare function raiseResourceServerChallenge(error: unknown, resource: string | string[], opts?: {
+  /** Maps non-URL (urn, client) resources to their resource_metadata URL. */resourceMetadataMappings?: Record<string, string>; /** DPoP JWS algorithms to advertise in RFC 9449 challenges. */
+  dpopSigningAlgorithms?: readonly string[]; /** Space-delimited scopes to advertise in RFC 6750 bearer challenges. */
+  scope?: string;
+}): never;
+//#endregion
+//#region src/token.d.ts
+/**
+ * Returns the OAuth Provider's server-side capability surface bound to `ctx`.
+ * The token endpoint passes one (pre-bound to the dispatched grant) to each
+ * extension grant handler; a companion plugin's own endpoint calls this directly
+ * with its grant type. `grantType` is bound here, not per issuance, so a handler
+ * cannot mislabel the grant; omit it for capabilities that do not issue tokens
+ * (`getClient`, `validateAccessToken`, `requireActiveAccessToken`), and
+ * `issueTokens` then throws.
+ */
+declare function getOAuthProviderApi(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]>, grantType?: GrantType): OAuthProviderApi;
+//#endregion
+//#region src/utils/client-assertion.d.ts
+/**
+ * Enforces the assertion-hygiene claims every client-assertion authentication
+ * method must check, independent of how the signature is verified or where the
+ * verification keys come from:
+ * - `aud` MUST include `expectedAudience` (RFC 7523 §3 rule 3),
+ * - `exp` MUST be present, unexpired, and at most `assertionMaxLifetime`
+ *   seconds away (RFC 7523 §3 rule 4),
+ * - `iat`, when present, MUST be within `assertionMaxLifetime`,
+ * - `jti` MUST be present and single-use; this consumes a replay tombstone keyed
+ *   by `` `${namespace}:${jti}` ``, inserted under the adapter's primary key so a
+ *   replay across workers fails atomically.
+ *
+ * A custom {@link OAuthClientAuthenticationStrategy} should call this after
+ * verifying the assertion signature, so an extension method inherits the same
+ * replay, lifetime, and audience guarantees as the built-in `private_key_jwt`
+ * path, which calls it too.
+ *
+ * @param params.namespace Scopes the replay tombstone to the method and client,
+ *   e.g. `` `${method}:${clientId}` ``, so the same `jti` can recur across
+ *   distinct methods or clients but never within one.
+ */
+declare function consumeClientAssertion(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]>, params: {
+  namespace: string;
+  payload: {
+    aud?: unknown;
+    exp?: unknown;
+    iat?: unknown;
+    jti?: unknown;
+  };
+  expectedAudience: string;
+}): Promise<void>;
+//#endregion
+export { ActiveAccessTokenPayload, AuthMethod, AuthServerMetadata, AuthorizePrompt, BearerMethodsSupported, ClientDiscovery, ClientRegistrationRequest, Confirmation, DEFAULT_OAUTH_SCOPES, GrantType, InitialAccessTokenAuthorization, OAuthAuthenticatedClient, OAuthAuthorizationQuery, OAuthClaimExtensionInput, type OAuthClient, OAuthClientAuthenticationInput, OAuthClientAuthenticationRequest, OAuthClientAuthenticationResult, OAuthClientAuthenticationStrategy, OAuthClientResource, OAuthConsent, type OAuthEndpointErrorResult, type OAuthEndpointRedirectContext, type OAuthErrorCode, OAuthExtensionGrantHandler, OAuthExtensionGrantHandlerInput, type OAuthFieldErrorCode, type OAuthFieldErrorCodeMap, OAuthMetadataExtensionInput, OAuthOpaqueAccessToken, OAuthOptions, OAuthProviderApi, OAuthProviderExtension, type OAuthRedirectOnError, OAuthRefreshToken, OAuthResource, OAuthResourceInput, OAuthTokenIssueParams, OAuthTokenResponse, OAuthUserInfoExtensionInput, OIDCMetadata, Prompt, type ResourceServerMetadata, ResourceUriSchema, SchemaClient, Scope, StoreTokenType, TokenEndpointAuthMethod, TokenType, VerificationValue, authServerMetadata, checkOAuthClient, consumeClientAssertion, extendOAuthProvider, getIssuer, getOAuthProviderApi, getOAuthProviderState, metadataResponse, oauthAuthorizationServerMetadata, oauthProvider, oauthProviderAuthServerMetadata, oauthProviderOpenIdConfigMetadata, oauthToSchema, oidcServerMetadata, raiseResourceServerChallenge };