@better-auth/oauth-provider 1.7.0-beta.4 → 1.7.0-beta.6

package/dist/{version-nFnRm-a3.mjs → version-CUu3vBtU.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.7.0-beta.4";
+const PACKAGE_VERSION = "1.7.0-beta.6";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.7.0-beta.4",
+  "version": "1.7.0-beta.6",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -61,18 +61,17 @@
     "zod": "^4.3.6"
   },
   "devDependencies": {
-    "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.7.0-beta.4",
-    "better-auth": "1.7.0-beta.4"
+    "@better-auth/core": "1.7.0-beta.6",
+    "better-auth": "1.7.0-beta.6"
   },
   "peerDependencies": {
-    "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.1.21",
-    "better-call": "1.3.5",
-    "@better-auth/core": "^1.7.0-beta.4",
-    "better-auth": "^1.7.0-beta.4"
+    "@better-auth/utils": "0.4.2",
+    "@better-fetch/fetch": "1.3.1",
+    "better-call": "1.3.6",
+    "@better-auth/core": "^1.7.0-beta.6",
+    "better-auth": "^1.7.0-beta.6"
   },
   "scripts": {
     "build": "tsdown",

package/dist/mcp-CYnz-MXn.mjs

@@ -1,56 +0,0 @@
-import { isAPIError } from "better-auth/api";
-import { verifyAccessToken } from "better-auth/oauth2";
-import { APIError as APIError$1 } from "better-call";
-//#region src/mcp.ts
-/**
-* A request middleware handler that checks and responds with
-* a WWW-Authenticate header for unauthenticated responses.
-*
-* @external
-*/
-const mcpHandler = (verifyOptions, handler, opts) => {
-	return async (req) => {
-		const authorization = req.headers?.get("authorization") ?? void 0;
-		const accessToken = authorization?.startsWith("Bearer ") ? authorization.replace("Bearer ", "") : authorization;
-		try {
-			if (!accessToken?.length) throw new APIError$1("UNAUTHORIZED", { message: "missing authorization header" });
-			return handler(req, await verifyAccessToken(accessToken, verifyOptions));
-		} catch (error) {
-			try {
-				handleMcpErrors(error, verifyOptions.verifyOptions.audience, opts);
-			} catch (err) {
-				if (err instanceof APIError$1) return new Response(err.message, {
-					...err,
-					status: err.statusCode
-				});
-				throw new Error(String(err));
-			}
-			throw new Error(String(error));
-		}
-	};
-};
-/**
-* The following handles all MCP errors and API errors
-*
-* @internal
-*/
-function handleMcpErrors(error, resource, opts) {
-	if (isAPIError(error) && error.status === "UNAUTHORIZED") {
-		const wwwAuthenticateValue = (Array.isArray(resource) ? resource : [resource]).map((v) => {
-			let audiencePath;
-			if (URL.canParse?.(v)) {
-				const url = new URL(v);
-				audiencePath = url.pathname.endsWith("/") ? url.pathname.slice(0, -1) : url.pathname;
-				return `Bearer resource_metadata="${url.origin}/.well-known/oauth-protected-resource${audiencePath}"`;
-			} else {
-				const resourceMetadata = opts?.resourceMetadataMappings?.[v];
-				if (!resourceMetadata) throw new APIError$1("INTERNAL_SERVER_ERROR", { message: `missing resource_metadata mapping for ${v}` });
-				return `Bearer resource_metadata=${resourceMetadata}`;
-			}
-		}).join(", ");
-		throw new APIError$1("UNAUTHORIZED", { message: error.message }, { "WWW-Authenticate": wwwAuthenticateValue });
-	} else if (error instanceof Error) throw error;
-	else throw new Error(error);
-}
-//#endregion
-export { mcpHandler as n, handleMcpErrors as t };

package/dist/utils-DKBWQ8fe.mjs

@@ -1,492 +0,0 @@
-import { APIError } from "better-call";
-import { decodeBasicCredentials } from "@better-auth/core/oauth2";
-import { constantTimeEqual, makeSignature, symmetricDecrypt, symmetricEncrypt } from "better-auth/crypto";
-import { BetterAuthError } from "@better-auth/core/error";
-import { base64Url } from "@better-auth/utils/base64";
-import { createHash } from "@better-auth/utils/hash";
-//#region src/utils/index.ts
-var TTLCache = class {
-	cache = /* @__PURE__ */ new Map();
-	constructor() {}
-	set(key, value) {
-		this.cache.set(key, value);
-	}
-	get(key) {
-		const entry = this.cache.get(key);
-		if (!entry) return void 0;
-		if (entry.expiresAt && entry.expiresAt < /* @__PURE__ */ new Date()) {
-			this.cache.delete(key);
-			return;
-		}
-		return entry;
-	}
-};
-/**
-* Gets the oAuth Provider Plugin
-* @internal
-*/
-const getOAuthProviderPlugin = (ctx) => {
-	return ctx.getPlugin("oauth-provider");
-};
-/**
-* Gets the JWT Plugin
-* @internal
-*/
-const getJwtPlugin = (ctx) => {
-	const plugin = ctx.getPlugin("jwt");
-	if (!plugin) throw new BetterAuthError("jwt_config");
-	return plugin;
-};
-/**
-* Normalizes timestamp-like values returned by adapters.
-*
-* Accepts Date instances, epoch milliseconds as numbers, and strings that are
-* either ISO dates or numeric millisecond values such as "1774295570569.0".
-*/
-function normalizeTimestampValue(value) {
-	if (value == null) return;
-	if (value instanceof Date) return Number.isFinite(value.getTime()) ? value : void 0;
-	if (typeof value === "number") {
-		if (!Number.isFinite(value)) return;
-		const parsed = new Date(value);
-		return Number.isFinite(parsed.getTime()) ? parsed : void 0;
-	}
-	if (typeof value === "string") {
-		const trimmed = value.trim();
-		if (!trimmed.length) return;
-		const numeric = Number(trimmed);
-		if (Number.isFinite(numeric)) {
-			const parsed = new Date(numeric);
-			return Number.isFinite(parsed.getTime()) ? parsed : void 0;
-		}
-		const parsed = new Date(trimmed);
-		return Number.isFinite(parsed.getTime()) ? parsed : void 0;
-	}
-}
-/**
-* Resolves a session auth time from common adapter return shapes.
-*/
-function resolveSessionAuthTime(value) {
-	if (value instanceof Date) return normalizeTimestampValue(value);
-	if (!value || typeof value !== "object") return normalizeTimestampValue(value);
-	const direct = normalizeTimestampValue(value.createdAt) ?? normalizeTimestampValue(value.created_at);
-	if (direct) return direct;
-	const nested = value.session;
-	if (!nested || typeof nested !== "object") return;
-	return normalizeTimestampValue(nested.createdAt) ?? normalizeTimestampValue(nested.created_at);
-}
-/**
-* Normalizes OAuth resource values into a non-empty string array.
-*/
-function toResourceList(value) {
-	if (typeof value === "string") return [value];
-	if (!value?.length) return void 0;
-	return value;
-}
-/**
-* Normalizes audience values for JWT claims.
-*/
-function toAudienceClaim(audience) {
-	if (typeof audience === "string") return audience;
-	if (!audience?.length) return void 0;
-	return audience.length === 1 ? audience.at(0) : audience;
-}
-/**
-* Checks the resource parameter, if provided,
-* and returns either a valid audience or a tagged validation error.
-*/
-async function checkResource(ctx, opts, resource, scopes) {
-	const normalizedResource = toResourceList(resource);
-	const audience = normalizedResource ? [...normalizedResource] : void 0;
-	if (audience) {
-		const hasOpenId = scopes.includes("openid");
-		const baseUrl = ctx.context.baseURL;
-		const userInfoEndpoint = `${baseUrl}/oauth2/userinfo`;
-		if (hasOpenId && !audience.includes(userInfoEndpoint)) audience.push(userInfoEndpoint);
-		const filteredValidAudiences = opts.validAudiences?.filter((aud) => aud.length);
-		const validAudiences = new Set(filteredValidAudiences?.length ? filteredValidAudiences : [baseUrl]);
-		if (hasOpenId) validAudiences.add(userInfoEndpoint);
-		for (const aud of audience) if (!validAudiences.has(aud)) return {
-			success: false,
-			error: "invalid_resource"
-		};
-	}
-	return {
-		success: true,
-		audience: toAudienceClaim(audience)
-	};
-}
-const cachedTrustedClients = new TTLCache();
-async function verifyOAuthQueryParams(oauth_query, secret) {
-	const queryParams = new URLSearchParams(oauth_query);
-	const sig = queryParams.get("sig");
-	const exp = Number(queryParams.get("exp"));
-	queryParams.delete("sig");
-	const verifySig = await makeSignature(queryParams.toString(), secret);
-	return !!sig && constantTimeEqual(sig, verifySig) && /* @__PURE__ */ new Date(exp * 1e3) >= /* @__PURE__ */ new Date();
-}
-/**
-* Get a client by ID, checking trusted clients first, then database
-*/
-async function getClient(ctx, options, clientId) {
-	const trustedClient = cachedTrustedClients.get(clientId);
-	if (trustedClient) return Object.assign({}, trustedClient);
-	let dbClient = await ctx.context.adapter.findOne({
-		model: options.schema?.oauthClient?.modelName ?? "oauthClient",
-		where: [{
-			field: "clientId",
-			value: clientId
-		}]
-	});
-	const discoveries = toClientDiscoveryArray(options.clientDiscovery);
-	for (const discovery of discoveries) {
-		if (!discovery.matches(clientId)) continue;
-		const resolved = await discovery.resolve(ctx, clientId, dbClient);
-		if (resolved) {
-			dbClient = resolved;
-			break;
-		}
-	}
-	if (dbClient && options.cachedTrustedClients?.has(clientId)) cachedTrustedClients.set(clientId, Object.assign({}, dbClient));
-	return dbClient;
-}
-/**
-* Normalize the `clientDiscovery` option into an array. Accepts a single
-* {@link ClientDiscovery}, an array of them, or `undefined`.
-*
-* @internal
-*/
-function toClientDiscoveryArray(discovery) {
-	if (!discovery) return [];
-	return Array.isArray(discovery) ? discovery : [discovery];
-}
-/**
-* Merge `discoveryMetadata` from every configured {@link ClientDiscovery}
-* into a single object. Entries are spread in order; later entries override
-* earlier ones on key collisions.
-*
-* @internal
-*/
-function mergeDiscoveryMetadata(discovery) {
-	return toClientDiscoveryArray(discovery).reduce((acc, d) => ({
-		...acc,
-		...d.discoveryMetadata ?? {}
-	}), {});
-}
-/**
-* Default client secret hasher using SHA-256
-*
-* @internal
-*/
-const defaultHasher = async (value) => {
-	const hash = await createHash("SHA-256").digest(new TextEncoder().encode(value));
-	return base64Url.encode(new Uint8Array(hash), { padding: false });
-};
-/**
-* Decrypts a storedClientSecret for signing
-*
-* @internal
-*/
-async function decryptStoredClientSecret(ctx, storageMethod, storedClientSecret) {
-	if (storageMethod === "encrypted") return await symmetricDecrypt({
-		key: ctx.context.secretConfig,
-		data: storedClientSecret
-	});
-	else if (typeof storageMethod === "object" && "decrypt" in storageMethod) return await storageMethod.decrypt(storedClientSecret);
-	throw new BetterAuthError(`Unsupported decryption storageMethod type '${storageMethod}'`);
-}
-/**
-* Verify stored client secret against provided client secret
-*
-* @internal
-*/
-async function verifyStoredClientSecret(ctx, opts, storedClientSecret, clientSecret) {
-	const storageMethod = opts.storeClientSecret ?? (opts.disableJwtPlugin ? "encrypted" : "hashed");
-	if (clientSecret && opts.prefix?.clientSecret) if (clientSecret.startsWith(opts.prefix?.clientSecret)) clientSecret = clientSecret.replace(opts.prefix.clientSecret, "");
-	else throw new APIError("UNAUTHORIZED", {
-		error_description: "invalid client_secret",
-		error: "invalid_client"
-	});
-	if (storageMethod === "hashed") {
-		const hashedClientSecret = clientSecret ? await defaultHasher(clientSecret) : void 0;
-		return !!hashedClientSecret && constantTimeEqual(hashedClientSecret, storedClientSecret);
-	} else if (typeof storageMethod === "object" && "hash" in storageMethod) if (storageMethod.verify) return !!clientSecret && await storageMethod.verify(clientSecret, storedClientSecret);
-	else {
-		const hashedClientSecret = clientSecret ? await storageMethod.hash(clientSecret) : void 0;
-		return !!hashedClientSecret && constantTimeEqual(hashedClientSecret, storedClientSecret);
-	}
-	else if (storageMethod === "encrypted") try {
-		const decryptedClientSecret = await decryptStoredClientSecret(ctx, storageMethod, storedClientSecret);
-		return !!clientSecret && constantTimeEqual(decryptedClientSecret, clientSecret);
-	} catch {
-		return false;
-	}
-	else if (typeof storageMethod === "object" && "decrypt" in storageMethod) {
-		const decryptedClientSecret = await decryptStoredClientSecret(ctx, storageMethod, storedClientSecret);
-		return !!clientSecret && constantTimeEqual(decryptedClientSecret, clientSecret);
-	}
-	throw new BetterAuthError(`Unsupported verify storageMethod type '${storageMethod}'`);
-}
-/**
-* Store client secret according to the configured storage method
-*
-* @internal
-*/
-async function storeClientSecret(ctx, opts, clientSecret) {
-	const storageMethod = opts.storeClientSecret ?? (opts.disableJwtPlugin ? "encrypted" : "hashed");
-	if (storageMethod === "encrypted") return await symmetricEncrypt({
-		key: ctx.context.secretConfig,
-		data: clientSecret
-	});
-	else if (storageMethod === "hashed") return await defaultHasher(clientSecret);
-	else if (typeof storageMethod === "object" && "hash" in storageMethod) return await storageMethod.hash(clientSecret);
-	else if (typeof storageMethod === "object" && "encrypt" in storageMethod) return await storageMethod.encrypt(clientSecret);
-	throw new BetterAuthError(`Unsupported storeClientSecret type '${storageMethod}'`);
-}
-/**
-* Stores a token value (ie opaque tokens, refresh tokens, transaction tokens, verification codes)
-* on the database in a secure hashed format.
-*
-* @internal
-*/
-async function storeToken(storageMethod = "hashed", token, type) {
-	if (storageMethod === "hashed") return await defaultHasher(token);
-	else if (typeof storageMethod === "object" && "hash" in storageMethod) return await storageMethod.hash(token, type);
-	throw new BetterAuthError(`storeToken: unsupported storageMethod type '${storageMethod}'`);
-}
-/**
-* Gets a hashed token value to find on the database.
-*
-* @internal
-*/
-async function getStoredToken(storageMethod = "hashed", token, type) {
-	if (storageMethod === "hashed") return await defaultHasher(token);
-	else if (typeof storageMethod === "object" && "hash" in storageMethod) return await storageMethod.hash(token, type);
-	throw new BetterAuthError(`getStoredToken: unsupported storageMethod type '${storageMethod}'`);
-}
-/**
-* Converts a BASIC authorization header
-* into its client_id and client_secret representation
-*
-* @internal
-*/
-const BASIC_SCHEME_PREFIX = /^Basic +/i;
-function basicToClientCredentials(authorization) {
-	if (!BASIC_SCHEME_PREFIX.test(authorization)) return;
-	try {
-		const { clientId, clientSecret } = decodeBasicCredentials(authorization);
-		return {
-			client_id: clientId,
-			client_secret: clientSecret
-		};
-	} catch {
-		throw new APIError("BAD_REQUEST", {
-			error_description: "invalid authorization header format",
-			error: "invalid_client"
-		});
-	}
-}
-/**
-* Validates client credentials failing on mismatches
-* and incorrectly provided information
-*
-* @internal
-*/
-async function validateClientCredentials(ctx, options, clientId, clientSecret, scopes, preVerifiedClient) {
-	const client = preVerifiedClient ?? await getClient(ctx, options, clientId);
-	if (!client) throw new APIError("BAD_REQUEST", {
-		error_description: "missing client",
-		error: "invalid_client"
-	});
-	if (client.disabled) throw new APIError("BAD_REQUEST", {
-		error_description: "client is disabled",
-		error: "invalid_client"
-	});
-	if (client.tokenEndpointAuthMethod === "private_key_jwt" && !preVerifiedClient) throw new APIError("BAD_REQUEST", {
-		error_description: "client registered for private_key_jwt must use client_assertion",
-		error: "invalid_client"
-	});
-	if (!preVerifiedClient) {
-		if (!client.public && !clientSecret) throw new APIError("BAD_REQUEST", {
-			error_description: "client secret must be provided",
-			error: "invalid_client"
-		});
-		if (clientSecret && !client.clientSecret) throw new APIError("BAD_REQUEST", {
-			error_description: "public client, client secret should not be received",
-			error: "invalid_client"
-		});
-		if (clientSecret && !await verifyStoredClientSecret(ctx, options, client.clientSecret, clientSecret)) throw new APIError("UNAUTHORIZED", {
-			error_description: "invalid client_secret",
-			error: "invalid_client"
-		});
-	}
-	if (scopes && client.scopes) {
-		const validScopes = new Set(client.scopes);
-		for (const sc of scopes) if (!validScopes.has(sc)) throw new APIError("BAD_REQUEST", {
-			error_description: `client does not allow scope ${sc}`,
-			error: "invalid_scope"
-		});
-	}
-	return client;
-}
-/**
-* Parse client metadata that may be stored as JSON string or already parsed object.
-* Handles database adapters that auto-parse JSON columns.
-*
-* @internal
-*/
-function parseClientMetadata(metadata) {
-	if (!metadata) return void 0;
-	return typeof metadata === "string" ? JSON.parse(metadata) : metadata;
-}
-/** Unwraps ExtractedCredentials into the fields each grant handler needs. */
-function destructureCredentials(credentials) {
-	return {
-		clientId: credentials?.clientId,
-		clientSecret: credentials?.method === "client_secret_basic" || credentials?.method === "client_secret_post" ? credentials.clientSecret : void 0,
-		preVerifiedClient: credentials?.method === "private_key_jwt" ? credentials.client : void 0
-	};
-}
-/**
-* Extracts and resolves client credentials from the request.
-* Supports: client_secret_basic, client_secret_post, private_key_jwt, and none (public).
-*/
-async function extractClientCredentials(ctx, opts, expectedAudience) {
-	const body = ctx.body ?? {};
-	const authorization = ctx.request?.headers.get("authorization") ?? void 0;
-	if (body.client_assertion_type || body.client_assertion) {
-		if (!body.client_assertion || !body.client_assertion_type) throw new APIError("BAD_REQUEST", {
-			error_description: "client_assertion and client_assertion_type must both be provided",
-			error: "invalid_client"
-		});
-		if (body.client_secret || authorization?.startsWith("Basic ")) throw new APIError("BAD_REQUEST", {
-			error_description: "client_assertion cannot be combined with client_secret or Basic auth",
-			error: "invalid_client"
-		});
-		const { verifyClientAssertion: verify } = await import("./client-assertion-DLMKVgoj.mjs").then((n) => n.t);
-		const result = await verify(ctx, opts, body.client_assertion, body.client_assertion_type, body.client_id, expectedAudience);
-		return {
-			method: "private_key_jwt",
-			clientId: result.clientId,
-			client: result.client
-		};
-	}
-	if (authorization?.startsWith("Basic ")) {
-		const res = basicToClientCredentials(authorization);
-		if (res) return {
-			method: "client_secret_basic",
-			clientId: res.client_id,
-			clientSecret: res.client_secret
-		};
-	}
-	if (body.client_id && body.client_secret) return {
-		method: "client_secret_post",
-		clientId: body.client_id,
-		clientSecret: body.client_secret
-	};
-	if (body.client_id) return {
-		method: "none",
-		clientId: body.client_id
-	};
-	return null;
-}
-/**
-* Parse space-separated prompt string into a set of prompts
-*
-* @param prompt
-*/
-function parsePrompt(prompt) {
-	const prompts = prompt.split(" ").map((p) => p.trim());
-	const set = /* @__PURE__ */ new Set();
-	for (const p of prompts) if (p === "login" || p === "consent" || p === "create" || p === "select_account" || p === "none") set.add(p);
-	return new Set(set);
-}
-/**
-* Extracts the sector identifier (hostname) from a client's first redirect URI.
-*
-* @see https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
-* @internal
-*/
-function getSectorIdentifier(client) {
-	const uri = client.redirectUris?.[0];
-	if (!uri) throw new BetterAuthError("Client has no redirect URIs for sector identifier");
-	return new URL(uri).host;
-}
-/**
-* Computes a pairwise subject identifier using HMAC-SHA256.
-*
-* @see https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
-* @internal
-*/
-async function computePairwiseSub(userId, client, secret) {
-	return makeSignature(`${getSectorIdentifier(client)}.${userId}`, secret);
-}
-/**
-* Returns the appropriate subject identifier for a user+client pair.
-* Uses pairwise when the client opts in and the server has a secret configured.
-*
-* @internal
-*/
-async function resolveSubjectIdentifier(userId, client, opts) {
-	if (client.subjectType === "pairwise" && opts.pairwiseSecret) return computePairwiseSub(userId, client, opts.pairwiseSecret);
-	return userId;
-}
-/**
-* Converts URLSearchParams to a plain object, preserving
-* multi-valued keys as arrays instead of discarding duplicates.
-*/
-function searchParamsToQuery(params) {
-	const result = Object.create(null);
-	for (const key of new Set(params.keys())) {
-		const values = params.getAll(key);
-		result[key] = values.length === 1 ? values[0] : values;
-	}
-	return result;
-}
-const signedQueryIssuedAtParam = "ba_iat";
-const postLoginClearedParam = "ba_pl";
-function getSignedQueryIssuedAt(oauthQuery) {
-	const raw = new URLSearchParams(oauthQuery).get(signedQueryIssuedAtParam);
-	if (!raw) return null;
-	const issuedAt = Number(raw);
-	if (!Number.isFinite(issuedAt) || issuedAt <= 0) return null;
-	return new Date(issuedAt);
-}
-function removePromptFromQuery(query, prompt) {
-	const nextQuery = new URLSearchParams(query);
-	const prompts = nextQuery.get("prompt")?.split(" ");
-	const foundPrompt = prompts?.findIndex((v) => v === prompt) ?? -1;
-	if (foundPrompt >= 0) {
-		prompts?.splice(foundPrompt, 1);
-		prompts?.length ? nextQuery.set("prompt", prompts.join(" ")) : nextQuery.delete("prompt");
-	}
-	return nextQuery;
-}
-var PKCERequirementErrors = /* @__PURE__ */ function(PKCERequirementErrors) {
-	PKCERequirementErrors["PUBLIC_CLIENT"] = "pkce is required for public clients";
-	PKCERequirementErrors["OFFLINE_ACCESS_SCOPE"] = "pkce is required when requesting offline_access scope";
-	PKCERequirementErrors["CLIENT_REQUIRE_PKCE"] = "pkce is required for this client";
-	return PKCERequirementErrors;
-}(PKCERequirementErrors || {});
-/**
-* Determines if PKCE is required for a given client and scope.
-*
-* PKCE is always required for:
-* 1. Public clients (cannot securely store client_secret)
-* 2. Requests with offline_access scope (refresh token security)
-*
-* For confidential clients without offline_access:
-* - Uses client.requirePKCE if set (defaults to true)
-*
-* Returns false if PKCE is not required, or the reason it is required.
-*
-* @internal
-*/
-function isPKCERequired(client, requestedScopes) {
-	if (client.tokenEndpointAuthMethod === "none" || client.type === "native" || client.type === "user-agent-based" || client.public === true) return PKCERequirementErrors.PUBLIC_CLIENT;
-	if (requestedScopes?.includes("offline_access")) return PKCERequirementErrors.OFFLINE_ACCESS_SCOPE;
-	if (client.requirePKCE ?? true) return PKCERequirementErrors.CLIENT_REQUIRE_PKCE;
-	return false;
-}
-//#endregion
-export { toAudienceClaim as C, verifyOAuthQueryParams as D, validateClientCredentials as E, storeToken as S, toResourceList as T, resolveSessionAuthTime as _, getClient as a, signedQueryIssuedAtParam as b, getSignedQueryIssuedAt as c, mergeDiscoveryMetadata as d, normalizeTimestampValue as f, removePromptFromQuery as g, postLoginClearedParam as h, extractClientCredentials as i, getStoredToken as l, parsePrompt as m, decryptStoredClientSecret as n, getJwtPlugin as o, parseClientMetadata as p, destructureCredentials as r, getOAuthProviderPlugin as s, checkResource as t, isPKCERequired as u, resolveSubjectIdentifier as v, toClientDiscoveryArray as w, storeClientSecret as x, searchParamsToQuery as y };