@better-auth/oauth-provider 1.7.0-beta.5 → 1.7.0-beta.7

@@ -1,9 +1,9 @@
1
- import { a as OAuthClient, c as TokenEndpointAuthMethod, f as OAuthConsent, g as Prompt, i as GrantType, m as OAuthOptions, t as AuthMethod, v as Scope } from "./oauth-BXrYl5x6.mjs";
1
+ import { C as OAuthConsent, F as OAuthTokenResponse, L as Prompt, M as OAuthResource, O as OAuthOptions, a as GrantType, l as TokenEndpointAuthMethod, n as AuthServerMetadata, o as OAuthClient, z as Scope } from "./oauth-CPWY2Few.mjs";
2
2
  import * as better_call0 from "better-call";
3
3
  import * as z from "zod";
4
- import * as better_auth_plugins0 from "better-auth/plugins";
5
4
  import * as jose from "jose";
6
- import { GenericEndpointContext } from "@better-auth/core";
5
+ import * as better_auth_plugins0 from "better-auth/plugins";
6
+ import { AuthContext, GenericEndpointContext } from "@better-auth/core";
7
7
  import * as better_auth0 from "better-auth";
8
8
 
9
9
  //#region src/oauth-endpoint.d.ts
@@ -41,8 +41,18 @@ type OAuthRedirectResult = {
41
41
  redirect: true;
42
42
  url: string;
43
43
  };
44
+ /**
45
+ * Gets the issuer identifier
46
+ */
47
+ declare function getIssuer(ctx: GenericEndpointContext, opts: OAuthOptions<Scope[]>): string;
44
48
  //#endregion
45
49
  //#region src/oauth.d.ts
50
+ /**
51
+ * Default scopes advertised and accepted when a configuration sets none. Shared
52
+ * with the MCP preset so the resource metadata it serves matches what the
53
+ * authorization-server metadata advertises.
54
+ */
55
+ declare const DEFAULT_OAUTH_SCOPES: readonly ["openid", "profile", "email", "offline_access"];
46
56
  declare module "@better-auth/core" {
47
57
  interface BetterAuthPluginRegistry<AuthOptions, Options> {
48
58
  "oauth-provider": {
@@ -71,7 +81,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
71
81
  } | {
72
82
  request: Request;
73
83
  } | void>;
74
- init: (ctx: better_auth0.AuthContext) => {
84
+ init: (ctx: better_auth0.AuthContext) => Promise<{
75
85
  options: {
76
86
  databaseHooks: {
77
87
  session: {
@@ -90,7 +100,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
90
100
  };
91
101
  };
92
102
  };
93
- };
103
+ }>;
94
104
  hooks: {
95
105
  before: {
96
106
  matcher(ctx: better_auth0.HookEndpointContext): any;
@@ -114,68 +124,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
114
124
  metadata: {
115
125
  SERVER_ONLY: true;
116
126
  };
117
- }, {
118
- jwks_uri?: string | undefined;
119
- userinfo_endpoint: string;
120
- acr_values_supported: string[];
121
- subject_types_supported: ("public" | "pairwise")[];
122
- claims_supported: string[];
123
- end_session_endpoint: string;
124
- prompt_values_supported: Prompt[];
125
- issuer: string;
126
- authorization_endpoint: string;
127
- token_endpoint: string;
128
- registration_endpoint?: string | undefined;
129
- scopes_supported?: string[] | undefined;
130
- response_types_supported: "code"[];
131
- response_modes_supported: "query"[];
132
- grant_types_supported: GrantType[];
133
- token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
134
- token_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
135
- service_documentation?: string | undefined;
136
- ui_locales_supported?: string[] | undefined;
137
- op_policy_uri?: string | undefined;
138
- op_tos_uri?: string | undefined;
139
- revocation_endpoint?: string | undefined;
140
- revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
141
- revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
142
- introspection_endpoint?: string | undefined;
143
- introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
144
- introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
145
- code_challenge_methods_supported: "S256"[];
146
- authorization_response_iss_parameter_supported?: boolean | undefined;
147
- client_id_metadata_document_supported?: boolean | undefined;
148
- backchannel_logout_supported?: boolean | undefined;
149
- backchannel_logout_session_supported?: boolean | undefined;
150
- id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
151
- } | {
152
- issuer: string;
153
- authorization_endpoint: string;
154
- token_endpoint: string;
155
- jwks_uri?: string;
156
- registration_endpoint?: string;
157
- scopes_supported?: string[];
158
- response_types_supported: "code"[];
159
- response_modes_supported: "query"[];
160
- grant_types_supported: GrantType[];
161
- token_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[];
162
- token_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[];
163
- service_documentation?: string;
164
- ui_locales_supported?: string[];
165
- op_policy_uri?: string;
166
- op_tos_uri?: string;
167
- revocation_endpoint?: string;
168
- revocation_endpoint_auth_methods_supported?: AuthMethod[];
169
- revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[];
170
- introspection_endpoint?: string;
171
- introspection_endpoint_auth_methods_supported?: AuthMethod[];
172
- introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[];
173
- code_challenge_methods_supported: "S256"[];
174
- authorization_response_iss_parameter_supported?: boolean;
175
- client_id_metadata_document_supported?: boolean;
176
- backchannel_logout_supported?: boolean;
177
- backchannel_logout_session_supported?: boolean;
178
- }>;
127
+ }, AuthServerMetadata>;
179
128
  /**
180
129
  * A server-only endpoint that helps provide the
181
130
  * OpenId configuration at the well-known endpoint.
@@ -211,16 +160,17 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
211
160
  op_policy_uri?: string | undefined;
212
161
  op_tos_uri?: string | undefined;
213
162
  revocation_endpoint?: string | undefined;
214
- revocation_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
163
+ revocation_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
215
164
  revocation_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
216
165
  introspection_endpoint?: string | undefined;
217
- introspection_endpoint_auth_methods_supported?: AuthMethod[] | undefined;
166
+ introspection_endpoint_auth_methods_supported?: TokenEndpointAuthMethod[] | undefined;
218
167
  introspection_endpoint_auth_signing_alg_values_supported?: better_auth0.PrivateKeyJwtSigningAlgorithm[] | undefined;
219
168
  code_challenge_methods_supported: "S256"[];
220
169
  authorization_response_iss_parameter_supported?: boolean | undefined;
221
170
  client_id_metadata_document_supported?: boolean | undefined;
222
171
  backchannel_logout_supported?: boolean | undefined;
223
172
  backchannel_logout_session_supported?: boolean | undefined;
173
+ dpop_signing_alg_values_supported?: better_auth_plugins0.JWSAlgorithms[] | undefined;
224
174
  id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
225
175
  }>;
226
176
  oauth2Authorize: better_call0.StrictEndpoint<"/oauth2/authorize", {
@@ -246,6 +196,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
246
196
  S256: "S256";
247
197
  }>>>;
248
198
  nonce: z.ZodOptional<z.ZodString>;
199
+ dpop_jkt: z.ZodOptional<z.ZodString>;
249
200
  resource: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
250
201
  }, z.core.$loose>;
251
202
  redirectOnError: OAuthRedirectOnError<GenericEndpointContext, OAuthRedirectResult>;
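Review bot: The new `dpop_jkt` authorize parameter is typed as an arbitrary optional string, and nothing in this declaration shows a format check or that the value is bound to the issued code. A JWK SHA-256 thumbprint is a 43-character base64url string, so the source schema could reject anything else up front, for example `dpop_jkt: z.string().regex(/^[A-Za-z0-9_-]{43}$/).optional()`. The token endpoint should then compare the stored value with the thumbprint of the key in the DPoP proof before redeeming the code. A refinement would not show up in a `.d.ts`, so this may already exist and is worth confirming in the source. The `oauth2Authorize` query schema starts outside this hunk.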
@@ -475,12 +426,9 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
475
426
  }, OAuthRedirectResult>;
476
427
  oauth2Token: better_call0.StrictEndpoint<"/oauth2/token", {
477
428
  method: "POST";
429
+ cloneRequest: true;
478
430
  body: z.ZodObject<{
479
- grant_type: z.ZodPipe<z.ZodString, z.ZodEnum<{
480
- authorization_code: "authorization_code";
481
- client_credentials: "client_credentials";
482
- refresh_token: "refresh_token";
483
- }>>;
431
+ grant_type: z.ZodString;
484
432
  client_id: z.ZodOptional<z.ZodString>;
485
433
  client_secret: z.ZodOptional<z.ZodString>;
486
434
  client_assertion: z.ZodOptional<z.ZodString>;
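Review bot: `grant_type` on `/oauth2/token` is now a bare `z.ZodString`, so the body schema no longer restricts it to `authorization_code`, `client_credentials` and `refresh_token`. The next hunk also switches the same body from `z.core.$strip` to `z.core.$loose`, so unrecognised body fields now reach the handler instead of being dropped. This is presumably meant to allow extension grants, but the declaration does not show where the allowlist now lives. The handler should reject any grant type that is not explicitly enabled with `unsupported_grant_type` and read only named fields from the loose body. A field comment such as `/** Checked against the enabled grant types in the handler, not by this schema. */` would make that contract visible; the `oauth2Token` definition starts and ends outside this hunk.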
@@ -491,7 +439,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
491
439
  refresh_token: z.ZodOptional<z.ZodString>;
492
440
  resource: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
493
441
  scope: z.ZodOptional<z.ZodString>;
494
- }, z.core.$strip>;
442
+ }, z.core.$loose>;
495
443
  errorCodesByField: {
496
444
  grant_type: {
497
445
  missing: "invalid_request";
@@ -502,9 +450,19 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
502
450
  };
503
451
  };
504
452
  metadata: {
453
+ noStore: boolean;
505
454
  allowedMediaTypes: string[];
506
455
  openapi: {
507
456
  description: string;
457
+ parameters: {
458
+ name: string;
459
+ in: "header";
460
+ required: false;
461
+ schema: {
462
+ type: "string";
463
+ };
464
+ description: string;
465
+ }[];
508
466
  requestBody: {
509
467
  required: boolean;
510
468
  content: {
@@ -514,7 +472,6 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
514
472
  properties: {
515
473
  grant_type: {
516
474
  type: string;
517
- enum: string[];
518
475
  description: string;
519
476
  };
520
477
  client_id: {
@@ -630,15 +587,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
630
587
  };
631
588
  };
632
589
  };
633
- }, {
634
- access_token: string;
635
- expires_in: number;
636
- expires_at: number;
637
- token_type: "Bearer";
638
- refresh_token: string | undefined;
639
- scope: string;
640
- id_token: string | undefined;
641
- }>;
590
+ }, OAuthTokenResponse>;
642
591
  oauth2Introspect: better_call0.StrictEndpoint<"/oauth2/introspect", {
643
592
  method: "POST";
644
593
  body: z.ZodObject<{
@@ -650,6 +599,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
650
599
  token_type_hint: z.ZodOptional<z.ZodString>;
651
600
  }, z.core.$strip>;
652
601
  metadata: {
602
+ noStore: boolean;
653
603
  allowedMediaTypes: string[];
654
604
  openapi: {
655
605
  description: string;
@@ -854,6 +804,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
854
804
  oauth2UserInfo: better_call0.StrictEndpoint<"/oauth2/userinfo", {
855
805
  method: ("GET" | "POST")[];
856
806
  metadata: {
807
+ noStore: boolean;
857
808
  openapi: {
858
809
  description: string;
859
810
  security: ({
@@ -964,13 +915,13 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
964
915
  };
965
916
  };
966
917
  }, {
918
+ sub: string;
967
919
  email?: string | undefined;
968
920
  email_verified?: boolean | undefined;
969
921
  name?: string | undefined;
970
922
  picture?: string | undefined;
971
923
  given_name?: string | undefined;
972
924
  family_name?: string | undefined;
973
- sub: string;
974
925
  }>;
975
926
  oauth2EndSession: better_call0.StrictEndpoint<"/oauth2/end-session", {
976
927
  method: "GET";
@@ -1012,7 +963,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1012
963
  registerOAuthClient: better_call0.StrictEndpoint<"/oauth2/register", {
1013
964
  method: "POST";
1014
965
  body: z.ZodObject<{
1015
- redirect_uris: z.ZodArray<z.ZodURL>;
966
+ redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1016
967
  scope: z.ZodOptional<z.ZodString>;
1017
968
  client_name: z.ZodOptional<z.ZodString>;
1018
969
  client_uri: z.ZodOptional<z.ZodString>;
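Review bot: `redirect_uris` on `/oauth2/register` becomes optional here, so the schema alone now accepts a client with no registered redirect URI; the same change is made to `adminCreateOAuthClient` and to the third client-creation body later in the diff. That fits clients limited to `client_credentials`, but a client that can use `authorization_code` still needs at least one URI, otherwise the authorize endpoint has nothing to match `redirect_uri` against. The runtime check is not visible in this declaration; if it exists, say so on the field, e.g. `/** Required when grant_types includes authorization_code; enforced in the handler. */`. The `registerOAuthClient` body continues outside this hunk.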
@@ -1026,24 +977,15 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1026
977
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1027
978
  backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
1028
979
  backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
1029
- token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
1030
- none: "none";
1031
- client_secret_basic: "client_secret_basic";
1032
- client_secret_post: "client_secret_post";
1033
- private_key_jwt: "private_key_jwt";
1034
- }>>>;
980
+ token_endpoint_auth_method: z.ZodOptional<z.ZodString>;
1035
981
  jwks: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>, z.ZodObject<{
1036
982
  keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
1037
983
  }, z.core.$strip>]>>;
1038
984
  jwks_uri: z.ZodOptional<z.ZodString>;
1039
- grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
1040
- authorization_code: "authorization_code";
1041
- client_credentials: "client_credentials";
1042
- refresh_token: "refresh_token";
1043
- }>>>>;
1044
- response_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
985
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
986
+ response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1045
987
  code: "code";
1046
- }>>>>;
988
+ }>>>;
1047
989
  type: z.ZodOptional<z.ZodEnum<{
1048
990
  web: "web";
1049
991
  native: "native";
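Review bot: `token_endpoint_auth_method` and `grant_types` lose both their `ZodEnum` allowlist and their `ZodDefault` wrapper in this hunk, so the schema no longer normalises an omitted or unknown value; the same applies to the matching hunks for `adminCreateOAuthClient` and the later client-creation body. On the dynamic-registration endpoint these values come from the registering party. The handler therefore has to apply the defaults itself and reject unsupported values with `invalid_client_metadata` rather than store them, and a stored method it does not recognise must never be treated like `none`. None of this is visible from the types, so confirm it in the source with a test that registers a client using an unknown `token_endpoint_auth_method`.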
@@ -1053,19 +995,23 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1053
995
  public: "public";
1054
996
  pairwise: "pairwise";
1055
997
  }>>;
998
+ dpop_bound_access_tokens: z.ZodOptional<z.ZodBoolean>;
999
+ resources: z.ZodOptional<z.ZodArray<z.ZodString>>;
1056
1000
  skip_consent: z.ZodOptional<z.ZodNever>;
1057
1001
  }, z.core.$strip>;
1058
1002
  errorCodesByField: {
1059
1003
  redirect_uris: "invalid_redirect_uri";
1060
1004
  post_logout_redirect_uris: "invalid_redirect_uri";
1061
1005
  software_statement: "invalid_software_statement";
1006
+ resources: "invalid_target";
1062
1007
  };
1063
1008
  defaultError: "invalid_client_metadata";
1064
1009
  metadata: {
1010
+ noStore: boolean;
1065
1011
  openapi: {
1066
1012
  description: string;
1067
1013
  responses: {
1068
- "200": {
1014
+ "201": {
1069
1015
  description: string;
1070
1016
  content: {
1071
1017
  "application/json": {
@@ -1163,13 +1109,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1163
1109
  token_endpoint_auth_method: {
1164
1110
  type: string;
1165
1111
  description: string;
1166
- enum: string[];
1167
1112
  };
1168
1113
  grant_types: {
1169
1114
  type: string;
1170
1115
  items: {
1171
1116
  type: string;
1172
- enum: string[];
1173
1117
  };
1174
1118
  description: string;
1175
1119
  };
@@ -1207,7 +1151,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1207
1151
  adminCreateOAuthClient: better_call0.StrictEndpoint<"/admin/oauth2/create-client", {
1208
1152
  method: "POST";
1209
1153
  body: z.ZodObject<{
1210
- redirect_uris: z.ZodArray<z.ZodURL>;
1154
+ redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1211
1155
  scope: z.ZodOptional<z.ZodString>;
1212
1156
  client_name: z.ZodOptional<z.ZodString>;
1213
1157
  client_uri: z.ZodOptional<z.ZodString>;
@@ -1221,24 +1165,15 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1221
1165
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1222
1166
  backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
1223
1167
  backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
1224
- token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
1225
- none: "none";
1226
- client_secret_basic: "client_secret_basic";
1227
- client_secret_post: "client_secret_post";
1228
- private_key_jwt: "private_key_jwt";
1229
- }>>>;
1168
+ token_endpoint_auth_method: z.ZodOptional<z.ZodString>;
1230
1169
  jwks: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>, z.ZodObject<{
1231
1170
  keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
1232
1171
  }, z.core.$strip>]>>;
1233
1172
  jwks_uri: z.ZodOptional<z.ZodString>;
1234
- grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
1235
- authorization_code: "authorization_code";
1236
- client_credentials: "client_credentials";
1237
- refresh_token: "refresh_token";
1238
- }>>>>;
1239
- response_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
1173
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
1174
+ response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1240
1175
  code: "code";
1241
- }>>>>;
1176
+ }>>>;
1242
1177
  type: z.ZodOptional<z.ZodEnum<{
1243
1178
  web: "web";
1244
1179
  native: "native";
@@ -1248,6 +1183,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1248
1183
  skip_consent: z.ZodOptional<z.ZodBoolean>;
1249
1184
  enable_end_session: z.ZodOptional<z.ZodBoolean>;
1250
1185
  require_pkce: z.ZodOptional<z.ZodBoolean>;
1186
+ dpop_bound_access_tokens: z.ZodOptional<z.ZodBoolean>;
1251
1187
  subject_type: z.ZodOptional<z.ZodEnum<{
1252
1188
  public: "public";
1253
1189
  pairwise: "pairwise";
@@ -1255,11 +1191,12 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1255
1191
  metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
1256
1192
  }, z.core.$strip>;
1257
1193
  metadata: {
1194
+ noStore: boolean;
1258
1195
  SERVER_ONLY: true;
1259
1196
  openapi: {
1260
1197
  description: string;
1261
1198
  responses: {
1262
- "200": {
1199
+ "201": {
1263
1200
  description: string;
1264
1201
  content: {
1265
1202
  "application/json": {
@@ -1340,13 +1277,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1340
1277
  token_endpoint_auth_method: {
1341
1278
  type: string;
1342
1279
  description: string;
1343
- enum: string[];
1344
1280
  };
1345
1281
  grant_types: {
1346
1282
  type: string;
1347
1283
  items: {
1348
1284
  type: string;
1349
- enum: string[];
1350
1285
  };
1351
1286
  description: string;
1352
1287
  };
@@ -1418,7 +1353,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1418
1353
  };
1419
1354
  }>)[];
1420
1355
  body: z.ZodObject<{
1421
- redirect_uris: z.ZodArray<z.ZodURL>;
1356
+ redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1422
1357
  scope: z.ZodOptional<z.ZodString>;
1423
1358
  client_name: z.ZodOptional<z.ZodString>;
1424
1359
  client_uri: z.ZodOptional<z.ZodString>;
@@ -1432,35 +1367,28 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1432
1367
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1433
1368
  backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
1434
1369
  backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
1435
- token_endpoint_auth_method: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
1436
- none: "none";
1437
- client_secret_basic: "client_secret_basic";
1438
- client_secret_post: "client_secret_post";
1439
- private_key_jwt: "private_key_jwt";
1440
- }>>>;
1370
+ token_endpoint_auth_method: z.ZodOptional<z.ZodString>;
1441
1371
  jwks: z.ZodOptional<z.ZodUnion<readonly [z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>, z.ZodObject<{
1442
1372
  keys: z.ZodArray<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
1443
1373
  }, z.core.$strip>]>>;
1444
1374
  jwks_uri: z.ZodOptional<z.ZodString>;
1445
- grant_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
1446
- authorization_code: "authorization_code";
1447
- client_credentials: "client_credentials";
1448
- refresh_token: "refresh_token";
1449
- }>>>>;
1450
- response_types: z.ZodOptional<z.ZodDefault<z.ZodArray<z.ZodEnum<{
1375
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
1376
+ response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1451
1377
  code: "code";
1452
- }>>>>;
1378
+ }>>>;
1453
1379
  type: z.ZodOptional<z.ZodEnum<{
1454
1380
  web: "web";
1455
1381
  native: "native";
1456
1382
  "user-agent-based": "user-agent-based";
1457
1383
  }>>;
1384
+ dpop_bound_access_tokens: z.ZodOptional<z.ZodBoolean>;
1458
1385
  }, z.core.$strip>;
1459
1386
  metadata: {
1387
+ noStore: boolean;
1460
1388
  openapi: {
1461
1389
  description: string;
1462
1390
  responses: {
1463
- "200": {
1391
+ "201": {
1464
1392
  description: string;
1465
1393
  content: {
1466
1394
  "application/json": {
@@ -1541,13 +1469,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1541
1469
  token_endpoint_auth_method: {
1542
1470
  type: string;
1543
1471
  description: string;
1544
- enum: string[];
1545
1472
  };
1546
1473
  grant_types: {
1547
1474
  type: string;
1548
1475
  items: {
1549
1476
  type: string;
1550
- enum: string[];
1551
1477
  };
1552
1478
  description: string;
1553
1479
  };
@@ -1719,11 +1645,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1719
1645
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1720
1646
  backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
1721
1647
  backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
1722
- grant_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1723
- authorization_code: "authorization_code";
1724
- client_credentials: "client_credentials";
1725
- refresh_token: "refresh_token";
1726
- }>>>;
1648
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
1727
1649
  response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1728
1650
  code: "code";
1729
1651
  }>>>;
@@ -1735,6 +1657,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1735
1657
  client_secret_expires_at: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodNumber]>>;
1736
1658
  skip_consent: z.ZodOptional<z.ZodBoolean>;
1737
1659
  enable_end_session: z.ZodOptional<z.ZodBoolean>;
1660
+ dpop_bound_access_tokens: z.ZodOptional<z.ZodBoolean>;
1738
1661
  metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
1739
1662
  }, z.core.$strip>;
1740
1663
  }, z.core.$strip>;
@@ -1787,11 +1710,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1787
1710
  post_logout_redirect_uris: z.ZodOptional<z.ZodArray<z.ZodURL>>;
1788
1711
  backchannel_logout_uri: z.ZodOptional<z.ZodURL>;
1789
1712
  backchannel_logout_session_required: z.ZodOptional<z.ZodBoolean>;
1790
- grant_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1791
- authorization_code: "authorization_code";
1792
- client_credentials: "client_credentials";
1793
- refresh_token: "refresh_token";
1794
- }>>>;
1713
+ grant_types: z.ZodOptional<z.ZodArray<z.ZodString>>;
1795
1714
  response_types: z.ZodOptional<z.ZodArray<z.ZodEnum<{
1796
1715
  code: "code";
1797
1716
  }>>>;
@@ -1837,6 +1756,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
1837
1756
  client_id: z.ZodString;
1838
1757
  }, z.core.$strip>;
1839
1758
  metadata: {
1759
+ noStore: boolean;
1840
1760
  openapi: {
1841
1761
  description: string;
1842
1762
  };
@@ -2012,6 +1932,92 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2012
1932
  };
2013
1933
  };
2014
1934
  }, void>;
1935
+ adminCreateOAuthResource: better_call0.StrictEndpoint<"/admin/oauth2/resources", {
1936
+ method: "POST";
1937
+ body: z.ZodObject<{
1938
+ identifier: z.ZodNonOptional<z.ZodOptional<z.ZodString>>;
1939
+ name: z.ZodOptional<z.ZodString>;
1940
+ accessTokenTtl: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
1941
+ refreshTokenTtl: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
1942
+ signingAlgorithm: z.ZodOptional<z.ZodNullable<z.ZodEnum<{
1943
+ RS256: "RS256";
1944
+ PS256: "PS256";
1945
+ ES256: "ES256";
1946
+ ES512: "ES512";
1947
+ EdDSA: "EdDSA";
1948
+ }>>>;
1949
+ signingKeyId: z.ZodOptional<z.ZodNullable<z.ZodString>>;
1950
+ allowedScopes: z.ZodOptional<z.ZodNullable<z.ZodArray<z.ZodString>>>;
1951
+ customClaims: z.ZodOptional<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
1952
+ dpopBoundAccessTokensRequired: z.ZodOptional<z.ZodBoolean>;
1953
+ disabled: z.ZodOptional<z.ZodBoolean>;
1954
+ metadata: z.ZodOptional<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
1955
+ }, z.core.$strip>;
1956
+ metadata: {
1957
+ SERVER_ONLY: true;
1958
+ };
1959
+ }, OAuthResource>;
1960
+ adminListOAuthResources: better_call0.StrictEndpoint<"/admin/oauth2/resources", {
1961
+ method: "GET";
1962
+ metadata: {
1963
+ SERVER_ONLY: true;
1964
+ };
1965
+ }, OAuthResource[]>;
1966
+ adminGetOAuthResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier", {
1967
+ method: "GET";
1968
+ metadata: {
1969
+ SERVER_ONLY: true;
1970
+ };
1971
+ }, OAuthResource>;
1972
+ adminUpdateOAuthResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier", {
1973
+ method: "PATCH";
1974
+ body: z.ZodObject<{
1975
+ identifier: z.ZodOptional<z.ZodString>;
1976
+ name: z.ZodOptional<z.ZodString>;
1977
+ accessTokenTtl: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
1978
+ refreshTokenTtl: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
1979
+ signingAlgorithm: z.ZodOptional<z.ZodNullable<z.ZodEnum<{
1980
+ RS256: "RS256";
1981
+ PS256: "PS256";
1982
+ ES256: "ES256";
1983
+ ES512: "ES512";
1984
+ EdDSA: "EdDSA";
1985
+ }>>>;
1986
+ signingKeyId: z.ZodOptional<z.ZodNullable<z.ZodString>>;
1987
+ allowedScopes: z.ZodOptional<z.ZodNullable<z.ZodArray<z.ZodString>>>;
1988
+ customClaims: z.ZodOptional<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
1989
+ dpopBoundAccessTokensRequired: z.ZodOptional<z.ZodBoolean>;
1990
+ disabled: z.ZodOptional<z.ZodBoolean>;
1991
+ metadata: z.ZodOptional<z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
1992
+ }, z.core.$strip>;
1993
+ metadata: {
1994
+ SERVER_ONLY: true;
1995
+ };
1996
+ }, OAuthResource>;
1997
+ adminDeleteOAuthResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier", {
1998
+ method: "DELETE";
1999
+ metadata: {
2000
+ SERVER_ONLY: true;
2001
+ };
2002
+ }, {
2003
+ deleted: boolean;
2004
+ }>;
2005
+ adminLinkClientResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier/clients/:client_id", {
2006
+ method: "POST";
2007
+ metadata: {
2008
+ SERVER_ONLY: true;
2009
+ };
2010
+ }, {
2011
+ linked: boolean;
2012
+ }>;
2013
+ adminUnlinkClientResource: better_call0.StrictEndpoint<"/admin/oauth2/resources/:identifier/clients/:client_id", {
2014
+ method: "DELETE";
2015
+ metadata: {
2016
+ SERVER_ONLY: true;
2017
+ };
2018
+ }, {
2019
+ unlinked: boolean;
2020
+ }>;
2015
2021
  };
2016
2022
  schema: {
2017
2023
  oauthClient: {
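Review bot: The new resource endpoints accept `customClaims` as a record of unknown values and `accessTokenTtl`/`refreshTokenTtl` as plain numbers, and nothing in these types shows that registered claims or non-positive lifetimes are excluded. If `customClaims` is merged into issued tokens, keys such as `iss`, `sub`, `aud`, `exp` and `cnf` should be refused, or applied before the server-set claims so they cannot override them; the TTLs should be bounded positive integers. `adminUpdateOAuthResource` also takes `identifier` in the body while the path already carries `:identifier`, so what a rename does to tokens issued for the old identifier should be documented. All seven endpoints are marked `SERVER_ONLY` but none has a doc comment; a one-line TSDoc on each stating the intended caller would match the documented endpoints elsewhere in this file.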
@@ -2148,6 +2154,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2148
2154
  type: "boolean";
2149
2155
  required: false;
2150
2156
  };
2157
+ dpopBoundAccessTokens: {
2158
+ type: "boolean";
2159
+ required: false;
2160
+ defaultValue: false;
2161
+ };
2151
2162
  referenceId: {
2152
2163
  type: "string";
2153
2164
  required: false;
@@ -2158,6 +2169,104 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2158
2169
  };
2159
2170
  };
2160
2171
  };
2172
+ oauthResource: {
2173
+ modelName: string;
2174
+ fields: {
2175
+ identifier: {
2176
+ type: "string";
2177
+ required: true;
2178
+ unique: true;
2179
+ };
2180
+ name: {
2181
+ type: "string";
2182
+ required: true;
2183
+ };
2184
+ accessTokenTtl: {
2185
+ type: "number";
2186
+ required: false;
2187
+ };
2188
+ refreshTokenTtl: {
2189
+ type: "number";
2190
+ required: false;
2191
+ };
2192
+ signingAlgorithm: {
2193
+ type: "string";
2194
+ required: false;
2195
+ };
2196
+ signingKeyId: {
2197
+ type: "string";
2198
+ required: false;
2199
+ };
2200
+ allowedScopes: {
2201
+ type: "string[]";
2202
+ required: false;
2203
+ };
2204
+ customClaims: {
2205
+ type: "json";
2206
+ required: false;
2207
+ };
2208
+ dpopBoundAccessTokensRequired: {
2209
+ type: "boolean";
2210
+ required: false;
2211
+ defaultValue: false;
2212
+ };
2213
+ disabled: {
2214
+ type: "boolean";
2215
+ required: false;
2216
+ defaultValue: false;
2217
+ };
2218
+ createdAt: {
2219
+ type: "date";
2220
+ required: false;
2221
+ };
2222
+ updatedAt: {
2223
+ type: "date";
2224
+ required: false;
2225
+ };
2226
+ policyVersion: {
2227
+ type: "number";
2228
+ required: false;
2229
+ defaultValue: number;
2230
+ };
2231
+ metadata: {
2232
+ type: "json";
2233
+ required: false;
2234
+ };
2235
+ };
2236
+ };
2237
+ oauthClientResource: {
2238
+ modelName: string;
2239
+ fields: {
2240
+ clientId: {
2241
+ type: "string";
2242
+ required: true;
2243
+ references: {
2244
+ model: string;
2245
+ field: string;
2246
+ onDelete: "cascade";
2247
+ };
2248
+ index: true;
2249
+ };
2250
+ resourceId: {
2251
+ type: "string";
2252
+ required: true;
2253
+ references: {
2254
+ model: string;
2255
+ field: string;
2256
+ onDelete: "cascade";
2257
+ };
2258
+ index: true;
2259
+ };
2260
+ metadata: {
2261
+ type: "json";
2262
+ required: false;
2263
+ };
2264
+ createdAt: {
2265
+ type: "date";
2266
+ required: false;
2267
+ };
2268
+ };
2269
+ };
2161
2270
  oauthRefreshToken: {
2162
2271
  fields: {
2163
2272
  token: {
@@ -2215,6 +2324,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2215
2324
  type: "date";
2216
2325
  required: false;
2217
2326
  };
2327
+ confirmation: {
2328
+ type: "json";
2329
+ required: false;
2330
+ };
2218
2331
  scopes: {
2219
2332
  type: "string[]";
2220
2333
  required: true;
@@ -2283,6 +2396,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2283
2396
  type: "date";
2284
2397
  required: false;
2285
2398
  };
2399
+ confirmation: {
2400
+ type: "json";
2401
+ required: false;
2402
+ };
2286
2403
  scopes: {
2287
2404
  type: "string[]";
2288
2405
  required: true;
@@ -2367,4 +2484,4 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
2367
2484
  })[];
2368
2485
  };
2369
2486
  //#endregion
2370
- export { OAuthErrorCode as a, OAuthRedirectOnError as c, OAuthEndpointRedirectContext as i, oauthProvider as n, OAuthFieldErrorCode as o, OAuthEndpointErrorResult as r, OAuthFieldErrorCodeMap as s, getOAuthProviderState as t };
2487
+ export { OAuthEndpointErrorResult as a, OAuthFieldErrorCode as c, getIssuer as i, OAuthFieldErrorCodeMap as l, getOAuthProviderState as n, OAuthEndpointRedirectContext as o, oauthProvider as r, OAuthErrorCode as s, DEFAULT_OAUTH_SCOPES as t, OAuthRedirectOnError as u };