@better-auth/oauth-provider 1.7.0-beta.5 → 1.7.0-beta.7

package/dist/resource-challenge-B-cqv4ur.mjs

@@ -0,0 +1,63 @@
+import { isAPIError } from "better-auth/api";
+import { APIError as APIError$1 } from "better-call";
+import { DPOP_SIGNING_ALGORITHMS } from "better-auth/oauth2";
+//#region src/resource-challenge.ts
+const DPOP_CHALLENGE_ERRORS = new Set(["invalid_dpop_proof"]);
+function quoteAuthParam(value) {
+	return value.replace(/[\r\n]+/g, " ").replace(/\\/g, "\\\\").replace(/"/g, "\\\"");
+}
+function extractDpopError(error) {
+	const body = error.body;
+	return {
+		errorCode: typeof body?.error === "string" ? body.error : void 0,
+		description: typeof body?.error_description === "string" ? body.error_description : typeof body?.message === "string" ? body.message : error.message
+	};
+}
+function isDpopChallengeError(error) {
+	const { errorCode, description } = extractDpopError(error);
+	return !!errorCode && (DPOP_CHALLENGE_ERRORS.has(errorCode) || errorCode === "invalid_token" && description.includes("DPoP"));
+}
+function buildDpopChallenge(error, opts) {
+	const { errorCode, description } = extractDpopError(error);
+	const algorithms = opts?.dpopSigningAlgorithms ?? DPOP_SIGNING_ALGORITHMS;
+	return [
+		`DPoP error="${quoteAuthParam(errorCode ?? "invalid_dpop_proof")}"`,
+		`error_description="${quoteAuthParam(description)}"`,
+		`algs="${quoteAuthParam(algorithms.join(" "))}"`
+	].join(", ");
+}
+/**
+* Raise an OAuth resource-server challenge for a failed access-token request.
+*
+* Missing/invalid bearer credentials are reported with RFC 6750 plus the RFC
+* 9728 `resource_metadata` pointer. DPoP-bound-token failures are reported with
+* RFC 9449's `DPoP` challenge so clients know which proof algorithms to use.
+* Non-URL resources (for example a `urn:` or a client id) resolve their
+* metadata URL through `resourceMetadataMappings`.
+*
+* @internal
+*/
+function raiseResourceServerChallenge(error, resource, opts) {
+	if (isAPIError(error) && error.status === "UNAUTHORIZED") {
+		if (isDpopChallengeError(error)) throw new APIError$1("UNAUTHORIZED", { message: error.message }, { "WWW-Authenticate": buildDpopChallenge(error, opts) });
+		const wwwAuthenticateValue = (Array.isArray(resource) ? resource : [resource]).map((value) => {
+			const url = URL.canParse?.(value) ? new URL(value) : null;
+			if (url && url.origin !== "null") {
+				const resourcePath = url.pathname.endsWith("/") ? url.pathname.slice(0, -1) : url.pathname;
+				let challenge = `Bearer resource_metadata="${url.origin}/.well-known/oauth-protected-resource${resourcePath}${url.search}"`;
+				if (opts?.scope) challenge += `, scope="${quoteAuthParam(opts.scope)}"`;
+				return challenge;
+			}
+			const resourceMetadata = opts?.resourceMetadataMappings?.[value];
+			if (!resourceMetadata) throw new APIError$1("INTERNAL_SERVER_ERROR", { message: `missing resource_metadata mapping for ${value}` });
+			let challenge = `Bearer resource_metadata="${resourceMetadata}"`;
+			if (opts?.scope) challenge += `, scope="${quoteAuthParam(opts.scope)}"`;
+			return challenge;
+		}).join(", ");
+		throw new APIError$1("UNAUTHORIZED", { message: error.message }, { "WWW-Authenticate": wwwAuthenticateValue });
+	}
+	if (error instanceof Error) throw error;
+	throw new Error(error);
+}
+//#endregion
+export { raiseResourceServerChallenge as t };

package/dist/rolldown-runtime-wcPFST8Q.mjs

@@ -0,0 +1,13 @@
+//#region \0rolldown/runtime.js
+var __defProp = Object.defineProperty;
+var __exportAll = (all, no_symbols) => {
+	let target = {};
+	for (var name in all) __defProp(target, name, {
+		get: all[name],
+		enumerable: true
+	});
+	if (!no_symbols) __defProp(target, Symbol.toStringTag, { value: "Module" });
+	return target;
+};
+//#endregion
+export { __exportAll as t };

package/dist/signed-query-CFv2jNMT.mjs

@@ -0,0 +1,44 @@
+//#region src/signed-query.ts
+const signedQueryIssuedAtParam = "ba_iat";
+const postLoginClearedParam = "ba_pl";
+const signedQueryParameterNameParam = "ba_param";
+function canonicalizeOAuthQueryParams(params) {
+	const canonicalParams = new URLSearchParams();
+	const entries = [...params.entries()].sort(([keyA, valueA], [keyB, valueB]) => {
+		if (keyA < keyB) return -1;
+		if (keyA > keyB) return 1;
+		if (valueA < valueB) return -1;
+		if (valueA > valueB) return 1;
+		return 0;
+	});
+	for (const [key, value] of entries) canonicalParams.append(key, value);
+	return canonicalParams;
+}
+function setSignedOAuthQueryParameterNames(params) {
+	params.delete(signedQueryParameterNameParam);
+	const signedParameterNames = [...new Set([...params.keys(), signedQueryParameterNameParam])].sort();
+	for (const parameterName of signedParameterNames) params.append(signedQueryParameterNameParam, parameterName);
+}
+function getSignedOAuthQueryParameterNames(params) {
+	const signedParameterNames = params.getAll(signedQueryParameterNameParam);
+	if (!signedParameterNames.length) return;
+	return new Set(signedParameterNames);
+}
+function buildSignedOAuthQuery(search) {
+	const params = new URLSearchParams(search);
+	if (!params.has("sig")) return;
+	const signedParameterNames = getSignedOAuthQueryParameterNames(params);
+	if (!signedParameterNames) return;
+	const signedParams = new URLSearchParams();
+	for (const [key, value] of params.entries()) if (key === "sig" || key === signedQueryParameterNameParam || signedParameterNames.has(key)) signedParams.append(key, value);
+	return signedParams.toString();
+}
+function getSignedQueryIssuedAt(oauthQuery) {
+	const raw = new URLSearchParams(oauthQuery).get(signedQueryIssuedAtParam);
+	if (!raw) return null;
+	const issuedAt = Number(raw);
+	if (!Number.isFinite(issuedAt) || issuedAt <= 0) return null;
+	return new Date(issuedAt);
+}
+//#endregion
+export { setSignedOAuthQueryParameterNames as a, postLoginClearedParam as i, canonicalizeOAuthQueryParams as n, signedQueryIssuedAtParam as o, getSignedQueryIssuedAt as r, buildSignedOAuthQuery as t };

package/dist/{utils-D2dLqo7f.mjs → utils-Baq6atYN.mjs}

@@ -1,10 +1,262 @@
-import { APIError } from "better-call";
-import { decodeBasicCredentials } from "@better-auth/core/oauth2";
+import { n as canonicalizeOAuthQueryParams } from "./signed-query-CFv2jNMT.mjs";
 import { constantTimeEqual, makeSignature, symmetricDecrypt, symmetricEncrypt } from "better-auth/crypto";
+import { APIError } from "better-call";
+import { logger } from "@better-auth/core/env";
 import { BetterAuthError } from "@better-auth/core/error";
+import { CLIENT_ASSERTION_TYPE, decodeBasicCredentials } from "@better-auth/core/oauth2";
 import { base64Url } from "@better-auth/utils/base64";
 import { createHash } from "@better-auth/utils/hash";
+//#region src/extensions.ts
+const DEFAULT_GRANT_TYPES = [
+	"authorization_code",
+	"client_credentials",
+	"refresh_token"
+];
+const BUILT_IN_CONFIDENTIAL_AUTH_METHODS = [
+	"client_secret_basic",
+	"client_secret_post",
+	"private_key_jwt"
+];
+const RESERVED_TOKEN_ENDPOINT_AUTH_METHODS = ["none", ...BUILT_IN_CONFIDENTIAL_AUTH_METHODS];
+const RESERVED_TOKEN_ENDPOINT_AUTH_METHOD_SET = new Set(RESERVED_TOKEN_ENDPOINT_AUTH_METHODS);
+function assertNonEmptyExtensionValue(name, value) {
+	if (value.trim().length > 0) return;
+	throw new BetterAuthError(`OAuth Provider extension ${name} cannot be empty`);
+}
+function assertAbsoluteUri(name, value) {
+	assertNonEmptyExtensionValue(name, value);
+	let url;
+	try {
+		url = new URL(value);
+	} catch {
+		url = void 0;
+	}
+	if (url?.protocol) return;
+	throw new BetterAuthError(`OAuth Provider extension ${name} must be an absolute URI: ${value}`);
+}
+function assertExtensionGrantType(grantType) {
+	assertAbsoluteUri("grant type", grantType);
+}
+function assertExtensionTokenEndpointAuthMethod(method) {
+	assertNonEmptyExtensionValue("token_endpoint_auth_method", method);
+	if (!RESERVED_TOKEN_ENDPOINT_AUTH_METHOD_SET.has(method)) return;
+	throw new BetterAuthError(`OAuth Provider extension token_endpoint_auth_method is reserved: ${method}`);
+}
+function assertExtensionClientAssertionType(assertionType) {
+	assertAbsoluteUri("client_assertion_type", assertionType);
+	if (assertionType !== CLIENT_ASSERTION_TYPE) return;
+	throw new BetterAuthError(`OAuth Provider extension client_assertion_type is reserved: ${assertionType}`);
+}
+/**
+* Validates one extension's dispatched keys (grant types, auth methods,
+* assertion types) and returns them for the cross-extension disjointness check.
+* Throws on a non-absolute grant/assertion URI, a reserved auth-method name, or
+* an empty assertion-type list.
+*/
+function collectExtensionKeys(extension) {
+	const grantTypes = Object.keys(extension.grants ?? {});
+	for (const grantType of grantTypes) assertExtensionGrantType(grantType);
+	const authMethods = [];
+	const assertionTypes = [];
+	for (const [method, strategy] of Object.entries(extension.clientAuthentication ?? {})) {
+		assertExtensionTokenEndpointAuthMethod(method);
+		authMethods.push(method);
+		const methodAssertionTypes = strategy.assertionTypes ?? [method];
+		if (methodAssertionTypes.length === 0) throw new BetterAuthError(`OAuth Provider extension client_assertion_type list cannot be empty for ${method}`);
+		for (const assertionType of methodAssertionTypes) {
+			assertExtensionClientAssertionType(assertionType);
+			assertionTypes.push(assertionType);
+		}
+	}
+	return {
+		grantTypes,
+		authMethods,
+		assertionTypes
+	};
+}
+function assertNoDuplicateAcrossExtensions(label, values) {
+	const seen = /* @__PURE__ */ new Set();
+	for (const value of values) {
+		if (seen.has(value)) throw new BetterAuthError(`OAuth Provider extensions register ${label} "${value}" more than once. Extension contributions must be disjoint.`);
+		seen.add(value);
+	}
+}
+/**
+* Validates every extension and rejects two extensions registering the same
+* grant type, auth method, or assertion type: otherwise the first would win and
+* the second be silently unreachable. Runs at setup over the whole list;
+* extensions number in the single digits, so a full re-scan per registration is
+* cheaper than the bookkeeping to cache it.
+*/
+function validateOAuthProviderExtensions(extensions) {
+	const keys = (extensions ?? []).map(collectExtensionKeys);
+	assertNoDuplicateAcrossExtensions("grant type", keys.flatMap((k) => k.grantTypes));
+	assertNoDuplicateAcrossExtensions("token_endpoint_auth_method", keys.flatMap((k) => k.authMethods));
+	assertNoDuplicateAcrossExtensions("client_assertion_type", keys.flatMap((k) => k.assertionTypes));
+}
+function getOAuthProviderExtensions(opts) {
+	return opts.extensions ?? [];
+}
+/**
+* Flattens the client-id discovery sources contributed by every registered
+* extension into a single ordered list. `getClient()` consults them in order;
+* the metadata endpoints merge their `discoveryMetadata`.
+*/
+function getClientDiscoveries(opts) {
+	return getOAuthProviderExtensions(opts).flatMap((extension) => {
+		const discovery = extension.clientDiscovery;
+		if (!discovery) return [];
+		return Array.isArray(discovery) ? discovery : [discovery];
+	});
+}
+/**
+* Registers an {@link OAuthProviderExtension} with the OAuth Provider plugin
+* from a companion plugin's `init()` hook. An extension can add token grants,
+* assertion-based client authentication methods, additive discovery metadata,
+* access-token / ID-token / UserInfo claims, and client-id discovery, without
+* forking provider core.
+*
+* Call this once, at `init()` time. It is idempotent in the same `extension`
+* object, so re-running a plugin's `init()` (for example when one plugin factory
+* result is shared across two `betterAuth()` instances) does not register it
+* twice. It throws if the oauth-provider plugin is not installed, if a grant
+* type or assertion type is not an absolute URI, if a client authentication
+* method reuses a built-in name, or if the extension registers a grant type,
+* auth method, or assertion type that another extension already registered
+* (contributions must be disjoint).
+*
+* @example
+* ```ts
+* init(ctx) {
+*   extendOAuthProvider(ctx, {
+*     grants: { "urn:example:grant": async ({ provider }) => provider.issueTokens(...) },
+*   });
+* }
+* ```
+*/
+function extendOAuthProvider(ctx, extension) {
+	const provider = ctx.getPlugin("oauth-provider");
+	if (!provider) throw new BetterAuthError("extendOAuthProvider requires the oauth-provider plugin.");
+	const existing = provider.options.extensions ?? [];
+	if (existing.includes(extension)) return;
+	const extensions = [...existing, extension];
+	validateOAuthProviderExtensions(extensions);
+	provider.options.extensions = extensions;
+}
+function getExtensionGrantTypes(opts) {
+	return getOAuthProviderExtensions(opts).flatMap((extension) => Object.keys(extension.grants ?? {}));
+}
+function getSupportedGrantTypes(opts) {
+	return Array.from(new Set([...opts.grantTypes ?? DEFAULT_GRANT_TYPES, ...getExtensionGrantTypes(opts)]));
+}
+function getExtensionGrantHandler(opts, grantType) {
+	for (const extension of getOAuthProviderExtensions(opts)) {
+		const handler = extension.grants?.[grantType];
+		if (handler) return handler;
+	}
+}
+function getExtensionTokenEndpointAuthMethods(opts) {
+	return getOAuthProviderExtensions(opts).flatMap((extension) => Object.keys(extension.clientAuthentication ?? {}));
+}
+/**
+* Confidential and extension client-authentication methods the provider
+* supports. Pass `includeNone` to prepend `"none"` for the token endpoint and
+* DCR, where public clients are allowed; the introspection and revocation
+* endpoints, which never accept public clients, omit it (the default).
+*/
+function getSupportedAuthMethods(opts, settings) {
+	return Array.from(new Set([
+		...settings?.includeNone ? ["none"] : [],
+		...BUILT_IN_CONFIDENTIAL_AUTH_METHODS,
+		...getExtensionTokenEndpointAuthMethods(opts)
+	]));
+}
+function isExtensionTokenEndpointAuthMethod(opts, method) {
+	return method ? getExtensionTokenEndpointAuthMethods(opts).includes(method) : false;
+}
+function getExtensionClientAuthenticationStrategy(opts, assertionType) {
+	if (assertionType === CLIENT_ASSERTION_TYPE) return void 0;
+	for (const extension of getOAuthProviderExtensions(opts)) {
+		const strategies = extension.clientAuthentication ?? {};
+		for (const [method, strategy] of Object.entries(strategies)) if ((strategy.assertionTypes ?? [method]).includes(assertionType)) return {
+			method,
+			strategy
+		};
+	}
+}
+/**
+* Merges each registered extension's `metadata()` contribution into `document`,
+* first-wins: the provider owns every key it already wrote, so an extension can
+* add fields but never override core. Each contributor sees the base `document`,
+* not the running accumulation, so contributions stay order-independent.
+*/
+function applyOAuthProviderMetadataExtensions(ctx, opts, type, document) {
+	const next = { ...document };
+	for (const extension of getOAuthProviderExtensions(opts)) {
+		const contribution = extension.metadata?.({
+			ctx,
+			opts,
+			type,
+			document
+		});
+		for (const [key, value] of Object.entries(contribution ?? {})) if (!(key in next)) next[key] = value;
+	}
+	return next;
+}
+async function collectClaims(opts, run) {
+	const claims = {};
+	for (const extension of getOAuthProviderExtensions(opts)) {
+		const contribution = await run(extension) ?? {};
+		for (const [key, value] of Object.entries(contribution)) {
+			if (key in claims) {
+				logger.warn(`oauth-provider: two extensions contributed the claim "${key}"; keeping the first-registered value.`);
+				continue;
+			}
+			claims[key] = value;
+		}
+	}
+	return claims;
+}
+function collectExtensionAccessTokenClaims(opts, input) {
+	return collectClaims(opts, (extension) => extension.claims?.accessToken?.(input));
+}
+function collectExtensionIdTokenClaims(opts, input) {
+	return collectClaims(opts, (extension) => extension.claims?.idToken?.(input));
+}
+function collectExtensionUserInfoClaims(opts, input) {
+	return collectClaims(opts, (extension) => extension.claims?.userInfo?.(input));
+}
+/**
+* Whether any registered extension contributes UserInfo claims. Lets the
+* UserInfo endpoint skip loading the client when nothing needs it.
+*/
+function hasUserInfoClaimExtension(opts) {
+	return getOAuthProviderExtensions(opts).some((extension) => extension.claims?.userInfo);
+}
+//#endregion
 //#region src/utils/index.ts
+/**
+* Extracts the credentials from an `Authorization: Bearer <token>` header.
+*
+* Returns `undefined` when the header is absent or carries a non-Bearer scheme,
+* leaving the caller to decide whether that is an error. Throws an
+* `invalid_request` `APIError` when the Bearer scheme is present but the
+* credentials are missing or the header carries extra parts. The scheme match
+* is case-insensitive and the credentials are the single token after it.
+*
+* @see https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
+* @see https://datatracker.ietf.org/doc/html/rfc7235#section-2.1
+*/
+function parseBearerToken(authorization) {
+	if (!authorization) return void 0;
+	const [scheme, credentials, ...extraParts] = authorization.trim().split(/\s+/);
+	if (scheme?.toLowerCase() !== "bearer") return void 0;
+	if (!credentials || extraParts.length > 0) throw new APIError("BAD_REQUEST", {
+		error: "invalid_request",
+		error_description: "Malformed Bearer Authorization header"
+	});
+	return credentials;
+}
 var TTLCache = class {
 	cache = /* @__PURE__ */ new Map();
 	constructor() {}
@@ -91,39 +343,15 @@ function toAudienceClaim(audience) {
 	if (!audience?.length) return void 0;
 	return audience.length === 1 ? audience.at(0) : audience;
 }
-/**
-* Checks the resource parameter, if provided,
-* and returns either a valid audience or a tagged validation error.
-*/
-async function checkResource(ctx, opts, resource, scopes) {
-	const normalizedResource = toResourceList(resource);
-	const audience = normalizedResource ? [...normalizedResource] : void 0;
-	if (audience) {
-		const hasOpenId = scopes.includes("openid");
-		const baseUrl = ctx.context.baseURL;
-		const userInfoEndpoint = `${baseUrl}/oauth2/userinfo`;
-		if (hasOpenId && !audience.includes(userInfoEndpoint)) audience.push(userInfoEndpoint);
-		const filteredValidAudiences = opts.validAudiences?.filter((aud) => aud.length);
-		const validAudiences = new Set(filteredValidAudiences?.length ? filteredValidAudiences : [baseUrl]);
-		if (hasOpenId) validAudiences.add(userInfoEndpoint);
-		for (const aud of audience) if (!validAudiences.has(aud)) return {
-			success: false,
-			error: "invalid_resource"
-		};
-	}
-	return {
-		success: true,
-		audience: toAudienceClaim(audience)
-	};
-}
 const cachedTrustedClients = new TTLCache();
 async function verifyOAuthQueryParams(oauth_query, secret) {
 	const queryParams = new URLSearchParams(oauth_query);
 	const sig = queryParams.get("sig");
+	const sigs = queryParams.getAll("sig");
 	const exp = Number(queryParams.get("exp"));
 	queryParams.delete("sig");
-	const verifySig = await makeSignature(queryParams.toString(), secret);
-	return !!sig && constantTimeEqual(sig, verifySig) && /* @__PURE__ */ new Date(exp * 1e3) >= /* @__PURE__ */ new Date();
+	const verifySig = await makeSignature(canonicalizeOAuthQueryParams(queryParams).toString(), secret);
+	return sigs.length === 1 && !!sig && constantTimeEqual(sig, verifySig) && /* @__PURE__ */ new Date(exp * 1e3) >= /* @__PURE__ */ new Date();
 }
 /**
 * Get a client by ID, checking trusted clients first, then database
@@ -138,7 +366,7 @@ async function getClient(ctx, options, clientId) {
 			value: clientId
 		}]
 	});
-	const discoveries = toClientDiscoveryArray(options.clientDiscovery);
+	const discoveries = getClientDiscoveries(options);
 	for (const discovery of discoveries) {
 		if (!discovery.matches(clientId)) continue;
 		const resolved = await discovery.resolve(ctx, clientId, dbClient);
@@ -151,24 +379,14 @@ async function getClient(ctx, options, clientId) {
 	return dbClient;
 }
 /**
-* Normalize the `clientDiscovery` option into an array. Accepts a single
-* {@link ClientDiscovery}, an array of them, or `undefined`.
-*
-* @internal
-*/
-function toClientDiscoveryArray(discovery) {
-	if (!discovery) return [];
-	return Array.isArray(discovery) ? discovery : [discovery];
-}
-/**
-* Merge `discoveryMetadata` from every configured {@link ClientDiscovery}
+* Merge `discoveryMetadata` from every contributed {@link ClientDiscovery}
 * into a single object. Entries are spread in order; later entries override
 * earlier ones on key collisions.
 *
 * @internal
 */
-function mergeDiscoveryMetadata(discovery) {
-	return toClientDiscoveryArray(discovery).reduce((acc, d) => ({
+function mergeDiscoveryMetadata(discoveries) {
+	return discoveries.reduce((acc, d) => ({
 		...acc,
 		...d.discoveryMetadata ?? {}
 	}), {});
@@ -302,13 +520,16 @@ function clientAllowsGrant(client, grantType) {
 	return allowedGrants.includes(grantType);
 }
 /**
-* Validates client credentials failing on mismatches
-* and incorrectly provided information
+* Resolves the registered client by id and authorizes it: existence, disabled
+* state, registered auth method, requested scopes, and grant type. The record is
+* always resolved here via `getClient`, so a client-auth strategy proves the
+* caller controls `clientId` but never supplies the record. `preVerified` marks
+* that an assertion already proved control, so the client-secret check is skipped.
 *
 * @internal
 */
-async function validateClientCredentials(ctx, options, clientId, clientSecret, scopes, preVerifiedClient, grantType) {
-	const client = preVerifiedClient ?? await getClient(ctx, options, clientId);
+async function validateClientCredentials(ctx, options, clientId, clientSecret, scopes, preVerified, grantType, authMethod) {
+	const client = await getClient(ctx, options, clientId);
 	if (!client) throw new APIError("BAD_REQUEST", {
 		error_description: "missing client",
 		error: "invalid_client"
@@ -317,11 +538,18 @@ async function validateClientCredentials(ctx, options, clientId, clientSecret, s
 		error_description: "client is disabled",
 		error: "invalid_client"
 	});
-	if (client.tokenEndpointAuthMethod === "private_key_jwt" && !preVerifiedClient) throw new APIError("BAD_REQUEST", {
-		error_description: "client registered for private_key_jwt must use client_assertion",
+	if (preVerified && authMethod) {
+		const registeredAuthMethod = client.tokenEndpointAuthMethod ?? "client_secret_basic";
+		if (registeredAuthMethod !== authMethod) throw new APIError("BAD_REQUEST", {
+			error_description: `client registered for ${registeredAuthMethod} cannot use ${authMethod}`,
+			error: "invalid_client"
+		});
+	}
+	if ((client.tokenEndpointAuthMethod === "private_key_jwt" || isExtensionTokenEndpointAuthMethod(options, client.tokenEndpointAuthMethod)) && !preVerified) throw new APIError("BAD_REQUEST", {
+		error_description: `client registered for ${client.tokenEndpointAuthMethod} must use client_assertion`,
 		error: "invalid_client"
 	});
-	if (!preVerifiedClient) {
+	if (!preVerified) {
 		if (!client.public && !clientSecret) throw new APIError("BAD_REQUEST", {
 			error_description: "client secret must be provided",
 			error: "invalid_client"
@@ -362,8 +590,10 @@ function parseClientMetadata(metadata) {
 function destructureCredentials(credentials) {
 	return {
 		clientId: credentials?.clientId,
-		clientSecret: credentials?.method === "client_secret_basic" || credentials?.method === "client_secret_post" ? credentials.clientSecret : void 0,
-		preVerifiedClient: credentials?.method === "private_key_jwt" ? credentials.client : void 0
+		clientSecret: credentials?.kind === "client_secret" ? credentials.clientSecret : void 0,
+		preVerified: credentials?.kind === "pre_verified",
+		authMethod: credentials?.method,
+		confirmation: credentials?.kind === "pre_verified" ? credentials.confirmation : void 0
 	};
 }
 /**
@@ -378,32 +608,53 @@ async function extractClientCredentials(ctx, opts, expectedAudience) {
 			error_description: "client_assertion and client_assertion_type must both be provided",
 			error: "invalid_client"
 		});
-		if (body.client_secret || authorization?.startsWith("Basic ")) throw new APIError("BAD_REQUEST", {
+		if (body.client_secret || authorization && BASIC_SCHEME_PREFIX.test(authorization)) throw new APIError("BAD_REQUEST", {
 			error_description: "client_assertion cannot be combined with client_secret or Basic auth",
 			error: "invalid_client"
 		});
-		const { verifyClientAssertion: verify } = await import("./client-assertion-DmT1B6_6.mjs").then((n) => n.t);
-		const result = await verify(ctx, opts, body.client_assertion, body.client_assertion_type, body.client_id, expectedAudience);
+		const assertion = body.client_assertion;
+		const assertionType = body.client_assertion_type;
+		const extensionStrategy = getExtensionClientAuthenticationStrategy(opts, assertionType);
+		if (extensionStrategy) {
+			const result = await extensionStrategy.strategy.authenticate({
+				ctx,
+				opts,
+				assertion,
+				assertionType,
+				clientId: body.client_id,
+				expectedAudience
+			});
+			return {
+				kind: "pre_verified",
+				method: extensionStrategy.method,
+				clientId: result.clientId,
+				confirmation: result.confirmation
+			};
+		}
+		const { verifyClientAssertion: verify } = await import("./client-assertion-CctbJywV.mjs").then((n) => n.t);
 		return {
+			kind: "pre_verified",
 			method: "private_key_jwt",
-			clientId: result.clientId,
-			client: result.client
+			clientId: (await verify(ctx, opts, assertion, assertionType, body.client_id, expectedAudience)).clientId
 		};
 	}
-	if (authorization?.startsWith("Basic ")) {
+	if (authorization && BASIC_SCHEME_PREFIX.test(authorization)) {
 		const res = basicToClientCredentials(authorization);
 		if (res) return {
+			kind: "client_secret",
 			method: "client_secret_basic",
 			clientId: res.client_id,
 			clientSecret: res.client_secret
 		};
 	}
 	if (body.client_id && body.client_secret) return {
+		kind: "client_secret",
 		method: "client_secret_post",
 		clientId: body.client_id,
 		clientSecret: body.client_secret
 	};
 	if (body.client_id) return {
+		kind: "public",
 		method: "none",
 		clientId: body.client_id
 	};
@@ -462,15 +713,6 @@ function searchParamsToQuery(params) {
 	}
 	return result;
 }
-const signedQueryIssuedAtParam = "ba_iat";
-const postLoginClearedParam = "ba_pl";
-function getSignedQueryIssuedAt(oauthQuery) {
-	const raw = new URLSearchParams(oauthQuery).get(signedQueryIssuedAtParam);
-	if (!raw) return null;
-	const issuedAt = Number(raw);
-	if (!Number.isFinite(issuedAt) || issuedAt <= 0) return null;
-	return new Date(issuedAt);
-}
 function isSessionFreshForSignedQuery(sessionCreatedAt, signedQueryIssuedAt) {
 	if (!signedQueryIssuedAt) return false;
 	const normalized = normalizeTimestampValue(sessionCreatedAt);
@@ -519,4 +761,4 @@ function isPKCERequired(client, requestedScopes) {
 	return false;
 }
 //#endregion
-export { verifyOAuthQueryParams as A, signedQueryIssuedAtParam as C, toClientDiscoveryArray as D, toAudienceClaim as E, toResourceList as O, searchParamsToQuery as S, storeToken as T, postLoginClearedParam as _, extractClientCredentials as a, resolveSessionAuthTime as b, getOAuthProviderPlugin as c, isPKCERequired as d, isSessionFreshForSignedQuery as f, parsePrompt as g, parseClientMetadata as h, destructureCredentials as i, validateClientCredentials as k, getSignedQueryIssuedAt as l, normalizeTimestampValue as m, clientAllowsGrant as n, getClient as o, mergeDiscoveryMetadata as p, decryptStoredClientSecret as r, getJwtPlugin as s, checkResource as t, getStoredToken as u, removeMaxAgeFromQuery as v, storeClientSecret as w, resolveSubjectIdentifier as x, removePromptFromQuery as y };
+export { collectExtensionUserInfoClaims as A, toAudienceClaim as C, applyOAuthProviderMetadataExtensions as D, verifyOAuthQueryParams as E, getSupportedGrantTypes as F, hasUserInfoClaimExtension as I, isExtensionTokenEndpointAuthMethod as L, getClientDiscoveries as M, getExtensionGrantHandler as N, collectExtensionAccessTokenClaims as O, getSupportedAuthMethods as P, validateOAuthProviderExtensions as R, storeToken as S, validateClientCredentials as T, removePromptFromQuery as _, getClient as a, searchParamsToQuery as b, getStoredToken as c, mergeDiscoveryMetadata as d, normalizeTimestampValue as f, removeMaxAgeFromQuery as g, parsePrompt as h, extractClientCredentials as i, extendOAuthProvider as j, collectExtensionIdTokenClaims as k, isPKCERequired as l, parseClientMetadata as m, decryptStoredClientSecret as n, getJwtPlugin as o, parseBearerToken as p, destructureCredentials as r, getOAuthProviderPlugin as s, clientAllowsGrant as t, isSessionFreshForSignedQuery as u, resolveSessionAuthTime as v, toResourceList as w, storeClientSecret as x, resolveSubjectIdentifier as y };

package/dist/{version-B1ZiRmxj.mjs → version-DkFgXWfN.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.7.0-beta.5";
+const PACKAGE_VERSION = "1.7.0-beta.7";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.7.0-beta.5",
+  "version": "1.7.0-beta.7",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -61,18 +61,17 @@
     "zod": "^4.3.6"
   },
   "devDependencies": {
-    "@modelcontextprotocol/sdk": "^1.27.1",
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.7.0-beta.5",
-    "better-auth": "1.7.0-beta.5"
+    "@better-auth/core": "1.7.0-beta.7",
+    "better-auth": "1.7.0-beta.7"
   },
   "peerDependencies": {
-    "@better-auth/utils": "0.4.1",
-    "@better-fetch/fetch": "1.2.2",
+    "@better-auth/utils": "0.4.2",
+    "@better-fetch/fetch": "1.3.1",
     "better-call": "1.3.6",
-    "@better-auth/core": "^1.7.0-beta.5",
-    "better-auth": "^1.7.0-beta.5"
+    "@better-auth/core": "^1.7.0-beta.7",
+    "better-auth": "^1.7.0-beta.7"
   },
   "scripts": {
     "build": "tsdown",