@better-auth/oauth-provider 1.7.0-beta.7 → 1.7.0-beta.9

package/dist/{oauth-CqOygaZd.d.mts → oauth-C7baUP-L.d.mts}

@@ -1,4 +1,4 @@
-import { C as OAuthConsent, F as OAuthTokenResponse, L as Prompt, M as OAuthResource, O as OAuthOptions, a as GrantType, l as TokenEndpointAuthMethod, n as AuthServerMetadata, o as OAuthClient, z as Scope } from "./oauth-CPWY2Few.mjs";
+import { C as OAuthConsent, F as OAuthTokenResponse, L as Prompt, M as OAuthResource, O as OAuthOptions, a as GrantType, l as TokenEndpointAuthMethod, n as AuthServerMetadata, o as OAuthClient, z as Scope } from "./oauth-Di-k6QeJ.mjs";
 import * as better_call0 from "better-call";
 import * as z from "zod";
 import * as jose from "jose";
@@ -140,10 +140,13 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
     }, {
       jwks_uri?: string | undefined;
       userinfo_endpoint: string;
-      acr_values_supported: string[];
+      acr_values_supported?: string[] | undefined;
       subject_types_supported: ("public" | "pairwise")[];
       claims_supported: string[];
+      claims_parameter_supported?: boolean | undefined;
       end_session_endpoint: string;
+      request_parameter_supported?: boolean | undefined;
+      request_uri_parameter_supported?: boolean | undefined;
       prompt_values_supported: Prompt[];
       issuer: string;
       authorization_endpoint: string;
@@ -174,41 +177,11 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
     }>;
     oauth2Authorize: better_call0.StrictEndpoint<"/oauth2/authorize", {
-      method: "GET";
-      query: z.ZodObject<{
-        response_type: z.ZodOptional<z.ZodPipe<z.ZodString, z.ZodEnum<{
-          code: "code";
-        }>>>;
-        request_uri: z.ZodOptional<z.ZodString>;
-        redirect_uri: z.ZodOptional<z.ZodURL>;
-        scope: z.ZodOptional<z.ZodString>;
-        state: z.ZodOptional<z.ZodString>;
-        client_id: z.ZodString;
-        prompt: z.ZodOptional<z.ZodString>;
-        display: z.ZodOptional<z.ZodString>;
-        ui_locales: z.ZodOptional<z.ZodString>;
-        max_age: z.ZodOptional<z.ZodPipe<z.ZodUnion<readonly [z.ZodNumber, z.ZodString]>, z.ZodTransform<number, string | number>>>;
-        acr_values: z.ZodOptional<z.ZodString>;
-        login_hint: z.ZodOptional<z.ZodString>;
-        id_token_hint: z.ZodOptional<z.ZodString>;
-        code_challenge: z.ZodOptional<z.ZodString>;
-        code_challenge_method: z.ZodOptional<z.ZodPipe<z.ZodString, z.ZodEnum<{
-          S256: "S256";
-        }>>>;
-        nonce: z.ZodOptional<z.ZodString>;
-        dpop_jkt: z.ZodOptional<z.ZodString>;
-        resource: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodArray<z.ZodString>]>>;
-      }, z.core.$loose>;
+      method: ("GET" | "POST")[];
+      body: z.ZodObject<{}, z.core.$loose>;
       redirectOnError: OAuthRedirectOnError<GenericEndpointContext, OAuthRedirectResult>;
-      errorCodesByField: {
-        response_type: {
-          invalid: "unsupported_response_type";
-        };
-        resource: {
-          invalid: "invalid_target";
-        };
-      };
       metadata: {
+        allowedMediaTypes: string[];
         openapi: {
           description: string;
           parameters: ({
@@ -313,6 +286,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
       body: z.ZodObject<{
         accept: z.ZodBoolean;
         scope: z.ZodOptional<z.ZodString>;
+        claims: z.ZodOptional<z.ZodUnion<readonly [z.ZodString, z.ZodRecord<z.ZodString, z.ZodUnknown>]>>;
         oauth_query: z.ZodOptional<z.ZodString>;
       }, z.core.$strip>;
       use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
@@ -803,8 +777,12 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
     }, null | undefined>;
     oauth2UserInfo: better_call0.StrictEndpoint<"/oauth2/userinfo", {
       method: ("GET" | "POST")[];
+      body: z.ZodOptional<z.ZodObject<{
+        access_token: z.ZodOptional<z.ZodString>;
+      }, z.core.$loose>>;
       metadata: {
         noStore: boolean;
+        allowedMediaTypes: string[];
         openapi: {
           description: string;
           security: ({
@@ -915,13 +893,7 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
         };
       };
     }, {
-      sub: string;
-      email?: string | undefined;
-      email_verified?: boolean | undefined;
-      name?: string | undefined;
-      picture?: string | undefined;
-      given_name?: string | undefined;
-      family_name?: string | undefined;
+      sub: unknown;
     }>;
     oauth2EndSession: better_call0.StrictEndpoint<"/oauth2/end-session", {
       method: "GET";
@@ -2306,10 +2278,19 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           type: "string";
           required: false;
         };
+        authorizationCodeId: {
+          type: "string";
+          required: false;
+          index: true;
+        };
         resources: {
           type: "string[]";
           required: false;
         };
+        requestedUserInfoClaims: {
+          type: "string[]";
+          required: false;
+        };
         expiresAt: {
           type: "date";
         };
@@ -2373,10 +2354,19 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           type: "string";
           required: false;
         };
+        authorizationCodeId: {
+          type: "string";
+          required: false;
+          index: true;
+        };
         resources: {
           type: "string[]";
           required: false;
         };
+        requestedUserInfoClaims: {
+          type: "string[]";
+          required: false;
+        };
         refreshId: {
           type: "string";
           required: false;
@@ -2435,6 +2425,10 @@ declare const oauthProvider: <O extends OAuthOptions<Scope[]>>(options: O) => {
           type: "string[]";
           required: false;
         };
+        requestedUserInfoClaims: {
+          type: "string[]";
+          required: false;
+        };
         scopes: {
           type: "string[]";
           required: true;

package/dist/{oauth-CPWY2Few.d.mts → oauth-Di-k6QeJ.d.mts}

@@ -335,10 +335,19 @@ declare const schema: {
         type: "string";
         required: false;
       };
+      authorizationCodeId: {
+        type: "string";
+        required: false;
+        index: true;
+      };
       resources: {
         type: "string[]";
         required: false;
       };
+      requestedUserInfoClaims: {
+        type: "string[]";
+        required: false;
+      };
       expiresAt: {
         type: "date";
       };
@@ -414,10 +423,19 @@ declare const schema: {
         type: "string";
         required: false;
       };
+      authorizationCodeId: {
+        type: "string";
+        required: false;
+        index: true;
+      };
       resources: {
         type: "string[]";
         required: false;
       };
+      requestedUserInfoClaims: {
+        type: "string[]";
+        required: false;
+      };
       refreshId: {
         type: "string";
         required: false;
@@ -476,6 +494,10 @@ declare const schema: {
         type: "string[]";
         required: false;
       };
+      requestedUserInfoClaims: {
+        type: "string[]";
+        required: false;
+      };
       scopes: {
         type: "string[]";
         required: true;
@@ -670,6 +692,13 @@ interface OAuthTokenIssueParams {
   resources?: string[];
   /** Full original authorized resources for the grant, used to seed refresh tokens. */
   originalResources?: string[];
+  /**
+   * OIDC UserInfo claim names requested by the authorization request's
+   * `claims.userinfo` object. The authorization server persists these names so
+   * refresh-token rotation and opaque access tokens continue honoring the same
+   * UserInfo request contract.
+   */
+  requestedUserInfoClaims?: string[];
   /**
    * Additional JWT access-token claims for this single issuance.
    *
@@ -867,6 +896,11 @@ interface OAuthUserInfoExtensionInput {
   scopes: string[];
   jwt: JWTPayload;
   client?: SchemaClient<Scope[]>;
+  /**
+   * Claim names explicitly requested through the OIDC `claims.userinfo`
+   * authorization request parameter.
+   */
+  requestedClaims: string[];
 }
 /**
  * What a companion plugin contributes to the OAuth Provider, registered through
@@ -1121,8 +1155,9 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
    * Allow unauthenticated dynamic client registration.
    *
    * When enabled, the `/oauth2/register` endpoint accepts requests
-   * without a session, but only for public clients
-   * (`token_endpoint_auth_method: "none"`).
+   * without a session. Public clients use
+   * `token_endpoint_auth_method: "none"`; confidential clients receive a
+   * one-time `client_secret` in the registration response.
    *
    * For verified client discovery (MCP), consider installing the
    * `@better-auth/cimd` plugin, which verifies client identity through
@@ -1139,8 +1174,8 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
    * - session-backed: a logged-in user with client-create privileges.
    * - token-backed: a valid initial access token, when
    *   {@link OAuthOptions.validateInitialAccessToken} is defined.
-   * - open public-only: unauthenticated registration constrained to public
-   *   clients, when {@link OAuthOptions.allowUnauthenticatedClientRegistration}
+   * - open: unauthenticated registration, when
+   *   {@link OAuthOptions.allowUnauthenticatedClientRegistration}
    *   is enabled.
    *
    * @default false
@@ -1209,6 +1244,17 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
    * @default - clientRegistrationDefaultScopes
    */
   clientRegistrationAllowedScopes?: Scopes;
+  /**
+   * Whether dynamically registered confidential clients require PKCE by default.
+   *
+   * This is server-owned registration policy. Dynamic client registration does
+   * not accept `require_pkce` from the client request, and public clients or
+   * authorization requests with `offline_access` still require PKCE unless the
+   * confidential OIDC request includes both `openid` and `nonce`.
+   *
+   * @default true
+   */
+  clientRegistrationRequirePKCE?: boolean;
   /**
    * How long a dynamically created confidential client
    * should last for.
@@ -1294,11 +1340,16 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
    *
    * - `client_id` - The ID of the client.
    * - `scope` - The requested scopes.
+   * - `claims` - The OIDC claims request, when the client requested specific
+   *   claims. Consent pages should surface `claims.userinfo` names alongside
+   *   scopes because accepted UserInfo claims can affect the UserInfo response.
    * - `code` - The authorization code.
    *
    * once the user consents, you need to call the `/oauth2/consent` endpoint
-   * with the code and `accept: true` to complete the authorization. Which will
-   * then return the client to the `redirect_uri` with the authorization code.
+   * with the code and `accept: true` to complete the authorization. Include a
+   * `claims` object if the user accepted only some requested UserInfo claims.
+   * The endpoint will then return the client to the `redirect_uri` with the
+   * authorization code.
    *
    * @example
    * ```ts
@@ -1492,6 +1543,11 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
      * in the /userinfo request (matches jwt.scopes) */
     scopes: Scopes; /** The access token payload used in the /userinfo request */
     jwt: JWTPayload;
+    /**
+     * Claim names explicitly requested through the OIDC `claims.userinfo`
+     * authorization request parameter.
+     */
+    requestedClaims: string[];
   }) => Awaitable<Record<string, any>>;
   /**
    * Custom claims attached to OIDC id tokens.
@@ -1501,6 +1557,11 @@ interface OAuthOptions<Scopes extends readonly Scope[] = InternallySupportedScop
    * example.com should namespace an organization at
    * https://example.com/organization.
    *
+   * Reserved ID token claim names (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`,
+   * `jti`, `nonce`, `sid`, `at_hash`, `c_hash`, `s_hash`, `auth_time`, `acr`,
+   * `amr`, `azp`) are stripped at issuance with a warning log. The
+   * authorization server owns these values.
+   *
    * @param info - context that may be useful when creating custom claims
    */
   customIdTokenClaims?: (info: {
@@ -1797,6 +1858,13 @@ interface OAuthAuthorizationQuery {
    * Optional in the query when using request_uri (PAR) — resolved from stored params.
    */
   response_type?: "code";
+  /**
+   * OpenID Connect Request Object by value.
+   *
+   * The parameter is parsed so unsupported use can be rejected with
+   * `request_not_supported`; Better Auth does not process Request Objects yet.
+   */
+  request?: string;
   /**
    * PAR request_uri. When present, other params are resolved from the stored request.
    */
@@ -1904,6 +1972,14 @@ interface OAuthAuthorizationQuery {
    * with the Claim Value being the nonce value sent in the Authentication Request.
    */
   nonce?: string;
+  /**
+   * OIDC Claims request parameter. In an authorization request it is a
+   * form-encoded JSON string; Request Object resolvers may provide the parsed
+   * object form.
+   *
+   * @see https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
+   */
+  claims?: string | Record<string, unknown>;
   /**
    * RFC 9449 authorization request parameter. When present, the authorization
    * code is bound to this JWK thumbprint and the token request must present a
@@ -1998,6 +2074,17 @@ interface OAuthClientResource {
   metadata?: Record<string, unknown> | null;
   createdAt: Date;
 }
+/**
+ * The authorization request as persisted alongside a minted code. Identical to
+ * {@link OAuthAuthorizationQuery} except `redirect_uri` is optional: a headless
+ * authorization request (first-party-apps / device-style) carries none, and
+ * RFC 6749 §4.1.3 only binds `redirect_uri` at the token endpoint when the
+ * authorization request included one. Mirrors the runtime
+ * `storedAuthorizationQuerySchema`.
+ */
+interface StoredAuthorizationQuery extends Omit<OAuthAuthorizationQuery, "redirect_uri"> {
+  redirect_uri?: string;
+}
 /**
  * Stored within the verification.value field
  * in JSON format.
@@ -2007,7 +2094,7 @@ interface OAuthClientResource {
  */
 interface VerificationValue {
   type: "authorization_code";
-  query: OAuthAuthorizationQuery;
+  query: StoredAuthorizationQuery;
   sessionId: string;
   userId: string;
   resource?: string[];
@@ -2098,7 +2185,7 @@ interface SchemaClient<Scopes extends readonly Scope[] = InternallySupportedScop
   tokenEndpointAuthMethod?: TokenEndpointAuthMethod;
   grantTypes?: GrantType[];
   responseTypes?: "code"[];
-  /** Client's JSON Web Key Set for `private_key_jwt` authentication. Mutually exclusive with `jwksUri`. */
+  /** Client's JSON Web Key Set metadata. Mutually exclusive with `jwksUri`. */
   jwks?: string;
   /** URI for the client's JSON Web Key Set. Mutually exclusive with `jwks`. Must be HTTPS. */
   jwksUri?: string;
@@ -2181,6 +2268,11 @@ interface OAuthOpaqueAccessToken<Scopes extends readonly Scope[] = InternallySup
    * where no user is involved.
    */
   referenceId?: string;
+  /**
+   * Stored authorization-code identifier that produced this token family.
+   * Used to revoke tokens after authorization-code replay is detected.
+   */
+  authorizationCodeId?: string;
   /**
    * The refresh token the access token is associated with.
    *
@@ -2207,6 +2299,11 @@ interface OAuthOpaqueAccessToken<Scopes extends readonly Scope[] = InternallySup
    * Resources allowed for this access token.
    */
   resources?: string[];
+  /**
+   * OIDC UserInfo claim names requested by the authorization request's
+   * `claims.userinfo` object.
+   */
+  requestedUserInfoClaims?: string[];
   /**
    * RFC 7800 `cnf` confirmation that sender-constrains this access token (for
    * example DPoP `{ jkt }`). Surfaced as the `cnf` claim at introspection.
@@ -2221,6 +2318,7 @@ interface OAuthRefreshToken<Scopes extends readonly Scope[] = InternallySupporte
   sessionId?: string;
   userId: string;
   referenceId?: string;
+  authorizationCodeId?: string;
   clientId?: string;
   expiresAt: Date;
   createdAt: Date;
@@ -2243,6 +2341,11 @@ interface OAuthRefreshToken<Scopes extends readonly Scope[] = InternallySupporte
    * Resources allowed for this refresh token
    */
   resources?: string[];
+  /**
+   * OIDC UserInfo claim names requested by the authorization request's
+   * `claims.userinfo` object. Carried forward on rotation.
+   */
+  requestedUserInfoClaims?: string[];
   /**
    * RFC 7800 `cnf` confirmation that sender-constrains this refresh-token
    * family (for example DPoP `{ jkt }`). Carried forward on rotation.
@@ -2258,6 +2361,11 @@ type OAuthConsent<Scopes extends readonly Scope[] = InternallySupportedScopes[]>
   userId: string;
   resources?: string[];
   referenceId?: string;
+  /**
+   * OIDC UserInfo claim names consented from the authorization request's
+   * `claims.userinfo` object.
+   */
+  requestedUserInfoClaims?: string[];
   scopes: Scopes;
   createdAt: Date;
   updatedAt: Date;
@@ -2506,19 +2614,16 @@ interface OIDCMetadata extends AuthServerMetadata {
    */
   userinfo_endpoint: string;
   /**
-   * acr_values supported.
-   *
-   * - `urn:mace:incommon:iap:silver`: Silver level of assurance
-   * - `urn:mace:incommon:iap:bronze`: Bronze level of assurance
+   * Authentication Context Class Reference values supported.
    *
-   * Determination of acr_value is considered bronze by default.
-   * Silver level determination coming soon.
+   * Better Auth does not advertise this field by default because it does not
+   * currently evaluate requested Authentication Context Class References.
    *
    * @default
-   * ["urn:mace:incommon:iap:bronze"]
-   * @see https://incommon.org/federation/attributes.html
+   * undefined
+   * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
    */
-  acr_values_supported: string[];
+  acr_values_supported?: string[];
   /**
    * Supported subject types.
    *
@@ -2546,12 +2651,36 @@ interface OIDCMetadata extends AuthServerMetadata {
    * ["sub", "iss", "aud", "exp", "nbf", "iat", "jti", "email", "email_verified", "name", "family_name", "given_name", "sid", "scope", "azp"]
    */
   claims_supported: string[];
+  /**
+   * Whether the OP supports the OIDC `claims` request parameter.
+   *
+   * @default true
+   * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+   */
+  claims_parameter_supported?: boolean;
   /**
    * RP-Initiated Logout Endpoint
    *
    * @see https://openid.net/specs/openid-connect-rpinitiated-1_0.html
    */
   end_session_endpoint: string;
+  /**
+   * Whether the OP supports OpenID Connect Request Objects by value.
+   *
+   * @default false
+   * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+   */
+  request_parameter_supported?: boolean;
+  /**
+   * Whether the OP supports OpenID Connect Request Objects by reference.
+   *
+   * Discovery defaults this field to true when omitted, so providers that do
+   * not support it should advertise false explicitly.
+   *
+   * @default false
+   * @see https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
+   */
+  request_uri_parameter_supported?: boolean;
   /**
    * Prompt values supported by this OIDC server
    *
@@ -2619,8 +2748,9 @@ interface OAuthClient {
    *
    * @default true
    *
-   * Note: PKCE is always required for public clients and when
-   * requesting offline_access scope, regardless of this setting.
+   * Note: PKCE is always required for public clients. When requesting
+   * offline_access without PKCE, confidential OIDC clients must send both
+   * `openid` and `nonce`.
    */
   require_pkce?: boolean;
   /**
@@ -2676,4 +2806,4 @@ interface ResourceServerMetadata {
   dpop_bound_access_tokens_required?: boolean;
 }
 //#endregion
-export { OAuthProviderExtension as A, StoreTokenType as B, OAuthConsent as C, OAuthOpaqueAccessToken as D, OAuthMetadataExtensionInput as E, OAuthTokenResponse as F, ClientRegistrationRequest as H, OAuthUserInfoExtensionInput as I, Prompt as L, OAuthResource as M, OAuthResourceInput as N, OAuthOptions as O, OAuthTokenIssueParams as P, SchemaClient as R, OAuthClientResource as S, OAuthExtensionGrantHandlerInput as T, ResourceUriSchema as U, VerificationValue as V, OAuthClaimExtensionInput as _, GrantType as a, OAuthClientAuthenticationResult as b, ResourceServerMetadata as c, ActiveAccessTokenPayload as d, AuthorizePrompt as f, OAuthAuthorizationQuery as g, OAuthAuthenticatedClient as h, Confirmation as i, OAuthRefreshToken as j, OAuthProviderApi as k, TokenEndpointAuthMethod as l, InitialAccessTokenAuthorization as m, AuthServerMetadata as n, OAuthClient as o, ClientDiscovery as p, BearerMethodsSupported as r, OIDCMetadata as s, AuthMethod as t, TokenType as u, OAuthClientAuthenticationInput as v, OAuthExtensionGrantHandler as w, OAuthClientAuthenticationStrategy as x, OAuthClientAuthenticationRequest as y, Scope as z };
+export { OAuthProviderExtension as A, StoreTokenType as B, OAuthConsent as C, OAuthOpaqueAccessToken as D, OAuthMetadataExtensionInput as E, OAuthTokenResponse as F, VerificationValue as H, OAuthUserInfoExtensionInput as I, Prompt as L, OAuthResource as M, OAuthResourceInput as N, OAuthOptions as O, OAuthTokenIssueParams as P, SchemaClient as R, OAuthClientResource as S, OAuthExtensionGrantHandlerInput as T, ClientRegistrationRequest as U, StoredAuthorizationQuery as V, ResourceUriSchema as W, OAuthClaimExtensionInput as _, GrantType as a, OAuthClientAuthenticationResult as b, ResourceServerMetadata as c, ActiveAccessTokenPayload as d, AuthorizePrompt as f, OAuthAuthorizationQuery as g, OAuthAuthenticatedClient as h, Confirmation as i, OAuthRefreshToken as j, OAuthProviderApi as k, TokenEndpointAuthMethod as l, InitialAccessTokenAuthorization as m, AuthServerMetadata as n, OAuthClient as o, ClientDiscovery as p, BearerMethodsSupported as r, OIDCMetadata as s, AuthMethod as t, TokenType as u, OAuthClientAuthenticationInput as v, OAuthExtensionGrantHandler as w, OAuthClientAuthenticationStrategy as x, OAuthClientAuthenticationRequest as y, Scope as z };

package/dist/{utils-Baq6atYN.mjs → utils-DO8lmoDw.mjs}

@@ -1,4 +1,4 @@
-import { n as canonicalizeOAuthQueryParams } from "./signed-query-CFv2jNMT.mjs";
+import { n as canonicalizeOAuthQueryParams } from "./signed-query-Df1MNiSH.mjs";
 import { constantTimeEqual, makeSignature, symmetricDecrypt, symmetricEncrypt } from "better-auth/crypto";
 import { APIError } from "better-call";
 import { logger } from "@better-auth/core/env";
@@ -631,7 +631,7 @@ async function extractClientCredentials(ctx, opts, expectedAudience) {
 				confirmation: result.confirmation
 			};
 		}
-		const { verifyClientAssertion: verify } = await import("./client-assertion-CctbJywV.mjs").then((n) => n.t);
+		const { verifyClientAssertion: verify } = await import("./client-assertion-D-tAYsKC.mjs").then((n) => n.t);
 		return {
 			kind: "pre_verified",
 			method: "private_key_jwt",
@@ -736,27 +736,32 @@ function removeMaxAgeFromQuery(query) {
 }
 var PKCERequirementErrors = /* @__PURE__ */ function(PKCERequirementErrors) {
 	PKCERequirementErrors["PUBLIC_CLIENT"] = "pkce is required for public clients";
-	PKCERequirementErrors["OFFLINE_ACCESS_SCOPE"] = "pkce is required when requesting offline_access scope";
+	PKCERequirementErrors["OFFLINE_ACCESS_SCOPE"] = "pkce or OIDC nonce is required when requesting offline_access scope";
 	PKCERequirementErrors["CLIENT_REQUIRE_PKCE"] = "pkce is required for this client";
 	return PKCERequirementErrors;
 }(PKCERequirementErrors || {});
 /**
-* Determines if PKCE is required for a given client and scope.
+* Determines if PKCE is required for a given client and authorization request.
 *
 * PKCE is always required for:
 * 1. Public clients (cannot securely store client_secret)
-* 2. Requests with offline_access scope (refresh token security)
+* 2. Requests with offline_access scope unless a confidential OIDC request
+*    already uses nonce as its authorization-code injection countermeasure.
 *
-* For confidential clients without offline_access:
+* For confidential clients:
 * - Uses client.requirePKCE if set (defaults to true)
 *
 * Returns false if PKCE is not required, or the reason it is required.
 *
 * @internal
 */
-function isPKCERequired(client, requestedScopes) {
+function isPKCERequired(client, request) {
 	if (client.tokenEndpointAuthMethod === "none" || client.type === "native" || client.type === "user-agent-based" || client.public === true) return PKCERequirementErrors.PUBLIC_CLIENT;
-	if (requestedScopes?.includes("offline_access")) return PKCERequirementErrors.OFFLINE_ACCESS_SCOPE;
+	const requestScopes = request?.scopes ?? [];
+	const isOpenIdRequest = requestScopes.includes("openid");
+	const hasNonce = typeof request?.nonce === "string" && request.nonce.length > 0;
+	const hasOidcNonce = isOpenIdRequest && hasNonce;
+	if (requestScopes.includes("offline_access") && !hasOidcNonce) return PKCERequirementErrors.OFFLINE_ACCESS_SCOPE;
 	if (client.requirePKCE ?? true) return PKCERequirementErrors.CLIENT_REQUIRE_PKCE;
 	return false;
 }

package/dist/{version-DkFgXWfN.mjs → version-M87fotrf.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.7.0-beta.7";
+const PACKAGE_VERSION = "1.7.0-beta.9";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/oauth-provider",
-  "version": "1.7.0-beta.7",
+  "version": "1.7.0-beta.9",
   "description": "An oauth provider plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -63,15 +63,15 @@
   "devDependencies": {
     "listhen": "^1.9.0",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.7.0-beta.7",
-    "better-auth": "1.7.0-beta.7"
+    "@better-auth/core": "1.7.0-beta.9",
+    "better-auth": "1.7.0-beta.9"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.2",
     "@better-fetch/fetch": "1.3.1",
     "better-call": "1.3.6",
-    "@better-auth/core": "^1.7.0-beta.7",
-    "better-auth": "^1.7.0-beta.7"
+    "@better-auth/core": "^1.7.0-beta.9",
+    "better-auth": "^1.7.0-beta.9"
   },
   "scripts": {
     "build": "tsdown",