@better-auth/oauth-provider 1.7.0-beta.8 → 1.7.0-beta.9

package/dist/index.mjs

@@ -1,20 +1,20 @@
-import { D as applyOAuthProviderMetadataExtensions, E as verifyOAuthQueryParams, F as getSupportedGrantTypes, L as isExtensionTokenEndpointAuthMethod, M as getClientDiscoveries, P as getSupportedAuthMethods, R as validateOAuthProviderExtensions, S as storeToken, T as validateClientCredentials, _ as removePromptFromQuery, a as getClient, b as searchParamsToQuery, c as getStoredToken, d as mergeDiscoveryMetadata, g as removeMaxAgeFromQuery, h as parsePrompt, i as extractClientCredentials, j as extendOAuthProvider, l as isPKCERequired, m as parseClientMetadata, n as decryptStoredClientSecret, o as getJwtPlugin, p as parseBearerToken, r as destructureCredentials, t as clientAllowsGrant, u as isSessionFreshForSignedQuery, w as toResourceList, x as storeClientSecret, y as resolveSubjectIdentifier } from "./utils-Baq6atYN.mjs";
-import { a as setSignedOAuthQueryParameterNames, i as postLoginClearedParam, n as canonicalizeOAuthQueryParams, o as signedQueryIssuedAtParam, r as getSignedQueryIssuedAt } from "./signed-query-CFv2jNMT.mjs";
-import { _ as invalidateResourceCache, a as invalidateRefreshFamily, b as resolveResourcePolicy, c as ResourceUriSchema, d as clientRegistrationRequestSchema, f as JWS_ALGORITHMS, g as getResource, h as extractRepeatedResourceFromForm, i as getOAuthProviderApi, l as SafeUrlSchema, m as buildClientResourceLinkId, o as tokenEndpoint, p as assertIdentifierValid, r as decodeRefreshToken, s as userInfoEndpoint, t as introspectEndpoint, u as authorizationQuerySchema, v as isAudienceClaimAllowed, x as seedResources, y as logEnforcePerClientResourcesResolution } from "./introspect-BXNvkz8S.mjs";
-import { n as consumeClientAssertion, r as isPrivateHostname } from "./client-assertion-CctbJywV.mjs";
-import { t as PACKAGE_VERSION } from "./version-bmpg6tAD.mjs";
+import { C as STANDARD_CLAIM_NAMES, D as getRequestedUserInfoClaims, E as filterClaimsRequestUserInfoClaims, S as STANDARD_CLAIMS, T as claimsRequestParameterSchema, _ as invalidateResourceCache, a as invalidateRefreshFamily, b as resolveResourcePolicy, c as ResourceUriSchema, d as clientRegistrationRequestSchema, f as JWS_ALGORITHMS, g as getResource, h as extractRepeatedResourceFromForm, i as getOAuthProviderApi, l as SafeUrlSchema, m as buildClientResourceLinkId, o as tokenEndpoint, p as assertIdentifierValid, r as decodeRefreshToken, s as userInfoEndpoint, t as introspectEndpoint, u as authorizationQuerySchema, v as isAudienceClaimAllowed, w as getSupportedClaims, x as seedResources, y as logEnforcePerClientResourcesResolution } from "./introspect-Bzbar3iY.mjs";
+import { D as applyOAuthProviderMetadataExtensions, E as verifyOAuthQueryParams, F as getSupportedGrantTypes, L as isExtensionTokenEndpointAuthMethod, M as getClientDiscoveries, P as getSupportedAuthMethods, R as validateOAuthProviderExtensions, S as storeToken, T as validateClientCredentials, _ as removePromptFromQuery, a as getClient, b as searchParamsToQuery, c as getStoredToken, d as mergeDiscoveryMetadata, g as removeMaxAgeFromQuery, h as parsePrompt, i as extractClientCredentials, j as extendOAuthProvider, l as isPKCERequired, m as parseClientMetadata, n as decryptStoredClientSecret, o as getJwtPlugin, p as parseBearerToken, r as destructureCredentials, t as clientAllowsGrant, u as isSessionFreshForSignedQuery, w as toResourceList, x as storeClientSecret, y as resolveSubjectIdentifier } from "./utils-DO8lmoDw.mjs";
+import { a as setSignedOAuthQueryParameterNames, i as postLoginClearedParam, n as canonicalizeOAuthQueryParams, o as signedQueryIssuedAtParam, r as getSignedQueryIssuedAt } from "./signed-query-Df1MNiSH.mjs";
+import { n as consumeClientAssertion, r as isPrivateHostname } from "./client-assertion-D-tAYsKC.mjs";
+import { t as PACKAGE_VERSION } from "./version-M87fotrf.mjs";
 import { t as raiseResourceServerChallenge } from "./resource-challenge-B-cqv4ur.mjs";
 import { isBrowserFetchRequest } from "@better-auth/core/utils/fetch-metadata";
 import { isLoopbackHost, isLoopbackIP } from "@better-auth/core/utils/host";
 import { APIError, NO_STORE_HEADERS, addOAuthServerContext, createAuthEndpoint, createAuthMiddleware, dispatchAuthEndpoint, getOAuthState, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { generateRandomString, makeSignature } from "better-auth/crypto";
 import { APIError as APIError$1 } from "better-call";
-import { defineRequestState, runWithTransaction } from "@better-auth/core/context";
 import { logger } from "@better-auth/core/env";
+import * as z from "zod";
+import { defineRequestState, runWithTransaction } from "@better-auth/core/context";
 import { BetterAuthError } from "@better-auth/core/error";
 import { parseSetCookieHeader } from "better-auth/cookies";
 import { mergeSchema } from "better-auth/db";
-import * as z from "zod";
 import { DPOP_SIGNING_ALGORITHMS, PRIVATE_KEY_JWT_SIGNING_ALGORITHMS } from "@better-auth/core/oauth2";
 import { getJwks, stripAccessTokenAuthorizationScheme } from "better-auth/oauth2";
 import { compactVerify, createLocalJWKSet, decodeJwt, jwtVerify } from "jose";
@@ -29,6 +29,8 @@ async function consentEndpoint(ctx, opts, authorize) {
 	});
 	const query = new URLSearchParams(_query);
 	const originalRequestedScopes = query.get("scope")?.split(" ") ?? [];
+	const supportedClaims = getSupportedClaims(opts);
+	const originalRequestedUserInfoClaims = getRequestedUserInfoClaims(query.get("claims"), supportedClaims);
 	const clientId = query.get("client_id");
 	if (!clientId) throw new APIError("BAD_REQUEST", {
 		error_description: "client_id is required",
@@ -41,6 +43,12 @@ async function consentEndpoint(ctx, opts, authorize) {
 			error: "invalid_request"
 		});
 	}
+	const acceptedClaims = ctx.body.claims;
+	const acceptedUserInfoClaims = acceptedClaims !== void 0 ? getRequestedUserInfoClaims(acceptedClaims, supportedClaims) : originalRequestedUserInfoClaims;
+	if (acceptedClaims !== void 0 && !acceptedUserInfoClaims.every((claim) => originalRequestedUserInfoClaims.includes(claim))) throw new APIError("BAD_REQUEST", {
+		error_description: "Claim not originally requested",
+		error: "invalid_request"
+	});
 	if (!(ctx.body.accept === true)) return {
 		redirect: true,
 		url: formatErrorURL(query.get("redirect_uri") ?? "", "access_denied", "User denied access", query.get("state") ?? void 0, getIssuer(ctx, opts))
@@ -81,6 +89,7 @@ async function consentEndpoint(ctx, opts, authorize) {
 		clientId,
 		userId: session?.user.id,
 		scopes: requestedScopes ?? originalRequestedScopes,
+		requestedUserInfoClaims: acceptedUserInfoClaims,
 		createdAt: /* @__PURE__ */ new Date(iat * 1e3),
 		updatedAt: /* @__PURE__ */ new Date(iat * 1e3),
 		resources: resource.length ? resource : void 0,
@@ -95,6 +104,7 @@ async function consentEndpoint(ctx, opts, authorize) {
 		update: {
 			resources: consent.resources,
 			scopes: consent.scopes,
+			requestedUserInfoClaims: consent.requestedUserInfoClaims,
 			updatedAt: /* @__PURE__ */ new Date(iat * 1e3)
 		}
 	}) : await ctx.context.adapter.create({
@@ -105,6 +115,11 @@ async function consentEndpoint(ctx, opts, authorize) {
 		}
 	});
 	if (requestedScopes) query.set("scope", consent.scopes.join(" "));
+	if (acceptedClaims !== void 0) {
+		const claimsRequest = filterClaimsRequestUserInfoClaims(query.get("claims"), acceptedUserInfoClaims);
+		if (claimsRequest) query.set("claims", JSON.stringify(claimsRequest));
+		else query.delete("claims");
+	}
 	ctx?.headers?.set("accept", "application/json");
 	let authorizationQuery = removePromptFromQuery(query, "consent");
 	if (hasSatisfiedLoginPrompt) {
@@ -510,9 +525,11 @@ function oidcServerMetadata(ctx, opts) {
 	const { jwtPluginOptions, clientDiscoveries, authMetadata } = buildAuthServerMetadata(ctx, opts);
 	const metadata = {
 		...authMetadata,
-		claims_supported: opts?.advertisedMetadata?.claims_supported ?? opts?.claims ?? [],
+		claims_supported: getSupportedClaims(opts),
+		claims_parameter_supported: true,
 		userinfo_endpoint: `${baseURL}/oauth2/userinfo`,
 		subject_types_supported: opts.pairwiseSecret ? ["public", "pairwise"] : ["public"],
+		acr_values_supported: ["0"],
 		id_token_signing_alg_values_supported: (() => {
 			if (opts.disableJwtPlugin) return ["HS256"];
 			const primary = jwtPluginOptions?.jwks?.keyPairConfig?.alg ?? "EdDSA";
@@ -520,7 +537,8 @@ function oidcServerMetadata(ctx, opts) {
 			return Array.from(new Set([primary, ...extras]));
 		})(),
 		end_session_endpoint: `${baseURL}/oauth2/end-session`,
-		acr_values_supported: ["urn:mace:incommon:iap:bronze"],
+		request_parameter_supported: false,
+		request_uri_parameter_supported: false,
 		prompt_values_supported: [
 			"login",
 			"consent",
@@ -768,22 +786,27 @@ async function authorizeInitialAccessToken(ctx, opts, clientMetadata) {
 }
 //#endregion
 //#region src/register.ts
-/**
-* Resolves the auth method and type for unauthenticated DCR.
-* Overrides confidential methods to "none" per RFC 7591 Section 3.2.1.
-* When overriding, clears type "web" since it is only valid for confidential clients.
-*/
-function resolveUnauthenticatedAuth(body) {
-	if (body.token_endpoint_auth_method === "none") return {
-		tokenEndpointAuthMethod: "none",
-		type: body.type
-	};
-	return {
-		tokenEndpointAuthMethod: "none",
-		type: body.type === "web" ? void 0 : body.type
-	};
-}
 const DEFAULT_REGISTRATION_GRANT_TYPES = ["authorization_code"];
+const PRIVATE_JWK_MEMBER_NAMES = [
+	"d",
+	"p",
+	"q",
+	"dp",
+	"dq",
+	"qi",
+	"oth"
+];
+function hasStringJwkMember(key, memberName) {
+	return typeof key[memberName] === "string" && key[memberName].length > 0;
+}
+function isSupportedPublicJwk(key) {
+	switch (key.kty) {
+		case "RSA": return hasStringJwkMember(key, "n") && hasStringJwkMember(key, "e");
+		case "EC": return hasStringJwkMember(key, "crv") && hasStringJwkMember(key, "x") && hasStringJwkMember(key, "y");
+		case "OKP": return hasStringJwkMember(key, "crv") && hasStringJwkMember(key, "x");
+		default: return false;
+	}
+}
 function resolveRegistrationGrantTypes(client) {
 	const grantTypes = client.grant_types ?? [...DEFAULT_REGISTRATION_GRANT_TYPES];
 	if (grantTypes.length > 0) return grantTypes;
@@ -805,6 +828,23 @@ function applyOAuthClientRegistrationDefaults(client) {
 		response_types: resolveRegistrationResponseTypes(client, grantTypes)
 	};
 }
+function validatePublicJwks(jwks) {
+	const keys = Array.isArray(jwks) ? jwks : jwks.keys;
+	if (!Array.isArray(keys) || keys.length === 0) throw new APIError("BAD_REQUEST", {
+		error: "invalid_client_metadata",
+		error_description: "jwks must be a non-empty array of JWK objects or a JWKS document {keys:[...]}"
+	});
+	for (const key of keys) {
+		if (key.kty === "oct" || "k" in key || PRIVATE_JWK_MEMBER_NAMES.some((name) => name in key)) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "jwks must contain only public asymmetric keys"
+		});
+		if (!isSupportedPublicJwk(key)) throw new APIError("BAD_REQUEST", {
+			error: "invalid_client_metadata",
+			error_description: "jwks keys must be supported public JWKs with required key parameters"
+		});
+	}
+}
 async function registerEndpoint(ctx, opts) {
 	const body = ctx.body;
 	if (!opts.allowDynamicClientRegistration) throw new APIError("FORBIDDEN", {
@@ -823,9 +863,6 @@ async function registerEndpoint(ctx, opts) {
 			error: "invalid_client_metadata",
 			error_description: "client_credentials grant requires authenticated registration"
 		});
-		const resolved = resolveUnauthenticatedAuth(body);
-		body.token_endpoint_auth_method = resolved.tokenEndpointAuthMethod;
-		body.type = resolved.type;
 	}
 	if (!body.scope) body.scope = (opts.clientRegistrationDefaultScopes ?? opts.scopes)?.join(" ");
 	const requestedResources = Array.isArray(body.resources) ? [...new Set(body.resources.filter((resource) => typeof resource === "string" && resource.length > 0))] : [];
@@ -917,12 +954,7 @@ async function checkOAuthClient(client, opts, settings) {
 		error: "invalid_client_metadata",
 		error_description: `pkce is required for registered clients.`
 	});
-	const usesAssertionKeyMaterial = tokenEndpointAuthMethod === "private_key_jwt" || isExtensionTokenEndpointAuthMethod(opts, tokenEndpointAuthMethod);
 	if (clientWithDefaults.jwks || clientWithDefaults.jwks_uri) {
-		if (!usesAssertionKeyMaterial) throw new APIError("BAD_REQUEST", {
-			error: "invalid_client_metadata",
-			error_description: "jwks and jwks_uri are only allowed with private_key_jwt or an assertion-based authentication method"
-		});
 		if (clientWithDefaults.jwks && clientWithDefaults.jwks_uri) throw new APIError("BAD_REQUEST", {
 			error: "invalid_client_metadata",
 			error_description: "jwks and jwks_uri are mutually exclusive"
@@ -948,13 +980,7 @@ async function checkOAuthClient(client, opts, settings) {
 				error_description: "jwks_uri must be a valid URL"
 			});
 		}
-		if (clientWithDefaults.jwks) {
-			const keys = Array.isArray(clientWithDefaults.jwks) ? clientWithDefaults.jwks : clientWithDefaults.jwks.keys;
-			if (!Array.isArray(keys) || keys.length === 0) throw new APIError("BAD_REQUEST", {
-				error: "invalid_client_metadata",
-				error_description: "jwks must be a non-empty array of JWK objects or a JWKS document {keys:[...]}"
-			});
-		}
+		if (clientWithDefaults.jwks) validatePublicJwks(clientWithDefaults.jwks);
 	}
 	if (tokenEndpointAuthMethod === "private_key_jwt" && !clientWithDefaults.jwks && !clientWithDefaults.jwks_uri) throw new APIError("BAD_REQUEST", {
 		error: "invalid_client_metadata",
@@ -1007,6 +1033,8 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 	const clientId = opts.generateClientId?.() || generateRandomString(32, "a-z", "A-Z");
 	const clientSecret = isPublic || isPrivateKeyJwt || isExtensionAuthMethod ? void 0 : opts.generateClientSecret?.() || generateRandomString(32, "a-z", "A-Z");
 	const storedClientSecret = clientSecret ? await storeClientSecret(ctx, opts, clientSecret) : void 0;
+	const isPKCEOptionalForRegisteredClient = settings.isRegister && !isPublic && opts.clientRegistrationRequirePKCE === false;
+	const requirePKCE = body.require_pkce ?? (isPKCEOptionalForRegisteredClient ? false : void 0);
 	const iat = Math.floor(Date.now() / 1e3);
 	const referenceId = settings.referenceId ?? (session && opts.clientReference ? await opts.clientReference({
 		user: session.user,
@@ -1020,6 +1048,7 @@ async function createOAuthClientEndpoint(ctx, opts, settings) {
 		client_id: clientId,
 		client_secret: storedClientSecret,
 		client_id_issued_at: iat,
+		require_pkce: requirePKCE,
 		public: isPublic,
 		user_id: referenceId ? void 0 : session?.session.userId,
 		reference_id: referenceId
@@ -1135,7 +1164,7 @@ function schemaToOAuth(input) {
 		contacts: contacts ?? void 0,
 		tos_uri: tos ?? void 0,
 		policy_uri: policy ?? void 0,
-		jwks: jwks ? JSON.parse(jwks).keys : void 0,
+		jwks: jwks ? JSON.parse(jwks) : void 0,
 		jwks_uri: jwksUri ?? void 0,
 		software_id: softwareId ?? void 0,
 		software_version: softwareVersion ?? void 0,
@@ -2781,10 +2810,19 @@ const schema = {
 			type: "string",
 			required: false
 		},
+		authorizationCodeId: {
+			type: "string",
+			required: false,
+			index: true
+		},
 		resources: {
 			type: "string[]",
 			required: false
 		},
+		requestedUserInfoClaims: {
+			type: "string[]",
+			required: false
+		},
 		expiresAt: { type: "date" },
 		createdAt: { type: "date" },
 		revoked: {
@@ -2843,10 +2881,19 @@ const schema = {
 				type: "string",
 				required: false
 			},
+			authorizationCodeId: {
+				type: "string",
+				required: false,
+				index: true
+			},
 			resources: {
 				type: "string[]",
 				required: false
 			},
+			requestedUserInfoClaims: {
+				type: "string[]",
+				required: false
+			},
 			refreshId: {
 				type: "string",
 				required: false,
@@ -2901,6 +2948,10 @@ const schema = {
 				type: "string[]",
 				required: false
 			},
+			requestedUserInfoClaims: {
+				type: "string[]",
+				required: false
+			},
 			scopes: {
 				type: "string[]",
 				required: true
@@ -2965,13 +3016,7 @@ const oauthProvider = (options) => {
 		"sid",
 		"scope",
 		"azp",
-		...scopes.has("email") ? ["email", "email_verified"] : [],
-		...scopes.has("profile") ? [
-			"name",
-			"picture",
-			"family_name",
-			"given_name"
-		] : []
+		...STANDARD_CLAIM_NAMES.filter((name) => scopes.has(STANDARD_CLAIMS[name].scope))
 	]);
 	const opts = {
 		codeExpiresIn: 600,
@@ -3034,135 +3079,134 @@ const oauthProvider = (options) => {
 		if (isOpenIdConfigRequest) return { response: createMetadataResponse(oidcServerMetadata(endpointCtx, opts)) };
 	};
 	const oauth2AuthorizeEndpoint = createOAuthEndpoint("/oauth2/authorize", {
-		method: "GET",
-		query: authorizationQuerySchema,
+		method: ["GET", "POST"],
+		body: z.object({}).passthrough(),
 		redirectOnError: authorizeRedirectOnError(opts),
-		errorCodesByField: {
-			response_type: { invalid: "unsupported_response_type" },
-			resource: { invalid: "invalid_target" }
-		},
-		metadata: { openapi: {
-			description: "Authorize an OAuth2 request",
-			parameters: [
-				{
-					name: "response_type",
-					in: "query",
-					required: false,
-					schema: { type: "string" },
-					description: "OAuth2 response type (e.g., 'code')"
-				},
-				{
-					name: "client_id",
-					in: "query",
-					required: true,
-					schema: { type: "string" },
-					description: "OAuth2 client ID"
-				},
-				{
-					name: "redirect_uri",
-					in: "query",
-					required: false,
-					schema: {
-						type: "string",
-						format: "uri"
+		metadata: {
+			allowedMediaTypes: ["application/x-www-form-urlencoded"],
+			openapi: {
+				description: "Authorize an OAuth 2.1 request from query parameters or an application/x-www-form-urlencoded POST body",
+				parameters: [
+					{
+						name: "response_type",
+						in: "query",
+						required: false,
+						schema: { type: "string" },
+						description: "OAuth 2.1 response type (e.g., 'code')"
 					},
-					description: "OAuth2 redirect URI"
-				},
-				{
-					name: "scope",
-					in: "query",
-					required: false,
-					schema: { type: "string" },
-					description: "OAuth2 scopes (space-separated)"
-				},
-				{
-					name: "state",
-					in: "query",
-					required: false,
-					schema: { type: "string" },
-					description: "OAuth2 state parameter"
-				},
-				{
-					name: "request_uri",
-					in: "query",
-					required: false,
-					schema: { type: "string" },
-					description: "Pushed Authorization Request URI referencing stored parameters"
-				},
-				{
-					name: "code_challenge",
-					in: "query",
-					required: false,
-					schema: { type: "string" },
-					description: "PKCE code challenge"
-				},
-				{
-					name: "code_challenge_method",
-					in: "query",
-					required: false,
-					schema: { type: "string" },
-					description: "PKCE code challenge method"
-				},
-				{
-					name: "nonce",
-					in: "query",
-					required: false,
-					schema: { type: "string" },
-					description: "OpenID Connect nonce"
-				},
-				{
-					name: "max_age",
-					in: "query",
-					required: false,
-					schema: {
-						type: "integer",
-						minimum: 0
+					{
+						name: "client_id",
+						in: "query",
+						required: true,
+						schema: { type: "string" },
+						description: "OAuth 2.1 client ID"
 					},
-					description: "Maximum authentication age in seconds; forces re-authentication when exceeded"
-				},
-				{
-					name: "resource",
-					in: "query",
-					required: false,
-					schema: {
-						type: "array",
-						items: { type: "string" }
-					},
-					description: "Requested protected resource(s) for the access token. May be supplied multiple times as repeated 'resource' query parameters (RFC 8707) or as an array of strings."
-				},
-				{
-					name: "prompt",
-					in: "query",
-					required: false,
-					schema: { type: "string" },
-					description: "OAuth2 prompt parameter"
-				}
-			],
-			responses: {
-				"302": {
-					description: "Redirect to client with code or error",
-					headers: { Location: {
-						description: "Redirect URI with code or error",
+					{
+						name: "redirect_uri",
+						in: "query",
+						required: false,
 						schema: {
 							type: "string",
 							format: "uri"
-						}
-					} }
-				},
-				"400": {
-					description: "Invalid request",
-					content: { "application/json": { schema: {
-						type: "object",
-						properties: {
-							error: { type: "string" },
-							error_description: { type: "string" },
-							state: { type: "string" }
 						},
-						required: ["error"]
-					} } }
+						description: "OAuth 2.1 redirect URI"
+					},
+					{
+						name: "scope",
+						in: "query",
+						required: false,
+						schema: { type: "string" },
+						description: "OAuth 2.1 scopes (space-separated)"
+					},
+					{
+						name: "state",
+						in: "query",
+						required: false,
+						schema: { type: "string" },
+						description: "OAuth 2.1 state parameter"
+					},
+					{
+						name: "request_uri",
+						in: "query",
+						required: false,
+						schema: { type: "string" },
+						description: "Pushed Authorization Request URI referencing stored parameters"
+					},
+					{
+						name: "code_challenge",
+						in: "query",
+						required: false,
+						schema: { type: "string" },
+						description: "PKCE code challenge"
+					},
+					{
+						name: "code_challenge_method",
+						in: "query",
+						required: false,
+						schema: { type: "string" },
+						description: "PKCE code challenge method"
+					},
+					{
+						name: "nonce",
+						in: "query",
+						required: false,
+						schema: { type: "string" },
+						description: "OpenID Connect nonce"
+					},
+					{
+						name: "max_age",
+						in: "query",
+						required: false,
+						schema: {
+							type: "integer",
+							minimum: 0
+						},
+						description: "Maximum authentication age in seconds; forces re-authentication when exceeded"
+					},
+					{
+						name: "resource",
+						in: "query",
+						required: false,
+						schema: {
+							type: "array",
+							items: { type: "string" }
+						},
+						description: "Requested protected resource(s) for the access token. May be supplied multiple times as repeated 'resource' query parameters (RFC 8707) or as an array of strings."
+					},
+					{
+						name: "prompt",
+						in: "query",
+						required: false,
+						schema: { type: "string" },
+						description: "OAuth2 prompt parameter"
+					}
+				],
+				responses: {
+					"302": {
+						description: "Redirect to client with code or error",
+						headers: { Location: {
+							description: "Redirect URI with code or error",
+							schema: {
+								type: "string",
+								format: "uri"
+							}
+						} }
+					},
+					"400": {
+						description: "Invalid request",
+						content: { "application/json": { schema: {
+							type: "object",
+							properties: {
+								error: { type: "string" },
+								error_description: { type: "string" },
+								state: { type: "string" }
+							},
+							required: ["error"]
+						} } }
+					}
 				}
 			}
-		} }
+		}
 	}, async (ctx) => {
 		return authorizeEndpoint(ctx, opts, ctx.authorizeSettings ?? { isAuthorize: true });
 	});
@@ -3278,6 +3322,7 @@ const oauthProvider = (options) => {
 				body: z.object({
 					accept: z.boolean().meta({ description: "Accept or deny user consent for a set of scopes" }),
 					scope: z.string().optional().meta({ description: "List of accept of accepted space-separated scopes. If none is provided, then all originally requested scopes are accepted." }),
+					claims: claimsRequestParameterSchema.optional().meta({ description: "Accepted OIDC claims request object. If none is provided, then all originally requested claims are accepted." }),
 					oauth_query: z.string().optional().meta({ description: "The redirected page's query parameters" })
 				}),
 				use: [sessionMiddleware],
@@ -3658,8 +3703,10 @@ const oauthProvider = (options) => {
 			}),
 			oauth2UserInfo: createAuthEndpoint("/oauth2/userinfo", {
 				method: ["GET", "POST"],
+				body: z.object({ access_token: z.string().optional() }).passthrough().optional(),
 				metadata: {
 					noStore: true,
+					allowedMediaTypes: ["application/x-www-form-urlencoded"],
 					openapi: {
 						description: "Get OpenID Connect user information (UserInfo endpoint)",
 						security: [{ bearerAuth: [] }, { OAuth2: [
@@ -4037,6 +4084,24 @@ function deriveResponseMode(raw) {
 	if (responseType && /\b(token|id_token)\b/.test(responseType)) return "fragment";
 	return "query";
 }
+const authorizationQueryErrorCodesByField = {
+	response_type: { invalid: "unsupported_response_type" },
+	resource: { invalid: "invalid_target" }
+};
+function isRecord(value) {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function getStringParameter(value) {
+	return typeof value === "string" ? value : void 0;
+}
+function getAuthorizationRequestParameters(ctx, settings) {
+	const source = ctx.method === "POST" && settings?.isAuthorize === true ? ctx.body : ctx.query;
+	return { ...isRecord(source) ? source : {} };
+}
+function isAcrValuesRequestSupported(acrValues) {
+	if (acrValues === void 0) return true;
+	return acrValues.split(" ").filter(Boolean).includes("0");
+}
 const handleRedirect = (ctx, uri) => {
 	const fromFetch = isBrowserFetchRequest(ctx.request?.headers);
 	const acceptJson = ctx.headers?.get("accept")?.includes("application/json");
@@ -4153,31 +4218,68 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		error: "invalid_request"
 	});
 	const request = ctx.request;
-	let query = ctx.query;
-	if (query.request_uri) {
-		if (!opts.requestUriResolver) return handleRedirect(ctx, getErrorURL(ctx, "invalid_request_uri", "request_uri not supported"));
+	let query = getAuthorizationRequestParameters(ctx, settings);
+	ctx.query = query;
+	const requestObject = getStringParameter(query.request);
+	const requestUri = getStringParameter(query.request_uri);
+	if (requestObject !== void 0 && requestUri !== void 0) return authorizeRedirectOnError(opts)({
+		error: "invalid_request",
+		error_description: "request and request_uri cannot be used together",
+		ctx
+	});
+	if (requestObject !== void 0) return authorizeRedirectOnError(opts)({
+		error: "request_not_supported",
+		error_description: "request object not supported",
+		ctx
+	});
+	if (requestUri !== void 0) {
+		const clientId = getStringParameter(query.client_id);
+		if (!clientId) return authorizeRedirectOnError(opts)({
+			error: "invalid_request",
+			error_description: "client_id is required",
+			ctx
+		});
+		if (!opts.requestUriResolver) return authorizeRedirectOnError(opts)({
+			error: "request_uri_not_supported",
+			error_description: "request_uri not supported",
+			ctx
+		});
 		const resolvedParams = await opts.requestUriResolver({
-			requestUri: query.request_uri,
-			clientId: query.client_id ?? "",
+			requestUri,
+			clientId,
+			ctx
+		});
+		if (!resolvedParams) return authorizeRedirectOnError(opts)({
+			error: "invalid_request_uri",
+			error_description: "request_uri is invalid or expired",
 			ctx
 		});
-		if (!resolvedParams) return handleRedirect(ctx, getErrorURL(ctx, "invalid_request_uri", "request_uri is invalid or expired"));
 		const urlClientId = query.client_id;
 		query = resolvedParams;
 		if (urlClientId) query.client_id = urlClientId;
 	}
 	ctx.query = query;
 	const parsedQuery = authorizationQuerySchema.safeParse(query);
-	if (!parsedQuery.success) return authorizeRedirectOnError(opts)({
+	if (!parsedQuery.success) {
+		const mappedError = mapIssuesToOAuthError(parsedQuery.error.issues, authorizationQueryErrorCodesByField);
+		return authorizeRedirectOnError(opts)({
+			...mappedError,
+			ctx
+		});
+	}
+	query = parsedQuery.data;
+	ctx.query = query;
+	if (!isAcrValuesRequestSupported(query.acr_values)) return authorizeRedirectOnError(opts)({
 		error: "invalid_request",
-		error_description: "invalid authorization request",
+		error_description: "unsupported acr_values",
 		ctx
 	});
-	query = parsedQuery.data;
-	ctx.query = query;
 	await oAuthState.set({ query: serializeAuthorizationQuery(query).toString() });
-	if (!query.client_id) return handleRedirect(ctx, getErrorURL(ctx, "invalid_client", "client_id is required"));
-	if (!query.response_type) return handleRedirect(ctx, getErrorURL(ctx, "invalid_request", "response_type is required"));
+	if (!query.response_type) return authorizeRedirectOnError(opts)({
+		error: "invalid_request",
+		error_description: "response_type is required",
+		ctx
+	});
 	const promptSet = ctx.query?.prompt ? parsePrompt(ctx.query?.prompt) : void 0;
 	const promptNone = promptSet?.has("none") ?? false;
 	if (promptSet?.has("select_account") && !opts.selectAccount?.page) return handleRedirect(ctx, getErrorURL(ctx, `unsupported_prompt_select_account`, "unsupported prompt type"));
@@ -4199,6 +4301,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		requestedScopes = client.scopes ?? opts.scopes ?? [];
 		query.scope = requestedScopes.join(" ");
 	}
+	const requestedUserInfoClaims = getRequestedUserInfoClaims(query.claims, getSupportedClaims(opts));
 	if (query.resource !== void 0) try {
 		await resolveResourcePolicy(ctx, opts, {
 			resource: query.resource,
@@ -4213,7 +4316,10 @@ async function authorizeEndpoint(ctx, opts, settings) {
 		}
 		throw err;
 	}
-	const pkceRequired = isPKCERequired(client, requestedScopes);
+	const pkceRequired = isPKCERequired(client, {
+		scopes: requestedScopes,
+		nonce: query.nonce
+	});
 	if (pkceRequired) {
 		if (!query.code_challenge || !query.code_challenge_method) return handleRedirect(ctx, formatErrorURL(query.redirect_uri, "invalid_request", pkceRequired.valueOf(), query.state, getIssuer(ctx, opts)));
 	}
@@ -4300,7 +4406,7 @@ async function authorizeEndpoint(ctx, opts, settings) {
 			}] : []
 		]
 	});
-	if (!consent || !requestedScopes.every((val) => consent.scopes.includes(val))) {
+	if (!consent || !requestedScopes.every((val) => consent.scopes.includes(val)) || !requestedUserInfoClaims.every((claim) => (consent.requestedUserInfoClaims ?? []).includes(claim))) {
 		if (promptNone) return redirectWithPromptNoneError(ctx, opts, query, "consent_required", "End-User consent is required");
 		return redirectWithPromptCode(ctx, opts, "consent", { sessionId: session.session.id });
 	}
@@ -4324,6 +4430,7 @@ function serializeAuthorizationQuery(query) {
 	for (const [key, value] of Object.entries(query)) {
 		if (value == null) continue;
 		if (Array.isArray(value)) for (const v of value) params.append(key, String(v));
+		else if (key === "claims" && typeof value === "object") params.set(key, JSON.stringify(value));
 		else params.set(key, String(value));
 	}
 	return params;