better-auth 1.7.0-beta.6 → 1.7.0-beta.7

package/dist/api/routes/account.mjs

@@ -7,7 +7,7 @@ import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
 import { decryptOAuthToken } from "../../oauth2/token-encryption.mjs";
 import { persistOAuthAccount } from "../../oauth2/persist-account.mjs";
 import { applyUpdateUserInfoOnLink } from "../../oauth2/resolve-account.mjs";
-import { generateState } from "../../oauth2/state.mjs";
+import { generateIdTokenNonce, generateState } from "../../oauth2/state.mjs";
 import { freshSessionMiddleware, getSessionFromCtx, isStateful, sessionMiddleware } from "./session.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
 import { additionalAuthorizationParamsSchema, readGrantedScopes, supportsIdTokenSignIn, verifyProviderIdToken } from "@better-auth/core/oauth2";
@@ -184,9 +184,11 @@ const linkSocialAccount = createAuthEndpoint("/link-social", {
 	}
 	const stateNonce = generateRandomString(32);
 	const codeVerifier = generateRandomString(128);
+	const idTokenNonce = generateIdTokenNonce(provider);
 	const { url, requestedScopes } = await provider.createAuthorizationURL({
 		state: stateNonce,
 		codeVerifier,
+		idTokenNonce,
 		redirectURI: `${c.context.baseURL}${provider.callbackPath}`,
 		scopes: c.body.scopes,
 		loginHint: c.body.loginHint,
@@ -200,7 +202,8 @@ const linkSocialAccount = createAuthEndpoint("/link-social", {
 		additionalData: c.body.additionalData,
 		requestedScopes,
 		state: stateNonce,
-		codeVerifier
+		codeVerifier,
+		idTokenNonce
 	});
 	if (!c.body.disableRedirect) c.setHeader("Location", url.toString());
 	return c.json({
@@ -291,7 +294,7 @@ async function getValidAccessToken(ctx, { resolvedUserId, providerId, accountId,
 		const accessTokenExpired = account.accessTokenExpiresAt && new Date(account.accessTokenExpiresAt).getTime() - Date.now() < 5e3;
 		if (account.refreshToken && accessTokenExpired && provider.refreshAccessToken) {
 			const refreshToken = await decryptOAuthToken(account.refreshToken, ctx.context);
-			newTokens = await provider.refreshAccessToken(refreshToken);
+			newTokens = await provider.refreshAccessToken(refreshToken, ctx);
 			await persistOAuthAccount(ctx, {
 				userId: account.userId,
 				providerId: account.providerId,
@@ -420,7 +423,7 @@ const refreshToken = createAuthEndpoint("/refresh-token", {
 	if (!refreshToken) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.REFRESH_TOKEN_NOT_FOUND);
 	try {
 		const decryptedRefreshToken = await decryptOAuthToken(refreshToken, ctx.context);
-		const tokens = await provider.refreshAccessToken(decryptedRefreshToken);
+		const tokens = await provider.refreshAccessToken(decryptedRefreshToken, ctx);
 		await persistOAuthAccount(ctx, {
 			userId: account.userId,
 			providerId: account.providerId,

package/dist/api/routes/callback.mjs

@@ -6,7 +6,7 @@ import { getAwaitableValue } from "../../context/helpers.mjs";
 import { OAUTH_CALLBACK_ERROR_CODES, missingEmailLogMessage } from "../../oauth2/errors.mjs";
 import { persistOAuthAccount } from "../../oauth2/persist-account.mjs";
 import { applyUpdateUserInfoOnLink } from "../../oauth2/resolve-account.mjs";
-import { generateState, parseState } from "../../oauth2/state.mjs";
+import { generateIdTokenNonce, generateState, parseState } from "../../oauth2/state.mjs";
 import { signInWithOAuthIdentity } from "../../oauth2/sign-in-with-oauth-identity.mjs";
 import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
 import { safeJSONParse } from "@better-auth/core/utils/json";
@@ -60,15 +60,18 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		if (provider?.allowIdpInitiated) {
 			const state = generateRandomString(32);
 			const codeVerifier = generateRandomString(128);
+			const idTokenNonce = generateIdTokenNonce(provider);
 			const { url: authUrl, requestedScopes } = await provider.createAuthorizationURL({
 				state,
 				codeVerifier,
+				idTokenNonce,
 				redirectURI: `${c.context.baseURL}${provider.callbackPath}`
 			});
 			await generateState(c, {
 				requestedScopes,
 				state,
-				codeVerifier
+				codeVerifier,
+				idTokenNonce
 			});
 			throw c.redirect(authUrl.toString());
 		}
@@ -78,7 +81,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		const url = `${defaultErrorURL}${defaultErrorURL.includes("?") ? "&" : "?"}error=state_not_found`;
 		throw c.redirect(url);
 	}
-	const { codeVerifier, callbackURL, link, errorURL, newUserURL, requestSignUp, requestedScopes } = await parseState(c);
+	const { codeVerifier, callbackURL, link, errorURL, newUserURL, requestSignUp, requestedScopes, idTokenNonce } = await parseState(c);
 	function redirectOnError(error, description) {
 		const baseURL = errorURL ?? defaultErrorURL;
 		const params = new URLSearchParams({ error });
@@ -103,6 +106,10 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 		});
 		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.ISSUER_MISMATCH);
 	}
+	if (provider.requiresIdTokenNonce && !idTokenNonce) {
+		c.context.logger.error("OAuth id_token nonce binding required but no expected nonce was found in state", { providerId: provider.id });
+		throw redirectOnError(OAUTH_CALLBACK_ERROR_CODES.NONCE_BINDING_MISSING);
+	}
 	let tokens;
 	try {
 		tokens = await provider.validateAuthorizationCode({
@@ -119,6 +126,7 @@ const callbackOAuth = createAuthEndpoint("/callback/:id", {
 	const parsedUserData = userData ? safeJSONParse(userData) : null;
 	const providerResult = await provider.getUserInfo({
 		...tokens,
+		...idTokenNonce ? { expectedIdTokenNonce: idTokenNonce } : {},
 		user: parsedUserData ?? void 0
 	});
 	if (!providerResult?.user || providerResult.user.id === void 0 || providerResult.user.id === null || providerResult.user.id === "") {

package/dist/api/routes/sign-in.mjs

@@ -4,7 +4,7 @@ import { generateRandomString } from "../../crypto/random.mjs";
 import { setSessionCookie } from "../../cookies/index.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
 import { OAUTH_CALLBACK_ERROR_CODES, missingEmailLogMessage } from "../../oauth2/errors.mjs";
-import { generateState } from "../../oauth2/state.mjs";
+import { generateIdTokenNonce, generateState } from "../../oauth2/state.mjs";
 import { signInWithOAuthIdentity } from "../../oauth2/sign-in-with-oauth-identity.mjs";
 import { createEmailVerificationToken } from "./email-verification.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
@@ -144,9 +144,11 @@ const signInSocial = () => createAuthEndpoint("/sign-in/social", {
 	}
 	const state = generateRandomString(32);
 	const codeVerifier = generateRandomString(128);
+	const idTokenNonce = generateIdTokenNonce(provider);
 	const { url, requestedScopes } = await provider.createAuthorizationURL({
 		state,
 		codeVerifier,
+		idTokenNonce,
 		redirectURI: `${c.context.baseURL}${provider.callbackPath}`,
 		scopes: c.body.scopes,
 		loginHint: c.body.loginHint,
@@ -156,7 +158,8 @@ const signInSocial = () => createAuthEndpoint("/sign-in/social", {
 		additionalData: c.body.additionalData,
 		requestedScopes,
 		state,
-		codeVerifier
+		codeVerifier,
+		idTokenNonce
 	});
 	if (!c.body.disableRedirect) c.setHeader("Location", url.toString());
 	return c.json({

package/dist/index.d.mts

@@ -7,7 +7,7 @@ import { InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPlug
 import { Auth } from "./types/auth.mjs";
 import { BetterAuthAdvancedOptions, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, StoreIdentifierOption, UserProvisioningSource, ValidateUserInfoAction, ValidateUserInfoMethod, ValidateUserInfoOAuthInfo, ValidateUserInfoResult, ValidateUserInfoSSOInfo, ValidateUserInfoSource } from "./types/index.mjs";
 import { betterAuth } from "./auth/full.mjs";
-import { GenerateStateOptions, generateState, parseState } from "./oauth2/state.mjs";
+import { GenerateStateOptions, generateIdTokenNonce, generateState, parseState } from "./oauth2/state.mjs";
 import { StateData, generateGenericState, parseGenericState } from "./state.mjs";
 import { HIDE_METADATA } from "./utils/hide-metadata.mjs";
 import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes } from "./utils/url.mjs";
@@ -27,4 +27,4 @@ export * from "@better-auth/core/utils/json";
 export * from "@better-auth/core/social-providers";
 export * from "better-call";
 export * from "zod";
-export { APIError, Account, AdditionalSessionFieldsInput, AdditionalUserFieldsInput, Auth, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, ClientAtomListener, ClientStore, DBAdapter, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, ExtractPluginField, FilteredAPI, GenerateStateOptions, HIDE_METADATA, HasRequiredKeys, InferAPI, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginFieldFromTuple, InferPluginIDs, InferPluginTypes, InferSessionAPI, InferSessionFromClient, InferUserFromClient, IsAny, IsSignal, type JSONWebKeySet, type JWTPayload, JoinConfig, JoinOption, OverrideMerge, Prettify, PrettifyDeep, RateLimit, RequiredKeysOf, Session, SessionQueryParams, type StandardSchemaV1, StateData, StoreIdentifierOption, StripEmptyObjects, type TelemetryEvent, UnionToIntersection, User, UserProvisioningSource, ValidateUserInfoAction, ValidateUserInfoMethod, ValidateUserInfoOAuthInfo, ValidateUserInfoResult, ValidateUserInfoSSOInfo, ValidateUserInfoSource, Verification, Where, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes };
+export { APIError, Account, AdditionalSessionFieldsInput, AdditionalUserFieldsInput, Auth, BetterAuthAdvancedOptions, BetterAuthClientOptions, BetterAuthClientPlugin, BetterAuthCookies, BetterAuthOptions, BetterAuthPlugin, BetterAuthRateLimitOptions, ClientAtomListener, ClientStore, DBAdapter, DBAdapterInstance, DBAdapterSchemaCreation, DBTransactionAdapter, ExtractPluginField, FilteredAPI, GenerateStateOptions, HIDE_METADATA, HasRequiredKeys, InferAPI, InferActions, InferAdditionalFromClient, InferClientAPI, InferErrorCodes, InferOptionSchema, InferPluginContext, InferPluginErrorCodes, InferPluginFieldFromTuple, InferPluginIDs, InferPluginTypes, InferSessionAPI, InferSessionFromClient, InferUserFromClient, IsAny, IsSignal, type JSONWebKeySet, type JWTPayload, JoinConfig, JoinOption, OverrideMerge, Prettify, PrettifyDeep, RateLimit, RequiredKeysOf, Session, SessionQueryParams, type StandardSchemaV1, StateData, StoreIdentifierOption, StripEmptyObjects, type TelemetryEvent, UnionToIntersection, User, UserProvisioningSource, ValidateUserInfoAction, ValidateUserInfoMethod, ValidateUserInfoOAuthInfo, ValidateUserInfoResult, ValidateUserInfoSSOInfo, ValidateUserInfoSource, Verification, Where, betterAuth, createTelemetry, generateGenericState, generateIdTokenNonce, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes };

package/dist/index.mjs

@@ -1,6 +1,6 @@
 import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes } from "./utils/url.mjs";
 import { generateGenericState, parseGenericState } from "./state.mjs";
-import { generateState, parseState } from "./oauth2/state.mjs";
+import { generateIdTokenNonce, generateState, parseState } from "./oauth2/state.mjs";
 import { HIDE_METADATA } from "./utils/hide-metadata.mjs";
 import { APIError } from "./api/index.mjs";
 import { betterAuth } from "./auth/full.mjs";
@@ -14,4 +14,4 @@ export * from "@better-auth/core/oauth2";
 export * from "@better-auth/core/utils/error-codes";
 export * from "@better-auth/core/utils/id";
 export * from "@better-auth/core/utils/json";
-export { APIError, HIDE_METADATA, betterAuth, createTelemetry, generateGenericState, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes };
+export { APIError, HIDE_METADATA, betterAuth, createTelemetry, generateGenericState, generateIdTokenNonce, generateState, getBaseURL, getCurrentAdapter, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, getTelemetryAuthConfig, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, parseGenericState, parseState, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes };

package/dist/oauth2/errors.mjs

@@ -11,6 +11,7 @@ const OAUTH_CALLBACK_ERROR_CODES = {
 	ISSUER_MISSING: "issuer_missing",
 	ISSUER_MISMATCH: "issuer_mismatch",
 	INVALID_CODE: "invalid_code",
+	NONCE_BINDING_MISSING: "nonce_binding_missing",
 	UNABLE_TO_GET_USER_INFO: "unable_to_get_user_info",
 	NO_CALLBACK_URL: "no_callback_url",
 	UNABLE_TO_LINK_ACCOUNT: "unable_to_link_account",

package/dist/oauth2/index.d.mts

@@ -1,7 +1,7 @@
-import { GenerateStateOptions, generateState, parseState } from "./state.mjs";
+import { GenerateStateOptions, generateIdTokenNonce, generateState, parseState } from "./state.mjs";
 import { PersistOAuthAccountMode, PersistOAuthAccountParams, persistOAuthAccount } from "./persist-account.mjs";
 import { OAuthLinkPolicy, ResolveOAuthUserError, ResolveOAuthUserParams, ResolvedOAuthUser, applyUpdateUserInfoOnLink, canLinkImplicitly, resolveOAuthUser } from "./resolve-account.mjs";
 import { signInWithOAuthIdentity } from "./sign-in-with-oauth-identity.mjs";
 import { decryptOAuthToken, setTokenUtil } from "./token-encryption.mjs";
 export * from "@better-auth/core/oauth2";
-export { GenerateStateOptions, OAuthLinkPolicy, PersistOAuthAccountMode, PersistOAuthAccountParams, ResolveOAuthUserError, ResolveOAuthUserParams, ResolvedOAuthUser, applyUpdateUserInfoOnLink, canLinkImplicitly, decryptOAuthToken, generateState, parseState, persistOAuthAccount, resolveOAuthUser, setTokenUtil, signInWithOAuthIdentity };
+export { GenerateStateOptions, OAuthLinkPolicy, PersistOAuthAccountMode, PersistOAuthAccountParams, ResolveOAuthUserError, ResolveOAuthUserParams, ResolvedOAuthUser, applyUpdateUserInfoOnLink, canLinkImplicitly, decryptOAuthToken, generateIdTokenNonce, generateState, parseState, persistOAuthAccount, resolveOAuthUser, setTokenUtil, signInWithOAuthIdentity };

package/dist/oauth2/index.mjs

@@ -1,7 +1,7 @@
 import { decryptOAuthToken, setTokenUtil } from "./token-encryption.mjs";
 import { persistOAuthAccount } from "./persist-account.mjs";
 import { applyUpdateUserInfoOnLink, canLinkImplicitly, resolveOAuthUser } from "./resolve-account.mjs";
-import { generateState, parseState } from "./state.mjs";
+import { generateIdTokenNonce, generateState, parseState } from "./state.mjs";
 import { signInWithOAuthIdentity } from "./sign-in-with-oauth-identity.mjs";
 export * from "@better-auth/core/oauth2";
-export { applyUpdateUserInfoOnLink, canLinkImplicitly, decryptOAuthToken, generateState, parseState, persistOAuthAccount, resolveOAuthUser, setTokenUtil, signInWithOAuthIdentity };
+export { applyUpdateUserInfoOnLink, canLinkImplicitly, decryptOAuthToken, generateIdTokenNonce, generateState, parseState, persistOAuthAccount, resolveOAuthUser, setTokenUtil, signInWithOAuthIdentity };

package/dist/oauth2/state.d.mts

@@ -1,6 +1,16 @@
 import { GenericEndpointContext } from "@better-auth/core";
 
 //#region src/oauth2/state.d.ts
+/**
+ * Mint the OIDC `nonce` for the redirect flow, or `undefined` when the provider
+ * does not require ID-token nonce binding. Every redirect entrypoint (social
+ * sign-in, account linking, IDP-initiated bounce, and the OAuth popup) mints
+ * through this helper, so the value sent on the authorization URL and the value
+ * persisted in state are produced one way and cannot drift apart.
+ */
+declare function generateIdTokenNonce(provider: {
+  requiresIdTokenNonce?: boolean | undefined;
+}): string | undefined;
 /**
  * Inputs for {@link generateState}. Grouped into one object so call sites read
  * by name instead of by position.
@@ -27,6 +37,8 @@ interface GenerateStateOptions {
   state?: string | undefined;
   /** The PKCE `codeVerifier` already used to build the authorization URL. Minted when omitted. */
   codeVerifier?: string | undefined;
+  /** The OIDC nonce already sent as the authorization URL `nonce` parameter. */
+  idTokenNonce?: string | undefined;
 }
 declare function generateState(c: GenericEndpointContext, options?: GenerateStateOptions): Promise<{
   state: string;
@@ -45,8 +57,9 @@ declare function parseState(c: GenericEndpointContext): Promise<{
     userId: string;
   } | undefined;
   requestSignUp?: boolean | undefined;
+  idTokenNonce?: string | undefined;
   requestedScopes?: string[] | undefined;
   serverContext?: Record<string, unknown> | undefined;
 }>;
 //#endregion
-export { GenerateStateOptions, generateState, parseState };
+export { GenerateStateOptions, generateIdTokenNonce, generateState, parseState };

package/dist/oauth2/state.mjs

@@ -4,6 +4,16 @@ import { getOAuthServerContext, setOAuthState } from "../api/state/oauth.mjs";
 import { StateError, generateGenericState, parseGenericState } from "../state.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
 //#region src/oauth2/state.ts
+/**
+* Mint the OIDC `nonce` for the redirect flow, or `undefined` when the provider
+* does not require ID-token nonce binding. Every redirect entrypoint (social
+* sign-in, account linking, IDP-initiated bounce, and the OAuth popup) mints
+* through this helper, so the value sent on the authorization URL and the value
+* persisted in state are produced one way and cannot drift apart.
+*/
+function generateIdTokenNonce(provider) {
+	return provider.requiresIdTokenNonce ? generateRandomString(32) : void 0;
+}
 async function generateState(c, options) {
 	const callbackURL = c.body?.callbackURL || c.context.options.baseURL;
 	if (!callbackURL) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.CALLBACK_URL_REQUIRED);
@@ -20,7 +30,8 @@ async function generateState(c, options) {
 		serverContext,
 		expiresAt: Date.now() + 600 * 1e3,
 		requestSignUp: c.body?.requestSignUp,
-		requestedScopes: options?.requestedScopes
+		requestedScopes: options?.requestedScopes,
+		idTokenNonce: options?.idTokenNonce
 	};
 	await setOAuthState(stateData);
 	try {
@@ -54,4 +65,4 @@ async function parseState(c) {
 	return parsedData;
 }
 //#endregion
-export { generateState, parseState };
+export { generateIdTokenNonce, generateState, parseState };

package/dist/package.mjs

@@ -1,4 +1,4 @@
 //#region package.json
-var version = "1.7.0-beta.6";
+var version = "1.7.0-beta.7";
 //#endregion
 export { version };

package/dist/plugins/generic-oauth/index.mjs

@@ -125,6 +125,7 @@ const genericOAuth = (options) => {
 					callbackPath: `/callback/${c.providerId}`,
 					issuer,
 					idToken: idTokenConfig,
+					requiresIdTokenNonce: idTokenConfig !== void 0 && c.disableIdTokenNonceBinding !== true,
 					allowIdpInitiated: c.allowIdpInitiated,
 					createAuthorizationURL(data) {
 						if (!authorizationUrl) throw APIError.from("BAD_REQUEST", GENERIC_OAUTH_ERROR_CODES.INVALID_OAUTH_CONFIGURATION);
@@ -148,6 +149,7 @@ const genericOAuth = (options) => {
 							accessType: c.accessType,
 							responseType: c.responseType,
 							responseMode: c.responseMode,
+							nonce: data.idTokenNonce,
 							additionalParams: {
 								...c.authorizationUrlParams ?? {},
 								...data.additionalParams ?? {}
@@ -175,13 +177,14 @@ const genericOAuth = (options) => {
 						}), c.accessTokenExpiresIn);
 					},
 					async getUserInfo(tokens) {
-						if (tokens.idToken && provider.idToken) {
-							if (!await verifyProviderIdToken(provider, tokens.idToken)) {
-								ctx.logger.error(`Provider "${c.providerId}": id_token failed verification against the discovery JWKS`);
+						const { expectedIdTokenNonce, ...oauthTokens } = tokens;
+						if (oauthTokens.idToken && provider.idToken) {
+							if (!await verifyProviderIdToken(provider, oauthTokens.idToken, expectedIdTokenNonce)) {
+								ctx.logger.error(`Provider "${c.providerId}": id_token failed verification against the discovery JWKS or expected nonce`);
 								return null;
 							}
 						}
-						const raw = c.getUserInfo ? await c.getUserInfo(tokens) : await fetchUserInfo(tokens, userInfoUrl);
+						const raw = c.getUserInfo ? await c.getUserInfo(oauthTokens) : await fetchUserInfo(oauthTokens, userInfoUrl);
 						if (!raw) return null;
 						const mapped = c.mapProfileToUser ? await c.mapProfileToUser(raw) : {};
 						const rawId = isNonEmptyOAuthId(mapped.id) ? mapped.id : isNonEmptyOAuthId(raw.id) ? raw.id : isNonEmptyOAuthId(raw.sub) ? raw.sub : void 0;
@@ -202,8 +205,9 @@ const genericOAuth = (options) => {
 							data: raw
 						};
 					},
-					async refreshAccessToken(refreshToken) {
+					async refreshAccessToken(refreshToken, refreshCtx) {
 						if (!tokenUrl) throw APIError.from("BAD_REQUEST", GENERIC_OAUTH_ERROR_CODES.TOKEN_URL_NOT_FOUND);
+						const resolvedRefreshParams = typeof c.refreshTokenParams === "function" ? await c.refreshTokenParams(refreshCtx) : c.refreshTokenParams;
 						return applyDefaultAccessTokenExpiry(await refreshAccessToken({
 							refreshToken,
 							options: {
@@ -212,7 +216,8 @@ const genericOAuth = (options) => {
 							},
 							authentication: c.authentication,
 							tokenEndpointAuth,
-							tokenEndpoint: tokenUrl
+							tokenEndpoint: tokenUrl,
+							extraParams: resolvedRefreshParams
 						}), c.accessTokenExpiresIn);
 					},
 					disableImplicitSignUp: c.disableImplicitSignUp,

package/dist/plugins/generic-oauth/types.d.mts

@@ -1,5 +1,6 @@
+import { Awaitable } from "@better-auth/core";
 import { User } from "@better-auth/core/db";
-import { OAuth2Tokens, OAuth2UserInfo, TokenEndpointAuth } from "@better-auth/core/oauth2";
+import { OAuth2Tokens, OAuth2UserInfo, OAuthRefreshContext, TokenEndpointAuth } from "@better-auth/core/oauth2";
 
 //#region src/plugins/generic-oauth/types.d.ts
 type GenericOAuthUserInfo = Omit<OAuth2UserInfo, "id"> & {
@@ -136,6 +137,26 @@ interface GenericOAuthConfig<ID extends string = string> {
    * tokenEndpointAuth.
    */
   tokenUrlParams?: Record<string, string> | undefined;
+  /**
+   * Additional body params merged into the token endpoint request when
+   * refreshing an access token. Useful for multi-tenant OIDC providers that
+   * need to change `scope`, `audience`, `resource`, or a tenant identifier on
+   * the refresh call — e.g. Zitadel's `urn:zitadel:iam:org:id:{orgId}` scope
+   * on workspace switch or Auth0 `audience` rotation — without forcing a new
+   * authorization redirect.
+   *
+   * The function form is invoked at refresh time and receives request
+   * metadata for the triggering request, so dynamic
+   * per-request values like an active organization id read from cookies or
+   * headers can be injected directly. Headers and cookies are
+   * attacker-controlled: callers MUST validate any value derived from them
+   * against the authenticated user's entitlements before forwarding it as a
+   * `scope`, `audience`, or tenant claim. Resolved values are merged into the
+   * form body; `grant_type` and `refresh_token` are protected from override,
+   * and `client_id` is set by the configured token-endpoint authentication
+   * after the merge so it cannot be overridden here.
+   */
+  refreshTokenParams?: Record<string, string> | ((ctx?: OAuthRefreshContext) => Awaitable<Record<string, string> | undefined>) | undefined;
   /**
    * Disable implicit sign up for new users. When set to true for the provider,
    * sign-in need to be called with with requestSignUp as true to create new users.
@@ -191,6 +212,19 @@ interface GenericOAuthConfig<ID extends string = string> {
    * @default false
    */
   allowIdpInitiated?: boolean | undefined;
+  /**
+   * Disable OIDC `nonce` binding for this provider's `id_token`.
+   *
+   * Providers configured with `discoveryUrl` that publish a JWKS bind the
+   * `id_token` to the authorization request by default: Better Auth sends a
+   * server-generated `nonce` and rejects a callback whose `id_token` does not
+   * echo it (OIDC Core 1.0 §3.1.3.7). Set this to `true` only for OIDC
+   * providers that do not return the `nonce` claim in the authorization-code
+   * flow; doing so removes `id_token` replay protection for this provider.
+   *
+   * @default false
+   */
+  disableIdTokenNonceBinding?: boolean | undefined;
 }
 //#endregion
 export { GenericOAuthConfig, GenericOAuthOptions, GenericOAuthUserInfo };

package/dist/plugins/oauth-popup/index.mjs

@@ -4,6 +4,7 @@ import { expireCookie } from "../../cookies/index.mjs";
 import { getAwaitableValue } from "../../context/helpers.mjs";
 import { setOAuthState } from "../../api/state/oauth.mjs";
 import { INTERNAL_STATE_KEYS, generateGenericState } from "../../state.mjs";
+import { generateIdTokenNonce } from "../../oauth2/state.mjs";
 import { HIDE_METADATA } from "../../utils/hide-metadata.mjs";
 import { PACKAGE_VERSION } from "../../version.mjs";
 import { OAUTH_POPUP_DATA_ELEMENT_ID, OAUTH_POPUP_MESSAGE_TYPE, POPUP_MARKER_COOKIE } from "./constants.mjs";
@@ -132,11 +133,13 @@ const oauthPopupStart = createAuthEndpoint("/oauth-popup/start", {
 	let url;
 	try {
 		const codeVerifier = generateRandomString(128);
+		const idTokenNonce = generateIdTokenNonce(provider);
 		const parsedAdditionalData = c.query.additionalData ? safeJSONParse(c.query.additionalData) ?? {} : {};
 		const stateData = {
 			...Object.fromEntries(Object.entries(parsedAdditionalData).filter(([key]) => !INTERNAL_STATE_KEYS.has(key))),
 			callbackURL,
 			codeVerifier,
+			idTokenNonce,
 			errorURL: c.query.errorCallbackURL,
 			newUserURL: c.query.newUserCallbackURL,
 			requestSignUp: c.query.requestSignUp === "true" ? true : void 0,
@@ -152,6 +155,7 @@ const oauthPopupStart = createAuthEndpoint("/oauth-popup/start", {
 		({url} = await provider.createAuthorizationURL({
 			state,
 			codeVerifier,
+			idTokenNonce,
 			redirectURI: `${c.context.baseURL}/callback/${provider.id}`,
 			scopes: c.query.scopes ? c.query.scopes.split(",") : void 0
 		}));

package/dist/state.d.mts

@@ -19,6 +19,11 @@ declare const stateDataSchema: z.ZodObject<{
     userId: z.ZodCoercedString<unknown>;
   }, z.core.$strip>>;
   requestSignUp: z.ZodOptional<z.ZodBoolean>;
+  /**
+   * OIDC nonce sent as the authorization request `nonce` parameter when the
+   * provider requires an ID token to be bound to this redirect flow.
+   */
+  idTokenNonce: z.ZodOptional<z.ZodString>;
   /**
    * The effective set of scopes requested in the authorization URL, captured
    * from `createAuthorizationURL`. Persisted so the callback can fall back to
@@ -57,6 +62,7 @@ declare function parseGenericState(c: GenericEndpointContext, state: string | un
     userId: string;
   } | undefined;
   requestSignUp?: boolean | undefined;
+  idTokenNonce?: string | undefined;
   requestedScopes?: string[] | undefined;
   serverContext?: Record<string, unknown> | undefined;
 }>;

package/dist/state.mjs

@@ -16,6 +16,7 @@ const stateDataSchema = z.looseObject({
 		userId: z.coerce.string()
 	}).optional(),
 	requestSignUp: z.boolean().optional(),
+	idTokenNonce: z.string().optional(),
 	requestedScopes: z.array(z.string()).optional(),
 	serverContext: z.record(z.string(), z.unknown()).optional()
 });

package/dist/utils/index.d.mts

@@ -1,4 +1,4 @@
-import { GenerateStateOptions, generateState, parseState } from "../oauth2/state.mjs";
+import { GenerateStateOptions, generateIdTokenNonce, generateState, parseState } from "../oauth2/state.mjs";
 import { StateData, generateGenericState, parseGenericState } from "../state.mjs";
 import { HIDE_METADATA } from "./hide-metadata.mjs";
 import { getBaseURL, getHost, getHostFromSource, getOrigin, getProtocol, getProtocolFromSource, isDynamicBaseURLConfig, isRequestLike, matchesHostPattern, resolveBaseURL, resolveDynamicBaseURL, trimTrailingSlashes } from "./url.mjs";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "better-auth",
-  "version": "1.7.0-beta.6",
+  "version": "1.7.0-beta.7",
   "description": "The most comprehensive authentication framework for TypeScript.",
   "type": "module",
   "license": "MIT",
@@ -465,13 +465,13 @@
     "kysely": "^0.28.17 || ^0.29.0",
     "nanostores": "^1.1.1",
     "zod": "^4.3.6",
-    "@better-auth/core": "1.7.0-beta.6",
-    "@better-auth/drizzle-adapter": "1.7.0-beta.6",
-    "@better-auth/kysely-adapter": "1.7.0-beta.6",
-    "@better-auth/memory-adapter": "1.7.0-beta.6",
-    "@better-auth/mongo-adapter": "1.7.0-beta.6",
-    "@better-auth/prisma-adapter": "1.7.0-beta.6",
-    "@better-auth/telemetry": "1.7.0-beta.6"
+    "@better-auth/core": "1.7.0-beta.7",
+    "@better-auth/drizzle-adapter": "1.7.0-beta.7",
+    "@better-auth/kysely-adapter": "1.7.0-beta.7",
+    "@better-auth/memory-adapter": "1.7.0-beta.7",
+    "@better-auth/mongo-adapter": "1.7.0-beta.7",
+    "@better-auth/prisma-adapter": "1.7.0-beta.7",
+    "@better-auth/telemetry": "1.7.0-beta.7"
   },
   "devDependencies": {
     "@lynx-js/react": "^0.116.3",