An upgrade to oidc-provider plugin that makes it oauth2.1 compliant and has a configuration that is secure by default.
Plans for the deprecation of oidc-provider plugin due to many inherent flaws in its design. Internally, plugin functions now share logic, providing for better future extensibility if new code_grants need to be written or user/client jwt or opaque tokens need to be written. Furthermore, as an oAuth 2.1 provider, it provides logic valid for an MCP server. When using the scope "openid" (optional, enabled by default), the server acts like an OpenId server able to issue id tokens and provides a /userinfo endpoint.
Features
OAuth 2.1 by default
Properly supports authorization_code, refresh_token, and client_credentials grants
PKCE by default (removes plain completely)
Public and confidential client registration
JWT plugin is required by default, but can be disabled using disableJWTPlugin flag
Access tokens can now be received in JWT verifiable format using the resource parameter (ie JWT aud field)
Id tokens are still verifiable by JWKS when using JWT Plugin, or clientSecret if disabled. Fixes issue to prevent public clients when disableJWTPlugin: true from obtaining id tokens directly even when they shouldn't be allowed an id token and should use /userinfo instead.
Protects /userinfo with scope check
Separates Refresh Token and Access token on database schema to allow multiple access tokens per refresh and multiple refresh tokens per login session.
oauthAccessToken strictly deals with opaque tokens
Opaque tokens are given only when resource parameter (aka audience) is not provided
Option to Encode and Decode refresh tokens
allowDynamicClientRegistration with allowUnauthenticatedClientRegistration flags
Separation of default expiration times
Proper creation of public and confidential clients
Prevents misconfiguration between .well-known/openid-configuration endpoint and plugin settings
scopeExpirations to assign scopes specific expiration
Custom claims through separated functions: customAccessTokenClaims, customIdTokenClaims, and customUserInfoClaims
Organizational support through activeOrganizationalId on a session such as through the organizational plugin. Attaches to oAuthClient via reference_id.
Rp-initiated logout
Account Selection via prompt=select_account.
Account Creation via prompt=create.
Prompt combinations prompt=select_account+consent and prompt=login+consent
Docs available at https://www.better-auth.com/docs/plugins/oauth-provider (pr: https://github.com/better-auth/better-auth/blob/main/docs/content/docs/plugins/oauth-provider.mdx)
An upgrade to oidc-provider plugin that makes it oauth2.1 compliant and has a configuration that is secure by default.
Plans for the deprecation of oidc-provider plugin due to many inherent flaws in its design. Internally, plugin functions now share logic, providing for better future extensibility if new code_grants need to be written or user/client jwt or opaque tokens need to be written. Furthermore, as an oAuth 2.1 provider, it provides logic valid for an MCP server. When using the scope "openid" (optional, enabled by default), the server acts like an OpenId server able to issue id tokens and provides a /userinfo endpoint.
Features
OAuth 2.1 by default
Properly supports authorization_code, refresh_token, and client_credentials grants
PKCE by default (removes plain completely)
Public and confidential client registration
JWT plugin is required by default, but can be disabled using disableJWTPlugin flag
Access tokens can now be received in JWT verifiable format using the resource parameter (ie JWT aud field)
Id tokens are still verifiable by JWKS when using JWT Plugin, or clientSecret if disabled. Fixes issue to prevent public clients when disableJWTPlugin: true from obtaining id tokens directly even when they shouldn't be allowed an id token and should use /userinfo instead.
Protects /userinfo with scope check
Separates Refresh Token and Access token on database schema to allow multiple access tokens per refresh and multiple refresh tokens per login session.
oauthAccessToken strictly deals with opaque tokens
Opaque tokens are given only when resource parameter (aka audience) is not provided
Option to Encode and Decode refresh tokens
allowDynamicClientRegistration with allowUnauthenticatedClientRegistration flags
Separation of default expiration times
Proper creation of public and confidential clients
Prevents misconfiguration between .well-known/openid-configuration endpoint and plugin settings
scopeExpirations to assign scopes specific expiration
Custom claims through separated functions: customAccessTokenClaims, customIdTokenClaims, and customUserInfoClaims
Organizational support through activeOrganizationalId on a session such as through the organizational plugin. Attaches to oAuthClient via reference_id.
Rp-initiated logout
Account Selection via prompt=select_account.
Account Creation via prompt=create.
Prompt combinations prompt=select_account+consent and prompt=login+consent
Docs available at https://www.better-auth.com/docs/plugins/oauth-provider (pr: https://github.com/better-auth/better-auth/blob/main/docs/content/docs/plugins/oauth-provider.mdx)
