An upgrade to oidc-provider plugin that makes it oauth2.1 compliant and has a configuration that is secure by default.
Plans for the deprecation of oidc-provider plugin due to many inherent flaws in its design. Internally, plugin functions now share logic, providing for better future extensibility if new code_grants need to be written or user/client jwt or opaque tokens need to be written. Furthermore, as an oAuth 2.1 provider, it provides logic valid for an MCP server. When using the scope "openid" (optional, enabled by default), the server acts like an OpenId server able to issue id tokens and provides a /userinfo endpoint.
Features
OAuth 2.1 by default
Properly supports authorization_code, refresh_token, and client_credentials grants
PKCE by default (removes plain completely)
Public and confidential client registration
JWT plugin is required by default, but can be disabled using disableJWTPlugin flag
Access tokens can now be received in JWT verifiable format using the resource parameter (ie JWT aud field)
Id tokens are still verifiable by JWKS when using JWT Plugin, or clientSecret if disabled. Fixes issue to prevent public clients when disableJWTPlugin: true from obtaining id tokens directly even when they shouldn't be allowed an id token and should use /userinfo instead.
Protects /userinfo with scope check
Separates Refresh Token and Access token on database schema to allow multiple access tokens per refresh and multiple refresh tokens per login session.
oauthAccessToken strictly deals with opaque tokens
Opaque tokens are given only when resource parameter (aka audience) is not provided
Option to Encode and Decode refresh tokens
allowDynamicClientRegistration with allowUnauthenticatedClientRegistration flags
Separation of default expiration times
Proper creation of public and confidential clients
Prevents misconfiguration between .well-known/openid-configuration endpoint and plugin settings
scopeExpirations to assign scopes specific expiration
Custom claims through separated functions: customAccessTokenClaims, customIdTokenClaims, and customUserInfoClaims
Organizational support through activeOrganizationalId on a session such as through the organizational plugin. Attaches to oAuthClient via reference_id.
Rp-initiated logout
Account Selection via prompt=select_account.
Account Creation via prompt=create.
Prompt combinations prompt=select_account+consent and prompt=login+consent
Docs available at https://www.better-auth.com/docs/plugins/oauth-provider (pr: https://github.com/better-auth/better-auth/blob/main/docs/content/docs/plugins/oauth-provider.mdx)
* feat: remove the artificial resource limit so that code can check
Also change `permission` to `permissions` (clearer for end user). `permission` is left for backwards compatibility.
* docs: add examples for multiple perms checking
* refactor: check `permissions` first, then legacy one
* feat: use union types for `permission` & `permissions`
* fix: properly use union types
* fix: remove accidental `@deprecated` comment
* chore: lint
* fix test
* chore: add oneTimeToken plugin to client barrel exports (#2224)
* docs(expo): add id token usage
* feat(oauth2): override user info on provider sign-in (#2148)
* feat(oauth2): override user info on provider sign-in
* improve email verification handling
* resolve mrge
* fix(sso): update overrideUserInfo handling to use provider configuration
* fix param
* chore: change plugin interface middleware type (#2195)
* fix: delete from session table when stopImpersonate called (#2230)
* chore: fix active organization inferred type
* chore: fix admin test
---------
Co-authored-by: Bereket Engida <bekacru@gmail.com>
Co-authored-by: Wade Fletcher <3798059+wadefletch@users.noreply.github.com>
Co-authored-by: Bereket Engida <86073083+Bekacru@users.noreply.github.com>
Co-authored-by: KinfeMichael Tariku <65047246+Kinfe123@users.noreply.github.com>
* init
* wip
* wip
* wip
* wip
* wip
* wip
* wip
* wip
* wip
* feat(stripe): enable subscription support and update pricing plans
* feat(stripe): add Vitest configuration and initial tests for Stripe integration
* feat(stripe): implement setCookieToHeader function and update tests for customer creation and subscription handling
* feat(stripe): add seats support for subscriptions and update related endpoints
* feat(stripe): update schema to include unique referenceId, stripeSubscriptionId, and periodEnd fields
* wip docs
* docs
* docs: imporves
* fix(stripe): update webhook handlers to use correct subscription identification
* refactor(stripe): simplify customer management by storing Stripe customer ID directly on user
* chore(stripe): update package configuration and build setup
- Migrated from tsup to unbuild for build configuration
- Updated package.json with improved export and dependency management
- Added build configuration for better module support
- Removed tsup configuration file
* chore(stripe): update pnpm lockfile dependencies
- Moved `better-auth` from devDependencies to dependencies
- Added `zod` as a direct dependency
- Reorganized package dependencies in the lockfile
* feat(stripe): enhance subscription management and error handling
- Added toast error handling for subscription upgrades in the dashboard
- Updated Stripe price IDs for different plans
- Improved Stripe plugin documentation with beta warning and team subscription details
- Implemented intermediate redirect for checkout success to handle race conditions
- Added support for fetching and updating subscription status after checkout
- Fixed Next.js cookie handling and build configuration
* chore: update snapshot
