[PR #7185] feat(oauth-provider): add Client ID Metadata Document support for dynamic client discovery #15376

New Issue

GiteaMirror · 2026-04-13T09:59:45-05:00

GiteaMirror commented

2026-04-13 09:59:45 -05:00

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/7185
Author: @dvanmali
Created: 1/7/2026
Status: 🔄 Open

Base: next ← Head: cimd

📝 Commits (1)

2ec168b feat(oauth-provider): rework CIMD to Client ID Metadata Document

📊 Changes

14 files changed (+1607 additions, -9 deletions)

View changed files

➕ .changeset/oauth-provider-client-id-metadata-document.md (+40 -0)
📝 .cspell/auth-terms.txt (+1 -0)
📝 demo/nextjs/lib/auth.ts (+1 -0)
📝 docs/content/docs/plugins/oauth-provider.mdx (+40 -2)
➕ packages/oauth-provider/src/cimd.test.ts (+276 -0)
📝 packages/oauth-provider/src/metadata.ts (+6 -1)
📝 packages/oauth-provider/src/oauth.ts (+2 -0)
📝 packages/oauth-provider/src/types/index.ts (+60 -4)
📝 packages/oauth-provider/src/types/oauth.ts (+7 -0)
📝 packages/oauth-provider/src/types/zod.ts (+1 -1)
➕ packages/oauth-provider/src/utils/cimd.test.ts (+459 -0)
➕ packages/oauth-provider/src/utils/cimd.ts (+250 -0)
📝 packages/oauth-provider/src/utils/index.ts (+24 -1)
➕ packages/oauth-provider/src/utils/validate-metadata-document.ts (+440 -0)

📄 Description

Implements Client ID Metadata Documents (draft-ietf-oauth-client-id-metadata-document) for verified dynamic client discovery. This is the mechanism MCP uses for authorization servers to discover clients without prior registration.

New option: `clientIdMetadataDocument`

When enabled, clients can use an HTTPS URL as their client_id. The server fetches and validates the metadata document at that URL, creating a client automatically on first authorization request.

oauthProvider({
  clientIdMetadataDocument: {
    refreshRate: "60m",
    originBoundFields: ["redirect_uris", "post_logout_redirect_uris", "client_uri"],
    onClientCreated({ client, metadata, ctx }) { },
    onClientRefreshed({ client, metadata, ctx }) { },
  },
})

Configuration:

refreshRate: TTL before re-fetching (default "60m", accepts seconds or duration strings)
originBoundFields: fields whose URLs must share the client_id origin (localhost always allowed for native app flows)
onClientCreated / onClientRefreshed: lifecycle hooks for post-processing (trust levels, logo prefetching, change detection)

Supports token_endpoint_auth_method: "none" and "private_key_jwt" (with jwks or jwks_uri).

Security

SSRF protection: private/reserved IP ranges (RFC 6890), IPv4-mapped IPv6, cloud metadata endpoints; runtime-agnostic (no node:dns)
Spec compliance: client_id must equal fetch URL, no shared secrets, no symmetric auth methods, path required, no fragments/credentials/dot-segments
Origin-bound fields prevent cross-domain redirect URI injection
Admin-only fields (skip_consent, enable_end_session, disabled) stripped from external documents
Only recognized RFC 7591 fields persisted; arbitrary fields discarded
5 KB response size limit, 5-second fetch timeout, no redirect following

Demo

https://github.com/user-attachments/assets/abee40ad-04a6-4ca4-915b-f3511b3fb73d

Closes #7184

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/better-auth/better-auth/pull/7185 **Author:** [@dvanmali](https://github.com/dvanmali) **Created:** 1/7/2026 **Status:** 🔄 Open **Base:** `next` ← **Head:** `cimd` --- ### 📝 Commits (1) - [`2ec168b`](https://github.com/better-auth/better-auth/commit/2ec168b6e4c6f02dc7a853dc0371918af3cb55b1) feat(oauth-provider): rework CIMD to Client ID Metadata Document ### 📊 Changes **14 files changed** (+1607 additions, -9 deletions) <details> <summary>View changed files</summary> ➕ `.changeset/oauth-provider-client-id-metadata-document.md` (+40 -0) 📝 `.cspell/auth-terms.txt` (+1 -0) 📝 `demo/nextjs/lib/auth.ts` (+1 -0) 📝 `docs/content/docs/plugins/oauth-provider.mdx` (+40 -2) ➕ `packages/oauth-provider/src/cimd.test.ts` (+276 -0) 📝 `packages/oauth-provider/src/metadata.ts` (+6 -1) 📝 `packages/oauth-provider/src/oauth.ts` (+2 -0) 📝 `packages/oauth-provider/src/types/index.ts` (+60 -4) 📝 `packages/oauth-provider/src/types/oauth.ts` (+7 -0) 📝 `packages/oauth-provider/src/types/zod.ts` (+1 -1) ➕ `packages/oauth-provider/src/utils/cimd.test.ts` (+459 -0) ➕ `packages/oauth-provider/src/utils/cimd.ts` (+250 -0) 📝 `packages/oauth-provider/src/utils/index.ts` (+24 -1) ➕ `packages/oauth-provider/src/utils/validate-metadata-document.ts` (+440 -0) </details> ### 📄 Description Implements [Client ID Metadata Documents](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/) (draft-ietf-oauth-client-id-metadata-document) for verified dynamic client discovery. This is the mechanism [MCP](https://modelcontextprotocol.io/specification/draft/basic/authorization#client-id-metadata-documents-flow) uses for authorization servers to discover clients without prior registration. ## New option: `clientIdMetadataDocument` When enabled, clients can use an HTTPS URL as their `client_id`. The server fetches and validates the metadata document at that URL, creating a client automatically on first authorization request. ```ts oauthProvider({ clientIdMetadataDocument: { refreshRate: "60m", originBoundFields: ["redirect_uris", "post_logout_redirect_uris", "client_uri"], onClientCreated({ client, metadata, ctx }) { }, onClientRefreshed({ client, metadata, ctx }) { }, }, }) ``` Configuration: - `refreshRate`: TTL before re-fetching (default `"60m"`, accepts seconds or duration strings) - `originBoundFields`: fields whose URLs must share the client_id origin (localhost always allowed for native app flows) - `onClientCreated` / `onClientRefreshed`: lifecycle hooks for post-processing (trust levels, logo prefetching, change detection) Supports `token_endpoint_auth_method: "none"` and `"private_key_jwt"` (with `jwks` or `jwks_uri`). ## Security - SSRF protection: private/reserved IP ranges (RFC 6890), IPv4-mapped IPv6, cloud metadata endpoints; runtime-agnostic (no `node:dns`) - Spec compliance: `client_id` must equal fetch URL, no shared secrets, no symmetric auth methods, path required, no fragments/credentials/dot-segments - Origin-bound fields prevent cross-domain redirect URI injection - Admin-only fields (`skip_consent`, `enable_end_session`, `disabled`) stripped from external documents - Only recognized RFC 7591 fields persisted; arbitrary fields discarded - 5 KB response size limit, 5-second fetch timeout, no redirect following ## Demo https://github.com/user-attachments/assets/abee40ad-04a6-4ca4-915b-f3511b3fb73d Closes #7184 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

GiteaMirror added the pull-request label 2026-04-13 09:59:45 -05:00

Sign in to join this conversation.

Branches Tags

2026-05-22/chore/adopt-agents-md

2026-05-22/refactor/string-case-utils

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/turbo-2.9.14

changeset-release/main

main

2026-05-14/fix/passkey-verify-error-and-claim

dependabot/npm_and_yarn/samlify-2.13.0

dependabot/npm_and_yarn/ws-8.20.1

changeset-release/next

dependabot/npm_and_yarn/demo/electron/demo-minor-patch-519ef7475f

dependabot/github_actions/github-actions-98f3470200

client-assertions-main

2026-05-15/ci/fix-sqlite-abi-mismatch

2026-05-15/fix/organization-team-add-cascade

2026-05-15/fix/parse-set-cookie-value-validation

2026-05-13/feat/captcha-wildcard-endpoints

2026-05-13/ci/stabilize-docker-startup

fix/i18n-before-hook-translation

fix/disable-migration-generate

2026-05-07/fix/admin-set-password-upsert

2026-05-10/fix/cookie-drain-order

2026-05-10/feat/hooks-finally

2026-05-09/fix/cookie-drain-order

2026-05-09/feat/hooks-finally

2026-05-08/feat/register-before-send

fix/stripe/subscription-data-merge

2026-05-01/chore/pnpm-v11-harden

chore/pnpm-v11

2026-04-29/feat/google-include-granted-scopes

2026-04-29/fix/oauth-account-scope-semantics

2026-04-27/fix/nextcookies-idempotent-writes

2026-04-26/fix/harden-proxy-host-validation

2026-04-26/refactor/stripe-callback-signature-cleanup

2026-04-26/fix/stripe-subscription-callback-timing

2026-04-11/fix/sveltekit-app-modules

feat/open-api-zod-contract

feat/oauth-provider-backchannel-logout-next

feat/oauth-idp-initiated-bounce

refactor/sign-in-challenges

2026-04-21/fix/oauth-rfc-input-validation

fix/release-notes-new-packages

fix/two-factor-identity-guard

fix/resource

feat/emailpassword-authorize

2026-04-12/security/dynamic-baseurl-proxy-trust-default

feat/oauth-provider-at-hash-v2

fix/release-grep-fallback

claude/address-review-comments-JhFLr

claude/slack-update-stripe-docs-consistency-8Sc0w

feat/async-auth

fix/two-factor-totp-verified-enrollment

feat/plugin-ui

codex/blog-1-6-release-post

2026-04-06/fix/type-any-guards

2026-04-05/chore/downgrade-better-call

2026-04-04/ci/skip-vercel-fork-prs

2026-03-28/ci/add-autofix-ci

chore/release-preview-script

himself65/2026/02/19/role

2026-03-24/fix/update-user-info-on-link

2026-03-20/docs/improve-website

2026-03-20/fix/anonymous-onlinkaccount-expo

2026-02-17/fix/anonymous-link-state

fix/8607-saml-inresponseto

fix/8549-scim-patch-noop

v1.4.x

refactor/migration-snapshot-tests

worktree-magic-link-additional-data

chore/migrate-build-to-rollup

worktree-fix-dynamic-baseurl-8447

2026-03-06/chore/public-api-check

fix/close-8156-regression-test

fix/secondary-storage-json-error-handling

himself65/verification-namespace

cursor/issue-8307-validation-79a3

himself65/2026/01/30/error-mdx

v1.4.x-staging

fix/email-otp-user

fix/restrict-full-organization-access-roles

himself65/2026/02/12/count

himself65/2026/02/04/define-plugin

2026-02-04/feat/add-pluralize

cursor/better-auth-js-integration-ec21

cursor/expo-state-mismatch-394c

2026-02-01/fix/org-update-role-sync-members

cursor/issue-7607-investigation-e146

cursor/email-generation-helper-0ff6

himself65/2026/01/21/avoid-spread-operator

himself65/2026/01/14/cli

claude/slack-add-docs-pr-NMvgO

claude/slack-add-advanced-useplural-WHKYL

feat/hooks-pos

feat/2fa-phone

feat/2fa

fix/rotation

fix/username-check

v1.3.x

refactor/organization

feat/multiple-client-ids-social-providers

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/better-auth#15376

[PR #7185] feat(oauth-provider): add Client ID Metadata Document support for dynamic client discovery #15376