[PR #7609] [MERGED] feat(oauth): add support for legacy OAuth clients that don't use PKCE #15686

Closed
opened 2026-04-13 10:10:25 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/better-auth/better-auth/pull/7609
Author: @OscarCornish
Created: 1/25/2026
Status: Merged
Merged: 2/16/2026
Merged by: @Bekacru

Base: canary ← Head: feat/oauth-provider-pkce-support


📝 Commits (10+)

  • 1f7a189 feat(oauth): Add support for non-PKCE capable clients
  • 33978ca chore(oauth): Add test for optional PKCE
  • e5d2b50 docs(oauth): update docs
  • 56b3c8b Apply suggestion from @Copilot
  • e667b5a Merge branch 'canary' into feat/oauth-provider-pkce-support
  • 9db868d Merge branch 'canary' into feat/oauth-provider-pkce-support
  • e995dc2 correct typing in tests
  • 8e1942f more detailed PKCE errors
  • af7ee43 don't allow require_pkce on non-admin endpoints
  • 57ce99f Fail fast on malformed requests token

📊 Changes

10 files changed (+974 additions, -57 deletions)


📝 docs/content/docs/plugins/oauth-provider.mdx (+72 -1)
📝 packages/oauth-provider/src/authorize.ts (+53 -29)
📝 packages/oauth-provider/src/oauthClient/index.ts (+6 -0)
➕ packages/oauth-provider/src/pkce-optional.test.ts (+697 -0)
📝 packages/oauth-provider/src/register.ts (+11 -0)
📝 packages/oauth-provider/src/schema.ts (+4 -0)
📝 packages/oauth-provider/src/token.ts (+66 -27)
📝 packages/oauth-provider/src/types/index.ts (+9 -0)
📝 packages/oauth-provider/src/types/oauth.ts (+9 -0)
📝 packages/oauth-provider/src/utils/index.ts (+47 -0)

📄 Description

  • feat(oauth): Add support for non-PKCE capable clients
  • chore(oauth): Add test for optional PKCE
  • docs(oauth): update docs

Summary by cubic

Adds per-client PKCE configuration with an admin-only opt-out for legacy confidential clients, while keeping PKCE mandatory for public clients and any request with offline_access. Tightens authorize/token flows with explicit S256-only checks, robust PKCE validation, and clearer errors; updates registration rules, docs, and tests.

  • New Features

    • Added require_pkce to client schema and adminCreateOAuthClient (default true; admin-only; ignored on non-admin/dynamic registration).
    • Authorization endpoint uses isPKCERequired, validates optional PKCE params (must be provided together), enforces S256-only, and returns specific reasons when PKCE is required (public client, offline_access, per-client).
    • Token endpoint requires either code_verifier or client_secret, applies PKCE rules per client and scope, and adds strict auth/token PKCE consistency checks with fail-fast 400/401 errors.
  • Migration

    • Removed global requirePKCE; use per-client require_pkce via the admin API for legacy confidential clients.
    • PKCE remains required for public clients and any request with offline_access; only set require_pkce: false for confidential legacy clients that cannot be updated.

Written for commit 0706f9766f. Summary will update on new commits.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2026-04-13 10:10:25 -05:00

Reference: github-starred/better-auth#15686