[GH-ISSUE #8150] OAuth Provider: /oauth/public-client is not actually public #19636

Closed
opened 2026-04-15 18:55:09 -05:00 by GiteaMirror · 3 comments

Originally created by @rbayliss on GitHub (Feb 25, 2026).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/8150

Originally assigned to: @Paola3stefania on GitHub.

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

Create a backend that uses the oauth-provider plugin.
Create an OAuth client.
Observe that curl {baseURL}/oauth2/public-client?client_id={client_id} responds with an unauthorized message.

Current vs. Expected behavior

The /oauth2/public-client endpoint requires authentication to use. I'd like to be able to use this in pre-auth flows (e.g. "You are about to log into {client_name}"). I'd expect that this endpoint would allow it based on the name, but alas, I'm not able to, due to the session middleware that's applied.

What version of Better Auth are you using?

1.5.0-beta.16

System info

{
  "system": {
    "platform": "darwin",
    "arch": "arm64",
    "version": "Darwin Kernel Version 25.3.0: Wed Jan 28 20:48:41 PST 2026; root:xnu-12377.81.4~5/RELEASE_ARM64_T6041",
    "release": "25.3.0",
    "cpuCount": 14,
    "cpuModel": "Apple M4 Pro",
    "totalMemory": "48.00 GB",
    "freeMemory": "0.13 GB"
  },
  "node": {
    "version": "v24.13.0",
    "env": "development"
  },
  "packageManager": {
    "name": "npm",
    "version": "11.10.1"
  },
  "frameworks": [
    {
      "name": "hono",
      "version": "4.12.1"
    }
  ],
  "databases": [
    {
      "name": "better-sqlite3",
      "version": "12.6.2"
    },
    {
      "name": "pg",
      "version": "8.18.0"
    },
    {
      "name": "drizzle",
      "version": "^0.45.0"
    }
  ],
  "betterAuth": {
    "version": "1.5.0-beta.16",
    "config": null
  }
}

Which area(s) are affected? (Select all that apply)

Backend

Auth config (if applicable)

import { betterAuth } from "better-auth";
export const auth = betterAuth({
  emailAndPassword: {
    enabled: true,
  },
});

Additional context

No response

GiteaMirror added the locked, bug labels 2026-04-15 18:55:09 -05:00

@dosubot[bot] commented on GitHub (Feb 25, 2026):

This looks like a bug. The [`/oauth2/public-client` endpoint has `sessionMiddleware` applied](https://github.com/better-auth/better-auth/blob/074478e928624ca038a579817b47174ac15ef56a/packages/oauth-provider/src/oauthClient/index.ts#L436-L454), which requires authentication even though:

  1. The endpoint name suggests it's for public access
  2. The OpenAPI description explicitly says it ["Gets publically available client fields"](https://github.com/better-auth/better-auth/blob/074478e928624ca038a579817b47174ac15ef56a/packages/oauth-provider/src/oauthClient/index.ts#L445)
  3. The endpoint only returns [non-sensitive data](https://github.com/better-auth/better-auth/blob/074478e928624ca038a579817b47174ac15ef56a/packages/oauth-provider/src/oauthClient/endpoints.ts#L55-L83) (client name, URI, icon, ToS, policy) and explicitly excludes `client_secret`
  4. Your use case (pre-auth "You are about to log into {client_name}" flows) is exactly what this endpoint should support

This is similar to a [bug in v1.4.1 where `/oauth2/userinfo` incorrectly required cookie-based authentication](https://github.com/better-auth/better-auth/issues/6284) due to misapplied `sessionMiddleware`. That was fixed in PR #6282.

The fix would be to remove `sessionMiddleware` from the endpoint definition in `packages/oauth-provider/src/oauthClient/index.ts`.


@dvanmali commented on GitHub (Feb 28, 2026):

This is intentional. Keeping this open would allow any bad actor to receive data about any client.

Its functionality is thus useful post login. If you desire pre login, you'd likely want to create your own endpoint and perform oauth_query validation for the endpoint.


@github-actions[bot] commented on GitHub (Mar 31, 2026):

This issue has been locked as it was closed more than 7 days ago. If you're experiencing a similar problem or you have additional context, please open a new issue and reference this one.


Reference: github-starred/better-auth#19636