[GH-ISSUE #8423] oauthProvider plugin OAuth metadata should advertise none auth method for public clients that specify it #28410

Closed
opened 2026-04-17 19:52:03 -05:00 by GiteaMirror · 6 comments
Owner

Originally created by @shadiramadan on GitHub (Mar 5, 2026).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/8423

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

Setup oauthProvider
Create a public oauth client.

// Assumed imports (not shown in the original report): a drizzle-orm database
// instance and the oauthClients table definition used below.
import { db } from "./db";
import { oauthClients } from "./schema";

async function seed() {
  await db
    .insert(oauthClients)
    .values({
      clientId: "example",
      name: "Example",
      // RFC 8252 §7.3: Loopback redirects should match host+path, allowing any port.
      // Native apps bind to ephemeral ports at runtime.
      redirectUris: ["http://127.0.0.1/callback"],
      tokenEndpointAuthMethod: "none",
      grantTypes: ["authorization_code", "refresh_token"],
      public: true,
      skipConsent: true,
      enableEndSession: true,
      createdAt: new Date(),
      updatedAt: new Date(),
      scopes: ["openid", "profile", "email", "offline_access"],
    })
    .onConflictDoNothing({ target: oauthClients.clientId });
}

// Run the seed and surface any database error instead of swallowing it.
seed().catch((err) => {
  console.error(err);
  process.exit(1);
});

Current vs. Expected behavior

When a public OAuth client is registered with tokenEndpointAuthMethod: "none", the discovery metadata /.well-known/oauth-authorization-server should include "none" in token_endpoint_auth_methods_supported.

Well-known endpoints only report:

  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],

What version of Better Auth are you using?

1.4.19

System info

N/A

Which area(s) are affected? (Select all that apply)

Backend

Auth config (if applicable)


Additional context

No response

GiteaMirror added the locked, enhancement labels 2026-04-17 19:52:03 -05:00

@dosubot[bot] commented on GitHub (Mar 5, 2026):

This is a valid observation. The "none" auth method is currently only included when allowUnauthenticatedClientRegistration is true:

token_endpoint_auth_methods_supported: [
    ...(overrides?.public_client_supported
        ? (["none"] satisfies TokenEndpointAuthMethod[])
        : []),
    "client_secret_basic",
    "client_secret_post",
],

The metadata is generated statically based on plugin configuration, not by querying registered clients. So even though individual clients can be registered with tokenEndpointAuthMethod: "none", this doesn't affect the discovery endpoint.

Workaround: Enable allowUnauthenticatedClientRegistration in your OAuth provider config to include "none" in the advertised methods, even if you're manually registering clients.

This is similar to #3359 where "refresh_token" isn't included in grant_types_supported — it suggests the metadata generation could benefit from dynamically reflecting actual capabilities.

To reply, just mention @dosu.



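The following is an added example written for this page; it is not better-auth code and does not use the plugin's own types. It contrasts the two ways of building `token_endpoint_auth_methods_supported` described in the issue and the comment above: `staticMetadata` reproduces the config-only behaviour (`"none"` appears only when `allowUnauthenticatedClientRegistration` is set), while `dynamicMetadata` also unions in the auth methods and grant types that registered clients actually use. `checkClientAgainstMetadata` is the check a client author or a CI job can run against `/.well-known/oauth-authorization-server`; it also flags a public client that is not registered with `none` and a server that does not advertise PKCE `S256`, since a public client has no secret and relies on PKCE. `redirectUriAllowed` implements the loopback rule from RFC 8252 that the seed() comment cites: for `http://127.0.0.1` and `http://[::1]` the ephemeral port is ignored but path and query must still match, and every other redirect URI must match exactly. The `RegisteredClient`, `ProviderConfig` and `AuthServerMetadata` shapes, the function names and the `https://auth.example` issuer are assumptions. One caveat on the suggested workaround: the option's stated purpose is wider than advertising a metadata value, so check what else it enables before switching it on only to get `"none"` into the discovery document.

```typescript
// Added example, not better-auth code. The shapes below are assumptions that
// mirror the fields used in the issue's seed(); they are not the plugin's types.
type TokenEndpointAuthMethod = "none" | "client_secret_basic" | "client_secret_post";

interface RegisteredClient {
  clientId: string;
  public: boolean;
  tokenEndpointAuthMethod: TokenEndpointAuthMethod;
  grantTypes: string[];
  redirectUris: string[];
}

interface ProviderConfig {
  issuer: string; // assumed value in the usage below: https://auth.example
  allowUnauthenticatedClientRegistration?: boolean;
}

interface AuthServerMetadata {
  issuer: string;
  token_endpoint_auth_methods_supported: TokenEndpointAuthMethod[];
  grant_types_supported: string[];
  code_challenge_methods_supported: string[];
}

const CONFIDENTIAL_METHODS: TokenEndpointAuthMethod[] = ["client_secret_basic", "client_secret_post"];

// Config-only metadata: the behaviour the issue reports. "none" is advertised
// only when unauthenticated dynamic client registration is switched on.
function staticMetadata(config: ProviderConfig): AuthServerMetadata {
  const none: TokenEndpointAuthMethod[] = config.allowUnauthenticatedClientRegistration ? ["none"] : [];
  return {
    issuer: config.issuer,
    token_endpoint_auth_methods_supported: [...none, ...CONFIDENTIAL_METHODS],
    grant_types_supported: ["authorization_code"],
    code_challenge_methods_supported: ["S256"],
  };
}

// Metadata that also reflects registered clients, so a public client seeded with
// tokenEndpointAuthMethod "none" and a refresh_token grant is actually advertised.
function dynamicMetadata(config: ProviderConfig, clients: RegisteredClient[]): AuthServerMetadata {
  const base = staticMetadata(config);
  const methods = new Set(base.token_endpoint_auth_methods_supported);
  const grants = new Set(base.grant_types_supported);
  for (const c of clients) {
    methods.add(c.tokenEndpointAuthMethod);
    for (const g of c.grantTypes) grants.add(g);
  }
  return {
    ...base,
    token_endpoint_auth_methods_supported: Array.from(methods),
    grant_types_supported: Array.from(grants),
  };
}

// What a client author (or a CI check) can verify against the discovery document.
// Returns the list of mismatches; an empty list means client and server agree.
function checkClientAgainstMetadata(client: RegisteredClient, md: AuthServerMetadata): string[] {
  const problems: string[] = [];
  if (!md.token_endpoint_auth_methods_supported.includes(client.tokenEndpointAuthMethod)) {
    problems.push(`token_endpoint_auth_method "${client.tokenEndpointAuthMethod}" is not advertised`);
  }
  for (const g of client.grantTypes) {
    if (!md.grant_types_supported.includes(g)) problems.push(`grant_type "${g}" is not advertised`);
  }
  if (client.public && client.tokenEndpointAuthMethod !== "none") {
    problems.push("public client cannot hold a secret; it must use token_endpoint_auth_method none");
  }
  if (client.public && !md.code_challenge_methods_supported.includes("S256")) {
    problems.push("public clients rely on PKCE, but S256 is not advertised");
  }
  return problems;
}

// Loopback rule from RFC 8252 (cited in the seed() comment): a native app binds an
// ephemeral port, so for http://127.0.0.1 and http://[::1] the port is ignored while
// path and query must still match; every other redirect URI must match exactly.
const LOOPBACK_HOSTS = new Set(["127.0.0.1", "[::1]"]);

function redirectUriAllowed(registered: string[], requested: string): boolean {
  let req: URL;
  try {
    req = new URL(requested);
  } catch {
    return false; // malformed redirect_uri is never accepted
  }
  return registered.some((r) => {
    const reg = new URL(r);
    const loopback = reg.protocol === "http:" && LOOPBACK_HOSTS.has(reg.hostname);
    if (!loopback) return r === requested;
    return req.protocol === reg.protocol && req.hostname === reg.hostname
      && req.pathname === reg.pathname && req.search === reg.search;
  });
}
```

With the client from the seed() above, `checkClientAgainstMetadata` reports two mismatches against `staticMetadata` (`none` and `refresh_token` are not advertised) and none against `dynamicMetadata`. The dynamic variant has to be recomputed, or cached and invalidated, whenever a client is registered, since unlike the config-only version its output depends on stored data.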

@luchersou commented on GitHub (Mar 11, 2026):

Hi! I would like to work on this issue if it's available.


@dvanmali commented on GitHub (Mar 11, 2026):

Equivalent #7700


@dvanmali commented on GitHub (Mar 13, 2026):

@shadiramadan this could be closed, pushed out a fix


@shadiramadan commented on GitHub (Mar 13, 2026):

Awesome! Thanks


@github-actions[bot] commented on GitHub (Mar 31, 2026):

This issue has been locked as it was closed more than 7 days ago. If you're experiencing a similar problem or you have additional context, please open a new issue and reference this one.

Reference: github-starred/better-auth#28410