Dylan Vanmali 686fba4e11 feat(oauth-provider): an oauth 2.1 compliant plugin (#4163)
An upgrade to the oidc-provider plugin that makes it OAuth 2.1 compliant and has a configuration that is secure by default.

Plans for the deprecation of the oidc-provider plugin due to many inherent flaws in its design. Internally, plugin functions now share logic, providing for better future extensibility if new code grants need to be written or user/client JWT or opaque tokens need to be written. Furthermore, as an OAuth 2.1 provider, it provides logic valid for an MCP server. When using the scope "openid" (optional, enabled by default), the server acts like an OpenID server able to issue ID tokens and provides a /userinfo endpoint.

Features

- OAuth 2.1 by default
- Properly supports authorization_code, refresh_token, and client_credentials grants
- PKCE by default (removes plain completely)
- Public and confidential client registration
- JWT plugin is required by default, but can be disabled using the disableJWTPlugin flag
- Access tokens can now be received in JWT verifiable format using the resource parameter (i.e. the JWT aud field)
- ID tokens are still verifiable by JWKS when using the JWT plugin, or by clientSecret if disabled. Fixes an issue to prevent public clients, when disableJWTPlugin: true, from obtaining ID tokens directly even when they shouldn't be allowed an ID token and should use /userinfo instead.
- Protects /userinfo with a scope check
- Separates refresh token and access token in the database schema to allow multiple access tokens per refresh token and multiple refresh tokens per login session.
- oauthAccessToken strictly deals with opaque tokens
- Opaque tokens are given only when the resource parameter (aka audience) is not provided
- Option to encode and decode refresh tokens
- allowDynamicClientRegistration with allowUnauthenticatedClientRegistration flags
- Separation of default expiration times
- Proper creation of public and confidential clients
- Prevents misconfiguration between the .well-known/openid-configuration endpoint and plugin settings
- scopeExpirations to assign scope-specific expiration
- Custom claims through separated functions: customAccessTokenClaims, customIdTokenClaims, and customUserInfoClaims
- Organizational support through activeOrganizationId on a session, such as through the organization plugin. Attaches to oAuthClient via reference_id.
- RP-initiated logout
- Account selection via prompt=select_account.
- Account creation via prompt=create.
- Prompt combinations prompt=select_account+consent and prompt=login+consent

Docs available at https://www.better-auth.com/docs/plugins/oauth-provider (pr: https://github.com/better-auth/better-auth/blob/main/docs/content/docs/plugins/oauth-provider.mdx)
2025-12-22 11:16:42 -08:00

Better Auth

The most comprehensive authentication framework for TypeScript

About the Project

Better Auth is a framework-agnostic authentication (and authorization) library for TypeScript. It provides a comprehensive set of features out of the box and includes a plugin ecosystem that simplifies adding advanced functionality with minimal code in a short amount of time, whether you need 2FA, multi-tenant support, or other complex features. It lets you focus on building your actual application instead of reinventing the wheel.

Why Better Auth

Authentication in the TypeScript ecosystem is a half-solved problem. Other open-source libraries often require a lot of additional code for anything beyond basic authentication. Rather than just pushing third-party services as the solution, I believe we can do better as a community—hence, Better Auth.

Contribution

Better Auth is a free and open-source project licensed under the MIT License. You are free to do whatever you want with it.

You could help continue its development by:

Security

If you discover a security vulnerability within Better Auth, please send an e-mail to security@better-auth.com.

All reports will be promptly addressed, and you'll be credited accordingly.
