mirror of
https://github.com/better-auth/better-auth.git
synced 2026-05-23 15:42:09 -05:00
An upgrade to the oidc-provider plugin that makes it OAuth 2.1 compliant and has a configuration that is secure by default. Plans for the deprecation of the oidc-provider plugin due to many inherent flaws in its design. Internally, plugin functions now share logic, providing for better future extensibility if new code_grants need to be written or user/client JWT or opaque tokens need to be written. Furthermore, as an OAuth 2.1 provider, it provides logic valid for an MCP server. When using the scope "openid" (optional, enabled by default), the server acts like an OpenID server able to issue ID tokens and provides a /userinfo endpoint.

Features:

- OAuth 2.1 by default
- Properly supports authorization_code, refresh_token, and client_credentials grants
- PKCE by default (removes plain completely)
- Public and confidential client registration
- JWT plugin is required by default, but can be disabled using the disableJWTPlugin flag
- Access tokens can now be received in JWT verifiable format using the resource parameter (i.e. the JWT aud field)
- ID tokens are still verifiable by JWKS when using the JWT plugin, or by clientSecret if disabled
- Fixes issue to prevent public clients, when disableJWTPlugin: true, from obtaining ID tokens directly even when they shouldn't be allowed an ID token and should use /userinfo instead
- Protects /userinfo with scope check
- Separates refresh token and access token on the database schema to allow multiple access tokens per refresh and multiple refresh tokens per login session
- oauthAccessToken strictly deals with opaque tokens
- Opaque tokens are given only when the resource parameter (aka audience) is not provided
- Option to encode and decode refresh tokens
- allowDynamicClientRegistration with allowUnauthenticatedClientRegistration flags
- Separation of default expiration times
- Proper creation of public and confidential clients
- Prevents misconfiguration between the .well-known/openid-configuration endpoint and plugin settings
- scopeExpirations to assign scope-specific expiration
- Custom claims through separated functions: customAccessTokenClaims, customIdTokenClaims, and customUserInfoClaims
- Organizational support through activeOrganizationalId on a session, such as through the organizational plugin. Attaches to oAuthClient via reference_id.
- RP-initiated logout
- Account selection via prompt=select_account
- Account creation via prompt=create
- Prompt combinations prompt=select_account+consent and prompt=login+consent

Docs available at https://www.better-auth.com/docs/plugins/oauth-provider (pr: https://github.com/better-auth/better-auth/blob/main/docs/content/docs/plugins/oauth-provider.mdx)
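The "PKCE by default, plain removed" rule from the list above, as a server-side check an OAuth 2.1 token endpoint performs; this is an added example, not code from the better-auth project, and the function names and the `{ ok, error }` result shape are assumptions for illustration.

```typescript
// Added example (not better-auth code): PKCE verification at /token as an
// OAuth 2.1 provider must do it. Only S256 is accepted; the "plain" method is
// rejected, so a leaked authorization code is useless without the verifier.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

export type PkceMethod = "S256" | "plain";

// RFC 7636: code_verifier is 43..128 characters from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

export function base64url(buf: Buffer): string {
  return buf
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

// Client side at /authorize: code_challenge = BASE64URL(SHA256(code_verifier)).
export function makeChallenge(verifier: string): string {
  return base64url(createHash("sha256").update(verifier).digest());
}

export function randomVerifier(): string {
  return base64url(randomBytes(32)); // 43 unreserved characters
}

// Server side at /token: the challenge and method were stored with the
// authorization code; the verifier arrives with the code exchange.
export function verifyPkce(
  storedChallenge: string,
  storedMethod: PkceMethod | undefined,
  presentedVerifier: string | undefined,
): { ok: boolean; error?: string } {
  if (storedMethod !== "S256") {
    return { ok: false, error: "invalid_request: only S256 is supported" };
  }
  if (!presentedVerifier || !VERIFIER_RE.test(presentedVerifier)) {
    return { ok: false, error: "invalid_grant: malformed code_verifier" };
  }
  // Constant-time comparison of the recomputed challenge with the stored one.
  const expected = Buffer.from(makeChallenge(presentedVerifier));
  const actual = Buffer.from(storedChallenge);
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) {
    return { ok: false, error: "invalid_grant: code_verifier mismatch" };
  }
  return { ok: true };
}
```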