github better-auth/better-auth v1.7.0-beta.9
on GitHub

latest release: v1.6.20
pre-release4 hours ago

@better-auth/oauth-provider

❗ Breaking Changes

  • Restricted customIdTokenClaims, extension ID-token claims, and per-issuance idTokenClaims from overriding protected OIDC/JWT protocol claims (#10140)

Migration: Remove any iss, sub, aud, exp, nonce, auth_time, acr, amr, or azp fields from customIdTokenClaims, extension ID-token claims, and per-issuance idTokenClaims. Use namespaced custom claims (e.g., "https://example.com/role") for application-specific data instead.

Features

  • Added support for confidential DCR clients to complete authorization-code flows without PKCE when clientRegistrationRequirePKCE: false is set (#10146)
  • Added support for the claims.userinfo authorization request parameter, allowing clients to request specific standard claims from the UserInfo endpoint (#10156)

Bug Fixes

  • Fixed the UserInfo endpoint to accept bearer tokens in application/x-www-form-urlencoded POST request bodies (#10155)
  • Fixed confidential clients that opted out of PKCE to successfully request offline_access when the authorization includes both openid scope and a nonce (#10153)
  • Fixed the OIDC authorization endpoint to accept form-encoded POST requests and return proper errors for unsupported request and request_uri parameters (#10151)
  • Fixed the UserInfo endpoint to correctly return profile and email scope claims, and added rejection of unsupported acr_values in authorization requests (#10152)
  • Fixed the token endpoint to only require redirect_uri when the original authorization request included one, and to return invalid_grant on mismatches (#10159)
  • Fixed Dynamic Client Registration to preserve client key metadata across updates (#10144)
  • Fixed authorization requests missing response_type to redirect errors to the client redirect URI instead of the provider error page (#10149)
  • Fixed authorization code replay to correctly return invalid_grant and revoke all tokens previously issued from the replayed code (#10150)
  • Fixed refresh token validation to return invalid_grant when a client attempts to use a refresh token issued to a different client (#10154)

For detailed changes, see CHANGELOG

Contributors

Thanks to everyone who contributed to this release:

@gustavovalverde

Full changelog: v1.7.0-beta.8...v1.7.0-beta.9

Check out latest releases or
releases around better-auth/better-auth v1.7.0-beta.9

Don't miss a new better-auth release

NewReleases is sending notifications on new releases.

Get notifications