feat(auth): add support for OAuth refresh tokens

- Added SysOauthRefreshToken to the manifest and system object definitions.
- Updated auth configuration schema to include new refresh token data-plane table.
- Enhanced system object names to include OAUTH_REFRESH_TOKEN.
- Updated pnpm-lock.yaml to include @better-auth/oauth-provider version 1.6.9.
- Created sys_oauth_refresh_token object schema with necessary fields and indexes.

Author: hotlong

content/docs/references/system/auth-config.mdx

@@ -76,6 +76,8 @@ Advanced / low-level Better-Auth options
 | **twoFactor** | `boolean` | ✅ | Enable 2FA |
 | **passkeys** | `boolean` | ✅ | Enable Passkey support |
 | **magicLink** | `boolean` | ✅ | Enable Magic Link login |
+| **oidcProvider** | `boolean` | ✅ | Enable the OpenID Connect provider plugin (acts as an OIDC IdP) |
+| **deviceAuthorization** | `boolean` | ✅ | Enable RFC 8628 Device Authorization Grant (CLI / TV-style login) |
 
 
 ---

packages/platform-objects/src/identity/index.ts

@@ -28,4 +28,5 @@ export { SysUserPreference } from './sys-user-preference.object.js';
 // ── OIDC Provider Objects ──────────────────────────────────────────────────
 export { SysOauthApplication } from './sys-oauth-application.object.js';
 export { SysOauthAccessToken } from './sys-oauth-access-token.object.js';
+export { SysOauthRefreshToken } from './sys-oauth-refresh-token.object.js';
 export { SysOauthConsent } from './sys-oauth-consent.object.js';

packages/platform-objects/src/identity/sys-oauth-access-token.object.ts

@@ -3,10 +3,15 @@
 import { ObjectSchema, Field } from '@objectstack/spec/data';
 
 /**
- * sys_oauth_access_token — Issued OAuth/OIDC access + refresh token pair
+ * sys_oauth_access_token — Issued OAuth/OIDC opaque access token
  *
- * Backed by better-auth's `oidc-provider` plugin. One row per token issuance.
- * Tokens are short-lived; expired rows can be safely pruned.
+ * Backed by `@better-auth/oauth-provider`'s `oauthAccessToken` model. One
+ * row per opaque access token issuance. Tokens are short-lived; expired
+ * rows can be safely pruned.
+ *
+ * Refresh tokens have been split into a sibling table — see
+ * {@link SysOauthRefreshToken}. The optional `refresh_id` column links an
+ * access token back to the refresh-token row that minted it.
  *
  * @namespace sys
  */
@@ -16,8 +21,8 @@ export const SysOauthAccessToken = ObjectSchema.create({
   pluralLabel: 'OAuth Access Tokens',
   icon: 'ticket',
   isSystem: true,
-  description: 'OAuth access and refresh tokens issued to client applications',
-  compactLayout: ['client_id', 'user_id', 'access_token_expires_at'],
+  description: 'Opaque OAuth access tokens issued to client applications',
+  compactLayout: ['client_id', 'user_id', 'expires_at'],
 
   fields: {
     id: Field.text({
@@ -26,26 +31,11 @@ export const SysOauthAccessToken = ObjectSchema.create({
       readonly: true,
     }),
 
-    access_token: Field.text({
-      label: 'Access Token',
-      required: true,
-      maxLength: 1024,
-    }),
-
-    refresh_token: Field.text({
-      label: 'Refresh Token',
+    token: Field.text({
+      label: 'Token',
       required: true,
       maxLength: 1024,
-    }),
-
-    access_token_expires_at: Field.datetime({
-      label: 'Access Token Expires At',
-      required: true,
-    }),
-
-    refresh_token_expires_at: Field.datetime({
-      label: 'Refresh Token Expires At',
-      required: true,
+      description: 'Opaque access token value',
     }),
 
     client_id: Field.text({
@@ -54,36 +44,55 @@ export const SysOauthAccessToken = ObjectSchema.create({
       description: 'Foreign key to sys_oauth_application.client_id',
     }),
 
+    session_id: Field.text({
+      label: 'Session ID',
+      required: false,
+      description: 'Foreign key to sys_session.id',
+    }),
+
     user_id: Field.text({
       label: 'User ID',
       required: false,
       description: 'Foreign key to sys_user.id',
     }),
 
-    scopes: Field.text({
-      label: 'Scopes',
+    refresh_id: Field.text({
+      label: 'Refresh Token ID',
       required: false,
-      maxLength: 1024,
+      description: 'Foreign key to sys_oauth_refresh_token.id',
     }),
 
-    created_at: Field.datetime({
-      label: 'Created At',
-      defaultValue: 'NOW()',
-      readonly: true,
+    reference_id: Field.text({
+      label: 'Reference ID',
+      required: false,
+      maxLength: 255,
+      description: 'Caller-supplied correlation identifier',
     }),
 
-    updated_at: Field.datetime({
-      label: 'Updated At',
+    scopes: Field.textarea({
+      label: 'Scopes',
+      required: true,
+      description: 'JSON-serialized list of scopes granted to this token',
+    }),
+
+    expires_at: Field.datetime({
+      label: 'Expires At',
+      required: true,
+    }),
+
+    created_at: Field.datetime({
+      label: 'Created At',
       defaultValue: 'NOW()',
       readonly: true,
     }),
   },
 
   indexes: [
-    { fields: ['access_token'], unique: true },
-    { fields: ['refresh_token'], unique: true },
+    { fields: ['token'], unique: true },
     { fields: ['client_id'] },
+    { fields: ['session_id'] },
     { fields: ['user_id'] },
+    { fields: ['refresh_id'] },
   ],
 
   enable: {

packages/platform-objects/src/identity/sys-oauth-application.object.ts

@@ -5,9 +5,15 @@ import { ObjectSchema, Field } from '@objectstack/spec/data';
 /**
  * sys_oauth_application — Registered OAuth/OIDC client application
  *
- * Backed by better-auth's `oidc-provider` plugin. Each row represents an
- * external application that has been registered to authenticate users
- * against this ObjectStack server (acting as an OpenID Connect IdP).
+ * Backed by `@better-auth/oauth-provider`'s `oauthClient` model. Each row
+ * represents an external application that has been registered to authenticate
+ * users against this ObjectStack server (acting as an OpenID Connect IdP).
+ *
+ * The table name is preserved from the deprecated `oidc-provider` plugin
+ * (which used the `oauthApplication` model name) so existing data remains
+ * accessible. The new model exposes a richer set of OAuth 2.1 / OIDC
+ * registration fields — see RFC 7591 (Dynamic Client Registration) and
+ * RFC 8414 (Authorization Server Metadata).
  *
  * @namespace sys
  */
@@ -33,7 +39,7 @@ export const SysOauthApplication = ObjectSchema.create({
 
     name: Field.text({
       label: 'Name',
-      required: true,
+      required: false,
       searchable: true,
       maxLength: 255,
       group: 'Identity',
@@ -46,6 +52,32 @@ export const SysOauthApplication = ObjectSchema.create({
       group: 'Identity',
     }),
 
+    uri: Field.url({
+      label: 'Home URI',
+      required: false,
+      description: 'Public homepage of the registered client',
+      group: 'Identity',
+    }),
+
+    contacts: Field.textarea({
+      label: 'Contacts',
+      required: false,
+      description: 'JSON-serialized list of contact email addresses',
+      group: 'Identity',
+    }),
+
+    tos: Field.url({
+      label: 'Terms of Service',
+      required: false,
+      group: 'Identity',
+    }),
+
+    policy: Field.url({
+      label: 'Privacy Policy',
+      required: false,
+      group: 'Identity',
+    }),
+
     metadata: Field.textarea({
       label: 'Metadata',
       required: false,
@@ -71,35 +103,137 @@ export const SysOauthApplication = ObjectSchema.create({
       group: 'Credentials',
     }),
 
-    redirect_urls: Field.textarea({
-      label: 'Redirect URLs',
+    redirect_uris: Field.textarea({
+      label: 'Redirect URIs',
       required: true,
-      description: 'Comma-separated list of allowed redirect URIs',
+      description: 'JSON-serialized list of allowed redirect URIs',
+      group: 'Credentials',
+    }),
+
+    post_logout_redirect_uris: Field.textarea({
+      label: 'Post-logout Redirect URIs',
+      required: false,
+      description: 'JSON-serialized list of allowed post-logout redirect URIs',
       group: 'Credentials',
     }),
 
     type: Field.select(['web', 'native', 'user-agent-based', 'public'], {
       label: 'Client Type',
-      required: true,
+      required: false,
       defaultValue: 'web',
       group: 'Credentials',
     }),
 
+    public: Field.boolean({
+      label: 'Public Client',
+      required: false,
+      description: 'Marks the client as a public (non-confidential) OAuth client',
+      group: 'Credentials',
+    }),
+
+    require_pkce: Field.boolean({
+      label: 'Require PKCE',
+      required: false,
+      group: 'Credentials',
+    }),
+
+    token_endpoint_auth_method: Field.text({
+      label: 'Token Endpoint Auth Method',
+      required: false,
+      maxLength: 64,
+      description: 'e.g. client_secret_basic, client_secret_post, none',
+      group: 'Credentials',
+    }),
+
+    grant_types: Field.textarea({
+      label: 'Grant Types',
+      required: false,
+      description: 'JSON-serialized list of allowed grant types',
+      group: 'Credentials',
+    }),
+
+    response_types: Field.textarea({
+      label: 'Response Types',
+      required: false,
+      description: 'JSON-serialized list of allowed response types',
+      group: 'Credentials',
+    }),
+
+    scopes: Field.textarea({
+      label: 'Allowed Scopes',
+      required: false,
+      description: 'JSON-serialized list of scopes the client may request',
+      group: 'Credentials',
+    }),
+
+    subject_type: Field.text({
+      label: 'Subject Type',
+      required: false,
+      maxLength: 32,
+      description: 'OIDC subject type (e.g. public, pairwise)',
+      group: 'Credentials',
+    }),
+
+    // ── Behaviour flags ──────────────────────────────────────────
     disabled: Field.boolean({
       label: 'Disabled',
       required: false,
       defaultValue: false,
-      group: 'Credentials',
+      group: 'Behaviour',
+    }),
+
+    skip_consent: Field.boolean({
+      label: 'Skip Consent',
+      required: false,
+      description: 'Treat as a trusted client and bypass the consent screen',
+      group: 'Behaviour',
     }),
 
-    // ── Ownership ────────────────────────────────────────────────
+    enable_end_session: Field.boolean({
+      label: 'Enable End Session',
+      required: false,
+      description: 'Allow the client to call the OIDC end-session endpoint',
+      group: 'Behaviour',
+    }),
+
+    // ── Software statement (RFC 7591 §2.3) ───────────────────────
+    software_id: Field.text({
+      label: 'Software ID',
+      required: false,
+      maxLength: 255,
+      group: 'Software',
+    }),
+
+    software_version: Field.text({
+      label: 'Software Version',
+      required: false,
+      maxLength: 64,
+      group: 'Software',
+    }),
+
+    software_statement: Field.textarea({
+      label: 'Software Statement',
+      required: false,
+      description: 'Signed JWT asserting the client metadata (RFC 7591 §2.3)',
+      group: 'Software',
+    }),
+
+    // ── Ownership / system ───────────────────────────────────────
     user_id: Field.text({
       label: 'Owner User ID',
       required: false,
       description: 'User who registered this application',
       group: 'System',
     }),
 
+    reference_id: Field.text({
+      label: 'Reference ID',
+      required: false,
+      maxLength: 255,
+      description: 'Caller-supplied correlation identifier',
+      group: 'System',
+    }),
+
     created_at: Field.datetime({
       label: 'Created At',
       defaultValue: 'NOW()',
@@ -118,6 +252,7 @@ export const SysOauthApplication = ObjectSchema.create({
   indexes: [
     { fields: ['client_id'], unique: true },
     { fields: ['user_id'] },
+    { fields: ['reference_id'] },
   ],
 
   enable: {