From 6a6993ab620f859dd4d0eed29bbbdb51eff1d6d8 Mon Sep 17 00:00:00 2001
From: YG Park
Date: Wed, 17 Dec 2025 18:08:40 +0900
Subject: [PATCH] fix(issuer): add token_type to authorization code flow token responses
Add token_type: 'Bearer' to token endpoint responses for both authorization_code and refresh_token grant types to comply with RFC 6749 Section 5.1.
- Add token_type to authorization_code grant response (line 883)
- Add token_type to refresh_token grant response (line 951)
- Update tests to verify token_type is present in refresh token responses
Per RFC 6749 Section 5.1 (https://tools.ietf.org/html/rfc6749#section-5.1): "The authorization server MUST include the token_type parameter in the response."
---
 packages/openauth/src/issuer.ts | 2 ++
 packages/openauth/test/issuer.test.ts | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/packages/openauth/src/issuer.ts b/packages/openauth/src/issuer.ts
index f4c1f277..389d9a83 100644
--- a/packages/openauth/src/issuer.ts
+++ b/packages/openauth/src/issuer.ts
@@ -881,6 +881,7 @@ export function issuer<
 await Storage.remove(storage, key)
 return c.json({
 access_token: tokens.access,
+ token_type: "Bearer",
 expires_in: tokens.expiresIn,
 refresh_token: tokens.refresh,
 })
@@ -949,6 +950,7 @@ export function issuer<
 })
 return c.json({
 access_token: tokens.access,
+ token_type: "Bearer",
 refresh_token: tokens.refresh,
 expires_in: tokens.expiresIn,
 })
diff --git a/packages/openauth/test/issuer.test.ts b/packages/openauth/test/issuer.test.ts
index be303d77..94fa1ed3 100644
--- a/packages/openauth/test/issuer.test.ts
+++ b/packages/openauth/test/issuer.test.ts
@@ -221,6 +221,7 @@ describe("refresh token", () => {
 const refreshed = await response.json()
 expect(refreshed).toStrictEqual({
 access_token: expectNonEmptyString,
+ token_type: "Bearer",
 refresh_token: expectNonEmptyString,
 expires_in: expect.any(Number),
 })
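Review bot: The `c.json({...})` call that returns the authorization_code tokens in the `@@ -881,6 +881,7 @@` hunk passes only a body, so nothing visible here sets the `Cache-Control: no-store` header that RFC 6749 Section 5.1 requires, together with `token_type`, on any response carrying tokens. Unless middleware outside the hunk already adds it, set it before returning, for example `c.header("Cache-Control", "no-store")` if `c` is a Hono-style context, so that browsers and intermediaries do not retain the access and refresh tokens. The refresh_token response in the `@@ -949,6 +950,7 @@` hunk has the same gap. Both handlers start and end outside the visible lines, so this should be confirmed against the full function.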
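Review bot: Only the refresh-token expectations gain `token_type: "Bearer"`; nothing in this diff asserts the field on the authorization_code exchange, which is the other response the commit changes in issuer.ts. Add a matching check to the code-exchange test, for example `expect(tokens.token_type).toBe("Bearer")` with `tokens` standing for that test's parsed response, so a regression on that path is caught. The `@@ -247,6 +248,7 @@` hunk is the same refresh-token case, and the enclosing test bodies continue outside both hunks.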
@@ -247,6 +248,7 @@ describe("refresh token", () => {
 const refreshed = await response.json()
 expect(refreshed).toStrictEqual({
 access_token: expectNonEmptyString,
+ token_type: "Bearer",
 refresh_token: expectNonEmptyString,
 expires_in: expect.any(Number),
 })