better-auth-fix-oauth-provider-return

Based on#9277
SegmentInvestigate-and-fix
Typebug
## Task

Have a bunch of OAuth/OIDC interoperability issues
that all look related.

- Compliant relying parties say that when they send us a malformed request, we don't
hand back the error shape that's in the OAuth specs. They get our
generic validation error instead of the RFC error envelope, so they
can't tell why the request failed.
- When the request to the authorization endpoint is malformed,
the relying party never sees the error delivered back to its redirect
URI the way the spec says it should (just gets a raw error
response).
- Native/desktop integrators report that passing a
token_type_hint value we don't recognize gets their otherwise-valid
revoke or introspect call rejected outright.

Track these down. Fix so our OAuth provider's error behavior is in line with the
OAuth/OIDC RFCs.

## General instructions

- The code repo is at /repo/better-auth.
- You are inside of a Docker container. You may not be able to perform all operations you would normally be able to do on a local machine. Dependencies have not been pre-installed, and you may need to install them yourself.
- You are expected to act autonomously as a software engineer to complete tasks you are given.
- Do not stop until you feel you have completed the task and your code changes can be merged.
- You may need to use software engineering skills like analyzing the codebase, researching technologies, running services, analyzing logs, etc. to complete the task. Not all tasks will be solvable by reading source code alone.

Agent Results

AgentTastefulBasicVerifierValidationRubricBloatPractTasteCheated
Oracle
18/181.001.0x5.04.0
Sonnet 5
14/180.600.3x3.03.0
Opus 4.7
13/180.400.3x4.03.0
GLM-5.2
12/180.400.2x4.03.0
Opus 4.8
11/180.400.1x4.03.0
Gemini 3.5 Flash
10/180.200.1x2.02.0
GPT-5.5
10/180.600.6x3.03.0
Gemini 3.1 Pro
9/180.400.1x3.02.0
GPT-5.4
9/180.5x3.03.0
Sonnet 4.6
9/180.400.2x4.03.0
Kimi K2.6
7/180.601.5x3.02.0
No-Op
4/180.80
Agent details

Verifier Tests

Gemini 3.1 Pro9/18

Rubric Criteria

Gemini 3.1 Pro2/5
Pass → Pass
missing_vs_unsupported_distinguished
open_redirect_guard_on_authorize_errors
response_mode_channel_selection
unsupported_token_type_reserved_for_token_not_hint
all_error_emitting_endpoints_migrated

Taste Scores

Patch Bloat0.1x
83 agent / 563 oracle SLOC, 5 / 7 files(raw: 0.2x)
Practice Alignment — 3.0/5
2
style consistency
2
pattern adherence
3
library usage
3
abstraction level
3
documentation fit
Relative Taste — 2.0/5
2
minimality
2
approach quality
2
hygiene
2
fluency
2
craftsmanship

Agent Patch