better_auth-sso 0.6.2 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2e57052c749ed1cc476cde2b203dc6f1965345a5f032666b801973d9215fe7e7
-  data.tar.gz: b8b1214d8de33f3b1a24a80d97d36048cb80fbeb67a26c7d3ff87eda0721bc89
+  metadata.gz: d4f762319ea61412d5e0eb1ac83d359c9b533f761ba2f655d166544ad2d21b83
+  data.tar.gz: aa5768114552b9cdb59dd3ae6ac5b394172d0ae859193f4d6ac3495e8ef00f6a
 SHA512:
-  metadata.gz: 954ad27f4c4f388f1a5b937e584cd7cacdcb5a0cda037896c1b885e2bf0c5b12cf4875fa5bb69d118d46c4f596ad21f728a2949026a54e9971dba129f5560153
-  data.tar.gz: a03a6cba0f4a05fa925152a8574a0aee37c4adf66137796d9cf71c87312f16aaab46a50330a0ee8ddc9d574c8f61d1a4acab6091eb36c4c74da63eb0374550ce
+  metadata.gz: 147d540a80e7584227916a79c3fa2e34508de75c39de90332c2a1fd4c37913d00b31285830a18b95e27bc0d8679953565506e4f6f506692c5fb83f24273e4dff
+  data.tar.gz: 31807bffa4c57fa065295b2bc2ff27f5f346990597c314e63b86d531d44cf13a4466b6717efae71626ea51a44a8708e4f71fef2d6ee97ea306f77ecdbdd7d7b0

data/CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## Unreleased
+
+## 0.7.0 - 2026-05-05
+
+- Fixed SAML config validation for `singleSignOnService` and added validation for `singleLogoutService`.
+- Hardened OIDC callbacks by binding signed state `providerId` to the callback route and verifying `nonce` on JWKS-backed ID tokens.
+- Changed SSO domain verification to require exact TXT record matches and corrected the insufficient access error code to `INSUFFICIENT_ACCESS`.
+- Declared `jwt` as a direct runtime dependency for the SSO gem.
+- Added regression coverage for SAML SP metadata XML responses.
+
 ## 0.2.0 - 2026-04-29
 
 - Improved SSO upstream parity for OIDC and SAML provider flows, organization handling, callback behavior, metadata parsing, account linking, and response/error shapes.

data/README.md

@@ -2,7 +2,10 @@
 
 External SSO plugin package for `better_auth`.
 
-SSO is the app-facing feature. It supports OIDC SSO and SAML SSO. SAML is not the same thing as SSO; SAML is one protocol used by SSO.
+SSO is the app-facing feature. It supports OIDC SSO, SAML SSO, provider management,
+domain verification, SAML replay protection, runtime OIDC discovery, organization
+assignment, and SAML Single Logout. SAML is not the same thing as SSO; SAML is
+one protocol used by SSO.
 
 ```ruby
 require "better_auth"
@@ -15,7 +18,11 @@ BetterAuth.auth(
 )
 ```
 
-SAML XML validation is included in this package and backed by `ruby-saml`:
+SAML XML validation is included in this package and backed by `ruby-saml`.
+Production XML SAML deployments should configure `BetterAuth::SSO::SAML.sso_options`
+or compatible SAML hooks so AuthnRequest generation and SAMLResponse parsing use
+the real XML/SAML boundary instead of the lightweight JSON/base64 fallback used by
+local tests:
 
 ```ruby
 require "better_auth/sso"
@@ -43,3 +50,30 @@ SAML SLO follows upstream route shapes when `saml.enableSingleLogout` is enabled
 Ruby keeps the lightweight JSON/base64 fallback used by the local SAML test adapter, and real XML deployments should configure `BetterAuth::SSO::SAML.sso_options` or compatible SAML hooks.
 
 SCIM is a separate provisioning feature and lives in `better_auth-scim`.
+
+## Organization Assignment
+
+When the organization plugin is installed, SSO can add users to an organization
+linked to an SSO provider. SSO login flows assign from the matched provider.
+Generic OAuth callbacks under `/callback/:provider` also assign by verified SSO
+email domain when domain verification is enabled, matching upstream behavior for
+users who sign in through non-SSO OAuth but share an enterprise domain.
+
+## Schema Compatibility
+
+The Ruby package intentionally keeps the historical default SSO provider model
+name `ssoProviders` for backward compatibility. Upstream Better Auth defaults to
+`ssoProvider`; configure `model_name:` if your application needs a different
+storage model name.
+
+Field mapping options are supported through `fields:` for the SSO provider
+schema, including `issuer`, `oidcConfig`, `samlConfig`, `userId`, `providerId`,
+`organizationId`, `domain`, and `domainVerified`.
+
+## Scope and Non-Goals
+
+This package does not currently imply support for advanced enterprise features
+such as `private_key_jwt`, mTLS client authentication, every SAML XML edge case,
+or large internal SSO refactors. Those items are tracked in the
+[upstream and product alignment backlog](../../.docs/backlog/upstream-product-alignment.md)
+until they have explicit product scope and upstream parity decisions.

data/lib/better_auth/plugins/sso.rb

@@ -91,11 +91,60 @@ module BetterAuth
         init: ->(_ctx) { {options: {advanced: {disable_origin_check: ["/sso/saml2/callback", "/sso/saml2/sp/acs", "/sso/saml2/sp/slo"]}}} },
         schema: BetterAuth::SSO::Routes::Schemas.plugin_schema(config),
         endpoints: endpoints,
+        hooks: sso_hooks(config),
         error_codes: SSO_ERROR_CODES,
         options: config
       )
     end
 
+    def sso_hooks(config = {})
+      {
+        before: [
+          {
+            matcher: ->(ctx) { ctx.path == "/sign-out" },
+            handler: ->(ctx) { sso_before_sign_out(ctx, config) }
+          }
+        ],
+        after: [
+          {
+            matcher: ->(ctx) { ctx.path.to_s.match?(%r{\A/callback/[^/]+\z}) },
+            handler: ->(ctx) { sso_after_generic_callback(ctx, config) }
+          }
+        ]
+      }
+    end
+
+    def sso_before_sign_out(ctx, config = {})
+      return unless config.dig(:saml, :enable_single_logout)
+
+      token_cookie = ctx.context.auth_cookies[:session_token]
+      session_token = ctx.get_signed_cookie(token_cookie.name, ctx.context.secret)
+      return if session_token.to_s.empty?
+
+      lookup_key = "#{SSO_SAML_SESSION_BY_ID_KEY_PREFIX}#{session_token}"
+      session_lookup = ctx.context.internal_adapter.find_verification_value(lookup_key)
+      saml_session_key = session_lookup&.fetch("value", nil)
+      ctx.context.internal_adapter.delete_verification_by_identifier(saml_session_key) if saml_session_key
+      ctx.context.internal_adapter.delete_verification_by_identifier(lookup_key)
+      nil
+    rescue
+      nil
+    end
+
+    def sso_after_generic_callback(ctx, config = {})
+      new_session = ctx.context.new_session if ctx.context.respond_to?(:new_session)
+      return unless new_session && new_session[:user]
+      return unless defined?(BetterAuth::SSO::Linking::OrgAssignment)
+
+      BetterAuth::SSO::Linking::OrgAssignment.assign_organization_by_domain(
+        ctx,
+        user: new_session.fetch(:user),
+        provisioning_options: config[:organization_provisioning],
+        domain_verification: config[:domain_verification]
+      )
+      nil
+    end
+
     def sso_schema(config = {})
       BetterAuth::SSO::Routes::Schemas.plugin_schema(config)
     end
@@ -245,7 +294,7 @@ module BetterAuth
       end
     end
 
-    def sso_update_provider_endpoint
+    def sso_update_provider_endpoint(config = {})
       Endpoint.new(path: "/sso/update-provider", method: "POST") do |ctx|
         session = Routes.current_session(ctx)
         body = normalize_hash(ctx.body)
@@ -264,13 +313,17 @@ module BetterAuth
           current = sso_provider_config_hash(provider["oidcConfig"])
           raise APIError.new("BAD_REQUEST", message: "Cannot update OIDC config for a provider that doesn't have OIDC configured") if current.empty?
 
-          update[:oidcConfig] = current.merge(normalize_hash(body[:oidc_config]))
+          resolved_issuer = update[:issuer] || current[:issuer] || provider["issuer"]
+          update[:oidcConfig] = current.merge(normalize_hash(body[:oidc_config])).merge(issuer: resolved_issuer).compact
         end
         if body.key?(:saml_config)
           current = sso_provider_config_hash(provider["samlConfig"])
           raise APIError.new("BAD_REQUEST", message: "Cannot update SAML config for a provider that doesn't have SAML configured") if current.empty?
 
-          update[:samlConfig] = current.merge(normalize_hash(body[:saml_config]))
+          resolved_issuer = update[:issuer] || current[:issuer] || provider["issuer"]
+          merged_saml_config = current.merge(normalize_hash(body[:saml_config])).merge(issuer: resolved_issuer).compact
+          sso_validate_saml_config!(merged_saml_config, config)
+          update[:samlConfig] = merged_saml_config
         end
         updated = ctx.context.adapter.update(model: "ssoProvider", where: [{field: "id", value: provider.fetch("id")}], update: update)
         ctx.json(sso_sanitize_provider(updated, ctx.context))
@@ -313,7 +366,11 @@ module BetterAuth
 
         if provider["oidcConfig"] && provider_type != "saml"
           provider = sso_ensure_runtime_oidc_provider(ctx, provider, config)
-          state = BetterAuth::Crypto.sign_jwt(state_data.merge(sso_oidc_pkce_state(provider)), ctx.context.secret, expires_in: 600)
+          state = BetterAuth::Crypto.sign_jwt(
+            state_data.merge({nonce: BetterAuth::Crypto.random_string(32)}).merge(sso_oidc_pkce_state(provider)),
+            ctx.context.secret,
+            expires_in: 600
+          )
           url = sso_oidc_authorization_url(provider, ctx, state, config, body)
         elsif provider["samlConfig"]
           relay_state = sso_generate_saml_relay_state(ctx, state_data)
@@ -352,6 +409,10 @@ module BetterAuth
         description = ctx.query[:error_description] || ctx.query["error_description"]
         return sso_redirect(ctx, sso_append_error(error_url, error, description))
       end
+      state_provider_id = state["providerId"] || state[:providerId]
+      if state_provider_id.to_s != provider_id.to_s
+        return sso_redirect(ctx, sso_append_error(error_url, "invalid_state", "provider mismatch"))
+      end
 
       provider = sso_callback_provider(ctx, config, provider_id)
       return sso_redirect(ctx, sso_append_error(error_url, "invalid_provider", "provider not found")) unless provider
@@ -377,7 +438,7 @@ module BetterAuth
           # Fall through to the upstream callback error when JWKS is still unavailable.
         end
       end
-      user_info = sso_oidc_user_info(ctx, oidc_config, tokens, config)
+      user_info = sso_oidc_user_info(ctx, oidc_config, tokens, config, expected_nonce: state["nonce"] || state[:nonce])
       if user_info[:_sso_error]
         return sso_redirect(ctx, sso_append_error(error_url, "invalid_provider", user_info[:_sso_error]))
       end
@@ -430,13 +491,18 @@ module BetterAuth
         provider = sso_find_provider!(ctx, sso_fetch(ctx.params, :provider_id))
         relay_state = sso_fetch(ctx.body, :relay_state) || sso_fetch(ctx.query, :relay_state)
         if sso_fetch(ctx.body, :saml_response) || sso_fetch(ctx.query, :saml_response)
-          sso_process_saml_logout_response(ctx, sso_fetch(ctx.body, :saml_response) || sso_fetch(ctx.query, :saml_response))
+          raw_response = sso_fetch(ctx.body, :saml_response) || sso_fetch(ctx.query, :saml_response)
+          sso_validate_saml_slo_signature!(ctx, raw_response, "Invalid LogoutResponse") if config.dig(:saml, :want_logout_response_signed)
+          sso_process_saml_logout_response(ctx, raw_response)
           Cookies.delete_session_cookie(ctx)
           next sso_redirect(ctx, sso_safe_slo_redirect_url(ctx, relay_state, provider.fetch("providerId")))
         end
 
-        sso_process_saml_logout_request(ctx, provider, sso_fetch(ctx.body, :saml_request) || sso_fetch(ctx.query, :saml_request))
-        response = Base64.strict_encode64("<samlp:LogoutResponse xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_#{BetterAuth::Crypto.random_string(32)}\" Version=\"2.0\" IssueInstant=\"#{Time.now.utc.iso8601}\" Destination=\"#{sso_saml_logout_destination(provider)}\"><samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status></samlp:LogoutResponse>")
+        raw_request = sso_fetch(ctx.body, :saml_request) || sso_fetch(ctx.query, :saml_request)
+        sso_validate_saml_slo_signature!(ctx, raw_request, "Invalid LogoutRequest") if config.dig(:saml, :want_logout_request_signed)
+        logout_request_data = sso_process_saml_logout_request(ctx, provider, raw_request)
+        in_response_to = logout_request_data[:id].to_s.empty? ? "" : " InResponseTo=\"#{CGI.escapeHTML(logout_request_data[:id].to_s)}\""
+        response = Base64.strict_encode64("<samlp:LogoutResponse xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" ID=\"_#{BetterAuth::Crypto.random_string(32)}\"#{in_response_to} Version=\"2.0\" IssueInstant=\"#{Time.now.utc.iso8601}\" Destination=\"#{sso_saml_logout_destination(provider)}\"><samlp:Status><samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status></samlp:LogoutResponse>")
         if sso_fetch(ctx.body, :saml_request)
           next sso_saml_post_form(sso_saml_logout_destination(provider), "SAMLResponse", response, relay_state)
         end
@@ -526,7 +592,7 @@ module BetterAuth
 
         records = sso_resolve_txt_records("#{identifier}.#{hostname}", config)
         expected = "#{identifier}=#{active.fetch("value")}"
-        unless records.flatten.any? { |record| record.to_s.include?(expected) }
+        unless sso_txt_record_exact_match?(records, expected)
           raise APIError.new("BAD_GATEWAY", message: "Unable to verify domain ownership. Try again later", code: "DOMAIN_VERIFICATION_FAILED")
         end
 
@@ -677,9 +743,27 @@ module BetterAuth
       end
       sso_validate_url!(saml_config[:entry_point], "SAML entryPoint must be a valid URL") unless saml_config[:entry_point].to_s.empty?
       unless saml_config[:single_sign_on_service].to_s.empty?
-        sso_validate_url!(saml_config[:single_sign_on_service], "SAML singleLogoutService must be a valid URL")
+        sso_validate_url!(saml_config[:single_sign_on_service], "SAML singleSignOnService must be a valid URL")
+      end
+      unless saml_config[:single_logout_service].to_s.empty?
+        sso_validate_url!(saml_config[:single_logout_service], "SAML singleLogoutService must be a valid URL")
       end
 
+      config_algorithm_xml = +""
+      unless saml_config[:signature_algorithm].to_s.empty?
+        config_algorithm_xml << "<ds:SignatureMethod Algorithm=\"#{saml_config[:signature_algorithm]}\"/>"
+      end
+      unless saml_config[:digest_algorithm].to_s.empty?
+        config_algorithm_xml << "<ds:DigestMethod Algorithm=\"#{saml_config[:digest_algorithm]}\"/>"
+      end
+      sso_validate_saml_algorithms!(
+        config_algorithm_xml,
+        on_deprecated: plugin_config.dig(:saml, :algorithms, :on_deprecated) || saml_config[:on_deprecated_algorithm] || "warn",
+        allowed_signature_algorithms: plugin_config.dig(:saml, :algorithms, :allowed_signature_algorithms) || saml_config[:allowed_signature_algorithms],
+        allowed_digest_algorithms: plugin_config.dig(:saml, :algorithms, :allowed_digest_algorithms) || saml_config[:allowed_digest_algorithms],
+        allowed_key_encryption_algorithms: plugin_config.dig(:saml, :algorithms, :allowed_key_encryption_algorithms) || saml_config[:allowed_key_encryption_algorithms],
+        allowed_data_encryption_algorithms: plugin_config.dig(:saml, :algorithms, :allowed_data_encryption_algorithms) || saml_config[:allowed_data_encryption_algorithms]
+      )
       sso_validate_saml_algorithms!(
         metadata.to_s,
         on_deprecated: plugin_config.dig(:saml, :algorithms, :on_deprecated) || saml_config[:on_deprecated_algorithm] || "warn",
@@ -842,11 +926,11 @@ module BetterAuth
 
     def sso_process_saml_logout_request(ctx, provider, raw_request)
       data = sso_parse_saml_logout_request(raw_request)
-      return if data[:name_id].to_s.empty?
+      return data if data[:name_id].to_s.empty?
 
       session_identifier = "#{SSO_SAML_SESSION_KEY_PREFIX}#{provider.fetch("providerId")}:#{data[:name_id]}"
       verification = ctx.context.internal_adapter.find_verification_value(session_identifier)
-      return unless verification
+      return data unless verification
 
       record = JSON.parse(verification.fetch("value"))
       session_token = record["sessionToken"]
@@ -854,8 +938,9 @@ module BetterAuth
       ctx.context.internal_adapter.delete_session(session_token) if session_token && session_index_matches
       ctx.context.internal_adapter.delete_verification_by_identifier(session_identifier)
       ctx.context.internal_adapter.delete_verification_by_identifier("#{SSO_SAML_SESSION_BY_ID_KEY_PREFIX}#{session_token}") if session_token
+      data
     rescue
-      nil
+      {}
     end
 
     def sso_store_saml_logout_request(ctx, provider, request_id, config)
@@ -883,6 +968,7 @@ module BetterAuth
     def sso_parse_saml_logout_request(raw_request)
       xml = Base64.decode64(raw_request.to_s.gsub(/\s+/, ""))
       {
+        id: xml[/\bID=['"]([^'"]+)['"]/, 1],
         name_id: xml[%r{<(?:\w+:)?NameID[^>]*>([^<]+)</(?:\w+:)?NameID>}, 1],
         session_index: xml[%r{<(?:\w+:)?SessionIndex[^>]*>([^<]+)</(?:\w+:)?SessionIndex>}, 1]
       }
@@ -890,6 +976,19 @@ module BetterAuth
       {}
     end
 
+    def sso_validate_saml_slo_signature!(ctx, raw_message, error_message)
+      return true if !sso_fetch(ctx.body, :signature).to_s.empty? || !sso_fetch(ctx.query, :signature).to_s.empty?
+
+      xml = Base64.decode64(raw_message.to_s.gsub(/\s+/, ""))
+      return true if xml.include?("<Signature") || xml.include?(":Signature")
+
+      raise APIError.new("BAD_REQUEST", message: error_message)
+    rescue APIError
+      raise
+    rescue
+      raise APIError.new("BAD_REQUEST", message: error_message)
+    end
+
     def sso_parse_saml_logout_response(raw_response)
       xml = Base64.decode64(raw_response.to_s.gsub(/\s+/, ""))
       {
@@ -1187,6 +1286,8 @@ module BetterAuth
         scope: scopes.join(" "),
         state: state
       }.compact
+      nonce = sso_decode_state(state, ctx.context.secret)&.fetch("nonce", nil)
+      query[:nonce] = nonce if nonce && !nonce.to_s.empty?
       login_hint = body[:login_hint] || body[:email]
       query[:login_hint] = login_hint if login_hint
       code_verifier = sso_decode_state(state, ctx.context.secret)&.fetch("codeVerifier", nil)
@@ -1382,7 +1483,7 @@ module BetterAuth
       normalize_hash(JSON.parse(response.body))
     end
 
-    def sso_oidc_user_info(ctx, oidc_config, tokens, plugin_config)
+    def sso_oidc_user_info(ctx, oidc_config, tokens, plugin_config, expected_nonce: nil)
       user_callback = oidc_config[:get_user_info]
       raw = if user_callback.respond_to?(:call)
         user_callback.call(tokens)
@@ -1396,7 +1497,8 @@ module BetterAuth
           jwks_endpoint: oidc_config[:jwks_endpoint],
           audience: oidc_config[:client_id],
           issuer: oidc_config[:issuer],
-          fetch: plugin_config[:oidc_jwks_fetch]
+          fetch: plugin_config[:oidc_jwks_fetch],
+          expected_nonce: expected_nonce
         ) || {_sso_error: "token_not_verified"}
       else
         {}
@@ -1429,7 +1531,7 @@ module BetterAuth
       {}
     end
 
-    def sso_validate_oidc_id_token(token, jwks_endpoint:, audience:, issuer:, fetch: nil)
+    def sso_validate_oidc_id_token(token, jwks_endpoint:, audience:, issuer:, fetch: nil, expected_nonce: nil)
       jwks = sso_fetch_oidc_jwks(jwks_endpoint, fetch: fetch)
       payload, = ::JWT.decode(
         token.to_s,
@@ -1442,6 +1544,11 @@ module BetterAuth
         iss: issuer,
         verify_iss: true
       )
+      if expected_nonce && !expected_nonce.to_s.empty?
+        token_nonce = payload["nonce"] || payload[:nonce]
+        return nil if token_nonce.to_s.empty?
+        return nil unless BetterAuth::Crypto.constant_time_compare(token_nonce.to_s, expected_nonce.to_s)
+      end
       payload
     rescue
       nil
@@ -1628,7 +1735,11 @@ module BetterAuth
       end
       return if provider["userId"] == user_id && is_org_member
 
-      raise APIError.new("FORBIDDEN", message: "User must be owner of or belong to the SSO provider organization", code: "INSUFICCIENT_ACCESS")
+      raise APIError.new("FORBIDDEN", message: "User must be owner of or belong to the SSO provider organization", code: "INSUFFICIENT_ACCESS")
+    end
+
+    def sso_txt_record_exact_match?(records, expected)
+      Array(records).flatten.any? { |record| record.to_s.strip == expected.to_s }
     end
 
     def sso_domain_verification_identifier(config, provider_id)

data/lib/better_auth/sso/linking/org_assignment.rb

@@ -66,9 +66,6 @@ module BetterAuth
 
         def organization_plugin?(ctx)
           context = ctx.context
-          return context.hasPlugin("organization") if context.respond_to?(:hasPlugin)
-          return context.has_plugin?("organization") if context.respond_to?(:has_plugin?)
-
           plugins = context.options.respond_to?(:plugins) ? context.options.plugins : []
           plugins.any? { |plugin| plugin.respond_to?(:id) && plugin.id == "organization" }
         end

data/lib/better_auth/sso/routes/schemas.rb

@@ -44,17 +44,18 @@ module BetterAuth
 
         def plugin_schema(config = {})
           normalized = BetterAuth::Plugins.normalize_hash(config || {})
+          field_mappings = BetterAuth::Plugins.normalize_hash(normalized[:fields] || {})
           fields = {
-            issuer: {type: "string", required: true},
-            oidcConfig: {type: "string", required: false},
-            samlConfig: {type: "string", required: false},
-            userId: {type: "string", required: true},
-            providerId: {type: "string", required: true, unique: true},
-            domain: {type: "string", required: true},
-            organizationId: {type: "string", required: false}
+            issuer: field("issuer", {type: "string", required: true}, field_mappings),
+            oidcConfig: field("oidcConfig", {type: "string", required: false}, field_mappings),
+            samlConfig: field("samlConfig", {type: "string", required: false}, field_mappings),
+            userId: field("userId", {type: "string", required: true, references: {model: "user", field: "id"}}, field_mappings),
+            providerId: field("providerId", {type: "string", required: true, unique: true}, field_mappings),
+            domain: field("domain", {type: "string", required: true}, field_mappings),
+            organizationId: field("organizationId", {type: "string", required: false}, field_mappings)
           }
           if normalized.dig(:domain_verification, :enabled)
-            fields[:domainVerified] = {type: "boolean", required: false, default_value: false}
+            fields[:domainVerified] = field("domainVerified", {type: "boolean", required: false, default_value: false}, field_mappings)
           end
           {
             ssoProvider: {
@@ -71,6 +72,11 @@ module BetterAuth
         def saml_config_key?(key)
           SAML_CONFIG_KEYS.include?(BetterAuth::Plugins.normalize_key(key))
         end
+
+        def field(logical_name, attributes, mappings)
+          mapping = mappings[BetterAuth::Plugins.normalize_key(logical_name)]
+          mapping ? attributes.merge(field_name: mapping) : attributes
+        end
       end
     end
   end

data/lib/better_auth/sso/routes/sso.rb

@@ -20,7 +20,7 @@ module BetterAuth
             initiate_slo: BetterAuth::Plugins.sso_initiate_slo_endpoint(normalized),
             list_sso_providers: BetterAuth::Plugins.sso_list_providers_endpoint,
             get_sso_provider: BetterAuth::Plugins.sso_get_provider_endpoint,
-            update_sso_provider: BetterAuth::Plugins.sso_update_provider_endpoint,
+            update_sso_provider: BetterAuth::Plugins.sso_update_provider_endpoint(normalized),
             delete_sso_provider: BetterAuth::Plugins.sso_delete_provider_endpoint
           }
           if normalized.dig(:domain_verification, :enabled)

data/lib/better_auth/sso/saml_state.rb

@@ -7,7 +7,7 @@ module BetterAuth
 
       def generate_relay_state(ctx, link = nil, additional_data = {})
         callback_url = BetterAuth::Plugins.sso_fetch(ctx.body, :callback_url)
-        raise APIError.new("BAD_REQUEST", message: "callbackURL is required") if callback_url.to_s.empty?
+        raise BetterAuth::APIError.new("BAD_REQUEST", message: "callbackURL is required") if callback_url.to_s.empty?
 
         extra = (additional_data == false) ? {} : (additional_data || {})
         BetterAuth::Plugins.sso_generate_saml_relay_state(

data/lib/better_auth/sso/version.rb

@@ -2,7 +2,7 @@
 
 module BetterAuth
   module SSO
-    VERSION = "0.6.2"
+    VERSION = "0.7.0"
     PACKAGE_VERSION = VERSION
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: better_auth-sso
 version: !ruby/object:Gem::Version
-  version: 0.6.2
+  version: 0.7.0
 platform: ruby
 authors:
 - Sebastian Sala
@@ -43,6 +43,20 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.8'
 - !ruby/object:Gem::Dependency
   name: logger
   requirement: !ruby/object:Gem::Requirement