RubyGems - better_auth-sso - Versions diffs - 0.6.2 → 0.8.0 - Mend

better_auth-sso 0.6.2 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +10 -0
data/README.md +36 -2
data/lib/better_auth/plugins/sso.rb +10 -1766
data/lib/better_auth/sso/linking/org_assignment.rb +0 -3
data/lib/better_auth/sso/plugin/core.rb +139 -0
data/lib/better_auth/sso/plugin/endpoints.rb +151 -0
data/lib/better_auth/sso/plugin/oidc_discovery.rb +75 -0
data/lib/better_auth/sso/plugin/oidc_runtime.rb +420 -0
data/lib/better_auth/sso/plugin/provider_utils.rb +216 -0
data/lib/better_auth/sso/plugin/providers.rb +131 -0
data/lib/better_auth/sso/plugin/saml_metadata_and_logout.rb +352 -0
data/lib/better_auth/sso/plugin/saml_response.rb +150 -0
data/lib/better_auth/sso/plugin/saml_validation_and_state.rb +183 -0
data/lib/better_auth/sso/plugin/sign_in_and_oidc_callbacks.rb +125 -0
data/lib/better_auth/sso/routes/schemas.rb +14 -8
data/lib/better_auth/sso/routes/sso.rb +1 -1
data/lib/better_auth/sso/saml_state.rb +1 -1
data/lib/better_auth/sso/version.rb +1 -1
metadata +27 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2e57052c749ed1cc476cde2b203dc6f1965345a5f032666b801973d9215fe7e7
-  data.tar.gz: b8b1214d8de33f3b1a24a80d97d36048cb80fbeb67a26c7d3ff87eda0721bc89
+  metadata.gz: 7aeb07725d9147d0ea71a45cd26ce3d5a8ea62668a6f20a3b52a85faa75b2a0c
+  data.tar.gz: 33904ef6ca664b29892995aa1d8acc7d18e254a31f598a1c2890fb15e1410c8c
 SHA512:
-  metadata.gz: 954ad27f4c4f388f1a5b937e584cd7cacdcb5a0cda037896c1b885e2bf0c5b12cf4875fa5bb69d118d46c4f596ad21f728a2949026a54e9971dba129f5560153
-  data.tar.gz: a03a6cba0f4a05fa925152a8574a0aee37c4adf66137796d9cf71c87312f16aaab46a50330a0ee8ddc9d574c8f61d1a4acab6091eb36c4c74da63eb0374550ce
+  metadata.gz: 60cee7f073bf639c84fc8f966524416666d8e42d71a9c62b0491b69c0825c77bf779721a38ffe4fe514aabf097c4b07f80e6c797821a0fe3d6aa42e60f3c9b01
+  data.tar.gz: 335191868b3b4d82a3dd77ea32ff3c38b37a0ff609036c402a3e1a5e2750712da8775f8f3193b105e65a2436422de94bf6708ec9ab5f049f0733124ea30d5639

data/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,15 @@
 # Changelog
+## Unreleased
+## 0.7.0 - 2026-05-05
+- Fixed SAML config validation for `singleSignOnService` and added validation for `singleLogoutService`.
+- Hardened OIDC callbacks by binding signed state `providerId` to the callback route and verifying `nonce` on JWKS-backed ID tokens.
+- Changed SSO domain verification to require exact TXT record matches and corrected the insufficient access error code to `INSUFFICIENT_ACCESS`.
+- Declared `jwt` as a direct runtime dependency for the SSO gem.
+- Added regression coverage for SAML SP metadata XML responses.
 ## 0.2.0 - 2026-04-29
 - Improved SSO upstream parity for OIDC and SAML provider flows, organization handling, callback behavior, metadata parsing, account linking, and response/error shapes.

data/README.md CHANGED Viewed

@@ -2,7 +2,10 @@
 External SSO plugin package for `better_auth`.
-SSO is the app-facing feature. It supports OIDC SSO and SAML SSO. SAML is not the same thing as SSO; SAML is one protocol used by SSO.
+SSO is the app-facing feature. It supports OIDC SSO, SAML SSO, provider management,
+domain verification, SAML replay protection, runtime OIDC discovery, organization
+assignment, and SAML Single Logout. SAML is not the same thing as SSO; SAML is
+one protocol used by SSO.
 ```ruby
 require "better_auth"
@@ -15,7 +18,11 @@ BetterAuth.auth(
 )
 ```
-SAML XML validation is included in this package and backed by `ruby-saml`:
+SAML XML validation is included in this package and backed by `ruby-saml`.
+Production XML SAML deployments should configure `BetterAuth::SSO::SAML.sso_options`
+or compatible SAML hooks so AuthnRequest generation and SAMLResponse parsing use
+the real XML/SAML boundary instead of the lightweight JSON/base64 fallback used by
+local tests:
 ```ruby
 require "better_auth/sso"
@@ -43,3 +50,30 @@ SAML SLO follows upstream route shapes when `saml.enableSingleLogout` is enabled
 Ruby keeps the lightweight JSON/base64 fallback used by the local SAML test adapter, and real XML deployments should configure `BetterAuth::SSO::SAML.sso_options` or compatible SAML hooks.
 SCIM is a separate provisioning feature and lives in `better_auth-scim`.
+## Organization Assignment
+When the organization plugin is installed, SSO can add users to an organization
+linked to an SSO provider. SSO login flows assign from the matched provider.
+Generic OAuth callbacks under `/callback/:provider` also assign by verified SSO
+email domain when domain verification is enabled, matching upstream behavior for
+users who sign in through non-SSO OAuth but share an enterprise domain.
+## Schema Compatibility
+The Ruby package intentionally keeps the historical default SSO provider model
+name `ssoProviders` for backward compatibility. Upstream Better Auth defaults to
+`ssoProvider`; configure `model_name:` if your application needs a different
+storage model name.
+Field mapping options are supported through `fields:` for the SSO provider
+schema, including `issuer`, `oidcConfig`, `samlConfig`, `userId`, `providerId`,
+`organizationId`, `domain`, and `domainVerified`.
+## Scope and Non-Goals
+This package does not currently imply support for advanced enterprise features
+such as `private_key_jwt`, mTLS client authentication, every SAML XML edge case,
+or large internal SSO refactors. Those items are tracked in the
+[upstream and product alignment backlog](../../.docs/backlog/upstream-product-alignment.md)
+until they have explicit product scope and upstream parity decisions.