@better-auth/sso 1.4.6-beta.3 → 1.4.6-beta.6

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @better-auth/sso@1.4.6-beta.3 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.6-beta.6 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 
 ℹ tsdown v0.17.0 powered by rolldown v1.0.0-beta.53
@@ -7,10 +7,10 @@
 ℹ entry: src/index.ts, src/client.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ dist/index.mjs             58.73 kB │ gzip: 10.41 kB
+ℹ dist/index.mjs             59.70 kB │ gzip: 10.49 kB
 ℹ dist/client.mjs             0.15 kB │ gzip:  0.14 kB
-ℹ dist/client.d.mts           0.49 kB │ gzip:  0.30 kB
+ℹ dist/client.d.mts           0.49 kB │ gzip:  0.29 kB
 ℹ dist/index.d.mts            0.21 kB │ gzip:  0.15 kB
-ℹ dist/index-D-JmJR9N.d.mts  25.42 kB │ gzip:  3.95 kB
-ℹ 5 files, total: 85.01 kB
-✔ Build complete in 10982ms
+ℹ dist/index-CYgzSZS4.d.mts  25.84 kB │ gzip:  4.13 kB
+ℹ 5 files, total: 86.39 kB
+✔ Build complete in 11274ms

package/bump.config.ts

@@ -0,0 +1,5 @@
+import { defineConfig } from "bumpp";
+
+export default defineConfig({
+	files: ["package.json"],
+});

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-D-JmJR9N.mjs";
+import { t as SSOPlugin } from "./index-CYgzSZS4.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-D-JmJR9N.d.mts → index-CYgzSZS4.d.mts}

@@ -216,7 +216,13 @@ interface SSOOptions {
    *
    * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
    * providers in the `trustedProviders` list.
+   *
    * @default false
+   *
+   * @deprecated This option is discouraged for new projects. Relying on provider-level `email_verified` is a weaker
+   * trust signal compared to using `trustedProviders` in `accountLinking` or enabling `domainVerification` for SSO.
+   * Existing configurations will continue to work, but new integrations should use explicit trust mechanisms.
+   * This option may be removed in a future major version.
    */
   trustEmailVerified?: boolean | undefined;
   /**

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { a as SSOOptions, i as SAMLConfig, n as sso, o as SSOProvider, r as OIDCConfig, t as SSOPlugin } from "./index-D-JmJR9N.mjs";
+import { a as SSOOptions, i as SAMLConfig, n as sso, o as SSOProvider, r as OIDCConfig, t as SSOPlugin } from "./index-CYgzSZS4.mjs";
 export { OIDCConfig, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, sso };

package/dist/index.mjs

@@ -185,19 +185,14 @@ const verifyDomain = (options) => {
 
 //#endregion
 //#region src/utils.ts
-const validateEmailDomain = (email, domain) => {
-	const emailDomain = email.split("@")[1]?.toLowerCase();
-	const providerDomain = domain.toLowerCase();
-	if (!emailDomain || !providerDomain) return false;
-	return emailDomain === providerDomain || emailDomain.endsWith(`.${providerDomain}`);
-};
-
-//#endregion
-//#region src/routes/sso.ts
 /**
-* Safely parses a value that might be a JSON string or already a parsed object
+* Safely parses a value that might be a JSON string or already a parsed object.
 * This handles cases where ORMs like Drizzle might return already parsed objects
-* instead of JSON strings from TEXT/JSON columns
+* instead of JSON strings from TEXT/JSON columns.
+*
+* @param value - The value to parse (string, object, null, or undefined)
+* @returns The parsed object or null
+* @throws Error if string parsing fails
 */
 function safeJsonParse(value) {
 	if (!value) return null;
@@ -209,6 +204,15 @@ function safeJsonParse(value) {
 	}
 	return null;
 }
+const validateEmailDomain = (email, domain) => {
+	const emailDomain = email.split("@")[1]?.toLowerCase();
+	const providerDomain = domain.toLowerCase();
+	if (!emailDomain || !providerDomain) return false;
+	return emailDomain === providerDomain || emailDomain.endsWith(`.${providerDomain}`);
+};
+
+//#endregion
+//#region src/routes/sso.ts
 const spMetadataQuerySchema = z.object({
 	providerId: z.string(),
 	format: z.enum(["xml", "json"]).default("xml")
@@ -587,8 +591,8 @@ const registerSSOProvider = (options) => {
 		}
 		return ctx.json({
 			...provider,
-			oidcConfig: JSON.parse(provider.oidcConfig),
-			samlConfig: JSON.parse(provider.samlConfig),
+			oidcConfig: safeJsonParse(provider.oidcConfig),
+			samlConfig: safeJsonParse(provider.samlConfig),
 			redirectURI: `${ctx.context.baseURL}/sso/callback/${provider.providerId}`,
 			...options?.domainVerification?.enabled ? { domainVerified } : {},
 			...options?.domainVerification?.enabled ? { domainVerificationToken } : {}
@@ -897,6 +901,7 @@ const callbackSSO = (options) => {
 			userInfo = userInfoResponse.data;
 		}
 		if (!userInfo.email || !userInfo.id) throw ctx.redirect(`${errorURL || callbackURL}/error?error=invalid_provider&error_description=missing_user_info`);
+		const isTrustedProvider = "domainVerified" in provider && provider.domainVerified === true && validateEmailDomain(userInfo.email, provider.domain);
 		const linked = await handleOAuthUserInfo(ctx, {
 			userInfo: {
 				email: userInfo.email,
@@ -917,7 +922,8 @@ const callbackSSO = (options) => {
 			},
 			callbackURL,
 			disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
-			overrideUserInfo: config.overrideUserInfo
+			overrideUserInfo: config.overrideUserInfo,
+			isTrustedProvider
 		});
 		if (linked.error) throw ctx.redirect(`${errorURL || callbackURL}/error?error=${linked.error}`);
 		const { session, user } = linked.data;
@@ -1117,38 +1123,52 @@ const callbackSSOSAML = (options) => {
 				value: userInfo.email
 			}]
 		});
-		if (existingUser) user = existingUser;
-		else {
+		if (existingUser) {
+			if (!await ctx.context.adapter.findOne({
+				model: "account",
+				where: [
+					{
+						field: "userId",
+						value: existingUser.id
+					},
+					{
+						field: "providerId",
+						value: provider.providerId
+					},
+					{
+						field: "accountId",
+						value: userInfo.id
+					}
+				]
+			})) {
+				if (!(ctx.context.options.account?.accountLinking?.trustedProviders?.includes(provider.providerId) || "domainVerified" in provider && provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain))) {
+					const redirectUrl = RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+					throw ctx.redirect(`${redirectUrl}?error=account_not_linked`);
+				}
+				await ctx.context.internalAdapter.createAccount({
+					userId: existingUser.id,
+					providerId: provider.providerId,
+					accountId: userInfo.id,
+					accessToken: "",
+					refreshToken: ""
+				});
+			}
+			user = existingUser;
+		} else {
 			if (options?.disableImplicitSignUp) throw new APIError("UNAUTHORIZED", { message: "User not found and implicit sign up is disabled for this provider" });
 			user = await ctx.context.internalAdapter.createUser({
 				email: userInfo.email,
 				name: userInfo.name,
 				emailVerified: userInfo.emailVerified
 			});
+			await ctx.context.internalAdapter.createAccount({
+				userId: user.id,
+				providerId: provider.providerId,
+				accountId: userInfo.id,
+				accessToken: "",
+				refreshToken: ""
+			});
 		}
-		if (!await ctx.context.adapter.findOne({
-			model: "account",
-			where: [
-				{
-					field: "userId",
-					value: user.id
-				},
-				{
-					field: "providerId",
-					value: provider.providerId
-				},
-				{
-					field: "accountId",
-					value: userInfo.id
-				}
-			]
-		})) await ctx.context.internalAdapter.createAccount({
-			userId: user.id,
-			providerId: provider.providerId,
-			accountId: userInfo.id,
-			accessToken: "",
-			refreshToken: ""
-		});
 		if (options?.provisionUser) await options.provisionUser({
 			user,
 			userInfo,

package/package.json

@@ -1,13 +1,14 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.6-beta.3",
+  "version": "1.4.6-beta.6",
   "type": "module",
   "main": "dist/index.mjs",
+  "types": "dist/index.d.mts",
   "homepage": "https://www.better-auth.com/docs/plugins/sso",
   "repository": {
     "type": "git",
-    "url": "https://github.com/better-auth/better-auth",
+    "url": "git+https://github.com/better-auth/better-auth.git",
     "directory": "packages/sso"
   },
   "license": "MIT",
@@ -60,18 +61,19 @@
   "devDependencies": {
     "@types/body-parser": "^1.19.6",
     "@types/express": "^5.0.5",
-    "better-call": "1.1.4",
+    "better-call": "1.1.5",
     "body-parser": "^2.2.1",
     "express": "^5.1.0",
     "oauth2-mock-server": "^8.2.0",
     "tsdown": "^0.17.0",
-    "better-auth": "1.4.6-beta.3"
+    "better-auth": "1.4.6-beta.6"
   },
   "peerDependencies": {
-    "better-auth": "1.4.6-beta.3"
+    "better-auth": "1.4.6-beta.6"
   },
   "scripts": {
     "test": "vitest",
+    "coverage": "vitest run --coverage",
     "lint:package": "publint run --strict",
     "build": "tsdown",
     "dev": "tsdown --watch",

package/src/oidc.test.ts

@@ -571,3 +571,167 @@ describe("provisioning", async (ctx) => {
 		expect(res.url).toContain("http://localhost:8080/authorize");
 	});
 });
+
+describe("OIDC account linking with domainVerified", async () => {
+	const { auth, signInWithTestUser, customFetchImpl, cookieSetter } =
+		await getTestInstance({
+			account: {
+				accountLinking: {
+					enabled: true,
+					trustedProviders: [],
+				},
+			},
+			plugins: [
+				sso({
+					domainVerification: {
+						enabled: true,
+					},
+				}),
+			],
+		});
+
+	const authClient = createAuthClient({
+		plugins: [ssoClient()],
+		baseURL: "http://localhost:3000",
+		fetchOptions: {
+			customFetchImpl,
+		},
+	});
+
+	beforeAll(async () => {
+		await server.issuer.keys.generate("RS256");
+		await server.start(8080, "localhost");
+	});
+
+	afterAll(async () => {
+		await server.stop().catch(() => {});
+	});
+
+	async function simulateOAuthFlow(authUrl: string, headers: Headers) {
+		let location: string | null = null;
+		await betterFetch(authUrl, {
+			method: "GET",
+			redirect: "manual",
+			onError(context) {
+				location = context.response.headers.get("location");
+			},
+		});
+
+		if (!location) throw new Error("No redirect location found");
+
+		let callbackURL = "";
+		const newHeaders = new Headers();
+		await betterFetch(location, {
+			method: "GET",
+			customFetchImpl,
+			headers,
+			onError(context) {
+				callbackURL = context.response.headers.get("location") || "";
+				cookieSetter(newHeaders)(context);
+			},
+		});
+
+		return { callbackURL, headers: newHeaders };
+	}
+
+	it("should allow account linking when domain is verified and email domain matches", async () => {
+		const testEmail = "linking-test@verified-oidc.com";
+		const testDomain = "verified-oidc.com";
+
+		server.service.on("beforeTokenSigning", (token) => {
+			token.payload.email = testEmail;
+			token.payload.email_verified = false;
+			token.payload.name = "Domain Verified User";
+			token.payload.sub = "oidc-domain-verified-user";
+		});
+
+		const { headers } = await signInWithTestUser();
+
+		const provider = await auth.api.registerSSOProvider({
+			body: {
+				providerId: "domain-verified-oidc",
+				issuer: server.issuer.url!,
+				domain: testDomain,
+				oidcConfig: {
+					clientId: "test",
+					clientSecret: "test",
+					authorizationEndpoint: `${server.issuer.url}/authorize`,
+					tokenEndpoint: `${server.issuer.url}/token`,
+					jwksEndpoint: `${server.issuer.url}/jwks`,
+					discoveryEndpoint: `${server.issuer.url}/.well-known/openid-configuration`,
+					mapping: {
+						id: "sub",
+						email: "email",
+						emailVerified: "email_verified",
+						name: "name",
+					},
+				},
+			},
+			headers,
+		});
+
+		expect(provider.domainVerified).toBe(false);
+
+		const ctx = await auth.$context;
+		await ctx.adapter.update({
+			model: "ssoProvider",
+			where: [{ field: "providerId", value: provider.providerId }],
+			update: {
+				domainVerified: true,
+			},
+		});
+
+		const updatedProvider = await ctx.adapter.findOne<{
+			domainVerified: boolean;
+			domain: string;
+		}>({
+			model: "ssoProvider",
+			where: [{ field: "providerId", value: provider.providerId }],
+		});
+		expect(updatedProvider?.domainVerified).toBe(true);
+
+		await ctx.adapter.create({
+			model: "user",
+			data: {
+				id: "existing-oidc-domain-user",
+				email: testEmail,
+				name: "Existing User",
+				emailVerified: true,
+				createdAt: new Date(),
+				updatedAt: new Date(),
+			},
+			forceAllowId: true,
+		});
+
+		const newHeaders = new Headers();
+		const res = await authClient.signIn.sso({
+			providerId: "domain-verified-oidc",
+			callbackURL: "/dashboard",
+			fetchOptions: {
+				throw: true,
+				onSuccess: cookieSetter(newHeaders),
+			},
+		});
+
+		expect(res.url).toContain("http://localhost:8080/authorize");
+
+		const { callbackURL } = await simulateOAuthFlow(res.url, newHeaders);
+
+		expect(callbackURL).toContain("/dashboard");
+		expect(callbackURL).not.toContain("error");
+
+		const accounts = await ctx.adapter.findMany<{
+			providerId: string;
+			accountId: string;
+			userId: string;
+		}>({
+			model: "account",
+			where: [{ field: "userId", value: "existing-oidc-domain-user" }],
+		});
+		const linkedAccount = accounts.find(
+			(a) => a.providerId === "domain-verified-oidc",
+		);
+		expect(linkedAccount).toBeTruthy();
+		expect(linkedAccount?.accountId).toBe("oidc-domain-verified-user");
+	});
+});

package/src/routes/sso.ts

@@ -22,35 +22,7 @@ import type { IdentityProvider } from "samlify/types/src/entity-idp";
 import type { FlowResult } from "samlify/types/src/flow";
 import * as z from "zod/v4";
 import type { OIDCConfig, SAMLConfig, SSOOptions, SSOProvider } from "../types";
-import { validateEmailDomain } from "../utils";
-
-/**
- * Safely parses a value that might be a JSON string or already a parsed object
- * This handles cases where ORMs like Drizzle might return already parsed objects
- * instead of JSON strings from TEXT/JSON columns
- */
-function safeJsonParse<T>(value: string | T | null | undefined): T | null {
-	if (!value) return null;
-
-	// If it's already an object (not a string), return it as-is
-	if (typeof value === "object") {
-		return value as T;
-	}
-
-	// If it's a string, try to parse it
-	if (typeof value === "string") {
-		try {
-			return JSON.parse(value) as T;
-		} catch (error) {
-			// If parsing fails, this might indicate the string is not valid JSON
-			throw new Error(
-				`Failed to parse JSON: ${error instanceof Error ? error.message : "Unknown error"}`,
-			);
-		}
-	}
-
-	return null;
-}
+import { safeJsonParse, validateEmailDomain } from "../utils";
 
 const spMetadataQuerySchema = z.object({
 	providerId: z.string(),
@@ -683,12 +655,12 @@ export const registerSSOProvider = <O extends SSOOptions>(options: O) => {
 
 			return ctx.json({
 				...provider,
-				oidcConfig: JSON.parse(
+				oidcConfig: safeJsonParse<OIDCConfig>(
 					provider.oidcConfig as unknown as string,
-				) as OIDCConfig,
-				samlConfig: JSON.parse(
+				),
+				samlConfig: safeJsonParse<SAMLConfig>(
 					provider.samlConfig as unknown as string,
-				) as SAMLConfig,
+				),
 				redirectURI: `${ctx.context.baseURL}/sso/callback/${provider.providerId}`,
 				...(options?.domainVerification?.enabled ? { domainVerified } : {}),
 				...(options?.domainVerification?.enabled
@@ -1377,6 +1349,11 @@ export const callbackSSO = (options?: SSOOptions) => {
 					}/error?error=invalid_provider&error_description=missing_user_info`,
 				);
 			}
+			const isTrustedProvider =
+				"domainVerified" in provider &&
+				(provider as { domainVerified?: boolean }).domainVerified === true &&
+				validateEmailDomain(userInfo.email, provider.domain);
+
 			const linked = await handleOAuthUserInfo(ctx, {
 				userInfo: {
 					email: userInfo.email,
@@ -1400,6 +1377,7 @@ export const callbackSSO = (options?: SSOOptions) => {
 				callbackURL,
 				disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
 				overrideUserInfo: config.overrideUserInfo,
+				isTrustedProvider,
 			});
 			if (linked.error) {
 				throw ctx.redirect(
@@ -1722,6 +1700,35 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 			});
 
 			if (existingUser) {
+				const account = await ctx.context.adapter.findOne<Account>({
+					model: "account",
+					where: [
+						{ field: "userId", value: existingUser.id },
+						{ field: "providerId", value: provider.providerId },
+						{ field: "accountId", value: userInfo.id },
+					],
+				});
+				if (!account) {
+					const isTrustedProvider =
+						ctx.context.options.account?.accountLinking?.trustedProviders?.includes(
+							provider.providerId,
+						) ||
+						("domainVerified" in provider &&
+							provider.domainVerified &&
+							validateEmailDomain(userInfo.email, provider.domain));
+					if (!isTrustedProvider) {
+						const redirectUrl =
+							RelayState || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+						throw ctx.redirect(`${redirectUrl}?error=account_not_linked`);
+					}
+					await ctx.context.internalAdapter.createAccount({
+						userId: existingUser.id,
+						providerId: provider.providerId,
+						accountId: userInfo.id,
+						accessToken: "",
+						refreshToken: "",
+					});
+				}
 				user = existingUser;
 			} else {
 				// if implicit sign up is disabled, we should not create a new user nor a new account.
@@ -1737,19 +1744,6 @@ export const callbackSSOSAML = (options?: SSOOptions) => {
 					name: userInfo.name,
 					emailVerified: userInfo.emailVerified,
 				});
-			}
-
-			// Create or update account link
-			const account = await ctx.context.adapter.findOne<Account>({
-				model: "account",
-				where: [
-					{ field: "userId", value: user.id },
-					{ field: "providerId", value: provider.providerId },
-					{ field: "accountId", value: userInfo.id },
-				],
-			});
-
-			if (!account) {
 				await ctx.context.internalAdapter.createAccount({
 					userId: user.id,
 					providerId: provider.providerId,

package/src/saml.test.ts

@@ -1182,6 +1182,171 @@ describe("SAML SSO", async () => {
 			},
 		});
 	});
+
+	it("should deny account linking when provider is not trusted and domain is not verified", async () => {
+		const {
+			auth: authUntrusted,
+			signInWithTestUser,
+			client,
+		} = await getTestInstance({
+			account: {
+				accountLinking: {
+					enabled: true,
+					trustedProviders: [],
+				},
+			},
+			plugins: [sso()],
+		});
+
+		const { headers } = await signInWithTestUser();
+
+		await authUntrusted.api.registerSSOProvider({
+			body: {
+				providerId: "untrusted-saml-provider",
+				issuer: "http://localhost:8081",
+				domain: "http://localhost:8081",
+				samlConfig: {
+					entryPoint: "http://localhost:8081/api/sso/saml2/idp/post",
+					cert: certificate,
+					callbackUrl: "http://localhost:3000/dashboard",
+					wantAssertionsSigned: false,
+					signatureAlgorithm: "sha256",
+					digestAlgorithm: "sha256",
+					idpMetadata: {
+						metadata: idpMetadata,
+					},
+					spMetadata: {
+						metadata: spMetadata,
+					},
+					identifierFormat:
+						"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+				},
+			},
+			headers,
+		});
+
+		const ctx = await authUntrusted.$context;
+		await ctx.adapter.create({
+			model: "user",
+			data: {
+				id: "existing-user-id",
+				email: "test@email.com",
+				name: "Existing User",
+				emailVerified: true,
+				createdAt: new Date(),
+				updatedAt: new Date(),
+			},
+		});
+
+		let samlResponse: any;
+		await betterFetch("http://localhost:8081/api/sso/saml2/idp/post", {
+			onSuccess: async (context) => {
+				samlResponse = await context.data;
+			},
+		});
+
+		const response = await authUntrusted.handler(
+			new Request(
+				"http://localhost:3000/api/auth/sso/saml2/callback/untrusted-saml-provider",
+				{
+					method: "POST",
+					headers: {
+						"Content-Type": "application/x-www-form-urlencoded",
+					},
+					body: new URLSearchParams({
+						SAMLResponse: samlResponse.samlResponse,
+						RelayState: "http://localhost:3000/dashboard",
+					}),
+				},
+			),
+		);
+
+		expect(response.status).toBe(302);
+		const redirectLocation = response.headers.get("location") || "";
+		expect(redirectLocation).toContain("error=account_not_linked");
+	});
+
+	it("should allow account linking when provider is in trustedProviders", async () => {
+		const { auth: authWithTrusted, signInWithTestUser } = await getTestInstance(
+			{
+				account: {
+					accountLinking: {
+						enabled: true,
+						trustedProviders: ["trusted-saml-provider"],
+					},
+				},
+				plugins: [sso()],
+			},
+		);
+
+		const { headers } = await signInWithTestUser();
+
+		await authWithTrusted.api.registerSSOProvider({
+			body: {
+				providerId: "trusted-saml-provider",
+				issuer: "http://localhost:8081",
+				domain: "http://localhost:8081",
+				samlConfig: {
+					entryPoint: "http://localhost:8081/api/sso/saml2/idp/post",
+					cert: certificate,
+					callbackUrl: "http://localhost:3000/dashboard",
+					wantAssertionsSigned: false,
+					signatureAlgorithm: "sha256",
+					digestAlgorithm: "sha256",
+					idpMetadata: {
+						metadata: idpMetadata,
+					},
+					spMetadata: {
+						metadata: spMetadata,
+					},
+					identifierFormat:
+						"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+				},
+			},
+			headers,
+		});
+
+		const ctx = await authWithTrusted.$context;
+		await ctx.adapter.create({
+			model: "user",
+			data: {
+				id: "existing-user-id-2",
+				email: "test@email.com",
+				name: "Existing User",
+				emailVerified: true,
+				createdAt: new Date(),
+				updatedAt: new Date(),
+			},
+		});
+
+		let samlResponse: any;
+		await betterFetch("http://localhost:8081/api/sso/saml2/idp/post", {
+			onSuccess: async (context) => {
+				samlResponse = await context.data;
+			},
+		});
+
+		const response = await authWithTrusted.handler(
+			new Request(
+				"http://localhost:3000/api/auth/sso/saml2/callback/trusted-saml-provider",
+				{
+					method: "POST",
+					headers: {
+						"Content-Type": "application/x-www-form-urlencoded",
+					},
+					body: new URLSearchParams({
+						SAMLResponse: samlResponse.samlResponse,
+						RelayState: "http://localhost:3000/dashboard",
+					}),
+				},
+			),
+		);
+
+		expect(response.status).toBe(302);
+		const redirectLocation = response.headers.get("location") || "";
+		expect(redirectLocation).not.toContain("error");
+		expect(redirectLocation).toContain("dashboard");
+	});
 });
 
 describe("SAML SSO with custom fields", () => {
@@ -1325,3 +1490,184 @@ describe("SAML SSO with custom fields", () => {
 		});
 	});
 });
+
+import { safeJsonParse } from "./utils";
+
+describe("safeJsonParse", () => {
+	it("returns object as-is when value is already an object", () => {
+		const obj = { a: 1, nested: { b: 2 } };
+		const result = safeJsonParse<typeof obj>(obj);
+		expect(result).toBe(obj); // same reference
+		expect(result).toEqual({ a: 1, nested: { b: 2 } });
+	});
+
+	it("parses stringified JSON when value is a string", () => {
+		const json = '{"a":1,"nested":{"b":2}}';
+		const result = safeJsonParse<{ a: number; nested: { b: number } }>(json);
+		expect(result).toEqual({ a: 1, nested: { b: 2 } });
+	});
+
+	it("returns null for null input", () => {
+		const result = safeJsonParse<{ a: number }>(null);
+		expect(result).toBeNull();
+	});
+
+	it("returns null for undefined input", () => {
+		const result = safeJsonParse<{ a: number }>(undefined);
+		expect(result).toBeNull();
+	});
+
+	it("throws error for invalid JSON string", () => {
+		expect(() => safeJsonParse<{ a: number }>("not valid json")).toThrow(
+			"Failed to parse JSON",
+		);
+	});
+
+	it("handles empty object", () => {
+		const obj = {};
+		const result = safeJsonParse<typeof obj>(obj);
+		expect(result).toBe(obj);
+	});
+
+	it("handles empty string JSON", () => {
+		const result = safeJsonParse<Record<string, never>>("{}");
+		expect(result).toEqual({});
+	});
+});
+
+describe("SSO Provider Config Parsing", () => {
+	it("returns parsed SAML config and avoids [object Object] in response", async () => {
+		const data = {
+			user: [] as any[],
+			session: [] as any[],
+			verification: [] as any[],
+			account: [] as any[],
+			ssoProvider: [] as any[],
+		};
+
+		const memory = memoryAdapter(data);
+
+		const auth = betterAuth({
+			database: memory,
+			baseURL: "http://localhost:3000",
+			emailAndPassword: { enabled: true },
+			plugins: [sso()],
+		});
+
+		const authClient = createAuthClient({
+			baseURL: "http://localhost:3000",
+			plugins: [bearer(), ssoClient()],
+			fetchOptions: {
+				customFetchImpl: async (url, init) =>
+					auth.handler(new Request(url, init)),
+			},
+		});
+
+		const headers = new Headers();
+		await authClient.signUp.email({
+			email: "test@example.com",
+			password: "password123",
+			name: "Test User",
+		});
+		await authClient.signIn.email(
+			{ email: "test@example.com", password: "password123" },
+			{ onSuccess: setCookieToHeader(headers) },
+		);
+
+		const provider = await auth.api.registerSSOProvider({
+			body: {
+				providerId: "saml-config-provider",
+				issuer: "http://localhost:8081",
+				domain: "example.com",
+				samlConfig: {
+					entryPoint: "http://localhost:8081/sso",
+					cert: "test-cert",
+					callbackUrl: "http://localhost:3000/callback",
+					spMetadata: {
+						entityID: "test-entity",
+					},
+				},
+			},
+			headers,
+		});
+
+		expect(provider.samlConfig).toBeDefined();
+		expect(typeof provider.samlConfig).toBe("object");
+		expect(provider.samlConfig?.entryPoint).toBe("http://localhost:8081/sso");
+		expect(provider.samlConfig?.cert).toBe("test-cert");
+
+		const serialized = JSON.stringify(provider.samlConfig);
+		expect(serialized).not.toContain("[object Object]");
+
+		expect(provider.samlConfig?.spMetadata?.entityID).toBe("test-entity");
+	});
+
+	it("returns parsed OIDC config and avoids [object Object] in response", async () => {
+		const data = {
+			user: [] as any[],
+			session: [] as any[],
+			verification: [] as any[],
+			account: [] as any[],
+			ssoProvider: [] as any[],
+		};
+
+		const memory = memoryAdapter(data);
+
+		const auth = betterAuth({
+			database: memory,
+			baseURL: "http://localhost:3000",
+			emailAndPassword: { enabled: true },
+			plugins: [sso()],
+		});
+
+		const authClient = createAuthClient({
+			baseURL: "http://localhost:3000",
+			plugins: [bearer(), ssoClient()],
+			fetchOptions: {
+				customFetchImpl: async (url, init) =>
+					auth.handler(new Request(url, init)),
+			},
+		});
+
+		const headers = new Headers();
+		await authClient.signUp.email({
+			email: "test@example.com",
+			password: "password123",
+			name: "Test User",
+		});
+		await authClient.signIn.email(
+			{ email: "test@example.com", password: "password123" },
+			{ onSuccess: setCookieToHeader(headers) },
+		);
+
+		const provider = await auth.api.registerSSOProvider({
+			body: {
+				providerId: "oidc-config-provider",
+				issuer: "http://localhost:8080",
+				domain: "example.com",
+				oidcConfig: {
+					clientId: "test-client",
+					clientSecret: "test-secret",
+					discoveryEndpoint:
+						"http://localhost:8080/.well-known/openid-configuration",
+					mapping: {
+						id: "sub",
+						email: "email",
+						name: "name",
+					},
+				},
+			},
+			headers,
+		});
+
+		expect(provider.oidcConfig).toBeDefined();
+		expect(typeof provider.oidcConfig).toBe("object");
+		expect(provider.oidcConfig?.clientId).toBe("test-client");
+		expect(provider.oidcConfig?.clientSecret).toBe("test-secret");
+
+		const serialized = JSON.stringify(provider.oidcConfig);
+		expect(serialized).not.toContain("[object Object]");
+
+		expect(provider.oidcConfig?.mapping?.id).toBe("sub");
+	});
+});

package/src/types.ts

@@ -232,7 +232,13 @@ export interface SSOOptions {
 	 *
 	 * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
 	 * providers in the `trustedProviders` list.
+	 *
 	 * @default false
+	 *
+	 * @deprecated This option is discouraged for new projects. Relying on provider-level `email_verified` is a weaker
+	 * trust signal compared to using `trustedProviders` in `accountLinking` or enabling `domainVerification` for SSO.
+	 * Existing configurations will continue to work, but new integrations should use explicit trust mechanisms.
+	 * This option may be removed in a future major version.
 	 */
 	trustEmailVerified?: boolean | undefined;
 	/**

package/src/utils.ts

@@ -1,3 +1,34 @@
+/**
+ * Safely parses a value that might be a JSON string or already a parsed object.
+ * This handles cases where ORMs like Drizzle might return already parsed objects
+ * instead of JSON strings from TEXT/JSON columns.
+ *
+ * @param value - The value to parse (string, object, null, or undefined)
+ * @returns The parsed object or null
+ * @throws Error if string parsing fails
+ */
+export function safeJsonParse<T>(
+	value: string | T | null | undefined,
+): T | null {
+	if (!value) return null;
+
+	if (typeof value === "object") {
+		return value as T;
+	}
+
+	if (typeof value === "string") {
+		try {
+			return JSON.parse(value) as T;
+		} catch (error) {
+			throw new Error(
+				`Failed to parse JSON: ${error instanceof Error ? error.message : "Unknown error"}`,
+			);
+		}
+	}
+
+	return null;
+}
+
 export const validateEmailDomain = (email: string, domain: string) => {
 	const emailDomain = email.split("@")[1]?.toLowerCase();
 	const providerDomain = domain.toLowerCase();