@better-auth/sso 1.4.7-beta.2 → 1.4.7-beta.4

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @better-auth/sso@1.4.7-beta.2 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.7-beta.4 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 
 ℹ tsdown v0.17.2 powered by rolldown v1.0.0-beta.53
@@ -7,10 +7,10 @@
 ℹ entry: src/index.ts, src/client.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ dist/index.mjs             59.70 kB │ gzip: 10.48 kB
+ℹ dist/index.mjs             80.81 kB │ gzip: 15.19 kB
 ℹ dist/client.mjs             0.15 kB │ gzip:  0.14 kB
-ℹ dist/client.d.mts           0.49 kB │ gzip:  0.30 kB
-ℹ dist/index.d.mts            0.21 kB │ gzip:  0.15 kB
-ℹ dist/index-BWvN4yrs.d.mts  25.84 kB │ gzip:  4.13 kB
-ℹ 5 files, total: 86.39 kB
-✔ Build complete in 12102ms
+ℹ dist/index.d.mts            1.44 kB │ gzip:  0.52 kB
+ℹ dist/client.d.mts           0.49 kB │ gzip:  0.29 kB
+ℹ dist/index-GoyGoP_a.d.mts  41.30 kB │ gzip:  8.58 kB
+ℹ 5 files, total: 124.19 kB
+✔ Build complete in 12053ms

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-BWvN4yrs.mjs";
+import { t as SSOPlugin } from "./index-GoyGoP_a.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-BWvN4yrs.d.mts → index-GoyGoP_a.d.mts}

@@ -1,7 +1,44 @@
+import { APIError } from "better-auth/api";
 import * as z from "zod/v4";
 import { OAuth2Tokens, User } from "better-auth";
 import * as better_call7 from "better-call";
 
+//#region src/authn-request-store.d.ts
+
+/**
+ * AuthnRequest Store
+ *
+ * Tracks SAML AuthnRequest IDs to enable InResponseTo validation.
+ * This prevents:
+ * - Unsolicited SAML responses
+ * - Cross-provider response injection
+ * - Replay attacks
+ * - Expired login completions
+ */
+interface AuthnRequestRecord {
+  id: string;
+  providerId: string;
+  createdAt: number;
+  expiresAt: number;
+}
+interface AuthnRequestStore {
+  save(record: AuthnRequestRecord): Promise<void>;
+  get(id: string): Promise<AuthnRequestRecord | null>;
+  delete(id: string): Promise<void>;
+}
+/**
+ * Default TTL for AuthnRequest records (5 minutes).
+ * This should be sufficient for most IdPs while protecting against stale requests.
+ */
+declare const DEFAULT_AUTHN_REQUEST_TTL_MS: number;
+/**
+ * In-memory implementation of AuthnRequestStore.
+ * ⚠️ Only suitable for testing or single-instance non-serverless deployments.
+ * For production, rely on the default behavior (uses verification table)
+ * or provide a custom Redis-backed store.
+ */
+declare function createInMemoryAuthnRequestStore(): AuthnRequestStore;
+//#endregion
 //#region src/types.d.ts
 interface OIDCMapping {
   id?: string | undefined;
@@ -243,6 +280,86 @@ interface SSOOptions {
      */
     tokenPrefix?: string;
   };
+  /**
+   * SAML security options for AuthnRequest/InResponseTo validation.
+   * This prevents unsolicited responses, replay attacks, and cross-provider injection.
+   */
+  saml?: {
+    /**
+     * Enable InResponseTo validation for SP-initiated SAML flows.
+     * When enabled, AuthnRequest IDs are tracked and validated against SAML responses.
+     *
+     * Storage behavior:
+     * - Uses `secondaryStorage` (e.g., Redis) if configured in your auth options
+     * - Falls back to the verification table in the database otherwise
+     *
+     * This works correctly in serverless environments without any additional configuration.
+     *
+     * @default false
+     */
+    enableInResponseToValidation?: boolean;
+    /**
+     * Allow IdP-initiated SSO (unsolicited SAML responses).
+     * When true, responses without InResponseTo are accepted.
+     * When false, all responses must correlate to a stored AuthnRequest.
+     *
+     * Only applies when InResponseTo validation is enabled.
+     *
+     * @default true
+     */
+    allowIdpInitiated?: boolean;
+    /**
+     * TTL for AuthnRequest records in milliseconds.
+     * Requests older than this will be rejected.
+     *
+     * Only applies when InResponseTo validation is enabled.
+     *
+     * @default 300000 (5 minutes)
+     */
+    requestTTL?: number;
+    /**
+     * Custom AuthnRequest store implementation.
+     * Use this to provide a custom storage backend (e.g., Redis-backed store).
+     *
+     * Providing a custom store automatically enables InResponseTo validation.
+     *
+     * Note: When not provided, the default storage (secondaryStorage with
+     * verification table fallback) is used automatically.
+     */
+    authnRequestStore?: AuthnRequestStore;
+    /**
+     * Clock skew tolerance for SAML assertion timestamp validation in milliseconds.
+     * Allows for minor time differences between IdP and SP servers.
+     *
+     * Defaults to 300000 (5 minutes) to accommodate:
+     * - Network latency and processing time
+     * - Clock synchronization differences (NTP drift)
+     * - Distributed systems across timezones
+     *
+     * For stricter security, reduce to 1-2 minutes (60000-120000).
+     * For highly distributed systems, increase up to 10 minutes (600000).
+     *
+     * @default 300000 (5 minutes)
+     */
+    clockSkew?: number;
+    /**
+     * Require timestamp conditions (NotBefore/NotOnOrAfter) in SAML assertions.
+     * When enabled, assertions without timestamp conditions will be rejected.
+     *
+     * When disabled (default), assertions without timestamps are accepted
+     * but a warning is logged.
+     *
+     * **SAML Spec Notes:**
+     * - SAML 2.0 Core: Timestamps are OPTIONAL
+     * - SAML2Int (enterprise profile): Timestamps are REQUIRED
+     *
+     * **Recommendation:** Enable for enterprise/production deployments
+     * where your IdP follows SAML2Int (Okta, Azure AD, OneLogin, etc.)
+     *
+     * @default false
+     */
+    requireTimestamps?: boolean;
+  };
 }
 //#endregion
 //#region src/routes/domain-verification.d.ts
@@ -291,8 +408,6 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call7.S
       };
     };
   }>)[];
-} & {
-  use: any[];
 }, {
   domainVerificationToken: string;
 }>;
@@ -344,11 +459,29 @@ declare const verifyDomain: (options: SSOOptions) => better_call7.StrictEndpoint
       };
     };
   }>)[];
-} & {
-  use: any[];
 }, void>;
 //#endregion
 //#region src/routes/sso.d.ts
+/** Default clock skew tolerance: 5 minutes */
+declare const DEFAULT_CLOCK_SKEW_MS: number;
+interface TimestampValidationOptions {
+  clockSkew?: number;
+  requireTimestamps?: boolean;
+  logger?: {
+    warn: (message: string, data?: Record<string, unknown>) => void;
+  };
+}
+/** Conditions extracted from SAML assertion */
+interface SAMLConditions {
+  notBefore?: string;
+  notOnOrAfter?: string;
+}
+/**
+ * Validates SAML assertion timestamp conditions (NotBefore/NotOnOrAfter).
+ * Prevents acceptance of expired or future-dated assertions.
+ * @throws {APIError} If timestamps are invalid, expired, or not yet valid
+ */
+declare function validateSAMLTimestamp(conditions: SAMLConditions | undefined, options?: TimestampValidationOptions): void;
 declare const spMetadata: () => better_call7.StrictEndpoint<"/sso/saml2/sp/metadata", {
   method: "GET";
   query: z.ZodObject<{
@@ -370,8 +503,6 @@ declare const spMetadata: () => better_call7.StrictEndpoint<"/sso/saml2/sp/metad
       };
     };
   };
-} & {
-  use: any[];
 }, Response>;
 declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call7.StrictEndpoint<"/sso/register", {
   method: "POST";
@@ -391,6 +522,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
       }>>;
       jwksEndpoint: z.ZodOptional<z.ZodString>;
       discoveryEndpoint: z.ZodOptional<z.ZodString>;
+      skipDiscovery: z.ZodOptional<z.ZodBoolean>;
       scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
       pkce: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
       mapping: z.ZodOptional<z.ZodObject<{
@@ -635,8 +767,6 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
       };
     };
   };
-} & {
-  use: any[];
 }, O["domainVerification"] extends {
   enabled: true;
 } ? {
@@ -657,8 +787,8 @@ declare const signInSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"
     loginHint: z.ZodOptional<z.ZodString>;
     requestSignUp: z.ZodOptional<z.ZodBoolean>;
     providerType: z.ZodOptional<z.ZodEnum<{
-      oidc: "oidc";
       saml: "saml";
+      oidc: "oidc";
     }>>;
   }, z.core.$strip>;
   metadata: {
@@ -733,8 +863,6 @@ declare const signInSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"
       };
     };
   };
-} & {
-  use: any[];
 }, {
   url: string;
   redirect: boolean;
@@ -749,7 +877,6 @@ declare const callbackSSO: (options?: SSOOptions) => better_call7.StrictEndpoint
   }, z.core.$strip>;
   allowedMediaTypes: string[];
   metadata: {
-    isAction: false;
     openapi: {
       operationId: string;
       summary: string;
@@ -760,9 +887,8 @@ declare const callbackSSO: (options?: SSOOptions) => better_call7.StrictEndpoint
         };
       };
     };
+    scope: "server";
   };
-} & {
-  use: any[];
 }, never>;
 declare const callbackSSOSAML: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/saml2/callback/:providerId", {
   method: "POST";
@@ -771,7 +897,6 @@ declare const callbackSSOSAML: (options?: SSOOptions) => better_call7.StrictEndp
     RelayState: z.ZodOptional<z.ZodString>;
   }, z.core.$strip>;
   metadata: {
-    isAction: false;
     allowedMediaTypes: string[];
     openapi: {
       operationId: string;
@@ -789,9 +914,8 @@ declare const callbackSSOSAML: (options?: SSOOptions) => better_call7.StrictEndp
         };
       };
     };
+    scope: "server";
   };
-} & {
-  use: any[];
 }, never>;
 declare const acsEndpoint: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
   method: "POST";
@@ -803,7 +927,6 @@ declare const acsEndpoint: (options?: SSOOptions) => better_call7.StrictEndpoint
     RelayState: z.ZodOptional<z.ZodString>;
   }, z.core.$strip>;
   metadata: {
-    isAction: false;
     allowedMediaTypes: string[];
     openapi: {
       operationId: string;
@@ -815,11 +938,257 @@ declare const acsEndpoint: (options?: SSOOptions) => better_call7.StrictEndpoint
         };
       };
     };
+    scope: "server";
   };
-} & {
-  use: any[];
 }, never>;
 //#endregion
+//#region src/oidc/types.d.ts
+/**
+ * OIDC Discovery Types
+ *
+ * Types for the OIDC discovery document and hydrated configuration.
+ * Based on OpenID Connect Discovery 1.0 specification.
+ *
+ * @see https://openid.net/specs/openid-connect-discovery-1_0.html
+ */
+/**
+ * Raw OIDC Discovery Document as returned by the IdP's
+ * .well-known/openid-configuration endpoint.
+ *
+ * Required fields for Better Auth's OIDC support:
+ * - issuer
+ * - authorization_endpoint
+ * - token_endpoint
+ * - jwks_uri (required for ID token validation)
+ *
+ */
+interface OIDCDiscoveryDocument {
+  /** REQUIRED. URL using the https scheme that the OP asserts as its Issuer Identifier. */
+  issuer: string;
+  /** REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint. */
+  authorization_endpoint: string;
+  /**
+   * REQUIRED (spec says "unless only implicit flow is used").
+   * URL of the OP's OAuth 2.0 Token Endpoint.
+   * We only support authorization code flow.
+   */
+  token_endpoint: string;
+  /** REQUIRED. URL of the OP's JSON Web Key Set document for ID token validation. */
+  jwks_uri: string;
+  /** RECOMMENDED. URL of the OP's UserInfo Endpoint. */
+  userinfo_endpoint?: string;
+  /**
+   * OPTIONAL. JSON array containing a list of Client Authentication methods
+   * supported by this Token Endpoint.
+   * Default: ["client_secret_basic"]
+   */
+  token_endpoint_auth_methods_supported?: string[];
+  /** OPTIONAL. JSON array containing a list of the OAuth 2.0 scope values that this server supports. */
+  scopes_supported?: string[];
+  /** OPTIONAL. JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. */
+  response_types_supported?: string[];
+  /** OPTIONAL. JSON array containing a list of the Subject Identifier types that this OP supports. */
+  subject_types_supported?: string[];
+  /** OPTIONAL. JSON array containing a list of the JWS signing algorithms supported by the OP. */
+  id_token_signing_alg_values_supported?: string[];
+  /** OPTIONAL. JSON array containing a list of the claim names that the OP may supply values for. */
+  claims_supported?: string[];
+  /** OPTIONAL. URL of a page containing human-readable information about the OP. */
+  service_documentation?: string;
+  /** OPTIONAL. Boolean value specifying whether the OP supports use of the claims parameter. */
+  claims_parameter_supported?: boolean;
+  /** OPTIONAL. Boolean value specifying whether the OP supports use of the request parameter. */
+  request_parameter_supported?: boolean;
+  /** OPTIONAL. Boolean value specifying whether the OP supports use of the request_uri parameter. */
+  request_uri_parameter_supported?: boolean;
+  /** OPTIONAL. Boolean value specifying whether the OP requires any request_uri values to be pre-registered. */
+  require_request_uri_registration?: boolean;
+  /** OPTIONAL. URL of the OP's end session endpoint. */
+  end_session_endpoint?: string;
+  /** OPTIONAL. URL of the OP's revocation endpoint. */
+  revocation_endpoint?: string;
+  /** OPTIONAL. URL of the OP's introspection endpoint. */
+  introspection_endpoint?: string;
+  /** OPTIONAL. JSON array of PKCE code challenge methods supported (e.g., "S256", "plain"). */
+  code_challenge_methods_supported?: string[];
+  /** Allow additional fields from the discovery document */
+  [key: string]: unknown;
+}
+/**
+ * Error codes for OIDC discovery operations.
+ */
+type DiscoveryErrorCode = /** Request to discovery endpoint timed out */
+"discovery_timeout"
+/** Discovery endpoint returned 404 or similar */ | "discovery_not_found"
+/** Discovery endpoint returned invalid JSON */ | "discovery_invalid_json"
+/** Discovery URL is invalid or malformed */ | "discovery_invalid_url"
+/** Discovery document issuer doesn't match configured issuer */ | "issuer_mismatch"
+/** Discovery document is missing required fields */ | "discovery_incomplete"
+/** IdP only advertises token auth methods that Better Auth doesn't currently support */ | "unsupported_token_auth_method"
+/** Catch-all for unexpected errors */ | "discovery_unexpected_error";
+/**
+ * Custom error class for OIDC discovery failures.
+ * Can be caught and mapped to APIError at the edge.
+ */
+declare class DiscoveryError extends Error {
+  readonly code: DiscoveryErrorCode;
+  readonly details?: Record<string, unknown>;
+  constructor(code: DiscoveryErrorCode, message: string, details?: Record<string, unknown>, options?: {
+    cause?: unknown;
+  });
+}
+/**
+ * Hydrated OIDC configuration after discovery.
+ * This is the normalized shape that gets persisted to the database
+ * or merged into provider config at runtime.
+ *
+ * Field names are camelCase to match Better Auth conventions.
+ */
+interface HydratedOIDCConfig {
+  /** The issuer URL (validated to match configured issuer) */
+  issuer: string;
+  /** The discovery endpoint URL */
+  discoveryEndpoint: string;
+  /** URL of the authorization endpoint */
+  authorizationEndpoint: string;
+  /** URL of the token endpoint */
+  tokenEndpoint: string;
+  /** URL of the JWKS endpoint */
+  jwksEndpoint: string;
+  /** URL of the userinfo endpoint (optional) */
+  userInfoEndpoint?: string;
+  /** Token endpoint authentication method */
+  tokenEndpointAuthentication?: "client_secret_basic" | "client_secret_post";
+  /** Scopes supported by the IdP */
+  scopesSupported?: string[];
+}
+/**
+ * Parameters for the discoverOIDCConfig function.
+ */
+interface DiscoverOIDCConfigParams {
+  /** The issuer URL to discover configuration from */
+  issuer: string;
+  /**
+   * Optional existing configuration.
+   * Values provided here will override discovered values.
+   */
+  existingConfig?: Partial<HydratedOIDCConfig>;
+  /**
+   * Optional custom discovery endpoint URL.
+   * If not provided, defaults to <issuer>/.well-known/openid-configuration
+   */
+  discoveryEndpoint?: string;
+  /**
+   * Optional timeout in milliseconds for the discovery request.
+   * @default 10000 (10 seconds)
+   */
+  timeout?: number;
+}
+/**
+ * Required fields that must be present in a valid discovery document.
+ */
+declare const REQUIRED_DISCOVERY_FIELDS: readonly ["issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"];
+type RequiredDiscoveryField = (typeof REQUIRED_DISCOVERY_FIELDS)[number];
+//#endregion
+//#region src/oidc/discovery.d.ts
+/**
+ * Main entry point: Discover and hydrate OIDC configuration from an issuer.
+ *
+ * This function:
+ * 1. Computes the discovery URL from the issuer
+ * 2. Validates the discovery URL (stub for now)
+ * 3. Fetches the discovery document
+ * 4. Validates the discovery document (issuer match + required fields)
+ * 5. Normalizes URLs (stub for now)
+ * 6. Selects token endpoint auth method
+ * 7. Merges with existing config (existing values take precedence)
+ *
+ * @param params - Discovery parameters
+ * @returns Hydrated OIDC configuration ready for persistence
+ * @throws DiscoveryError on any failure
+ */
+declare function discoverOIDCConfig(params: DiscoverOIDCConfigParams): Promise<HydratedOIDCConfig>;
+/**
+ * Compute the discovery URL from an issuer URL.
+ *
+ * Per OIDC Discovery spec, the discovery document is located at:
+ * <issuer>/.well-known/openid-configuration
+ *
+ * Handles trailing slashes correctly.
+ */
+declare function computeDiscoveryUrl(issuer: string): string;
+/**
+ * Validate a discovery URL before fetching.
+ *
+ * @param url - The discovery URL to validate
+ * @throws DiscoveryError if URL is invalid
+ */
+declare function validateDiscoveryUrl(url: string): void;
+/**
+ * Fetch the OIDC discovery document from the IdP.
+ *
+ * @param url - The discovery endpoint URL
+ * @param timeout - Request timeout in milliseconds
+ * @returns The parsed discovery document
+ * @throws DiscoveryError on network errors, timeouts, or invalid responses
+ */
+declare function fetchDiscoveryDocument(url: string, timeout?: number): Promise<OIDCDiscoveryDocument>;
+/**
+ * Validate a discovery document.
+ *
+ * Checks:
+ * 1. All required fields are present
+ * 2. Issuer matches the configured issuer (case-sensitive, exact match)
+ *
+ * Invariant: If this function returns without throwing, the document is safe
+ * to use for hydrating OIDC config (required fields present, issuer matches
+ * configured value, basic structural sanity verified).
+ *
+ * @param doc - The discovery document to validate
+ * @param configuredIssuer - The expected issuer value
+ * @throws DiscoveryError if validation fails
+ */
+declare function validateDiscoveryDocument(doc: OIDCDiscoveryDocument, configuredIssuer: string): void;
+/**
+ * Normalize URLs in the discovery document.
+ *
+ * @param doc - The discovery document
+ * @param _issuerBase - The base issuer URL
+ * @returns The normalized discovery document
+ */
+declare function normalizeDiscoveryUrls(doc: OIDCDiscoveryDocument, _issuerBase: string): OIDCDiscoveryDocument;
+/**
+ * Normalize a single URL endpoint.
+ *
+ * @param endpoint - The endpoint URL to normalize
+ * @param _issuerBase - The base issuer URL
+ * @returns The normalized endpoint URL
+ */
+declare function normalizeUrl(endpoint: string, _issuerBase: string): string;
+/**
+ * Select the token endpoint authentication method.
+ *
+ * @param doc - The discovery document
+ * @param existing - Existing authentication method from config
+ * @returns The selected authentication method
+ */
+declare function selectTokenEndpointAuthMethod(doc: OIDCDiscoveryDocument, existing?: "client_secret_basic" | "client_secret_post"): "client_secret_basic" | "client_secret_post";
+/**
+ * Check if a provider configuration needs runtime discovery.
+ *
+ * Returns true if we need discovery at runtime to complete the token exchange
+ * and validation. Specifically checks for:
+ * - `tokenEndpoint` - required for exchanging authorization code for tokens
+ * - `jwksEndpoint` - required for validating ID token signatures
+ *
+ * Note: `authorizationEndpoint` is handled separately in the sign-in flow,
+ * so it's not checked here.
+ *
+ * @param config - Partial OIDC config from the provider
+ * @returns true if runtime discovery should be performed
+ */
+declare function needsRuntimeDiscovery(config: Partial<HydratedOIDCConfig> | undefined): boolean;
+//#endregion
 //#region src/index.d.ts
 type DomainVerificationEndpoints = {
   requestDomainVerification: ReturnType<typeof requestDomainVerification>;
@@ -856,4 +1225,4 @@ declare function sso<O extends SSOOptions>(options?: O | undefined): {
   endpoints: SSOEndpoints<O>;
 };
 //#endregion
-export { SSOOptions as a, SAMLConfig as i, sso as n, SSOProvider as o, OIDCConfig as r, SSOPlugin as t };
+export { createInMemoryAuthnRequestStore as A, OIDCConfig as C, AuthnRequestRecord as D, SSOProvider as E, AuthnRequestStore as O, validateSAMLTimestamp as S, SSOOptions as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, SAMLConditions as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, DEFAULT_AUTHN_REQUEST_TTL_MS as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, SAMLConfig as w, TimestampValidationOptions as x, DEFAULT_CLOCK_SKEW_MS as y };

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { a as SSOOptions, i as SAMLConfig, n as sso, o as SSOProvider, r as OIDCConfig, t as SSOPlugin } from "./index-BWvN4yrs.mjs";
-export { OIDCConfig, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, sso };
+import { A as createInMemoryAuthnRequestStore, C as OIDCConfig, D as AuthnRequestRecord, E as SSOProvider, O as AuthnRequestStore, S as validateSAMLTimestamp, T as SSOOptions, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as SAMLConditions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, k as DEFAULT_AUTHN_REQUEST_TTL_MS, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as SAMLConfig, x as TimestampValidationOptions, y as DEFAULT_CLOCK_SKEW_MS } from "./index-GoyGoP_a.mjs";
+export { AuthnRequestRecord, AuthnRequestStore, DEFAULT_AUTHN_REQUEST_TTL_MS, DEFAULT_CLOCK_SKEW_MS, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, TimestampValidationOptions, computeDiscoveryUrl, createInMemoryAuthnRequestStore, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };