@better-auth/sso 1.4.7-beta.3 → 1.4.7

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @better-auth/sso@1.4.7-beta.3 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.7 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 
 ℹ tsdown v0.17.2 powered by rolldown v1.0.0-beta.53
@@ -7,10 +7,10 @@
 ℹ entry: src/index.ts, src/client.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ dist/index.mjs             65.14 kB │ gzip: 11.40 kB
+ℹ dist/index.mjs             83.77 kB │ gzip: 15.84 kB
 ℹ dist/client.mjs             0.15 kB │ gzip:  0.14 kB
-ℹ dist/client.d.mts           0.49 kB │ gzip:  0.29 kB
-ℹ dist/index.d.mts            0.43 kB │ gzip:  0.23 kB
-ℹ dist/index-m7FISidt.d.mts  28.63 kB │ gzip:  5.07 kB
-ℹ 5 files, total: 94.85 kB
-✔ Build complete in 11484ms
+ℹ dist/index.d.mts            1.44 kB │ gzip:  0.52 kB
+ℹ dist/client.d.mts           0.49 kB │ gzip:  0.30 kB
+ℹ dist/index-B9WMxRdD.d.mts  41.59 kB │ gzip:  8.59 kB
+ℹ 5 files, total: 127.44 kB
+✔ Build complete in 12101ms

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-m7FISidt.mjs";
+import { t as SSOPlugin } from "./index-B9WMxRdD.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-m7FISidt.d.mts → index-B9WMxRdD.d.mts}

@@ -1,6 +1,7 @@
+import { APIError } from "better-auth/api";
 import * as z from "zod/v4";
 import { OAuth2Tokens, User } from "better-auth";
-import * as better_call0 from "better-call";
+import * as better_call7 from "better-call";
 
 //#region src/authn-request-store.d.ts
 
@@ -252,13 +253,7 @@ interface SSOOptions {
    *
    * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
    * providers in the `trustedProviders` list.
-   *
    * @default false
-   *
-   * @deprecated This option is discouraged for new projects. Relying on provider-level `email_verified` is a weaker
-   * trust signal compared to using `trustedProviders` in `accountLinking` or enabling `domainVerification` for SSO.
-   * Existing configurations will continue to work, but new integrations should use explicit trust mechanisms.
-   * This option may be removed in a future major version.
    */
   trustEmailVerified?: boolean | undefined;
   /**
@@ -326,11 +321,43 @@ interface SSOOptions {
      * verification table fallback) is used automatically.
      */
     authnRequestStore?: AuthnRequestStore;
+    /**
+     * Clock skew tolerance for SAML assertion timestamp validation in milliseconds.
+     * Allows for minor time differences between IdP and SP servers.
+     *
+     * Defaults to 300000 (5 minutes) to accommodate:
+     * - Network latency and processing time
+     * - Clock synchronization differences (NTP drift)
+     * - Distributed systems across timezones
+     *
+     * For stricter security, reduce to 1-2 minutes (60000-120000).
+     * For highly distributed systems, increase up to 10 minutes (600000).
+     *
+     * @default 300000 (5 minutes)
+     */
+    clockSkew?: number;
+    /**
+     * Require timestamp conditions (NotBefore/NotOnOrAfter) in SAML assertions.
+     * When enabled, assertions without timestamp conditions will be rejected.
+     *
+     * When disabled (default), assertions without timestamps are accepted
+     * but a warning is logged.
+     *
+     * **SAML Spec Notes:**
+     * - SAML 2.0 Core: Timestamps are OPTIONAL
+     * - SAML2Int (enterprise profile): Timestamps are REQUIRED
+     *
+     * **Recommendation:** Enable for enterprise/production deployments
+     * where your IdP follows SAML2Int (Okta, Azure AD, OneLogin, etc.)
+     *
+     * @default false
+     */
+    requireTimestamps?: boolean;
   };
 }
 //#endregion
 //#region src/routes/domain-verification.d.ts
-declare const requestDomainVerification: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/request-domain-verification", {
+declare const requestDomainVerification: (options: SSOOptions) => better_call7.StrictEndpoint<"/sso/request-domain-verification", {
   method: "POST";
   body: z.ZodObject<{
     providerId: z.ZodString;
@@ -352,7 +379,7 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call0.S
       };
     };
   };
-  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -378,7 +405,7 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call0.S
 }, {
   domainVerificationToken: string;
 }>;
-declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/verify-domain", {
+declare const verifyDomain: (options: SSOOptions) => better_call7.StrictEndpoint<"/sso/verify-domain", {
   method: "POST";
   body: z.ZodObject<{
     providerId: z.ZodString;
@@ -403,7 +430,7 @@ declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint
       };
     };
   };
-  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -429,7 +456,27 @@ declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint
 }, void>;
 //#endregion
 //#region src/routes/sso.d.ts
-declare const spMetadata: () => better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
+/** Default clock skew tolerance: 5 minutes */
+declare const DEFAULT_CLOCK_SKEW_MS: number;
+interface TimestampValidationOptions {
+  clockSkew?: number;
+  requireTimestamps?: boolean;
+  logger?: {
+    warn: (message: string, data?: Record<string, unknown>) => void;
+  };
+}
+/** Conditions extracted from SAML assertion */
+interface SAMLConditions {
+  notBefore?: string;
+  notOnOrAfter?: string;
+}
+/**
+ * Validates SAML assertion timestamp conditions (NotBefore/NotOnOrAfter).
+ * Prevents acceptance of expired or future-dated assertions.
+ * @throws {APIError} If timestamps are invalid, expired, or not yet valid
+ */
+declare function validateSAMLTimestamp(conditions: SAMLConditions | undefined, options?: TimestampValidationOptions): void;
+declare const spMetadata: () => better_call7.StrictEndpoint<"/sso/saml2/sp/metadata", {
   method: "GET";
   query: z.ZodObject<{
     providerId: z.ZodString;
@@ -451,7 +498,7 @@ declare const spMetadata: () => better_call0.StrictEndpoint<"/sso/saml2/sp/metad
     };
   };
 }, Response>;
-declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call0.StrictEndpoint<"/sso/register", {
+declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call7.StrictEndpoint<"/sso/register", {
   method: "POST";
   body: z.ZodObject<{
     providerId: z.ZodString;
@@ -469,6 +516,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
       }>>;
       jwksEndpoint: z.ZodOptional<z.ZodString>;
       discoveryEndpoint: z.ZodOptional<z.ZodString>;
+      skipDiscovery: z.ZodOptional<z.ZodBoolean>;
       scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
       pkce: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
       mapping: z.ZodOptional<z.ZodObject<{
@@ -529,7 +577,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
     organizationId: z.ZodOptional<z.ZodString>;
     overrideUserInfo: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
   }, z.core.$strip>;
-  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -719,7 +767,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
   domainVerified: boolean;
   domainVerificationToken: string;
 } & SSOProvider<O> : SSOProvider<O>>;
-declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sign-in/sso", {
+declare const signInSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sign-in/sso", {
   method: "POST";
   body: z.ZodObject<{
     email: z.ZodOptional<z.ZodString>;
@@ -813,7 +861,7 @@ declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"
   url: string;
   redirect: boolean;
 }>;
-declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/callback/:providerId", {
+declare const callbackSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/callback/:providerId", {
   method: "GET";
   query: z.ZodObject<{
     code: z.ZodOptional<z.ZodString>;
@@ -836,7 +884,7 @@ declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint
     scope: "server";
   };
 }, never>;
-declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
+declare const callbackSSOSAML: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/saml2/callback/:providerId", {
   method: "POST";
   body: z.ZodObject<{
     SAMLResponse: z.ZodString;
@@ -863,7 +911,7 @@ declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndp
     scope: "server";
   };
 }, never>;
-declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
+declare const acsEndpoint: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
   method: "POST";
   params: z.ZodObject<{
     providerId: z.ZodOptional<z.ZodString>;
@@ -888,6 +936,264 @@ declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint
   };
 }, never>;
 //#endregion
+//#region src/oidc/types.d.ts
+/**
+ * OIDC Discovery Types
+ *
+ * Types for the OIDC discovery document and hydrated configuration.
+ * Based on OpenID Connect Discovery 1.0 specification.
+ *
+ * @see https://openid.net/specs/openid-connect-discovery-1_0.html
+ */
+/**
+ * Raw OIDC Discovery Document as returned by the IdP's
+ * .well-known/openid-configuration endpoint.
+ *
+ * Required fields for Better Auth's OIDC support:
+ * - issuer
+ * - authorization_endpoint
+ * - token_endpoint
+ * - jwks_uri (required for ID token validation)
+ *
+ */
+interface OIDCDiscoveryDocument {
+  /** REQUIRED. URL using the https scheme that the OP asserts as its Issuer Identifier. */
+  issuer: string;
+  /** REQUIRED. URL of the OP's OAuth 2.0 Authorization Endpoint. */
+  authorization_endpoint: string;
+  /**
+   * REQUIRED (spec says "unless only implicit flow is used").
+   * URL of the OP's OAuth 2.0 Token Endpoint.
+   * We only support authorization code flow.
+   */
+  token_endpoint: string;
+  /** REQUIRED. URL of the OP's JSON Web Key Set document for ID token validation. */
+  jwks_uri: string;
+  /** RECOMMENDED. URL of the OP's UserInfo Endpoint. */
+  userinfo_endpoint?: string;
+  /**
+   * OPTIONAL. JSON array containing a list of Client Authentication methods
+   * supported by this Token Endpoint.
+   * Default: ["client_secret_basic"]
+   */
+  token_endpoint_auth_methods_supported?: string[];
+  /** OPTIONAL. JSON array containing a list of the OAuth 2.0 scope values that this server supports. */
+  scopes_supported?: string[];
+  /** OPTIONAL. JSON array containing a list of the OAuth 2.0 response_type values that this OP supports. */
+  response_types_supported?: string[];
+  /** OPTIONAL. JSON array containing a list of the Subject Identifier types that this OP supports. */
+  subject_types_supported?: string[];
+  /** OPTIONAL. JSON array containing a list of the JWS signing algorithms supported by the OP. */
+  id_token_signing_alg_values_supported?: string[];
+  /** OPTIONAL. JSON array containing a list of the claim names that the OP may supply values for. */
+  claims_supported?: string[];
+  /** OPTIONAL. URL of a page containing human-readable information about the OP. */
+  service_documentation?: string;
+  /** OPTIONAL. Boolean value specifying whether the OP supports use of the claims parameter. */
+  claims_parameter_supported?: boolean;
+  /** OPTIONAL. Boolean value specifying whether the OP supports use of the request parameter. */
+  request_parameter_supported?: boolean;
+  /** OPTIONAL. Boolean value specifying whether the OP supports use of the request_uri parameter. */
+  request_uri_parameter_supported?: boolean;
+  /** OPTIONAL. Boolean value specifying whether the OP requires any request_uri values to be pre-registered. */
+  require_request_uri_registration?: boolean;
+  /** OPTIONAL. URL of the OP's end session endpoint. */
+  end_session_endpoint?: string;
+  /** OPTIONAL. URL of the OP's revocation endpoint. */
+  revocation_endpoint?: string;
+  /** OPTIONAL. URL of the OP's introspection endpoint. */
+  introspection_endpoint?: string;
+  /** OPTIONAL. JSON array of PKCE code challenge methods supported (e.g., "S256", "plain"). */
+  code_challenge_methods_supported?: string[];
+  /** Allow additional fields from the discovery document */
+  [key: string]: unknown;
+}
+/**
+ * Error codes for OIDC discovery operations.
+ */
+type DiscoveryErrorCode = /** Request to discovery endpoint timed out */
+"discovery_timeout"
+/** Discovery endpoint returned 404 or similar */ | "discovery_not_found"
+/** Discovery endpoint returned invalid JSON */ | "discovery_invalid_json"
+/** Discovery URL is invalid or malformed */ | "discovery_invalid_url"
+/** Discovery URL is not trusted by the trusted origins configuration */ | "discovery_untrusted_origin"
+/** Discovery document issuer doesn't match configured issuer */ | "issuer_mismatch"
+/** Discovery document is missing required fields */ | "discovery_incomplete"
+/** IdP only advertises token auth methods that Better Auth doesn't currently support */ | "unsupported_token_auth_method"
+/** Catch-all for unexpected errors */ | "discovery_unexpected_error";
+/**
+ * Custom error class for OIDC discovery failures.
+ * Can be caught and mapped to APIError at the edge.
+ */
+declare class DiscoveryError extends Error {
+  readonly code: DiscoveryErrorCode;
+  readonly details?: Record<string, unknown>;
+  constructor(code: DiscoveryErrorCode, message: string, details?: Record<string, unknown>, options?: {
+    cause?: unknown;
+  });
+}
+/**
+ * Hydrated OIDC configuration after discovery.
+ * This is the normalized shape that gets persisted to the database
+ * or merged into provider config at runtime.
+ *
+ * Field names are camelCase to match Better Auth conventions.
+ */
+interface HydratedOIDCConfig {
+  /** The issuer URL (validated to match configured issuer) */
+  issuer: string;
+  /** The discovery endpoint URL */
+  discoveryEndpoint: string;
+  /** URL of the authorization endpoint */
+  authorizationEndpoint: string;
+  /** URL of the token endpoint */
+  tokenEndpoint: string;
+  /** URL of the JWKS endpoint */
+  jwksEndpoint: string;
+  /** URL of the userinfo endpoint (optional) */
+  userInfoEndpoint?: string;
+  /** Token endpoint authentication method */
+  tokenEndpointAuthentication?: "client_secret_basic" | "client_secret_post";
+  /** Scopes supported by the IdP */
+  scopesSupported?: string[];
+}
+/**
+ * Parameters for the discoverOIDCConfig function.
+ */
+interface DiscoverOIDCConfigParams {
+  /** The issuer URL to discover configuration from */
+  issuer: string;
+  /**
+   * Optional existing configuration.
+   * Values provided here will override discovered values.
+   */
+  existingConfig?: Partial<HydratedOIDCConfig>;
+  /**
+   * Optional custom discovery endpoint URL.
+   * If not provided, defaults to <issuer>/.well-known/openid-configuration
+   */
+  discoveryEndpoint?: string;
+  /**
+   * Optional timeout in milliseconds for the discovery request.
+   * @default 10000 (10 seconds)
+   */
+  timeout?: number;
+  /**
+   * Trusted origin predicate. See "trustedOrigins" option
+   * @param url the url to test
+   * @returns {boolean} return true for urls that belong to a trusted origin and false otherwise
+   */
+  isTrustedOrigin: (url: string) => boolean;
+}
+/**
+ * Required fields that must be present in a valid discovery document.
+ */
+declare const REQUIRED_DISCOVERY_FIELDS: readonly ["issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"];
+type RequiredDiscoveryField = (typeof REQUIRED_DISCOVERY_FIELDS)[number];
+//#endregion
+//#region src/oidc/discovery.d.ts
+/**
+ * Main entry point: Discover and hydrate OIDC configuration from an issuer.
+ *
+ * This function:
+ * 1. Computes the discovery URL from the issuer
+ * 2. Validates the discovery URL
+ * 3. Fetches the discovery document
+ * 4. Validates the discovery document (issuer match + required fields)
+ * 5. Normalizes URLs
+ * 6. Selects token endpoint auth method
+ * 7. Merges with existing config (existing values take precedence)
+ *
+ * @param params - Discovery parameters
+ * @param isTrustedOrigin - Origin verification tester function
+ * @returns Hydrated OIDC configuration ready for persistence
+ * @throws DiscoveryError on any failure
+ */
+declare function discoverOIDCConfig(params: DiscoverOIDCConfigParams): Promise<HydratedOIDCConfig>;
+/**
+ * Compute the discovery URL from an issuer URL.
+ *
+ * Per OIDC Discovery spec, the discovery document is located at:
+ * <issuer>/.well-known/openid-configuration
+ *
+ * Handles trailing slashes correctly.
+ */
+declare function computeDiscoveryUrl(issuer: string): string;
+/**
+ * Validate a discovery URL before fetching.
+ *
+ * @param url - The discovery URL to validate
+ * @param isTrustedOrigin - Origin verification tester function
+ * @throws DiscoveryError if URL is invalid
+ */
+declare function validateDiscoveryUrl(url: string, isTrustedOrigin: DiscoverOIDCConfigParams["isTrustedOrigin"]): void;
+/**
+ * Fetch the OIDC discovery document from the IdP.
+ *
+ * @param url - The discovery endpoint URL
+ * @param timeout - Request timeout in milliseconds
+ * @returns The parsed discovery document
+ * @throws DiscoveryError on network errors, timeouts, or invalid responses
+ */
+declare function fetchDiscoveryDocument(url: string, timeout?: number): Promise<OIDCDiscoveryDocument>;
+/**
+ * Validate a discovery document.
+ *
+ * Checks:
+ * 1. All required fields are present
+ * 2. Issuer matches the configured issuer (case-sensitive, exact match)
+ *
+ * Invariant: If this function returns without throwing, the document is safe
+ * to use for hydrating OIDC config (required fields present, issuer matches
+ * configured value, basic structural sanity verified).
+ *
+ * @param doc - The discovery document to validate
+ * @param configuredIssuer - The expected issuer value
+ * @throws DiscoveryError if validation fails
+ */
+declare function validateDiscoveryDocument(doc: OIDCDiscoveryDocument, configuredIssuer: string): void;
+/**
+ * Normalize URLs in the discovery document.
+ *
+ * @param document - The discovery document
+ * @param issuer - The base issuer URL
+ * @param isTrustedOrigin - Origin verification tester function
+ * @returns The normalized discovery document
+ */
+declare function normalizeDiscoveryUrls(document: OIDCDiscoveryDocument, issuer: string, isTrustedOrigin: DiscoverOIDCConfigParams["isTrustedOrigin"]): OIDCDiscoveryDocument;
+/**
+ * Normalize a single URL endpoint.
+ *
+ * @param name - The endpoint name (e.g token_endpoint)
+ * @param endpoint - The endpoint URL to normalize
+ * @param issuer - The base issuer URL
+ * @returns The normalized endpoint URL
+ */
+declare function normalizeUrl(name: string, endpoint: string, issuer: string): string;
+/**
+ * Select the token endpoint authentication method.
+ *
+ * @param doc - The discovery document
+ * @param existing - Existing authentication method from config
+ * @returns The selected authentication method
+ */
+declare function selectTokenEndpointAuthMethod(doc: OIDCDiscoveryDocument, existing?: "client_secret_basic" | "client_secret_post"): "client_secret_basic" | "client_secret_post";
+/**
+ * Check if a provider configuration needs runtime discovery.
+ *
+ * Returns true if we need discovery at runtime to complete the token exchange
+ * and validation. Specifically checks for:
+ * - `tokenEndpoint` - required for exchanging authorization code for tokens
+ * - `jwksEndpoint` - required for validating ID token signatures
+ *
+ * Note: `authorizationEndpoint` is handled separately in the sign-in flow,
+ * so it's not checked here.
+ *
+ * @param config - Partial OIDC config from the provider
+ * @returns true if runtime discovery should be performed
+ */
+declare function needsRuntimeDiscovery(config: Partial<HydratedOIDCConfig> | undefined): boolean;
+//#endregion
 //#region src/index.d.ts
 type DomainVerificationEndpoints = {
   requestDomainVerification: ReturnType<typeof requestDomainVerification>;
@@ -924,4 +1230,4 @@ declare function sso<O extends SSOOptions>(options?: O | undefined): {
   endpoints: SSOEndpoints<O>;
 };
 //#endregion
-export { SSOOptions as a, AuthnRequestStore as c, SAMLConfig as i, DEFAULT_AUTHN_REQUEST_TTL_MS as l, sso as n, SSOProvider as o, OIDCConfig as r, AuthnRequestRecord as s, SSOPlugin as t, createInMemoryAuthnRequestStore as u };
+export { createInMemoryAuthnRequestStore as A, OIDCConfig as C, AuthnRequestRecord as D, SSOProvider as E, AuthnRequestStore as O, validateSAMLTimestamp as S, SSOOptions as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, SAMLConditions as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, DEFAULT_AUTHN_REQUEST_TTL_MS as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, SAMLConfig as w, TimestampValidationOptions as x, DEFAULT_CLOCK_SKEW_MS as y };

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { a as SSOOptions, c as AuthnRequestStore, i as SAMLConfig, l as DEFAULT_AUTHN_REQUEST_TTL_MS, n as sso, o as SSOProvider, r as OIDCConfig, s as AuthnRequestRecord, t as SSOPlugin, u as createInMemoryAuthnRequestStore } from "./index-m7FISidt.mjs";
-export { AuthnRequestRecord, AuthnRequestStore, DEFAULT_AUTHN_REQUEST_TTL_MS, OIDCConfig, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, createInMemoryAuthnRequestStore, sso };
+import { A as createInMemoryAuthnRequestStore, C as OIDCConfig, D as AuthnRequestRecord, E as SSOProvider, O as AuthnRequestStore, S as validateSAMLTimestamp, T as SSOOptions, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as SAMLConditions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, k as DEFAULT_AUTHN_REQUEST_TTL_MS, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as SAMLConfig, x as TimestampValidationOptions, y as DEFAULT_CLOCK_SKEW_MS } from "./index-B9WMxRdD.mjs";
+export { AuthnRequestRecord, AuthnRequestStore, DEFAULT_AUTHN_REQUEST_TTL_MS, DEFAULT_CLOCK_SKEW_MS, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, TimestampValidationOptions, computeDiscoveryUrl, createInMemoryAuthnRequestStore, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };