@better-auth/sso 1.4.7-beta.4 → 1.4.7

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @better-auth/sso@1.4.7-beta.4 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.7 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 
 ℹ tsdown v0.17.2 powered by rolldown v1.0.0-beta.53
@@ -7,10 +7,10 @@
 ℹ entry: src/index.ts, src/client.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ dist/index.mjs             80.81 kB │ gzip: 15.19 kB
+ℹ dist/index.mjs             83.77 kB │ gzip: 15.84 kB
 ℹ dist/client.mjs             0.15 kB │ gzip:  0.14 kB
 ℹ dist/index.d.mts            1.44 kB │ gzip:  0.52 kB
-ℹ dist/client.d.mts           0.49 kB │ gzip:  0.29 kB
-ℹ dist/index-GoyGoP_a.d.mts  41.30 kB │ gzip:  8.58 kB
-ℹ 5 files, total: 124.19 kB
-✔ Build complete in 12053ms
+ℹ dist/client.d.mts           0.49 kB │ gzip:  0.30 kB
+ℹ dist/index-B9WMxRdD.d.mts  41.59 kB │ gzip:  8.59 kB
+ℹ 5 files, total: 127.44 kB
+✔ Build complete in 12101ms

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-GoyGoP_a.mjs";
+import { t as SSOPlugin } from "./index-B9WMxRdD.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-GoyGoP_a.d.mts → index-B9WMxRdD.d.mts}

@@ -253,13 +253,7 @@ interface SSOOptions {
    *
    * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
    * providers in the `trustedProviders` list.
-   *
    * @default false
-   *
-   * @deprecated This option is discouraged for new projects. Relying on provider-level `email_verified` is a weaker
-   * trust signal compared to using `trustedProviders` in `accountLinking` or enabling `domainVerification` for SSO.
-   * Existing configurations will continue to work, but new integrations should use explicit trust mechanisms.
-   * This option may be removed in a future major version.
    */
   trustEmailVerified?: boolean | undefined;
   /**
@@ -1022,6 +1016,7 @@ type DiscoveryErrorCode = /** Request to discovery endpoint timed out */
 /** Discovery endpoint returned 404 or similar */ | "discovery_not_found"
 /** Discovery endpoint returned invalid JSON */ | "discovery_invalid_json"
 /** Discovery URL is invalid or malformed */ | "discovery_invalid_url"
+/** Discovery URL is not trusted by the trusted origins configuration */ | "discovery_untrusted_origin"
 /** Discovery document issuer doesn't match configured issuer */ | "issuer_mismatch"
 /** Discovery document is missing required fields */ | "discovery_incomplete"
 /** IdP only advertises token auth methods that Better Auth doesn't currently support */ | "unsupported_token_auth_method"
@@ -1083,6 +1078,12 @@ interface DiscoverOIDCConfigParams {
    * @default 10000 (10 seconds)
    */
   timeout?: number;
+  /**
+   * Trusted origin predicate. See "trustedOrigins" option
+   * @param url the url to test
+   * @returns {boolean} return true for urls that belong to a trusted origin and false otherwise
+   */
+  isTrustedOrigin: (url: string) => boolean;
 }
 /**
  * Required fields that must be present in a valid discovery document.
@@ -1096,14 +1097,15 @@ type RequiredDiscoveryField = (typeof REQUIRED_DISCOVERY_FIELDS)[number];
  *
  * This function:
  * 1. Computes the discovery URL from the issuer
- * 2. Validates the discovery URL (stub for now)
+ * 2. Validates the discovery URL
  * 3. Fetches the discovery document
  * 4. Validates the discovery document (issuer match + required fields)
- * 5. Normalizes URLs (stub for now)
+ * 5. Normalizes URLs
  * 6. Selects token endpoint auth method
  * 7. Merges with existing config (existing values take precedence)
  *
  * @param params - Discovery parameters
+ * @param isTrustedOrigin - Origin verification tester function
  * @returns Hydrated OIDC configuration ready for persistence
  * @throws DiscoveryError on any failure
  */
@@ -1121,9 +1123,10 @@ declare function computeDiscoveryUrl(issuer: string): string;
  * Validate a discovery URL before fetching.
  *
  * @param url - The discovery URL to validate
+ * @param isTrustedOrigin - Origin verification tester function
  * @throws DiscoveryError if URL is invalid
  */
-declare function validateDiscoveryUrl(url: string): void;
+declare function validateDiscoveryUrl(url: string, isTrustedOrigin: DiscoverOIDCConfigParams["isTrustedOrigin"]): void;
 /**
  * Fetch the OIDC discovery document from the IdP.
  *
@@ -1152,19 +1155,21 @@ declare function validateDiscoveryDocument(doc: OIDCDiscoveryDocument, configure
 /**
  * Normalize URLs in the discovery document.
  *
- * @param doc - The discovery document
- * @param _issuerBase - The base issuer URL
+ * @param document - The discovery document
+ * @param issuer - The base issuer URL
+ * @param isTrustedOrigin - Origin verification tester function
  * @returns The normalized discovery document
  */
-declare function normalizeDiscoveryUrls(doc: OIDCDiscoveryDocument, _issuerBase: string): OIDCDiscoveryDocument;
+declare function normalizeDiscoveryUrls(document: OIDCDiscoveryDocument, issuer: string, isTrustedOrigin: DiscoverOIDCConfigParams["isTrustedOrigin"]): OIDCDiscoveryDocument;
 /**
  * Normalize a single URL endpoint.
  *
+ * @param name - The endpoint name (e.g token_endpoint)
  * @param endpoint - The endpoint URL to normalize
- * @param _issuerBase - The base issuer URL
+ * @param issuer - The base issuer URL
  * @returns The normalized endpoint URL
  */
-declare function normalizeUrl(endpoint: string, _issuerBase: string): string;
+declare function normalizeUrl(name: string, endpoint: string, issuer: string): string;
 /**
  * Select the token endpoint authentication method.
  *

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { A as createInMemoryAuthnRequestStore, C as OIDCConfig, D as AuthnRequestRecord, E as SSOProvider, O as AuthnRequestStore, S as validateSAMLTimestamp, T as SSOOptions, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as SAMLConditions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, k as DEFAULT_AUTHN_REQUEST_TTL_MS, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as SAMLConfig, x as TimestampValidationOptions, y as DEFAULT_CLOCK_SKEW_MS } from "./index-GoyGoP_a.mjs";
+import { A as createInMemoryAuthnRequestStore, C as OIDCConfig, D as AuthnRequestRecord, E as SSOProvider, O as AuthnRequestStore, S as validateSAMLTimestamp, T as SSOOptions, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as SAMLConditions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, k as DEFAULT_AUTHN_REQUEST_TTL_MS, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as SAMLConfig, x as TimestampValidationOptions, y as DEFAULT_CLOCK_SKEW_MS } from "./index-B9WMxRdD.mjs";
 export { AuthnRequestRecord, AuthnRequestStore, DEFAULT_AUTHN_REQUEST_TTL_MS, DEFAULT_CLOCK_SKEW_MS, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, TimestampValidationOptions, computeDiscoveryUrl, createInMemoryAuthnRequestStore, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };

package/dist/index.mjs

@@ -268,24 +268,25 @@ const DEFAULT_DISCOVERY_TIMEOUT = 1e4;
 *
 * This function:
 * 1. Computes the discovery URL from the issuer
-* 2. Validates the discovery URL (stub for now)
+* 2. Validates the discovery URL
 * 3. Fetches the discovery document
 * 4. Validates the discovery document (issuer match + required fields)
-* 5. Normalizes URLs (stub for now)
+* 5. Normalizes URLs
 * 6. Selects token endpoint auth method
 * 7. Merges with existing config (existing values take precedence)
 *
 * @param params - Discovery parameters
+* @param isTrustedOrigin - Origin verification tester function
 * @returns Hydrated OIDC configuration ready for persistence
 * @throws DiscoveryError on any failure
 */
 async function discoverOIDCConfig(params) {
 	const { issuer, existingConfig, timeout = DEFAULT_DISCOVERY_TIMEOUT } = params;
 	const discoveryUrl = params.discoveryEndpoint || existingConfig?.discoveryEndpoint || computeDiscoveryUrl(issuer);
-	validateDiscoveryUrl(discoveryUrl);
+	validateDiscoveryUrl(discoveryUrl, params.isTrustedOrigin);
 	const discoveryDoc = await fetchDiscoveryDocument(discoveryUrl, timeout);
 	validateDiscoveryDocument(discoveryDoc, issuer);
-	const normalizedDoc = normalizeDiscoveryUrls(discoveryDoc, issuer);
+	const normalizedDoc = normalizeDiscoveryUrls(discoveryDoc, issuer, params.isTrustedOrigin);
 	const tokenEndpointAuth = selectTokenEndpointAuthMethod(normalizedDoc, existingConfig?.tokenEndpointAuthentication);
 	return {
 		issuer: existingConfig?.issuer ?? normalizedDoc.issuer,
@@ -313,19 +314,12 @@ function computeDiscoveryUrl(issuer) {
 * Validate a discovery URL before fetching.
 *
 * @param url - The discovery URL to validate
+* @param isTrustedOrigin - Origin verification tester function
 * @throws DiscoveryError if URL is invalid
 */
-function validateDiscoveryUrl(url) {
-	try {
-		const parsed = new URL(url);
-		if (parsed.protocol !== "https:" && parsed.protocol !== "http:") throw new DiscoveryError("discovery_invalid_url", `Discovery URL must use HTTP or HTTPS protocol: ${url}`, {
-			url,
-			protocol: parsed.protocol
-		});
-	} catch (error) {
-		if (error instanceof DiscoveryError) throw error;
-		throw new DiscoveryError("discovery_invalid_url", `Invalid discovery URL: ${url}`, { url }, { cause: error });
-	}
+function validateDiscoveryUrl(url, isTrustedOrigin) {
+	const discoveryEndpoint = parseURL("discoveryEndpoint", url).toString();
+	if (!isTrustedOrigin(discoveryEndpoint)) throw new DiscoveryError("discovery_untrusted_origin", `The main discovery endpoint "${discoveryEndpoint}" is not trusted by your trusted origins configuration.`, { url: discoveryEndpoint });
 }
 /**
 * Fetch the OIDC discovery document from the IdP.
@@ -399,22 +393,76 @@ function validateDiscoveryDocument(doc, configuredIssuer) {
 /**
 * Normalize URLs in the discovery document.
 *
-* @param doc - The discovery document
-* @param _issuerBase - The base issuer URL
+* @param document - The discovery document
+* @param issuer - The base issuer URL
+* @param isTrustedOrigin - Origin verification tester function
 * @returns The normalized discovery document
 */
-function normalizeDiscoveryUrls(doc, _issuerBase) {
+function normalizeDiscoveryUrls(document, issuer, isTrustedOrigin) {
+	const doc = { ...document };
+	doc.token_endpoint = normalizeAndValidateUrl("token_endpoint", doc.token_endpoint, issuer, isTrustedOrigin);
+	doc.authorization_endpoint = normalizeAndValidateUrl("authorization_endpoint", doc.authorization_endpoint, issuer, isTrustedOrigin);
+	doc.jwks_uri = normalizeAndValidateUrl("jwks_uri", doc.jwks_uri, issuer, isTrustedOrigin);
+	if (doc.userinfo_endpoint) doc.userinfo_endpoint = normalizeAndValidateUrl("userinfo_endpoint", doc.userinfo_endpoint, issuer, isTrustedOrigin);
+	if (doc.revocation_endpoint) doc.revocation_endpoint = normalizeAndValidateUrl("revocation_endpoint", doc.revocation_endpoint, issuer, isTrustedOrigin);
+	if (doc.end_session_endpoint) doc.end_session_endpoint = normalizeAndValidateUrl("end_session_endpoint", doc.end_session_endpoint, issuer, isTrustedOrigin);
+	if (doc.introspection_endpoint) doc.introspection_endpoint = normalizeAndValidateUrl("introspection_endpoint", doc.introspection_endpoint, issuer, isTrustedOrigin);
 	return doc;
 }
 /**
+* Normalizes and validates a single URL endpoint
+* @param name The url name
+* @param endpoint The url to validate
+* @param issuer The issuer base url
+* @param isTrustedOrigin - Origin verification tester function
+* @returns
+*/
+function normalizeAndValidateUrl(name, endpoint, issuer, isTrustedOrigin) {
+	const url = normalizeUrl(name, endpoint, issuer);
+	if (!isTrustedOrigin(url)) throw new DiscoveryError("discovery_untrusted_origin", `The ${name} "${url}" is not trusted by your trusted origins configuration.`, {
+		endpoint: name,
+		url
+	});
+	return url;
+}
+/**
 * Normalize a single URL endpoint.
 *
+* @param name - The endpoint name (e.g token_endpoint)
 * @param endpoint - The endpoint URL to normalize
-* @param _issuerBase - The base issuer URL
+* @param issuer - The base issuer URL
 * @returns The normalized endpoint URL
 */
-function normalizeUrl(endpoint, _issuerBase) {
-	return endpoint;
+function normalizeUrl(name, endpoint, issuer) {
+	try {
+		return parseURL(name, endpoint).toString();
+	} catch {
+		const issuerURL = parseURL(name, issuer);
+		const basePath = issuerURL.pathname.replace(/\/+$/, "");
+		const endpointPath = endpoint.replace(/^\/+/, "");
+		return parseURL(name, basePath + "/" + endpointPath, issuerURL.origin).toString();
+	}
+}
+/**
+* Parses the given URL or throws in case of invalid or unsupported protocols
+*
+* @param name the url name
+* @param endpoint the endpoint url
+* @param [base] optional base path
+* @returns
+*/
+function parseURL(name, endpoint, base) {
+	let endpointURL;
+	try {
+		endpointURL = new URL(endpoint, base);
+		if (endpointURL.protocol === "http:" || endpointURL.protocol === "https:") return endpointURL;
+	} catch (error) {
+		throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must be valid: ${endpoint}`, { url: endpoint }, { cause: error });
+	}
+	throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must use the http or https supported protocols: ${endpoint}`, {
+		url: endpoint,
+		protocol: endpointURL.protocol
+	});
 }
 /**
 * Select the token endpoint authentication method.
@@ -492,6 +540,10 @@ function mapDiscoveryErrorToAPIError(error) {
 			message: `Invalid OIDC discovery URL: ${error.message}`,
 			code: error.code
 		});
+		case "discovery_untrusted_origin": return new APIError("BAD_REQUEST", {
+			message: `Untrusted OIDC discovery URL: ${error.message}`,
+			code: error.code
+		});
 		case "discovery_invalid_json": return new APIError("BAD_REQUEST", {
 			message: `OIDC discovery returned invalid data: ${error.message}`,
 			code: error.code
@@ -918,7 +970,8 @@ const registerSSOProvider = (options) => {
 					jwksEndpoint: body.oidcConfig.jwksEndpoint,
 					userInfoEndpoint: body.oidcConfig.userInfoEndpoint,
 					tokenEndpointAuthentication: body.oidcConfig.tokenEndpointAuthentication
-				}
+				},
+				isTrustedOrigin: ctx.context.isTrustedOrigin
 			});
 		} catch (error) {
 			if (error instanceof DiscoveryError) throw mapDiscoveryErrorToAPIError(error);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@better-auth/sso",
   "author": "Bereket Engida",
-  "version": "1.4.7-beta.4",
+  "version": "1.4.7",
   "type": "module",
   "main": "dist/index.mjs",
   "types": "dist/index.d.mts",
@@ -66,10 +66,10 @@
     "express": "^5.1.0",
     "oauth2-mock-server": "^8.2.0",
     "tsdown": "^0.17.2",
-    "better-auth": "1.4.7-beta.4"
+    "better-auth": "1.4.7"
   },
   "peerDependencies": {
-    "better-auth": "1.4.7-beta.4"
+    "better-auth": "1.4.7"
   },
   "scripts": {
     "test": "vitest",

package/src/oidc/discovery.test.ts

@@ -75,10 +75,13 @@ describe("OIDC Discovery", () => {
 	});
 
 	describe("validateDiscoveryUrl", () => {
+		const isTrustedOrigin = vi.fn().mockReturnValue(true);
+
 		it("should accept valid HTTPS URL", () => {
 			expect(() =>
 				validateDiscoveryUrl(
 					"https://idp.example.com/.well-known/openid-configuration",
+					isTrustedOrigin,
 				),
 			).not.toThrow();
 		});
@@ -87,28 +90,31 @@ describe("OIDC Discovery", () => {
 			expect(() =>
 				validateDiscoveryUrl(
 					"http://localhost:8080/.well-known/openid-configuration",
+					isTrustedOrigin,
 				),
 			).not.toThrow();
 		});
 
 		it("should reject invalid URL", () => {
-			expect(() => validateDiscoveryUrl("not-a-url")).toThrow(DiscoveryError);
-			expect(() => validateDiscoveryUrl("not-a-url")).toThrow(
-				"Invalid discovery URL",
+			expect(() => validateDiscoveryUrl("not-a-url", isTrustedOrigin)).toThrow(
+				DiscoveryError,
+			);
+			expect(() => validateDiscoveryUrl("not-a-url", isTrustedOrigin)).toThrow(
+				'The url "discoveryEndpoint" must be valid',
 			);
 		});
 
 		it("should reject non-HTTP protocols", () => {
-			expect(() => validateDiscoveryUrl("ftp://example.com/config")).toThrow(
-				DiscoveryError,
-			);
-			expect(() => validateDiscoveryUrl("ftp://example.com/config")).toThrow(
-				"must use HTTP or HTTPS",
-			);
+			expect(() =>
+				validateDiscoveryUrl("ftp://example.com/config", isTrustedOrigin),
+			).toThrow(DiscoveryError);
+			expect(() =>
+				validateDiscoveryUrl("ftp://example.com/config", isTrustedOrigin),
+			).toThrow("must use the http or https supported protocols");
 		});
 
 		it("should throw DiscoveryError with discovery_invalid_url code for invalid URL", () => {
-			expect(() => validateDiscoveryUrl("not-a-url")).toThrow(
+			expect(() => validateDiscoveryUrl("not-a-url", isTrustedOrigin)).toThrow(
 				expect.objectContaining({
 					code: "discovery_invalid_url",
 					details: expect.objectContaining({
@@ -119,7 +125,9 @@ describe("OIDC Discovery", () => {
 		});
 
 		it("should throw DiscoveryError with discovery_invalid_url code for non-HTTP protocol", () => {
-			expect(() => validateDiscoveryUrl("ftp://example.com/config")).toThrow(
+			expect(() =>
+				validateDiscoveryUrl("ftp://example.com/config", isTrustedOrigin),
+			).toThrow(
 				expect.objectContaining({
 					code: "discovery_invalid_url",
 					details: expect.objectContaining({
@@ -128,6 +136,22 @@ describe("OIDC Discovery", () => {
 				}),
 			);
 		});
+
+		it("should throw DiscoveryError with discovery_untrusted_origin code for untrusted origins", () => {
+			isTrustedOrigin.mockReturnValue(false);
+
+			expect(() =>
+				validateDiscoveryUrl(
+					"https://untrusted.com/.well-known/openid-configuration",
+					isTrustedOrigin,
+				),
+			).toThrow(
+				expect.objectContaining({
+					code: "discovery_untrusted_origin",
+					message: `The main discovery endpoint "https://untrusted.com/.well-known/openid-configuration" is not trusted by your trusted origins configuration.`,
+				}),
+			);
+		});
 	});
 
 	describe("validateDiscoveryDocument", () => {
@@ -314,18 +338,265 @@ describe("OIDC Discovery", () => {
 		});
 	});
 
-	describe("normalizeDiscoveryUrls (stub)", () => {
-		it("should return document unchanged in Phase 1", () => {
+	describe("normalizeDiscoveryUrls", () => {
+		const isTrustedOrigin = vi.fn().mockReturnValue(true);
+
+		it("should return the document unchanged if all urls are already absolute", () => {
 			const doc = createMockDiscoveryDocument();
-			const result = normalizeDiscoveryUrls(doc, "https://idp.example.com");
+			const result = normalizeDiscoveryUrls(
+				doc,
+				"https://idp.example.com",
+				isTrustedOrigin,
+			);
 			expect(result).toEqual(doc);
 		});
+
+		it("should resolve all required discovery urls relative to the issuer", () => {
+			const expected = createMockDiscoveryDocument({
+				issuer: "https://idp.example.com",
+				authorization_endpoint: "https://idp.example.com/oauth2/authorize",
+				token_endpoint: "https://idp.example.com/oauth2/token",
+				jwks_uri: "https://idp.example.com/.well-known/jwks.json",
+			});
+			const doc = createMockDiscoveryDocument({
+				issuer: "https://idp.example.com",
+				authorization_endpoint: "/oauth2/authorize",
+				token_endpoint: "/oauth2/token",
+				jwks_uri: "/.well-known/jwks.json",
+			});
+			const result = normalizeDiscoveryUrls(
+				doc,
+				"https://idp.example.com",
+				isTrustedOrigin,
+			);
+			expect(result).toEqual(expected);
+		});
+
+		it("should resolve all discovery urls relative to the issuer", () => {
+			const expected = createMockDiscoveryDocument({
+				issuer: "https://idp.example.com",
+				authorization_endpoint: "https://idp.example.com/oauth2/authorize",
+				token_endpoint: "https://idp.example.com/oauth2/token",
+				jwks_uri: "https://idp.example.com/.well-known/jwks.json",
+				userinfo_endpoint: "https://idp.example.com/userinfo",
+				revocation_endpoint: "https://idp.example.com/revoke",
+			});
+			const doc = createMockDiscoveryDocument({
+				issuer: "https://idp.example.com",
+				authorization_endpoint: "/oauth2/authorize",
+				token_endpoint: "/oauth2/token",
+				jwks_uri: "/.well-known/jwks.json",
+				userinfo_endpoint: "/userinfo",
+				revocation_endpoint: "/revoke",
+			});
+			const result = normalizeDiscoveryUrls(
+				doc,
+				"https://idp.example.com",
+				isTrustedOrigin,
+			);
+			expect(result).toEqual(expected);
+		});
+
+		it("should reject on invalid discovery urls", () => {
+			const doc = createMockDiscoveryDocument({
+				authorization_endpoint: "/oauth2/authorize",
+			});
+			expect(() =>
+				normalizeDiscoveryUrls(doc, "not-url", isTrustedOrigin),
+			).toThrowError('The url "authorization_endpoint" must be valid');
+		});
+
+		it("should reject with discovery_untrusted_origin code on untrusted discovery urls", () => {
+			const doc = createMockDiscoveryDocument({
+				authorization_endpoint: "/oauth2/authorize",
+				token_endpoint: "/oauth2/token",
+				jwks_uri: "/.well-known/jwks.json",
+				userinfo_endpoint: "/userinfo",
+				revocation_endpoint: "/revoke",
+				end_session_endpoint: "/endsession",
+				introspection_endpoint: "/introspection",
+			});
+
+			expect(() =>
+				normalizeDiscoveryUrls(
+					doc,
+					"https://idp.example.com",
+					(url) => !url.endsWith("/oauth2/token"),
+				),
+			).toThrowError(
+				expect.objectContaining({
+					code: "discovery_untrusted_origin",
+					message:
+						'The token_endpoint "https://idp.example.com/oauth2/token" is not trusted by your trusted origins configuration.',
+					details: {
+						endpoint: "token_endpoint",
+						url: "https://idp.example.com/oauth2/token",
+					},
+				}),
+			);
+
+			expect(() =>
+				normalizeDiscoveryUrls(
+					doc,
+					"https://idp.example.com",
+					(url) => !url.endsWith("/oauth2/authorize"),
+				),
+			).toThrowError(
+				expect.objectContaining({
+					code: "discovery_untrusted_origin",
+					message:
+						'The authorization_endpoint "https://idp.example.com/oauth2/authorize" is not trusted by your trusted origins configuration.',
+					details: {
+						endpoint: "authorization_endpoint",
+						url: "https://idp.example.com/oauth2/authorize",
+					},
+				}),
+			);
+
+			expect(() =>
+				normalizeDiscoveryUrls(
+					doc,
+					"https://idp.example.com",
+					(url) => !url.endsWith("/.well-known/jwks.json"),
+				),
+			).toThrowError(
+				expect.objectContaining({
+					code: "discovery_untrusted_origin",
+					message:
+						'The jwks_uri "https://idp.example.com/.well-known/jwks.json" is not trusted by your trusted origins configuration.',
+					details: {
+						endpoint: "jwks_uri",
+						url: "https://idp.example.com/.well-known/jwks.json",
+					},
+				}),
+			);
+
+			expect(() =>
+				normalizeDiscoveryUrls(
+					doc,
+					"https://idp.example.com",
+					(url) => !url.endsWith("/userinfo"),
+				),
+			).toThrowError(
+				expect.objectContaining({
+					code: "discovery_untrusted_origin",
+					message:
+						'The userinfo_endpoint "https://idp.example.com/userinfo" is not trusted by your trusted origins configuration.',
+					details: {
+						endpoint: "userinfo_endpoint",
+						url: "https://idp.example.com/userinfo",
+					},
+				}),
+			);
+
+			expect(() =>
+				normalizeDiscoveryUrls(
+					doc,
+					"https://idp.example.com",
+					(url) => !url.endsWith("/revoke"),
+				),
+			).toThrowError(
+				expect.objectContaining({
+					code: "discovery_untrusted_origin",
+					message:
+						'The revocation_endpoint "https://idp.example.com/revoke" is not trusted by your trusted origins configuration.',
+					details: {
+						endpoint: "revocation_endpoint",
+						url: "https://idp.example.com/revoke",
+					},
+				}),
+			);
+
+			expect(() =>
+				normalizeDiscoveryUrls(
+					doc,
+					"https://idp.example.com",
+					(url) => !url.endsWith("/endsession"),
+				),
+			).toThrowError(
+				expect.objectContaining({
+					code: "discovery_untrusted_origin",
+					message:
+						'The end_session_endpoint "https://idp.example.com/endsession" is not trusted by your trusted origins configuration.',
+					details: {
+						endpoint: "end_session_endpoint",
+						url: "https://idp.example.com/endsession",
+					},
+				}),
+			);
+
+			expect(() =>
+				normalizeDiscoveryUrls(
+					doc,
+					"https://idp.example.com",
+					(url) => !url.endsWith("/introspection"),
+				),
+			).toThrowError(
+				expect.objectContaining({
+					code: "discovery_untrusted_origin",
+					message:
+						'The introspection_endpoint "https://idp.example.com/introspection" is not trusted by your trusted origins configuration.',
+					details: {
+						endpoint: "introspection_endpoint",
+						url: "https://idp.example.com/introspection",
+					},
+				}),
+			);
+		});
 	});
 
-	describe("normalizeUrl (stub)", () => {
-		it("should return endpoint unchanged in Phase 1", () => {
+	describe("normalizeUrl", () => {
+		it("should return endpoint unchanged if already absolute", () => {
 			const endpoint = "https://idp.example.com/oauth2/token";
-			expect(normalizeUrl(endpoint, "https://idp.example.com")).toBe(endpoint);
+			expect(normalizeUrl("url", endpoint, "https://idp.example.com")).toBe(
+				endpoint,
+			);
+		});
+
+		it("should return endpoint as an absolute url", () => {
+			const endpoint = "/oauth2/token";
+			expect(normalizeUrl("url", endpoint, "https://idp.example.com")).toBe(
+				"https://idp.example.com/oauth2/token",
+			);
+		});
+
+		it.each([
+			[
+				"/oauth2/token",
+				"https://idp.example.com/base",
+				"endpoint with leading slash",
+			],
+			[
+				"oauth2/token",
+				"https://idp.example.com/base",
+				"endpoint without leading slash",
+			],
+			[
+				"/oauth2/token",
+				"https://idp.example.com/base/",
+				"issuer with trailing slash",
+			],
+			["//oauth2/token", "https://idp.example.com/base//", "multiple slashes"],
+		])("should resolve relative endpoint preserving issuer base path (%s, %s) - %s", (endpoint, issuer) => {
+			expect(normalizeUrl("url", endpoint, issuer)).toBe(
+				"https://idp.example.com/base/oauth2/token",
+			);
+		});
+
+		it("should reject invalid endpoint urls", () => {
+			const endpoint = "oauth2/token";
+			const issuer = "not-a-url";
+			expect(() => normalizeUrl("url", endpoint, issuer)).toThrowError(
+				'The url "url" must be valid',
+			);
+		});
+
+		it("should reject urls with unsupported protocols", () => {
+			const endpoint = "not-a-url";
+			const issuer = "ftp://idp.example.com";
+			expect(() => normalizeUrl("url", endpoint, issuer)).toThrowError(
+				'The url "url" must use the http or https supported protocols',
+			);
 		});
 	});
 
@@ -521,6 +792,7 @@ describe("OIDC Discovery", () => {
 	describe("discoverOIDCConfig (integration)", () => {
 		const mockBetterFetch = betterFetch as ReturnType<typeof vi.fn>;
 		const issuer = "https://idp.example.com";
+		const isTrustedOrigin = vi.fn().mockReturnValue(true);
 
 		beforeEach(() => {
 			vi.clearAllMocks();
@@ -539,7 +811,7 @@ describe("OIDC Discovery", () => {
 				error: null,
 			});
 
-			const result = await discoverOIDCConfig({ issuer });
+			const result = await discoverOIDCConfig({ issuer, isTrustedOrigin });
 
 			expect(result.issuer).toBe(issuer);
 			expect(result.authorizationEndpoint).toBe(`${issuer}/oauth2/authorize`);
@@ -570,6 +842,7 @@ describe("OIDC Discovery", () => {
 					tokenEndpoint: "https://custom.example.com/token",
 					tokenEndpointAuthentication: "client_secret_post",
 				},
+				isTrustedOrigin,
 			});
 
 			expect(result.tokenEndpoint).toBe("https://custom.example.com/token");
@@ -589,6 +862,7 @@ describe("OIDC Discovery", () => {
 			const result = await discoverOIDCConfig({
 				issuer,
 				discoveryEndpoint: customEndpoint,
+				isTrustedOrigin,
 			});
 
 			expect(result.discoveryEndpoint).toBe(customEndpoint);
@@ -610,6 +884,7 @@ describe("OIDC Discovery", () => {
 				existingConfig: {
 					discoveryEndpoint: existingEndpoint,
 				},
+				isTrustedOrigin,
 			});
 
 			expect(result.discoveryEndpoint).toBe(existingEndpoint);
@@ -627,7 +902,9 @@ describe("OIDC Discovery", () => {
 				error: null,
 			});
 
-			await expect(discoverOIDCConfig({ issuer })).rejects.toThrow(
+			await expect(
+				discoverOIDCConfig({ issuer, isTrustedOrigin }),
+			).rejects.toThrow(
 				expect.objectContaining({
 					code: "issuer_mismatch",
 				}),
@@ -643,7 +920,9 @@ describe("OIDC Discovery", () => {
 				error: null,
 			});
 
-			await expect(discoverOIDCConfig({ issuer })).rejects.toThrow(
+			await expect(
+				discoverOIDCConfig({ issuer, isTrustedOrigin }),
+			).rejects.toThrow(
 				expect.objectContaining({
 					code: "discovery_incomplete",
 				}),
@@ -656,7 +935,9 @@ describe("OIDC Discovery", () => {
 				error: { status: 404, message: "Not Found" },
 			});
 
-			await expect(discoverOIDCConfig({ issuer })).rejects.toThrow(
+			await expect(
+				discoverOIDCConfig({ issuer, isTrustedOrigin }),
+			).rejects.toThrow(
 				expect.objectContaining({
 					code: "discovery_not_found",
 				}),
@@ -673,7 +954,7 @@ describe("OIDC Discovery", () => {
 				error: null,
 			});
 
-			const result = await discoverOIDCConfig({ issuer });
+			const result = await discoverOIDCConfig({ issuer, isTrustedOrigin });
 
 			expect(result.scopesSupported).toEqual(scopes);
 		});
@@ -689,7 +970,7 @@ describe("OIDC Discovery", () => {
 				error: null,
 			});
 
-			const result = await discoverOIDCConfig({ issuer });
+			const result = await discoverOIDCConfig({ issuer, isTrustedOrigin });
 
 			expect(result.issuer).toBe(issuer);
 			expect(result.authorizationEndpoint).toBe(`${issuer}/authorize`);
@@ -720,6 +1001,7 @@ describe("OIDC Discovery", () => {
 					tokenEndpointAuthentication: "client_secret_post",
 					scopesSupported: ["openid", "profile"],
 				},
+				isTrustedOrigin,
 			});
 
 			expect(result.issuer).toBe(issuer);
@@ -750,7 +1032,7 @@ describe("OIDC Discovery", () => {
 				error: null,
 			});
 
-			const result = await discoverOIDCConfig({ issuer });
+			const result = await discoverOIDCConfig({ issuer, isTrustedOrigin });
 			expect(result.tokenEndpointAuthentication).toBe("client_secret_basic");
 		});
 
@@ -774,6 +1056,7 @@ describe("OIDC Discovery", () => {
 					// Only jwksEndpoint is set (simulating a legacy/partial config)
 					jwksEndpoint: "https://custom.example.com/jwks",
 				},
+				isTrustedOrigin,
 			});
 
 			// Existing value should be preserved
@@ -804,7 +1087,7 @@ describe("OIDC Discovery", () => {
 				error: null,
 			});
 
-			const result = await discoverOIDCConfig({ issuer });
+			const result = await discoverOIDCConfig({ issuer, isTrustedOrigin });
 
 			// Should successfully extract required fields
 			expect(result.issuer).toBe(issuer);
@@ -819,5 +1102,56 @@ describe("OIDC Discovery", () => {
 			// Should default auth method when not specified
 			expect(result.tokenEndpointAuthentication).toBe("client_secret_basic");
 		});
+
+		it("should throw an error with discovery_untrusted_origin code when the main discovery url is untrusted", async () => {
+			isTrustedOrigin.mockReturnValue(false);
+
+			await expect(
+				discoverOIDCConfig({ issuer, isTrustedOrigin }),
+			).rejects.toThrow(
+				expect.objectContaining({
+					name: "DiscoveryError",
+					message:
+						'The main discovery endpoint "https://idp.example.com/.well-known/openid-configuration" is not trusted by your trusted origins configuration.',
+					code: "discovery_untrusted_origin",
+					details: {
+						url: "https://idp.example.com/.well-known/openid-configuration",
+					},
+				}),
+			);
+		});
+
+		it("should throw an error with discovery_untrusted_origin code when discovered urls are untrusted", async () => {
+			isTrustedOrigin.mockImplementation((url: string) => {
+				return url.endsWith(".well-known/openid-configuration");
+			});
+
+			const discoveryDoc = createMockDiscoveryDocument({
+				issuer,
+				authorization_endpoint: `${issuer}/oauth2/authorize`,
+				token_endpoint: `${issuer}/oauth2/token`,
+				jwks_uri: `${issuer}/.well-known/jwks.json`,
+				userinfo_endpoint: `${issuer}/userinfo`,
+			});
+			mockBetterFetch.mockResolvedValueOnce({
+				data: discoveryDoc,
+				error: null,
+			});
+
+			await expect(
+				discoverOIDCConfig({ issuer, isTrustedOrigin }),
+			).rejects.toThrow(
+				expect.objectContaining({
+					name: "DiscoveryError",
+					message:
+						'The token_endpoint "https://idp.example.com/oauth2/token" is not trusted by your trusted origins configuration.',
+					code: "discovery_untrusted_origin",
+					details: {
+						endpoint: "token_endpoint",
+						url: "https://idp.example.com/oauth2/token",
+					},
+				}),
+			);
+		});
 	});
 });

package/src/oidc/discovery.ts

@@ -24,14 +24,15 @@ const DEFAULT_DISCOVERY_TIMEOUT = 10000;
  *
  * This function:
  * 1. Computes the discovery URL from the issuer
- * 2. Validates the discovery URL (stub for now)
+ * 2. Validates the discovery URL
  * 3. Fetches the discovery document
  * 4. Validates the discovery document (issuer match + required fields)
- * 5. Normalizes URLs (stub for now)
+ * 5. Normalizes URLs
  * 6. Selects token endpoint auth method
  * 7. Merges with existing config (existing values take precedence)
  *
  * @param params - Discovery parameters
+ * @param isTrustedOrigin - Origin verification tester function
  * @returns Hydrated OIDC configuration ready for persistence
  * @throws DiscoveryError on any failure
  */
@@ -49,13 +50,17 @@ export async function discoverOIDCConfig(
 		existingConfig?.discoveryEndpoint ||
 		computeDiscoveryUrl(issuer);
 
-	validateDiscoveryUrl(discoveryUrl);
+	validateDiscoveryUrl(discoveryUrl, params.isTrustedOrigin);
 
 	const discoveryDoc = await fetchDiscoveryDocument(discoveryUrl, timeout);
 
 	validateDiscoveryDocument(discoveryDoc, issuer);
 
-	const normalizedDoc = normalizeDiscoveryUrls(discoveryDoc, issuer);
+	const normalizedDoc = normalizeDiscoveryUrls(
+		discoveryDoc,
+		issuer,
+		params.isTrustedOrigin,
+	);
 
 	const tokenEndpointAuth = selectTokenEndpointAuthMethod(
 		normalizedDoc,
@@ -99,27 +104,20 @@ export function computeDiscoveryUrl(issuer: string): string {
  * Validate a discovery URL before fetching.
  *
  * @param url - The discovery URL to validate
+ * @param isTrustedOrigin - Origin verification tester function
  * @throws DiscoveryError if URL is invalid
  */
-export function validateDiscoveryUrl(url: string): void {
-	try {
-		const parsed = new URL(url);
-		if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
-			throw new DiscoveryError(
-				"discovery_invalid_url",
-				`Discovery URL must use HTTP or HTTPS protocol: ${url}`,
-				{ url, protocol: parsed.protocol },
-			);
-		}
-	} catch (error) {
-		if (error instanceof DiscoveryError) {
-			throw error;
-		}
+export function validateDiscoveryUrl(
+	url: string,
+	isTrustedOrigin: DiscoverOIDCConfigParams["isTrustedOrigin"],
+): void {
+	const discoveryEndpoint = parseURL("discoveryEndpoint", url).toString();
+
+	if (!isTrustedOrigin(discoveryEndpoint)) {
 		throw new DiscoveryError(
-			"discovery_invalid_url",
-			`Invalid discovery URL: ${url}`,
-			{ url },
-			{ cause: error },
+			"discovery_untrusted_origin",
+			`The main discovery endpoint "${discoveryEndpoint}" is not trusted by your trusted origins configuration.`,
+			{ url: discoveryEndpoint },
 		);
 	}
 }
@@ -276,26 +274,167 @@ export function validateDiscoveryDocument(
 /**
  * Normalize URLs in the discovery document.
  *
- * @param doc - The discovery document
- * @param _issuerBase - The base issuer URL
+ * @param document - The discovery document
+ * @param issuer - The base issuer URL
+ * @param isTrustedOrigin - Origin verification tester function
  * @returns The normalized discovery document
  */
 export function normalizeDiscoveryUrls(
-	doc: OIDCDiscoveryDocument,
-	_issuerBase: string,
+	document: OIDCDiscoveryDocument,
+	issuer: string,
+	isTrustedOrigin: DiscoverOIDCConfigParams["isTrustedOrigin"],
 ): OIDCDiscoveryDocument {
+	const doc = { ...document };
+
+	doc.token_endpoint = normalizeAndValidateUrl(
+		"token_endpoint",
+		doc.token_endpoint,
+		issuer,
+		isTrustedOrigin,
+	);
+	doc.authorization_endpoint = normalizeAndValidateUrl(
+		"authorization_endpoint",
+		doc.authorization_endpoint,
+		issuer,
+		isTrustedOrigin,
+	);
+
+	doc.jwks_uri = normalizeAndValidateUrl(
+		"jwks_uri",
+		doc.jwks_uri,
+		issuer,
+		isTrustedOrigin,
+	);
+
+	if (doc.userinfo_endpoint) {
+		doc.userinfo_endpoint = normalizeAndValidateUrl(
+			"userinfo_endpoint",
+			doc.userinfo_endpoint,
+			issuer,
+			isTrustedOrigin,
+		);
+	}
+
+	if (doc.revocation_endpoint) {
+		doc.revocation_endpoint = normalizeAndValidateUrl(
+			"revocation_endpoint",
+			doc.revocation_endpoint,
+			issuer,
+			isTrustedOrigin,
+		);
+	}
+
+	if (doc.end_session_endpoint) {
+		doc.end_session_endpoint = normalizeAndValidateUrl(
+			"end_session_endpoint",
+			doc.end_session_endpoint,
+			issuer,
+			isTrustedOrigin,
+		);
+	}
+
+	if (doc.introspection_endpoint) {
+		doc.introspection_endpoint = normalizeAndValidateUrl(
+			"introspection_endpoint",
+			doc.introspection_endpoint,
+			issuer,
+			isTrustedOrigin,
+		);
+	}
+
 	return doc;
 }
 
+/**
+ * Normalizes and validates a single URL endpoint
+ * @param name The url name
+ * @param endpoint The url to validate
+ * @param issuer The issuer base url
+ * @param isTrustedOrigin - Origin verification tester function
+ * @returns
+ */
+function normalizeAndValidateUrl(
+	name: string,
+	endpoint: string,
+	issuer: string,
+	isTrustedOrigin: DiscoverOIDCConfigParams["isTrustedOrigin"],
+): string {
+	const url = normalizeUrl(name, endpoint, issuer);
+
+	if (!isTrustedOrigin(url)) {
+		throw new DiscoveryError(
+			"discovery_untrusted_origin",
+			`The ${name} "${url}" is not trusted by your trusted origins configuration.`,
+			{ endpoint: name, url },
+		);
+	}
+
+	return url;
+}
+
 /**
  * Normalize a single URL endpoint.
  *
+ * @param name - The endpoint name (e.g token_endpoint)
  * @param endpoint - The endpoint URL to normalize
- * @param _issuerBase - The base issuer URL
+ * @param issuer - The base issuer URL
  * @returns The normalized endpoint URL
  */
-export function normalizeUrl(endpoint: string, _issuerBase: string): string {
-	return endpoint;
+export function normalizeUrl(
+	name: string,
+	endpoint: string,
+	issuer: string,
+): string {
+	try {
+		return parseURL(name, endpoint).toString();
+	} catch {
+		// In case of error, endpoint maybe a relative url
+		// So we try to resolve it relative to the issuer
+
+		const issuerURL = parseURL(name, issuer);
+		const basePath = issuerURL.pathname.replace(/\/+$/, "");
+		const endpointPath = endpoint.replace(/^\/+/, "");
+
+		return parseURL(
+			name,
+			basePath + "/" + endpointPath,
+			issuerURL.origin,
+		).toString();
+	}
+}
+
+/**
+ * Parses the given URL or throws in case of invalid or unsupported protocols
+ *
+ * @param name the url name
+ * @param endpoint the endpoint url
+ * @param [base] optional base path
+ * @returns
+ */
+function parseURL(name: string, endpoint: string, base?: string) {
+	let endpointURL: URL | undefined;
+
+	try {
+		endpointURL = new URL(endpoint, base);
+		if (endpointURL.protocol === "http:" || endpointURL.protocol === "https:") {
+			return endpointURL;
+		}
+	} catch (error) {
+		throw new DiscoveryError(
+			"discovery_invalid_url",
+			`The url "${name}" must be valid: ${endpoint}`,
+			{
+				url: endpoint,
+			},
+			{ cause: error },
+		);
+	}
+
+	throw new DiscoveryError(
+		"discovery_invalid_url",
+		`The url "${name}" must use the http or https supported protocols: ${endpoint}`,
+		{ url: endpoint, protocol: endpointURL.protocol },
+	);
 }
 
 /**

package/src/oidc/errors.ts

@@ -50,6 +50,12 @@ export function mapDiscoveryErrorToAPIError(error: DiscoveryError): APIError {
 				code: error.code,
 			});
 
+		case "discovery_untrusted_origin":
+			return new APIError("BAD_REQUEST", {
+				message: `Untrusted OIDC discovery URL: ${error.message}`,
+				code: error.code,
+			});
+
 		case "discovery_invalid_json":
 			return new APIError("BAD_REQUEST", {
 				message: `OIDC discovery returned invalid data: ${error.message}`,

package/src/oidc/types.ts

@@ -103,6 +103,8 @@ export type DiscoveryErrorCode =
 	| "discovery_invalid_json"
 	/** Discovery URL is invalid or malformed */
 	| "discovery_invalid_url"
+	/** Discovery URL is not trusted by the trusted origins configuration */
+	| "discovery_untrusted_origin"
 	/** Discovery document issuer doesn't match configured issuer */
 	| "issuer_mismatch"
 	/** Discovery document is missing required fields */
@@ -195,6 +197,13 @@ export interface DiscoverOIDCConfigParams {
 	 * @default 10000 (10 seconds)
 	 */
 	timeout?: number;
+
+	/**
+	 * Trusted origin predicate. See "trustedOrigins" option
+	 * @param url the url to test
+	 * @returns {boolean} return true for urls that belong to a trusted origin and false otherwise
+	 */
+	isTrustedOrigin: (url: string) => boolean;
 }
 
 /**

package/src/oidc.test.ts

@@ -12,6 +12,7 @@ let server = new OAuth2Server();
 describe("SSO", async () => {
 	const { auth, signInWithTestUser, customFetchImpl, cookieSetter } =
 		await getTestInstance({
+			trustedOrigins: ["http://localhost:8080"],
 			plugins: [sso(), organization()],
 		});
 
@@ -257,6 +258,7 @@ describe("SSO", async () => {
 describe("SSO disable implicit sign in", async () => {
 	const { auth, signInWithTestUser, customFetchImpl, cookieSetter } =
 		await getTestInstance({
+			trustedOrigins: ["http://localhost:8080"],
 			plugins: [sso({ disableImplicitSignUp: true }), organization()],
 		});
 
@@ -419,6 +421,7 @@ describe("SSO disable implicit sign in", async () => {
 describe("provisioning", async (ctx) => {
 	const { auth, signInWithTestUser, customFetchImpl, cookieSetter } =
 		await getTestInstance({
+			trustedOrigins: ["http://localhost:8080"],
 			plugins: [sso(), organization()],
 		});
 

package/src/routes/sso.ts

@@ -681,6 +681,7 @@ export const registerSSOProvider = <O extends SSOOptions>(options: O) => {
 							tokenEndpointAuthentication:
 								body.oidcConfig.tokenEndpointAuthentication,
 						},
+						isTrustedOrigin: ctx.context.isTrustedOrigin,
 					});
 				} catch (error) {
 					if (error instanceof DiscoveryError) {

package/src/saml.test.ts

@@ -1941,6 +1941,7 @@ describe("SSO Provider Config Parsing", () => {
 
 			const auth = betterAuth({
 				database: memory,
+				trustedOrigins: ["http://localhost:8082"],
 				baseURL: "http://localhost:3000",
 				emailAndPassword: { enabled: true },
 				plugins: [sso()],

package/src/types.ts

@@ -233,13 +233,7 @@ export interface SSOOptions {
 	 *
 	 * If you want to allow account linking for specific trusted providers, enable the `accountLinking` option in your auth config and specify those
 	 * providers in the `trustedProviders` list.
-	 *
 	 * @default false
-	 *
-	 * @deprecated This option is discouraged for new projects. Relying on provider-level `email_verified` is a weaker
-	 * trust signal compared to using `trustedProviders` in `accountLinking` or enabling `domainVerification` for SSO.
-	 * Existing configurations will continue to work, but new integrations should use explicit trust mechanisms.
-	 * This option may be removed in a future major version.
 	 */
 	trustEmailVerified?: boolean | undefined;
 	/**