@better-auth/sso 1.4.7-beta.4 → 1.4.8-beta.1

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @better-auth/sso@1.4.7-beta.4 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.4.8-beta.1 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 
 ℹ tsdown v0.17.2 powered by rolldown v1.0.0-beta.53
@@ -7,10 +7,10 @@
 ℹ entry: src/index.ts, src/client.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ dist/index.mjs             80.81 kB │ gzip: 15.19 kB
+ℹ dist/index.mjs             92.44 kB │ gzip: 18.07 kB
 ℹ dist/client.mjs             0.15 kB │ gzip:  0.14 kB
-ℹ dist/index.d.mts            1.44 kB │ gzip:  0.52 kB
-ℹ dist/client.d.mts           0.49 kB │ gzip:  0.29 kB
-ℹ dist/index-GoyGoP_a.d.mts  41.30 kB │ gzip:  8.58 kB
-ℹ 5 files, total: 124.19 kB
-✔ Build complete in 12053ms
+ℹ dist/index.d.mts            1.48 kB │ gzip:  0.51 kB
+ℹ dist/client.d.mts           0.49 kB │ gzip:  0.30 kB
+ℹ dist/index-DNWhGQW-.d.mts  42.86 kB │ gzip:  8.79 kB
+ℹ 5 files, total: 137.41 kB
+✔ Build complete in 12113ms

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-GoyGoP_a.mjs";
+import { t as SSOPlugin } from "./index-DNWhGQW-.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/{index-GoyGoP_a.d.mts → index-DNWhGQW-.d.mts}

@@ -1,43 +1,47 @@
 import { APIError } from "better-auth/api";
-import * as z from "zod/v4";
-import { OAuth2Tokens, User } from "better-auth";
-import * as better_call7 from "better-call";
+import * as z$1 from "zod/v4";
+import z from "zod/v4";
+import { Awaitable, OAuth2Tokens, User } from "better-auth";
+import * as better_call0 from "better-call";
 
-//#region src/authn-request-store.d.ts
-
-/**
- * AuthnRequest Store
- *
- * Tracks SAML AuthnRequest IDs to enable InResponseTo validation.
- * This prevents:
- * - Unsolicited SAML responses
- * - Cross-provider response injection
- * - Replay attacks
- * - Expired login completions
- */
-interface AuthnRequestRecord {
-  id: string;
-  providerId: string;
-  createdAt: number;
-  expiresAt: number;
-}
-interface AuthnRequestStore {
-  save(record: AuthnRequestRecord): Promise<void>;
-  get(id: string): Promise<AuthnRequestRecord | null>;
-  delete(id: string): Promise<void>;
+//#region src/saml/algorithms.d.ts
+declare const SignatureAlgorithm: {
+  readonly RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1";
+  readonly RSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";
+  readonly RSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384";
+  readonly RSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512";
+  readonly ECDSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256";
+  readonly ECDSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384";
+  readonly ECDSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512";
+};
+declare const DigestAlgorithm: {
+  readonly SHA1: "http://www.w3.org/2000/09/xmldsig#sha1";
+  readonly SHA256: "http://www.w3.org/2001/04/xmlenc#sha256";
+  readonly SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384";
+  readonly SHA512: "http://www.w3.org/2001/04/xmlenc#sha512";
+};
+declare const KeyEncryptionAlgorithm: {
+  readonly RSA_1_5: "http://www.w3.org/2001/04/xmlenc#rsa-1_5";
+  readonly RSA_OAEP: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p";
+  readonly RSA_OAEP_SHA256: "http://www.w3.org/2009/xmlenc11#rsa-oaep";
+};
+declare const DataEncryptionAlgorithm: {
+  readonly TRIPLEDES_CBC: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc";
+  readonly AES_128_CBC: "http://www.w3.org/2001/04/xmlenc#aes128-cbc";
+  readonly AES_192_CBC: "http://www.w3.org/2001/04/xmlenc#aes192-cbc";
+  readonly AES_256_CBC: "http://www.w3.org/2001/04/xmlenc#aes256-cbc";
+  readonly AES_128_GCM: "http://www.w3.org/2009/xmlenc11#aes128-gcm";
+  readonly AES_192_GCM: "http://www.w3.org/2009/xmlenc11#aes192-gcm";
+  readonly AES_256_GCM: "http://www.w3.org/2009/xmlenc11#aes256-gcm";
+};
+type DeprecatedAlgorithmBehavior = "reject" | "warn" | "allow";
+interface AlgorithmValidationOptions {
+  onDeprecated?: DeprecatedAlgorithmBehavior;
+  allowedSignatureAlgorithms?: string[];
+  allowedDigestAlgorithms?: string[];
+  allowedKeyEncryptionAlgorithms?: string[];
+  allowedDataEncryptionAlgorithms?: string[];
 }
-/**
- * Default TTL for AuthnRequest records (5 minutes).
- * This should be sufficient for most IdPs while protecting against stale requests.
- */
-declare const DEFAULT_AUTHN_REQUEST_TTL_MS: number;
-/**
- * In-memory implementation of AuthnRequestStore.
- * ⚠️ Only suitable for testing or single-instance non-serverless deployments.
- * For production, rely on the default behavior (uses verification table)
- * or provide a custom Redis-backed store.
- */
-declare function createInMemoryAuthnRequestStore(): AuthnRequestStore;
 //#endregion
 //#region src/types.d.ts
 interface OIDCMapping {
@@ -148,7 +152,7 @@ interface SSOOptions {
      * The SSO provider
      */
     provider: SSOProvider<SSOOptions>;
-  }) => Promise<void>) | undefined;
+  }) => Awaitable<void>) | undefined;
   /**
    * Organization provisioning options
    */
@@ -244,7 +248,7 @@ interface SSOOptions {
    * ```
    * @default 10
    */
-  providersLimit?: (number | ((user: User) => Promise<number> | number)) | undefined;
+  providersLimit?: (number | ((user: User) => Awaitable<number>)) | undefined;
   /**
    * Trust the email verified flag from the provider.
    *
@@ -317,16 +321,6 @@ interface SSOOptions {
      * @default 300000 (5 minutes)
      */
     requestTTL?: number;
-    /**
-     * Custom AuthnRequest store implementation.
-     * Use this to provide a custom storage backend (e.g., Redis-backed store).
-     *
-     * Providing a custom store automatically enables InResponseTo validation.
-     *
-     * Note: When not provided, the default storage (secondaryStorage with
-     * verification table fallback) is used automatically.
-     */
-    authnRequestStore?: AuthnRequestStore;
     /**
      * Clock skew tolerance for SAML assertion timestamp validation in milliseconds.
      * Allows for minor time differences between IdP and SP servers.
@@ -359,15 +353,29 @@ interface SSOOptions {
      * @default false
      */
     requireTimestamps?: boolean;
+    /**
+     * Algorithm validation options for SAML responses.
+     *
+     * Controls behavior when deprecated algorithms (SHA-1, RSA1_5, 3DES)
+     * are detected in SAML responses.
+     *
+     * @example
+     * ```ts
+     * algorithms: {
+     *   onDeprecated: "reject" // Reject deprecated algorithms
+     * }
+     * ```
+     */
+    algorithms?: AlgorithmValidationOptions;
   };
 }
 //#endregion
 //#region src/routes/domain-verification.d.ts
-declare const requestDomainVerification: (options: SSOOptions) => better_call7.StrictEndpoint<"/sso/request-domain-verification", {
+declare const requestDomainVerification: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/request-domain-verification", {
   method: "POST";
-  body: z.ZodObject<{
-    providerId: z.ZodString;
-  }, z.core.$strip>;
+  body: z$1.ZodObject<{
+    providerId: z$1.ZodString;
+  }, z$1.core.$strip>;
   metadata: {
     openapi: {
       summary: string;
@@ -385,7 +393,7 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call7.S
       };
     };
   };
-  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -411,11 +419,11 @@ declare const requestDomainVerification: (options: SSOOptions) => better_call7.S
 }, {
   domainVerificationToken: string;
 }>;
-declare const verifyDomain: (options: SSOOptions) => better_call7.StrictEndpoint<"/sso/verify-domain", {
+declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/verify-domain", {
   method: "POST";
-  body: z.ZodObject<{
-    providerId: z.ZodString;
-  }, z.core.$strip>;
+  body: z$1.ZodObject<{
+    providerId: z$1.ZodString;
+  }, z$1.core.$strip>;
   metadata: {
     openapi: {
       summary: string;
@@ -436,7 +444,7 @@ declare const verifyDomain: (options: SSOOptions) => better_call7.StrictEndpoint
       };
     };
   };
-  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -462,8 +470,6 @@ declare const verifyDomain: (options: SSOOptions) => better_call7.StrictEndpoint
 }, void>;
 //#endregion
 //#region src/routes/sso.d.ts
-/** Default clock skew tolerance: 5 minutes */
-declare const DEFAULT_CLOCK_SKEW_MS: number;
 interface TimestampValidationOptions {
   clockSkew?: number;
   requireTimestamps?: boolean;
@@ -482,7 +488,7 @@ interface SAMLConditions {
  * @throws {APIError} If timestamps are invalid, expired, or not yet valid
  */
 declare function validateSAMLTimestamp(conditions: SAMLConditions | undefined, options?: TimestampValidationOptions): void;
-declare const spMetadata: () => better_call7.StrictEndpoint<"/sso/saml2/sp/metadata", {
+declare const spMetadata: () => better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
   method: "GET";
   query: z.ZodObject<{
     providerId: z.ZodString;
@@ -504,7 +510,7 @@ declare const spMetadata: () => better_call7.StrictEndpoint<"/sso/saml2/sp/metad
     };
   };
 }, Response>;
-declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call7.StrictEndpoint<"/sso/register", {
+declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_call0.StrictEndpoint<"/sso/register", {
   method: "POST";
   body: z.ZodObject<{
     providerId: z.ZodString;
@@ -583,7 +589,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
     organizationId: z.ZodOptional<z.ZodString>;
     overrideUserInfo: z.ZodOptional<z.ZodDefault<z.ZodBoolean>>;
   }, z.core.$strip>;
-  use: ((inputContext: better_call7.MiddlewareInputContext<better_call7.MiddlewareOptions>) => Promise<{
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
         id: string;
@@ -773,7 +779,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
   domainVerified: boolean;
   domainVerificationToken: string;
 } & SSOProvider<O> : SSOProvider<O>>;
-declare const signInSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sign-in/sso", {
+declare const signInSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sign-in/sso", {
   method: "POST";
   body: z.ZodObject<{
     email: z.ZodOptional<z.ZodString>;
@@ -867,7 +873,7 @@ declare const signInSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"
   url: string;
   redirect: boolean;
 }>;
-declare const callbackSSO: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/callback/:providerId", {
+declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/callback/:providerId", {
   method: "GET";
   query: z.ZodObject<{
     code: z.ZodOptional<z.ZodString>;
@@ -890,7 +896,7 @@ declare const callbackSSO: (options?: SSOOptions) => better_call7.StrictEndpoint
     scope: "server";
   };
 }, never>;
-declare const callbackSSOSAML: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/saml2/callback/:providerId", {
+declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
   method: "POST";
   body: z.ZodObject<{
     SAMLResponse: z.ZodString;
@@ -917,7 +923,7 @@ declare const callbackSSOSAML: (options?: SSOOptions) => better_call7.StrictEndp
     scope: "server";
   };
 }, never>;
-declare const acsEndpoint: (options?: SSOOptions) => better_call7.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
+declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
   method: "POST";
   params: z.ZodObject<{
     providerId: z.ZodOptional<z.ZodString>;
@@ -1022,6 +1028,7 @@ type DiscoveryErrorCode = /** Request to discovery endpoint timed out */
 /** Discovery endpoint returned 404 or similar */ | "discovery_not_found"
 /** Discovery endpoint returned invalid JSON */ | "discovery_invalid_json"
 /** Discovery URL is invalid or malformed */ | "discovery_invalid_url"
+/** Discovery URL is not trusted by the trusted origins configuration */ | "discovery_untrusted_origin"
 /** Discovery document issuer doesn't match configured issuer */ | "issuer_mismatch"
 /** Discovery document is missing required fields */ | "discovery_incomplete"
 /** IdP only advertises token auth methods that Better Auth doesn't currently support */ | "unsupported_token_auth_method"
@@ -1083,6 +1090,12 @@ interface DiscoverOIDCConfigParams {
    * @default 10000 (10 seconds)
    */
   timeout?: number;
+  /**
+   * Trusted origin predicate. See "trustedOrigins" option
+   * @param url the url to test
+   * @returns {boolean} return true for urls that belong to a trusted origin and false otherwise
+   */
+  isTrustedOrigin: (url: string) => boolean;
 }
 /**
  * Required fields that must be present in a valid discovery document.
@@ -1096,14 +1109,15 @@ type RequiredDiscoveryField = (typeof REQUIRED_DISCOVERY_FIELDS)[number];
  *
  * This function:
  * 1. Computes the discovery URL from the issuer
- * 2. Validates the discovery URL (stub for now)
+ * 2. Validates the discovery URL
  * 3. Fetches the discovery document
  * 4. Validates the discovery document (issuer match + required fields)
- * 5. Normalizes URLs (stub for now)
+ * 5. Normalizes URLs
  * 6. Selects token endpoint auth method
  * 7. Merges with existing config (existing values take precedence)
  *
  * @param params - Discovery parameters
+ * @param isTrustedOrigin - Origin verification tester function
  * @returns Hydrated OIDC configuration ready for persistence
  * @throws DiscoveryError on any failure
  */
@@ -1121,9 +1135,10 @@ declare function computeDiscoveryUrl(issuer: string): string;
  * Validate a discovery URL before fetching.
  *
  * @param url - The discovery URL to validate
+ * @param isTrustedOrigin - Origin verification tester function
  * @throws DiscoveryError if URL is invalid
  */
-declare function validateDiscoveryUrl(url: string): void;
+declare function validateDiscoveryUrl(url: string, isTrustedOrigin: DiscoverOIDCConfigParams["isTrustedOrigin"]): void;
 /**
  * Fetch the OIDC discovery document from the IdP.
  *
@@ -1152,19 +1167,21 @@ declare function validateDiscoveryDocument(doc: OIDCDiscoveryDocument, configure
 /**
  * Normalize URLs in the discovery document.
  *
- * @param doc - The discovery document
- * @param _issuerBase - The base issuer URL
+ * @param document - The discovery document
+ * @param issuer - The base issuer URL
+ * @param isTrustedOrigin - Origin verification tester function
  * @returns The normalized discovery document
  */
-declare function normalizeDiscoveryUrls(doc: OIDCDiscoveryDocument, _issuerBase: string): OIDCDiscoveryDocument;
+declare function normalizeDiscoveryUrls(document: OIDCDiscoveryDocument, issuer: string, isTrustedOrigin: DiscoverOIDCConfigParams["isTrustedOrigin"]): OIDCDiscoveryDocument;
 /**
  * Normalize a single URL endpoint.
  *
+ * @param name - The endpoint name (e.g token_endpoint)
  * @param endpoint - The endpoint URL to normalize
- * @param _issuerBase - The base issuer URL
+ * @param issuer - The base issuer URL
  * @returns The normalized endpoint URL
  */
-declare function normalizeUrl(endpoint: string, _issuerBase: string): string;
+declare function normalizeUrl(name: string, endpoint: string, issuer: string): string;
 /**
  * Select the token endpoint authentication method.
  *
@@ -1225,4 +1242,4 @@ declare function sso<O extends SSOOptions>(options?: O | undefined): {
   endpoints: SSOEndpoints<O>;
 };
 //#endregion
-export { createInMemoryAuthnRequestStore as A, OIDCConfig as C, AuthnRequestRecord as D, SSOProvider as E, AuthnRequestStore as O, validateSAMLTimestamp as S, SSOOptions as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, SAMLConditions as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, DEFAULT_AUTHN_REQUEST_TTL_MS as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, SAMLConfig as w, TimestampValidationOptions as x, DEFAULT_CLOCK_SKEW_MS as y };
+export { KeyEncryptionAlgorithm as A, SAMLConfig as C, DataEncryptionAlgorithm as D, AlgorithmValidationOptions as E, DeprecatedAlgorithmBehavior as O, OIDCConfig as S, SSOProvider as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, TimestampValidationOptions as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, SignatureAlgorithm as j, DigestAlgorithm as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, SSOOptions as w, validateSAMLTimestamp as x, SAMLConditions as y };

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { A as createInMemoryAuthnRequestStore, C as OIDCConfig, D as AuthnRequestRecord, E as SSOProvider, O as AuthnRequestStore, S as validateSAMLTimestamp, T as SSOOptions, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as SAMLConditions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, k as DEFAULT_AUTHN_REQUEST_TTL_MS, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as SAMLConfig, x as TimestampValidationOptions, y as DEFAULT_CLOCK_SKEW_MS } from "./index-GoyGoP_a.mjs";
-export { AuthnRequestRecord, AuthnRequestStore, DEFAULT_AUTHN_REQUEST_TTL_MS, DEFAULT_CLOCK_SKEW_MS, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, TimestampValidationOptions, computeDiscoveryUrl, createInMemoryAuthnRequestStore, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
+import { A as KeyEncryptionAlgorithm, C as SAMLConfig, D as DataEncryptionAlgorithm, E as AlgorithmValidationOptions, O as DeprecatedAlgorithmBehavior, S as OIDCConfig, T as SSOProvider, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as SignatureAlgorithm, k as DigestAlgorithm, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as SSOOptions, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-DNWhGQW-.mjs";
+export { AlgorithmValidationOptions, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };