@better-auth/sso 1.5.0-beta.1 → 1.5.0-beta.10

package/.turbo/turbo-build.log

@@ -1,16 +1,20 @@
 
-> @better-auth/sso@1.5.0-beta.1 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.5.0-beta.10 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 
-ℹ tsdown v0.17.2 powered by rolldown v1.0.0-beta.53
+ℹ tsdown v0.20.1 powered by rolldown v1.0.0-rc.1
 ℹ config file: /home/runner/work/better-auth/better-auth/packages/sso/tsdown.config.ts 
 ℹ entry: src/index.ts, src/client.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ dist/index.mjs             95.91 kB │ gzip: 18.60 kB
-ℹ dist/client.mjs             0.15 kB │ gzip:  0.14 kB
-ℹ dist/index.d.mts            1.48 kB │ gzip:  0.51 kB
-ℹ dist/client.d.mts           0.49 kB │ gzip:  0.29 kB
-ℹ dist/index-CvpS40sl.d.mts  43.12 kB │ gzip:  8.83 kB
-ℹ 5 files, total: 141.14 kB
-✔ Build complete in 15982ms
+ℹ dist/index.mjs             120.85 kB │ gzip: 24.06 kB
+ℹ dist/client.mjs              0.28 kB │ gzip:  0.21 kB
+ℹ dist/index.mjs.map         244.11 kB │ gzip: 46.78 kB
+ℹ dist/client.mjs.map          0.94 kB │ gzip:  0.50 kB
+ℹ dist/index.d.mts             1.67 kB │ gzip:  0.57 kB
+ℹ dist/client.d.mts            0.62 kB │ gzip:  0.36 kB
+ℹ dist/index-CBBJTszO.d.mts   56.16 kB │ gzip:  9.96 kB
+ℹ 7 files, total: 424.63 kB
+[PLUGIN_TIMINGS] Warning: Your build spent significant time in plugin `rolldown-plugin-dts:generate`. See https://rolldown.rs/options/checks#plugintimings for more details.
+
+✔ Build complete in 26757ms

package/LICENSE.md

@@ -1,17 +1,20 @@
 The MIT License (MIT)
 Copyright (c) 2024 - present, Bereket Engida
 
-Permission is hereby granted, free of charge, to any person obtaining a copy of this software
-and associated documentation files (the "Software"), to deal in the Software without restriction,
-including without limitation the rights to use, copy, modify, merge, publish, distribute,
-sublicense, and/or sell copies of the Software, and to permit persons to whom the Software
-is furnished to do so, subject to the following conditions:
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the “Software”), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
 
-The above copyright notice and this permission notice shall be included in all copies or
-substantial portions of the Software.
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
-BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
-DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-CvpS40sl.mjs";
+import { t as SSOPlugin } from "./index-CBBJTszO.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {
@@ -15,6 +15,11 @@ declare const ssoClient: <CO extends SSOClientOptions>(options?: CO | undefined)
       } ? true : false;
     };
   }>;
+  pathMethods: {
+    "/sso/providers": "GET";
+    "/sso/providers/:providerId": "GET";
+  };
 };
 //#endregion
-export { ssoClient };
+export { ssoClient };
+//# sourceMappingURL=client.d.mts.map

package/dist/client.mjs

@@ -2,9 +2,14 @@
 const ssoClient = (options) => {
 	return {
 		id: "sso-client",
-		$InferServerPlugin: {}
+		$InferServerPlugin: {},
+		pathMethods: {
+			"/sso/providers": "GET",
+			"/sso/providers/:providerId": "GET"
+		}
 	};
 };
 
 //#endregion
-export { ssoClient };
+export { ssoClient };
+//# sourceMappingURL=client.mjs.map

package/dist/client.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.mjs","names":[],"sources":["../src/client.ts"],"sourcesContent":["import type { BetterAuthClientPlugin } from \"better-auth/client\";\nimport type { SSOPlugin } from \"./index\";\n\ninterface SSOClientOptions {\n\tdomainVerification?:\n\t\t| {\n\t\t\t\tenabled: boolean;\n\t\t  }\n\t\t| undefined;\n}\n\nexport const ssoClient = <CO extends SSOClientOptions>(\n\toptions?: CO | undefined,\n) => {\n\treturn {\n\t\tid: \"sso-client\",\n\t\t$InferServerPlugin: {} as SSOPlugin<{\n\t\t\tdomainVerification: {\n\t\t\t\tenabled: CO[\"domainVerification\"] extends { enabled: true }\n\t\t\t\t\t? true\n\t\t\t\t\t: false;\n\t\t\t};\n\t\t}>,\n\t\tpathMethods: {\n\t\t\t\"/sso/providers\": \"GET\",\n\t\t\t\"/sso/providers/:providerId\": \"GET\",\n\t\t},\n\t} satisfies BetterAuthClientPlugin;\n};\n"],"mappings":";AAWA,MAAa,aACZ,YACI;AACJ,QAAO;EACN,IAAI;EACJ,oBAAoB,EAAE;EAOtB,aAAa;GACZ,kBAAkB;GAClB,8BAA8B;GAC9B;EACD"}

package/dist/{index-CvpS40sl.d.mts → index-CBBJTszO.d.mts}

@@ -1,7 +1,7 @@
 import { APIError } from "better-auth/api";
 import * as z$1 from "zod/v4";
 import z from "zod/v4";
-import { Awaitable, OAuth2Tokens, User } from "better-auth";
+import { Awaitable, BetterAuthPlugin, OAuth2Tokens, User } from "better-auth";
 import * as better_call0 from "better-call";
 
 //#region src/saml/algorithms.d.ts
@@ -109,6 +109,7 @@ interface SAMLConfig {
     encPrivateKeyPass?: string | undefined;
   };
   wantAssertionsSigned?: boolean | undefined;
+  authnRequestsSigned?: boolean | undefined;
   signatureAlgorithm?: string | undefined;
   digestAlgorithm?: string | undefined;
   identifierFormat?: string | undefined;
@@ -367,6 +368,18 @@ interface SSOOptions {
      * ```
      */
     algorithms?: AlgorithmValidationOptions;
+    /**
+     * Maximum allowed size for SAML responses in bytes.
+     *
+     * @default 262144 (256KB)
+     */
+    maxResponseSize?: number;
+    /**
+     * Maximum allowed size for IdP metadata XML in bytes.
+     *
+     * @default 102400 (100KB)
+     */
+    maxMetadataSize?: number;
   };
 }
 //#endregion
@@ -469,6 +482,377 @@ declare const verifyDomain: (options: SSOOptions) => better_call0.StrictEndpoint
   }>)[];
 }, void>;
 //#endregion
+//#region src/routes/providers.d.ts
+declare const listSSOProviders: () => better_call0.StrictEndpoint<"/sso/providers", {
+  method: "GET";
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+    session: {
+      session: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        userId: string;
+        expiresAt: Date;
+        token: string;
+        ipAddress?: string | null | undefined;
+        userAgent?: string | null | undefined;
+      };
+      user: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+      };
+    };
+  }>)[];
+  metadata: {
+    openapi: {
+      operationId: string;
+      summary: string;
+      description: string;
+      responses: {
+        "200": {
+          description: string;
+        };
+      };
+    };
+  };
+}, {
+  providers: {
+    providerId: string;
+    type: string;
+    issuer: string;
+    domain: string;
+    organizationId: string | null;
+    domainVerified: boolean;
+    oidcConfig: {
+      discoveryEndpoint: string;
+      clientIdLastFour: string;
+      pkce: boolean;
+      authorizationEndpoint: string | undefined;
+      tokenEndpoint: string | undefined;
+      userInfoEndpoint: string | undefined;
+      jwksEndpoint: string | undefined;
+      scopes: string[] | undefined;
+      tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | undefined;
+    } | undefined;
+    samlConfig: {
+      entryPoint: string;
+      callbackUrl: string;
+      audience: string | undefined;
+      wantAssertionsSigned: boolean | undefined;
+      authnRequestsSigned: boolean | undefined;
+      identifierFormat: string | undefined;
+      signatureAlgorithm: string | undefined;
+      digestAlgorithm: string | undefined;
+      certificate: {
+        fingerprintSha256: string;
+        notBefore: string;
+        notAfter: string;
+        publicKeyAlgorithm: string;
+      } | {
+        error: string;
+      };
+    } | undefined;
+    spMetadataUrl: string;
+  }[];
+}>;
+declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/providers/:providerId", {
+  method: "GET";
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+    session: {
+      session: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        userId: string;
+        expiresAt: Date;
+        token: string;
+        ipAddress?: string | null | undefined;
+        userAgent?: string | null | undefined;
+      };
+      user: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+      };
+    };
+  }>)[];
+  params: z.ZodObject<{
+    providerId: z.ZodString;
+  }, z.core.$strip>;
+  metadata: {
+    openapi: {
+      operationId: string;
+      summary: string;
+      description: string;
+      responses: {
+        "200": {
+          description: string;
+        };
+        "404": {
+          description: string;
+        };
+        "403": {
+          description: string;
+        };
+      };
+    };
+  };
+}, {
+  providerId: string;
+  type: string;
+  issuer: string;
+  domain: string;
+  organizationId: string | null;
+  domainVerified: boolean;
+  oidcConfig: {
+    discoveryEndpoint: string;
+    clientIdLastFour: string;
+    pkce: boolean;
+    authorizationEndpoint: string | undefined;
+    tokenEndpoint: string | undefined;
+    userInfoEndpoint: string | undefined;
+    jwksEndpoint: string | undefined;
+    scopes: string[] | undefined;
+    tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | undefined;
+  } | undefined;
+  samlConfig: {
+    entryPoint: string;
+    callbackUrl: string;
+    audience: string | undefined;
+    wantAssertionsSigned: boolean | undefined;
+    authnRequestsSigned: boolean | undefined;
+    identifierFormat: string | undefined;
+    signatureAlgorithm: string | undefined;
+    digestAlgorithm: string | undefined;
+    certificate: {
+      fingerprintSha256: string;
+      notBefore: string;
+      notAfter: string;
+      publicKeyAlgorithm: string;
+    } | {
+      error: string;
+    };
+  } | undefined;
+  spMetadataUrl: string;
+}>;
+declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/providers/:providerId", {
+  method: "PATCH";
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+    session: {
+      session: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        userId: string;
+        expiresAt: Date;
+        token: string;
+        ipAddress?: string | null | undefined;
+        userAgent?: string | null | undefined;
+      };
+      user: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+      };
+    };
+  }>)[];
+  params: z.ZodObject<{
+    providerId: z.ZodString;
+  }, z.core.$strip>;
+  body: z.ZodObject<{
+    issuer: z.ZodOptional<z.ZodString>;
+    domain: z.ZodOptional<z.ZodString>;
+    oidcConfig: z.ZodOptional<z.ZodObject<{
+      clientId: z.ZodOptional<z.ZodString>;
+      clientSecret: z.ZodOptional<z.ZodString>;
+      authorizationEndpoint: z.ZodOptional<z.ZodString>;
+      tokenEndpoint: z.ZodOptional<z.ZodString>;
+      userInfoEndpoint: z.ZodOptional<z.ZodString>;
+      tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
+        client_secret_post: "client_secret_post";
+        client_secret_basic: "client_secret_basic";
+      }>>;
+      jwksEndpoint: z.ZodOptional<z.ZodString>;
+      discoveryEndpoint: z.ZodOptional<z.ZodString>;
+      scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+      pkce: z.ZodOptional<z.ZodBoolean>;
+      overrideUserInfo: z.ZodOptional<z.ZodBoolean>;
+      mapping: z.ZodOptional<z.ZodObject<{
+        id: z.ZodOptional<z.ZodString>;
+        email: z.ZodOptional<z.ZodString>;
+        emailVerified: z.ZodOptional<z.ZodString>;
+        name: z.ZodOptional<z.ZodString>;
+        image: z.ZodOptional<z.ZodString>;
+        extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
+      }, z.core.$strip>>;
+    }, z.core.$strip>>;
+    samlConfig: z.ZodOptional<z.ZodObject<{
+      entryPoint: z.ZodOptional<z.ZodString>;
+      cert: z.ZodOptional<z.ZodString>;
+      callbackUrl: z.ZodOptional<z.ZodString>;
+      audience: z.ZodOptional<z.ZodString>;
+      idpMetadata: z.ZodOptional<z.ZodObject<{
+        metadata: z.ZodOptional<z.ZodString>;
+        entityID: z.ZodOptional<z.ZodString>;
+        cert: z.ZodOptional<z.ZodString>;
+        privateKey: z.ZodOptional<z.ZodString>;
+        privateKeyPass: z.ZodOptional<z.ZodString>;
+        isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
+        encPrivateKey: z.ZodOptional<z.ZodString>;
+        encPrivateKeyPass: z.ZodOptional<z.ZodString>;
+        singleSignOnService: z.ZodOptional<z.ZodArray<z.ZodObject<{
+          Binding: z.ZodString;
+          Location: z.ZodString;
+        }, z.core.$strip>>>;
+      }, z.core.$strip>>;
+      spMetadata: z.ZodOptional<z.ZodObject<{
+        metadata: z.ZodOptional<z.ZodString>;
+        entityID: z.ZodOptional<z.ZodString>;
+        binding: z.ZodOptional<z.ZodString>;
+        privateKey: z.ZodOptional<z.ZodString>;
+        privateKeyPass: z.ZodOptional<z.ZodString>;
+        isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
+        encPrivateKey: z.ZodOptional<z.ZodString>;
+        encPrivateKeyPass: z.ZodOptional<z.ZodString>;
+      }, z.core.$strip>>;
+      wantAssertionsSigned: z.ZodOptional<z.ZodBoolean>;
+      authnRequestsSigned: z.ZodOptional<z.ZodBoolean>;
+      signatureAlgorithm: z.ZodOptional<z.ZodString>;
+      digestAlgorithm: z.ZodOptional<z.ZodString>;
+      identifierFormat: z.ZodOptional<z.ZodString>;
+      privateKey: z.ZodOptional<z.ZodString>;
+      decryptionPvk: z.ZodOptional<z.ZodString>;
+      additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
+      mapping: z.ZodOptional<z.ZodObject<{
+        id: z.ZodOptional<z.ZodString>;
+        email: z.ZodOptional<z.ZodString>;
+        emailVerified: z.ZodOptional<z.ZodString>;
+        name: z.ZodOptional<z.ZodString>;
+        firstName: z.ZodOptional<z.ZodString>;
+        lastName: z.ZodOptional<z.ZodString>;
+        extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
+      }, z.core.$strip>>;
+    }, z.core.$strip>>;
+  }, z.core.$strip>;
+  metadata: {
+    openapi: {
+      operationId: string;
+      summary: string;
+      description: string;
+      responses: {
+        "200": {
+          description: string;
+        };
+        "404": {
+          description: string;
+        };
+        "403": {
+          description: string;
+        };
+      };
+    };
+  };
+}, {
+  providerId: string;
+  type: string;
+  issuer: string;
+  domain: string;
+  organizationId: string | null;
+  domainVerified: boolean;
+  oidcConfig: {
+    discoveryEndpoint: string;
+    clientIdLastFour: string;
+    pkce: boolean;
+    authorizationEndpoint: string | undefined;
+    tokenEndpoint: string | undefined;
+    userInfoEndpoint: string | undefined;
+    jwksEndpoint: string | undefined;
+    scopes: string[] | undefined;
+    tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | undefined;
+  } | undefined;
+  samlConfig: {
+    entryPoint: string;
+    callbackUrl: string;
+    audience: string | undefined;
+    wantAssertionsSigned: boolean | undefined;
+    authnRequestsSigned: boolean | undefined;
+    identifierFormat: string | undefined;
+    signatureAlgorithm: string | undefined;
+    digestAlgorithm: string | undefined;
+    certificate: {
+      fingerprintSha256: string;
+      notBefore: string;
+      notAfter: string;
+      publicKeyAlgorithm: string;
+    } | {
+      error: string;
+    };
+  } | undefined;
+  spMetadataUrl: string;
+}>;
+declare const deleteSSOProvider: () => better_call0.StrictEndpoint<"/sso/providers/:providerId", {
+  method: "DELETE";
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+    session: {
+      session: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        userId: string;
+        expiresAt: Date;
+        token: string;
+        ipAddress?: string | null | undefined;
+        userAgent?: string | null | undefined;
+      };
+      user: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+      };
+    };
+  }>)[];
+  params: z.ZodObject<{
+    providerId: z.ZodString;
+  }, z.core.$strip>;
+  metadata: {
+    openapi: {
+      operationId: string;
+      summary: string;
+      description: string;
+      responses: {
+        "200": {
+          description: string;
+        };
+        "404": {
+          description: string;
+        };
+        "403": {
+          description: string;
+        };
+      };
+    };
+  };
+}, {
+  success: boolean;
+}>;
+//#endregion
 //#region src/routes/sso.d.ts
 interface TimestampValidationOptions {
   clockSkew?: number;
@@ -570,6 +954,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
         encPrivateKeyPass: z.ZodOptional<z.ZodString>;
       }, z.core.$strip>;
       wantAssertionsSigned: z.ZodOptional<z.ZodBoolean>;
+      authnRequestsSigned: z.ZodOptional<z.ZodBoolean>;
       signatureAlgorithm: z.ZodOptional<z.ZodString>;
       digestAlgorithm: z.ZodOptional<z.ZodString>;
       identifierFormat: z.ZodOptional<z.ZodString>;
@@ -905,11 +1290,14 @@ declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint
   };
 }, never>;
 declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
-  method: "POST";
-  body: z.ZodObject<{
+  method: ("POST" | "GET")[];
+  body: z.ZodOptional<z.ZodObject<{
     SAMLResponse: z.ZodString;
     RelayState: z.ZodOptional<z.ZodString>;
-  }, z.core.$strip>;
+  }, z.core.$strip>>;
+  query: z.ZodOptional<z.ZodObject<{
+    RelayState: z.ZodOptional<z.ZodString>;
+  }, z.core.$strip>>;
   metadata: {
     allowedMediaTypes: string[];
     openapi: {
@@ -933,9 +1321,6 @@ declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndp
 }, never>;
 declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
   method: "POST";
-  params: z.ZodObject<{
-    providerId: z.ZodOptional<z.ZodString>;
-  }, z.core.$strip>;
   body: z.ZodObject<{
     SAMLResponse: z.ZodString;
     RelayState: z.ZodOptional<z.ZodString>;
@@ -956,6 +1341,28 @@ declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint
   };
 }, never>;
 //#endregion
+//#region src/constants.d.ts
+/**
+ * Default clock skew tolerance (5 minutes).
+ * Allows for minor time differences between IdP and SP servers.
+ *
+ * Accommodates:
+ * - Network latency and processing time
+ * - Clock synchronization differences (NTP drift)
+ * - Distributed systems across timezones
+ */
+declare const DEFAULT_CLOCK_SKEW_MS: number;
+/**
+ * Default maximum size for SAML responses (256 KB).
+ * Protects against memory exhaustion from oversized SAML payloads.
+ */
+declare const DEFAULT_MAX_SAML_RESPONSE_SIZE: number;
+/**
+ * Default maximum size for IdP metadata (100 KB).
+ * Protects against oversized metadata documents.
+ */
+declare const DEFAULT_MAX_SAML_METADATA_SIZE: number;
+//#endregion
 //#region src/oidc/types.d.ts
 /**
  * OIDC Discovery Types
@@ -1031,16 +1438,7 @@ interface OIDCDiscoveryDocument {
 /**
  * Error codes for OIDC discovery operations.
  */
-type DiscoveryErrorCode = /** Request to discovery endpoint timed out */
-"discovery_timeout"
-/** Discovery endpoint returned 404 or similar */ | "discovery_not_found"
-/** Discovery endpoint returned invalid JSON */ | "discovery_invalid_json"
-/** Discovery URL is invalid or malformed */ | "discovery_invalid_url"
-/** Discovery URL is not trusted by the trusted origins configuration */ | "discovery_untrusted_origin"
-/** Discovery document issuer doesn't match configured issuer */ | "issuer_mismatch"
-/** Discovery document is missing required fields */ | "discovery_incomplete"
-/** IdP only advertises token auth methods that Better Auth doesn't currently support */ | "unsupported_token_auth_method"
-/** Catch-all for unexpected errors */ | "discovery_unexpected_error";
+type DiscoveryErrorCode = /** Request to discovery endpoint timed out */"discovery_timeout" /** Discovery endpoint returned 404 or similar */ | "discovery_not_found" /** Discovery endpoint returned invalid JSON */ | "discovery_invalid_json" /** Discovery URL is invalid or malformed */ | "discovery_invalid_url" /** Discovery URL is not trusted by the trusted origins configuration */ | "discovery_untrusted_origin" /** Discovery document issuer doesn't match configured issuer */ | "issuer_mismatch" /** Discovery document is missing required fields */ | "discovery_incomplete" /** IdP only advertises token auth methods that Better Auth doesn't currently support */ | "unsupported_token_auth_method" /** Catch-all for unexpected errors */ | "discovery_unexpected_error";
 /**
  * Custom error class for OIDC discovery failures.
  * Can be caught and mapped to APIError at the edge.
@@ -1215,6 +1613,13 @@ declare function selectTokenEndpointAuthMethod(doc: OIDCDiscoveryDocument, exist
 declare function needsRuntimeDiscovery(config: Partial<HydratedOIDCConfig> | undefined): boolean;
 //#endregion
 //#region src/index.d.ts
+declare module "@better-auth/core" {
+  interface BetterAuthPluginRegistry<AuthOptions, Options> {
+    sso: {
+      creator: typeof sso;
+    };
+  }
+}
 type DomainVerificationEndpoints = {
   requestDomainVerification: ReturnType<typeof requestDomainVerification>;
   verifyDomain: ReturnType<typeof verifyDomain>;
@@ -1226,6 +1631,10 @@ type SSOEndpoints<O extends SSOOptions> = {
   callbackSSO: ReturnType<typeof callbackSSO>;
   callbackSSOSAML: ReturnType<typeof callbackSSOSAML>;
   acsEndpoint: ReturnType<typeof acsEndpoint>;
+  listSSOProviders: ReturnType<typeof listSSOProviders>;
+  getSSOProvider: ReturnType<typeof getSSOProvider>;
+  updateSSOProvider: ReturnType<typeof updateSSOProvider>;
+  deleteSSOProvider: ReturnType<typeof deleteSSOProvider>;
 };
 type SSOPlugin<O extends SSOOptions> = {
   id: "sso";
@@ -1242,7 +1651,7 @@ declare function sso<O extends SSOOptions & {
 }>(options?: O | undefined): {
   id: "sso";
   endpoints: SSOEndpoints<O> & DomainVerificationEndpoints;
-  schema: any;
+  schema: NonNullable<BetterAuthPlugin["schema"]>;
   options: O;
 };
 declare function sso<O extends SSOOptions>(options?: O | undefined): {
@@ -1250,4 +1659,5 @@ declare function sso<O extends SSOOptions>(options?: O | undefined): {
   endpoints: SSOEndpoints<O>;
 };
 //#endregion
-export { KeyEncryptionAlgorithm as A, SAMLConfig as C, DataEncryptionAlgorithm as D, AlgorithmValidationOptions as E, DeprecatedAlgorithmBehavior as O, OIDCConfig as S, SSOProvider as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, TimestampValidationOptions as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, SignatureAlgorithm as j, DigestAlgorithm as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, SSOOptions as w, validateSAMLTimestamp as x, SAMLConditions as y };
+export { DataEncryptionAlgorithm as A, TimestampValidationOptions as C, SSOOptions as D, SAMLConfig as E, DigestAlgorithm as M, KeyEncryptionAlgorithm as N, SSOProvider as O, SignatureAlgorithm as P, SAMLConditions as S, OIDCConfig as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, DEFAULT_MAX_SAML_METADATA_SIZE as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, DeprecatedAlgorithmBehavior as j, AlgorithmValidationOptions as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, validateSAMLTimestamp as w, DEFAULT_MAX_SAML_RESPONSE_SIZE as x, DEFAULT_CLOCK_SKEW_MS as y };
+//# sourceMappingURL=index-CBBJTszO.d.mts.map

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { A as KeyEncryptionAlgorithm, C as SAMLConfig, D as DataEncryptionAlgorithm, E as AlgorithmValidationOptions, O as DeprecatedAlgorithmBehavior, S as OIDCConfig, T as SSOProvider, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as SignatureAlgorithm, k as DigestAlgorithm, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as SSOOptions, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-CvpS40sl.mjs";
-export { AlgorithmValidationOptions, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
+import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-CBBJTszO.mjs";
+export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };