@better-auth/sso 1.5.0-beta.13 → 1.5.0-beta.16

package/.turbo/turbo-build.log

@@ -1,20 +1,20 @@
 
-> @better-auth/sso@1.5.0-beta.13 build /home/runner/work/better-auth/better-auth/packages/sso
+> @better-auth/sso@1.5.0-beta.16 build /home/runner/work/better-auth/better-auth/packages/sso
 > tsdown
 
-ℹ tsdown v0.20.1 powered by rolldown v1.0.0-rc.1
+ℹ tsdown v0.20.3 powered by rolldown v1.0.0-rc.3
 ℹ config file: /home/runner/work/better-auth/better-auth/packages/sso/tsdown.config.ts 
 ℹ entry: src/index.ts, src/client.ts
 ℹ tsconfig: tsconfig.json
 ℹ Build start
-ℹ dist/index.mjs             121.90 kB │ gzip: 24.04 kB
-ℹ dist/client.mjs              0.28 kB │ gzip:  0.21 kB
-ℹ dist/index.mjs.map         246.25 kB │ gzip: 46.78 kB
-ℹ dist/client.mjs.map          0.94 kB │ gzip:  0.50 kB
-ℹ dist/index.d.mts             1.67 kB │ gzip:  0.57 kB
-ℹ dist/client.d.mts            0.62 kB │ gzip:  0.36 kB
-ℹ dist/index-DCUy0gtM.d.mts   56.16 kB │ gzip:  9.96 kB
-ℹ 7 files, total: 427.81 kB
+ℹ dist/index.mjs             139.98 kB │ gzip: 27.81 kB
+ℹ dist/client.mjs              0.27 kB │ gzip:  0.21 kB
+ℹ dist/index.mjs.map         280.86 kB │ gzip: 53.94 kB
+ℹ dist/client.mjs.map          0.93 kB │ gzip:  0.50 kB
+ℹ dist/index.d.mts             3.79 kB │ gzip:  1.20 kB
+ℹ dist/client.d.mts            0.63 kB │ gzip:  0.36 kB
+ℹ dist/index-CbKvQr9M.d.mts   58.40 kB │ gzip: 10.28 kB
+ℹ 7 files, total: 484.85 kB
 [PLUGIN_TIMINGS] Warning: Your build spent significant time in plugin `rolldown-plugin-dts:generate`. See https://rolldown.rs/options/checks#plugintimings for more details.
 
-✔ Build complete in 29829ms
+✔ Build complete in 31855ms

package/dist/client.d.mts

@@ -1,4 +1,5 @@
-import { t as SSOPlugin } from "./index-DCUy0gtM.mjs";
+import "./index-CbKvQr9M.mjs";
+import { SSOPlugin } from "./index.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {
@@ -17,7 +18,7 @@ declare const ssoClient: <CO extends SSOClientOptions>(options?: CO | undefined)
   }>;
   pathMethods: {
     "/sso/providers": "GET";
-    "/sso/providers/:providerId": "GET";
+    "/sso/get-provider": "GET";
   };
 };
 //#endregion

package/dist/client.mjs

@@ -5,7 +5,7 @@ const ssoClient = (options) => {
 		$InferServerPlugin: {},
 		pathMethods: {
 			"/sso/providers": "GET",
-			"/sso/providers/:providerId": "GET"
+			"/sso/get-provider": "GET"
 		}
 	};
 };

package/dist/client.mjs.map

@@ -1 +1 @@
-{"version":3,"file":"client.mjs","names":[],"sources":["../src/client.ts"],"sourcesContent":["import type { BetterAuthClientPlugin } from \"better-auth/client\";\nimport type { SSOPlugin } from \"./index\";\n\ninterface SSOClientOptions {\n\tdomainVerification?:\n\t\t| {\n\t\t\t\tenabled: boolean;\n\t\t  }\n\t\t| undefined;\n}\n\nexport const ssoClient = <CO extends SSOClientOptions>(\n\toptions?: CO | undefined,\n) => {\n\treturn {\n\t\tid: \"sso-client\",\n\t\t$InferServerPlugin: {} as SSOPlugin<{\n\t\t\tdomainVerification: {\n\t\t\t\tenabled: CO[\"domainVerification\"] extends { enabled: true }\n\t\t\t\t\t? true\n\t\t\t\t\t: false;\n\t\t\t};\n\t\t}>,\n\t\tpathMethods: {\n\t\t\t\"/sso/providers\": \"GET\",\n\t\t\t\"/sso/providers/:providerId\": \"GET\",\n\t\t},\n\t} satisfies BetterAuthClientPlugin;\n};\n"],"mappings":";AAWA,MAAa,aACZ,YACI;AACJ,QAAO;EACN,IAAI;EACJ,oBAAoB,EAAE;EAOtB,aAAa;GACZ,kBAAkB;GAClB,8BAA8B;GAC9B;EACD"}
+{"version":3,"file":"client.mjs","names":[],"sources":["../src/client.ts"],"sourcesContent":["import type { BetterAuthClientPlugin } from \"better-auth/client\";\nimport type { SSOPlugin } from \"./index\";\n\ninterface SSOClientOptions {\n\tdomainVerification?:\n\t\t| {\n\t\t\t\tenabled: boolean;\n\t\t  }\n\t\t| undefined;\n}\n\nexport const ssoClient = <CO extends SSOClientOptions>(\n\toptions?: CO | undefined,\n) => {\n\treturn {\n\t\tid: \"sso-client\",\n\t\t$InferServerPlugin: {} as SSOPlugin<{\n\t\t\tdomainVerification: {\n\t\t\t\tenabled: CO[\"domainVerification\"] extends { enabled: true }\n\t\t\t\t\t? true\n\t\t\t\t\t: false;\n\t\t\t};\n\t\t}>,\n\t\tpathMethods: {\n\t\t\t\"/sso/providers\": \"GET\",\n\t\t\t\"/sso/get-provider\": \"GET\",\n\t\t},\n\t} satisfies BetterAuthClientPlugin;\n};\n"],"mappings":";AAWA,MAAa,aACZ,YACI;AACJ,QAAO;EACN,IAAI;EACJ,oBAAoB,EAAE;EAOtB,aAAa;GACZ,kBAAkB;GAClB,qBAAqB;GACrB;EACD"}

package/dist/{index-DCUy0gtM.d.mts → index-CbKvQr9M.d.mts}

@@ -1,7 +1,7 @@
 import { APIError } from "better-auth/api";
 import * as z$1 from "zod/v4";
 import z from "zod/v4";
-import { Awaitable, BetterAuthPlugin, OAuth2Tokens, User } from "better-auth";
+import { Awaitable, OAuth2Tokens, User } from "better-auth";
 import * as better_call0 from "better-call";
 
 //#region src/saml/algorithms.d.ts
@@ -97,6 +97,10 @@ interface SAMLConfig {
       Binding: string;
       Location: string;
     }>;
+    singleLogoutService?: Array<{
+      Binding: string;
+      Location: string;
+    }>;
   } | undefined;
   spMetadata: {
     metadata?: string | undefined;
@@ -279,12 +283,20 @@ interface SSOOptions {
      */
     enabled?: boolean;
     /**
-     * Prefix used to generate the domain verification token
+     * Prefix used to generate the domain verification token.
+     * An underscore is automatically prepended to follow DNS
+     * infrastructure subdomain conventions (RFC 8552), so do
+     * not include a leading underscore.
      *
-     * @default "better-auth-token-"
+     * @default "better-auth-token"
      */
     tokenPrefix?: string;
   };
+  /**
+   * A shared redirect URI used by all OIDC providers instead of
+   * per-provider callback URLs. Can be a path or a full URL.
+   */
+  redirectURI?: string;
   /**
    * SAML security options for AuthnRequest/InResponseTo validation.
    * This prevents unsolicited responses, replay attacks, and cross-provider injection.
@@ -380,6 +392,26 @@ interface SSOOptions {
      * @default 102400 (100KB)
      */
     maxMetadataSize?: number;
+    /**
+     * Enable SAML Single Logout
+     * @default false
+     */
+    enableSingleLogout?: boolean;
+    /**
+     * TTL for LogoutRequest records in milliseconds
+     * @default 300000 (5 minutes)
+     */
+    logoutRequestTTL?: number;
+    /**
+     * Require signed LogoutRequests from IdP
+     * @default false
+     */
+    wantLogoutRequestSigned?: boolean;
+    /**
+     * Require signed LogoutResponses from IdP
+     * @default false
+     */
+    wantLogoutResponseSigned?: boolean;
   };
 }
 //#endregion
@@ -560,7 +592,7 @@ declare const listSSOProviders: () => better_call0.StrictEndpoint<"/sso/provider
     spMetadataUrl: string;
   }[];
 }>;
-declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/providers/:providerId", {
+declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/get-provider", {
   method: "GET";
   use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
     session: {
@@ -585,7 +617,7 @@ declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/providers/
       };
     };
   }>)[];
-  params: z.ZodObject<{
+  query: z.ZodObject<{
     providerId: z.ZodString;
   }, z.core.$strip>;
   metadata: {
@@ -644,8 +676,8 @@ declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/providers/
   } | undefined;
   spMetadataUrl: string;
 }>;
-declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/providers/:providerId", {
-  method: "PATCH";
+declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEndpoint<"/sso/update-provider", {
+  method: "POST";
   use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
@@ -669,9 +701,6 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
       };
     };
   }>)[];
-  params: z.ZodObject<{
-    providerId: z.ZodString;
-  }, z.core.$strip>;
   body: z.ZodObject<{
     issuer: z.ZodOptional<z.ZodString>;
     domain: z.ZodOptional<z.ZodString>;
@@ -746,6 +775,7 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
         extraFields: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
       }, z.core.$strip>>;
     }, z.core.$strip>>;
+    providerId: z.ZodString;
   }, z.core.$strip>;
   metadata: {
     openapi: {
@@ -803,8 +833,8 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
   } | undefined;
   spMetadataUrl: string;
 }>;
-declare const deleteSSOProvider: () => better_call0.StrictEndpoint<"/sso/providers/:providerId", {
-  method: "DELETE";
+declare const deleteSSOProvider: () => better_call0.StrictEndpoint<"/sso/delete-provider", {
+  method: "POST";
   use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
     session: {
       session: Record<string, any> & {
@@ -828,7 +858,7 @@ declare const deleteSSOProvider: () => better_call0.StrictEndpoint<"/sso/provide
       };
     };
   }>)[];
-  params: z.ZodObject<{
+  body: z.ZodObject<{
     providerId: z.ZodString;
   }, z.core.$strip>;
   metadata: {
@@ -872,7 +902,7 @@ interface SAMLConditions {
  * @throws {APIError} If timestamps are invalid, expired, or not yet valid
  */
 declare function validateSAMLTimestamp(conditions: SAMLConditions | undefined, options?: TimestampValidationOptions): void;
-declare const spMetadata: () => better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
+declare const spMetadata: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
   method: "GET";
   query: z.ZodObject<{
     providerId: z.ZodString;
@@ -1274,7 +1304,7 @@ declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint
     error: z.ZodOptional<z.ZodString>;
     error_description: z.ZodOptional<z.ZodString>;
   }, z.core.$strip>;
-  allowedMediaTypes: string[];
+  allowedMediaTypes: readonly ["application/x-www-form-urlencoded", "application/json"];
   metadata: {
     openapi: {
       operationId: string;
@@ -1288,7 +1318,35 @@ declare const callbackSSO: (options?: SSOOptions) => better_call0.StrictEndpoint
     };
     scope: "server";
   };
-}, never>;
+}, void>;
+/**
+ * Shared OIDC callback endpoint (no `:providerId` in path).
+ * Used when `options.redirectURI` is set — the `providerId` is read from
+ * the OAuth state instead of the URL path.
+ */
+declare const callbackSSOShared: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/callback", {
+  metadata: {
+    openapi: {
+      operationId: string;
+      summary: string;
+      description: string;
+      responses: {
+        "302": {
+          description: string;
+        };
+      };
+    };
+    scope: "server";
+  };
+  method: "GET";
+  query: z.ZodObject<{
+    code: z.ZodOptional<z.ZodString>;
+    state: z.ZodString;
+    error: z.ZodOptional<z.ZodString>;
+    error_description: z.ZodOptional<z.ZodString>;
+  }, z.core.$strip>;
+  allowedMediaTypes: readonly ["application/x-www-form-urlencoded", "application/json"];
+}, void>;
 declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
   method: ("POST" | "GET")[];
   body: z.ZodOptional<z.ZodObject<{
@@ -1340,6 +1398,59 @@ declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint
     scope: "server";
   };
 }, never>;
+declare const sloEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/slo/:providerId", {
+  method: ("POST" | "GET")[];
+  body: z.ZodOptional<z.ZodObject<{
+    SAMLRequest: z.ZodOptional<z.ZodString>;
+    SAMLResponse: z.ZodOptional<z.ZodString>;
+    RelayState: z.ZodOptional<z.ZodString>;
+    SigAlg: z.ZodOptional<z.ZodString>;
+    Signature: z.ZodOptional<z.ZodString>;
+  }, z.core.$strip>>;
+  query: z.ZodOptional<z.ZodObject<{
+    SAMLRequest: z.ZodOptional<z.ZodString>;
+    SAMLResponse: z.ZodOptional<z.ZodString>;
+    RelayState: z.ZodOptional<z.ZodString>;
+    SigAlg: z.ZodOptional<z.ZodString>;
+    Signature: z.ZodOptional<z.ZodString>;
+  }, z.core.$strip>>;
+  metadata: {
+    allowedMediaTypes: string[];
+    scope: "server";
+  };
+}, void | Response>;
+declare const initiateSLO: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/logout/:providerId", {
+  method: "POST";
+  body: z.ZodObject<{
+    callbackURL: z.ZodOptional<z.ZodString>;
+  }, z.core.$strip>;
+  use: ((inputContext: better_call0.MiddlewareInputContext<better_call0.MiddlewareOptions>) => Promise<{
+    session: {
+      session: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        userId: string;
+        expiresAt: Date;
+        token: string;
+        ipAddress?: string | null | undefined;
+        userAgent?: string | null | undefined;
+      };
+      user: Record<string, any> & {
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        email: string;
+        emailVerified: boolean;
+        name: string;
+        image?: string | null | undefined;
+      };
+    };
+  }>)[];
+  metadata: {
+    readonly scope: "server";
+  };
+}, never>;
 //#endregion
 //#region src/constants.d.ts
 /**
@@ -1612,52 +1723,5 @@ declare function selectTokenEndpointAuthMethod(doc: OIDCDiscoveryDocument, exist
  */
 declare function needsRuntimeDiscovery(config: Partial<HydratedOIDCConfig> | undefined): boolean;
 //#endregion
-//#region src/index.d.ts
-declare module "@better-auth/core" {
-  interface BetterAuthPluginRegistry<AuthOptions, Options> {
-    sso: {
-      creator: typeof sso;
-    };
-  }
-}
-type DomainVerificationEndpoints = {
-  requestDomainVerification: ReturnType<typeof requestDomainVerification>;
-  verifyDomain: ReturnType<typeof verifyDomain>;
-};
-type SSOEndpoints<O extends SSOOptions> = {
-  spMetadata: ReturnType<typeof spMetadata>;
-  registerSSOProvider: ReturnType<typeof registerSSOProvider<O>>;
-  signInSSO: ReturnType<typeof signInSSO>;
-  callbackSSO: ReturnType<typeof callbackSSO>;
-  callbackSSOSAML: ReturnType<typeof callbackSSOSAML>;
-  acsEndpoint: ReturnType<typeof acsEndpoint>;
-  listSSOProviders: ReturnType<typeof listSSOProviders>;
-  getSSOProvider: ReturnType<typeof getSSOProvider>;
-  updateSSOProvider: ReturnType<typeof updateSSOProvider>;
-  deleteSSOProvider: ReturnType<typeof deleteSSOProvider>;
-};
-type SSOPlugin<O extends SSOOptions> = {
-  id: "sso";
-  endpoints: SSOEndpoints<O> & (O extends {
-    domainVerification: {
-      enabled: true;
-    };
-  } ? DomainVerificationEndpoints : {});
-};
-declare function sso<O extends SSOOptions & {
-  domainVerification?: {
-    enabled: true;
-  };
-}>(options?: O | undefined): {
-  id: "sso";
-  endpoints: SSOEndpoints<O> & DomainVerificationEndpoints;
-  schema: NonNullable<BetterAuthPlugin["schema"]>;
-  options: O;
-};
-declare function sso<O extends SSOOptions>(options?: O | undefined): {
-  id: "sso";
-  endpoints: SSOEndpoints<O>;
-};
-//#endregion
-export { DataEncryptionAlgorithm as A, TimestampValidationOptions as C, SSOOptions as D, SAMLConfig as E, DigestAlgorithm as M, KeyEncryptionAlgorithm as N, SSOProvider as O, SignatureAlgorithm as P, SAMLConditions as S, OIDCConfig as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, DEFAULT_MAX_SAML_METADATA_SIZE as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, DeprecatedAlgorithmBehavior as j, AlgorithmValidationOptions as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, validateSAMLTimestamp as w, DEFAULT_MAX_SAML_RESPONSE_SIZE as x, DEFAULT_CLOCK_SKEW_MS as y };
-//# sourceMappingURL=index-DCUy0gtM.d.mts.map
+export { spMetadata as A, SSOOptions as B, callbackSSO as C, registerSSOProvider as D, initiateSLO as E, updateSSOProvider as F, DigestAlgorithm as G, AlgorithmValidationOptions as H, requestDomainVerification as I, KeyEncryptionAlgorithm as K, verifyDomain as L, deleteSSOProvider as M, getSSOProvider as N, signInSSO as O, listSSOProviders as P, OIDCConfig as R, acsEndpoint as S, callbackSSOShared as T, DataEncryptionAlgorithm as U, SSOProvider as V, DeprecatedAlgorithmBehavior as W, DEFAULT_CLOCK_SKEW_MS as _, normalizeDiscoveryUrls as a, SAMLConditions as b, validateDiscoveryDocument as c, DiscoveryError as d, DiscoveryErrorCode as f, RequiredDiscoveryField as g, REQUIRED_DISCOVERY_FIELDS as h, needsRuntimeDiscovery as i, validateSAMLTimestamp as j, sloEndpoint as k, validateDiscoveryUrl as l, OIDCDiscoveryDocument as m, discoverOIDCConfig as n, normalizeUrl as o, HydratedOIDCConfig as p, SignatureAlgorithm as q, fetchDiscoveryDocument as r, selectTokenEndpointAuthMethod as s, computeDiscoveryUrl as t, DiscoverOIDCConfigParams as u, DEFAULT_MAX_SAML_METADATA_SIZE as v, callbackSSOSAML as w, TimestampValidationOptions as x, DEFAULT_MAX_SAML_RESPONSE_SIZE as y, SAMLConfig as z };
+//# sourceMappingURL=index-CbKvQr9M.d.mts.map

package/dist/index.d.mts

@@ -1,2 +1,56 @@
-import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-DCUy0gtM.mjs";
-export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
+import { A as spMetadata, B as SSOOptions, C as callbackSSO, D as registerSSOProvider, E as initiateSLO, F as updateSSOProvider, G as DigestAlgorithm, H as AlgorithmValidationOptions, I as requestDomainVerification, K as KeyEncryptionAlgorithm, L as verifyDomain, M as deleteSSOProvider, N as getSSOProvider, O as signInSSO, P as listSSOProviders, R as OIDCConfig, S as acsEndpoint, T as callbackSSOShared, U as DataEncryptionAlgorithm, V as SSOProvider, W as DeprecatedAlgorithmBehavior, _ as DEFAULT_CLOCK_SKEW_MS, a as normalizeDiscoveryUrls, b as SAMLConditions, c as validateDiscoveryDocument, d as DiscoveryError, f as DiscoveryErrorCode, g as RequiredDiscoveryField, h as REQUIRED_DISCOVERY_FIELDS, i as needsRuntimeDiscovery, j as validateSAMLTimestamp, k as sloEndpoint, l as validateDiscoveryUrl, m as OIDCDiscoveryDocument, n as discoverOIDCConfig, o as normalizeUrl, p as HydratedOIDCConfig, q as SignatureAlgorithm, r as fetchDiscoveryDocument, s as selectTokenEndpointAuthMethod, t as computeDiscoveryUrl, u as DiscoverOIDCConfigParams, v as DEFAULT_MAX_SAML_METADATA_SIZE, w as callbackSSOSAML, x as TimestampValidationOptions, y as DEFAULT_MAX_SAML_RESPONSE_SIZE, z as SAMLConfig } from "./index-CbKvQr9M.mjs";
+import { BetterAuthPlugin } from "better-auth";
+
+//#region src/index.d.ts
+declare module "@better-auth/core" {
+  interface BetterAuthPluginRegistry<AuthOptions, Options> {
+    sso: {
+      creator: typeof sso;
+    };
+  }
+}
+type DomainVerificationEndpoints = {
+  requestDomainVerification: ReturnType<typeof requestDomainVerification>;
+  verifyDomain: ReturnType<typeof verifyDomain>;
+};
+type SSOEndpoints<O extends SSOOptions> = {
+  spMetadata: ReturnType<typeof spMetadata>;
+  registerSSOProvider: ReturnType<typeof registerSSOProvider<O>>;
+  signInSSO: ReturnType<typeof signInSSO>;
+  callbackSSO: ReturnType<typeof callbackSSO>;
+  callbackSSOShared: ReturnType<typeof callbackSSOShared>;
+  callbackSSOSAML: ReturnType<typeof callbackSSOSAML>;
+  acsEndpoint: ReturnType<typeof acsEndpoint>;
+  sloEndpoint: ReturnType<typeof sloEndpoint>;
+  initiateSLO: ReturnType<typeof initiateSLO>;
+  listSSOProviders: ReturnType<typeof listSSOProviders>;
+  getSSOProvider: ReturnType<typeof getSSOProvider>;
+  updateSSOProvider: ReturnType<typeof updateSSOProvider>;
+  deleteSSOProvider: ReturnType<typeof deleteSSOProvider>;
+};
+type SSOPlugin<O extends SSOOptions> = {
+  id: "sso";
+  endpoints: SSOEndpoints<O> & (O extends {
+    domainVerification: {
+      enabled: true;
+    };
+  } ? DomainVerificationEndpoints : {});
+};
+declare function sso<O extends SSOOptions & {
+  domainVerification?: {
+    enabled: true;
+  };
+}>(options?: O | undefined): {
+  id: "sso";
+  endpoints: SSOEndpoints<O> & DomainVerificationEndpoints;
+  schema: NonNullable<BetterAuthPlugin["schema"]>;
+  options: O;
+};
+declare function sso<O extends SSOOptions>(options?: O | undefined): {
+  id: "sso";
+  endpoints: SSOEndpoints<O>;
+  options: O;
+};
+//#endregion
+export { type AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, type DeprecatedAlgorithmBehavior, DigestAlgorithm, type DiscoverOIDCConfigParams, DiscoveryError, type DiscoveryErrorCode, type HydratedOIDCConfig, KeyEncryptionAlgorithm, type OIDCConfig, type OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, type RequiredDiscoveryField, type SAMLConditions, type SAMLConfig, type SSOOptions, SSOPlugin, type SSOProvider, SignatureAlgorithm, type TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
+//# sourceMappingURL=index.d.mts.map