@better-auth/sso 1.6.1 → 1.7.0-beta.0

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-iRhhiRKL.mjs";
+import { t as SSOPlugin } from "./index-DVg_iWRX.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-CfoAqE_A.mjs";
+import { t as PACKAGE_VERSION } from "./version-CzfTSPRz.mjs";
 //#region src/client.ts
 const ssoClient = (options) => {
 	return {

package/dist/{index-iRhhiRKL.d.mts → index-DVg_iWRX.d.mts}

@@ -64,14 +64,19 @@ interface OIDCConfig {
   issuer: string;
   pkce: boolean;
   clientId: string;
-  clientSecret: string;
+  /** Required for client_secret_basic/client_secret_post. Optional for private_key_jwt. */
+  clientSecret?: string;
   authorizationEndpoint?: string | undefined;
   discoveryEndpoint: string;
   userInfoEndpoint?: string | undefined;
   scopes?: string[] | undefined;
   overrideUserInfo?: boolean | undefined;
   tokenEndpoint?: string | undefined;
-  tokenEndpointAuthentication?: ("client_secret_post" | "client_secret_basic") | undefined;
+  tokenEndpointAuthentication?: ("client_secret_post" | "client_secret_basic" | "private_key_jwt") | undefined;
+  /** Key ID for private_key_jwt key resolution */
+  privateKeyId?: string | undefined;
+  /** Signing algorithm for private_key_jwt. @default "RS256" */
+  privateKeyAlgorithm?: string | undefined;
   jwksEndpoint?: string | undefined;
   mapping?: OIDCMapping | undefined;
 }
@@ -214,6 +219,14 @@ interface SSOOptions {
      * OIDC configuration
      */
     oidcConfig?: OIDCConfig;
+    /**
+     * Private key for `private_key_jwt` authentication.
+     * Only used with defaultSSO — not stored in DB.
+     */
+    privateKey?: {
+      privateKeyJwk?: JsonWebKey;
+      privateKeyPem?: string;
+    };
   }> | undefined;
   /**
    * Override user info with the provider info.
@@ -306,6 +319,21 @@ interface SSOOptions {
    * per-provider callback URLs. Can be a path or a full URL.
    */
   redirectURI?: string;
+  /**
+   * Callback to resolve private key material for private_key_jwt authentication.
+   * Called during token exchange when a provider uses tokenEndpointAuthentication: "private_key_jwt".
+   * Keeps private keys out of the database — supports HSM/KMS/Vault integration.
+   */
+  resolvePrivateKey?: (params: {
+    providerId: string;
+    keyId?: string;
+    issuer: string;
+  }) => Promise<{
+    privateKeyJwk?: JsonWebKey;
+    privateKeyPem?: string;
+    kid?: string;
+    algorithm?: string;
+  }>;
   /**
    * SAML security options for AuthnRequest/InResponseTo validation.
    * This prevents unsolicited responses, replay attacks, and cross-provider injection.
@@ -329,9 +357,13 @@ interface SSOOptions {
      * When true, responses without InResponseTo are accepted.
      * When false, all responses must correlate to a stored AuthnRequest.
      *
+     * IdP-initiated SSO is a known attack vector — the SAML2Int
+     * interoperability profile recommends against it. Only enable
+     * this if your IdP requires it and you understand the risks.
+     *
      * Only applies when InResponseTo validation is enabled.
      *
-     * @default true
+     * @default false
      */
     allowIdpInitiated?: boolean;
     /**
@@ -578,7 +610,7 @@ declare const listSSOProviders: () => better_call0.StrictEndpoint<"/sso/provider
       userInfoEndpoint: string | undefined;
       jwksEndpoint: string | undefined;
       scopes: string[] | undefined;
-      tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | undefined;
+      tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | "private_key_jwt" | undefined;
     } | undefined;
     samlConfig: {
       entryPoint: string;
@@ -663,7 +695,7 @@ declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/get-provid
     userInfoEndpoint: string | undefined;
     jwksEndpoint: string | undefined;
     scopes: string[] | undefined;
-    tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | undefined;
+    tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | "private_key_jwt" | undefined;
   } | undefined;
   samlConfig: {
     entryPoint: string;
@@ -722,7 +754,10 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
       tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
         client_secret_post: "client_secret_post";
         client_secret_basic: "client_secret_basic";
+        private_key_jwt: "private_key_jwt";
       }>>;
+      privateKeyId: z.ZodOptional<z.ZodString>;
+      privateKeyAlgorithm: z.ZodOptional<z.ZodString>;
       jwksEndpoint: z.ZodOptional<z.ZodString>;
       discoveryEndpoint: z.ZodOptional<z.ZodString>;
       scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
@@ -820,7 +855,7 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
     userInfoEndpoint: string | undefined;
     jwksEndpoint: string | undefined;
     scopes: string[] | undefined;
-    tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | undefined;
+    tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | "private_key_jwt" | undefined;
   } | undefined;
   samlConfig: {
     entryPoint: string;
@@ -893,24 +928,6 @@ declare const deleteSSOProvider: () => better_call0.StrictEndpoint<"/sso/delete-
 }>;
 //#endregion
 //#region src/routes/sso.d.ts
-interface TimestampValidationOptions {
-  clockSkew?: number;
-  requireTimestamps?: boolean;
-  logger?: {
-    warn: (message: string, data?: Record<string, unknown>) => void;
-  };
-}
-/** Conditions extracted from SAML assertion */
-interface SAMLConditions {
-  notBefore?: string;
-  notOnOrAfter?: string;
-}
-/**
- * Validates SAML assertion timestamp conditions (NotBefore/NotOnOrAfter).
- * Prevents acceptance of expired or future-dated assertions.
- * @throws {APIError} If timestamps are invalid, expired, or not yet valid
- */
-declare function validateSAMLTimestamp(conditions: SAMLConditions | undefined, options?: TimestampValidationOptions): void;
 declare const spMetadata: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
   method: "GET";
   query: z.ZodObject<{
@@ -941,14 +958,17 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
     domain: z.ZodString;
     oidcConfig: z.ZodOptional<z.ZodObject<{
       clientId: z.ZodString;
-      clientSecret: z.ZodString;
+      clientSecret: z.ZodOptional<z.ZodString>;
       authorizationEndpoint: z.ZodOptional<z.ZodString>;
       tokenEndpoint: z.ZodOptional<z.ZodString>;
       userInfoEndpoint: z.ZodOptional<z.ZodString>;
       tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
         client_secret_post: "client_secret_post";
         client_secret_basic: "client_secret_basic";
+        private_key_jwt: "private_key_jwt";
       }>>;
+      privateKeyId: z.ZodOptional<z.ZodString>;
+      privateKeyAlgorithm: z.ZodOptional<z.ZodString>;
       jwksEndpoint: z.ZodOptional<z.ZodString>;
       discoveryEndpoint: z.ZodOptional<z.ZodString>;
       skipDiscovery: z.ZodOptional<z.ZodBoolean>;
@@ -1483,6 +1503,26 @@ declare const DEFAULT_MAX_SAML_RESPONSE_SIZE: number;
  */
 declare const DEFAULT_MAX_SAML_METADATA_SIZE: number;
 //#endregion
+//#region src/saml/timestamp.d.ts
+interface TimestampValidationOptions {
+  clockSkew?: number;
+  requireTimestamps?: boolean;
+  logger?: {
+    warn: (message: string, data?: Record<string, unknown>) => void;
+  };
+}
+/** Conditions extracted from SAML assertion */
+interface SAMLConditions {
+  notBefore?: string;
+  notOnOrAfter?: string;
+}
+/**
+ * Validates SAML assertion timestamp conditions (NotBefore/NotOnOrAfter).
+ * Prevents acceptance of expired or future-dated assertions.
+ * @throws {APIError} If timestamps are invalid, expired, or not yet valid
+ */
+declare function validateSAMLTimestamp(conditions: SAMLConditions | undefined, options?: TimestampValidationOptions): void;
+//#endregion
 //#region src/oidc/types.d.ts
 /**
  * OIDC Discovery Types
@@ -1591,7 +1631,7 @@ interface HydratedOIDCConfig {
   /** URL of the userinfo endpoint (optional) */
   userInfoEndpoint?: string;
   /** Token endpoint authentication method */
-  tokenEndpointAuthentication?: "client_secret_basic" | "client_secret_post";
+  tokenEndpointAuthentication?: "client_secret_basic" | "client_secret_post" | "private_key_jwt";
   /** Scopes supported by the IdP */
   scopesSupported?: string[];
 }
@@ -1715,7 +1755,7 @@ declare function normalizeUrl(name: string, endpoint: string, issuer: string): s
  * @param existing - Existing authentication method from config
  * @returns The selected authentication method
  */
-declare function selectTokenEndpointAuthMethod(doc: OIDCDiscoveryDocument, existing?: "client_secret_basic" | "client_secret_post"): "client_secret_basic" | "client_secret_post";
+declare function selectTokenEndpointAuthMethod(doc: OIDCDiscoveryDocument, existing?: "client_secret_basic" | "client_secret_post" | "private_key_jwt"): "client_secret_basic" | "client_secret_post" | "private_key_jwt";
 /**
  * Check if a provider configuration needs runtime discovery.
  *
@@ -1784,4 +1824,4 @@ declare function sso<O extends SSOOptions>(options?: O | undefined): {
   options: NoInfer<O>;
 };
 //#endregion
-export { DataEncryptionAlgorithm as A, TimestampValidationOptions as C, SSOOptions as D, SAMLConfig as E, DigestAlgorithm as M, KeyEncryptionAlgorithm as N, SSOProvider as O, SignatureAlgorithm as P, SAMLConditions as S, OIDCConfig as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, DEFAULT_MAX_SAML_METADATA_SIZE as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, DeprecatedAlgorithmBehavior as j, AlgorithmValidationOptions as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, validateSAMLTimestamp as w, DEFAULT_MAX_SAML_RESPONSE_SIZE as x, DEFAULT_CLOCK_SKEW_MS as y };
+export { DataEncryptionAlgorithm as A, DEFAULT_MAX_SAML_METADATA_SIZE as C, SSOOptions as D, SAMLConfig as E, DigestAlgorithm as M, KeyEncryptionAlgorithm as N, SSOProvider as O, SignatureAlgorithm as P, DEFAULT_CLOCK_SKEW_MS as S, OIDCConfig as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, TimestampValidationOptions as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, DeprecatedAlgorithmBehavior as j, AlgorithmValidationOptions as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, DEFAULT_MAX_SAML_RESPONSE_SIZE as w, validateSAMLTimestamp as x, SAMLConditions as y };

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-iRhhiRKL.mjs";
+import { A as DataEncryptionAlgorithm, C as DEFAULT_MAX_SAML_METADATA_SIZE, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as DEFAULT_CLOCK_SKEW_MS, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as DEFAULT_MAX_SAML_RESPONSE_SIZE, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-DVg_iWRX.mjs";
 export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };