npm - @better-auth/sso - Versions diffs - 1.6.10 → 1.6.11 - Mend

@better-auth/sso 1.6.10 → 1.6.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/client.d.mts +1 -1
package/dist/client.mjs +1 -1
package/dist/{index-DyoL-0jp.d.mts → index-DbZYHOJt.d.mts} +11 -11
package/dist/index.d.mts +1 -1
package/dist/index.mjs +1007 -930
package/dist/{version-Bwp02oze.mjs → version-D_ggtAOl.mjs} +1 -1
package/package.json +5 -5

package/dist/index.mjs CHANGED Viewed

@@ -1,12 +1,13 @@
-import { t as PACKAGE_VERSION } from "./version-Bwp02oze.mjs";
+import { t as PACKAGE_VERSION } from "./version-D_ggtAOl.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
 import { X509Certificate } from "node:crypto";
 import { getHostname } from "tldts";
 import { generateRandomString } from "better-auth/crypto";
 import * as z from "zod";
-import { base64 } from "@better-auth/utils/base64";
+import { isPublicRoutableHost } from "@better-auth/core/utils/host";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
+import { base64 } from "@better-auth/utils/base64";
 import { HIDE_METADATA, createAuthorizationURL, generateGenericState, generateState, parseGenericState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
 import { deleteSessionCookie, setSessionCookie } from "better-auth/cookies";
 import { handleOAuthUserInfo } from "better-auth/oauth2";
@@ -371,992 +372,1060 @@ const verifyDomain = (options) => {
 	});
 };
 //#endregion
-//#region src/saml/parser.ts
-const xmlParser = new XMLParser({
-	ignoreAttributes: false,
-	attributeNamePrefix: "@_",
-	removeNSPrefix: true,
-	processEntities: false
-});
-function findNode(obj, nodeName) {
-	if (!obj || typeof obj !== "object") return null;
-	const record = obj;
-	if (nodeName in record) return record[nodeName];
-	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) {
-		const found = findNode(item, nodeName);
-		if (found) return found;
-	}
-	else if (typeof value === "object" && value !== null) {
-		const found = findNode(value, nodeName);
-		if (found) return found;
-	}
-	return null;
-}
-function countAllNodes(obj, nodeName) {
-	if (!obj || typeof obj !== "object") return 0;
-	let count = 0;
-	const record = obj;
-	if (nodeName in record) {
-		const node = record[nodeName];
-		count += Array.isArray(node) ? node.length : 1;
+//#region src/oidc/types.ts
+/**
+* Custom error class for OIDC discovery failures.
+* Can be caught and mapped to APIError at the edge.
+*/
+var DiscoveryError = class DiscoveryError extends Error {
+	code;
+	details;
+	constructor(code, message, details, options) {
+		super(message, options);
+		this.name = "DiscoveryError";
+		this.code = code;
+		this.details = details;
+		if (Error.captureStackTrace) Error.captureStackTrace(this, DiscoveryError);
 	}
-	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) count += countAllNodes(item, nodeName);
-	else if (typeof value === "object" && value !== null) count += countAllNodes(value, nodeName);
-	return count;
-}
-//#endregion
-//#region src/saml/algorithms.ts
-const SignatureAlgorithm = {
-	RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
-	RSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
-	RSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
-	RSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
-	ECDSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
-	ECDSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
-	ECDSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
-};
-const DigestAlgorithm = {
-	SHA1: "http://www.w3.org/2000/09/xmldsig#sha1",
-	SHA256: "http://www.w3.org/2001/04/xmlenc#sha256",
-	SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
-	SHA512: "http://www.w3.org/2001/04/xmlenc#sha512"
 };
-const KeyEncryptionAlgorithm = {
-	RSA_1_5: "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
-	RSA_OAEP: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
-	RSA_OAEP_SHA256: "http://www.w3.org/2009/xmlenc11#rsa-oaep"
-};
-const DataEncryptionAlgorithm = {
-	TRIPLEDES_CBC: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
-	AES_128_CBC: "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
-	AES_192_CBC: "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
-	AES_256_CBC: "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
-	AES_128_GCM: "http://www.w3.org/2009/xmlenc11#aes128-gcm",
-	AES_192_GCM: "http://www.w3.org/2009/xmlenc11#aes192-gcm",
-	AES_256_GCM: "http://www.w3.org/2009/xmlenc11#aes256-gcm"
-};
-const DEPRECATED_SIGNATURE_ALGORITHMS = [SignatureAlgorithm.RSA_SHA1];
-const DEPRECATED_KEY_ENCRYPTION_ALGORITHMS = [KeyEncryptionAlgorithm.RSA_1_5];
-const DEPRECATED_DATA_ENCRYPTION_ALGORITHMS = [DataEncryptionAlgorithm.TRIPLEDES_CBC];
-const DEPRECATED_DIGEST_ALGORITHMS = [DigestAlgorithm.SHA1];
-const SECURE_SIGNATURE_ALGORITHMS = [
-	SignatureAlgorithm.RSA_SHA256,
-	SignatureAlgorithm.RSA_SHA384,
-	SignatureAlgorithm.RSA_SHA512,
-	SignatureAlgorithm.ECDSA_SHA256,
-	SignatureAlgorithm.ECDSA_SHA384,
-	SignatureAlgorithm.ECDSA_SHA512
-];
-const SECURE_DIGEST_ALGORITHMS = [
-	DigestAlgorithm.SHA256,
-	DigestAlgorithm.SHA384,
-	DigestAlgorithm.SHA512
+/**
+* Required fields that must be present in a valid discovery document.
+*/
+const REQUIRED_DISCOVERY_FIELDS = [
+	"issuer",
+	"authorization_endpoint",
+	"token_endpoint",
+	"jwks_uri"
 ];
-const SHORT_FORM_SIGNATURE_TO_URI = {
-	sha1: SignatureAlgorithm.RSA_SHA1,
-	sha256: SignatureAlgorithm.RSA_SHA256,
-	sha384: SignatureAlgorithm.RSA_SHA384,
-	sha512: SignatureAlgorithm.RSA_SHA512,
-	"rsa-sha1": SignatureAlgorithm.RSA_SHA1,
-	"rsa-sha256": SignatureAlgorithm.RSA_SHA256,
-	"rsa-sha384": SignatureAlgorithm.RSA_SHA384,
-	"rsa-sha512": SignatureAlgorithm.RSA_SHA512,
-	"ecdsa-sha256": SignatureAlgorithm.ECDSA_SHA256,
-	"ecdsa-sha384": SignatureAlgorithm.ECDSA_SHA384,
-	"ecdsa-sha512": SignatureAlgorithm.ECDSA_SHA512
-};
-const SHORT_FORM_DIGEST_TO_URI = {
-	sha1: DigestAlgorithm.SHA1,
-	sha256: DigestAlgorithm.SHA256,
-	sha384: DigestAlgorithm.SHA384,
-	sha512: DigestAlgorithm.SHA512
-};
-function normalizeSignatureAlgorithm(alg) {
-	return SHORT_FORM_SIGNATURE_TO_URI[alg.toLowerCase()] ?? alg;
-}
-function normalizeDigestAlgorithm(alg) {
-	return SHORT_FORM_DIGEST_TO_URI[alg.toLowerCase()] ?? alg;
-}
-function extractEncryptionAlgorithms(xml) {
-	try {
-		const parsed = xmlParser.parse(xml);
-		const keyAlg = (findNode(parsed, "EncryptedKey")?.EncryptionMethod)?.["@_Algorithm"];
-		const dataAlg = (findNode(parsed, "EncryptedData")?.EncryptionMethod)?.["@_Algorithm"];
-		return {
-			keyEncryption: keyAlg || null,
-			dataEncryption: dataAlg || null
-		};
-	} catch {
-		return {
-			keyEncryption: null,
-			dataEncryption: null
-		};
-	}
+//#endregion
+//#region src/oidc/discovery.ts
+/**
+* OIDC Discovery Pipeline
+*
+* Implements OIDC discovery document fetching, validation, and hydration.
+* This module is used both at provider registration time (to persist validated config)
+* and at runtime (to hydrate legacy providers that are missing metadata).
+*
+* @see https://openid.net/specs/openid-connect-discovery-1_0.html
+*/
+/** Default timeout for discovery requests (10 seconds) */
+const DEFAULT_DISCOVERY_TIMEOUT = 1e4;
+/**
+* Main entry point: Discover and hydrate OIDC configuration from an issuer.
+*
+* This function:
+* 1. Computes the discovery URL from the issuer
+* 2. Validates the discovery URL
+* 3. Fetches the discovery document
+* 4. Validates the discovery document (issuer match + required fields)
+* 5. Normalizes URLs
+* 6. Selects token endpoint auth method
+* 7. Merges with existing config (existing values take precedence)
+*
+* @param params - Discovery parameters
+* @param isTrustedOrigin - Origin verification tester function
+* @returns Hydrated OIDC configuration ready for persistence
+* @throws DiscoveryError on any failure
+*/
+async function discoverOIDCConfig(params) {
+	const { issuer, existingConfig, timeout = DEFAULT_DISCOVERY_TIMEOUT } = params;
+	const discoveryUrl = params.discoveryEndpoint || existingConfig?.discoveryEndpoint || computeDiscoveryUrl(issuer);
+	validateDiscoveryUrl(discoveryUrl, params.isTrustedOrigin);
+	const discoveryDoc = await fetchDiscoveryDocument(discoveryUrl, timeout);
+	validateDiscoveryDocument(discoveryDoc, issuer);
+	const normalizedDoc = normalizeDiscoveryUrls(discoveryDoc, issuer, params.isTrustedOrigin);
+	const tokenEndpointAuth = selectTokenEndpointAuthMethod(normalizedDoc, existingConfig?.tokenEndpointAuthentication);
+	return {
+		issuer: existingConfig?.issuer ?? normalizedDoc.issuer,
+		discoveryEndpoint: existingConfig?.discoveryEndpoint ?? discoveryUrl,
+		authorizationEndpoint: existingConfig?.authorizationEndpoint ?? normalizedDoc.authorization_endpoint,
+		tokenEndpoint: existingConfig?.tokenEndpoint ?? normalizedDoc.token_endpoint,
+		jwksEndpoint: existingConfig?.jwksEndpoint ?? normalizedDoc.jwks_uri,
+		userInfoEndpoint: existingConfig?.userInfoEndpoint ?? normalizedDoc.userinfo_endpoint,
+		tokenEndpointAuthentication: existingConfig?.tokenEndpointAuthentication ?? tokenEndpointAuth,
+		scopesSupported: existingConfig?.scopesSupported ?? normalizedDoc.scopes_supported
+	};
 }
-function hasEncryptedAssertion(xml) {
-	try {
-		return findNode(xmlParser.parse(xml), "EncryptedAssertion") !== null;
-	} catch {
-		return false;
-	}
+/**
+* Compute the discovery URL from an issuer URL.
+*
+* Per OIDC Discovery spec, the discovery document is located at:
+* <issuer>/.well-known/openid-configuration
+*
+* Handles trailing slashes correctly.
+*/
+function computeDiscoveryUrl(issuer) {
+	return `${issuer.endsWith("/") ? issuer.slice(0, -1) : issuer}/.well-known/openid-configuration`;
 }
-function handleDeprecatedAlgorithm(message, behavior, errorCode) {
-	switch (behavior) {
-		case "reject": throw new APIError("BAD_REQUEST", {
-			message,
-			code: errorCode
-		});
-		case "warn":
-			console.warn(`[SAML Security Warning] ${message}`);
-			break;
-		case "allow": break;
-	}
+/**
+* Validate a discovery URL before fetching.
+*
+* @param url - The discovery URL to validate
+* @param isTrustedOrigin - Origin verification tester function
+* @throws DiscoveryError if URL is invalid
+*/
+function validateDiscoveryUrl(url, isTrustedOrigin) {
+	const discoveryEndpoint = parseURL("discoveryEndpoint", url).toString();
+	if (!isTrustedOrigin(discoveryEndpoint)) throw new DiscoveryError("discovery_untrusted_origin", `The main discovery endpoint "${discoveryEndpoint}" is not trusted by your trusted origins configuration.`, { url: discoveryEndpoint });
 }
-function validateSignatureAlgorithm(algorithm, options = {}) {
-	if (!algorithm) return;
-	const { onDeprecated = "warn", allowedSignatureAlgorithms } = options;
-	if (allowedSignatureAlgorithms) {
-		if (!allowedSignatureAlgorithms.includes(algorithm)) throw new APIError("BAD_REQUEST", {
-			message: `SAML signature algorithm not in allow-list: ${algorithm}`,
-			code: "SAML_ALGORITHM_NOT_ALLOWED"
-		});
-		return;
-	}
-	if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(algorithm)) {
-		handleDeprecatedAlgorithm(`SAML response uses deprecated signature algorithm: ${algorithm}. Please configure your IdP to use SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
-		return;
-	}
-	if (!SECURE_SIGNATURE_ALGORITHMS.includes(algorithm)) throw new APIError("BAD_REQUEST", {
-		message: `SAML signature algorithm not recognized: ${algorithm}`,
-		code: "SAML_UNKNOWN_ALGORITHM"
+/**
+* Validate that a user-supplied OIDC endpoint URL is safe to fetch.
+*
+* Layered checks (in order):
+*   1. URL parsing + http(s) scheme            → discovery_invalid_url
+*   2. Public-routable host (RFC 6890)         → allowed
+*   3. Operator-allowlisted via trustedOrigins → allowed (opt-in for internal IdPs)
+*   4. Otherwise                               → discovery_private_host
+*
+* Step 2 rejects loopback, RFC 1918, link-local, ULA, shared-address,
+* cloud-metadata FQDNs (e.g. `169.254.169.254`, `metadata.google.internal`),
+* multicast, and reserved ranges. See `isPublicRoutableHost` in
+* `@better-auth/core/utils/host`.
+*
+* Step 3 is the documented escape hatch for customers whose IdP runs on a
+* private network or behind a corporate VPN: they add the IdP origin to their
+* `trustedOrigins` configuration.
+*
+* @param name - The endpoint field name, used in error messages
+* @param endpoint - The URL to validate
+* @param isTrustedOrigin - Predicate matching the configured `trustedOrigins`
+* @throws DiscoveryError(discovery_invalid_url)  — malformed URL or non-http(s) scheme
+* @throws DiscoveryError(discovery_private_host) — host is not publicly routable and not allowlisted
+*/
+function validateSkipDiscoveryEndpoint(name, endpoint, isTrustedOrigin) {
+	const parsed = parseURL(name, endpoint);
+	if (isPublicRoutableHost(parsed.hostname)) return;
+	if (isTrustedOrigin(parsed.toString())) return;
+	throw new DiscoveryError("discovery_private_host", `The ${name} URL (${parsed.toString()}) is not publicly routable: ${parsed.hostname}. If this is an internal IdP, add its origin to trustedOrigins.`, {
+		endpoint: name,
+		url: endpoint,
+		hostname: parsed.hostname
 	});
 }
-function validateEncryptionAlgorithms(algorithms, options = {}) {
-	const { onDeprecated = "warn", allowedKeyEncryptionAlgorithms, allowedDataEncryptionAlgorithms } = options;
-	const { keyEncryption, dataEncryption } = algorithms;
-	if (keyEncryption) {
-		if (allowedKeyEncryptionAlgorithms) {
-			if (!allowedKeyEncryptionAlgorithms.includes(keyEncryption)) throw new APIError("BAD_REQUEST", {
-				message: `SAML key encryption algorithm not in allow-list: ${keyEncryption}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
+/**
+* Validate every present OIDC endpoint URL in a registration or update body.
+*
+* Each provided URL is checked with {@link validateSkipDiscoveryEndpoint}.
+* Omitted (undefined / null / empty) fields are skipped.
+*
+* @param config - OIDC endpoint URLs from the request body
+* @param isTrustedOrigin - Predicate matching the configured `trustedOrigins`
+* @throws DiscoveryError on the first invalid endpoint
+*/
+function validateSkipDiscoveryEndpoints(config, isTrustedOrigin) {
+	const fields = [
+		["authorizationEndpoint", config.authorizationEndpoint],
+		["tokenEndpoint", config.tokenEndpoint],
+		["userInfoEndpoint", config.userInfoEndpoint],
+		["jwksEndpoint", config.jwksEndpoint],
+		["discoveryEndpoint", config.discoveryEndpoint]
+	];
+	for (const [name, url] of fields) if (url) validateSkipDiscoveryEndpoint(name, url, isTrustedOrigin);
+}
+/**
+* Fetch the OIDC discovery document from the IdP.
+*
+* @param url - The discovery endpoint URL
+* @param timeout - Request timeout in milliseconds
+* @returns The parsed discovery document
+* @throws DiscoveryError on network errors, timeouts, or invalid responses
+*/
+async function fetchDiscoveryDocument(url, timeout = DEFAULT_DISCOVERY_TIMEOUT) {
+	try {
+		const response = await betterFetch(url, {
+			method: "GET",
+			timeout
+		});
+		if (response.error) {
+			const { status } = response.error;
+			if (status === 404) throw new DiscoveryError("discovery_not_found", "Discovery endpoint not found", {
+				url,
+				status
 			});
-		} else if (DEPRECATED_KEY_ENCRYPTION_ALGORITHMS.includes(keyEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated key encryption algorithm: ${keyEncryption}. Please configure your IdP to use RSA-OAEP.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
-	}
-	if (dataEncryption) {
-		if (allowedDataEncryptionAlgorithms) {
-			if (!allowedDataEncryptionAlgorithms.includes(dataEncryption)) throw new APIError("BAD_REQUEST", {
-				message: `SAML data encryption algorithm not in allow-list: ${dataEncryption}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			if (status === 408) throw new DiscoveryError("discovery_timeout", "Discovery request timed out", {
+				url,
+				timeout
 			});
-		} else if (DEPRECATED_DATA_ENCRYPTION_ALGORITHMS.includes(dataEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated data encryption algorithm: ${dataEncryption}. Please configure your IdP to use AES-GCM.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
-	}
-}
-function validateSAMLAlgorithms(response, options) {
-	validateSignatureAlgorithm(response.sigAlg, options);
-	if (hasEncryptedAssertion(response.samlContent)) validateEncryptionAlgorithms(extractEncryptionAlgorithms(response.samlContent), options);
-}
-function validateConfigAlgorithms(config, options = {}) {
-	const { onDeprecated = "warn", allowedSignatureAlgorithms, allowedDigestAlgorithms } = options;
-	if (config.signatureAlgorithm) {
-		const normalized = normalizeSignatureAlgorithm(config.signatureAlgorithm);
-		if (allowedSignatureAlgorithms) {
-			if (!allowedSignatureAlgorithms.map(normalizeSignatureAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
-				message: `SAML signature algorithm not in allow-list: ${config.signatureAlgorithm}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			throw new DiscoveryError("discovery_unexpected_error", `Unexpected discovery error: ${response.error.statusText}`, {
+				url,
+				...response.error
 			});
-		} else if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated signature algorithm: ${config.signatureAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
-		else if (!SECURE_SIGNATURE_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
-			message: `SAML signature algorithm not recognized: ${config.signatureAlgorithm}`,
-			code: "SAML_UNKNOWN_ALGORITHM"
+		}
+		if (!response.data) throw new DiscoveryError("discovery_invalid_json", "Discovery endpoint returned an empty response", { url });
+		const data = response.data;
+		if (typeof data === "string") throw new DiscoveryError("discovery_invalid_json", "Discovery endpoint returned invalid JSON", {
+			url,
+			bodyPreview: data.slice(0, 200)
 		});
-	}
-	if (config.digestAlgorithm) {
-		const normalized = normalizeDigestAlgorithm(config.digestAlgorithm);
-		if (allowedDigestAlgorithms) {
-			if (!allowedDigestAlgorithms.map(normalizeDigestAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
-				message: `SAML digest algorithm not in allow-list: ${config.digestAlgorithm}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
-			});
-		} else if (DEPRECATED_DIGEST_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated digest algorithm: ${config.digestAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
-		else if (!SECURE_DIGEST_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
-			message: `SAML digest algorithm not recognized: ${config.digestAlgorithm}`,
-			code: "SAML_UNKNOWN_ALGORITHM"
+		return data;
+	} catch (error) {
+		if (error instanceof DiscoveryError) throw error;
+		if (error instanceof Error && error.name === "AbortError") throw new DiscoveryError("discovery_timeout", "Discovery request timed out", {
+			url,
+			timeout
 		});
+		throw new DiscoveryError("discovery_unexpected_error", `Unexpected error during discovery: ${error instanceof Error ? error.message : String(error)}`, { url }, { cause: error });
 	}
 }
-//#endregion
-//#region src/saml/assertions.ts
-function countAssertions(xml) {
-	let parsed;
+/**
+* Validate a discovery document.
+*
+* Checks:
+* 1. All required fields are present
+* 2. Issuer matches the configured issuer (case-sensitive, exact match)
+*
+* Invariant: If this function returns without throwing, the document is safe
+* to use for hydrating OIDC config (required fields present, issuer matches
+* configured value, basic structural sanity verified).
+*
+* @param doc - The discovery document to validate
+* @param configuredIssuer - The expected issuer value
+* @throws DiscoveryError if validation fails
+*/
+function validateDiscoveryDocument(doc, configuredIssuer) {
+	const missingFields = [];
+	for (const field of REQUIRED_DISCOVERY_FIELDS) if (!doc[field]) missingFields.push(field);
+	if (missingFields.length > 0) throw new DiscoveryError("discovery_incomplete", `Discovery document is missing required fields: ${missingFields.join(", ")}`, { missingFields });
+	if ((doc.issuer.endsWith("/") ? doc.issuer.slice(0, -1) : doc.issuer) !== (configuredIssuer.endsWith("/") ? configuredIssuer.slice(0, -1) : configuredIssuer)) throw new DiscoveryError("issuer_mismatch", `Discovered issuer "${doc.issuer}" does not match configured issuer "${configuredIssuer}"`, {
+		discovered: doc.issuer,
+		configured: configuredIssuer
+	});
+}
+/**
+* Normalize URLs in the discovery document.
+*
+* @param document - The discovery document
+* @param issuer - The base issuer URL
+* @param isTrustedOrigin - Origin verification tester function
+* @returns The normalized discovery document
+*/
+function normalizeDiscoveryUrls(document, issuer, isTrustedOrigin) {
+	const doc = { ...document };
+	doc.token_endpoint = normalizeAndValidateUrl("token_endpoint", doc.token_endpoint, issuer, isTrustedOrigin);
+	doc.authorization_endpoint = normalizeAndValidateUrl("authorization_endpoint", doc.authorization_endpoint, issuer, isTrustedOrigin);
+	doc.jwks_uri = normalizeAndValidateUrl("jwks_uri", doc.jwks_uri, issuer, isTrustedOrigin);
+	if (doc.userinfo_endpoint) doc.userinfo_endpoint = normalizeAndValidateUrl("userinfo_endpoint", doc.userinfo_endpoint, issuer, isTrustedOrigin);
+	if (doc.revocation_endpoint) doc.revocation_endpoint = normalizeAndValidateUrl("revocation_endpoint", doc.revocation_endpoint, issuer, isTrustedOrigin);
+	if (doc.end_session_endpoint) doc.end_session_endpoint = normalizeAndValidateUrl("end_session_endpoint", doc.end_session_endpoint, issuer, isTrustedOrigin);
+	if (doc.introspection_endpoint) doc.introspection_endpoint = normalizeAndValidateUrl("introspection_endpoint", doc.introspection_endpoint, issuer, isTrustedOrigin);
+	return doc;
+}
+/**
+* Normalizes and validates a single URL endpoint
+* @param name The url name
+* @param endpoint The url to validate
+* @param issuer The issuer base url
+* @param isTrustedOrigin - Origin verification tester function
+* @returns
+*/
+function normalizeAndValidateUrl(name, endpoint, issuer, isTrustedOrigin) {
+	const url = normalizeUrl(name, endpoint, issuer);
+	if (!isTrustedOrigin(url)) throw new DiscoveryError("discovery_untrusted_origin", `The ${name} "${url}" is not trusted by your trusted origins configuration.`, {
+		endpoint: name,
+		url
+	});
+	return url;
+}
+/**
+* Normalize a single URL endpoint.
+*
+* @param name - The endpoint name (e.g token_endpoint)
+* @param endpoint - The endpoint URL to normalize
+* @param issuer - The base issuer URL
+* @returns The normalized endpoint URL
+*/
+function normalizeUrl(name, endpoint, issuer) {
 	try {
-		parsed = xmlParser.parse(xml);
+		return parseURL(name, endpoint).toString();
 	} catch {
-		throw new APIError("BAD_REQUEST", {
-			message: "Failed to parse SAML response XML",
-			code: "SAML_INVALID_XML"
-		});
+		const issuerURL = parseURL(name, issuer);
+		const basePath = issuerURL.pathname.replace(/\/+$/, "");
+		const endpointPath = endpoint.replace(/^\/+/, "");
+		return parseURL(name, basePath + "/" + endpointPath, issuerURL.origin).toString();
 	}
-	const assertions = countAllNodes(parsed, "Assertion");
-	const encryptedAssertions = countAllNodes(parsed, "EncryptedAssertion");
-	return {
-		assertions,
-		encryptedAssertions,
-		total: assertions + encryptedAssertions
-	};
 }
-function validateSingleAssertion(samlResponse) {
-	let xml;
+/**
+* Parses the given URL or throws in case of invalid or unsupported protocols
+*
+* @param name the url name
+* @param endpoint the endpoint url
+* @param [base] optional base path
+* @returns
+*/
+function parseURL(name, endpoint, base) {
+	let endpointURL;
 	try {
-		xml = new TextDecoder().decode(base64.decode(samlResponse.replace(/\s+/g, "")));
-		if (!xml.includes("<")) throw new Error("Not XML");
-	} catch {
-		throw new APIError("BAD_REQUEST", {
-			message: "Invalid base64-encoded SAML response",
-			code: "SAML_INVALID_ENCODING"
-		});
+		endpointURL = new URL(endpoint, base);
+		if (endpointURL.protocol === "http:" || endpointURL.protocol === "https:") return endpointURL;
+	} catch (error) {
+		throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must be valid: ${endpoint}`, { url: endpoint }, { cause: error });
 	}
-	const counts = countAssertions(xml);
-	if (counts.total === 0) throw new APIError("BAD_REQUEST", {
-		message: "SAML response contains no assertions",
-		code: "SAML_NO_ASSERTION"
-	});
-	if (counts.total > 1) throw new APIError("BAD_REQUEST", {
-		message: `SAML response contains ${counts.total} assertions, expected exactly 1`,
-		code: "SAML_MULTIPLE_ASSERTIONS"
+	throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must use the http or https supported protocols: ${endpoint}`, {
+		url: endpoint,
+		protocol: endpointURL.protocol
 	});
 }
-//#endregion
-//#region src/routes/schemas.ts
-const oidcMappingSchema = z.object({
-	id: z.string().optional(),
-	email: z.string().optional(),
-	emailVerified: z.string().optional(),
-	name: z.string().optional(),
-	image: z.string().optional(),
-	extraFields: z.record(z.string(), z.any()).optional()
-}).optional();
-const samlMappingSchema = z.object({
-	id: z.string().optional(),
-	email: z.string().optional(),
-	emailVerified: z.string().optional(),
-	name: z.string().optional(),
-	firstName: z.string().optional(),
-	lastName: z.string().optional(),
-	extraFields: z.record(z.string(), z.any()).optional()
-}).optional();
-const oidcConfigSchema = z.object({
-	clientId: z.string().optional(),
-	clientSecret: z.string().optional(),
-	authorizationEndpoint: z.string().url().optional(),
-	tokenEndpoint: z.string().url().optional(),
-	userInfoEndpoint: z.string().url().optional(),
-	tokenEndpointAuthentication: z.enum(["client_secret_post", "client_secret_basic"]).optional(),
-	jwksEndpoint: z.string().url().optional(),
-	discoveryEndpoint: z.string().url().optional(),
-	scopes: z.array(z.string()).optional(),
-	pkce: z.boolean().optional(),
-	overrideUserInfo: z.boolean().optional(),
-	mapping: oidcMappingSchema
-});
-const samlConfigSchema = z.object({
-	entryPoint: z.string().url().optional(),
-	cert: z.string().optional(),
-	callbackUrl: z.string().url().optional(),
-	audience: z.string().optional(),
-	idpMetadata: z.object({
-		metadata: z.string().optional(),
-		entityID: z.string().optional(),
-		cert: z.string().optional(),
-		privateKey: z.string().optional(),
-		privateKeyPass: z.string().optional(),
-		isAssertionEncrypted: z.boolean().optional(),
-		encPrivateKey: z.string().optional(),
-		encPrivateKeyPass: z.string().optional(),
-		singleSignOnService: z.array(z.object({
-			Binding: z.string(),
-			Location: z.string().url()
-		})).optional()
-	}).optional(),
-	spMetadata: z.object({
-		metadata: z.string().optional(),
-		entityID: z.string().optional(),
-		binding: z.string().optional(),
-		privateKey: z.string().optional(),
-		privateKeyPass: z.string().optional(),
-		isAssertionEncrypted: z.boolean().optional(),
-		encPrivateKey: z.string().optional(),
-		encPrivateKeyPass: z.string().optional()
-	}).optional(),
-	wantAssertionsSigned: z.boolean().optional(),
-	authnRequestsSigned: z.boolean().optional(),
-	signatureAlgorithm: z.string().optional(),
-	digestAlgorithm: z.string().optional(),
-	identifierFormat: z.string().optional(),
-	privateKey: z.string().optional(),
-	decryptionPvk: z.string().optional(),
-	additionalParams: z.record(z.string(), z.any()).optional(),
-	mapping: samlMappingSchema
-});
-const updateSSOProviderBodySchema = z.object({
-	issuer: z.string().url().optional(),
-	domain: z.string().optional(),
-	oidcConfig: oidcConfigSchema.optional(),
-	samlConfig: samlConfigSchema.optional()
-});
-//#endregion
-//#region src/routes/providers.ts
-const ADMIN_ROLES = ["owner", "admin"];
-async function isOrgAdmin(ctx, userId, organizationId) {
-	const member = await ctx.context.adapter.findOne({
-		model: "member",
-		where: [{
-			field: "userId",
-			value: userId
-		}, {
-			field: "organizationId",
-			value: organizationId
-		}]
-	});
-	if (!member) return false;
-	return member.role.split(",").some((r) => ADMIN_ROLES.includes(r.trim()));
-}
-async function batchCheckOrgAdmin(ctx, userId, organizationIds) {
-	if (organizationIds.length === 0) return /* @__PURE__ */ new Set();
-	const members = await ctx.context.adapter.findMany({
-		model: "member",
-		where: [{
-			field: "userId",
-			value: userId
-		}, {
-			field: "organizationId",
-			value: organizationIds,
-			operator: "in"
-		}]
-	});
-	const adminOrgIds = /* @__PURE__ */ new Set();
-	for (const member of members) if (member.role.split(",").some((r) => ADMIN_ROLES.includes(r.trim()))) adminOrgIds.add(member.organizationId);
-	return adminOrgIds;
-}
-function sanitizeProvider(provider, baseURL) {
-	let oidcConfig = null;
-	let samlConfig = null;
-	try {
-		oidcConfig = safeJsonParse(provider.oidcConfig);
-	} catch {
-		oidcConfig = null;
-	}
-	try {
-		samlConfig = safeJsonParse(provider.samlConfig);
-	} catch {
-		samlConfig = null;
-	}
-	const type = samlConfig ? "saml" : "oidc";
-	return {
-		providerId: provider.providerId,
-		type,
-		issuer: provider.issuer,
-		domain: provider.domain,
-		organizationId: provider.organizationId || null,
-		domainVerified: provider.domainVerified ?? false,
-		oidcConfig: oidcConfig ? {
-			discoveryEndpoint: oidcConfig.discoveryEndpoint,
-			clientIdLastFour: maskClientId(oidcConfig.clientId),
-			pkce: oidcConfig.pkce,
-			authorizationEndpoint: oidcConfig.authorizationEndpoint,
-			tokenEndpoint: oidcConfig.tokenEndpoint,
-			userInfoEndpoint: oidcConfig.userInfoEndpoint,
-			jwksEndpoint: oidcConfig.jwksEndpoint,
-			scopes: oidcConfig.scopes,
-			tokenEndpointAuthentication: oidcConfig.tokenEndpointAuthentication
-		} : void 0,
-		samlConfig: samlConfig ? {
-			entryPoint: samlConfig.entryPoint,
-			callbackUrl: samlConfig.callbackUrl,
-			audience: samlConfig.audience,
-			wantAssertionsSigned: samlConfig.wantAssertionsSigned,
-			authnRequestsSigned: samlConfig.authnRequestsSigned,
-			identifierFormat: samlConfig.identifierFormat,
-			signatureAlgorithm: samlConfig.signatureAlgorithm,
-			digestAlgorithm: samlConfig.digestAlgorithm,
-			certificate: (() => {
-				try {
-					return parseCertificate(samlConfig.cert);
-				} catch {
-					return { error: "Failed to parse certificate" };
-				}
-			})()
-		} : void 0,
-		spMetadataUrl: `${baseURL}/sso/saml2/sp/metadata?providerId=${encodeURIComponent(provider.providerId)}`
-	};
-}
-const listSSOProviders = () => {
-	return createAuthEndpoint("/sso/providers", {
-		method: "GET",
-		use: [sessionMiddleware],
-		metadata: { openapi: {
-			operationId: "listSSOProviders",
-			summary: "List SSO providers",
-			description: "Returns a list of SSO providers the user has access to",
-			responses: { "200": { description: "List of SSO providers" } }
-		} }
-	}, async (ctx) => {
-		const userId = ctx.context.session.user.id;
-		const allProviders = await ctx.context.adapter.findMany({ model: "ssoProvider" });
-		const userOwnedProviders = allProviders.filter((p) => p.userId === userId && !p.organizationId);
-		const orgProviders = allProviders.filter((p) => p.organizationId !== null && p.organizationId !== void 0);
-		const orgPluginEnabled = ctx.context.hasPlugin("organization");
-		let accessibleProviders = [...userOwnedProviders];
-		if (orgPluginEnabled && orgProviders.length > 0) {
-			const adminOrgIds = await batchCheckOrgAdmin(ctx, userId, [...new Set(orgProviders.map((p) => p.organizationId).filter((id) => id !== null && id !== void 0))]);
-			const orgAccessibleProviders = orgProviders.filter((provider) => provider.organizationId && adminOrgIds.has(provider.organizationId));
-			accessibleProviders = [...accessibleProviders, ...orgAccessibleProviders];
-		} else if (!orgPluginEnabled) {
-			const userOwnedOrgProviders = orgProviders.filter((p) => p.userId === userId);
-			accessibleProviders = [...accessibleProviders, ...userOwnedOrgProviders];
-		}
-		const providers = accessibleProviders.map((p) => sanitizeProvider(p, ctx.context.baseURL));
-		return ctx.json({ providers });
-	});
-};
-const getSSOProviderQuerySchema = z.object({ providerId: z.string() });
-async function checkProviderAccess(ctx, providerId) {
-	const userId = ctx.context.session.user.id;
-	const provider = await ctx.context.adapter.findOne({
-		model: "ssoProvider",
-		where: [{
-			field: "providerId",
-			value: providerId
-		}]
-	});
-	if (!provider) throw new APIError("NOT_FOUND", { message: "Provider not found" });
-	let hasAccess = false;
-	if (provider.organizationId) if (ctx.context.hasPlugin("organization")) hasAccess = await isOrgAdmin(ctx, userId, provider.organizationId);
-	else hasAccess = provider.userId === userId;
-	else hasAccess = provider.userId === userId;
-	if (!hasAccess) throw new APIError("FORBIDDEN", { message: "You don't have access to this provider" });
-	return provider;
-}
-const getSSOProvider = () => {
-	return createAuthEndpoint("/sso/get-provider", {
-		method: "GET",
-		use: [sessionMiddleware],
-		query: getSSOProviderQuerySchema,
-		metadata: { openapi: {
-			operationId: "getSSOProvider",
-			summary: "Get SSO provider details",
-			description: "Returns sanitized details for a specific SSO provider",
-			responses: {
-				"200": { description: "SSO provider details" },
-				"404": { description: "Provider not found" },
-				"403": { description: "Access denied" }
-			}
-		} }
-	}, async (ctx) => {
-		const { providerId } = ctx.query;
-		const provider = await checkProviderAccess(ctx, providerId);
-		return ctx.json(sanitizeProvider(provider, ctx.context.baseURL));
-	});
-};
-function parseAndValidateConfig(configString, configType) {
-	let config = null;
-	try {
-		config = safeJsonParse(configString);
-	} catch {
-		config = null;
-	}
-	if (!config) throw new APIError("BAD_REQUEST", { message: `Cannot update ${configType} config for a provider that doesn't have ${configType} configured` });
-	return config;
-}
-function mergeSAMLConfig(current, updates, issuer) {
-	return {
-		...current,
-		...updates,
-		issuer,
-		entryPoint: updates.entryPoint ?? current.entryPoint,
-		cert: updates.cert ?? current.cert,
-		callbackUrl: updates.callbackUrl ?? current.callbackUrl,
-		spMetadata: updates.spMetadata ?? current.spMetadata,
-		idpMetadata: updates.idpMetadata ?? current.idpMetadata,
-		mapping: updates.mapping ?? current.mapping,
-		audience: updates.audience ?? current.audience,
-		wantAssertionsSigned: updates.wantAssertionsSigned ?? current.wantAssertionsSigned,
-		authnRequestsSigned: updates.authnRequestsSigned ?? current.authnRequestsSigned,
-		identifierFormat: updates.identifierFormat ?? current.identifierFormat,
-		signatureAlgorithm: updates.signatureAlgorithm ?? current.signatureAlgorithm,
-		digestAlgorithm: updates.digestAlgorithm ?? current.digestAlgorithm
-	};
-}
-function mergeOIDCConfig(current, updates, issuer) {
-	return {
-		...current,
-		...updates,
-		issuer,
-		pkce: updates.pkce ?? current.pkce ?? true,
-		clientId: updates.clientId ?? current.clientId,
-		clientSecret: updates.clientSecret ?? current.clientSecret,
-		discoveryEndpoint: updates.discoveryEndpoint ?? current.discoveryEndpoint,
-		mapping: updates.mapping ?? current.mapping,
-		scopes: updates.scopes ?? current.scopes,
-		authorizationEndpoint: updates.authorizationEndpoint ?? current.authorizationEndpoint,
-		tokenEndpoint: updates.tokenEndpoint ?? current.tokenEndpoint,
-		userInfoEndpoint: updates.userInfoEndpoint ?? current.userInfoEndpoint,
-		jwksEndpoint: updates.jwksEndpoint ?? current.jwksEndpoint,
-		tokenEndpointAuthentication: updates.tokenEndpointAuthentication ?? current.tokenEndpointAuthentication
-	};
-}
-const updateSSOProvider = (options) => {
-	return createAuthEndpoint("/sso/update-provider", {
-		method: "POST",
-		use: [sessionMiddleware],
-		body: updateSSOProviderBodySchema.extend({ providerId: z.string() }),
-		metadata: { openapi: {
-			operationId: "updateSSOProvider",
-			summary: "Update SSO provider",
-			description: "Partially update an SSO provider. Only provided fields are updated. If domain changes, domainVerified is reset to false.",
-			responses: {
-				"200": { description: "SSO provider updated successfully" },
-				"404": { description: "Provider not found" },
-				"403": { description: "Access denied" }
-			}
-		} }
-	}, async (ctx) => {
-		const { providerId, ...body } = ctx.body;
-		const { issuer, domain, samlConfig, oidcConfig } = body;
-		if (!issuer && !domain && !samlConfig && !oidcConfig) throw new APIError("BAD_REQUEST", { message: "No fields provided for update" });
-		const existingProvider = await checkProviderAccess(ctx, providerId);
-		const updateData = {};
-		if (body.issuer !== void 0) updateData.issuer = body.issuer;
-		if (body.domain !== void 0) {
-			updateData.domain = body.domain;
-			if (body.domain !== existingProvider.domain) updateData.domainVerified = false;
-		}
-		if (body.samlConfig) {
-			if (body.samlConfig.idpMetadata?.metadata) {
-				const maxMetadataSize = options?.saml?.maxMetadataSize ?? 102400;
-				if (new TextEncoder().encode(body.samlConfig.idpMetadata.metadata).length > maxMetadataSize) throw new APIError("BAD_REQUEST", { message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)` });
-			}
-			if (body.samlConfig.signatureAlgorithm !== void 0 || body.samlConfig.digestAlgorithm !== void 0) validateConfigAlgorithms({
-				signatureAlgorithm: body.samlConfig.signatureAlgorithm,
-				digestAlgorithm: body.samlConfig.digestAlgorithm
-			}, options?.saml?.algorithms);
-			const currentSamlConfig = parseAndValidateConfig(existingProvider.samlConfig, "SAML");
-			const updatedSamlConfig = mergeSAMLConfig(currentSamlConfig, body.samlConfig, updateData.issuer || currentSamlConfig.issuer || existingProvider.issuer);
-			updateData.samlConfig = JSON.stringify(updatedSamlConfig);
-		}
-		if (body.oidcConfig) {
-			const currentOidcConfig = parseAndValidateConfig(existingProvider.oidcConfig, "OIDC");
-			const updatedOidcConfig = mergeOIDCConfig(currentOidcConfig, body.oidcConfig, updateData.issuer || currentOidcConfig.issuer || existingProvider.issuer);
-			updateData.oidcConfig = JSON.stringify(updatedOidcConfig);
-		}
-		await ctx.context.adapter.update({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: providerId
-			}],
-			update: updateData
-		});
-		const fullProvider = await ctx.context.adapter.findOne({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: providerId
-			}]
-		});
-		if (!fullProvider) throw new APIError("NOT_FOUND", { message: "Provider not found after update" });
-		return ctx.json(sanitizeProvider(fullProvider, ctx.context.baseURL));
-	});
-};
-const deleteSSOProvider = () => {
-	return createAuthEndpoint("/sso/delete-provider", {
-		method: "POST",
-		use: [sessionMiddleware],
-		body: z.object({ providerId: z.string() }),
-		metadata: { openapi: {
-			operationId: "deleteSSOProvider",
-			summary: "Delete SSO provider",
-			description: "Deletes an SSO provider",
-			responses: {
-				"200": { description: "SSO provider deleted successfully" },
-				"404": { description: "Provider not found" },
-				"403": { description: "Access denied" }
-			}
-		} }
-	}, async (ctx) => {
-		const { providerId } = ctx.body;
-		await checkProviderAccess(ctx, providerId);
-		await ctx.context.adapter.delete({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: providerId
-			}]
-		});
-		return ctx.json({ success: true });
-	});
-};
-//#endregion
-//#region src/oidc/types.ts
 /**
-* Custom error class for OIDC discovery failures.
-* Can be caught and mapped to APIError at the edge.
+* Select the token endpoint authentication method.
+*
+* @param doc - The discovery document
+* @param existing - Existing authentication method from config
+* @returns The selected authentication method
 */
-var DiscoveryError = class DiscoveryError extends Error {
-	code;
-	details;
-	constructor(code, message, details, options) {
-		super(message, options);
-		this.name = "DiscoveryError";
-		this.code = code;
-		this.details = details;
-		if (Error.captureStackTrace) Error.captureStackTrace(this, DiscoveryError);
-	}
-};
+function selectTokenEndpointAuthMethod(doc, existing) {
+	if (existing) return existing;
+	const supported = doc.token_endpoint_auth_methods_supported;
+	if (!supported || supported.length === 0) return "client_secret_basic";
+	if (supported.includes("client_secret_basic")) return "client_secret_basic";
+	if (supported.includes("client_secret_post")) return "client_secret_post";
+	return "client_secret_basic";
+}
 /**
-* Required fields that must be present in a valid discovery document.
+* Check if a provider configuration needs runtime discovery.
+*
+* Returns true if we need discovery at runtime to complete the token exchange
+* and validation. Specifically checks for:
+* - `tokenEndpoint` - required for exchanging authorization code for tokens
+* - `jwksEndpoint` - required for validating ID token signatures
+* - `authorizationEndpoint` - required for redirecting users to the IdP for login
+*
+* @param config - Partial OIDC config from the provider
+* @returns true if runtime discovery should be performed
 */
-const REQUIRED_DISCOVERY_FIELDS = [
-	"issuer",
-	"authorization_endpoint",
-	"token_endpoint",
-	"jwks_uri"
-];
+function needsRuntimeDiscovery(config) {
+	if (!config) return true;
+	return !config.tokenEndpoint || !config.jwksEndpoint || !config.authorizationEndpoint;
+}
+/**
+* Runs runtime OIDC discovery when the stored config is missing required
+* endpoints, and merges the hydrated fields back into the config.
+* Throws if discovery fails.
+*/
+async function ensureRuntimeDiscovery(config, issuer, isTrustedOrigin) {
+	if (!needsRuntimeDiscovery(config)) return config;
+	const hydrated = await discoverOIDCConfig({
+		issuer,
+		existingConfig: config,
+		isTrustedOrigin
+	});
+	return {
+		...config,
+		authorizationEndpoint: hydrated.authorizationEndpoint,
+		tokenEndpoint: hydrated.tokenEndpoint,
+		tokenEndpointAuthentication: hydrated.tokenEndpointAuthentication,
+		userInfoEndpoint: hydrated.userInfoEndpoint,
+		jwksEndpoint: hydrated.jwksEndpoint
+	};
+}
 //#endregion
-//#region src/oidc/discovery.ts
+//#region src/oidc/errors.ts
 /**
-* OIDC Discovery Pipeline
-*
-* Implements OIDC discovery document fetching, validation, and hydration.
-* This module is used both at provider registration time (to persist validated config)
-* and at runtime (to hydrate legacy providers that are missing metadata).
+* OIDC Discovery Error Mapping
 *
-* @see https://openid.net/specs/openid-connect-discovery-1_0.html
+* Maps DiscoveryError codes to appropriate APIError responses.
+* Used at the boundary between the discovery pipeline and HTTP handlers.
 */
-/** Default timeout for discovery requests (10 seconds) */
-const DEFAULT_DISCOVERY_TIMEOUT = 1e4;
 /**
-* Main entry point: Discover and hydrate OIDC configuration from an issuer.
+* Maps a DiscoveryError to an appropriate APIError for HTTP responses.
 *
-* This function:
-* 1. Computes the discovery URL from the issuer
-* 2. Validates the discovery URL
-* 3. Fetches the discovery document
-* 4. Validates the discovery document (issuer match + required fields)
-* 5. Normalizes URLs
-* 6. Selects token endpoint auth method
-* 7. Merges with existing config (existing values take precedence)
+* Error code mapping:
+* - discovery_invalid_url        → 400 BAD_REQUEST
+* - discovery_not_found          → 400 BAD_REQUEST
+* - discovery_untrusted_origin   → 400 BAD_REQUEST
+* - discovery_private_host       → 400 BAD_REQUEST
+* - discovery_invalid_json       → 400 BAD_REQUEST
+* - discovery_incomplete         → 400 BAD_REQUEST
+* - issuer_mismatch              → 400 BAD_REQUEST
+* - unsupported_token_auth_method → 400 BAD_REQUEST
+* - discovery_timeout            → 502 BAD_GATEWAY
+* - discovery_unexpected_error   → 502 BAD_GATEWAY
 *
-* @param params - Discovery parameters
-* @param isTrustedOrigin - Origin verification tester function
-* @returns Hydrated OIDC configuration ready for persistence
-* @throws DiscoveryError on any failure
+* @param error - The DiscoveryError to map
+* @returns An APIError with appropriate status and message
 */
-async function discoverOIDCConfig(params) {
-	const { issuer, existingConfig, timeout = DEFAULT_DISCOVERY_TIMEOUT } = params;
-	const discoveryUrl = params.discoveryEndpoint || existingConfig?.discoveryEndpoint || computeDiscoveryUrl(issuer);
-	validateDiscoveryUrl(discoveryUrl, params.isTrustedOrigin);
-	const discoveryDoc = await fetchDiscoveryDocument(discoveryUrl, timeout);
-	validateDiscoveryDocument(discoveryDoc, issuer);
-	const normalizedDoc = normalizeDiscoveryUrls(discoveryDoc, issuer, params.isTrustedOrigin);
-	const tokenEndpointAuth = selectTokenEndpointAuthMethod(normalizedDoc, existingConfig?.tokenEndpointAuthentication);
-	return {
-		issuer: existingConfig?.issuer ?? normalizedDoc.issuer,
-		discoveryEndpoint: existingConfig?.discoveryEndpoint ?? discoveryUrl,
-		authorizationEndpoint: existingConfig?.authorizationEndpoint ?? normalizedDoc.authorization_endpoint,
-		tokenEndpoint: existingConfig?.tokenEndpoint ?? normalizedDoc.token_endpoint,
-		jwksEndpoint: existingConfig?.jwksEndpoint ?? normalizedDoc.jwks_uri,
-		userInfoEndpoint: existingConfig?.userInfoEndpoint ?? normalizedDoc.userinfo_endpoint,
-		tokenEndpointAuthentication: existingConfig?.tokenEndpointAuthentication ?? tokenEndpointAuth,
-		scopesSupported: existingConfig?.scopesSupported ?? normalizedDoc.scopes_supported
-	};
+function mapDiscoveryErrorToAPIError(error) {
+	switch (error.code) {
+		case "discovery_timeout": return new APIError("BAD_GATEWAY", {
+			message: `OIDC discovery timed out: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_unexpected_error": return new APIError("BAD_GATEWAY", {
+			message: `OIDC discovery failed: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_not_found": return new APIError("BAD_REQUEST", {
+			message: `OIDC discovery endpoint not found. The issuer may not support OIDC discovery, or the URL is incorrect. ${error.message}`,
+			code: error.code
+		});
+		case "discovery_invalid_url": return new APIError("BAD_REQUEST", {
+			message: `Invalid OIDC endpoint URL: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_untrusted_origin": return new APIError("BAD_REQUEST", {
+			message: `Untrusted OIDC discovery URL: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_private_host": return new APIError("BAD_REQUEST", {
+			message: error.message,
+			code: error.code
+		});
+		case "discovery_invalid_json": return new APIError("BAD_REQUEST", {
+			message: `OIDC discovery returned invalid data: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_incomplete": return new APIError("BAD_REQUEST", {
+			message: `OIDC discovery document is missing required fields: ${error.message}`,
+			code: error.code
+		});
+		case "issuer_mismatch": return new APIError("BAD_REQUEST", {
+			message: `OIDC issuer mismatch: ${error.message}`,
+			code: error.code
+		});
+		case "unsupported_token_auth_method": return new APIError("BAD_REQUEST", {
+			message: `Incompatible OIDC provider: ${error.message}`,
+			code: error.code
+		});
+		default:
+			error.code;
+			return new APIError("INTERNAL_SERVER_ERROR", {
+				message: `Unexpected discovery error: ${error.message}`,
+				code: "discovery_unexpected_error"
+			});
+	}
+}
+//#endregion
+//#region src/saml/parser.ts
+const xmlParser = new XMLParser({
+	ignoreAttributes: false,
+	attributeNamePrefix: "@_",
+	removeNSPrefix: true,
+	processEntities: false
+});
+function findNode(obj, nodeName) {
+	if (!obj || typeof obj !== "object") return null;
+	const record = obj;
+	if (nodeName in record) return record[nodeName];
+	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) {
+		const found = findNode(item, nodeName);
+		if (found) return found;
+	}
+	else if (typeof value === "object" && value !== null) {
+		const found = findNode(value, nodeName);
+		if (found) return found;
+	}
+	return null;
+}
+function countAllNodes(obj, nodeName) {
+	if (!obj || typeof obj !== "object") return 0;
+	let count = 0;
+	const record = obj;
+	if (nodeName in record) {
+		const node = record[nodeName];
+		count += Array.isArray(node) ? node.length : 1;
+	}
+	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) count += countAllNodes(item, nodeName);
+	else if (typeof value === "object" && value !== null) count += countAllNodes(value, nodeName);
+	return count;
+}
+//#endregion
+//#region src/saml/algorithms.ts
+const SignatureAlgorithm = {
+	RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+	RSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+	RSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
+	RSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
+	ECDSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
+	ECDSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
+	ECDSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
+};
+const DigestAlgorithm = {
+	SHA1: "http://www.w3.org/2000/09/xmldsig#sha1",
+	SHA256: "http://www.w3.org/2001/04/xmlenc#sha256",
+	SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
+	SHA512: "http://www.w3.org/2001/04/xmlenc#sha512"
+};
+const KeyEncryptionAlgorithm = {
+	RSA_1_5: "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
+	RSA_OAEP: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
+	RSA_OAEP_SHA256: "http://www.w3.org/2009/xmlenc11#rsa-oaep"
+};
+const DataEncryptionAlgorithm = {
+	TRIPLEDES_CBC: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
+	AES_128_CBC: "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
+	AES_192_CBC: "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
+	AES_256_CBC: "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
+	AES_128_GCM: "http://www.w3.org/2009/xmlenc11#aes128-gcm",
+	AES_192_GCM: "http://www.w3.org/2009/xmlenc11#aes192-gcm",
+	AES_256_GCM: "http://www.w3.org/2009/xmlenc11#aes256-gcm"
+};
+const DEPRECATED_SIGNATURE_ALGORITHMS = [SignatureAlgorithm.RSA_SHA1];
+const DEPRECATED_KEY_ENCRYPTION_ALGORITHMS = [KeyEncryptionAlgorithm.RSA_1_5];
+const DEPRECATED_DATA_ENCRYPTION_ALGORITHMS = [DataEncryptionAlgorithm.TRIPLEDES_CBC];
+const DEPRECATED_DIGEST_ALGORITHMS = [DigestAlgorithm.SHA1];
+const SECURE_SIGNATURE_ALGORITHMS = [
+	SignatureAlgorithm.RSA_SHA256,
+	SignatureAlgorithm.RSA_SHA384,
+	SignatureAlgorithm.RSA_SHA512,
+	SignatureAlgorithm.ECDSA_SHA256,
+	SignatureAlgorithm.ECDSA_SHA384,
+	SignatureAlgorithm.ECDSA_SHA512
+];
+const SECURE_DIGEST_ALGORITHMS = [
+	DigestAlgorithm.SHA256,
+	DigestAlgorithm.SHA384,
+	DigestAlgorithm.SHA512
+];
+const SHORT_FORM_SIGNATURE_TO_URI = {
+	sha1: SignatureAlgorithm.RSA_SHA1,
+	sha256: SignatureAlgorithm.RSA_SHA256,
+	sha384: SignatureAlgorithm.RSA_SHA384,
+	sha512: SignatureAlgorithm.RSA_SHA512,
+	"rsa-sha1": SignatureAlgorithm.RSA_SHA1,
+	"rsa-sha256": SignatureAlgorithm.RSA_SHA256,
+	"rsa-sha384": SignatureAlgorithm.RSA_SHA384,
+	"rsa-sha512": SignatureAlgorithm.RSA_SHA512,
+	"ecdsa-sha256": SignatureAlgorithm.ECDSA_SHA256,
+	"ecdsa-sha384": SignatureAlgorithm.ECDSA_SHA384,
+	"ecdsa-sha512": SignatureAlgorithm.ECDSA_SHA512
+};
+const SHORT_FORM_DIGEST_TO_URI = {
+	sha1: DigestAlgorithm.SHA1,
+	sha256: DigestAlgorithm.SHA256,
+	sha384: DigestAlgorithm.SHA384,
+	sha512: DigestAlgorithm.SHA512
+};
+function normalizeSignatureAlgorithm(alg) {
+	return SHORT_FORM_SIGNATURE_TO_URI[alg.toLowerCase()] ?? alg;
 }
-/**
-* Compute the discovery URL from an issuer URL.
-*
-* Per OIDC Discovery spec, the discovery document is located at:
-* <issuer>/.well-known/openid-configuration
-*
-* Handles trailing slashes correctly.
-*/
-function computeDiscoveryUrl(issuer) {
-	return `${issuer.endsWith("/") ? issuer.slice(0, -1) : issuer}/.well-known/openid-configuration`;
+function normalizeDigestAlgorithm(alg) {
+	return SHORT_FORM_DIGEST_TO_URI[alg.toLowerCase()] ?? alg;
 }
-/**
-* Validate a discovery URL before fetching.
-*
-* @param url - The discovery URL to validate
-* @param isTrustedOrigin - Origin verification tester function
-* @throws DiscoveryError if URL is invalid
-*/
-function validateDiscoveryUrl(url, isTrustedOrigin) {
-	const discoveryEndpoint = parseURL("discoveryEndpoint", url).toString();
-	if (!isTrustedOrigin(discoveryEndpoint)) throw new DiscoveryError("discovery_untrusted_origin", `The main discovery endpoint "${discoveryEndpoint}" is not trusted by your trusted origins configuration.`, { url: discoveryEndpoint });
+function extractEncryptionAlgorithms(xml) {
+	try {
+		const parsed = xmlParser.parse(xml);
+		const keyAlg = (findNode(parsed, "EncryptedKey")?.EncryptionMethod)?.["@_Algorithm"];
+		const dataAlg = (findNode(parsed, "EncryptedData")?.EncryptionMethod)?.["@_Algorithm"];
+		return {
+			keyEncryption: keyAlg || null,
+			dataEncryption: dataAlg || null
+		};
+	} catch {
+		return {
+			keyEncryption: null,
+			dataEncryption: null
+		};
+	}
 }
-/**
-* Fetch the OIDC discovery document from the IdP.
-*
-* @param url - The discovery endpoint URL
-* @param timeout - Request timeout in milliseconds
-* @returns The parsed discovery document
-* @throws DiscoveryError on network errors, timeouts, or invalid responses
-*/
-async function fetchDiscoveryDocument(url, timeout = DEFAULT_DISCOVERY_TIMEOUT) {
+function hasEncryptedAssertion(xml) {
 	try {
-		const response = await betterFetch(url, {
-			method: "GET",
-			timeout
+		return findNode(xmlParser.parse(xml), "EncryptedAssertion") !== null;
+	} catch {
+		return false;
+	}
+}
+function handleDeprecatedAlgorithm(message, behavior, errorCode) {
+	switch (behavior) {
+		case "reject": throw new APIError("BAD_REQUEST", {
+			message,
+			code: errorCode
 		});
-		if (response.error) {
-			const { status } = response.error;
-			if (status === 404) throw new DiscoveryError("discovery_not_found", "Discovery endpoint not found", {
-				url,
-				status
+		case "warn":
+			console.warn(`[SAML Security Warning] ${message}`);
+			break;
+		case "allow": break;
+	}
+}
+function validateSignatureAlgorithm(algorithm, options = {}) {
+	if (!algorithm) return;
+	const { onDeprecated = "warn", allowedSignatureAlgorithms } = options;
+	if (allowedSignatureAlgorithms) {
+		if (!allowedSignatureAlgorithms.includes(algorithm)) throw new APIError("BAD_REQUEST", {
+			message: `SAML signature algorithm not in allow-list: ${algorithm}`,
+			code: "SAML_ALGORITHM_NOT_ALLOWED"
+		});
+		return;
+	}
+	if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(algorithm)) {
+		handleDeprecatedAlgorithm(`SAML response uses deprecated signature algorithm: ${algorithm}. Please configure your IdP to use SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+		return;
+	}
+	if (!SECURE_SIGNATURE_ALGORITHMS.includes(algorithm)) throw new APIError("BAD_REQUEST", {
+		message: `SAML signature algorithm not recognized: ${algorithm}`,
+		code: "SAML_UNKNOWN_ALGORITHM"
+	});
+}
+function validateEncryptionAlgorithms(algorithms, options = {}) {
+	const { onDeprecated = "warn", allowedKeyEncryptionAlgorithms, allowedDataEncryptionAlgorithms } = options;
+	const { keyEncryption, dataEncryption } = algorithms;
+	if (keyEncryption) {
+		if (allowedKeyEncryptionAlgorithms) {
+			if (!allowedKeyEncryptionAlgorithms.includes(keyEncryption)) throw new APIError("BAD_REQUEST", {
+				message: `SAML key encryption algorithm not in allow-list: ${keyEncryption}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
 			});
-			if (status === 408) throw new DiscoveryError("discovery_timeout", "Discovery request timed out", {
-				url,
-				timeout
+		} else if (DEPRECATED_KEY_ENCRYPTION_ALGORITHMS.includes(keyEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated key encryption algorithm: ${keyEncryption}. Please configure your IdP to use RSA-OAEP.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+	}
+	if (dataEncryption) {
+		if (allowedDataEncryptionAlgorithms) {
+			if (!allowedDataEncryptionAlgorithms.includes(dataEncryption)) throw new APIError("BAD_REQUEST", {
+				message: `SAML data encryption algorithm not in allow-list: ${dataEncryption}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
 			});
-			throw new DiscoveryError("discovery_unexpected_error", `Unexpected discovery error: ${response.error.statusText}`, {
-				url,
-				...response.error
+		} else if (DEPRECATED_DATA_ENCRYPTION_ALGORITHMS.includes(dataEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated data encryption algorithm: ${dataEncryption}. Please configure your IdP to use AES-GCM.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+	}
+}
+function validateSAMLAlgorithms(response, options) {
+	validateSignatureAlgorithm(response.sigAlg, options);
+	if (hasEncryptedAssertion(response.samlContent)) validateEncryptionAlgorithms(extractEncryptionAlgorithms(response.samlContent), options);
+}
+function validateConfigAlgorithms(config, options = {}) {
+	const { onDeprecated = "warn", allowedSignatureAlgorithms, allowedDigestAlgorithms } = options;
+	if (config.signatureAlgorithm) {
+		const normalized = normalizeSignatureAlgorithm(config.signatureAlgorithm);
+		if (allowedSignatureAlgorithms) {
+			if (!allowedSignatureAlgorithms.map(normalizeSignatureAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
+				message: `SAML signature algorithm not in allow-list: ${config.signatureAlgorithm}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
 			});
-		}
-		if (!response.data) throw new DiscoveryError("discovery_invalid_json", "Discovery endpoint returned an empty response", { url });
-		const data = response.data;
-		if (typeof data === "string") throw new DiscoveryError("discovery_invalid_json", "Discovery endpoint returned invalid JSON", {
-			url,
-			bodyPreview: data.slice(0, 200)
+		} else if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated signature algorithm: ${config.signatureAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
+		else if (!SECURE_SIGNATURE_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
+			message: `SAML signature algorithm not recognized: ${config.signatureAlgorithm}`,
+			code: "SAML_UNKNOWN_ALGORITHM"
 		});
-		return data;
-	} catch (error) {
-		if (error instanceof DiscoveryError) throw error;
-		if (error instanceof Error && error.name === "AbortError") throw new DiscoveryError("discovery_timeout", "Discovery request timed out", {
-			url,
-			timeout
+	}
+	if (config.digestAlgorithm) {
+		const normalized = normalizeDigestAlgorithm(config.digestAlgorithm);
+		if (allowedDigestAlgorithms) {
+			if (!allowedDigestAlgorithms.map(normalizeDigestAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
+				message: `SAML digest algorithm not in allow-list: ${config.digestAlgorithm}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_DIGEST_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated digest algorithm: ${config.digestAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
+		else if (!SECURE_DIGEST_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
+			message: `SAML digest algorithm not recognized: ${config.digestAlgorithm}`,
+			code: "SAML_UNKNOWN_ALGORITHM"
+		});
+	}
+}
+//#endregion
+//#region src/saml/assertions.ts
+function countAssertions(xml) {
+	let parsed;
+	try {
+		parsed = xmlParser.parse(xml);
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			message: "Failed to parse SAML response XML",
+			code: "SAML_INVALID_XML"
+		});
+	}
+	const assertions = countAllNodes(parsed, "Assertion");
+	const encryptedAssertions = countAllNodes(parsed, "EncryptedAssertion");
+	return {
+		assertions,
+		encryptedAssertions,
+		total: assertions + encryptedAssertions
+	};
+}
+function validateSingleAssertion(samlResponse) {
+	let xml;
+	try {
+		xml = new TextDecoder().decode(base64.decode(samlResponse.replace(/\s+/g, "")));
+		if (!xml.includes("<")) throw new Error("Not XML");
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			message: "Invalid base64-encoded SAML response",
+			code: "SAML_INVALID_ENCODING"
 		});
-		throw new DiscoveryError("discovery_unexpected_error", `Unexpected error during discovery: ${error instanceof Error ? error.message : String(error)}`, { url }, { cause: error });
 	}
+	const counts = countAssertions(xml);
+	if (counts.total === 0) throw new APIError("BAD_REQUEST", {
+		message: "SAML response contains no assertions",
+		code: "SAML_NO_ASSERTION"
+	});
+	if (counts.total > 1) throw new APIError("BAD_REQUEST", {
+		message: `SAML response contains ${counts.total} assertions, expected exactly 1`,
+		code: "SAML_MULTIPLE_ASSERTIONS"
+	});
+}
+//#endregion
+//#region src/routes/schemas.ts
+const oidcMappingSchema = z.object({
+	id: z.string().optional(),
+	email: z.string().optional(),
+	emailVerified: z.string().optional(),
+	name: z.string().optional(),
+	image: z.string().optional(),
+	extraFields: z.record(z.string(), z.any()).optional()
+}).optional();
+const samlMappingSchema = z.object({
+	id: z.string().optional(),
+	email: z.string().optional(),
+	emailVerified: z.string().optional(),
+	name: z.string().optional(),
+	firstName: z.string().optional(),
+	lastName: z.string().optional(),
+	extraFields: z.record(z.string(), z.any()).optional()
+}).optional();
+const oidcConfigSchema = z.object({
+	clientId: z.string().optional(),
+	clientSecret: z.string().optional(),
+	authorizationEndpoint: z.url().optional(),
+	tokenEndpoint: z.url().optional(),
+	userInfoEndpoint: z.url().optional(),
+	tokenEndpointAuthentication: z.enum(["client_secret_post", "client_secret_basic"]).optional(),
+	jwksEndpoint: z.url().optional(),
+	discoveryEndpoint: z.url().optional(),
+	scopes: z.array(z.string()).optional(),
+	pkce: z.boolean().optional(),
+	overrideUserInfo: z.boolean().optional(),
+	mapping: oidcMappingSchema
+});
+const samlConfigSchema = z.object({
+	entryPoint: z.string().url().optional(),
+	cert: z.string().optional(),
+	callbackUrl: z.string().url().optional(),
+	audience: z.string().optional(),
+	idpMetadata: z.object({
+		metadata: z.string().optional(),
+		entityID: z.string().optional(),
+		cert: z.string().optional(),
+		privateKey: z.string().optional(),
+		privateKeyPass: z.string().optional(),
+		isAssertionEncrypted: z.boolean().optional(),
+		encPrivateKey: z.string().optional(),
+		encPrivateKeyPass: z.string().optional(),
+		singleSignOnService: z.array(z.object({
+			Binding: z.string(),
+			Location: z.string().url()
+		})).optional()
+	}).optional(),
+	spMetadata: z.object({
+		metadata: z.string().optional(),
+		entityID: z.string().optional(),
+		binding: z.string().optional(),
+		privateKey: z.string().optional(),
+		privateKeyPass: z.string().optional(),
+		isAssertionEncrypted: z.boolean().optional(),
+		encPrivateKey: z.string().optional(),
+		encPrivateKeyPass: z.string().optional()
+	}).optional(),
+	wantAssertionsSigned: z.boolean().optional(),
+	authnRequestsSigned: z.boolean().optional(),
+	signatureAlgorithm: z.string().optional(),
+	digestAlgorithm: z.string().optional(),
+	identifierFormat: z.string().optional(),
+	privateKey: z.string().optional(),
+	decryptionPvk: z.string().optional(),
+	additionalParams: z.record(z.string(), z.any()).optional(),
+	mapping: samlMappingSchema
+});
+const updateSSOProviderBodySchema = z.object({
+	issuer: z.string().url().optional(),
+	domain: z.string().optional(),
+	oidcConfig: oidcConfigSchema.optional(),
+	samlConfig: samlConfigSchema.optional()
+});
+//#endregion
+//#region src/routes/providers.ts
+const ADMIN_ROLES = ["owner", "admin"];
+function hasOrgAdminRole(member) {
+	return member.role.split(",").some((r) => ADMIN_ROLES.includes(r.trim()));
 }
-/**
-* Validate a discovery document.
-*
-* Checks:
-* 1. All required fields are present
-* 2. Issuer matches the configured issuer (case-sensitive, exact match)
-*
-* Invariant: If this function returns without throwing, the document is safe
-* to use for hydrating OIDC config (required fields present, issuer matches
-* configured value, basic structural sanity verified).
-*
-* @param doc - The discovery document to validate
-* @param configuredIssuer - The expected issuer value
-* @throws DiscoveryError if validation fails
-*/
-function validateDiscoveryDocument(doc, configuredIssuer) {
-	const missingFields = [];
-	for (const field of REQUIRED_DISCOVERY_FIELDS) if (!doc[field]) missingFields.push(field);
-	if (missingFields.length > 0) throw new DiscoveryError("discovery_incomplete", `Discovery document is missing required fields: ${missingFields.join(", ")}`, { missingFields });
-	if ((doc.issuer.endsWith("/") ? doc.issuer.slice(0, -1) : doc.issuer) !== (configuredIssuer.endsWith("/") ? configuredIssuer.slice(0, -1) : configuredIssuer)) throw new DiscoveryError("issuer_mismatch", `Discovered issuer "${doc.issuer}" does not match configured issuer "${configuredIssuer}"`, {
-		discovered: doc.issuer,
-		configured: configuredIssuer
+async function isOrgAdmin(ctx, userId, organizationId) {
+	const member = await ctx.context.adapter.findOne({
+		model: "member",
+		where: [{
+			field: "userId",
+			value: userId
+		}, {
+			field: "organizationId",
+			value: organizationId
+		}]
 	});
+	return member ? hasOrgAdminRole(member) : false;
 }
-/**
-* Normalize URLs in the discovery document.
-*
-* @param document - The discovery document
-* @param issuer - The base issuer URL
-* @param isTrustedOrigin - Origin verification tester function
-* @returns The normalized discovery document
-*/
-function normalizeDiscoveryUrls(document, issuer, isTrustedOrigin) {
-	const doc = { ...document };
-	doc.token_endpoint = normalizeAndValidateUrl("token_endpoint", doc.token_endpoint, issuer, isTrustedOrigin);
-	doc.authorization_endpoint = normalizeAndValidateUrl("authorization_endpoint", doc.authorization_endpoint, issuer, isTrustedOrigin);
-	doc.jwks_uri = normalizeAndValidateUrl("jwks_uri", doc.jwks_uri, issuer, isTrustedOrigin);
-	if (doc.userinfo_endpoint) doc.userinfo_endpoint = normalizeAndValidateUrl("userinfo_endpoint", doc.userinfo_endpoint, issuer, isTrustedOrigin);
-	if (doc.revocation_endpoint) doc.revocation_endpoint = normalizeAndValidateUrl("revocation_endpoint", doc.revocation_endpoint, issuer, isTrustedOrigin);
-	if (doc.end_session_endpoint) doc.end_session_endpoint = normalizeAndValidateUrl("end_session_endpoint", doc.end_session_endpoint, issuer, isTrustedOrigin);
-	if (doc.introspection_endpoint) doc.introspection_endpoint = normalizeAndValidateUrl("introspection_endpoint", doc.introspection_endpoint, issuer, isTrustedOrigin);
-	return doc;
-}
-/**
-* Normalizes and validates a single URL endpoint
-* @param name The url name
-* @param endpoint The url to validate
-* @param issuer The issuer base url
-* @param isTrustedOrigin - Origin verification tester function
-* @returns
-*/
-function normalizeAndValidateUrl(name, endpoint, issuer, isTrustedOrigin) {
-	const url = normalizeUrl(name, endpoint, issuer);
-	if (!isTrustedOrigin(url)) throw new DiscoveryError("discovery_untrusted_origin", `The ${name} "${url}" is not trusted by your trusted origins configuration.`, {
-		endpoint: name,
-		url
+async function batchCheckOrgAdmin(ctx, userId, organizationIds) {
+	if (organizationIds.length === 0) return /* @__PURE__ */ new Set();
+	const members = await ctx.context.adapter.findMany({
+		model: "member",
+		where: [{
+			field: "userId",
+			value: userId
+		}, {
+			field: "organizationId",
+			value: organizationIds,
+			operator: "in"
+		}]
 	});
-	return url;
+	const adminOrgIds = /* @__PURE__ */ new Set();
+	for (const member of members) if (hasOrgAdminRole(member)) adminOrgIds.add(member.organizationId);
+	return adminOrgIds;
 }
-/**
-* Normalize a single URL endpoint.
-*
-* @param name - The endpoint name (e.g token_endpoint)
-* @param endpoint - The endpoint URL to normalize
-* @param issuer - The base issuer URL
-* @returns The normalized endpoint URL
-*/
-function normalizeUrl(name, endpoint, issuer) {
+function sanitizeProvider(provider, baseURL) {
+	let oidcConfig = null;
+	let samlConfig = null;
 	try {
-		return parseURL(name, endpoint).toString();
+		oidcConfig = safeJsonParse(provider.oidcConfig);
 	} catch {
-		const issuerURL = parseURL(name, issuer);
-		const basePath = issuerURL.pathname.replace(/\/+$/, "");
-		const endpointPath = endpoint.replace(/^\/+/, "");
-		return parseURL(name, basePath + "/" + endpointPath, issuerURL.origin).toString();
+		oidcConfig = null;
+	}
+	try {
+		samlConfig = safeJsonParse(provider.samlConfig);
+	} catch {
+		samlConfig = null;
 	}
+	const type = samlConfig ? "saml" : "oidc";
+	return {
+		providerId: provider.providerId,
+		type,
+		issuer: provider.issuer,
+		domain: provider.domain,
+		organizationId: provider.organizationId || null,
+		domainVerified: provider.domainVerified ?? false,
+		oidcConfig: oidcConfig ? {
+			discoveryEndpoint: oidcConfig.discoveryEndpoint,
+			clientIdLastFour: maskClientId(oidcConfig.clientId),
+			pkce: oidcConfig.pkce,
+			authorizationEndpoint: oidcConfig.authorizationEndpoint,
+			tokenEndpoint: oidcConfig.tokenEndpoint,
+			userInfoEndpoint: oidcConfig.userInfoEndpoint,
+			jwksEndpoint: oidcConfig.jwksEndpoint,
+			scopes: oidcConfig.scopes,
+			tokenEndpointAuthentication: oidcConfig.tokenEndpointAuthentication
+		} : void 0,
+		samlConfig: samlConfig ? {
+			entryPoint: samlConfig.entryPoint,
+			callbackUrl: samlConfig.callbackUrl,
+			audience: samlConfig.audience,
+			wantAssertionsSigned: samlConfig.wantAssertionsSigned,
+			authnRequestsSigned: samlConfig.authnRequestsSigned,
+			identifierFormat: samlConfig.identifierFormat,
+			signatureAlgorithm: samlConfig.signatureAlgorithm,
+			digestAlgorithm: samlConfig.digestAlgorithm,
+			certificate: (() => {
+				try {
+					return parseCertificate(samlConfig.cert);
+				} catch {
+					return { error: "Failed to parse certificate" };
+				}
+			})()
+		} : void 0,
+		spMetadataUrl: `${baseURL}/sso/saml2/sp/metadata?providerId=${encodeURIComponent(provider.providerId)}`
+	};
 }
-/**
-* Parses the given URL or throws in case of invalid or unsupported protocols
-*
-* @param name the url name
-* @param endpoint the endpoint url
-* @param [base] optional base path
-* @returns
-*/
-function parseURL(name, endpoint, base) {
-	let endpointURL;
+const listSSOProviders = () => {
+	return createAuthEndpoint("/sso/providers", {
+		method: "GET",
+		use: [sessionMiddleware],
+		metadata: { openapi: {
+			operationId: "listSSOProviders",
+			summary: "List SSO providers",
+			description: "Returns a list of SSO providers the user has access to",
+			responses: { "200": { description: "List of SSO providers" } }
+		} }
+	}, async (ctx) => {
+		const userId = ctx.context.session.user.id;
+		const allProviders = await ctx.context.adapter.findMany({ model: "ssoProvider" });
+		const userOwnedProviders = allProviders.filter((p) => p.userId === userId && !p.organizationId);
+		const orgProviders = allProviders.filter((p) => p.organizationId !== null && p.organizationId !== void 0);
+		const orgPluginEnabled = ctx.context.hasPlugin("organization");
+		let accessibleProviders = [...userOwnedProviders];
+		if (orgPluginEnabled && orgProviders.length > 0) {
+			const adminOrgIds = await batchCheckOrgAdmin(ctx, userId, [...new Set(orgProviders.map((p) => p.organizationId).filter((id) => id !== null && id !== void 0))]);
+			const orgAccessibleProviders = orgProviders.filter((provider) => provider.organizationId && adminOrgIds.has(provider.organizationId));
+			accessibleProviders = [...accessibleProviders, ...orgAccessibleProviders];
+		} else if (!orgPluginEnabled) {
+			const userOwnedOrgProviders = orgProviders.filter((p) => p.userId === userId);
+			accessibleProviders = [...accessibleProviders, ...userOwnedOrgProviders];
+		}
+		const providers = accessibleProviders.map((p) => sanitizeProvider(p, ctx.context.baseURL));
+		return ctx.json({ providers });
+	});
+};
+const getSSOProviderQuerySchema = z.object({ providerId: z.string() });
+async function checkProviderAccess(ctx, providerId) {
+	const userId = ctx.context.session.user.id;
+	const provider = await ctx.context.adapter.findOne({
+		model: "ssoProvider",
+		where: [{
+			field: "providerId",
+			value: providerId
+		}]
+	});
+	if (!provider) throw new APIError("NOT_FOUND", { message: "Provider not found" });
+	let hasAccess = false;
+	if (provider.organizationId) if (ctx.context.hasPlugin("organization")) hasAccess = await isOrgAdmin(ctx, userId, provider.organizationId);
+	else hasAccess = provider.userId === userId;
+	else hasAccess = provider.userId === userId;
+	if (!hasAccess) throw new APIError("FORBIDDEN", { message: "You don't have access to this provider" });
+	return provider;
+}
+const getSSOProvider = () => {
+	return createAuthEndpoint("/sso/get-provider", {
+		method: "GET",
+		use: [sessionMiddleware],
+		query: getSSOProviderQuerySchema,
+		metadata: { openapi: {
+			operationId: "getSSOProvider",
+			summary: "Get SSO provider details",
+			description: "Returns sanitized details for a specific SSO provider",
+			responses: {
+				"200": { description: "SSO provider details" },
+				"404": { description: "Provider not found" },
+				"403": { description: "Access denied" }
+			}
+		} }
+	}, async (ctx) => {
+		const { providerId } = ctx.query;
+		const provider = await checkProviderAccess(ctx, providerId);
+		return ctx.json(sanitizeProvider(provider, ctx.context.baseURL));
+	});
+};
+function parseAndValidateConfig(configString, configType) {
+	let config = null;
 	try {
-		endpointURL = new URL(endpoint, base);
-		if (endpointURL.protocol === "http:" || endpointURL.protocol === "https:") return endpointURL;
-	} catch (error) {
-		throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must be valid: ${endpoint}`, { url: endpoint }, { cause: error });
+		config = safeJsonParse(configString);
+	} catch {
+		config = null;
 	}
-	throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must use the http or https supported protocols: ${endpoint}`, {
-		url: endpoint,
-		protocol: endpointURL.protocol
-	});
-}
-/**
-* Select the token endpoint authentication method.
-*
-* @param doc - The discovery document
-* @param existing - Existing authentication method from config
-* @returns The selected authentication method
-*/
-function selectTokenEndpointAuthMethod(doc, existing) {
-	if (existing) return existing;
-	const supported = doc.token_endpoint_auth_methods_supported;
-	if (!supported || supported.length === 0) return "client_secret_basic";
-	if (supported.includes("client_secret_basic")) return "client_secret_basic";
-	if (supported.includes("client_secret_post")) return "client_secret_post";
-	return "client_secret_basic";
-}
-/**
-* Check if a provider configuration needs runtime discovery.
-*
-* Returns true if we need discovery at runtime to complete the token exchange
-* and validation. Specifically checks for:
-* - `tokenEndpoint` - required for exchanging authorization code for tokens
-* - `jwksEndpoint` - required for validating ID token signatures
-* - `authorizationEndpoint` - required for redirecting users to the IdP for login
-*
-* @param config - Partial OIDC config from the provider
-* @returns true if runtime discovery should be performed
-*/
-function needsRuntimeDiscovery(config) {
-	if (!config) return true;
-	return !config.tokenEndpoint || !config.jwksEndpoint || !config.authorizationEndpoint;
+	if (!config) throw new APIError("BAD_REQUEST", { message: `Cannot update ${configType} config for a provider that doesn't have ${configType} configured` });
+	return config;
 }
-/**
-* Runs runtime OIDC discovery when the stored config is missing required
-* endpoints, and merges the hydrated fields back into the config.
-* Throws if discovery fails.
-*/
-async function ensureRuntimeDiscovery(config, issuer, isTrustedOrigin) {
-	if (!needsRuntimeDiscovery(config)) return config;
-	const hydrated = await discoverOIDCConfig({
+function mergeSAMLConfig(current, updates, issuer) {
+	return {
+		...current,
+		...updates,
 		issuer,
-		existingConfig: config,
-		isTrustedOrigin
-	});
+		entryPoint: updates.entryPoint ?? current.entryPoint,
+		cert: updates.cert ?? current.cert,
+		callbackUrl: updates.callbackUrl ?? current.callbackUrl,
+		spMetadata: updates.spMetadata ?? current.spMetadata,
+		idpMetadata: updates.idpMetadata ?? current.idpMetadata,
+		mapping: updates.mapping ?? current.mapping,
+		audience: updates.audience ?? current.audience,
+		wantAssertionsSigned: updates.wantAssertionsSigned ?? current.wantAssertionsSigned,
+		authnRequestsSigned: updates.authnRequestsSigned ?? current.authnRequestsSigned,
+		identifierFormat: updates.identifierFormat ?? current.identifierFormat,
+		signatureAlgorithm: updates.signatureAlgorithm ?? current.signatureAlgorithm,
+		digestAlgorithm: updates.digestAlgorithm ?? current.digestAlgorithm
+	};
+}
+function mergeOIDCConfig(current, updates, issuer) {
 	return {
-		...config,
-		authorizationEndpoint: hydrated.authorizationEndpoint,
-		tokenEndpoint: hydrated.tokenEndpoint,
-		tokenEndpointAuthentication: hydrated.tokenEndpointAuthentication,
-		userInfoEndpoint: hydrated.userInfoEndpoint,
-		jwksEndpoint: hydrated.jwksEndpoint
+		...current,
+		...updates,
+		issuer,
+		pkce: updates.pkce ?? current.pkce ?? true,
+		clientId: updates.clientId ?? current.clientId,
+		clientSecret: updates.clientSecret ?? current.clientSecret,
+		discoveryEndpoint: updates.discoveryEndpoint ?? current.discoveryEndpoint,
+		mapping: updates.mapping ?? current.mapping,
+		scopes: updates.scopes ?? current.scopes,
+		authorizationEndpoint: updates.authorizationEndpoint ?? current.authorizationEndpoint,
+		tokenEndpoint: updates.tokenEndpoint ?? current.tokenEndpoint,
+		userInfoEndpoint: updates.userInfoEndpoint ?? current.userInfoEndpoint,
+		jwksEndpoint: updates.jwksEndpoint ?? current.jwksEndpoint,
+		tokenEndpointAuthentication: updates.tokenEndpointAuthentication ?? current.tokenEndpointAuthentication
 	};
 }
-//#endregion
-//#region src/oidc/errors.ts
-/**
-* OIDC Discovery Error Mapping
-*
-* Maps DiscoveryError codes to appropriate APIError responses.
-* Used at the boundary between the discovery pipeline and HTTP handlers.
-*/
-/**
-* Maps a DiscoveryError to an appropriate APIError for HTTP responses.
-*
-* Error code mapping:
-* - discovery_invalid_url       → 400 BAD_REQUEST
-* - discovery_not_found         → 400 BAD_REQUEST
-* - discovery_invalid_json      → 400 BAD_REQUEST
-* - discovery_incomplete        → 400 BAD_REQUEST
-* - issuer_mismatch             → 400 BAD_REQUEST
-* - unsupported_token_auth_method → 400 BAD_REQUEST
-* - discovery_timeout           → 502 BAD_GATEWAY
-* - discovery_unexpected_error  → 502 BAD_GATEWAY
-*
-* @param error - The DiscoveryError to map
-* @returns An APIError with appropriate status and message
-*/
-function mapDiscoveryErrorToAPIError(error) {
-	switch (error.code) {
-		case "discovery_timeout": return new APIError("BAD_GATEWAY", {
-			message: `OIDC discovery timed out: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_unexpected_error": return new APIError("BAD_GATEWAY", {
-			message: `OIDC discovery failed: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_not_found": return new APIError("BAD_REQUEST", {
-			message: `OIDC discovery endpoint not found. The issuer may not support OIDC discovery, or the URL is incorrect. ${error.message}`,
-			code: error.code
-		});
-		case "discovery_invalid_url": return new APIError("BAD_REQUEST", {
-			message: `Invalid OIDC discovery URL: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_untrusted_origin": return new APIError("BAD_REQUEST", {
-			message: `Untrusted OIDC discovery URL: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_invalid_json": return new APIError("BAD_REQUEST", {
-			message: `OIDC discovery returned invalid data: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_incomplete": return new APIError("BAD_REQUEST", {
-			message: `OIDC discovery document is missing required fields: ${error.message}`,
-			code: error.code
+const updateSSOProvider = (options) => {
+	return createAuthEndpoint("/sso/update-provider", {
+		method: "POST",
+		use: [sessionMiddleware],
+		body: updateSSOProviderBodySchema.extend({ providerId: z.string() }),
+		metadata: { openapi: {
+			operationId: "updateSSOProvider",
+			summary: "Update SSO provider",
+			description: "Partially update an SSO provider. Only provided fields are updated. If domain changes, domainVerified is reset to false.",
+			responses: {
+				"200": { description: "SSO provider updated successfully" },
+				"404": { description: "Provider not found" },
+				"403": { description: "Access denied" }
+			}
+		} }
+	}, async (ctx) => {
+		const { providerId, ...body } = ctx.body;
+		const { issuer, domain, samlConfig, oidcConfig } = body;
+		if (!issuer && !domain && !samlConfig && !oidcConfig) throw new APIError("BAD_REQUEST", { message: "No fields provided for update" });
+		const existingProvider = await checkProviderAccess(ctx, providerId);
+		const updateData = {};
+		if (body.issuer !== void 0) updateData.issuer = body.issuer;
+		if (body.domain !== void 0) {
+			updateData.domain = body.domain;
+			if (body.domain !== existingProvider.domain) updateData.domainVerified = false;
+		}
+		if (body.samlConfig) {
+			if (body.samlConfig.idpMetadata?.metadata) {
+				const maxMetadataSize = options?.saml?.maxMetadataSize ?? 102400;
+				if (new TextEncoder().encode(body.samlConfig.idpMetadata.metadata).length > maxMetadataSize) throw new APIError("BAD_REQUEST", { message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)` });
+			}
+			if (body.samlConfig.signatureAlgorithm !== void 0 || body.samlConfig.digestAlgorithm !== void 0) validateConfigAlgorithms({
+				signatureAlgorithm: body.samlConfig.signatureAlgorithm,
+				digestAlgorithm: body.samlConfig.digestAlgorithm
+			}, options?.saml?.algorithms);
+			const currentSamlConfig = parseAndValidateConfig(existingProvider.samlConfig, "SAML");
+			const updatedSamlConfig = mergeSAMLConfig(currentSamlConfig, body.samlConfig, updateData.issuer || currentSamlConfig.issuer || existingProvider.issuer);
+			updateData.samlConfig = JSON.stringify(updatedSamlConfig);
+		}
+		if (body.oidcConfig) {
+			try {
+				validateSkipDiscoveryEndpoints(body.oidcConfig, (url) => ctx.context.isTrustedOrigin(url));
+			} catch (error) {
+				if (error instanceof DiscoveryError) throw mapDiscoveryErrorToAPIError(error);
+				throw error;
+			}
+			const currentOidcConfig = parseAndValidateConfig(existingProvider.oidcConfig, "OIDC");
+			const updatedOidcConfig = mergeOIDCConfig(currentOidcConfig, body.oidcConfig, updateData.issuer || currentOidcConfig.issuer || existingProvider.issuer);
+			updateData.oidcConfig = JSON.stringify(updatedOidcConfig);
+		}
+		await ctx.context.adapter.update({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}],
+			update: updateData
 		});
-		case "issuer_mismatch": return new APIError("BAD_REQUEST", {
-			message: `OIDC issuer mismatch: ${error.message}`,
-			code: error.code
+		const fullProvider = await ctx.context.adapter.findOne({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}]
 		});
-		case "unsupported_token_auth_method": return new APIError("BAD_REQUEST", {
-			message: `Incompatible OIDC provider: ${error.message}`,
-			code: error.code
+		if (!fullProvider) throw new APIError("NOT_FOUND", { message: "Provider not found after update" });
+		return ctx.json(sanitizeProvider(fullProvider, ctx.context.baseURL));
+	});
+};
+const deleteSSOProvider = () => {
+	return createAuthEndpoint("/sso/delete-provider", {
+		method: "POST",
+		use: [sessionMiddleware],
+		body: z.object({ providerId: z.string() }),
+		metadata: { openapi: {
+			operationId: "deleteSSOProvider",
+			summary: "Delete SSO provider",
+			description: "Deletes an SSO provider",
+			responses: {
+				"200": { description: "SSO provider deleted successfully" },
+				"404": { description: "Provider not found" },
+				"403": { description: "Access denied" }
+			}
+		} }
+	}, async (ctx) => {
+		const { providerId } = ctx.body;
+		await checkProviderAccess(ctx, providerId);
+		await ctx.context.adapter.delete({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}]
 		});
-		default:
-			error.code;
-			return new APIError("INTERNAL_SERVER_ERROR", {
-				message: `Unexpected discovery error: ${error.message}`,
-				code: "discovery_unexpected_error"
-			});
-	}
-}
+		return ctx.json({ success: true });
+	});
+};
 //#endregion
 //#region src/saml/error-codes.ts
 const SAML_ERROR_CODES = defineErrorCodes({
@@ -1865,12 +1934,12 @@ const ssoProviderBodySchema = z.object({
 	oidcConfig: z.object({
 		clientId: z.string({}).meta({ description: "The client ID" }),
 		clientSecret: z.string({}).meta({ description: "The client secret" }),
-		authorizationEndpoint: z.string({}).meta({ description: "The authorization endpoint" }).optional(),
-		tokenEndpoint: z.string({}).meta({ description: "The token endpoint" }).optional(),
-		userInfoEndpoint: z.string({}).meta({ description: "The user info endpoint" }).optional(),
+		authorizationEndpoint: z.url().meta({ description: "The authorization endpoint" }).optional(),
+		tokenEndpoint: z.url().meta({ description: "The token endpoint" }).optional(),
+		userInfoEndpoint: z.url().meta({ description: "The user info endpoint" }).optional(),
 		tokenEndpointAuthentication: z.enum(["client_secret_post", "client_secret_basic"]).optional(),
-		jwksEndpoint: z.string({}).meta({ description: "The JWKS endpoint" }).optional(),
-		discoveryEndpoint: z.string().optional(),
+		jwksEndpoint: z.url().meta({ description: "The JWKS endpoint" }).optional(),
+		discoveryEndpoint: z.url().optional(),
 		skipDiscovery: z.boolean().meta({ description: "Skip OIDC discovery during registration. When true, you must provide authorizationEndpoint, tokenEndpoint, and jwksEndpoint manually." }).optional(),
 		scopes: z.array(z.string(), {}).meta({ description: "The scopes to request. Defaults to ['openid', 'email', 'profile', 'offline_access']" }).optional(),
 		pkce: z.boolean({}).meta({ description: "Whether to use PKCE for the authorization flow" }).default(true).optional(),
@@ -2123,7 +2192,7 @@ const registerSSOProvider = (options) => {
 			if (new TextEncoder().encode(body.samlConfig.idpMetadata.metadata).length > maxMetadataSize) throw new APIError("BAD_REQUEST", { message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)` });
 		}
 		if (ctx.body.organizationId) {
-			if (!await ctx.context.adapter.findOne({
+			const member = await ctx.context.adapter.findOne({
 				model: "member",
 				where: [{
 					field: "userId",
@@ -2132,7 +2201,9 @@ const registerSSOProvider = (options) => {
 					field: "organizationId",
 					value: ctx.body.organizationId
 				}]
-			})) throw new APIError("BAD_REQUEST", { message: "You are not a member of the organization" });
+			});
+			if (!member) throw new APIError("BAD_REQUEST", { message: "You are not a member of the organization" });
+			if (ctx.context.hasPlugin("organization") && !hasOrgAdminRole(member)) throw new APIError("FORBIDDEN", { message: "You must be an organization owner or admin to register SSO providers" });
 		}
 		if (await ctx.context.adapter.findOne({
 			model: "ssoProvider",
@@ -2144,6 +2215,12 @@ const registerSSOProvider = (options) => {
 			ctx.context.logger.info(`SSO provider creation attempt with existing providerId: ${body.providerId}`);
 			throw new APIError("UNPROCESSABLE_ENTITY", { message: "SSO provider with this providerId already exists" });
 		}
+		if (body.oidcConfig) try {
+			validateSkipDiscoveryEndpoints(body.oidcConfig, (url) => ctx.context.isTrustedOrigin(url));
+		} catch (error) {
+			if (error instanceof DiscoveryError) throw mapDiscoveryErrorToAPIError(error);
+			throw error;
+		}
 		let hydratedOIDCConfig = null;
 		if (body.oidcConfig && !body.oidcConfig.skipDiscovery) try {
 			hydratedOIDCConfig = await discoverOIDCConfig({