@better-auth/sso 1.6.10 → 1.6.12

package/dist/index.mjs

@@ -1,12 +1,14 @@
-import { t as PACKAGE_VERSION } from "./version-Bwp02oze.mjs";
+import { t as PACKAGE_VERSION } from "./version-dnGn0OgM.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
 import { X509Certificate } from "node:crypto";
 import { getHostname } from "tldts";
 import { generateRandomString } from "better-auth/crypto";
 import * as z from "zod";
-import { base64 } from "@better-auth/utils/base64";
+import { isPublicRoutableHost } from "@better-auth/core/utils/host";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
+import { base64 } from "@better-auth/utils/base64";
+import { isAPIError } from "@better-auth/core/utils/is-api-error";
 import { HIDE_METADATA, createAuthorizationURL, generateGenericState, generateState, parseGenericState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
 import { deleteSessionCookie, setSessionCookie } from "better-auth/cookies";
 import { handleOAuthUserInfo } from "better-auth/oauth2";
@@ -371,992 +373,1060 @@ const verifyDomain = (options) => {
 	});
 };
 //#endregion
-//#region src/saml/parser.ts
-const xmlParser = new XMLParser({
-	ignoreAttributes: false,
-	attributeNamePrefix: "@_",
-	removeNSPrefix: true,
-	processEntities: false
-});
-function findNode(obj, nodeName) {
-	if (!obj || typeof obj !== "object") return null;
-	const record = obj;
-	if (nodeName in record) return record[nodeName];
-	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) {
-		const found = findNode(item, nodeName);
-		if (found) return found;
-	}
-	else if (typeof value === "object" && value !== null) {
-		const found = findNode(value, nodeName);
-		if (found) return found;
-	}
-	return null;
-}
-function countAllNodes(obj, nodeName) {
-	if (!obj || typeof obj !== "object") return 0;
-	let count = 0;
-	const record = obj;
-	if (nodeName in record) {
-		const node = record[nodeName];
-		count += Array.isArray(node) ? node.length : 1;
+//#region src/oidc/types.ts
+/**
+* Custom error class for OIDC discovery failures.
+* Can be caught and mapped to APIError at the edge.
+*/
+var DiscoveryError = class DiscoveryError extends Error {
+	code;
+	details;
+	constructor(code, message, details, options) {
+		super(message, options);
+		this.name = "DiscoveryError";
+		this.code = code;
+		this.details = details;
+		if (Error.captureStackTrace) Error.captureStackTrace(this, DiscoveryError);
 	}
-	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) count += countAllNodes(item, nodeName);
-	else if (typeof value === "object" && value !== null) count += countAllNodes(value, nodeName);
-	return count;
-}
-//#endregion
-//#region src/saml/algorithms.ts
-const SignatureAlgorithm = {
-	RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
-	RSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
-	RSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
-	RSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
-	ECDSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
-	ECDSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
-	ECDSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
-};
-const DigestAlgorithm = {
-	SHA1: "http://www.w3.org/2000/09/xmldsig#sha1",
-	SHA256: "http://www.w3.org/2001/04/xmlenc#sha256",
-	SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
-	SHA512: "http://www.w3.org/2001/04/xmlenc#sha512"
 };
-const KeyEncryptionAlgorithm = {
-	RSA_1_5: "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
-	RSA_OAEP: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
-	RSA_OAEP_SHA256: "http://www.w3.org/2009/xmlenc11#rsa-oaep"
-};
-const DataEncryptionAlgorithm = {
-	TRIPLEDES_CBC: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
-	AES_128_CBC: "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
-	AES_192_CBC: "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
-	AES_256_CBC: "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
-	AES_128_GCM: "http://www.w3.org/2009/xmlenc11#aes128-gcm",
-	AES_192_GCM: "http://www.w3.org/2009/xmlenc11#aes192-gcm",
-	AES_256_GCM: "http://www.w3.org/2009/xmlenc11#aes256-gcm"
-};
-const DEPRECATED_SIGNATURE_ALGORITHMS = [SignatureAlgorithm.RSA_SHA1];
-const DEPRECATED_KEY_ENCRYPTION_ALGORITHMS = [KeyEncryptionAlgorithm.RSA_1_5];
-const DEPRECATED_DATA_ENCRYPTION_ALGORITHMS = [DataEncryptionAlgorithm.TRIPLEDES_CBC];
-const DEPRECATED_DIGEST_ALGORITHMS = [DigestAlgorithm.SHA1];
-const SECURE_SIGNATURE_ALGORITHMS = [
-	SignatureAlgorithm.RSA_SHA256,
-	SignatureAlgorithm.RSA_SHA384,
-	SignatureAlgorithm.RSA_SHA512,
-	SignatureAlgorithm.ECDSA_SHA256,
-	SignatureAlgorithm.ECDSA_SHA384,
-	SignatureAlgorithm.ECDSA_SHA512
-];
-const SECURE_DIGEST_ALGORITHMS = [
-	DigestAlgorithm.SHA256,
-	DigestAlgorithm.SHA384,
-	DigestAlgorithm.SHA512
+/**
+* Required fields that must be present in a valid discovery document.
+*/
+const REQUIRED_DISCOVERY_FIELDS = [
+	"issuer",
+	"authorization_endpoint",
+	"token_endpoint",
+	"jwks_uri"
 ];
-const SHORT_FORM_SIGNATURE_TO_URI = {
-	sha1: SignatureAlgorithm.RSA_SHA1,
-	sha256: SignatureAlgorithm.RSA_SHA256,
-	sha384: SignatureAlgorithm.RSA_SHA384,
-	sha512: SignatureAlgorithm.RSA_SHA512,
-	"rsa-sha1": SignatureAlgorithm.RSA_SHA1,
-	"rsa-sha256": SignatureAlgorithm.RSA_SHA256,
-	"rsa-sha384": SignatureAlgorithm.RSA_SHA384,
-	"rsa-sha512": SignatureAlgorithm.RSA_SHA512,
-	"ecdsa-sha256": SignatureAlgorithm.ECDSA_SHA256,
-	"ecdsa-sha384": SignatureAlgorithm.ECDSA_SHA384,
-	"ecdsa-sha512": SignatureAlgorithm.ECDSA_SHA512
-};
-const SHORT_FORM_DIGEST_TO_URI = {
-	sha1: DigestAlgorithm.SHA1,
-	sha256: DigestAlgorithm.SHA256,
-	sha384: DigestAlgorithm.SHA384,
-	sha512: DigestAlgorithm.SHA512
-};
-function normalizeSignatureAlgorithm(alg) {
-	return SHORT_FORM_SIGNATURE_TO_URI[alg.toLowerCase()] ?? alg;
-}
-function normalizeDigestAlgorithm(alg) {
-	return SHORT_FORM_DIGEST_TO_URI[alg.toLowerCase()] ?? alg;
-}
-function extractEncryptionAlgorithms(xml) {
-	try {
-		const parsed = xmlParser.parse(xml);
-		const keyAlg = (findNode(parsed, "EncryptedKey")?.EncryptionMethod)?.["@_Algorithm"];
-		const dataAlg = (findNode(parsed, "EncryptedData")?.EncryptionMethod)?.["@_Algorithm"];
-		return {
-			keyEncryption: keyAlg || null,
-			dataEncryption: dataAlg || null
-		};
-	} catch {
-		return {
-			keyEncryption: null,
-			dataEncryption: null
-		};
-	}
+//#endregion
+//#region src/oidc/discovery.ts
+/**
+* OIDC Discovery Pipeline
+*
+* Implements OIDC discovery document fetching, validation, and hydration.
+* This module is used both at provider registration time (to persist validated config)
+* and at runtime (to hydrate legacy providers that are missing metadata).
+*
+* @see https://openid.net/specs/openid-connect-discovery-1_0.html
+*/
+/** Default timeout for discovery requests (10 seconds) */
+const DEFAULT_DISCOVERY_TIMEOUT = 1e4;
+/**
+* Main entry point: Discover and hydrate OIDC configuration from an issuer.
+*
+* This function:
+* 1. Computes the discovery URL from the issuer
+* 2. Validates the discovery URL
+* 3. Fetches the discovery document
+* 4. Validates the discovery document (issuer match + required fields)
+* 5. Normalizes URLs
+* 6. Selects token endpoint auth method
+* 7. Merges with existing config (existing values take precedence)
+*
+* @param params - Discovery parameters
+* @param isTrustedOrigin - Origin verification tester function
+* @returns Hydrated OIDC configuration ready for persistence
+* @throws DiscoveryError on any failure
+*/
+async function discoverOIDCConfig(params) {
+	const { issuer, existingConfig, timeout = DEFAULT_DISCOVERY_TIMEOUT } = params;
+	const discoveryUrl = params.discoveryEndpoint || existingConfig?.discoveryEndpoint || computeDiscoveryUrl(issuer);
+	validateDiscoveryUrl(discoveryUrl, params.isTrustedOrigin);
+	const discoveryDoc = await fetchDiscoveryDocument(discoveryUrl, timeout);
+	validateDiscoveryDocument(discoveryDoc, issuer);
+	const normalizedDoc = normalizeDiscoveryUrls(discoveryDoc, issuer, params.isTrustedOrigin);
+	const tokenEndpointAuth = selectTokenEndpointAuthMethod(normalizedDoc, existingConfig?.tokenEndpointAuthentication);
+	return {
+		issuer: existingConfig?.issuer ?? normalizedDoc.issuer,
+		discoveryEndpoint: existingConfig?.discoveryEndpoint ?? discoveryUrl,
+		authorizationEndpoint: existingConfig?.authorizationEndpoint ?? normalizedDoc.authorization_endpoint,
+		tokenEndpoint: existingConfig?.tokenEndpoint ?? normalizedDoc.token_endpoint,
+		jwksEndpoint: existingConfig?.jwksEndpoint ?? normalizedDoc.jwks_uri,
+		userInfoEndpoint: existingConfig?.userInfoEndpoint ?? normalizedDoc.userinfo_endpoint,
+		tokenEndpointAuthentication: existingConfig?.tokenEndpointAuthentication ?? tokenEndpointAuth,
+		scopesSupported: existingConfig?.scopesSupported ?? normalizedDoc.scopes_supported
+	};
 }
-function hasEncryptedAssertion(xml) {
-	try {
-		return findNode(xmlParser.parse(xml), "EncryptedAssertion") !== null;
-	} catch {
-		return false;
-	}
+/**
+* Compute the discovery URL from an issuer URL.
+*
+* Per OIDC Discovery spec, the discovery document is located at:
+* <issuer>/.well-known/openid-configuration
+*
+* Handles trailing slashes correctly.
+*/
+function computeDiscoveryUrl(issuer) {
+	return `${issuer.endsWith("/") ? issuer.slice(0, -1) : issuer}/.well-known/openid-configuration`;
 }
-function handleDeprecatedAlgorithm(message, behavior, errorCode) {
-	switch (behavior) {
-		case "reject": throw new APIError("BAD_REQUEST", {
-			message,
-			code: errorCode
-		});
-		case "warn":
-			console.warn(`[SAML Security Warning] ${message}`);
-			break;
-		case "allow": break;
-	}
+/**
+* Validate a discovery URL before fetching.
+*
+* @param url - The discovery URL to validate
+* @param isTrustedOrigin - Origin verification tester function
+* @throws DiscoveryError if URL is invalid
+*/
+function validateDiscoveryUrl(url, isTrustedOrigin) {
+	const discoveryEndpoint = parseURL("discoveryEndpoint", url).toString();
+	if (!isTrustedOrigin(discoveryEndpoint)) throw new DiscoveryError("discovery_untrusted_origin", `The main discovery endpoint "${discoveryEndpoint}" is not trusted by your trusted origins configuration.`, { url: discoveryEndpoint });
 }
-function validateSignatureAlgorithm(algorithm, options = {}) {
-	if (!algorithm) return;
-	const { onDeprecated = "warn", allowedSignatureAlgorithms } = options;
-	if (allowedSignatureAlgorithms) {
-		if (!allowedSignatureAlgorithms.includes(algorithm)) throw new APIError("BAD_REQUEST", {
-			message: `SAML signature algorithm not in allow-list: ${algorithm}`,
-			code: "SAML_ALGORITHM_NOT_ALLOWED"
-		});
-		return;
-	}
-	if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(algorithm)) {
-		handleDeprecatedAlgorithm(`SAML response uses deprecated signature algorithm: ${algorithm}. Please configure your IdP to use SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
-		return;
-	}
-	if (!SECURE_SIGNATURE_ALGORITHMS.includes(algorithm)) throw new APIError("BAD_REQUEST", {
-		message: `SAML signature algorithm not recognized: ${algorithm}`,
-		code: "SAML_UNKNOWN_ALGORITHM"
+/**
+* Validate that a user-supplied OIDC endpoint URL is safe to fetch.
+*
+* Layered checks (in order):
+*   1. URL parsing + http(s) scheme            → discovery_invalid_url
+*   2. Public-routable host (RFC 6890)         → allowed
+*   3. Operator-allowlisted via trustedOrigins → allowed (opt-in for internal IdPs)
+*   4. Otherwise                               → discovery_private_host
+*
+* Step 2 rejects loopback, RFC 1918, link-local, ULA, shared-address,
+* cloud-metadata FQDNs (e.g. `169.254.169.254`, `metadata.google.internal`),
+* multicast, and reserved ranges. See `isPublicRoutableHost` in
+* `@better-auth/core/utils/host`.
+*
+* Step 3 is the documented escape hatch for customers whose IdP runs on a
+* private network or behind a corporate VPN: they add the IdP origin to their
+* `trustedOrigins` configuration.
+*
+* @param name - The endpoint field name, used in error messages
+* @param endpoint - The URL to validate
+* @param isTrustedOrigin - Predicate matching the configured `trustedOrigins`
+* @throws DiscoveryError(discovery_invalid_url)  — malformed URL or non-http(s) scheme
+* @throws DiscoveryError(discovery_private_host) — host is not publicly routable and not allowlisted
+*/
+function validateSkipDiscoveryEndpoint(name, endpoint, isTrustedOrigin) {
+	const parsed = parseURL(name, endpoint);
+	if (isPublicRoutableHost(parsed.hostname)) return;
+	if (isTrustedOrigin(parsed.toString())) return;
+	throw new DiscoveryError("discovery_private_host", `The ${name} URL (${parsed.toString()}) is not publicly routable: ${parsed.hostname}. If this is an internal IdP, add its origin to trustedOrigins.`, {
+		endpoint: name,
+		url: endpoint,
+		hostname: parsed.hostname
 	});
 }
-function validateEncryptionAlgorithms(algorithms, options = {}) {
-	const { onDeprecated = "warn", allowedKeyEncryptionAlgorithms, allowedDataEncryptionAlgorithms } = options;
-	const { keyEncryption, dataEncryption } = algorithms;
-	if (keyEncryption) {
-		if (allowedKeyEncryptionAlgorithms) {
-			if (!allowedKeyEncryptionAlgorithms.includes(keyEncryption)) throw new APIError("BAD_REQUEST", {
-				message: `SAML key encryption algorithm not in allow-list: ${keyEncryption}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
+/**
+* Validate every present OIDC endpoint URL in a registration or update body.
+*
+* Each provided URL is checked with {@link validateSkipDiscoveryEndpoint}.
+* Omitted (undefined / null / empty) fields are skipped.
+*
+* @param config - OIDC endpoint URLs from the request body
+* @param isTrustedOrigin - Predicate matching the configured `trustedOrigins`
+* @throws DiscoveryError on the first invalid endpoint
+*/
+function validateSkipDiscoveryEndpoints(config, isTrustedOrigin) {
+	const fields = [
+		["authorizationEndpoint", config.authorizationEndpoint],
+		["tokenEndpoint", config.tokenEndpoint],
+		["userInfoEndpoint", config.userInfoEndpoint],
+		["jwksEndpoint", config.jwksEndpoint],
+		["discoveryEndpoint", config.discoveryEndpoint]
+	];
+	for (const [name, url] of fields) if (url) validateSkipDiscoveryEndpoint(name, url, isTrustedOrigin);
+}
+/**
+* Fetch the OIDC discovery document from the IdP.
+*
+* @param url - The discovery endpoint URL
+* @param timeout - Request timeout in milliseconds
+* @returns The parsed discovery document
+* @throws DiscoveryError on network errors, timeouts, or invalid responses
+*/
+async function fetchDiscoveryDocument(url, timeout = DEFAULT_DISCOVERY_TIMEOUT) {
+	try {
+		const response = await betterFetch(url, {
+			method: "GET",
+			timeout
+		});
+		if (response.error) {
+			const { status } = response.error;
+			if (status === 404) throw new DiscoveryError("discovery_not_found", "Discovery endpoint not found", {
+				url,
+				status
 			});
-		} else if (DEPRECATED_KEY_ENCRYPTION_ALGORITHMS.includes(keyEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated key encryption algorithm: ${keyEncryption}. Please configure your IdP to use RSA-OAEP.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
-	}
-	if (dataEncryption) {
-		if (allowedDataEncryptionAlgorithms) {
-			if (!allowedDataEncryptionAlgorithms.includes(dataEncryption)) throw new APIError("BAD_REQUEST", {
-				message: `SAML data encryption algorithm not in allow-list: ${dataEncryption}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			if (status === 408) throw new DiscoveryError("discovery_timeout", "Discovery request timed out", {
+				url,
+				timeout
 			});
-		} else if (DEPRECATED_DATA_ENCRYPTION_ALGORITHMS.includes(dataEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated data encryption algorithm: ${dataEncryption}. Please configure your IdP to use AES-GCM.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
-	}
-}
-function validateSAMLAlgorithms(response, options) {
-	validateSignatureAlgorithm(response.sigAlg, options);
-	if (hasEncryptedAssertion(response.samlContent)) validateEncryptionAlgorithms(extractEncryptionAlgorithms(response.samlContent), options);
-}
-function validateConfigAlgorithms(config, options = {}) {
-	const { onDeprecated = "warn", allowedSignatureAlgorithms, allowedDigestAlgorithms } = options;
-	if (config.signatureAlgorithm) {
-		const normalized = normalizeSignatureAlgorithm(config.signatureAlgorithm);
-		if (allowedSignatureAlgorithms) {
-			if (!allowedSignatureAlgorithms.map(normalizeSignatureAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
-				message: `SAML signature algorithm not in allow-list: ${config.signatureAlgorithm}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			throw new DiscoveryError("discovery_unexpected_error", `Unexpected discovery error: ${response.error.statusText}`, {
+				url,
+				...response.error
 			});
-		} else if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated signature algorithm: ${config.signatureAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
-		else if (!SECURE_SIGNATURE_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
-			message: `SAML signature algorithm not recognized: ${config.signatureAlgorithm}`,
-			code: "SAML_UNKNOWN_ALGORITHM"
+		}
+		if (!response.data) throw new DiscoveryError("discovery_invalid_json", "Discovery endpoint returned an empty response", { url });
+		const data = response.data;
+		if (typeof data === "string") throw new DiscoveryError("discovery_invalid_json", "Discovery endpoint returned invalid JSON", {
+			url,
+			bodyPreview: data.slice(0, 200)
 		});
-	}
-	if (config.digestAlgorithm) {
-		const normalized = normalizeDigestAlgorithm(config.digestAlgorithm);
-		if (allowedDigestAlgorithms) {
-			if (!allowedDigestAlgorithms.map(normalizeDigestAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
-				message: `SAML digest algorithm not in allow-list: ${config.digestAlgorithm}`,
-				code: "SAML_ALGORITHM_NOT_ALLOWED"
-			});
-		} else if (DEPRECATED_DIGEST_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated digest algorithm: ${config.digestAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
-		else if (!SECURE_DIGEST_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
-			message: `SAML digest algorithm not recognized: ${config.digestAlgorithm}`,
-			code: "SAML_UNKNOWN_ALGORITHM"
+		return data;
+	} catch (error) {
+		if (error instanceof DiscoveryError) throw error;
+		if (error instanceof Error && error.name === "AbortError") throw new DiscoveryError("discovery_timeout", "Discovery request timed out", {
+			url,
+			timeout
 		});
+		throw new DiscoveryError("discovery_unexpected_error", `Unexpected error during discovery: ${error instanceof Error ? error.message : String(error)}`, { url }, { cause: error });
 	}
 }
-//#endregion
-//#region src/saml/assertions.ts
-function countAssertions(xml) {
-	let parsed;
+/**
+* Validate a discovery document.
+*
+* Checks:
+* 1. All required fields are present
+* 2. Issuer matches the configured issuer (case-sensitive, exact match)
+*
+* Invariant: If this function returns without throwing, the document is safe
+* to use for hydrating OIDC config (required fields present, issuer matches
+* configured value, basic structural sanity verified).
+*
+* @param doc - The discovery document to validate
+* @param configuredIssuer - The expected issuer value
+* @throws DiscoveryError if validation fails
+*/
+function validateDiscoveryDocument(doc, configuredIssuer) {
+	const missingFields = [];
+	for (const field of REQUIRED_DISCOVERY_FIELDS) if (!doc[field]) missingFields.push(field);
+	if (missingFields.length > 0) throw new DiscoveryError("discovery_incomplete", `Discovery document is missing required fields: ${missingFields.join(", ")}`, { missingFields });
+	if ((doc.issuer.endsWith("/") ? doc.issuer.slice(0, -1) : doc.issuer) !== (configuredIssuer.endsWith("/") ? configuredIssuer.slice(0, -1) : configuredIssuer)) throw new DiscoveryError("issuer_mismatch", `Discovered issuer "${doc.issuer}" does not match configured issuer "${configuredIssuer}"`, {
+		discovered: doc.issuer,
+		configured: configuredIssuer
+	});
+}
+/**
+* Normalize URLs in the discovery document.
+*
+* @param document - The discovery document
+* @param issuer - The base issuer URL
+* @param isTrustedOrigin - Origin verification tester function
+* @returns The normalized discovery document
+*/
+function normalizeDiscoveryUrls(document, issuer, isTrustedOrigin) {
+	const doc = { ...document };
+	doc.token_endpoint = normalizeAndValidateUrl("token_endpoint", doc.token_endpoint, issuer, isTrustedOrigin);
+	doc.authorization_endpoint = normalizeAndValidateUrl("authorization_endpoint", doc.authorization_endpoint, issuer, isTrustedOrigin);
+	doc.jwks_uri = normalizeAndValidateUrl("jwks_uri", doc.jwks_uri, issuer, isTrustedOrigin);
+	if (doc.userinfo_endpoint) doc.userinfo_endpoint = normalizeAndValidateUrl("userinfo_endpoint", doc.userinfo_endpoint, issuer, isTrustedOrigin);
+	if (doc.revocation_endpoint) doc.revocation_endpoint = normalizeAndValidateUrl("revocation_endpoint", doc.revocation_endpoint, issuer, isTrustedOrigin);
+	if (doc.end_session_endpoint) doc.end_session_endpoint = normalizeAndValidateUrl("end_session_endpoint", doc.end_session_endpoint, issuer, isTrustedOrigin);
+	if (doc.introspection_endpoint) doc.introspection_endpoint = normalizeAndValidateUrl("introspection_endpoint", doc.introspection_endpoint, issuer, isTrustedOrigin);
+	return doc;
+}
+/**
+* Normalizes and validates a single URL endpoint
+* @param name The url name
+* @param endpoint The url to validate
+* @param issuer The issuer base url
+* @param isTrustedOrigin - Origin verification tester function
+* @returns
+*/
+function normalizeAndValidateUrl(name, endpoint, issuer, isTrustedOrigin) {
+	const url = normalizeUrl(name, endpoint, issuer);
+	if (!isTrustedOrigin(url)) throw new DiscoveryError("discovery_untrusted_origin", `The ${name} "${url}" is not trusted by your trusted origins configuration.`, {
+		endpoint: name,
+		url
+	});
+	return url;
+}
+/**
+* Normalize a single URL endpoint.
+*
+* @param name - The endpoint name (e.g token_endpoint)
+* @param endpoint - The endpoint URL to normalize
+* @param issuer - The base issuer URL
+* @returns The normalized endpoint URL
+*/
+function normalizeUrl(name, endpoint, issuer) {
 	try {
-		parsed = xmlParser.parse(xml);
+		return parseURL(name, endpoint).toString();
 	} catch {
-		throw new APIError("BAD_REQUEST", {
-			message: "Failed to parse SAML response XML",
-			code: "SAML_INVALID_XML"
-		});
+		const issuerURL = parseURL(name, issuer);
+		const basePath = issuerURL.pathname.replace(/\/+$/, "");
+		const endpointPath = endpoint.replace(/^\/+/, "");
+		return parseURL(name, basePath + "/" + endpointPath, issuerURL.origin).toString();
 	}
-	const assertions = countAllNodes(parsed, "Assertion");
-	const encryptedAssertions = countAllNodes(parsed, "EncryptedAssertion");
-	return {
-		assertions,
-		encryptedAssertions,
-		total: assertions + encryptedAssertions
-	};
 }
-function validateSingleAssertion(samlResponse) {
-	let xml;
+/**
+* Parses the given URL or throws in case of invalid or unsupported protocols
+*
+* @param name the url name
+* @param endpoint the endpoint url
+* @param [base] optional base path
+* @returns
+*/
+function parseURL(name, endpoint, base) {
+	let endpointURL;
 	try {
-		xml = new TextDecoder().decode(base64.decode(samlResponse.replace(/\s+/g, "")));
-		if (!xml.includes("<")) throw new Error("Not XML");
-	} catch {
-		throw new APIError("BAD_REQUEST", {
-			message: "Invalid base64-encoded SAML response",
-			code: "SAML_INVALID_ENCODING"
-		});
+		endpointURL = new URL(endpoint, base);
+		if (endpointURL.protocol === "http:" || endpointURL.protocol === "https:") return endpointURL;
+	} catch (error) {
+		throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must be valid: ${endpoint}`, { url: endpoint }, { cause: error });
 	}
-	const counts = countAssertions(xml);
-	if (counts.total === 0) throw new APIError("BAD_REQUEST", {
-		message: "SAML response contains no assertions",
-		code: "SAML_NO_ASSERTION"
-	});
-	if (counts.total > 1) throw new APIError("BAD_REQUEST", {
-		message: `SAML response contains ${counts.total} assertions, expected exactly 1`,
-		code: "SAML_MULTIPLE_ASSERTIONS"
+	throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must use the http or https supported protocols: ${endpoint}`, {
+		url: endpoint,
+		protocol: endpointURL.protocol
 	});
 }
-//#endregion
-//#region src/routes/schemas.ts
-const oidcMappingSchema = z.object({
-	id: z.string().optional(),
-	email: z.string().optional(),
-	emailVerified: z.string().optional(),
-	name: z.string().optional(),
-	image: z.string().optional(),
-	extraFields: z.record(z.string(), z.any()).optional()
-}).optional();
-const samlMappingSchema = z.object({
-	id: z.string().optional(),
-	email: z.string().optional(),
-	emailVerified: z.string().optional(),
-	name: z.string().optional(),
-	firstName: z.string().optional(),
-	lastName: z.string().optional(),
-	extraFields: z.record(z.string(), z.any()).optional()
-}).optional();
-const oidcConfigSchema = z.object({
-	clientId: z.string().optional(),
-	clientSecret: z.string().optional(),
-	authorizationEndpoint: z.string().url().optional(),
-	tokenEndpoint: z.string().url().optional(),
-	userInfoEndpoint: z.string().url().optional(),
-	tokenEndpointAuthentication: z.enum(["client_secret_post", "client_secret_basic"]).optional(),
-	jwksEndpoint: z.string().url().optional(),
-	discoveryEndpoint: z.string().url().optional(),
-	scopes: z.array(z.string()).optional(),
-	pkce: z.boolean().optional(),
-	overrideUserInfo: z.boolean().optional(),
-	mapping: oidcMappingSchema
-});
-const samlConfigSchema = z.object({
-	entryPoint: z.string().url().optional(),
-	cert: z.string().optional(),
-	callbackUrl: z.string().url().optional(),
-	audience: z.string().optional(),
-	idpMetadata: z.object({
-		metadata: z.string().optional(),
-		entityID: z.string().optional(),
-		cert: z.string().optional(),
-		privateKey: z.string().optional(),
-		privateKeyPass: z.string().optional(),
-		isAssertionEncrypted: z.boolean().optional(),
-		encPrivateKey: z.string().optional(),
-		encPrivateKeyPass: z.string().optional(),
-		singleSignOnService: z.array(z.object({
-			Binding: z.string(),
-			Location: z.string().url()
-		})).optional()
-	}).optional(),
-	spMetadata: z.object({
-		metadata: z.string().optional(),
-		entityID: z.string().optional(),
-		binding: z.string().optional(),
-		privateKey: z.string().optional(),
-		privateKeyPass: z.string().optional(),
-		isAssertionEncrypted: z.boolean().optional(),
-		encPrivateKey: z.string().optional(),
-		encPrivateKeyPass: z.string().optional()
-	}).optional(),
-	wantAssertionsSigned: z.boolean().optional(),
-	authnRequestsSigned: z.boolean().optional(),
-	signatureAlgorithm: z.string().optional(),
-	digestAlgorithm: z.string().optional(),
-	identifierFormat: z.string().optional(),
-	privateKey: z.string().optional(),
-	decryptionPvk: z.string().optional(),
-	additionalParams: z.record(z.string(), z.any()).optional(),
-	mapping: samlMappingSchema
-});
-const updateSSOProviderBodySchema = z.object({
-	issuer: z.string().url().optional(),
-	domain: z.string().optional(),
-	oidcConfig: oidcConfigSchema.optional(),
-	samlConfig: samlConfigSchema.optional()
-});
-//#endregion
-//#region src/routes/providers.ts
-const ADMIN_ROLES = ["owner", "admin"];
-async function isOrgAdmin(ctx, userId, organizationId) {
-	const member = await ctx.context.adapter.findOne({
-		model: "member",
-		where: [{
-			field: "userId",
-			value: userId
-		}, {
-			field: "organizationId",
-			value: organizationId
-		}]
-	});
-	if (!member) return false;
-	return member.role.split(",").some((r) => ADMIN_ROLES.includes(r.trim()));
-}
-async function batchCheckOrgAdmin(ctx, userId, organizationIds) {
-	if (organizationIds.length === 0) return /* @__PURE__ */ new Set();
-	const members = await ctx.context.adapter.findMany({
-		model: "member",
-		where: [{
-			field: "userId",
-			value: userId
-		}, {
-			field: "organizationId",
-			value: organizationIds,
-			operator: "in"
-		}]
-	});
-	const adminOrgIds = /* @__PURE__ */ new Set();
-	for (const member of members) if (member.role.split(",").some((r) => ADMIN_ROLES.includes(r.trim()))) adminOrgIds.add(member.organizationId);
-	return adminOrgIds;
-}
-function sanitizeProvider(provider, baseURL) {
-	let oidcConfig = null;
-	let samlConfig = null;
-	try {
-		oidcConfig = safeJsonParse(provider.oidcConfig);
-	} catch {
-		oidcConfig = null;
-	}
-	try {
-		samlConfig = safeJsonParse(provider.samlConfig);
-	} catch {
-		samlConfig = null;
-	}
-	const type = samlConfig ? "saml" : "oidc";
-	return {
-		providerId: provider.providerId,
-		type,
-		issuer: provider.issuer,
-		domain: provider.domain,
-		organizationId: provider.organizationId || null,
-		domainVerified: provider.domainVerified ?? false,
-		oidcConfig: oidcConfig ? {
-			discoveryEndpoint: oidcConfig.discoveryEndpoint,
-			clientIdLastFour: maskClientId(oidcConfig.clientId),
-			pkce: oidcConfig.pkce,
-			authorizationEndpoint: oidcConfig.authorizationEndpoint,
-			tokenEndpoint: oidcConfig.tokenEndpoint,
-			userInfoEndpoint: oidcConfig.userInfoEndpoint,
-			jwksEndpoint: oidcConfig.jwksEndpoint,
-			scopes: oidcConfig.scopes,
-			tokenEndpointAuthentication: oidcConfig.tokenEndpointAuthentication
-		} : void 0,
-		samlConfig: samlConfig ? {
-			entryPoint: samlConfig.entryPoint,
-			callbackUrl: samlConfig.callbackUrl,
-			audience: samlConfig.audience,
-			wantAssertionsSigned: samlConfig.wantAssertionsSigned,
-			authnRequestsSigned: samlConfig.authnRequestsSigned,
-			identifierFormat: samlConfig.identifierFormat,
-			signatureAlgorithm: samlConfig.signatureAlgorithm,
-			digestAlgorithm: samlConfig.digestAlgorithm,
-			certificate: (() => {
-				try {
-					return parseCertificate(samlConfig.cert);
-				} catch {
-					return { error: "Failed to parse certificate" };
-				}
-			})()
-		} : void 0,
-		spMetadataUrl: `${baseURL}/sso/saml2/sp/metadata?providerId=${encodeURIComponent(provider.providerId)}`
-	};
-}
-const listSSOProviders = () => {
-	return createAuthEndpoint("/sso/providers", {
-		method: "GET",
-		use: [sessionMiddleware],
-		metadata: { openapi: {
-			operationId: "listSSOProviders",
-			summary: "List SSO providers",
-			description: "Returns a list of SSO providers the user has access to",
-			responses: { "200": { description: "List of SSO providers" } }
-		} }
-	}, async (ctx) => {
-		const userId = ctx.context.session.user.id;
-		const allProviders = await ctx.context.adapter.findMany({ model: "ssoProvider" });
-		const userOwnedProviders = allProviders.filter((p) => p.userId === userId && !p.organizationId);
-		const orgProviders = allProviders.filter((p) => p.organizationId !== null && p.organizationId !== void 0);
-		const orgPluginEnabled = ctx.context.hasPlugin("organization");
-		let accessibleProviders = [...userOwnedProviders];
-		if (orgPluginEnabled && orgProviders.length > 0) {
-			const adminOrgIds = await batchCheckOrgAdmin(ctx, userId, [...new Set(orgProviders.map((p) => p.organizationId).filter((id) => id !== null && id !== void 0))]);
-			const orgAccessibleProviders = orgProviders.filter((provider) => provider.organizationId && adminOrgIds.has(provider.organizationId));
-			accessibleProviders = [...accessibleProviders, ...orgAccessibleProviders];
-		} else if (!orgPluginEnabled) {
-			const userOwnedOrgProviders = orgProviders.filter((p) => p.userId === userId);
-			accessibleProviders = [...accessibleProviders, ...userOwnedOrgProviders];
-		}
-		const providers = accessibleProviders.map((p) => sanitizeProvider(p, ctx.context.baseURL));
-		return ctx.json({ providers });
-	});
-};
-const getSSOProviderQuerySchema = z.object({ providerId: z.string() });
-async function checkProviderAccess(ctx, providerId) {
-	const userId = ctx.context.session.user.id;
-	const provider = await ctx.context.adapter.findOne({
-		model: "ssoProvider",
-		where: [{
-			field: "providerId",
-			value: providerId
-		}]
-	});
-	if (!provider) throw new APIError("NOT_FOUND", { message: "Provider not found" });
-	let hasAccess = false;
-	if (provider.organizationId) if (ctx.context.hasPlugin("organization")) hasAccess = await isOrgAdmin(ctx, userId, provider.organizationId);
-	else hasAccess = provider.userId === userId;
-	else hasAccess = provider.userId === userId;
-	if (!hasAccess) throw new APIError("FORBIDDEN", { message: "You don't have access to this provider" });
-	return provider;
-}
-const getSSOProvider = () => {
-	return createAuthEndpoint("/sso/get-provider", {
-		method: "GET",
-		use: [sessionMiddleware],
-		query: getSSOProviderQuerySchema,
-		metadata: { openapi: {
-			operationId: "getSSOProvider",
-			summary: "Get SSO provider details",
-			description: "Returns sanitized details for a specific SSO provider",
-			responses: {
-				"200": { description: "SSO provider details" },
-				"404": { description: "Provider not found" },
-				"403": { description: "Access denied" }
-			}
-		} }
-	}, async (ctx) => {
-		const { providerId } = ctx.query;
-		const provider = await checkProviderAccess(ctx, providerId);
-		return ctx.json(sanitizeProvider(provider, ctx.context.baseURL));
-	});
-};
-function parseAndValidateConfig(configString, configType) {
-	let config = null;
-	try {
-		config = safeJsonParse(configString);
-	} catch {
-		config = null;
-	}
-	if (!config) throw new APIError("BAD_REQUEST", { message: `Cannot update ${configType} config for a provider that doesn't have ${configType} configured` });
-	return config;
-}
-function mergeSAMLConfig(current, updates, issuer) {
-	return {
-		...current,
-		...updates,
-		issuer,
-		entryPoint: updates.entryPoint ?? current.entryPoint,
-		cert: updates.cert ?? current.cert,
-		callbackUrl: updates.callbackUrl ?? current.callbackUrl,
-		spMetadata: updates.spMetadata ?? current.spMetadata,
-		idpMetadata: updates.idpMetadata ?? current.idpMetadata,
-		mapping: updates.mapping ?? current.mapping,
-		audience: updates.audience ?? current.audience,
-		wantAssertionsSigned: updates.wantAssertionsSigned ?? current.wantAssertionsSigned,
-		authnRequestsSigned: updates.authnRequestsSigned ?? current.authnRequestsSigned,
-		identifierFormat: updates.identifierFormat ?? current.identifierFormat,
-		signatureAlgorithm: updates.signatureAlgorithm ?? current.signatureAlgorithm,
-		digestAlgorithm: updates.digestAlgorithm ?? current.digestAlgorithm
-	};
-}
-function mergeOIDCConfig(current, updates, issuer) {
-	return {
-		...current,
-		...updates,
-		issuer,
-		pkce: updates.pkce ?? current.pkce ?? true,
-		clientId: updates.clientId ?? current.clientId,
-		clientSecret: updates.clientSecret ?? current.clientSecret,
-		discoveryEndpoint: updates.discoveryEndpoint ?? current.discoveryEndpoint,
-		mapping: updates.mapping ?? current.mapping,
-		scopes: updates.scopes ?? current.scopes,
-		authorizationEndpoint: updates.authorizationEndpoint ?? current.authorizationEndpoint,
-		tokenEndpoint: updates.tokenEndpoint ?? current.tokenEndpoint,
-		userInfoEndpoint: updates.userInfoEndpoint ?? current.userInfoEndpoint,
-		jwksEndpoint: updates.jwksEndpoint ?? current.jwksEndpoint,
-		tokenEndpointAuthentication: updates.tokenEndpointAuthentication ?? current.tokenEndpointAuthentication
-	};
-}
-const updateSSOProvider = (options) => {
-	return createAuthEndpoint("/sso/update-provider", {
-		method: "POST",
-		use: [sessionMiddleware],
-		body: updateSSOProviderBodySchema.extend({ providerId: z.string() }),
-		metadata: { openapi: {
-			operationId: "updateSSOProvider",
-			summary: "Update SSO provider",
-			description: "Partially update an SSO provider. Only provided fields are updated. If domain changes, domainVerified is reset to false.",
-			responses: {
-				"200": { description: "SSO provider updated successfully" },
-				"404": { description: "Provider not found" },
-				"403": { description: "Access denied" }
-			}
-		} }
-	}, async (ctx) => {
-		const { providerId, ...body } = ctx.body;
-		const { issuer, domain, samlConfig, oidcConfig } = body;
-		if (!issuer && !domain && !samlConfig && !oidcConfig) throw new APIError("BAD_REQUEST", { message: "No fields provided for update" });
-		const existingProvider = await checkProviderAccess(ctx, providerId);
-		const updateData = {};
-		if (body.issuer !== void 0) updateData.issuer = body.issuer;
-		if (body.domain !== void 0) {
-			updateData.domain = body.domain;
-			if (body.domain !== existingProvider.domain) updateData.domainVerified = false;
-		}
-		if (body.samlConfig) {
-			if (body.samlConfig.idpMetadata?.metadata) {
-				const maxMetadataSize = options?.saml?.maxMetadataSize ?? 102400;
-				if (new TextEncoder().encode(body.samlConfig.idpMetadata.metadata).length > maxMetadataSize) throw new APIError("BAD_REQUEST", { message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)` });
-			}
-			if (body.samlConfig.signatureAlgorithm !== void 0 || body.samlConfig.digestAlgorithm !== void 0) validateConfigAlgorithms({
-				signatureAlgorithm: body.samlConfig.signatureAlgorithm,
-				digestAlgorithm: body.samlConfig.digestAlgorithm
-			}, options?.saml?.algorithms);
-			const currentSamlConfig = parseAndValidateConfig(existingProvider.samlConfig, "SAML");
-			const updatedSamlConfig = mergeSAMLConfig(currentSamlConfig, body.samlConfig, updateData.issuer || currentSamlConfig.issuer || existingProvider.issuer);
-			updateData.samlConfig = JSON.stringify(updatedSamlConfig);
-		}
-		if (body.oidcConfig) {
-			const currentOidcConfig = parseAndValidateConfig(existingProvider.oidcConfig, "OIDC");
-			const updatedOidcConfig = mergeOIDCConfig(currentOidcConfig, body.oidcConfig, updateData.issuer || currentOidcConfig.issuer || existingProvider.issuer);
-			updateData.oidcConfig = JSON.stringify(updatedOidcConfig);
-		}
-		await ctx.context.adapter.update({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: providerId
-			}],
-			update: updateData
-		});
-		const fullProvider = await ctx.context.adapter.findOne({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: providerId
-			}]
-		});
-		if (!fullProvider) throw new APIError("NOT_FOUND", { message: "Provider not found after update" });
-		return ctx.json(sanitizeProvider(fullProvider, ctx.context.baseURL));
-	});
-};
-const deleteSSOProvider = () => {
-	return createAuthEndpoint("/sso/delete-provider", {
-		method: "POST",
-		use: [sessionMiddleware],
-		body: z.object({ providerId: z.string() }),
-		metadata: { openapi: {
-			operationId: "deleteSSOProvider",
-			summary: "Delete SSO provider",
-			description: "Deletes an SSO provider",
-			responses: {
-				"200": { description: "SSO provider deleted successfully" },
-				"404": { description: "Provider not found" },
-				"403": { description: "Access denied" }
-			}
-		} }
-	}, async (ctx) => {
-		const { providerId } = ctx.body;
-		await checkProviderAccess(ctx, providerId);
-		await ctx.context.adapter.delete({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: providerId
-			}]
-		});
-		return ctx.json({ success: true });
-	});
-};
-//#endregion
-//#region src/oidc/types.ts
 /**
-* Custom error class for OIDC discovery failures.
-* Can be caught and mapped to APIError at the edge.
+* Select the token endpoint authentication method.
+*
+* @param doc - The discovery document
+* @param existing - Existing authentication method from config
+* @returns The selected authentication method
+*/
+function selectTokenEndpointAuthMethod(doc, existing) {
+	if (existing) return existing;
+	const supported = doc.token_endpoint_auth_methods_supported;
+	if (!supported || supported.length === 0) return "client_secret_basic";
+	if (supported.includes("client_secret_basic")) return "client_secret_basic";
+	if (supported.includes("client_secret_post")) return "client_secret_post";
+	return "client_secret_basic";
+}
+/**
+* Check if a provider configuration needs runtime discovery.
+*
+* Returns true if we need discovery at runtime to complete the token exchange
+* and validation. Specifically checks for:
+* - `tokenEndpoint` - required for exchanging authorization code for tokens
+* - `jwksEndpoint` - required for validating ID token signatures
+* - `authorizationEndpoint` - required for redirecting users to the IdP for login
+*
+* @param config - Partial OIDC config from the provider
+* @returns true if runtime discovery should be performed
 */
-var DiscoveryError = class DiscoveryError extends Error {
-	code;
-	details;
-	constructor(code, message, details, options) {
-		super(message, options);
-		this.name = "DiscoveryError";
-		this.code = code;
-		this.details = details;
-		if (Error.captureStackTrace) Error.captureStackTrace(this, DiscoveryError);
-	}
-};
+function needsRuntimeDiscovery(config) {
+	if (!config) return true;
+	return !config.tokenEndpoint || !config.jwksEndpoint || !config.authorizationEndpoint;
+}
 /**
-* Required fields that must be present in a valid discovery document.
+* Runs runtime OIDC discovery when the stored config is missing required
+* endpoints, and merges the hydrated fields back into the config.
+* Throws if discovery fails.
 */
-const REQUIRED_DISCOVERY_FIELDS = [
-	"issuer",
-	"authorization_endpoint",
-	"token_endpoint",
-	"jwks_uri"
-];
+async function ensureRuntimeDiscovery(config, issuer, isTrustedOrigin) {
+	if (!needsRuntimeDiscovery(config)) return config;
+	const hydrated = await discoverOIDCConfig({
+		issuer,
+		existingConfig: config,
+		isTrustedOrigin
+	});
+	return {
+		...config,
+		authorizationEndpoint: hydrated.authorizationEndpoint,
+		tokenEndpoint: hydrated.tokenEndpoint,
+		tokenEndpointAuthentication: hydrated.tokenEndpointAuthentication,
+		userInfoEndpoint: hydrated.userInfoEndpoint,
+		jwksEndpoint: hydrated.jwksEndpoint
+	};
+}
 //#endregion
-//#region src/oidc/discovery.ts
+//#region src/oidc/errors.ts
 /**
-* OIDC Discovery Pipeline
-*
-* Implements OIDC discovery document fetching, validation, and hydration.
-* This module is used both at provider registration time (to persist validated config)
-* and at runtime (to hydrate legacy providers that are missing metadata).
+* OIDC Discovery Error Mapping
 *
-* @see https://openid.net/specs/openid-connect-discovery-1_0.html
+* Maps DiscoveryError codes to appropriate APIError responses.
+* Used at the boundary between the discovery pipeline and HTTP handlers.
 */
-/** Default timeout for discovery requests (10 seconds) */
-const DEFAULT_DISCOVERY_TIMEOUT = 1e4;
 /**
-* Main entry point: Discover and hydrate OIDC configuration from an issuer.
+* Maps a DiscoveryError to an appropriate APIError for HTTP responses.
 *
-* This function:
-* 1. Computes the discovery URL from the issuer
-* 2. Validates the discovery URL
-* 3. Fetches the discovery document
-* 4. Validates the discovery document (issuer match + required fields)
-* 5. Normalizes URLs
-* 6. Selects token endpoint auth method
-* 7. Merges with existing config (existing values take precedence)
+* Error code mapping:
+* - discovery_invalid_url        → 400 BAD_REQUEST
+* - discovery_not_found          → 400 BAD_REQUEST
+* - discovery_untrusted_origin   → 400 BAD_REQUEST
+* - discovery_private_host       → 400 BAD_REQUEST
+* - discovery_invalid_json       → 400 BAD_REQUEST
+* - discovery_incomplete         → 400 BAD_REQUEST
+* - issuer_mismatch              → 400 BAD_REQUEST
+* - unsupported_token_auth_method → 400 BAD_REQUEST
+* - discovery_timeout            → 502 BAD_GATEWAY
+* - discovery_unexpected_error   → 502 BAD_GATEWAY
 *
-* @param params - Discovery parameters
-* @param isTrustedOrigin - Origin verification tester function
-* @returns Hydrated OIDC configuration ready for persistence
-* @throws DiscoveryError on any failure
+* @param error - The DiscoveryError to map
+* @returns An APIError with appropriate status and message
 */
-async function discoverOIDCConfig(params) {
-	const { issuer, existingConfig, timeout = DEFAULT_DISCOVERY_TIMEOUT } = params;
-	const discoveryUrl = params.discoveryEndpoint || existingConfig?.discoveryEndpoint || computeDiscoveryUrl(issuer);
-	validateDiscoveryUrl(discoveryUrl, params.isTrustedOrigin);
-	const discoveryDoc = await fetchDiscoveryDocument(discoveryUrl, timeout);
-	validateDiscoveryDocument(discoveryDoc, issuer);
-	const normalizedDoc = normalizeDiscoveryUrls(discoveryDoc, issuer, params.isTrustedOrigin);
-	const tokenEndpointAuth = selectTokenEndpointAuthMethod(normalizedDoc, existingConfig?.tokenEndpointAuthentication);
-	return {
-		issuer: existingConfig?.issuer ?? normalizedDoc.issuer,
-		discoveryEndpoint: existingConfig?.discoveryEndpoint ?? discoveryUrl,
-		authorizationEndpoint: existingConfig?.authorizationEndpoint ?? normalizedDoc.authorization_endpoint,
-		tokenEndpoint: existingConfig?.tokenEndpoint ?? normalizedDoc.token_endpoint,
-		jwksEndpoint: existingConfig?.jwksEndpoint ?? normalizedDoc.jwks_uri,
-		userInfoEndpoint: existingConfig?.userInfoEndpoint ?? normalizedDoc.userinfo_endpoint,
-		tokenEndpointAuthentication: existingConfig?.tokenEndpointAuthentication ?? tokenEndpointAuth,
-		scopesSupported: existingConfig?.scopesSupported ?? normalizedDoc.scopes_supported
-	};
+function mapDiscoveryErrorToAPIError(error) {
+	switch (error.code) {
+		case "discovery_timeout": return new APIError("BAD_GATEWAY", {
+			message: `OIDC discovery timed out: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_unexpected_error": return new APIError("BAD_GATEWAY", {
+			message: `OIDC discovery failed: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_not_found": return new APIError("BAD_REQUEST", {
+			message: `OIDC discovery endpoint not found. The issuer may not support OIDC discovery, or the URL is incorrect. ${error.message}`,
+			code: error.code
+		});
+		case "discovery_invalid_url": return new APIError("BAD_REQUEST", {
+			message: `Invalid OIDC endpoint URL: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_untrusted_origin": return new APIError("BAD_REQUEST", {
+			message: `Untrusted OIDC discovery URL: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_private_host": return new APIError("BAD_REQUEST", {
+			message: error.message,
+			code: error.code
+		});
+		case "discovery_invalid_json": return new APIError("BAD_REQUEST", {
+			message: `OIDC discovery returned invalid data: ${error.message}`,
+			code: error.code
+		});
+		case "discovery_incomplete": return new APIError("BAD_REQUEST", {
+			message: `OIDC discovery document is missing required fields: ${error.message}`,
+			code: error.code
+		});
+		case "issuer_mismatch": return new APIError("BAD_REQUEST", {
+			message: `OIDC issuer mismatch: ${error.message}`,
+			code: error.code
+		});
+		case "unsupported_token_auth_method": return new APIError("BAD_REQUEST", {
+			message: `Incompatible OIDC provider: ${error.message}`,
+			code: error.code
+		});
+		default:
+			error.code;
+			return new APIError("INTERNAL_SERVER_ERROR", {
+				message: `Unexpected discovery error: ${error.message}`,
+				code: "discovery_unexpected_error"
+			});
+	}
+}
+//#endregion
+//#region src/saml/parser.ts
+const xmlParser = new XMLParser({
+	ignoreAttributes: false,
+	attributeNamePrefix: "@_",
+	removeNSPrefix: true,
+	processEntities: false
+});
+function findNode(obj, nodeName) {
+	if (!obj || typeof obj !== "object") return null;
+	const record = obj;
+	if (nodeName in record) return record[nodeName];
+	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) {
+		const found = findNode(item, nodeName);
+		if (found) return found;
+	}
+	else if (typeof value === "object" && value !== null) {
+		const found = findNode(value, nodeName);
+		if (found) return found;
+	}
+	return null;
+}
+function countAllNodes(obj, nodeName) {
+	if (!obj || typeof obj !== "object") return 0;
+	let count = 0;
+	const record = obj;
+	if (nodeName in record) {
+		const node = record[nodeName];
+		count += Array.isArray(node) ? node.length : 1;
+	}
+	for (const value of Object.values(record)) if (Array.isArray(value)) for (const item of value) count += countAllNodes(item, nodeName);
+	else if (typeof value === "object" && value !== null) count += countAllNodes(value, nodeName);
+	return count;
+}
+//#endregion
+//#region src/saml/algorithms.ts
+const SignatureAlgorithm = {
+	RSA_SHA1: "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+	RSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
+	RSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
+	RSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
+	ECDSA_SHA256: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
+	ECDSA_SHA384: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
+	ECDSA_SHA512: "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512"
+};
+const DigestAlgorithm = {
+	SHA1: "http://www.w3.org/2000/09/xmldsig#sha1",
+	SHA256: "http://www.w3.org/2001/04/xmlenc#sha256",
+	SHA384: "http://www.w3.org/2001/04/xmldsig-more#sha384",
+	SHA512: "http://www.w3.org/2001/04/xmlenc#sha512"
+};
+const KeyEncryptionAlgorithm = {
+	RSA_1_5: "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
+	RSA_OAEP: "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
+	RSA_OAEP_SHA256: "http://www.w3.org/2009/xmlenc11#rsa-oaep"
+};
+const DataEncryptionAlgorithm = {
+	TRIPLEDES_CBC: "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
+	AES_128_CBC: "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
+	AES_192_CBC: "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
+	AES_256_CBC: "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
+	AES_128_GCM: "http://www.w3.org/2009/xmlenc11#aes128-gcm",
+	AES_192_GCM: "http://www.w3.org/2009/xmlenc11#aes192-gcm",
+	AES_256_GCM: "http://www.w3.org/2009/xmlenc11#aes256-gcm"
+};
+const DEPRECATED_SIGNATURE_ALGORITHMS = [SignatureAlgorithm.RSA_SHA1];
+const DEPRECATED_KEY_ENCRYPTION_ALGORITHMS = [KeyEncryptionAlgorithm.RSA_1_5];
+const DEPRECATED_DATA_ENCRYPTION_ALGORITHMS = [DataEncryptionAlgorithm.TRIPLEDES_CBC];
+const DEPRECATED_DIGEST_ALGORITHMS = [DigestAlgorithm.SHA1];
+const SECURE_SIGNATURE_ALGORITHMS = [
+	SignatureAlgorithm.RSA_SHA256,
+	SignatureAlgorithm.RSA_SHA384,
+	SignatureAlgorithm.RSA_SHA512,
+	SignatureAlgorithm.ECDSA_SHA256,
+	SignatureAlgorithm.ECDSA_SHA384,
+	SignatureAlgorithm.ECDSA_SHA512
+];
+const SECURE_DIGEST_ALGORITHMS = [
+	DigestAlgorithm.SHA256,
+	DigestAlgorithm.SHA384,
+	DigestAlgorithm.SHA512
+];
+const SHORT_FORM_SIGNATURE_TO_URI = {
+	sha1: SignatureAlgorithm.RSA_SHA1,
+	sha256: SignatureAlgorithm.RSA_SHA256,
+	sha384: SignatureAlgorithm.RSA_SHA384,
+	sha512: SignatureAlgorithm.RSA_SHA512,
+	"rsa-sha1": SignatureAlgorithm.RSA_SHA1,
+	"rsa-sha256": SignatureAlgorithm.RSA_SHA256,
+	"rsa-sha384": SignatureAlgorithm.RSA_SHA384,
+	"rsa-sha512": SignatureAlgorithm.RSA_SHA512,
+	"ecdsa-sha256": SignatureAlgorithm.ECDSA_SHA256,
+	"ecdsa-sha384": SignatureAlgorithm.ECDSA_SHA384,
+	"ecdsa-sha512": SignatureAlgorithm.ECDSA_SHA512
+};
+const SHORT_FORM_DIGEST_TO_URI = {
+	sha1: DigestAlgorithm.SHA1,
+	sha256: DigestAlgorithm.SHA256,
+	sha384: DigestAlgorithm.SHA384,
+	sha512: DigestAlgorithm.SHA512
+};
+function normalizeSignatureAlgorithm(alg) {
+	return SHORT_FORM_SIGNATURE_TO_URI[alg.toLowerCase()] ?? alg;
 }
-/**
-* Compute the discovery URL from an issuer URL.
-*
-* Per OIDC Discovery spec, the discovery document is located at:
-* <issuer>/.well-known/openid-configuration
-*
-* Handles trailing slashes correctly.
-*/
-function computeDiscoveryUrl(issuer) {
-	return `${issuer.endsWith("/") ? issuer.slice(0, -1) : issuer}/.well-known/openid-configuration`;
+function normalizeDigestAlgorithm(alg) {
+	return SHORT_FORM_DIGEST_TO_URI[alg.toLowerCase()] ?? alg;
 }
-/**
-* Validate a discovery URL before fetching.
-*
-* @param url - The discovery URL to validate
-* @param isTrustedOrigin - Origin verification tester function
-* @throws DiscoveryError if URL is invalid
-*/
-function validateDiscoveryUrl(url, isTrustedOrigin) {
-	const discoveryEndpoint = parseURL("discoveryEndpoint", url).toString();
-	if (!isTrustedOrigin(discoveryEndpoint)) throw new DiscoveryError("discovery_untrusted_origin", `The main discovery endpoint "${discoveryEndpoint}" is not trusted by your trusted origins configuration.`, { url: discoveryEndpoint });
+function extractEncryptionAlgorithms(xml) {
+	try {
+		const parsed = xmlParser.parse(xml);
+		const keyAlg = (findNode(parsed, "EncryptedKey")?.EncryptionMethod)?.["@_Algorithm"];
+		const dataAlg = (findNode(parsed, "EncryptedData")?.EncryptionMethod)?.["@_Algorithm"];
+		return {
+			keyEncryption: keyAlg || null,
+			dataEncryption: dataAlg || null
+		};
+	} catch {
+		return {
+			keyEncryption: null,
+			dataEncryption: null
+		};
+	}
 }
-/**
-* Fetch the OIDC discovery document from the IdP.
-*
-* @param url - The discovery endpoint URL
-* @param timeout - Request timeout in milliseconds
-* @returns The parsed discovery document
-* @throws DiscoveryError on network errors, timeouts, or invalid responses
-*/
-async function fetchDiscoveryDocument(url, timeout = DEFAULT_DISCOVERY_TIMEOUT) {
+function hasEncryptedAssertion(xml) {
 	try {
-		const response = await betterFetch(url, {
-			method: "GET",
-			timeout
+		return findNode(xmlParser.parse(xml), "EncryptedAssertion") !== null;
+	} catch {
+		return false;
+	}
+}
+function handleDeprecatedAlgorithm(message, behavior, errorCode) {
+	switch (behavior) {
+		case "reject": throw new APIError("BAD_REQUEST", {
+			message,
+			code: errorCode
 		});
-		if (response.error) {
-			const { status } = response.error;
-			if (status === 404) throw new DiscoveryError("discovery_not_found", "Discovery endpoint not found", {
-				url,
-				status
+		case "warn":
+			console.warn(`[SAML Security Warning] ${message}`);
+			break;
+		case "allow": break;
+	}
+}
+function validateSignatureAlgorithm(algorithm, options = {}) {
+	if (!algorithm) return;
+	const { onDeprecated = "warn", allowedSignatureAlgorithms } = options;
+	if (allowedSignatureAlgorithms) {
+		if (!allowedSignatureAlgorithms.includes(algorithm)) throw new APIError("BAD_REQUEST", {
+			message: `SAML signature algorithm not in allow-list: ${algorithm}`,
+			code: "SAML_ALGORITHM_NOT_ALLOWED"
+		});
+		return;
+	}
+	if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(algorithm)) {
+		handleDeprecatedAlgorithm(`SAML response uses deprecated signature algorithm: ${algorithm}. Please configure your IdP to use SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+		return;
+	}
+	if (!SECURE_SIGNATURE_ALGORITHMS.includes(algorithm)) throw new APIError("BAD_REQUEST", {
+		message: `SAML signature algorithm not recognized: ${algorithm}`,
+		code: "SAML_UNKNOWN_ALGORITHM"
+	});
+}
+function validateEncryptionAlgorithms(algorithms, options = {}) {
+	const { onDeprecated = "warn", allowedKeyEncryptionAlgorithms, allowedDataEncryptionAlgorithms } = options;
+	const { keyEncryption, dataEncryption } = algorithms;
+	if (keyEncryption) {
+		if (allowedKeyEncryptionAlgorithms) {
+			if (!allowedKeyEncryptionAlgorithms.includes(keyEncryption)) throw new APIError("BAD_REQUEST", {
+				message: `SAML key encryption algorithm not in allow-list: ${keyEncryption}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
 			});
-			if (status === 408) throw new DiscoveryError("discovery_timeout", "Discovery request timed out", {
-				url,
-				timeout
+		} else if (DEPRECATED_KEY_ENCRYPTION_ALGORITHMS.includes(keyEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated key encryption algorithm: ${keyEncryption}. Please configure your IdP to use RSA-OAEP.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+	}
+	if (dataEncryption) {
+		if (allowedDataEncryptionAlgorithms) {
+			if (!allowedDataEncryptionAlgorithms.includes(dataEncryption)) throw new APIError("BAD_REQUEST", {
+				message: `SAML data encryption algorithm not in allow-list: ${dataEncryption}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
 			});
-			throw new DiscoveryError("discovery_unexpected_error", `Unexpected discovery error: ${response.error.statusText}`, {
-				url,
-				...response.error
+		} else if (DEPRECATED_DATA_ENCRYPTION_ALGORITHMS.includes(dataEncryption)) handleDeprecatedAlgorithm(`SAML response uses deprecated data encryption algorithm: ${dataEncryption}. Please configure your IdP to use AES-GCM.`, onDeprecated, "SAML_DEPRECATED_ALGORITHM");
+	}
+}
+function validateSAMLAlgorithms(response, options) {
+	validateSignatureAlgorithm(response.sigAlg, options);
+	if (hasEncryptedAssertion(response.samlContent)) validateEncryptionAlgorithms(extractEncryptionAlgorithms(response.samlContent), options);
+}
+function validateConfigAlgorithms(config, options = {}) {
+	const { onDeprecated = "warn", allowedSignatureAlgorithms, allowedDigestAlgorithms } = options;
+	if (config.signatureAlgorithm) {
+		const normalized = normalizeSignatureAlgorithm(config.signatureAlgorithm);
+		if (allowedSignatureAlgorithms) {
+			if (!allowedSignatureAlgorithms.map(normalizeSignatureAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
+				message: `SAML signature algorithm not in allow-list: ${config.signatureAlgorithm}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
 			});
-		}
-		if (!response.data) throw new DiscoveryError("discovery_invalid_json", "Discovery endpoint returned an empty response", { url });
-		const data = response.data;
-		if (typeof data === "string") throw new DiscoveryError("discovery_invalid_json", "Discovery endpoint returned invalid JSON", {
-			url,
-			bodyPreview: data.slice(0, 200)
+		} else if (DEPRECATED_SIGNATURE_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated signature algorithm: ${config.signatureAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
+		else if (!SECURE_SIGNATURE_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
+			message: `SAML signature algorithm not recognized: ${config.signatureAlgorithm}`,
+			code: "SAML_UNKNOWN_ALGORITHM"
 		});
-		return data;
-	} catch (error) {
-		if (error instanceof DiscoveryError) throw error;
-		if (error instanceof Error && error.name === "AbortError") throw new DiscoveryError("discovery_timeout", "Discovery request timed out", {
-			url,
-			timeout
+	}
+	if (config.digestAlgorithm) {
+		const normalized = normalizeDigestAlgorithm(config.digestAlgorithm);
+		if (allowedDigestAlgorithms) {
+			if (!allowedDigestAlgorithms.map(normalizeDigestAlgorithm).includes(normalized)) throw new APIError("BAD_REQUEST", {
+				message: `SAML digest algorithm not in allow-list: ${config.digestAlgorithm}`,
+				code: "SAML_ALGORITHM_NOT_ALLOWED"
+			});
+		} else if (DEPRECATED_DIGEST_ALGORITHMS.includes(normalized)) handleDeprecatedAlgorithm(`SAML config uses deprecated digest algorithm: ${config.digestAlgorithm}. Consider using SHA-256 or stronger.`, onDeprecated, "SAML_DEPRECATED_CONFIG_ALGORITHM");
+		else if (!SECURE_DIGEST_ALGORITHMS.includes(normalized)) throw new APIError("BAD_REQUEST", {
+			message: `SAML digest algorithm not recognized: ${config.digestAlgorithm}`,
+			code: "SAML_UNKNOWN_ALGORITHM"
+		});
+	}
+}
+//#endregion
+//#region src/saml/assertions.ts
+function countAssertions(xml) {
+	let parsed;
+	try {
+		parsed = xmlParser.parse(xml);
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			message: "Failed to parse SAML response XML",
+			code: "SAML_INVALID_XML"
+		});
+	}
+	const assertions = countAllNodes(parsed, "Assertion");
+	const encryptedAssertions = countAllNodes(parsed, "EncryptedAssertion");
+	return {
+		assertions,
+		encryptedAssertions,
+		total: assertions + encryptedAssertions
+	};
+}
+function validateSingleAssertion(samlResponse) {
+	let xml;
+	try {
+		xml = new TextDecoder().decode(base64.decode(samlResponse.replace(/\s+/g, "")));
+		if (!xml.includes("<")) throw new Error("Not XML");
+	} catch {
+		throw new APIError("BAD_REQUEST", {
+			message: "Invalid base64-encoded SAML response",
+			code: "SAML_INVALID_ENCODING"
 		});
-		throw new DiscoveryError("discovery_unexpected_error", `Unexpected error during discovery: ${error instanceof Error ? error.message : String(error)}`, { url }, { cause: error });
 	}
+	const counts = countAssertions(xml);
+	if (counts.total === 0) throw new APIError("BAD_REQUEST", {
+		message: "SAML response contains no assertions",
+		code: "SAML_NO_ASSERTION"
+	});
+	if (counts.total > 1) throw new APIError("BAD_REQUEST", {
+		message: `SAML response contains ${counts.total} assertions, expected exactly 1`,
+		code: "SAML_MULTIPLE_ASSERTIONS"
+	});
+}
+//#endregion
+//#region src/routes/schemas.ts
+const oidcMappingSchema = z.object({
+	id: z.string().optional(),
+	email: z.string().optional(),
+	emailVerified: z.string().optional(),
+	name: z.string().optional(),
+	image: z.string().optional(),
+	extraFields: z.record(z.string(), z.any()).optional()
+}).optional();
+const samlMappingSchema = z.object({
+	id: z.string().optional(),
+	email: z.string().optional(),
+	emailVerified: z.string().optional(),
+	name: z.string().optional(),
+	firstName: z.string().optional(),
+	lastName: z.string().optional(),
+	extraFields: z.record(z.string(), z.any()).optional()
+}).optional();
+const oidcConfigSchema = z.object({
+	clientId: z.string().optional(),
+	clientSecret: z.string().optional(),
+	authorizationEndpoint: z.url().optional(),
+	tokenEndpoint: z.url().optional(),
+	userInfoEndpoint: z.url().optional(),
+	tokenEndpointAuthentication: z.enum(["client_secret_post", "client_secret_basic"]).optional(),
+	jwksEndpoint: z.url().optional(),
+	discoveryEndpoint: z.url().optional(),
+	scopes: z.array(z.string()).optional(),
+	pkce: z.boolean().optional(),
+	overrideUserInfo: z.boolean().optional(),
+	mapping: oidcMappingSchema
+});
+const samlConfigSchema = z.object({
+	entryPoint: z.string().url().optional(),
+	cert: z.string().optional(),
+	callbackUrl: z.string().url().optional(),
+	audience: z.string().optional(),
+	idpMetadata: z.object({
+		metadata: z.string().optional(),
+		entityID: z.string().optional(),
+		cert: z.string().optional(),
+		privateKey: z.string().optional(),
+		privateKeyPass: z.string().optional(),
+		isAssertionEncrypted: z.boolean().optional(),
+		encPrivateKey: z.string().optional(),
+		encPrivateKeyPass: z.string().optional(),
+		singleSignOnService: z.array(z.object({
+			Binding: z.string(),
+			Location: z.string().url()
+		})).optional()
+	}).optional(),
+	spMetadata: z.object({
+		metadata: z.string().optional(),
+		entityID: z.string().optional(),
+		binding: z.string().optional(),
+		privateKey: z.string().optional(),
+		privateKeyPass: z.string().optional(),
+		isAssertionEncrypted: z.boolean().optional(),
+		encPrivateKey: z.string().optional(),
+		encPrivateKeyPass: z.string().optional()
+	}).optional(),
+	wantAssertionsSigned: z.boolean().optional(),
+	authnRequestsSigned: z.boolean().optional(),
+	signatureAlgorithm: z.string().optional(),
+	digestAlgorithm: z.string().optional(),
+	identifierFormat: z.string().optional(),
+	privateKey: z.string().optional(),
+	decryptionPvk: z.string().optional(),
+	additionalParams: z.record(z.string(), z.any()).optional(),
+	mapping: samlMappingSchema
+});
+const updateSSOProviderBodySchema = z.object({
+	issuer: z.string().url().optional(),
+	domain: z.string().optional(),
+	oidcConfig: oidcConfigSchema.optional(),
+	samlConfig: samlConfigSchema.optional()
+});
+//#endregion
+//#region src/routes/providers.ts
+const ADMIN_ROLES = ["owner", "admin"];
+function hasOrgAdminRole(member) {
+	return member.role.split(",").some((r) => ADMIN_ROLES.includes(r.trim()));
 }
-/**
-* Validate a discovery document.
-*
-* Checks:
-* 1. All required fields are present
-* 2. Issuer matches the configured issuer (case-sensitive, exact match)
-*
-* Invariant: If this function returns without throwing, the document is safe
-* to use for hydrating OIDC config (required fields present, issuer matches
-* configured value, basic structural sanity verified).
-*
-* @param doc - The discovery document to validate
-* @param configuredIssuer - The expected issuer value
-* @throws DiscoveryError if validation fails
-*/
-function validateDiscoveryDocument(doc, configuredIssuer) {
-	const missingFields = [];
-	for (const field of REQUIRED_DISCOVERY_FIELDS) if (!doc[field]) missingFields.push(field);
-	if (missingFields.length > 0) throw new DiscoveryError("discovery_incomplete", `Discovery document is missing required fields: ${missingFields.join(", ")}`, { missingFields });
-	if ((doc.issuer.endsWith("/") ? doc.issuer.slice(0, -1) : doc.issuer) !== (configuredIssuer.endsWith("/") ? configuredIssuer.slice(0, -1) : configuredIssuer)) throw new DiscoveryError("issuer_mismatch", `Discovered issuer "${doc.issuer}" does not match configured issuer "${configuredIssuer}"`, {
-		discovered: doc.issuer,
-		configured: configuredIssuer
+async function isOrgAdmin(ctx, userId, organizationId) {
+	const member = await ctx.context.adapter.findOne({
+		model: "member",
+		where: [{
+			field: "userId",
+			value: userId
+		}, {
+			field: "organizationId",
+			value: organizationId
+		}]
 	});
+	return member ? hasOrgAdminRole(member) : false;
 }
-/**
-* Normalize URLs in the discovery document.
-*
-* @param document - The discovery document
-* @param issuer - The base issuer URL
-* @param isTrustedOrigin - Origin verification tester function
-* @returns The normalized discovery document
-*/
-function normalizeDiscoveryUrls(document, issuer, isTrustedOrigin) {
-	const doc = { ...document };
-	doc.token_endpoint = normalizeAndValidateUrl("token_endpoint", doc.token_endpoint, issuer, isTrustedOrigin);
-	doc.authorization_endpoint = normalizeAndValidateUrl("authorization_endpoint", doc.authorization_endpoint, issuer, isTrustedOrigin);
-	doc.jwks_uri = normalizeAndValidateUrl("jwks_uri", doc.jwks_uri, issuer, isTrustedOrigin);
-	if (doc.userinfo_endpoint) doc.userinfo_endpoint = normalizeAndValidateUrl("userinfo_endpoint", doc.userinfo_endpoint, issuer, isTrustedOrigin);
-	if (doc.revocation_endpoint) doc.revocation_endpoint = normalizeAndValidateUrl("revocation_endpoint", doc.revocation_endpoint, issuer, isTrustedOrigin);
-	if (doc.end_session_endpoint) doc.end_session_endpoint = normalizeAndValidateUrl("end_session_endpoint", doc.end_session_endpoint, issuer, isTrustedOrigin);
-	if (doc.introspection_endpoint) doc.introspection_endpoint = normalizeAndValidateUrl("introspection_endpoint", doc.introspection_endpoint, issuer, isTrustedOrigin);
-	return doc;
-}
-/**
-* Normalizes and validates a single URL endpoint
-* @param name The url name
-* @param endpoint The url to validate
-* @param issuer The issuer base url
-* @param isTrustedOrigin - Origin verification tester function
-* @returns
-*/
-function normalizeAndValidateUrl(name, endpoint, issuer, isTrustedOrigin) {
-	const url = normalizeUrl(name, endpoint, issuer);
-	if (!isTrustedOrigin(url)) throw new DiscoveryError("discovery_untrusted_origin", `The ${name} "${url}" is not trusted by your trusted origins configuration.`, {
-		endpoint: name,
-		url
+async function batchCheckOrgAdmin(ctx, userId, organizationIds) {
+	if (organizationIds.length === 0) return /* @__PURE__ */ new Set();
+	const members = await ctx.context.adapter.findMany({
+		model: "member",
+		where: [{
+			field: "userId",
+			value: userId
+		}, {
+			field: "organizationId",
+			value: organizationIds,
+			operator: "in"
+		}]
 	});
-	return url;
+	const adminOrgIds = /* @__PURE__ */ new Set();
+	for (const member of members) if (hasOrgAdminRole(member)) adminOrgIds.add(member.organizationId);
+	return adminOrgIds;
 }
-/**
-* Normalize a single URL endpoint.
-*
-* @param name - The endpoint name (e.g token_endpoint)
-* @param endpoint - The endpoint URL to normalize
-* @param issuer - The base issuer URL
-* @returns The normalized endpoint URL
-*/
-function normalizeUrl(name, endpoint, issuer) {
+function sanitizeProvider(provider, baseURL) {
+	let oidcConfig = null;
+	let samlConfig = null;
 	try {
-		return parseURL(name, endpoint).toString();
+		oidcConfig = safeJsonParse(provider.oidcConfig);
 	} catch {
-		const issuerURL = parseURL(name, issuer);
-		const basePath = issuerURL.pathname.replace(/\/+$/, "");
-		const endpointPath = endpoint.replace(/^\/+/, "");
-		return parseURL(name, basePath + "/" + endpointPath, issuerURL.origin).toString();
+		oidcConfig = null;
 	}
-}
-/**
-* Parses the given URL or throws in case of invalid or unsupported protocols
-*
-* @param name the url name
-* @param endpoint the endpoint url
-* @param [base] optional base path
-* @returns
-*/
-function parseURL(name, endpoint, base) {
-	let endpointURL;
 	try {
-		endpointURL = new URL(endpoint, base);
-		if (endpointURL.protocol === "http:" || endpointURL.protocol === "https:") return endpointURL;
-	} catch (error) {
-		throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must be valid: ${endpoint}`, { url: endpoint }, { cause: error });
+		samlConfig = safeJsonParse(provider.samlConfig);
+	} catch {
+		samlConfig = null;
 	}
-	throw new DiscoveryError("discovery_invalid_url", `The url "${name}" must use the http or https supported protocols: ${endpoint}`, {
-		url: endpoint,
-		protocol: endpointURL.protocol
-	});
+	const type = samlConfig ? "saml" : "oidc";
+	return {
+		providerId: provider.providerId,
+		type,
+		issuer: provider.issuer,
+		domain: provider.domain,
+		organizationId: provider.organizationId || null,
+		domainVerified: provider.domainVerified ?? false,
+		oidcConfig: oidcConfig ? {
+			discoveryEndpoint: oidcConfig.discoveryEndpoint,
+			clientIdLastFour: maskClientId(oidcConfig.clientId),
+			pkce: oidcConfig.pkce,
+			authorizationEndpoint: oidcConfig.authorizationEndpoint,
+			tokenEndpoint: oidcConfig.tokenEndpoint,
+			userInfoEndpoint: oidcConfig.userInfoEndpoint,
+			jwksEndpoint: oidcConfig.jwksEndpoint,
+			scopes: oidcConfig.scopes,
+			tokenEndpointAuthentication: oidcConfig.tokenEndpointAuthentication
+		} : void 0,
+		samlConfig: samlConfig ? {
+			entryPoint: samlConfig.entryPoint,
+			callbackUrl: samlConfig.callbackUrl,
+			audience: samlConfig.audience,
+			wantAssertionsSigned: samlConfig.wantAssertionsSigned,
+			authnRequestsSigned: samlConfig.authnRequestsSigned,
+			identifierFormat: samlConfig.identifierFormat,
+			signatureAlgorithm: samlConfig.signatureAlgorithm,
+			digestAlgorithm: samlConfig.digestAlgorithm,
+			certificate: (() => {
+				try {
+					return parseCertificate(samlConfig.cert);
+				} catch {
+					return { error: "Failed to parse certificate" };
+				}
+			})()
+		} : void 0,
+		spMetadataUrl: `${baseURL}/sso/saml2/sp/metadata?providerId=${encodeURIComponent(provider.providerId)}`
+	};
 }
-/**
-* Select the token endpoint authentication method.
-*
-* @param doc - The discovery document
-* @param existing - Existing authentication method from config
-* @returns The selected authentication method
-*/
-function selectTokenEndpointAuthMethod(doc, existing) {
-	if (existing) return existing;
-	const supported = doc.token_endpoint_auth_methods_supported;
-	if (!supported || supported.length === 0) return "client_secret_basic";
-	if (supported.includes("client_secret_basic")) return "client_secret_basic";
-	if (supported.includes("client_secret_post")) return "client_secret_post";
-	return "client_secret_basic";
+const listSSOProviders = () => {
+	return createAuthEndpoint("/sso/providers", {
+		method: "GET",
+		use: [sessionMiddleware],
+		metadata: { openapi: {
+			operationId: "listSSOProviders",
+			summary: "List SSO providers",
+			description: "Returns a list of SSO providers the user has access to",
+			responses: { "200": { description: "List of SSO providers" } }
+		} }
+	}, async (ctx) => {
+		const userId = ctx.context.session.user.id;
+		const allProviders = await ctx.context.adapter.findMany({ model: "ssoProvider" });
+		const userOwnedProviders = allProviders.filter((p) => p.userId === userId && !p.organizationId);
+		const orgProviders = allProviders.filter((p) => p.organizationId !== null && p.organizationId !== void 0);
+		const orgPluginEnabled = ctx.context.hasPlugin("organization");
+		let accessibleProviders = [...userOwnedProviders];
+		if (orgPluginEnabled && orgProviders.length > 0) {
+			const adminOrgIds = await batchCheckOrgAdmin(ctx, userId, [...new Set(orgProviders.map((p) => p.organizationId).filter((id) => id !== null && id !== void 0))]);
+			const orgAccessibleProviders = orgProviders.filter((provider) => provider.organizationId && adminOrgIds.has(provider.organizationId));
+			accessibleProviders = [...accessibleProviders, ...orgAccessibleProviders];
+		} else if (!orgPluginEnabled) {
+			const userOwnedOrgProviders = orgProviders.filter((p) => p.userId === userId);
+			accessibleProviders = [...accessibleProviders, ...userOwnedOrgProviders];
+		}
+		const providers = accessibleProviders.map((p) => sanitizeProvider(p, ctx.context.baseURL));
+		return ctx.json({ providers });
+	});
+};
+const getSSOProviderQuerySchema = z.object({ providerId: z.string() });
+async function checkProviderAccess(ctx, providerId) {
+	const userId = ctx.context.session.user.id;
+	const provider = await ctx.context.adapter.findOne({
+		model: "ssoProvider",
+		where: [{
+			field: "providerId",
+			value: providerId
+		}]
+	});
+	if (!provider) throw new APIError("NOT_FOUND", { message: "Provider not found" });
+	let hasAccess = false;
+	if (provider.organizationId) if (ctx.context.hasPlugin("organization")) hasAccess = await isOrgAdmin(ctx, userId, provider.organizationId);
+	else hasAccess = provider.userId === userId;
+	else hasAccess = provider.userId === userId;
+	if (!hasAccess) throw new APIError("FORBIDDEN", { message: "You don't have access to this provider" });
+	return provider;
 }
-/**
-* Check if a provider configuration needs runtime discovery.
-*
-* Returns true if we need discovery at runtime to complete the token exchange
-* and validation. Specifically checks for:
-* - `tokenEndpoint` - required for exchanging authorization code for tokens
-* - `jwksEndpoint` - required for validating ID token signatures
-* - `authorizationEndpoint` - required for redirecting users to the IdP for login
-*
-* @param config - Partial OIDC config from the provider
-* @returns true if runtime discovery should be performed
-*/
-function needsRuntimeDiscovery(config) {
-	if (!config) return true;
-	return !config.tokenEndpoint || !config.jwksEndpoint || !config.authorizationEndpoint;
+const getSSOProvider = () => {
+	return createAuthEndpoint("/sso/get-provider", {
+		method: "GET",
+		use: [sessionMiddleware],
+		query: getSSOProviderQuerySchema,
+		metadata: { openapi: {
+			operationId: "getSSOProvider",
+			summary: "Get SSO provider details",
+			description: "Returns sanitized details for a specific SSO provider",
+			responses: {
+				"200": { description: "SSO provider details" },
+				"404": { description: "Provider not found" },
+				"403": { description: "Access denied" }
+			}
+		} }
+	}, async (ctx) => {
+		const { providerId } = ctx.query;
+		const provider = await checkProviderAccess(ctx, providerId);
+		return ctx.json(sanitizeProvider(provider, ctx.context.baseURL));
+	});
+};
+function parseAndValidateConfig(configString, configType) {
+	let config = null;
+	try {
+		config = safeJsonParse(configString);
+	} catch {
+		config = null;
+	}
+	if (!config) throw new APIError("BAD_REQUEST", { message: `Cannot update ${configType} config for a provider that doesn't have ${configType} configured` });
+	return config;
 }
-/**
-* Runs runtime OIDC discovery when the stored config is missing required
-* endpoints, and merges the hydrated fields back into the config.
-* Throws if discovery fails.
-*/
-async function ensureRuntimeDiscovery(config, issuer, isTrustedOrigin) {
-	if (!needsRuntimeDiscovery(config)) return config;
-	const hydrated = await discoverOIDCConfig({
+function mergeSAMLConfig(current, updates, issuer) {
+	return {
+		...current,
+		...updates,
 		issuer,
-		existingConfig: config,
-		isTrustedOrigin
-	});
+		entryPoint: updates.entryPoint ?? current.entryPoint,
+		cert: updates.cert ?? current.cert,
+		callbackUrl: updates.callbackUrl ?? current.callbackUrl,
+		spMetadata: updates.spMetadata ?? current.spMetadata,
+		idpMetadata: updates.idpMetadata ?? current.idpMetadata,
+		mapping: updates.mapping ?? current.mapping,
+		audience: updates.audience ?? current.audience,
+		wantAssertionsSigned: updates.wantAssertionsSigned ?? current.wantAssertionsSigned,
+		authnRequestsSigned: updates.authnRequestsSigned ?? current.authnRequestsSigned,
+		identifierFormat: updates.identifierFormat ?? current.identifierFormat,
+		signatureAlgorithm: updates.signatureAlgorithm ?? current.signatureAlgorithm,
+		digestAlgorithm: updates.digestAlgorithm ?? current.digestAlgorithm
+	};
+}
+function mergeOIDCConfig(current, updates, issuer) {
 	return {
-		...config,
-		authorizationEndpoint: hydrated.authorizationEndpoint,
-		tokenEndpoint: hydrated.tokenEndpoint,
-		tokenEndpointAuthentication: hydrated.tokenEndpointAuthentication,
-		userInfoEndpoint: hydrated.userInfoEndpoint,
-		jwksEndpoint: hydrated.jwksEndpoint
+		...current,
+		...updates,
+		issuer,
+		pkce: updates.pkce ?? current.pkce ?? true,
+		clientId: updates.clientId ?? current.clientId,
+		clientSecret: updates.clientSecret ?? current.clientSecret,
+		discoveryEndpoint: updates.discoveryEndpoint ?? current.discoveryEndpoint,
+		mapping: updates.mapping ?? current.mapping,
+		scopes: updates.scopes ?? current.scopes,
+		authorizationEndpoint: updates.authorizationEndpoint ?? current.authorizationEndpoint,
+		tokenEndpoint: updates.tokenEndpoint ?? current.tokenEndpoint,
+		userInfoEndpoint: updates.userInfoEndpoint ?? current.userInfoEndpoint,
+		jwksEndpoint: updates.jwksEndpoint ?? current.jwksEndpoint,
+		tokenEndpointAuthentication: updates.tokenEndpointAuthentication ?? current.tokenEndpointAuthentication
 	};
 }
-//#endregion
-//#region src/oidc/errors.ts
-/**
-* OIDC Discovery Error Mapping
-*
-* Maps DiscoveryError codes to appropriate APIError responses.
-* Used at the boundary between the discovery pipeline and HTTP handlers.
-*/
-/**
-* Maps a DiscoveryError to an appropriate APIError for HTTP responses.
-*
-* Error code mapping:
-* - discovery_invalid_url       → 400 BAD_REQUEST
-* - discovery_not_found         → 400 BAD_REQUEST
-* - discovery_invalid_json      → 400 BAD_REQUEST
-* - discovery_incomplete        → 400 BAD_REQUEST
-* - issuer_mismatch             → 400 BAD_REQUEST
-* - unsupported_token_auth_method → 400 BAD_REQUEST
-* - discovery_timeout           → 502 BAD_GATEWAY
-* - discovery_unexpected_error  → 502 BAD_GATEWAY
-*
-* @param error - The DiscoveryError to map
-* @returns An APIError with appropriate status and message
-*/
-function mapDiscoveryErrorToAPIError(error) {
-	switch (error.code) {
-		case "discovery_timeout": return new APIError("BAD_GATEWAY", {
-			message: `OIDC discovery timed out: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_unexpected_error": return new APIError("BAD_GATEWAY", {
-			message: `OIDC discovery failed: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_not_found": return new APIError("BAD_REQUEST", {
-			message: `OIDC discovery endpoint not found. The issuer may not support OIDC discovery, or the URL is incorrect. ${error.message}`,
-			code: error.code
-		});
-		case "discovery_invalid_url": return new APIError("BAD_REQUEST", {
-			message: `Invalid OIDC discovery URL: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_untrusted_origin": return new APIError("BAD_REQUEST", {
-			message: `Untrusted OIDC discovery URL: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_invalid_json": return new APIError("BAD_REQUEST", {
-			message: `OIDC discovery returned invalid data: ${error.message}`,
-			code: error.code
-		});
-		case "discovery_incomplete": return new APIError("BAD_REQUEST", {
-			message: `OIDC discovery document is missing required fields: ${error.message}`,
-			code: error.code
+const updateSSOProvider = (options) => {
+	return createAuthEndpoint("/sso/update-provider", {
+		method: "POST",
+		use: [sessionMiddleware],
+		body: updateSSOProviderBodySchema.extend({ providerId: z.string() }),
+		metadata: { openapi: {
+			operationId: "updateSSOProvider",
+			summary: "Update SSO provider",
+			description: "Partially update an SSO provider. Only provided fields are updated. If domain changes, domainVerified is reset to false.",
+			responses: {
+				"200": { description: "SSO provider updated successfully" },
+				"404": { description: "Provider not found" },
+				"403": { description: "Access denied" }
+			}
+		} }
+	}, async (ctx) => {
+		const { providerId, ...body } = ctx.body;
+		const { issuer, domain, samlConfig, oidcConfig } = body;
+		if (!issuer && !domain && !samlConfig && !oidcConfig) throw new APIError("BAD_REQUEST", { message: "No fields provided for update" });
+		const existingProvider = await checkProviderAccess(ctx, providerId);
+		const updateData = {};
+		if (body.issuer !== void 0) updateData.issuer = body.issuer;
+		if (body.domain !== void 0) {
+			updateData.domain = body.domain;
+			if (body.domain !== existingProvider.domain) updateData.domainVerified = false;
+		}
+		if (body.samlConfig) {
+			if (body.samlConfig.idpMetadata?.metadata) {
+				const maxMetadataSize = options?.saml?.maxMetadataSize ?? 102400;
+				if (new TextEncoder().encode(body.samlConfig.idpMetadata.metadata).length > maxMetadataSize) throw new APIError("BAD_REQUEST", { message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)` });
+			}
+			if (body.samlConfig.signatureAlgorithm !== void 0 || body.samlConfig.digestAlgorithm !== void 0) validateConfigAlgorithms({
+				signatureAlgorithm: body.samlConfig.signatureAlgorithm,
+				digestAlgorithm: body.samlConfig.digestAlgorithm
+			}, options?.saml?.algorithms);
+			const currentSamlConfig = parseAndValidateConfig(existingProvider.samlConfig, "SAML");
+			const updatedSamlConfig = mergeSAMLConfig(currentSamlConfig, body.samlConfig, updateData.issuer || currentSamlConfig.issuer || existingProvider.issuer);
+			updateData.samlConfig = JSON.stringify(updatedSamlConfig);
+		}
+		if (body.oidcConfig) {
+			try {
+				validateSkipDiscoveryEndpoints(body.oidcConfig, (url) => ctx.context.isTrustedOrigin(url));
+			} catch (error) {
+				if (error instanceof DiscoveryError) throw mapDiscoveryErrorToAPIError(error);
+				throw error;
+			}
+			const currentOidcConfig = parseAndValidateConfig(existingProvider.oidcConfig, "OIDC");
+			const updatedOidcConfig = mergeOIDCConfig(currentOidcConfig, body.oidcConfig, updateData.issuer || currentOidcConfig.issuer || existingProvider.issuer);
+			updateData.oidcConfig = JSON.stringify(updatedOidcConfig);
+		}
+		await ctx.context.adapter.update({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}],
+			update: updateData
 		});
-		case "issuer_mismatch": return new APIError("BAD_REQUEST", {
-			message: `OIDC issuer mismatch: ${error.message}`,
-			code: error.code
+		const fullProvider = await ctx.context.adapter.findOne({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}]
 		});
-		case "unsupported_token_auth_method": return new APIError("BAD_REQUEST", {
-			message: `Incompatible OIDC provider: ${error.message}`,
-			code: error.code
+		if (!fullProvider) throw new APIError("NOT_FOUND", { message: "Provider not found after update" });
+		return ctx.json(sanitizeProvider(fullProvider, ctx.context.baseURL));
+	});
+};
+const deleteSSOProvider = () => {
+	return createAuthEndpoint("/sso/delete-provider", {
+		method: "POST",
+		use: [sessionMiddleware],
+		body: z.object({ providerId: z.string() }),
+		metadata: { openapi: {
+			operationId: "deleteSSOProvider",
+			summary: "Delete SSO provider",
+			description: "Deletes an SSO provider",
+			responses: {
+				"200": { description: "SSO provider deleted successfully" },
+				"404": { description: "Provider not found" },
+				"403": { description: "Access denied" }
+			}
+		} }
+	}, async (ctx) => {
+		const { providerId } = ctx.body;
+		await checkProviderAccess(ctx, providerId);
+		await ctx.context.adapter.delete({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: providerId
+			}]
 		});
-		default:
-			error.code;
-			return new APIError("INTERNAL_SERVER_ERROR", {
-				message: `Unexpected discovery error: ${error.message}`,
-				code: "discovery_unexpected_error"
-			});
-	}
-}
+		return ctx.json({ success: true });
+	});
+};
 //#endregion
 //#region src/saml/error-codes.ts
 const SAML_ERROR_CODES = defineErrorCodes({
@@ -1740,23 +1810,35 @@ async function processSAMLResponse(ctx, params, options) {
 	}
 	const isTrustedProvider = ctx.context.trustedProviders.includes(providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
 	const callbackUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
-	const result = await handleOAuthUserInfo(ctx, {
-		userInfo: {
-			email: userInfo.email,
-			name: userInfo.name || userInfo.email,
-			id: userInfo.id,
-			emailVerified: Boolean(userInfo.emailVerified)
-		},
-		account: {
-			providerId,
-			accountId: userInfo.id,
-			accessToken: "",
-			refreshToken: ""
-		},
-		callbackURL: callbackUrl,
-		disableSignUp: options?.disableImplicitSignUp,
-		isTrustedProvider
-	});
+	const errorUrl = relayState?.errorURL || samlRedirectUrl;
+	let result;
+	try {
+		result = await handleOAuthUserInfo(ctx, {
+			userInfo: {
+				email: userInfo.email,
+				name: userInfo.name || userInfo.email,
+				id: userInfo.id,
+				emailVerified: Boolean(userInfo.emailVerified)
+			},
+			account: {
+				providerId,
+				accountId: userInfo.id,
+				accessToken: "",
+				refreshToken: ""
+			},
+			callbackURL: callbackUrl,
+			disableSignUp: options?.disableImplicitSignUp,
+			isTrustedProvider
+		});
+	} catch (e) {
+		if (isAPIError(e) && e.body?.code) {
+			const params = new URLSearchParams({ error: e.body.code });
+			if (e.body.message) params.set("error_description", e.body.message);
+			const sep = errorUrl.includes("?") ? "&" : "?";
+			throw ctx.redirect(`${errorUrl}${sep}${params.toString()}`);
+		}
+		throw e;
+	}
 	if (result.error) throw ctx.redirect(`${callbackUrl}?error=${result.error.split(" ").join("_")}`);
 	const { session, user } = result.data;
 	if (options?.provisionUser && (result.isRegister || options.provisionUserOnEveryLogin)) await options.provisionUser({
@@ -1865,12 +1947,12 @@ const ssoProviderBodySchema = z.object({
 	oidcConfig: z.object({
 		clientId: z.string({}).meta({ description: "The client ID" }),
 		clientSecret: z.string({}).meta({ description: "The client secret" }),
-		authorizationEndpoint: z.string({}).meta({ description: "The authorization endpoint" }).optional(),
-		tokenEndpoint: z.string({}).meta({ description: "The token endpoint" }).optional(),
-		userInfoEndpoint: z.string({}).meta({ description: "The user info endpoint" }).optional(),
+		authorizationEndpoint: z.url().meta({ description: "The authorization endpoint" }).optional(),
+		tokenEndpoint: z.url().meta({ description: "The token endpoint" }).optional(),
+		userInfoEndpoint: z.url().meta({ description: "The user info endpoint" }).optional(),
 		tokenEndpointAuthentication: z.enum(["client_secret_post", "client_secret_basic"]).optional(),
-		jwksEndpoint: z.string({}).meta({ description: "The JWKS endpoint" }).optional(),
-		discoveryEndpoint: z.string().optional(),
+		jwksEndpoint: z.url().meta({ description: "The JWKS endpoint" }).optional(),
+		discoveryEndpoint: z.url().optional(),
 		skipDiscovery: z.boolean().meta({ description: "Skip OIDC discovery during registration. When true, you must provide authorizationEndpoint, tokenEndpoint, and jwksEndpoint manually." }).optional(),
 		scopes: z.array(z.string(), {}).meta({ description: "The scopes to request. Defaults to ['openid', 'email', 'profile', 'offline_access']" }).optional(),
 		pkce: z.boolean({}).meta({ description: "Whether to use PKCE for the authorization flow" }).default(true).optional(),
@@ -2123,7 +2205,7 @@ const registerSSOProvider = (options) => {
 			if (new TextEncoder().encode(body.samlConfig.idpMetadata.metadata).length > maxMetadataSize) throw new APIError("BAD_REQUEST", { message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)` });
 		}
 		if (ctx.body.organizationId) {
-			if (!await ctx.context.adapter.findOne({
+			const member = await ctx.context.adapter.findOne({
 				model: "member",
 				where: [{
 					field: "userId",
@@ -2132,7 +2214,9 @@ const registerSSOProvider = (options) => {
 					field: "organizationId",
 					value: ctx.body.organizationId
 				}]
-			})) throw new APIError("BAD_REQUEST", { message: "You are not a member of the organization" });
+			});
+			if (!member) throw new APIError("BAD_REQUEST", { message: "You are not a member of the organization" });
+			if (ctx.context.hasPlugin("organization") && !hasOrgAdminRole(member)) throw new APIError("FORBIDDEN", { message: "You must be an organization owner or admin to register SSO providers" });
 		}
 		if (await ctx.context.adapter.findOne({
 			model: "ssoProvider",
@@ -2144,6 +2228,12 @@ const registerSSOProvider = (options) => {
 			ctx.context.logger.info(`SSO provider creation attempt with existing providerId: ${body.providerId}`);
 			throw new APIError("UNPROCESSABLE_ENTITY", { message: "SSO provider with this providerId already exists" });
 		}
+		if (body.oidcConfig) try {
+			validateSkipDiscoveryEndpoints(body.oidcConfig, (url) => ctx.context.isTrustedOrigin(url));
+		} catch (error) {
+			if (error instanceof DiscoveryError) throw mapDiscoveryErrorToAPIError(error);
+			throw error;
+		}
 		let hydratedOIDCConfig = null;
 		if (body.oidcConfig && !body.oidcConfig.skipDiscovery) try {
 			hydratedOIDCConfig = await discoverOIDCConfig({
@@ -2621,30 +2711,47 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 	} else throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=user_info_endpoint_not_found`);
 	if (!userInfo.email || !userInfo.id) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=missing_user_info`);
 	const isTrustedProvider = "domainVerified" in provider && provider.domainVerified === true && validateEmailDomain(userInfo.email, provider.domain);
-	const linked = await handleOAuthUserInfo(ctx, {
-		userInfo: {
-			email: userInfo.email,
-			name: userInfo.name || "",
-			id: userInfo.id,
-			image: userInfo.image,
-			emailVerified: options?.trustEmailVerified ? userInfo.emailVerified || false : false
-		},
-		account: {
-			idToken: tokenResponse.idToken,
-			accessToken: tokenResponse.accessToken,
-			refreshToken: tokenResponse.refreshToken,
-			accountId: userInfo.id,
-			providerId: provider.providerId,
-			accessTokenExpiresAt: tokenResponse.accessTokenExpiresAt,
-			refreshTokenExpiresAt: tokenResponse.refreshTokenExpiresAt,
-			scope: tokenResponse.scopes?.join(",")
-		},
-		callbackURL,
-		disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
-		overrideUserInfo: config.overrideUserInfo,
-		isTrustedProvider
-	});
-	if (linked.error) throw ctx.redirect(`${errorURL || callbackURL}?error=${linked.error}`);
+	let linked;
+	try {
+		linked = await handleOAuthUserInfo(ctx, {
+			userInfo: {
+				email: userInfo.email,
+				name: userInfo.name || "",
+				id: userInfo.id,
+				image: userInfo.image,
+				emailVerified: options?.trustEmailVerified ? userInfo.emailVerified || false : false
+			},
+			account: {
+				idToken: tokenResponse.idToken,
+				accessToken: tokenResponse.accessToken,
+				refreshToken: tokenResponse.refreshToken,
+				accountId: userInfo.id,
+				providerId: provider.providerId,
+				accessTokenExpiresAt: tokenResponse.accessTokenExpiresAt,
+				refreshTokenExpiresAt: tokenResponse.refreshTokenExpiresAt,
+				scope: tokenResponse.scopes?.join(",")
+			},
+			callbackURL,
+			disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
+			overrideUserInfo: config.overrideUserInfo,
+			isTrustedProvider
+		});
+	} catch (e) {
+		if (isAPIError(e) && e.body?.code) {
+			const baseURL = errorURL || callbackURL;
+			const params = new URLSearchParams({ error: e.body.code });
+			if (e.body.message) params.set("error_description", e.body.message);
+			const sep = baseURL.includes("?") ? "&" : "?";
+			throw ctx.redirect(`${baseURL}${sep}${params.toString()}`);
+		}
+		throw e;
+	}
+	if (linked.error) {
+		const baseURL = errorURL || callbackURL;
+		const params = new URLSearchParams({ error: linked.error });
+		const sep = baseURL.includes("?") ? "&" : "?";
+		throw ctx.redirect(`${baseURL}${sep}${params.toString()}`);
+	}
 	const { session, user } = linked.data;
 	if (options?.provisionUser && (linked.isRegister || options.provisionUserOnEveryLogin)) await options.provisionUser({
 		user,