@better-auth/sso 1.6.2 → 1.7.0-beta.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/client.d.mts
CHANGED
package/dist/client.mjs
CHANGED
|
@@ -64,14 +64,19 @@ interface OIDCConfig {
|
|
|
64
64
|
issuer: string;
|
|
65
65
|
pkce: boolean;
|
|
66
66
|
clientId: string;
|
|
67
|
-
|
|
67
|
+
/** Required for client_secret_basic/client_secret_post. Optional for private_key_jwt. */
|
|
68
|
+
clientSecret?: string;
|
|
68
69
|
authorizationEndpoint?: string | undefined;
|
|
69
70
|
discoveryEndpoint: string;
|
|
70
71
|
userInfoEndpoint?: string | undefined;
|
|
71
72
|
scopes?: string[] | undefined;
|
|
72
73
|
overrideUserInfo?: boolean | undefined;
|
|
73
74
|
tokenEndpoint?: string | undefined;
|
|
74
|
-
tokenEndpointAuthentication?: ("client_secret_post" | "client_secret_basic") | undefined;
|
|
75
|
+
tokenEndpointAuthentication?: ("client_secret_post" | "client_secret_basic" | "private_key_jwt") | undefined;
|
|
76
|
+
/** Key ID for private_key_jwt key resolution */
|
|
77
|
+
privateKeyId?: string | undefined;
|
|
78
|
+
/** Signing algorithm for private_key_jwt. @default "RS256" */
|
|
79
|
+
privateKeyAlgorithm?: string | undefined;
|
|
75
80
|
jwksEndpoint?: string | undefined;
|
|
76
81
|
mapping?: OIDCMapping | undefined;
|
|
77
82
|
}
|
|
@@ -214,6 +219,14 @@ interface SSOOptions {
|
|
|
214
219
|
* OIDC configuration
|
|
215
220
|
*/
|
|
216
221
|
oidcConfig?: OIDCConfig;
|
|
222
|
+
/**
|
|
223
|
+
* Private key for `private_key_jwt` authentication.
|
|
224
|
+
* Only used with defaultSSO — not stored in DB.
|
|
225
|
+
*/
|
|
226
|
+
privateKey?: {
|
|
227
|
+
privateKeyJwk?: JsonWebKey;
|
|
228
|
+
privateKeyPem?: string;
|
|
229
|
+
};
|
|
217
230
|
}> | undefined;
|
|
218
231
|
/**
|
|
219
232
|
* Override user info with the provider info.
|
|
@@ -306,6 +319,21 @@ interface SSOOptions {
|
|
|
306
319
|
* per-provider callback URLs. Can be a path or a full URL.
|
|
307
320
|
*/
|
|
308
321
|
redirectURI?: string;
|
|
322
|
+
/**
|
|
323
|
+
* Callback to resolve private key material for private_key_jwt authentication.
|
|
324
|
+
* Called during token exchange when a provider uses tokenEndpointAuthentication: "private_key_jwt".
|
|
325
|
+
* Keeps private keys out of the database — supports HSM/KMS/Vault integration.
|
|
326
|
+
*/
|
|
327
|
+
resolvePrivateKey?: (params: {
|
|
328
|
+
providerId: string;
|
|
329
|
+
keyId?: string;
|
|
330
|
+
issuer: string;
|
|
331
|
+
}) => Promise<{
|
|
332
|
+
privateKeyJwk?: JsonWebKey;
|
|
333
|
+
privateKeyPem?: string;
|
|
334
|
+
kid?: string;
|
|
335
|
+
algorithm?: string;
|
|
336
|
+
}>;
|
|
309
337
|
/**
|
|
310
338
|
* SAML security options for AuthnRequest/InResponseTo validation.
|
|
311
339
|
* This prevents unsolicited responses, replay attacks, and cross-provider injection.
|
|
@@ -329,9 +357,13 @@ interface SSOOptions {
|
|
|
329
357
|
* When true, responses without InResponseTo are accepted.
|
|
330
358
|
* When false, all responses must correlate to a stored AuthnRequest.
|
|
331
359
|
*
|
|
360
|
+
* IdP-initiated SSO is a known attack vector — the SAML2Int
|
|
361
|
+
* interoperability profile recommends against it. Only enable
|
|
362
|
+
* this if your IdP requires it and you understand the risks.
|
|
363
|
+
*
|
|
332
364
|
* Only applies when InResponseTo validation is enabled.
|
|
333
365
|
*
|
|
334
|
-
* @default
|
|
366
|
+
* @default false
|
|
335
367
|
*/
|
|
336
368
|
allowIdpInitiated?: boolean;
|
|
337
369
|
/**
|
|
@@ -578,7 +610,7 @@ declare const listSSOProviders: () => better_call0.StrictEndpoint<"/sso/provider
|
|
|
578
610
|
userInfoEndpoint: string | undefined;
|
|
579
611
|
jwksEndpoint: string | undefined;
|
|
580
612
|
scopes: string[] | undefined;
|
|
581
|
-
tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | undefined;
|
|
613
|
+
tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | "private_key_jwt" | undefined;
|
|
582
614
|
} | undefined;
|
|
583
615
|
samlConfig: {
|
|
584
616
|
entryPoint: string;
|
|
@@ -663,7 +695,7 @@ declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/get-provid
|
|
|
663
695
|
userInfoEndpoint: string | undefined;
|
|
664
696
|
jwksEndpoint: string | undefined;
|
|
665
697
|
scopes: string[] | undefined;
|
|
666
|
-
tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | undefined;
|
|
698
|
+
tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | "private_key_jwt" | undefined;
|
|
667
699
|
} | undefined;
|
|
668
700
|
samlConfig: {
|
|
669
701
|
entryPoint: string;
|
|
@@ -722,7 +754,10 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
|
|
|
722
754
|
tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
|
|
723
755
|
client_secret_post: "client_secret_post";
|
|
724
756
|
client_secret_basic: "client_secret_basic";
|
|
757
|
+
private_key_jwt: "private_key_jwt";
|
|
725
758
|
}>>;
|
|
759
|
+
privateKeyId: z.ZodOptional<z.ZodString>;
|
|
760
|
+
privateKeyAlgorithm: z.ZodOptional<z.ZodString>;
|
|
726
761
|
jwksEndpoint: z.ZodOptional<z.ZodString>;
|
|
727
762
|
discoveryEndpoint: z.ZodOptional<z.ZodString>;
|
|
728
763
|
scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
|
|
@@ -820,7 +855,7 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
|
|
|
820
855
|
userInfoEndpoint: string | undefined;
|
|
821
856
|
jwksEndpoint: string | undefined;
|
|
822
857
|
scopes: string[] | undefined;
|
|
823
|
-
tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | undefined;
|
|
858
|
+
tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | "private_key_jwt" | undefined;
|
|
824
859
|
} | undefined;
|
|
825
860
|
samlConfig: {
|
|
826
861
|
entryPoint: string;
|
|
@@ -893,24 +928,6 @@ declare const deleteSSOProvider: () => better_call0.StrictEndpoint<"/sso/delete-
|
|
|
893
928
|
}>;
|
|
894
929
|
//#endregion
|
|
895
930
|
//#region src/routes/sso.d.ts
|
|
896
|
-
interface TimestampValidationOptions {
|
|
897
|
-
clockSkew?: number;
|
|
898
|
-
requireTimestamps?: boolean;
|
|
899
|
-
logger?: {
|
|
900
|
-
warn: (message: string, data?: Record<string, unknown>) => void;
|
|
901
|
-
};
|
|
902
|
-
}
|
|
903
|
-
/** Conditions extracted from SAML assertion */
|
|
904
|
-
interface SAMLConditions {
|
|
905
|
-
notBefore?: string;
|
|
906
|
-
notOnOrAfter?: string;
|
|
907
|
-
}
|
|
908
|
-
/**
|
|
909
|
-
* Validates SAML assertion timestamp conditions (NotBefore/NotOnOrAfter).
|
|
910
|
-
* Prevents acceptance of expired or future-dated assertions.
|
|
911
|
-
* @throws {APIError} If timestamps are invalid, expired, or not yet valid
|
|
912
|
-
*/
|
|
913
|
-
declare function validateSAMLTimestamp(conditions: SAMLConditions | undefined, options?: TimestampValidationOptions): void;
|
|
914
931
|
declare const spMetadata: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
|
|
915
932
|
method: "GET";
|
|
916
933
|
query: z.ZodObject<{
|
|
@@ -941,14 +958,17 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
|
|
|
941
958
|
domain: z.ZodString;
|
|
942
959
|
oidcConfig: z.ZodOptional<z.ZodObject<{
|
|
943
960
|
clientId: z.ZodString;
|
|
944
|
-
clientSecret: z.ZodString
|
|
961
|
+
clientSecret: z.ZodOptional<z.ZodString>;
|
|
945
962
|
authorizationEndpoint: z.ZodOptional<z.ZodString>;
|
|
946
963
|
tokenEndpoint: z.ZodOptional<z.ZodString>;
|
|
947
964
|
userInfoEndpoint: z.ZodOptional<z.ZodString>;
|
|
948
965
|
tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
|
|
949
966
|
client_secret_post: "client_secret_post";
|
|
950
967
|
client_secret_basic: "client_secret_basic";
|
|
968
|
+
private_key_jwt: "private_key_jwt";
|
|
951
969
|
}>>;
|
|
970
|
+
privateKeyId: z.ZodOptional<z.ZodString>;
|
|
971
|
+
privateKeyAlgorithm: z.ZodOptional<z.ZodString>;
|
|
952
972
|
jwksEndpoint: z.ZodOptional<z.ZodString>;
|
|
953
973
|
discoveryEndpoint: z.ZodOptional<z.ZodString>;
|
|
954
974
|
skipDiscovery: z.ZodOptional<z.ZodBoolean>;
|
|
@@ -1483,6 +1503,26 @@ declare const DEFAULT_MAX_SAML_RESPONSE_SIZE: number;
|
|
|
1483
1503
|
*/
|
|
1484
1504
|
declare const DEFAULT_MAX_SAML_METADATA_SIZE: number;
|
|
1485
1505
|
//#endregion
|
|
1506
|
+
//#region src/saml/timestamp.d.ts
|
|
1507
|
+
interface TimestampValidationOptions {
|
|
1508
|
+
clockSkew?: number;
|
|
1509
|
+
requireTimestamps?: boolean;
|
|
1510
|
+
logger?: {
|
|
1511
|
+
warn: (message: string, data?: Record<string, unknown>) => void;
|
|
1512
|
+
};
|
|
1513
|
+
}
|
|
1514
|
+
/** Conditions extracted from SAML assertion */
|
|
1515
|
+
interface SAMLConditions {
|
|
1516
|
+
notBefore?: string;
|
|
1517
|
+
notOnOrAfter?: string;
|
|
1518
|
+
}
|
|
1519
|
+
/**
|
|
1520
|
+
* Validates SAML assertion timestamp conditions (NotBefore/NotOnOrAfter).
|
|
1521
|
+
* Prevents acceptance of expired or future-dated assertions.
|
|
1522
|
+
* @throws {APIError} If timestamps are invalid, expired, or not yet valid
|
|
1523
|
+
*/
|
|
1524
|
+
declare function validateSAMLTimestamp(conditions: SAMLConditions | undefined, options?: TimestampValidationOptions): void;
|
|
1525
|
+
//#endregion
|
|
1486
1526
|
//#region src/oidc/types.d.ts
|
|
1487
1527
|
/**
|
|
1488
1528
|
* OIDC Discovery Types
|
|
@@ -1591,7 +1631,7 @@ interface HydratedOIDCConfig {
|
|
|
1591
1631
|
/** URL of the userinfo endpoint (optional) */
|
|
1592
1632
|
userInfoEndpoint?: string;
|
|
1593
1633
|
/** Token endpoint authentication method */
|
|
1594
|
-
tokenEndpointAuthentication?: "client_secret_basic" | "client_secret_post";
|
|
1634
|
+
tokenEndpointAuthentication?: "client_secret_basic" | "client_secret_post" | "private_key_jwt";
|
|
1595
1635
|
/** Scopes supported by the IdP */
|
|
1596
1636
|
scopesSupported?: string[];
|
|
1597
1637
|
}
|
|
@@ -1715,7 +1755,7 @@ declare function normalizeUrl(name: string, endpoint: string, issuer: string): s
|
|
|
1715
1755
|
* @param existing - Existing authentication method from config
|
|
1716
1756
|
* @returns The selected authentication method
|
|
1717
1757
|
*/
|
|
1718
|
-
declare function selectTokenEndpointAuthMethod(doc: OIDCDiscoveryDocument, existing?: "client_secret_basic" | "client_secret_post"): "client_secret_basic" | "client_secret_post";
|
|
1758
|
+
declare function selectTokenEndpointAuthMethod(doc: OIDCDiscoveryDocument, existing?: "client_secret_basic" | "client_secret_post" | "private_key_jwt"): "client_secret_basic" | "client_secret_post" | "private_key_jwt";
|
|
1719
1759
|
/**
|
|
1720
1760
|
* Check if a provider configuration needs runtime discovery.
|
|
1721
1761
|
*
|
|
@@ -1784,4 +1824,4 @@ declare function sso<O extends SSOOptions>(options?: O | undefined): {
|
|
|
1784
1824
|
options: NoInfer<O>;
|
|
1785
1825
|
};
|
|
1786
1826
|
//#endregion
|
|
1787
|
-
export { DataEncryptionAlgorithm as A,
|
|
1827
|
+
export { DataEncryptionAlgorithm as A, DEFAULT_MAX_SAML_METADATA_SIZE as C, SSOOptions as D, SAMLConfig as E, DigestAlgorithm as M, KeyEncryptionAlgorithm as N, SSOProvider as O, SignatureAlgorithm as P, DEFAULT_CLOCK_SKEW_MS as S, OIDCConfig as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, TimestampValidationOptions as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, DeprecatedAlgorithmBehavior as j, AlgorithmValidationOptions as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, DEFAULT_MAX_SAML_RESPONSE_SIZE as w, validateSAMLTimestamp as x, SAMLConditions as y };
|
package/dist/index.d.mts
CHANGED
|
@@ -1,2 +1,2 @@
|
|
|
1
|
-
import { A as DataEncryptionAlgorithm, C as
|
|
1
|
+
import { A as DataEncryptionAlgorithm, C as DEFAULT_MAX_SAML_METADATA_SIZE, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as DEFAULT_CLOCK_SKEW_MS, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as DEFAULT_MAX_SAML_RESPONSE_SIZE, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-DVg_iWRX.mjs";
|
|
2
2
|
export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };
|