@better-auth/sso 1.6.3 → 1.7.0-beta.1

package/dist/client.d.mts

@@ -1,4 +1,4 @@
-import { t as SSOPlugin } from "./index-DyoL-0jp.mjs";
+import { t as SSOPlugin } from "./index-CagV4mMx.mjs";
 
 //#region src/client.d.ts
 interface SSOClientOptions {

package/dist/client.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-1sp6DKT-.mjs";
+import { t as PACKAGE_VERSION } from "./version-C22JHwcK.mjs";
 //#region src/client.ts
 const ssoClient = (options) => {
 	return {

package/dist/{index-DyoL-0jp.d.mts → index-CagV4mMx.d.mts}

@@ -64,28 +64,46 @@ interface OIDCConfig {
   issuer: string;
   pkce: boolean;
   clientId: string;
-  clientSecret: string;
+  /** Required for client_secret_basic/client_secret_post. Optional for private_key_jwt. */
+  clientSecret?: string;
   authorizationEndpoint?: string | undefined;
   discoveryEndpoint: string;
   userInfoEndpoint?: string | undefined;
   scopes?: string[] | undefined;
   overrideUserInfo?: boolean | undefined;
   tokenEndpoint?: string | undefined;
-  tokenEndpointAuthentication?: ("client_secret_post" | "client_secret_basic") | undefined;
+  tokenEndpointAuthentication?: ("client_secret_post" | "client_secret_basic" | "private_key_jwt") | undefined;
+  /** Key ID for private_key_jwt key resolution */
+  privateKeyId?: string | undefined;
+  /** Signing algorithm for private_key_jwt. @default "RS256" */
+  privateKeyAlgorithm?: string | undefined;
   jwksEndpoint?: string | undefined;
   mapping?: OIDCMapping | undefined;
 }
 interface SAMLConfig {
+  /**
+   * SP Entity ID. Used as the `entityID` in SP metadata when
+   * `spMetadata.entityID` is not set. Also used as the expected
+   * audience for SAML assertion validation when `audience` is not set.
+   */
   issuer: string;
+  /**
+   * IdP SSO URL. Used as the redirect destination when
+   * `idpMetadata.metadata` is not provided. Ignored when
+   * IdP metadata XML is set (the SSO URL is extracted from the XML).
+   */
   entryPoint: string;
+  /**
+   * IdP signing certificate. Used to verify SAML response signatures
+   * when `idpMetadata.metadata` is not provided. Ignored when IdP
+   * metadata XML is set (the certificate is extracted from the XML).
+   * When both this and `idpMetadata.cert` are set, `idpMetadata.cert` takes precedence.
+   */
   cert: string;
-  callbackUrl: string;
   audience?: string | undefined;
   idpMetadata?: {
     metadata?: string;
     entityID?: string;
-    entityURL?: string;
-    redirectURL?: string;
     cert?: string;
     privateKey?: string;
     privateKeyPass?: string;
@@ -101,7 +119,12 @@ interface SAMLConfig {
       Location: string;
     }>;
   } | undefined;
-  spMetadata: {
+  /**
+   * SP metadata configuration. All fields are optional; when omitted,
+   * SP metadata is auto-generated from `issuer`, `wantAssertionsSigned`,
+   * `authnRequestsSigned`, and `identifierFormat`.
+   */
+  spMetadata?: {
     metadata?: string | undefined;
     entityID?: string | undefined;
     binding?: string | undefined;
@@ -111,14 +134,17 @@ interface SAMLConfig {
     encPrivateKey?: string | undefined;
     encPrivateKeyPass?: string | undefined;
   };
+  /**
+   * Request signed assertions from the IdP. When true, the SP metadata
+   * advertises `WantAssertionsSigned="true"` and samlify will reject
+   * unsigned assertions.
+   */
   wantAssertionsSigned?: boolean | undefined;
   authnRequestsSigned?: boolean | undefined;
   signatureAlgorithm?: string | undefined;
   digestAlgorithm?: string | undefined;
   identifierFormat?: string | undefined;
   privateKey?: string | undefined;
-  decryptionPvk?: string | undefined;
-  additionalParams?: Record<string, any> | undefined;
   mapping?: SAMLMapping | undefined;
 }
 type BaseSSOProvider = {
@@ -214,6 +240,14 @@ interface SSOOptions {
      * OIDC configuration
      */
     oidcConfig?: OIDCConfig;
+    /**
+     * Private key for `private_key_jwt` authentication.
+     * Only used with defaultSSO — not stored in DB.
+     */
+    privateKey?: {
+      privateKeyJwk?: JsonWebKey;
+      privateKeyPem?: string;
+    };
   }> | undefined;
   /**
    * Override user info with the provider info.
@@ -306,6 +340,21 @@ interface SSOOptions {
    * per-provider callback URLs. Can be a path or a full URL.
    */
   redirectURI?: string;
+  /**
+   * Callback to resolve private key material for private_key_jwt authentication.
+   * Called during token exchange when a provider uses tokenEndpointAuthentication: "private_key_jwt".
+   * Keeps private keys out of the database — supports HSM/KMS/Vault integration.
+   */
+  resolvePrivateKey?: (params: {
+    providerId: string;
+    keyId?: string;
+    issuer: string;
+  }) => Promise<{
+    privateKeyJwk?: JsonWebKey;
+    privateKeyPem?: string;
+    kid?: string;
+    algorithm?: string;
+  }>;
   /**
    * SAML security options for AuthnRequest/InResponseTo validation.
    * This prevents unsolicited responses, replay attacks, and cross-provider injection.
@@ -329,9 +378,13 @@ interface SSOOptions {
      * When true, responses without InResponseTo are accepted.
      * When false, all responses must correlate to a stored AuthnRequest.
      *
+     * IdP-initiated SSO is a known attack vector — the SAML2Int
+     * interoperability profile recommends against it. Only enable
+     * this if your IdP requires it and you understand the risks.
+     *
      * Only applies when InResponseTo validation is enabled.
      *
-     * @default true
+     * @default false
      */
     allowIdpInitiated?: boolean;
     /**
@@ -578,11 +631,10 @@ declare const listSSOProviders: () => better_call0.StrictEndpoint<"/sso/provider
       userInfoEndpoint: string | undefined;
       jwksEndpoint: string | undefined;
       scopes: string[] | undefined;
-      tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | undefined;
+      tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | "private_key_jwt" | undefined;
     } | undefined;
     samlConfig: {
       entryPoint: string;
-      callbackUrl: string;
       audience: string | undefined;
       wantAssertionsSigned: boolean | undefined;
       authnRequestsSigned: boolean | undefined;
@@ -663,11 +715,10 @@ declare const getSSOProvider: () => better_call0.StrictEndpoint<"/sso/get-provid
     userInfoEndpoint: string | undefined;
     jwksEndpoint: string | undefined;
     scopes: string[] | undefined;
-    tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | undefined;
+    tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | "private_key_jwt" | undefined;
   } | undefined;
   samlConfig: {
     entryPoint: string;
-    callbackUrl: string;
     audience: string | undefined;
     wantAssertionsSigned: boolean | undefined;
     authnRequestsSigned: boolean | undefined;
@@ -722,7 +773,10 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
       tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
         client_secret_post: "client_secret_post";
         client_secret_basic: "client_secret_basic";
+        private_key_jwt: "private_key_jwt";
       }>>;
+      privateKeyId: z.ZodOptional<z.ZodString>;
+      privateKeyAlgorithm: z.ZodOptional<z.ZodString>;
       jwksEndpoint: z.ZodOptional<z.ZodString>;
       discoveryEndpoint: z.ZodOptional<z.ZodString>;
       scopes: z.ZodOptional<z.ZodArray<z.ZodString>>;
@@ -740,7 +794,6 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
     samlConfig: z.ZodOptional<z.ZodObject<{
       entryPoint: z.ZodOptional<z.ZodString>;
       cert: z.ZodOptional<z.ZodString>;
-      callbackUrl: z.ZodOptional<z.ZodString>;
       audience: z.ZodOptional<z.ZodString>;
       idpMetadata: z.ZodOptional<z.ZodObject<{
         metadata: z.ZodOptional<z.ZodString>;
@@ -772,8 +825,6 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
       digestAlgorithm: z.ZodOptional<z.ZodString>;
       identifierFormat: z.ZodOptional<z.ZodString>;
       privateKey: z.ZodOptional<z.ZodString>;
-      decryptionPvk: z.ZodOptional<z.ZodString>;
-      additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
       mapping: z.ZodOptional<z.ZodObject<{
         id: z.ZodOptional<z.ZodString>;
         email: z.ZodOptional<z.ZodString>;
@@ -820,11 +871,10 @@ declare const updateSSOProvider: (options: SSOOptions) => better_call0.StrictEnd
     userInfoEndpoint: string | undefined;
     jwksEndpoint: string | undefined;
     scopes: string[] | undefined;
-    tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | undefined;
+    tokenEndpointAuthentication: "client_secret_post" | "client_secret_basic" | "private_key_jwt" | undefined;
   } | undefined;
   samlConfig: {
     entryPoint: string;
-    callbackUrl: string;
     audience: string | undefined;
     wantAssertionsSigned: boolean | undefined;
     authnRequestsSigned: boolean | undefined;
@@ -892,35 +942,11 @@ declare const deleteSSOProvider: () => better_call0.StrictEndpoint<"/sso/delete-
   success: boolean;
 }>;
 //#endregion
-//#region src/saml/timestamp.d.ts
-interface TimestampValidationOptions {
-  clockSkew?: number;
-  requireTimestamps?: boolean;
-  logger?: {
-    warn: (message: string, data?: Record<string, unknown>) => void;
-  };
-}
-/** Conditions extracted from SAML assertion */
-interface SAMLConditions {
-  notBefore?: string;
-  notOnOrAfter?: string;
-}
-/**
- * Validates SAML assertion timestamp conditions (NotBefore/NotOnOrAfter).
- * Prevents acceptance of expired or future-dated assertions.
- * @throws {APIError} If timestamps are invalid, expired, or not yet valid
- */
-declare function validateSAMLTimestamp(conditions: SAMLConditions | undefined, options?: TimestampValidationOptions): void;
-//#endregion
 //#region src/routes/sso.d.ts
 declare const spMetadata: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/metadata", {
   method: "GET";
   query: z.ZodObject<{
     providerId: z.ZodString;
-    format: z.ZodDefault<z.ZodEnum<{
-      json: "json";
-      xml: "xml";
-    }>>;
   }, z.core.$strip>;
   metadata: {
     openapi: {
@@ -943,14 +969,17 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
     domain: z.ZodString;
     oidcConfig: z.ZodOptional<z.ZodObject<{
       clientId: z.ZodString;
-      clientSecret: z.ZodString;
+      clientSecret: z.ZodOptional<z.ZodString>;
       authorizationEndpoint: z.ZodOptional<z.ZodString>;
       tokenEndpoint: z.ZodOptional<z.ZodString>;
       userInfoEndpoint: z.ZodOptional<z.ZodString>;
       tokenEndpointAuthentication: z.ZodOptional<z.ZodEnum<{
         client_secret_post: "client_secret_post";
         client_secret_basic: "client_secret_basic";
+        private_key_jwt: "private_key_jwt";
       }>>;
+      privateKeyId: z.ZodOptional<z.ZodString>;
+      privateKeyAlgorithm: z.ZodOptional<z.ZodString>;
       jwksEndpoint: z.ZodOptional<z.ZodString>;
       discoveryEndpoint: z.ZodOptional<z.ZodString>;
       skipDiscovery: z.ZodOptional<z.ZodBoolean>;
@@ -968,7 +997,6 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
     samlConfig: z.ZodOptional<z.ZodObject<{
       entryPoint: z.ZodString;
       cert: z.ZodString;
-      callbackUrl: z.ZodString;
       audience: z.ZodOptional<z.ZodString>;
       idpMetadata: z.ZodOptional<z.ZodObject<{
         metadata: z.ZodOptional<z.ZodString>;
@@ -984,7 +1012,7 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
           Location: z.ZodString;
         }, z.core.$strip>>>;
       }, z.core.$strip>>;
-      spMetadata: z.ZodObject<{
+      spMetadata: z.ZodOptional<z.ZodObject<{
         metadata: z.ZodOptional<z.ZodString>;
         entityID: z.ZodOptional<z.ZodString>;
         binding: z.ZodOptional<z.ZodString>;
@@ -993,15 +1021,13 @@ declare const registerSSOProvider: <O extends SSOOptions>(options: O) => better_
         isAssertionEncrypted: z.ZodOptional<z.ZodBoolean>;
         encPrivateKey: z.ZodOptional<z.ZodString>;
         encPrivateKeyPass: z.ZodOptional<z.ZodString>;
-      }, z.core.$strip>;
+      }, z.core.$strip>>;
       wantAssertionsSigned: z.ZodOptional<z.ZodBoolean>;
       authnRequestsSigned: z.ZodOptional<z.ZodBoolean>;
       signatureAlgorithm: z.ZodOptional<z.ZodString>;
       digestAlgorithm: z.ZodOptional<z.ZodString>;
       identifierFormat: z.ZodOptional<z.ZodString>;
       privateKey: z.ZodOptional<z.ZodString>;
-      decryptionPvk: z.ZodOptional<z.ZodString>;
-      additionalParams: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
       mapping: z.ZodOptional<z.ZodObject<{
         id: z.ZodString;
         email: z.ZodString;
@@ -1358,7 +1384,7 @@ declare const callbackSSOShared: (options?: SSOOptions) => better_call0.StrictEn
   }, z.core.$strip>;
   allowedMediaTypes: readonly ["application/x-www-form-urlencoded", "application/json"];
 }, void>;
-declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/callback/:providerId", {
+declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
   method: ("POST" | "GET")[];
   body: z.ZodOptional<z.ZodObject<{
     SAMLResponse: z.ZodString;
@@ -1380,28 +1406,7 @@ declare const callbackSSOSAML: (options?: SSOOptions) => better_call0.StrictEndp
         "400": {
           description: string;
         };
-        "401": {
-          description: string;
-        };
-      };
-    };
-    scope: "server";
-  };
-}, never>;
-declare const acsEndpoint: (options?: SSOOptions) => better_call0.StrictEndpoint<"/sso/saml2/sp/acs/:providerId", {
-  method: "POST";
-  body: z.ZodObject<{
-    SAMLResponse: z.ZodString;
-    RelayState: z.ZodOptional<z.ZodString>;
-  }, z.core.$strip>;
-  metadata: {
-    allowedMediaTypes: string[];
-    openapi: {
-      operationId: string;
-      summary: string;
-      description: string;
-      responses: {
-        "302": {
+        "404": {
           description: string;
         };
       };
@@ -1485,6 +1490,26 @@ declare const DEFAULT_MAX_SAML_RESPONSE_SIZE: number;
  */
 declare const DEFAULT_MAX_SAML_METADATA_SIZE: number;
 //#endregion
+//#region src/saml/timestamp.d.ts
+interface TimestampValidationOptions {
+  clockSkew?: number;
+  requireTimestamps?: boolean;
+  logger?: {
+    warn: (message: string, data?: Record<string, unknown>) => void;
+  };
+}
+/** Conditions extracted from SAML assertion */
+interface SAMLConditions {
+  notBefore?: string;
+  notOnOrAfter?: string;
+}
+/**
+ * Validates SAML assertion timestamp conditions (NotBefore/NotOnOrAfter).
+ * Prevents acceptance of expired or future-dated assertions.
+ * @throws {APIError} If timestamps are invalid, expired, or not yet valid
+ */
+declare function validateSAMLTimestamp(conditions: SAMLConditions | undefined, options?: TimestampValidationOptions): void;
+//#endregion
 //#region src/oidc/types.d.ts
 /**
  * OIDC Discovery Types
@@ -1593,7 +1618,7 @@ interface HydratedOIDCConfig {
   /** URL of the userinfo endpoint (optional) */
   userInfoEndpoint?: string;
   /** Token endpoint authentication method */
-  tokenEndpointAuthentication?: "client_secret_basic" | "client_secret_post";
+  tokenEndpointAuthentication?: "client_secret_basic" | "client_secret_post" | "private_key_jwt";
   /** Scopes supported by the IdP */
   scopesSupported?: string[];
 }
@@ -1717,7 +1742,7 @@ declare function normalizeUrl(name: string, endpoint: string, issuer: string): s
  * @param existing - Existing authentication method from config
  * @returns The selected authentication method
  */
-declare function selectTokenEndpointAuthMethod(doc: OIDCDiscoveryDocument, existing?: "client_secret_basic" | "client_secret_post"): "client_secret_basic" | "client_secret_post";
+declare function selectTokenEndpointAuthMethod(doc: OIDCDiscoveryDocument, existing?: "client_secret_basic" | "client_secret_post" | "private_key_jwt"): "client_secret_basic" | "client_secret_post" | "private_key_jwt";
 /**
  * Check if a provider configuration needs runtime discovery.
  *
@@ -1750,7 +1775,6 @@ type SSOEndpoints<O extends SSOOptions> = {
   signInSSO: ReturnType<typeof signInSSO>;
   callbackSSO: ReturnType<typeof callbackSSO>;
   callbackSSOShared: ReturnType<typeof callbackSSOShared>;
-  callbackSSOSAML: ReturnType<typeof callbackSSOSAML>;
   acsEndpoint: ReturnType<typeof acsEndpoint>;
   sloEndpoint: ReturnType<typeof sloEndpoint>;
   initiateSLO: ReturnType<typeof initiateSLO>;
@@ -1786,4 +1810,4 @@ declare function sso<O extends SSOOptions>(options?: O | undefined): {
   options: NoInfer<O>;
 };
 //#endregion
-export { DataEncryptionAlgorithm as A, TimestampValidationOptions as C, SSOOptions as D, SAMLConfig as E, DigestAlgorithm as M, KeyEncryptionAlgorithm as N, SSOProvider as O, SignatureAlgorithm as P, SAMLConditions as S, OIDCConfig as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, DEFAULT_MAX_SAML_METADATA_SIZE as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, DeprecatedAlgorithmBehavior as j, AlgorithmValidationOptions as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, validateSAMLTimestamp as w, DEFAULT_MAX_SAML_RESPONSE_SIZE as x, DEFAULT_CLOCK_SKEW_MS as y };
+export { DataEncryptionAlgorithm as A, DEFAULT_MAX_SAML_METADATA_SIZE as C, SSOOptions as D, SAMLConfig as E, DigestAlgorithm as M, KeyEncryptionAlgorithm as N, SSOProvider as O, SignatureAlgorithm as P, DEFAULT_CLOCK_SKEW_MS as S, OIDCConfig as T, REQUIRED_DISCOVERY_FIELDS as _, fetchDiscoveryDocument as a, TimestampValidationOptions as b, normalizeUrl as c, validateDiscoveryUrl as d, DiscoverOIDCConfigParams as f, OIDCDiscoveryDocument as g, HydratedOIDCConfig as h, discoverOIDCConfig as i, DeprecatedAlgorithmBehavior as j, AlgorithmValidationOptions as k, selectTokenEndpointAuthMethod as l, DiscoveryErrorCode as m, sso as n, needsRuntimeDiscovery as o, DiscoveryError as p, computeDiscoveryUrl as r, normalizeDiscoveryUrls as s, SSOPlugin as t, validateDiscoveryDocument as u, RequiredDiscoveryField as v, DEFAULT_MAX_SAML_RESPONSE_SIZE as w, validateSAMLTimestamp as x, SAMLConditions as y };

package/dist/index.d.mts

@@ -1,2 +1,2 @@
-import { A as DataEncryptionAlgorithm, C as TimestampValidationOptions, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as SAMLConditions, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as DEFAULT_MAX_SAML_METADATA_SIZE, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as validateSAMLTimestamp, x as DEFAULT_MAX_SAML_RESPONSE_SIZE, y as DEFAULT_CLOCK_SKEW_MS } from "./index-DyoL-0jp.mjs";
+import { A as DataEncryptionAlgorithm, C as DEFAULT_MAX_SAML_METADATA_SIZE, D as SSOOptions, E as SAMLConfig, M as DigestAlgorithm, N as KeyEncryptionAlgorithm, O as SSOProvider, P as SignatureAlgorithm, S as DEFAULT_CLOCK_SKEW_MS, T as OIDCConfig, _ as REQUIRED_DISCOVERY_FIELDS, a as fetchDiscoveryDocument, b as TimestampValidationOptions, c as normalizeUrl, d as validateDiscoveryUrl, f as DiscoverOIDCConfigParams, g as OIDCDiscoveryDocument, h as HydratedOIDCConfig, i as discoverOIDCConfig, j as DeprecatedAlgorithmBehavior, k as AlgorithmValidationOptions, l as selectTokenEndpointAuthMethod, m as DiscoveryErrorCode, n as sso, o as needsRuntimeDiscovery, p as DiscoveryError, r as computeDiscoveryUrl, s as normalizeDiscoveryUrls, t as SSOPlugin, u as validateDiscoveryDocument, v as RequiredDiscoveryField, w as DEFAULT_MAX_SAML_RESPONSE_SIZE, x as validateSAMLTimestamp, y as SAMLConditions } from "./index-CagV4mMx.mjs";
 export { AlgorithmValidationOptions, DEFAULT_CLOCK_SKEW_MS, DEFAULT_MAX_SAML_METADATA_SIZE, DEFAULT_MAX_SAML_RESPONSE_SIZE, DataEncryptionAlgorithm, DeprecatedAlgorithmBehavior, DigestAlgorithm, DiscoverOIDCConfigParams, DiscoveryError, DiscoveryErrorCode, HydratedOIDCConfig, KeyEncryptionAlgorithm, OIDCConfig, OIDCDiscoveryDocument, REQUIRED_DISCOVERY_FIELDS, RequiredDiscoveryField, SAMLConditions, SAMLConfig, SSOOptions, SSOPlugin, SSOProvider, SignatureAlgorithm, TimestampValidationOptions, computeDiscoveryUrl, discoverOIDCConfig, fetchDiscoveryDocument, needsRuntimeDiscovery, normalizeDiscoveryUrls, normalizeUrl, selectTokenEndpointAuthMethod, sso, validateDiscoveryDocument, validateDiscoveryUrl, validateSAMLTimestamp };

package/dist/index.mjs

@@ -1,4 +1,4 @@
-import { t as PACKAGE_VERSION } from "./version-1sp6DKT-.mjs";
+import { t as PACKAGE_VERSION } from "./version-C22JHwcK.mjs";
 import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
 import * as saml from "samlify";
@@ -8,7 +8,7 @@ import { generateRandomString } from "better-auth/crypto";
 import * as z from "zod";
 import { base64 } from "@better-auth/utils/base64";
 import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
-import { HIDE_METADATA, createAuthorizationURL, generateGenericState, generateState, parseGenericState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
+import { ASSERTION_SIGNING_ALGORITHMS, HIDE_METADATA, createAuthorizationURL, generateGenericState, generateState, parseGenericState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
 import { deleteSessionCookie, setSessionCookie } from "better-auth/cookies";
 import { handleOAuthUserInfo } from "better-auth/oauth2";
 import { decodeJwt } from "jose";
@@ -625,6 +625,94 @@ function validateSingleAssertion(samlResponse) {
 	});
 }
 //#endregion
+//#region src/saml/response-validation.ts
+function errorRedirectUrl(base, error, description) {
+	try {
+		const url = new URL(base);
+		url.searchParams.set("error", error);
+		url.searchParams.set("error_description", description);
+		return url.toString();
+	} catch {
+		const hashIdx = base.indexOf("#");
+		const path = hashIdx >= 0 ? base.slice(0, hashIdx) : base;
+		const hash = hashIdx >= 0 ? base.slice(hashIdx + 1) : void 0;
+		return `${path}${path.includes("?") ? "&" : "?"}${`error=${encodeURIComponent(error)}&error_description=${encodeURIComponent(description)}`}${hash ? `#${hash}` : ""}`;
+	}
+}
+/**
+* Validates the InResponseTo attribute of a SAML Response.
+*
+* This binds the IdP's Response to a specific SP-initiated AuthnRequest,
+* preventing replay attacks, unsolicited response injection, and
+* cross-provider assertion swaps.
+*
+* The InResponseTo value lives at `extract.response.inResponseTo` in
+* samlify's parsed output (not at the top level).
+*/
+async function validateInResponseTo(c, ctx) {
+	if (ctx.options.enableInResponseToValidation === false) return;
+	const inResponseTo = ctx.extract.response?.inResponseTo;
+	const allowIdpInitiated = ctx.options.allowIdpInitiated ?? false;
+	if (inResponseTo) {
+		let storedRequest = null;
+		const verification = await c.context.internalAdapter.findVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
+		if (verification) try {
+			storedRequest = JSON.parse(verification.value);
+			if (storedRequest && storedRequest.expiresAt < Date.now()) storedRequest = null;
+		} catch {
+			storedRequest = null;
+		}
+		if (!storedRequest) {
+			c.context.logger.error("SAML InResponseTo validation failed: unknown or expired request ID", {
+				inResponseTo,
+				providerId: ctx.providerId
+			});
+			throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "invalid_saml_response", "Unknown or expired request ID"));
+		}
+		if (storedRequest.providerId !== ctx.providerId) {
+			c.context.logger.error("SAML InResponseTo validation failed: provider mismatch", {
+				inResponseTo,
+				expectedProvider: storedRequest.providerId,
+				actualProvider: ctx.providerId
+			});
+			await c.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
+			throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "invalid_saml_response", "Provider mismatch"));
+		}
+		await c.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
+	} else if (!allowIdpInitiated) {
+		c.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId: ctx.providerId });
+		throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "unsolicited_response", "IdP-initiated SSO not allowed"));
+	}
+}
+/**
+* Validates the AudienceRestriction of a SAML assertion.
+*
+* Per SAML 2.0 Core §2.5.1, an assertion's Audience element specifies
+* the intended recipient SP. Without this check, an assertion issued
+* for a different SP (e.g., another application sharing the same IdP)
+* could be accepted.
+*/
+function validateAudience(c, ctx) {
+	if (!ctx.expectedAudience) {
+		c.context.logger.warn("Could not determine SP entity ID for audience validation; skipping", { providerId: ctx.providerId });
+		return;
+	}
+	const audience = ctx.extract.audience;
+	if (!audience) {
+		c.context.logger.error("SAML assertion missing AudienceRestriction but audience is configured — rejecting", { providerId: ctx.providerId });
+		throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "invalid_saml_response", "Audience restriction missing"));
+	}
+	const audiences = Array.isArray(audience) ? audience : [audience];
+	if (!audiences.includes(ctx.expectedAudience)) {
+		c.context.logger.error("SAML audience mismatch: assertion was issued for a different service provider", {
+			expected: ctx.expectedAudience,
+			received: audiences,
+			providerId: ctx.providerId
+		});
+		throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "invalid_saml_response", "Audience mismatch"));
+	}
+}
+//#endregion
 //#region src/routes/schemas.ts
 const oidcMappingSchema = z.object({
 	id: z.string().optional(),
@@ -649,7 +737,13 @@ const oidcConfigSchema = z.object({
 	authorizationEndpoint: z.string().url().optional(),
 	tokenEndpoint: z.string().url().optional(),
 	userInfoEndpoint: z.string().url().optional(),
-	tokenEndpointAuthentication: z.enum(["client_secret_post", "client_secret_basic"]).optional(),
+	tokenEndpointAuthentication: z.enum([
+		"client_secret_post",
+		"client_secret_basic",
+		"private_key_jwt"
+	]).optional(),
+	privateKeyId: z.string().optional(),
+	privateKeyAlgorithm: z.string().optional(),
 	jwksEndpoint: z.string().url().optional(),
 	discoveryEndpoint: z.string().url().optional(),
 	scopes: z.array(z.string()).optional(),
@@ -660,7 +754,6 @@ const oidcConfigSchema = z.object({
 const samlConfigSchema = z.object({
 	entryPoint: z.string().url().optional(),
 	cert: z.string().optional(),
-	callbackUrl: z.string().url().optional(),
 	audience: z.string().optional(),
 	idpMetadata: z.object({
 		metadata: z.string().optional(),
@@ -692,8 +785,6 @@ const samlConfigSchema = z.object({
 	digestAlgorithm: z.string().optional(),
 	identifierFormat: z.string().optional(),
 	privateKey: z.string().optional(),
-	decryptionPvk: z.string().optional(),
-	additionalParams: z.record(z.string(), z.any()).optional(),
 	mapping: samlMappingSchema
 });
 const updateSSOProviderBodySchema = z.object({
@@ -770,7 +861,6 @@ function sanitizeProvider(provider, baseURL) {
 		} : void 0,
 		samlConfig: samlConfig ? {
 			entryPoint: samlConfig.entryPoint,
-			callbackUrl: samlConfig.callbackUrl,
 			audience: samlConfig.audience,
 			wantAssertionsSigned: samlConfig.wantAssertionsSigned,
 			authnRequestsSigned: samlConfig.authnRequestsSigned,
@@ -873,7 +963,6 @@ function mergeSAMLConfig(current, updates, issuer) {
 		issuer,
 		entryPoint: updates.entryPoint ?? current.entryPoint,
 		cert: updates.cert ?? current.cert,
-		callbackUrl: updates.callbackUrl ?? current.callbackUrl,
 		spMetadata: updates.spMetadata ?? current.spMetadata,
 		idpMetadata: updates.idpMetadata ?? current.idpMetadata,
 		mapping: updates.mapping ?? current.mapping,
@@ -900,7 +989,9 @@ function mergeOIDCConfig(current, updates, issuer) {
 		tokenEndpoint: updates.tokenEndpoint ?? current.tokenEndpoint,
 		userInfoEndpoint: updates.userInfoEndpoint ?? current.userInfoEndpoint,
 		jwksEndpoint: updates.jwksEndpoint ?? current.jwksEndpoint,
-		tokenEndpointAuthentication: updates.tokenEndpointAuthentication ?? current.tokenEndpointAuthentication
+		tokenEndpointAuthentication: updates.tokenEndpointAuthentication ?? current.tokenEndpointAuthentication,
+		privateKeyId: updates.privateKeyId ?? current.privateKeyId,
+		privateKeyAlgorithm: updates.privateKeyAlgorithm ?? current.privateKeyAlgorithm
 	};
 }
 const updateSSOProvider = (options) => {
@@ -945,6 +1036,8 @@ const updateSSOProvider = (options) => {
 		if (body.oidcConfig) {
 			const currentOidcConfig = parseAndValidateConfig(existingProvider.oidcConfig, "OIDC");
 			const updatedOidcConfig = mergeOIDCConfig(currentOidcConfig, body.oidcConfig, updateData.issuer || currentOidcConfig.issuer || existingProvider.issuer);
+			if (updatedOidcConfig.tokenEndpointAuthentication !== "private_key_jwt" && !updatedOidcConfig.clientSecret) throw new APIError("BAD_REQUEST", { message: "clientSecret is required when using client_secret_basic or client_secret_post authentication" });
+			if (updatedOidcConfig.tokenEndpointAuthentication === "private_key_jwt" && !options?.resolvePrivateKey && !options?.defaultSSO?.some((p) => p.providerId === providerId && "privateKey" in p && p.privateKey)) throw new APIError("BAD_REQUEST", { message: "private_key_jwt authentication requires either a resolvePrivateKey callback or a privateKey in defaultSSO" });
 			updateData.oidcConfig = JSON.stringify(updatedOidcConfig);
 		}
 		await ctx.context.adapter.update({
@@ -1242,11 +1335,13 @@ function parseURL(name, endpoint, base) {
 * @returns The selected authentication method
 */
 function selectTokenEndpointAuthMethod(doc, existing) {
+	if (existing === "private_key_jwt") return existing;
 	if (existing) return existing;
 	const supported = doc.token_endpoint_auth_methods_supported;
 	if (!supported || supported.length === 0) return "client_secret_basic";
 	if (supported.includes("client_secret_basic")) return "client_secret_basic";
 	if (supported.includes("client_secret_post")) return "client_secret_post";
+	if (supported.includes("private_key_jwt")) return "private_key_jwt";
 	return "client_secret_basic";
 }
 /**
@@ -1413,6 +1508,16 @@ async function parseRelayState(c) {
 }
 //#endregion
 //#region src/routes/helpers.ts
+/**
+* Normalizes a PEM string by trimming leading/trailing whitespace from each
+* line. Native `crypto.createPrivateKey` (used by samlify 2.12+) rejects PEM
+* blocks with leading whitespace, which is common when keys are stored in
+* indented config files, environment variables, or JSON.
+*/
+function normalizePem(pem) {
+	if (!pem) return pem;
+	return pem.split("\n").map((line) => line.trim()).join("\n");
+}
 async function findSAMLProvider(providerId, options, adapter) {
 	if (options?.defaultSSO?.length) {
 		const match = options.defaultSSO.find((p) => p.providerId === providerId);
@@ -1439,30 +1544,35 @@ async function findSAMLProvider(providerId, options, adapter) {
 function createSP(config, baseURL, providerId, opts) {
 	const spData = config.spMetadata;
 	const sloLocation = `${baseURL}/sso/saml2/sp/slo/${providerId}`;
-	const acsUrl = config.callbackUrl || `${baseURL}/sso/saml2/sp/acs/${providerId}`;
-	return saml.ServiceProvider({
+	const acsUrl = `${baseURL}/sso/saml2/sp/acs/${providerId}`;
+	let metadata = spData?.metadata;
+	if (!metadata) metadata = saml.SPMetadata({
 		entityID: spData?.entityID || config.issuer,
-		assertionConsumerService: spData?.metadata ? void 0 : [{
+		assertionConsumerService: [{
 			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
 			Location: acsUrl
 		}],
-		singleLogoutService: [{
+		singleLogoutService: opts?.sloOptions ? [{
 			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
 			Location: sloLocation
 		}, {
 			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
 			Location: sloLocation
-		}],
+		}] : void 0,
 		wantMessageSigned: config.wantAssertionsSigned || false,
+		authnRequestsSigned: config.authnRequestsSigned || false,
+		nameIDFormat: config.identifierFormat ? [config.identifierFormat] : void 0
+	}).getMetadata() || "";
+	return saml.ServiceProvider({
+		metadata,
+		allowCreate: true,
 		wantLogoutRequestSigned: opts?.sloOptions?.wantLogoutRequestSigned ?? false,
 		wantLogoutResponseSigned: opts?.sloOptions?.wantLogoutResponseSigned ?? false,
-		metadata: spData?.metadata,
-		privateKey: spData?.privateKey || config.privateKey,
+		privateKey: normalizePem(spData?.privateKey || config.privateKey),
 		privateKeyPass: spData?.privateKeyPass,
 		isAssertionEncrypted: spData?.isAssertionEncrypted || false,
-		encPrivateKey: spData?.encPrivateKey,
+		encPrivateKey: normalizePem(spData?.encPrivateKey),
 		encPrivateKeyPass: spData?.encPrivateKeyPass,
-		nameIDFormat: config.identifierFormat ? [config.identifierFormat] : void 0,
 		relayState: opts?.relayState
 	});
 }
@@ -1470,10 +1580,10 @@ function createIdP(config) {
 	const idpData = config.idpMetadata;
 	if (idpData?.metadata) return saml.IdentityProvider({
 		metadata: idpData.metadata,
-		privateKey: idpData.privateKey,
+		privateKey: normalizePem(idpData.privateKey),
 		privateKeyPass: idpData.privateKeyPass,
 		isAssertionEncrypted: idpData.isAssertionEncrypted,
-		encPrivateKey: idpData.encPrivateKey,
+		encPrivateKey: normalizePem(idpData.encPrivateKey),
 		encPrivateKeyPass: idpData.encPrivateKeyPass
 	});
 	return saml.IdentityProvider({
@@ -1483,10 +1593,10 @@ function createIdP(config) {
 			Location: config.entryPoint
 		}],
 		singleLogoutService: idpData?.singleLogoutService,
-		signingCert: idpData?.cert || config.cert,
+		signingCert: normalizePem(idpData?.cert || config.cert),
 		wantAuthnRequestsSigned: config.authnRequestsSigned || false,
 		isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
-		encPrivateKey: idpData?.encPrivateKey,
+		encPrivateKey: normalizePem(idpData?.encPrivateKey),
 		encPrivateKeyPass: idpData?.encPrivateKeyPass
 	});
 }
@@ -1597,8 +1707,8 @@ function extractAssertionId(samlContent) {
 /**
 * Unified SAML response processing pipeline.
 *
-* Both `/sso/saml2/callback/:providerId` (POST) and `/sso/saml2/sp/acs/:providerId`
-* delegate to this function. It handles the full lifecycle: provider lookup,
+* The `/sso/saml2/sp/acs/:providerId` endpoint delegates to this function.
+* It handles the full lifecycle: provider lookup,
 * SP/IdP construction, response validation, session creation, and redirect
 * URL computation.
 */
@@ -1621,7 +1731,7 @@ async function processSAMLResponse(ctx, params, options) {
 	if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
 	const sp = createSP(parsedSamlConfig, ctx.context.baseURL, providerId);
 	const idp = createIdP(parsedSamlConfig);
-	const samlRedirectUrl = getSafeRedirectUrl(relayState?.callbackURL || parsedSamlConfig.callbackUrl, params.currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
+	const samlRedirectUrl = getSafeRedirectUrl(relayState?.callbackURL, params.currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
 	validateSingleAssertion(SAMLResponse);
 	let parsedResponse;
 	try {
@@ -1647,40 +1757,21 @@ async function processSAMLResponse(ctx, params, options) {
 		requireTimestamps: options?.saml?.requireTimestamps,
 		logger: ctx.context.logger
 	});
-	const inResponseTo = extract.inResponseTo;
-	if (options?.saml?.enableInResponseToValidation !== false) {
-		const allowIdpInitiated = options?.saml?.allowIdpInitiated !== false;
-		if (inResponseTo) {
-			let storedRequest = null;
-			const verification = await ctx.context.internalAdapter.findVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
-			if (verification) try {
-				storedRequest = JSON.parse(verification.value);
-				if (storedRequest && storedRequest.expiresAt < Date.now()) storedRequest = null;
-			} catch {
-				storedRequest = null;
-			}
-			if (!storedRequest) {
-				ctx.context.logger.error("SAML InResponseTo validation failed: unknown or expired request ID", {
-					inResponseTo,
-					providerId
-				});
-				throw ctx.redirect(`${samlRedirectUrl}?error=invalid_saml_response&error_description=Unknown+or+expired+request+ID`);
-			}
-			if (storedRequest.providerId !== providerId) {
-				ctx.context.logger.error("SAML InResponseTo validation failed: provider mismatch", {
-					inResponseTo,
-					expectedProvider: storedRequest.providerId,
-					actualProvider: providerId
-				});
-				await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
-				throw ctx.redirect(`${samlRedirectUrl}?error=invalid_saml_response&error_description=Provider+mismatch`);
-			}
-			await ctx.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
-		} else if (!allowIdpInitiated) {
-			ctx.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId });
-			throw ctx.redirect(`${samlRedirectUrl}?error=unsolicited_response&error_description=IdP-initiated+SSO+not+allowed`);
-		}
-	}
+	await validateInResponseTo(ctx, {
+		extract,
+		providerId,
+		options: {
+			enableInResponseToValidation: options?.saml?.enableInResponseToValidation,
+			allowIdpInitiated: options?.saml?.allowIdpInitiated
+		},
+		redirectUrl: samlRedirectUrl
+	});
+	validateAudience(ctx, {
+		extract,
+		expectedAudience: parsedSamlConfig.audience || sp.entityMeta.getEntityID(),
+		providerId,
+		redirectUrl: samlRedirectUrl
+	});
 	const samlContent = parsedResponse.samlContent;
 	const assertionId = samlContent ? extractAssertionId(samlContent) : null;
 	if (assertionId) {
@@ -1723,7 +1814,7 @@ async function processSAMLResponse(ctx, params, options) {
 	const userInfo = {
 		...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, attributes[value]])),
 		id: attributes[mapping.id || "nameID"] || extract.nameID,
-		email: (attributes[mapping.email || "email"] || extract.nameID).toLowerCase(),
+		email: (attributes[mapping.email || "email"] || extract.nameID || "").toLowerCase(),
 		name: [attributes[mapping.firstName || "givenName"], attributes[mapping.lastName || "surname"]].filter(Boolean).join(" ") || attributes[mapping.name || "displayName"] || extract.nameID,
 		emailVerified: options?.trustEmailVerified && mapping.emailVerified ? attributes[mapping.emailVerified] || false : false
 	};
@@ -1737,7 +1828,7 @@ async function processSAMLResponse(ctx, params, options) {
 		throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 	}
 	const isTrustedProvider = ctx.context.trustedProviders.includes(providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
-	const callbackUrl = relayState?.callbackURL || parsedSamlConfig.callbackUrl || ctx.context.baseURL;
+	const postAuthRedirect = relayState?.callbackURL || ctx.context.baseURL;
 	const result = await handleOAuthUserInfo(ctx, {
 		userInfo: {
 			email: userInfo.email,
@@ -1751,11 +1842,11 @@ async function processSAMLResponse(ctx, params, options) {
 			accessToken: "",
 			refreshToken: ""
 		},
-		callbackURL: callbackUrl,
+		callbackURL: postAuthRedirect,
 		disableSignUp: options?.disableImplicitSignUp,
 		isTrustedProvider
 	});
-	if (result.error) throw ctx.redirect(`${callbackUrl}?error=${result.error.split(" ").join("_")}`);
+	if (result.error) throw ctx.redirect(`${samlRedirectUrl}?error=${result.error.split(" ").join("_")}`);
 	const { session, user } = result.data;
 	if (options?.provisionUser && (result.isRegister || options.provisionUserOnEveryLogin)) await options.provisionUser({
 		user,
@@ -1785,7 +1876,7 @@ async function processSAMLResponse(ctx, params, options) {
 			sessionId: session.id,
 			providerId,
 			nameID: extract.nameID,
-			sessionIndex: extract.sessionIndex
+			sessionIndex: extract.sessionIndex?.sessionIndex
 		};
 		await ctx.context.internalAdapter.createVerificationValue({
 			identifier: samlSessionKey,
@@ -1798,7 +1889,7 @@ async function processSAMLResponse(ctx, params, options) {
 			expiresAt: session.expiresAt
 		}).catch((e) => ctx.context.logger.warn("Failed to create SAML session lookup record", e));
 	}
-	return getSafeRedirectUrl(relayState?.callbackURL || parsedSamlConfig.callbackUrl, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
+	return getSafeRedirectUrl(relayState?.callbackURL, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
 }
 //#endregion
 //#region src/routes/sso.ts
@@ -1815,10 +1906,7 @@ function getOIDCRedirectURI(baseURL, providerId, options) {
 	}
 	return `${baseURL}/sso/callback/${providerId}`;
 }
-const spMetadataQuerySchema = z.object({
-	providerId: z.string(),
-	format: z.enum(["xml", "json"]).default("xml")
-});
+const spMetadataQuerySchema = z.object({ providerId: z.string() });
 const spMetadata = (options) => {
 	return createAuthEndpoint("/sso/saml2/sp/metadata", {
 		method: "GET",
@@ -1840,25 +1928,10 @@ const spMetadata = (options) => {
 		if (!provider) throw new APIError("NOT_FOUND", { message: "No provider found for the given providerId" });
 		const parsedSamlConfig = safeJsonParse(provider.samlConfig);
 		if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
-		const sloLocation = `${ctx.context.baseURL}/sso/saml2/sp/slo/${ctx.query.providerId}`;
-		const singleLogoutService = options?.saml?.enableSingleLogout ? [{
-			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-			Location: sloLocation
-		}, {
-			Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
-			Location: sloLocation
-		}] : void 0;
-		const sp = parsedSamlConfig.spMetadata.metadata ? saml.ServiceProvider({ metadata: parsedSamlConfig.spMetadata.metadata }) : saml.SPMetadata({
-			entityID: parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
-			assertionConsumerService: [{
-				Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-				Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${ctx.query.providerId}`
-			}],
-			singleLogoutService,
-			wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
-			authnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
-			nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
-		});
+		const sp = createSP(parsedSamlConfig, ctx.context.baseURL, ctx.query.providerId, options?.saml?.enableSingleLogout ? { sloOptions: {
+			wantLogoutRequestSigned: options?.saml?.wantLogoutRequestSigned,
+			wantLogoutResponseSigned: options?.saml?.wantLogoutResponseSigned
+		} } : void 0);
 		return new Response(sp.getMetadata(), { headers: { "Content-Type": "application/xml" } });
 	});
 };
@@ -1868,11 +1941,17 @@ const ssoProviderBodySchema = z.object({
 	domain: z.string({}).meta({ description: "The domain(s) of the provider. For enterprise multi-domain SSO where a single IdP serves multiple email domains, use comma-separated values (e.g., 'company.com,subsidiary.com,acquired-company.com')" }),
 	oidcConfig: z.object({
 		clientId: z.string({}).meta({ description: "The client ID" }),
-		clientSecret: z.string({}).meta({ description: "The client secret" }),
+		clientSecret: z.string({}).optional().meta({ description: "The client secret. Required for client_secret_basic/client_secret_post. Optional for private_key_jwt." }),
 		authorizationEndpoint: z.string({}).meta({ description: "The authorization endpoint" }).optional(),
 		tokenEndpoint: z.string({}).meta({ description: "The token endpoint" }).optional(),
 		userInfoEndpoint: z.string({}).meta({ description: "The user info endpoint" }).optional(),
-		tokenEndpointAuthentication: z.enum(["client_secret_post", "client_secret_basic"]).optional(),
+		tokenEndpointAuthentication: z.enum([
+			"client_secret_post",
+			"client_secret_basic",
+			"private_key_jwt"
+		]).optional(),
+		privateKeyId: z.string().optional(),
+		privateKeyAlgorithm: z.string().optional(),
 		jwksEndpoint: z.string({}).meta({ description: "The JWKS endpoint" }).optional(),
 		discoveryEndpoint: z.string().optional(),
 		skipDiscovery: z.boolean().meta({ description: "Skip OIDC discovery during registration. When true, you must provide authorizationEndpoint, tokenEndpoint, and jwksEndpoint manually." }).optional(),
@@ -1890,7 +1969,6 @@ const ssoProviderBodySchema = z.object({
 	samlConfig: z.object({
 		entryPoint: z.string({}).meta({ description: "The entry point of the provider" }),
 		cert: z.string({}).meta({ description: "The certificate of the provider" }),
-		callbackUrl: z.string({}).meta({ description: "The callback URL of the provider" }),
 		audience: z.string().optional(),
 		idpMetadata: z.object({
 			metadata: z.string().optional(),
@@ -1915,15 +1993,13 @@ const ssoProviderBodySchema = z.object({
 			isAssertionEncrypted: z.boolean().optional(),
 			encPrivateKey: z.string().optional(),
 			encPrivateKeyPass: z.string().optional()
-		}),
+		}).optional(),
 		wantAssertionsSigned: z.boolean().optional(),
 		authnRequestsSigned: z.boolean().optional(),
 		signatureAlgorithm: z.string().optional(),
 		digestAlgorithm: z.string().optional(),
 		identifierFormat: z.string().optional(),
 		privateKey: z.string().optional(),
-		decryptionPvk: z.string().optional(),
-		additionalParams: z.record(z.string(), z.any()).optional(),
 		mapping: z.object({
 			id: z.string({}).meta({ description: "Field mapping for user ID (defaults to 'nameID')" }),
 			email: z.string({}).meta({ description: "Field mapping for email (defaults to 'email')" }),
@@ -2175,6 +2251,8 @@ const registerSSOProvider = (options) => {
 				authorizationEndpoint: body.oidcConfig.authorizationEndpoint,
 				tokenEndpoint: body.oidcConfig.tokenEndpoint,
 				tokenEndpointAuthentication: body.oidcConfig.tokenEndpointAuthentication || "client_secret_basic",
+				privateKeyId: body.oidcConfig.privateKeyId,
+				privateKeyAlgorithm: body.oidcConfig.privateKeyAlgorithm,
 				jwksEndpoint: body.oidcConfig.jwksEndpoint,
 				pkce: body.oidcConfig.pkce,
 				discoveryEndpoint: body.oidcConfig.discoveryEndpoint || `${body.issuer}/.well-known/openid-configuration`,
@@ -2191,6 +2269,8 @@ const registerSSOProvider = (options) => {
 				authorizationEndpoint: hydratedOIDCConfig.authorizationEndpoint,
 				tokenEndpoint: hydratedOIDCConfig.tokenEndpoint,
 				tokenEndpointAuthentication: hydratedOIDCConfig.tokenEndpointAuthentication,
+				privateKeyId: body.oidcConfig.privateKeyId,
+				privateKeyAlgorithm: body.oidcConfig.privateKeyAlgorithm,
 				jwksEndpoint: hydratedOIDCConfig.jwksEndpoint,
 				pkce: body.oidcConfig.pkce,
 				discoveryEndpoint: hydratedOIDCConfig.discoveryEndpoint,
@@ -2220,12 +2300,19 @@ const registerSSOProvider = (options) => {
 				issuer: body.issuer,
 				domain: body.domain,
 				domainVerified: false,
-				oidcConfig: buildOIDCConfig(),
+				oidcConfig: (() => {
+					const config = buildOIDCConfig();
+					if (config) {
+						const parsed = JSON.parse(config);
+						if (parsed.tokenEndpointAuthentication !== "private_key_jwt" && !parsed.clientSecret) throw new APIError("BAD_REQUEST", { message: "clientSecret is required when using client_secret_basic or client_secret_post authentication" });
+						if (parsed.tokenEndpointAuthentication === "private_key_jwt" && !options?.resolvePrivateKey && !options?.defaultSSO?.some((p) => p.providerId === body.providerId && "privateKey" in p && p.privateKey)) throw new APIError("BAD_REQUEST", { message: "private_key_jwt authentication requires either a resolvePrivateKey callback or a privateKey in defaultSSO" });
+					}
+					return config;
+				})(),
 				samlConfig: body.samlConfig ? JSON.stringify({
 					issuer: body.issuer,
 					entryPoint: body.samlConfig.entryPoint,
 					cert: body.samlConfig.cert,
-					callbackUrl: body.samlConfig.callbackUrl,
 					audience: body.samlConfig.audience,
 					idpMetadata: body.samlConfig.idpMetadata,
 					spMetadata: body.samlConfig.spMetadata,
@@ -2235,8 +2322,6 @@ const registerSSOProvider = (options) => {
 					digestAlgorithm: body.samlConfig.digestAlgorithm,
 					identifierFormat: body.samlConfig.identifierFormat,
 					privateKey: body.samlConfig.privateKey,
-					decryptionPvk: body.samlConfig.decryptionPvk,
-					additionalParams: body.samlConfig.additionalParams,
 					mapping: body.samlConfig.mapping
 				}) : null,
 				organizationId: body.organizationId,
@@ -2443,46 +2528,8 @@ const signInSSO = (options) => {
 			if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
 			if (parsedSamlConfig.authnRequestsSigned && !parsedSamlConfig.spMetadata?.privateKey && !parsedSamlConfig.privateKey) throw new APIError("BAD_REQUEST", { message: "authnRequestsSigned is enabled but no privateKey provided in spMetadata or samlConfig" });
 			const { state: relayState } = await generateRelayState(ctx, void 0, false);
-			let metadata = parsedSamlConfig.spMetadata.metadata;
-			if (!metadata) metadata = saml.SPMetadata({
-				entityID: parsedSamlConfig.spMetadata?.entityID || parsedSamlConfig.issuer,
-				assertionConsumerService: [{
-					Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
-					Location: parsedSamlConfig.callbackUrl || `${ctx.context.baseURL}/sso/saml2/sp/acs/${provider.providerId}`
-				}],
-				wantMessageSigned: parsedSamlConfig.wantAssertionsSigned || false,
-				authnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
-				nameIDFormat: parsedSamlConfig.identifierFormat ? [parsedSamlConfig.identifierFormat] : void 0
-			}).getMetadata() || "";
-			const sp = saml.ServiceProvider({
-				metadata,
-				allowCreate: true,
-				privateKey: parsedSamlConfig.spMetadata?.privateKey || parsedSamlConfig.privateKey,
-				privateKeyPass: parsedSamlConfig.spMetadata?.privateKeyPass,
-				relayState
-			});
-			const idpData = parsedSamlConfig.idpMetadata;
-			let idp;
-			if (!idpData?.metadata) idp = saml.IdentityProvider({
-				entityID: idpData?.entityID || parsedSamlConfig.issuer,
-				singleSignOnService: idpData?.singleSignOnService || [{
-					Binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
-					Location: parsedSamlConfig.entryPoint
-				}],
-				signingCert: idpData?.cert || parsedSamlConfig.cert,
-				wantAuthnRequestsSigned: parsedSamlConfig.authnRequestsSigned || false,
-				isAssertionEncrypted: idpData?.isAssertionEncrypted || false,
-				encPrivateKey: idpData?.encPrivateKey,
-				encPrivateKeyPass: idpData?.encPrivateKeyPass
-			});
-			else idp = saml.IdentityProvider({
-				metadata: idpData.metadata,
-				privateKey: idpData.privateKey,
-				privateKeyPass: idpData.privateKeyPass,
-				isAssertionEncrypted: idpData.isAssertionEncrypted,
-				encPrivateKey: idpData.encPrivateKey,
-				encPrivateKeyPass: idpData.encPrivateKeyPass
-			});
+			const sp = createSP(parsedSamlConfig, ctx.context.baseURL, provider.providerId, { relayState });
+			const idp = createIdP(parsedSamlConfig);
 			const loginRequest = sp.createLoginRequest(idp, "redirect");
 			if (!loginRequest) throw new APIError("BAD_REQUEST", { message: "Invalid SAML request" });
 			if (loginRequest.id && options?.saml?.enableInResponseToValidation !== false) {
@@ -2573,6 +2620,30 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 		]
 	};
 	if (!config.tokenEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_endpoint_not_found`);
+	let authMethod = "basic";
+	if (config.tokenEndpointAuthentication === "client_secret_post") authMethod = "post";
+	else if (config.tokenEndpointAuthentication === "private_key_jwt") authMethod = "private_key_jwt";
+	let clientAssertionConfig;
+	if (authMethod === "private_key_jwt") {
+		let resolved;
+		const matchingDefault = options?.defaultSSO?.find((p) => p.providerId === provider.providerId && "privateKey" in p && p.privateKey);
+		if (matchingDefault && "privateKey" in matchingDefault) resolved = matchingDefault.privateKey;
+		if (!resolved && options?.resolvePrivateKey) resolved = await options.resolvePrivateKey({
+			providerId: provider.providerId,
+			keyId: config.privateKeyId,
+			issuer: config.issuer
+		});
+		if (!resolved) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=no_private_key_available`);
+		const rawAlg = config.privateKeyAlgorithm ?? resolved.algorithm;
+		const algorithm = rawAlg && ASSERTION_SIGNING_ALGORITHMS.includes(rawAlg) ? rawAlg : void 0;
+		clientAssertionConfig = {
+			privateKeyJwk: resolved.privateKeyJwk,
+			privateKeyPem: resolved.privateKeyPem,
+			kid: config.privateKeyId ?? resolved.kid,
+			algorithm,
+			tokenEndpoint: config.tokenEndpoint
+		};
+	}
 	const tokenResponse = await validateAuthorizationCode({
 		code,
 		codeVerifier: config.pkce ? stateData.codeVerifier : void 0,
@@ -2582,7 +2653,8 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 			clientSecret: config.clientSecret
 		},
 		tokenEndpoint: config.tokenEndpoint,
-		authentication: config.tokenEndpointAuthentication === "client_secret_post" ? "post" : "basic"
+		authentication: authMethod,
+		clientAssertion: clientAssertionConfig
 	}).catch((e) => {
 		ctx.context.logger.error("Error validating authorization code", e);
 		if (e instanceof BetterFetchError) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${e.message}`);
@@ -2732,72 +2804,42 @@ const callbackSSOShared = (options) => {
 		return handleOIDCCallback(ctx, options, providerId, stateData);
 	});
 };
-const callbackSSOSAMLBodySchema = z.object({
+const acsEndpointBodySchema = z.object({
 	SAMLResponse: z.string(),
 	RelayState: z.string().optional()
 });
-const callbackSSOSAML = (options) => {
-	return createAuthEndpoint("/sso/saml2/callback/:providerId", {
+const acsEndpoint = (options) => {
+	return createAuthEndpoint("/sso/saml2/sp/acs/:providerId", {
 		method: ["GET", "POST"],
-		body: callbackSSOSAMLBodySchema.optional(),
+		body: acsEndpointBodySchema.optional(),
 		query: z.object({ RelayState: z.string().optional() }).optional(),
 		metadata: {
 			...HIDE_METADATA,
 			allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
 			openapi: {
-				operationId: "handleSAMLCallback",
-				summary: "Callback URL for SAML provider",
-				description: "This endpoint is used as the callback URL for SAML providers. Supports both GET and POST methods for IdP-initiated and SP-initiated flows.",
+				operationId: "handleSAMLAssertionConsumerService",
+				summary: "SAML Assertion Consumer Service",
+				description: "Handles SAML responses from IdP after successful authentication. Supports GET for post-auth redirects and POST for SAML response processing.",
 				responses: {
-					"302": { description: "Redirects to the callback URL" },
-					"400": { description: "Invalid SAML response" },
-					"401": { description: "Unauthorized - SAML authentication failed" }
+					"302": { description: "Redirects after authentication (success or error with query params)" },
+					"400": { description: "Missing SAMLResponse in POST body" },
+					"404": { description: "SAML provider not found" }
 				}
 			}
 		}
 	}, async (ctx) => {
 		const { providerId } = ctx.params;
+		const currentCallbackPath = `${ctx.context.baseURL}/sso/saml2/sp/acs/${providerId}`;
 		const appOrigin = new URL(ctx.context.baseURL).origin;
-		const errorURL = ctx.context.options.onAPIError?.errorURL || `${appOrigin}/error`;
-		const currentCallbackPath = `${ctx.context.baseURL}/sso/saml2/callback/${providerId}`;
 		if (ctx.method === "GET" && !ctx.body?.SAMLResponse) {
-			if (!(await getSessionFromCtx(ctx))?.session) throw ctx.redirect(`${errorURL}?error=invalid_request`);
+			if (!(await getSessionFromCtx(ctx))?.session) {
+				const errorURL = ctx.context.options.onAPIError?.errorURL || `${appOrigin}/error`;
+				throw ctx.redirect(`${errorURL}?error=invalid_request`);
+			}
 			const relayState = ctx.query?.RelayState;
-			const safeRedirectUrl = getSafeRedirectUrl(relayState, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
-			throw ctx.redirect(safeRedirectUrl);
+			throw ctx.redirect(getSafeRedirectUrl(relayState, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings)));
 		}
 		if (!ctx.body?.SAMLResponse) throw new APIError("BAD_REQUEST", { message: "SAMLResponse is required for POST requests" });
-		const safeRedirectUrl = await processSAMLResponse(ctx, {
-			SAMLResponse: ctx.body.SAMLResponse,
-			RelayState: ctx.body.RelayState,
-			providerId,
-			currentCallbackPath
-		}, options);
-		throw ctx.redirect(safeRedirectUrl);
-	});
-};
-const acsEndpointBodySchema = z.object({
-	SAMLResponse: z.string(),
-	RelayState: z.string().optional()
-});
-const acsEndpoint = (options) => {
-	return createAuthEndpoint("/sso/saml2/sp/acs/:providerId", {
-		method: "POST",
-		body: acsEndpointBodySchema,
-		metadata: {
-			...HIDE_METADATA,
-			allowedMediaTypes: ["application/x-www-form-urlencoded", "application/json"],
-			openapi: {
-				operationId: "handleSAMLAssertionConsumerService",
-				summary: "SAML Assertion Consumer Service",
-				description: "Handles SAML responses from IdP after successful authentication",
-				responses: { "302": { description: "Redirects to the callback URL after successful authentication" } }
-			}
-		}
-	}, async (ctx) => {
-		const { providerId } = ctx.params;
-		const currentCallbackPath = `${ctx.context.baseURL}/sso/saml2/sp/acs/${providerId}`;
-		const appOrigin = new URL(ctx.context.baseURL).origin;
 		try {
 			const safeRedirectUrl = await processSAMLResponse(ctx, {
 				SAMLResponse: ctx.body.SAMLResponse,
@@ -2809,9 +2851,8 @@ const acsEndpoint = (options) => {
 		} catch (error) {
 			if (error instanceof Response || error && typeof error === "object" && "status" in error && error.status === 302) throw error;
 			if (error instanceof APIError && error.statusCode === 400) {
-				const internalCode = error.body?.code || "";
-				const errorCode = internalCode === "SAML_MULTIPLE_ASSERTIONS" ? "multiple_assertions" : internalCode === "SAML_NO_ASSERTION" ? "no_assertion" : internalCode.toLowerCase() || "saml_error";
-				const redirectUrl = getSafeRedirectUrl(ctx.body.RelayState || void 0, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
+				const errorCode = (error.body?.code || "saml_error").toLowerCase();
+				const redirectUrl = getSafeRedirectUrl(ctx.body?.RelayState || void 0, currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
 				throw ctx.redirect(`${redirectUrl}${redirectUrl.includes("?") ? "&" : "?"}error=${encodeURIComponent(errorCode)}&error_description=${encodeURIComponent(error.message)}`);
 			}
 			throw error;
@@ -2986,11 +3027,7 @@ saml.setSchemaValidator({ async validate(xml) {
 * These endpoints receive POST requests from external Identity Providers,
 * which won't have a matching Origin header.
 */
-const SAML_SKIP_ORIGIN_CHECK_PATHS = [
-	"/sso/saml2/callback",
-	"/sso/saml2/sp/acs",
-	"/sso/saml2/sp/slo"
-];
+const SAML_SKIP_ORIGIN_CHECK_PATHS = ["/sso/saml2/sp/acs", "/sso/saml2/sp/slo"];
 function sso(options) {
 	const optionsWithStore = options;
 	let endpoints = {
@@ -2999,7 +3036,6 @@ function sso(options) {
 		signInSSO: signInSSO(optionsWithStore),
 		callbackSSO: callbackSSO(optionsWithStore),
 		callbackSSOShared: callbackSSOShared(optionsWithStore),
-		callbackSSOSAML: callbackSSOSAML(optionsWithStore),
 		acsEndpoint: acsEndpoint(optionsWithStore),
 		sloEndpoint: sloEndpoint(optionsWithStore),
 		initiateSLO: initiateSLO(optionsWithStore),

package/dist/{version-1sp6DKT-.mjs → version-C22JHwcK.mjs}

@@ -1,5 +1,5 @@
 //#endregion
 //#region src/version.ts
-const PACKAGE_VERSION = "1.6.3";
+const PACKAGE_VERSION = "1.7.0-beta.1";
 //#endregion
 export { PACKAGE_VERSION as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@better-auth/sso",
-  "version": "1.6.3",
+  "version": "1.7.0-beta.1",
   "description": "SSO plugin for Better Auth",
   "type": "module",
   "license": "MIT",
@@ -58,7 +58,7 @@
   "dependencies": {
     "fast-xml-parser": "^5.5.7",
     "jose": "^6.1.3",
-    "samlify": "~2.10.2",
+    "samlify": "~2.12.0",
     "tldts": "^6.1.0",
     "zod": "^4.3.6"
   },
@@ -70,15 +70,15 @@
     "express": "^5.2.1",
     "oauth2-mock-server": "^8.2.2",
     "tsdown": "0.21.1",
-    "@better-auth/core": "1.6.3",
-    "better-auth": "1.6.3"
+    "@better-auth/core": "1.7.0-beta.1",
+    "better-auth": "1.7.0-beta.1"
   },
   "peerDependencies": {
     "@better-auth/utils": "0.4.0",
     "@better-fetch/fetch": "1.1.21",
     "better-call": "1.3.5",
-    "@better-auth/core": "^1.6.3",
-    "better-auth": "^1.6.3"
+    "@better-auth/core": "^1.7.0-beta.1",
+    "better-auth": "^1.7.0-beta.1"
   },
   "scripts": {
     "build": "tsdown",