npm - @better-auth/sso - Versions diffs - 1.7.0-beta.4 → 1.7.0-beta.6 - Mend

@better-auth/sso 1.7.0-beta.4 → 1.7.0-beta.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/client.d.mts +10 -1
package/dist/client.mjs +1 -1
package/dist/{index-DCkGGu_2.d.mts → index-DsajaS2F.d.mts} +68 -92
package/dist/index.d.mts +1 -1
package/dist/index.mjs +718 -472
package/dist/{version-5EiO_U3Z.mjs → version-BTlyLl-N.mjs} +1 -1
package/package.json +9 -9

package/dist/index.mjs CHANGED Viewed

@@ -1,19 +1,21 @@
-import { t as PACKAGE_VERSION } from "./version-5EiO_U3Z.mjs";
-import { APIError, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
+import { t as PACKAGE_VERSION } from "./version-BTlyLl-N.mjs";
+import { APIError, addOAuthServerContext, createAuthEndpoint, createAuthMiddleware, getSessionFromCtx, sessionMiddleware } from "better-auth/api";
 import { XMLParser, XMLValidator } from "fast-xml-parser";
 import { X509Certificate } from "node:crypto";
 import { getHostname } from "tldts";
 import { generateRandomString } from "better-auth/crypto";
 import * as z from "zod";
-import { isPublicRoutableHost } from "@better-auth/core/utils/host";
-import { BetterFetchError, betterFetch } from "@better-fetch/fetch";
+import { filterOutputFields } from "@better-auth/core/utils/db";
+import { classifyHost, isPublicRoutableHost } from "@better-auth/core/utils/host";
+import { betterFetch } from "@better-fetch/fetch";
+import { createRemoteJWKSet, customFetch, decodeJwt, jwtVerify } from "jose";
 import { base64 } from "@better-auth/utils/base64";
 import { defineErrorCodes } from "@better-auth/core/utils/error-codes";
+import { parseInputData, toZodSchema } from "better-auth/db";
 import { isAPIError } from "@better-auth/core/utils/is-api-error";
-import { HIDE_METADATA, PRIVATE_KEY_JWT_SIGNING_ALGORITHMS, createAuthorizationURL, createPrivateKeyJwtClientAssertionGetter, generateGenericState, generateState, parseGenericState, parseState, validateAuthorizationCode, validateToken } from "better-auth";
+import { HIDE_METADATA, PRIVATE_KEY_JWT_SIGNING_ALGORITHMS, authorizationCodeRequest, createAuthorizationURL, createPrivateKeyJwtClientAssertionGetter, generateGenericState, generateState, getOAuth2Tokens, parseGenericState, parseState } from "better-auth";
 import { deleteSessionCookie, setSessionCookie } from "better-auth/cookies";
-import { additionalAuthorizationParamsSchema, handleOAuthUserInfo } from "better-auth/oauth2";
-import { decodeJwt } from "jose";
+import { additionalAuthorizationParamsSchema, signInWithOAuthIdentity } from "better-auth/oauth2";
 import * as samlifyNamespace from "samlify";
 import samlifyDefault from "samlify";
 //#region src/constants.ts
@@ -24,8 +26,6 @@ import samlifyDefault from "samlify";
 */
 /** Prefix for AuthnRequest IDs used in InResponseTo validation */
 const AUTHN_REQUEST_KEY_PREFIX = "saml-authn-request:";
-/** Prefix for used Assertion IDs used in replay protection */
-const USED_ASSERTION_KEY_PREFIX = "saml-used-assertion:";
 /** Prefix for SAML session data (NameID + SessionIndex) for SLO */
 const SAML_SESSION_KEY_PREFIX = "saml-session:";
 /** Prefix for reverse lookup of SAML session by Better Auth session ID */
@@ -86,6 +86,16 @@ const domainMatches = (searchDomain, domainList) => {
 	return domainList.split(",").map((d) => d.trim().toLowerCase()).filter(Boolean).some((d) => search === d || search.endsWith(`.${d}`));
 };
 /**
+* Strictly parse a provider-supplied email-verification claim.
+*
+* OIDC userInfo, OIDC id-token, and SAML attribute values are frequently
+* strings, so a loose `Boolean(value)` or truthy fallback treats the string
+* `"false"` as verified. Only a boolean `true` or the exact string `"true"`
+* count as verified; every other value, including `"false"`, `"0"`, `""`,
+* numbers, arrays, and objects, is unverified.
+*/
+const parseProviderEmailVerified = (value) => value === true || value === "true";
+/**
 * Validates email domain against allowed domain(s).
 * Supports comma-separated domains for multi-domain SSO.
 */
@@ -211,171 +221,6 @@ async function assignOrganizationByDomain(ctx, options) {
 	});
 }
 //#endregion
-//#region src/routes/domain-verification.ts
-const DNS_LABEL_MAX_LENGTH = 63;
-const DEFAULT_TOKEN_PREFIX = "better-auth-token";
-const domainVerificationBodySchema = z.object({ providerId: z.string() });
-function getVerificationIdentifier(options, providerId) {
-	return `_${options.domainVerification?.tokenPrefix || DEFAULT_TOKEN_PREFIX}-${providerId}`;
-}
-const requestDomainVerification = (options) => {
-	return createAuthEndpoint("/sso/request-domain-verification", {
-		method: "POST",
-		body: domainVerificationBodySchema,
-		metadata: { openapi: {
-			summary: "Request a domain verification",
-			description: "Request a domain verification for the given SSO provider",
-			responses: {
-				"404": { description: "Provider not found" },
-				"409": { description: "Domain has already been verified" },
-				"201": { description: "Domain submitted for verification" }
-			}
-		} },
-		use: [sessionMiddleware]
-	}, async (ctx) => {
-		const body = ctx.body;
-		const provider = await ctx.context.adapter.findOne({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: body.providerId
-			}]
-		});
-		if (!provider) throw new APIError("NOT_FOUND", {
-			message: "Provider not found",
-			code: "PROVIDER_NOT_FOUND"
-		});
-		const userId = ctx.context.session.user.id;
-		let isOrgMember = true;
-		if (provider.organizationId) isOrgMember = await ctx.context.adapter.count({
-			model: "member",
-			where: [{
-				field: "userId",
-				value: userId
-			}, {
-				field: "organizationId",
-				value: provider.organizationId
-			}]
-		}) > 0;
-		if (provider.userId !== userId || !isOrgMember) throw new APIError("FORBIDDEN", {
-			message: "User must be owner of or belong to the SSO provider organization",
-			code: "INSUFICCIENT_ACCESS"
-		});
-		if ("domainVerified" in provider && provider.domainVerified) throw new APIError("CONFLICT", {
-			message: "Domain has already been verified",
-			code: "DOMAIN_VERIFIED"
-		});
-		const identifier = getVerificationIdentifier(options, provider.providerId);
-		const activeVerification = await ctx.context.internalAdapter.findVerificationValue(identifier);
-		if (activeVerification && new Date(activeVerification.expiresAt) > /* @__PURE__ */ new Date()) {
-			ctx.setStatus(201);
-			return ctx.json({ domainVerificationToken: activeVerification.value });
-		}
-		const domainVerificationToken = generateRandomString(24);
-		await ctx.context.internalAdapter.createVerificationValue({
-			identifier,
-			value: domainVerificationToken,
-			expiresAt: new Date(Date.now() + 3600 * 24 * 7 * 1e3)
-		});
-		ctx.setStatus(201);
-		return ctx.json({ domainVerificationToken });
-	});
-};
-const verifyDomain = (options) => {
-	return createAuthEndpoint("/sso/verify-domain", {
-		method: "POST",
-		body: domainVerificationBodySchema,
-		metadata: { openapi: {
-			summary: "Verify the provider domain ownership",
-			description: "Verify the provider domain ownership via DNS records",
-			responses: {
-				"404": { description: "Provider not found" },
-				"409": { description: "Domain has already been verified or no pending verification exists" },
-				"502": { description: "Unable to verify domain ownership due to upstream validator error" },
-				"204": { description: "Domain ownership was verified" }
-			}
-		} },
-		use: [sessionMiddleware]
-	}, async (ctx) => {
-		const body = ctx.body;
-		const provider = await ctx.context.adapter.findOne({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: body.providerId
-			}]
-		});
-		if (!provider) throw new APIError("NOT_FOUND", {
-			message: "Provider not found",
-			code: "PROVIDER_NOT_FOUND"
-		});
-		const userId = ctx.context.session.user.id;
-		let isOrgMember = true;
-		if (provider.organizationId) isOrgMember = await ctx.context.adapter.count({
-			model: "member",
-			where: [{
-				field: "userId",
-				value: userId
-			}, {
-				field: "organizationId",
-				value: provider.organizationId
-			}]
-		}) > 0;
-		if (provider.userId !== userId || !isOrgMember) throw new APIError("FORBIDDEN", {
-			message: "User must be owner of or belong to the SSO provider organization",
-			code: "INSUFICCIENT_ACCESS"
-		});
-		if ("domainVerified" in provider && provider.domainVerified) throw new APIError("CONFLICT", {
-			message: "Domain has already been verified",
-			code: "DOMAIN_VERIFIED"
-		});
-		const identifier = getVerificationIdentifier(options, provider.providerId);
-		if (identifier.length > DNS_LABEL_MAX_LENGTH) throw new APIError("BAD_REQUEST", {
-			message: `Verification identifier exceeds the DNS label limit of ${DNS_LABEL_MAX_LENGTH} characters`,
-			code: "IDENTIFIER_TOO_LONG"
-		});
-		const activeVerification = await ctx.context.internalAdapter.findVerificationValue(identifier);
-		if (!activeVerification || new Date(activeVerification.expiresAt) <= /* @__PURE__ */ new Date()) throw new APIError("NOT_FOUND", {
-			message: "No pending domain verification exists",
-			code: "NO_PENDING_VERIFICATION"
-		});
-		let records = [];
-		let dns;
-		try {
-			dns = await import("node:dns/promises");
-		} catch (error) {
-			ctx.context.logger.error("The core node:dns module is required for the domain verification feature", error);
-			throw new APIError("INTERNAL_SERVER_ERROR", {
-				message: "Unable to verify domain ownership due to server error",
-				code: "DOMAIN_VERIFICATION_FAILED"
-			});
-		}
-		const hostname = getHostnameFromDomain(provider.domain);
-		if (!hostname) throw new APIError("BAD_REQUEST", {
-			message: "Invalid domain",
-			code: "INVALID_DOMAIN"
-		});
-		try {
-			records = (await dns.resolveTxt(`${identifier}.${hostname}`)).flat();
-		} catch (error) {
-			ctx.context.logger.warn("DNS resolution failure while validating domain ownership", error);
-		}
-		if (!records.find((record) => record.includes(`${activeVerification.identifier}=${activeVerification.value}`))) throw new APIError("BAD_GATEWAY", {
-			message: "Unable to verify domain ownership. Try again later",
-			code: "DOMAIN_VERIFICATION_FAILED"
-		});
-		await ctx.context.adapter.update({
-			model: "ssoProvider",
-			where: [{
-				field: "providerId",
-				value: provider.providerId
-			}],
-			update: { domainVerified: true }
-		});
-		ctx.setStatus(204);
-	});
-};
-//#endregion
 //#region src/oidc/types.ts
 /**
 * Custom error class for OIDC discovery failures.
@@ -414,6 +259,9 @@ const REQUIRED_DISCOVERY_FIELDS = [
 */
 /** Default timeout for discovery requests (10 seconds) */
 const DEFAULT_DISCOVERY_TIMEOUT = 1e4;
+function isHttpRedirectStatus(status) {
+	return status >= 300 && status < 400;
+}
 /**
 * Main entry point: Discover and hydrate OIDC configuration from an issuer.
 *
@@ -435,7 +283,7 @@ async function discoverOIDCConfig(params) {
 	const { issuer, existingConfig, timeout = DEFAULT_DISCOVERY_TIMEOUT } = params;
 	const discoveryUrl = params.discoveryEndpoint || existingConfig?.discoveryEndpoint || computeDiscoveryUrl(issuer);
 	validateDiscoveryUrl(discoveryUrl, params.isTrustedOrigin);
-	const discoveryDoc = await fetchDiscoveryDocument(discoveryUrl, timeout);
+	const discoveryDoc = await fetchDiscoveryDocument(discoveryUrl, timeout, params.isTrustedOrigin);
 	validateDiscoveryDocument(discoveryDoc, issuer);
 	const normalizedDoc = normalizeDiscoveryUrls(discoveryDoc, issuer, params.isTrustedOrigin);
 	const tokenEndpointAuth = selectTokenEndpointAuthMethod(normalizedDoc, existingConfig?.tokenEndpointAuthentication);
@@ -496,7 +344,7 @@ function validateDiscoveryUrl(url, isTrustedOrigin) {
 * @throws DiscoveryError(discovery_invalid_url)  — malformed URL or non-http(s) scheme
 * @throws DiscoveryError(discovery_private_host) — host is not publicly routable and not allowlisted
 */
-function validateSkipDiscoveryEndpoint(name, endpoint, isTrustedOrigin) {
+function validateOIDCEndpointUrl(name, endpoint, isTrustedOrigin) {
 	const parsed = parseURL(name, endpoint);
 	if (isPublicRoutableHost(parsed.hostname)) return;
 	if (isTrustedOrigin(parsed.toString())) return;
@@ -509,14 +357,14 @@ function validateSkipDiscoveryEndpoint(name, endpoint, isTrustedOrigin) {
 /**
 * Validate every present OIDC endpoint URL in a registration or update body.
 *
-* Each provided URL is checked with {@link validateSkipDiscoveryEndpoint}.
+* Each provided URL is checked with {@link validateOIDCEndpointUrl}.
 * Omitted (undefined / null / empty) fields are skipped.
 *
 * @param config - OIDC endpoint URLs from the request body
 * @param isTrustedOrigin - Predicate matching the configured `trustedOrigins`
 * @throws DiscoveryError on the first invalid endpoint
 */
-function validateSkipDiscoveryEndpoints(config, isTrustedOrigin) {
+function validateOIDCEndpointUrls(config, isTrustedOrigin) {
 	const fields = [
 		["authorizationEndpoint", config.authorizationEndpoint],
 		["tokenEndpoint", config.tokenEndpoint],
@@ -524,7 +372,137 @@ function validateSkipDiscoveryEndpoints(config, isTrustedOrigin) {
 		["jwksEndpoint", config.jwksEndpoint],
 		["discoveryEndpoint", config.discoveryEndpoint]
 	];
-	for (const [name, url] of fields) if (url) validateSkipDiscoveryEndpoint(name, url, isTrustedOrigin);
+	for (const [name, url] of fields) if (url) validateOIDCEndpointUrl(name, url, isTrustedOrigin);
+}
+/**
+* Re-validate an endpoint by resolving its hostname and rejecting any resolved
+* address that is not publicly routable.
+*
+* {@link validateOIDCEndpointUrl} only classifies the literal hostname, so
+* a host like `idp.example` whose DNS record points at `127.0.0.1`,
+* `169.254.169.254`, or an RFC 1918 address passes that check unchanged. This
+* function closes that gap by performing the same RFC 6890 classification on the
+* addresses the host actually resolves to, right before the server-side fetch.
+*
+* Best-effort by design:
+*   - Operator-allowlisted origins (trustedOrigins) are skipped — this is the
+*     documented escape hatch for internal IdPs.
+*   - IP-literal hosts are already fully covered by the synchronous check.
+*   - On runtimes without `node:dns` (e.g. Cloudflare Workers / edge), DNS
+*     resolution is unavailable; we fall back to the synchronous host check and
+*     the platform's own egress controls.
+*
+* Note: this resolves once and validates the result; it does not pin the address
+* for the subsequent connection, so a change in the resolved address between
+* this lookup and the fetch remains theoretically possible. It nonetheless
+* rejects the common case of a DNS record that statically points at an internal
+* address.
+*
+* @throws DiscoveryError(discovery_private_host) if any resolved address is not public
+*/
+async function assertEndpointResolvesPublic(name, endpoint, isTrustedOrigin) {
+	const parsed = parseURL(name, endpoint);
+	if (isTrustedOrigin(parsed.toString())) return;
+	const host = parsed.hostname;
+	if (classifyHost(host).literal !== "fqdn") return;
+	let dns;
+	try {
+		dns = await import("node:dns/promises");
+	} catch {
+		return;
+	}
+	let resolved;
+	try {
+		resolved = await dns.lookup(host, { all: true });
+	} catch {
+		return;
+	}
+	for (const { address } of resolved) if (!isPublicRoutableHost(address)) throw new DiscoveryError("discovery_private_host", `The ${name} host "${host}" resolves to a non-publicly-routable address (${address}). If this is an internal IdP, add its origin to trustedOrigins.`, {
+		endpoint: name,
+		url: endpoint,
+		hostname: host,
+		resolved: address
+	});
+}
+/**
+* Validate an OIDC endpoint immediately before a server-side fetch.
+*/
+async function assertOIDCEndpointAllowed(name, endpoint, isTrustedOrigin) {
+	validateOIDCEndpointUrl(name, endpoint, isTrustedOrigin);
+	await assertEndpointResolvesPublic(name, endpoint, isTrustedOrigin);
+}
+/**
+* Re-validate, at fetch time, every OIDC endpoint that is fetched server-side
+* (token, userinfo, jwks). `authorizationEndpoint` is intentionally excluded
+* because it is a browser redirect target, not a server-side fetch.
+*/
+async function assertServerFetchedOIDCEndpointsAllowed(config, isTrustedOrigin) {
+	const fields = [
+		["tokenEndpoint", config.tokenEndpoint],
+		["userInfoEndpoint", config.userInfoEndpoint],
+		["jwksEndpoint", config.jwksEndpoint]
+	];
+	for (const [name, url] of fields) {
+		if (!url) continue;
+		await assertOIDCEndpointAllowed(name, url, isTrustedOrigin);
+	}
+}
+/**
+* Convert an explicit HTTP redirect response into the OIDC configuration error
+* used by all server-side endpoint fetches.
+*/
+function throwRedirectError(name, endpoint, status, location) {
+	throw new DiscoveryError("oidc_endpoint_redirect", `The ${name} (${endpoint}) returned an HTTP ${status} redirect. Configure the final OIDC endpoint URL instead of a redirecting URL.`, {
+		endpoint: name,
+		url: endpoint,
+		status,
+		location
+	});
+}
+/**
+* Fetch a configured OIDC endpoint without following redirects.
+*
+* Every server-side OIDC request goes through this helper so private-host
+* checks and redirect handling stay consistent across discovery, token, and
+* userinfo calls.
+*/
+async function fetchOIDCEndpoint(name, endpoint, options, isTrustedOrigin) {
+	await assertOIDCEndpointAllowed(name, endpoint, isTrustedOrigin);
+	let redirectLocation = null;
+	const { onError, ...fetchOptions } = options;
+	const response = await betterFetch(endpoint, {
+		...fetchOptions,
+		redirect: "manual",
+		onError: async (context) => {
+			if (isHttpRedirectStatus(context.response.status)) redirectLocation = context.response.headers.get("location");
+			await onError?.(context);
+		}
+	});
+	if (response.error && isHttpRedirectStatus(response.error.status)) throwRedirectError(name, endpoint, response.error.status, redirectLocation);
+	return response;
+}
+/**
+* Native-fetch variant for libraries that require a `fetch` implementation,
+* such as jose's remote JWKS loader.
+*/
+async function fetchOIDCEndpointResponse(name, endpoint, init, isTrustedOrigin) {
+	await assertOIDCEndpointAllowed(name, endpoint, isTrustedOrigin);
+	const response = await fetch(endpoint, {
+		...init,
+		redirect: "manual"
+	});
+	if (isHttpRedirectStatus(response.status)) throwRedirectError(name, endpoint, response.status, response.headers.get("location"));
+	return response;
+}
+/**
+* Validate an OIDC ID token using the same endpoint fetch policy as the rest of
+* the SSO OIDC flow.
+*/
+async function validateOIDCIdToken(token, jwksEndpoint, options, isTrustedOrigin) {
+	return jwtVerify(token, createRemoteJWKSet(new URL(jwksEndpoint), { [customFetch]: (url, init) => fetchOIDCEndpointResponse("jwksEndpoint", url, init, isTrustedOrigin) }), {
+		audience: options.audience,
+		issuer: options.issuer
+	});
 }
 /**
 * Fetch the OIDC discovery document from the IdP.
@@ -534,12 +512,12 @@ function validateSkipDiscoveryEndpoints(config, isTrustedOrigin) {
 * @returns The parsed discovery document
 * @throws DiscoveryError on network errors, timeouts, or invalid responses
 */
-async function fetchDiscoveryDocument(url, timeout = DEFAULT_DISCOVERY_TIMEOUT) {
+async function fetchDiscoveryDocument(url, timeout = DEFAULT_DISCOVERY_TIMEOUT, isTrustedOrigin = () => false) {
 	try {
-		const response = await betterFetch(url, {
+		const response = await fetchOIDCEndpoint("discoveryEndpoint", url, {
 			method: "GET",
 			timeout
-		});
+		}, isTrustedOrigin);
 		if (response.error) {
 			const { status } = response.error;
 			if (status === 404) throw new DiscoveryError("discovery_not_found", "Discovery endpoint not found", {
@@ -708,20 +686,24 @@ function needsRuntimeDiscovery(config) {
 * Throws if discovery fails.
 */
 async function ensureRuntimeDiscovery(config, issuer, isTrustedOrigin) {
-	if (!needsRuntimeDiscovery(config)) return config;
-	const hydrated = await discoverOIDCConfig({
-		issuer,
-		existingConfig: config,
-		isTrustedOrigin
-	});
-	return {
-		...config,
-		authorizationEndpoint: hydrated.authorizationEndpoint,
-		tokenEndpoint: hydrated.tokenEndpoint,
-		tokenEndpointAuthentication: hydrated.tokenEndpointAuthentication,
-		userInfoEndpoint: hydrated.userInfoEndpoint,
-		jwksEndpoint: hydrated.jwksEndpoint
-	};
+	let resolved = config;
+	if (needsRuntimeDiscovery(config)) {
+		const hydrated = await discoverOIDCConfig({
+			issuer,
+			existingConfig: config,
+			isTrustedOrigin
+		});
+		resolved = {
+			...config,
+			authorizationEndpoint: hydrated.authorizationEndpoint,
+			tokenEndpoint: hydrated.tokenEndpoint,
+			tokenEndpointAuthentication: hydrated.tokenEndpointAuthentication,
+			userInfoEndpoint: hydrated.userInfoEndpoint,
+			jwksEndpoint: hydrated.jwksEndpoint
+		};
+	}
+	await assertServerFetchedOIDCEndpointsAllowed(resolved, isTrustedOrigin);
+	return resolved;
 }
 //#endregion
 //#region src/oidc/errors.ts
@@ -739,6 +721,7 @@ async function ensureRuntimeDiscovery(config, issuer, isTrustedOrigin) {
 * - discovery_not_found          → 400 BAD_REQUEST
 * - discovery_untrusted_origin   → 400 BAD_REQUEST
 * - discovery_private_host       → 400 BAD_REQUEST
+* - oidc_endpoint_redirect       → 400 BAD_REQUEST
 * - discovery_invalid_json       → 400 BAD_REQUEST
 * - discovery_incomplete         → 400 BAD_REQUEST
 * - issuer_mismatch              → 400 BAD_REQUEST
@@ -775,6 +758,10 @@ function mapDiscoveryErrorToAPIError(error) {
 			message: error.message,
 			code: error.code
 		});
+		case "oidc_endpoint_redirect": return new APIError("BAD_REQUEST", {
+			message: error.message,
+			code: error.code
+		});
 		case "discovery_invalid_json": return new APIError("BAD_REQUEST", {
 			message: `OIDC discovery returned invalid data: ${error.message}`,
 			code: error.code
@@ -1125,11 +1112,10 @@ async function validateInResponseTo(c, ctx) {
 	const inResponseTo = ctx.extract.response?.inResponseTo;
 	const allowIdpInitiated = ctx.options.allowIdpInitiated ?? false;
 	if (inResponseTo) {
+		const consumed = await c.context.internalAdapter.consumeVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 		let storedRequest = null;
-		const verification = await c.context.internalAdapter.findVerificationValue(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
-		if (verification) try {
-			storedRequest = JSON.parse(verification.value);
-			if (storedRequest && storedRequest.expiresAt < Date.now()) storedRequest = null;
+		if (consumed) try {
+			storedRequest = JSON.parse(consumed.value);
 		} catch {
 			storedRequest = null;
 		}
@@ -1146,10 +1132,8 @@ async function validateInResponseTo(c, ctx) {
 				expectedProvider: storedRequest.providerId,
 				actualProvider: ctx.providerId
 			});
-			await c.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 			throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "invalid_saml_response", "Provider mismatch"));
 		}
-		await c.context.internalAdapter.deleteVerificationByIdentifier(`${AUTHN_REQUEST_KEY_PREFIX}${inResponseTo}`);
 	} else if (!allowIdpInitiated) {
 		c.context.logger.error("SAML IdP-initiated SSO rejected: InResponseTo missing and allowIdpInitiated is false", { providerId: ctx.providerId });
 		throw c.redirect(errorRedirectUrl(ctx.redirectUrl, "unsolicited_response", "IdP-initiated SSO not allowed"));
@@ -1185,6 +1169,30 @@ function validateAudience(c, ctx) {
 }
 //#endregion
 //#region src/routes/schemas.ts
+function getSSOProviderAdditionalFields$1(options) {
+	return options?.schema?.ssoProvider?.additionalFields ?? {};
+}
+function getSSOProviderAdditionalFieldsSchema(options) {
+	const additionalFields = getSSOProviderAdditionalFields$1(options);
+	const schema = toZodSchema({
+		fields: additionalFields,
+		isClientSide: true
+	});
+	const blockedInputFields = {};
+	for (const key in additionalFields) if (additionalFields[key]?.input === false) blockedInputFields[key] = z.any().optional();
+	return schema.extend(blockedInputFields);
+}
+function assertNoBlockedAdditionalFieldInput(fields, data) {
+	for (const key in fields) if (fields[key]?.input === false && key in data) throw new APIError("BAD_REQUEST", { message: `${key} is not allowed to be set` });
+}
+function parseSSOProviderAdditionalFields(options, data, action) {
+	const fields = getSSOProviderAdditionalFields$1(options);
+	assertNoBlockedAdditionalFieldInput(fields, data);
+	return parseInputData(data, {
+		fields,
+		action
+	});
+}
 const oidcMappingSchema = z.object({
 	id: z.string().meta({ description: "Field mapping for user ID (defaults to 'sub')" }),
 	email: z.string().meta({ description: "Field mapping for email (defaults to 'email')" }),
@@ -1273,15 +1281,39 @@ const registerSSOProviderBodySchema = z.object({
 	organizationId: z.string().meta({ description: "If organization plugin is enabled, the organization id to link the provider to" }).optional(),
 	overrideUserInfo: z.boolean().meta({ description: "Override user info with the provider info. Defaults to false" }).default(false).optional()
 });
+function getRegisterSSOProviderBodySchema(options) {
+	return registerSSOProviderBodySchema.extend({ ...getSSOProviderAdditionalFieldsSchema(options).shape });
+}
 const updateSSOProviderBodySchema = z.object({
 	issuer: z.string().url().optional(),
 	domain: z.string().optional(),
 	oidcConfig: oidcConfigSchema.partial().optional(),
 	samlConfig: samlConfigSchema.partial().optional()
 });
+function getUpdateSSOProviderBodySchema(options) {
+	return updateSSOProviderBodySchema.extend({
+		providerId: z.string(),
+		...getSSOProviderAdditionalFieldsSchema(options).partial().shape
+	});
+}
 //#endregion
 //#region src/routes/providers.ts
 const ADMIN_ROLES = ["owner", "admin"];
+function getSSOProviderAdditionalFields(options) {
+	return options?.schema?.ssoProvider?.additionalFields ?? {};
+}
+function filterSSOProviderAdditionalFields(provider, options) {
+	return filterOutputFields(provider, getSSOProviderAdditionalFields(options));
+}
+function getReturnedSSOProviderAdditionalFields(provider, options) {
+	const additionalFields = getSSOProviderAdditionalFields(options);
+	const result = {};
+	for (const key in additionalFields) {
+		if (additionalFields[key]?.returned === false) continue;
+		if (key in provider) result[key] = provider[key];
+	}
+	return result;
+}
 function hasOrgAdminRole(member) {
 	return member.role.split(",").some((r) => ADMIN_ROLES.includes(r.trim()));
 }
@@ -1327,7 +1359,7 @@ async function batchCheckOrgAdmin(ctx, userId, organizationIds) {
 	for (const member of members) if (hasOrgAdminRole(member)) adminOrgIds.add(member.organizationId);
 	return adminOrgIds;
 }
-function sanitizeProvider(provider, baseURL) {
+function sanitizeProvider(provider, baseURL, options) {
 	let oidcConfig = null;
 	let samlConfig = null;
 	try {
@@ -1342,6 +1374,7 @@ function sanitizeProvider(provider, baseURL) {
 	}
 	const type = samlConfig ? "saml" : "oidc";
 	return {
+		...getReturnedSSOProviderAdditionalFields(provider, options),
 		providerId: provider.providerId,
 		type,
 		issuer: provider.issuer,
@@ -1372,7 +1405,7 @@ function sanitizeProvider(provider, baseURL) {
 		spMetadataUrl: `${baseURL}/sso/saml2/sp/metadata?providerId=${encodeURIComponent(provider.providerId)}`
 	};
 }
-const listSSOProviders = () => {
+const listSSOProviders = (options) => {
 	return createAuthEndpoint("/sso/providers", {
 		method: "GET",
 		use: [sessionMiddleware],
@@ -1397,7 +1430,7 @@ const listSSOProviders = () => {
 			const userOwnedOrgProviders = orgProviders.filter((p) => p.userId === userId);
 			accessibleProviders = [...accessibleProviders, ...userOwnedOrgProviders];
 		}
-		const providers = accessibleProviders.map((p) => sanitizeProvider(p, ctx.context.baseURL));
+		const providers = accessibleProviders.map((p) => sanitizeProvider(p, ctx.context.baseURL, options));
 		return ctx.json({ providers });
 	});
 };
@@ -1419,7 +1452,7 @@ async function checkProviderAccess(ctx, providerId) {
 	if (!hasAccess) throw new APIError("FORBIDDEN", { message: "You don't have access to this provider" });
 	return provider;
 }
-const getSSOProvider = () => {
+const getSSOProvider = (options) => {
 	return createAuthEndpoint("/sso/get-provider", {
 		method: "GET",
 		use: [sessionMiddleware],
@@ -1437,7 +1470,7 @@ const getSSOProvider = () => {
 	}, async (ctx) => {
 		const { providerId } = ctx.query;
 		const provider = await checkProviderAccess(ctx, providerId);
-		return ctx.json(sanitizeProvider(provider, ctx.context.baseURL));
+		return ctx.json(sanitizeProvider(provider, ctx.context.baseURL, options));
 	});
 };
 function parseAndValidateConfig(configString, configType) {
@@ -1489,10 +1522,11 @@ function mergeOIDCConfig(current, updates, issuer) {
 	};
 }
 const updateSSOProvider = (options) => {
+	const updateBodySchema = getUpdateSSOProviderBodySchema(options);
 	return createAuthEndpoint("/sso/update-provider", {
 		method: "POST",
 		use: [sessionMiddleware],
-		body: updateSSOProviderBodySchema.extend({ providerId: z.string() }),
+		body: updateBodySchema,
 		metadata: { openapi: {
 			operationId: "updateSSOProvider",
 			summary: "Update SSO provider",
@@ -1506,9 +1540,10 @@ const updateSSOProvider = (options) => {
 	}, async (ctx) => {
 		const { providerId, ...body } = ctx.body;
 		const { issuer, domain, samlConfig, oidcConfig } = body;
-		if (!issuer && !domain && !samlConfig && !oidcConfig) throw new APIError("BAD_REQUEST", { message: "No fields provided for update" });
+		const additionalFields = parseSSOProviderAdditionalFields(options, body, "update");
+		if (!issuer && !domain && !samlConfig && !oidcConfig && Object.keys(additionalFields).length === 0) throw new APIError("BAD_REQUEST", { message: "No fields provided for update" });
 		const existingProvider = await checkProviderAccess(ctx, providerId);
-		const updateData = {};
+		const updateData = { ...additionalFields };
 		if (body.issuer !== void 0) updateData.issuer = body.issuer;
 		if (body.domain !== void 0) {
 			updateData.domain = body.domain;
@@ -1530,7 +1565,7 @@ const updateSSOProvider = (options) => {
 		}
 		if (body.oidcConfig) {
 			try {
-				validateSkipDiscoveryEndpoints(body.oidcConfig, (url) => ctx.context.isTrustedOrigin(url));
+				validateOIDCEndpointUrls(body.oidcConfig, (url) => ctx.context.isTrustedOrigin(url));
 			} catch (error) {
 				if (error instanceof DiscoveryError) throw mapDiscoveryErrorToAPIError(error);
 				throw error;
@@ -1557,7 +1592,7 @@ const updateSSOProvider = (options) => {
 			}]
 		});
 		if (!fullProvider) throw new APIError("NOT_FOUND", { message: "Provider not found after update" });
-		return ctx.json(sanitizeProvider(fullProvider, ctx.context.baseURL));
+		return ctx.json(sanitizeProvider(fullProvider, ctx.context.baseURL, options));
 	});
 };
 const deleteSSOProvider = () => {
@@ -1589,15 +1624,126 @@ const deleteSSOProvider = () => {
 	});
 };
 //#endregion
+//#region src/routes/domain-verification.ts
+const DNS_LABEL_MAX_LENGTH = 63;
+const DEFAULT_TOKEN_PREFIX = "better-auth-token";
+const domainVerificationBodySchema = z.object({ providerId: z.string() });
+function getVerificationIdentifier(options, providerId) {
+	return `_${options.domainVerification?.tokenPrefix || DEFAULT_TOKEN_PREFIX}-${providerId}`;
+}
+const requestDomainVerification = (options) => {
+	return createAuthEndpoint("/sso/request-domain-verification", {
+		method: "POST",
+		body: domainVerificationBodySchema,
+		metadata: { openapi: {
+			summary: "Request a domain verification",
+			description: "Request a domain verification for the given SSO provider",
+			responses: {
+				"404": { description: "Provider not found" },
+				"409": { description: "Domain has already been verified" },
+				"201": { description: "Domain submitted for verification" }
+			}
+		} },
+		use: [sessionMiddleware]
+	}, async (ctx) => {
+		const body = ctx.body;
+		const provider = await checkProviderAccess(ctx, body.providerId);
+		if (provider.domainVerified) throw new APIError("CONFLICT", {
+			message: "Domain has already been verified",
+			code: "DOMAIN_VERIFIED"
+		});
+		const identifier = getVerificationIdentifier(options, provider.providerId);
+		const activeVerification = await ctx.context.internalAdapter.findVerificationValue(identifier);
+		if (activeVerification && new Date(activeVerification.expiresAt) > /* @__PURE__ */ new Date()) {
+			ctx.setStatus(201);
+			return ctx.json({ domainVerificationToken: activeVerification.value });
+		}
+		const domainVerificationToken = generateRandomString(24);
+		await ctx.context.internalAdapter.createVerificationValue({
+			identifier,
+			value: domainVerificationToken,
+			expiresAt: new Date(Date.now() + 3600 * 24 * 7 * 1e3)
+		});
+		ctx.setStatus(201);
+		return ctx.json({ domainVerificationToken });
+	});
+};
+const verifyDomain = (options) => {
+	return createAuthEndpoint("/sso/verify-domain", {
+		method: "POST",
+		body: domainVerificationBodySchema,
+		metadata: { openapi: {
+			summary: "Verify the provider domain ownership",
+			description: "Verify the provider domain ownership via DNS records",
+			responses: {
+				"404": { description: "Provider not found" },
+				"409": { description: "Domain has already been verified or no pending verification exists" },
+				"502": { description: "Unable to verify domain ownership due to upstream validator error" },
+				"204": { description: "Domain ownership was verified" }
+			}
+		} },
+		use: [sessionMiddleware]
+	}, async (ctx) => {
+		const body = ctx.body;
+		const provider = await checkProviderAccess(ctx, body.providerId);
+		if (provider.domainVerified) throw new APIError("CONFLICT", {
+			message: "Domain has already been verified",
+			code: "DOMAIN_VERIFIED"
+		});
+		const identifier = getVerificationIdentifier(options, provider.providerId);
+		if (identifier.length > DNS_LABEL_MAX_LENGTH) throw new APIError("BAD_REQUEST", {
+			message: `Verification identifier exceeds the DNS label limit of ${DNS_LABEL_MAX_LENGTH} characters`,
+			code: "IDENTIFIER_TOO_LONG"
+		});
+		const activeVerification = await ctx.context.internalAdapter.findVerificationValue(identifier);
+		if (!activeVerification || new Date(activeVerification.expiresAt) <= /* @__PURE__ */ new Date()) throw new APIError("NOT_FOUND", {
+			message: "No pending domain verification exists",
+			code: "NO_PENDING_VERIFICATION"
+		});
+		let records = [];
+		let dns;
+		try {
+			dns = await import("node:dns/promises");
+		} catch (error) {
+			ctx.context.logger.error("The core node:dns module is required for the domain verification feature", error);
+			throw new APIError("INTERNAL_SERVER_ERROR", {
+				message: "Unable to verify domain ownership due to server error",
+				code: "DOMAIN_VERIFICATION_FAILED"
+			});
+		}
+		const hostname = getHostnameFromDomain(provider.domain);
+		if (!hostname) throw new APIError("BAD_REQUEST", {
+			message: "Invalid domain",
+			code: "INVALID_DOMAIN"
+		});
+		try {
+			records = (await dns.resolveTxt(`${identifier}.${hostname}`)).flat();
+		} catch (error) {
+			ctx.context.logger.warn("DNS resolution failure while validating domain ownership", error);
+		}
+		if (!records.find((record) => record.includes(`${activeVerification.identifier}=${activeVerification.value}`))) throw new APIError("BAD_GATEWAY", {
+			message: "Unable to verify domain ownership. Try again later",
+			code: "DOMAIN_VERIFICATION_FAILED"
+		});
+		await ctx.context.adapter.update({
+			model: "ssoProvider",
+			where: [{
+				field: "providerId",
+				value: provider.providerId
+			}],
+			update: { domainVerified: true }
+		});
+		ctx.setStatus(204);
+	});
+};
+//#endregion
 //#region src/saml-state.ts
-async function generateRelayState(c, link, additionalData) {
+async function generateRelayState(c, link) {
 	const callbackURL = c.body.callbackURL;
 	if (!callbackURL) throw new APIError("BAD_REQUEST", { message: "callbackURL is required" });
-	const codeVerifier = generateRandomString(128);
 	const stateData = {
-		...additionalData ? additionalData : {},
 		callbackURL,
-		codeVerifier,
+		codeVerifier: generateRandomString(128),
 		errorURL: c.body.errorCallbackURL,
 		newUserURL: c.body.newUserCallbackURL,
 		link,
@@ -1699,7 +1845,8 @@ function createSP(config, baseURL, providerId, opts) {
 		isAssertionEncrypted: spData?.isAssertionEncrypted || false,
 		encPrivateKey: normalizePem(spData?.encPrivateKey),
 		encPrivateKeyPass: spData?.encPrivateKeyPass,
-		relayState: opts?.relayState
+		relayState: opts?.relayState,
+		clockDrifts: opts?.clockSkew && opts?.clockSkew !== 0 ? [-opts.clockSkew, opts.clockSkew] : void 0
 	});
 }
 function createIdP(config) {
@@ -1855,7 +2002,7 @@ async function processSAMLResponse(ctx, params, options) {
 	if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
 	const parsedSamlConfig = typeof provider.samlConfig === "object" ? provider.samlConfig : safeJsonParse(provider.samlConfig);
 	if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
-	const sp = createSP(parsedSamlConfig, ctx.context.baseURL, providerId);
+	const sp = createSP(parsedSamlConfig, ctx.context.baseURL, providerId, { clockSkew: options?.saml?.clockSkew });
 	const idp = createIdP(parsedSamlConfig);
 	const samlRedirectUrl = getSafeRedirectUrl(relayState?.callbackURL, params.currentCallbackPath, appOrigin, (url, settings) => ctx.context.isTrustedOrigin(url, settings));
 	validateSingleAssertion(SAMLResponse);
@@ -1905,26 +2052,8 @@ async function processSAMLResponse(ctx, params, options) {
 		const conditions = extract.conditions;
 		const clockSkew = options?.saml?.clockSkew ?? 3e5;
 		const expiresAt = conditions?.notOnOrAfter ? new Date(conditions.notOnOrAfter).getTime() + clockSkew : Date.now() + DEFAULT_ASSERTION_TTL_MS;
-		const existingAssertion = await ctx.context.internalAdapter.findVerificationValue(`${USED_ASSERTION_KEY_PREFIX}${assertionId}`);
-		let isReplay = false;
-		if (existingAssertion) try {
-			if (JSON.parse(existingAssertion.value).expiresAt >= Date.now()) isReplay = true;
-		} catch (error) {
-			ctx.context.logger.warn("Failed to parse stored assertion record", {
-				assertionId,
-				error
-			});
-		}
-		if (isReplay) {
-			ctx.context.logger.error("SAML assertion replay detected: assertion ID already used", {
-				assertionId,
-				issuer,
-				providerId
-			});
-			throw ctx.redirect(`${samlRedirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
-		}
-		await ctx.context.internalAdapter.createVerificationValue({
-			identifier: `${USED_ASSERTION_KEY_PREFIX}${assertionId}`,
+		if (!await ctx.context.internalAdapter.reserveVerificationValue({
+			identifier: `saml-used-assertion:${assertionId}`,
 			value: JSON.stringify({
 				assertionId,
 				issuer,
@@ -1933,7 +2062,14 @@ async function processSAMLResponse(ctx, params, options) {
 				expiresAt
 			}),
 			expiresAt: new Date(expiresAt)
-		});
+		})) {
+			ctx.context.logger.error("SAML assertion replay detected: assertion ID already used", {
+				assertionId,
+				issuer,
+				providerId
+			});
+			throw ctx.redirect(`${samlRedirectUrl}?error=replay_detected&error_description=SAML+assertion+has+already+been+used`);
+		}
 	} else ctx.context.logger.warn("Could not extract assertion ID for replay protection", { providerId });
 	const attributes = extract.attributes || {};
 	const mapping = parsedSamlConfig.mapping ?? {};
@@ -1946,7 +2082,7 @@ async function processSAMLResponse(ctx, params, options) {
 		id: attr(mapping.id || "nameID") || extract.nameID,
 		email: (attr(mapping.email || "email") || extract.nameID || "").toLowerCase(),
 		name: [attr(mapping.firstName || "givenName"), attr(mapping.lastName || "surname")].filter(Boolean).join(" ") || attr(mapping.name || "displayName") || extract.nameID,
-		emailVerified: options?.trustEmailVerified && mapping.emailVerified ? attr(mapping.emailVerified) || false : false
+		emailVerified: options?.trustEmailVerified && mapping.emailVerified ? parseProviderEmailVerified(attr(mapping.emailVerified)) : false
 	};
 	if (!userInfo.id || !userInfo.email) {
 		ctx.context.logger.error("Missing essential user info from SAML response", {
@@ -1957,27 +2093,32 @@ async function processSAMLResponse(ctx, params, options) {
 		});
 		throw new APIError("BAD_REQUEST", { message: "Unable to extract user ID or email from SAML response" });
 	}
-	const isTrustedProvider = ctx.context.trustedProviders.includes(providerId) || "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
+	const isTrustedProvider = "domainVerified" in provider && !!provider.domainVerified && validateEmailDomain(userInfo.email, provider.domain);
 	const postAuthRedirect = relayState?.callbackURL || ctx.context.baseURL;
 	const errorUrl = relayState?.errorURL || samlRedirectUrl;
 	let result;
 	try {
-		result = await handleOAuthUserInfo(ctx, {
+		result = await signInWithOAuthIdentity(ctx, {
 			userInfo: {
 				email: userInfo.email,
 				name: userInfo.name || userInfo.email,
 				id: userInfo.id,
-				emailVerified: Boolean(userInfo.emailVerified)
-			},
-			account: {
-				providerId,
-				accountId: userInfo.id,
-				accessToken: "",
-				refreshToken: ""
+				emailVerified: userInfo.emailVerified
 			},
+			providerId,
+			accountId: userInfo.id,
+			tokens: {},
 			callbackURL: postAuthRedirect,
 			disableSignUp: options?.disableImplicitSignUp,
-			isTrustedProvider
+			source: {
+				method: "sso-saml",
+				sso: {
+					providerId,
+					profile: attributes
+				}
+			},
+			isTrustedProvider,
+			trustProviderByName: false
 		});
 	} catch (e) {
 		if (isAPIError(e) && e.body?.code) {
@@ -2002,7 +2143,7 @@ async function processSAMLResponse(ctx, params, options) {
 			providerId,
 			accountId: userInfo.id,
 			email: userInfo.email,
-			emailVerified: Boolean(userInfo.emailVerified),
+			emailVerified: userInfo.emailVerified,
 			rawAttributes: attributes
 		},
 		provider,
@@ -2075,174 +2216,177 @@ const spMetadata = (options) => {
 const registerSSOProvider = (options) => {
 	return createAuthEndpoint("/sso/register", {
 		method: "POST",
-		body: registerSSOProviderBodySchema,
+		body: getRegisterSSOProviderBodySchema(options),
 		use: [sessionMiddleware],
-		metadata: { openapi: {
-			operationId: "registerSSOProvider",
-			summary: "Register an OIDC provider",
-			description: "This endpoint is used to register an OIDC provider. This is used to configure the provider and link it to an organization",
-			responses: { "200": {
-				description: "OIDC provider created successfully",
-				content: { "application/json": { schema: {
-					type: "object",
-					properties: {
-						issuer: {
-							type: "string",
-							format: "uri",
-							description: "The issuer URL of the provider"
-						},
-						domain: {
-							type: "string",
-							description: "The domain of the provider, used for email matching"
-						},
-						domainVerified: {
-							type: "boolean",
-							description: "A boolean indicating whether the domain has been verified or not"
-						},
-						domainVerificationToken: {
-							type: "string",
-							description: "Domain verification token. It can be used to prove ownership over the SSO domain"
-						},
-						oidcConfig: {
-							type: "object",
-							properties: {
-								issuer: {
-									type: "string",
-									format: "uri",
-									description: "The issuer URL of the provider"
-								},
-								pkce: {
-									type: "boolean",
-									description: "Whether PKCE is enabled for the authorization flow"
-								},
-								clientId: {
-									type: "string",
-									description: "The client ID for the provider"
-								},
-								clientSecret: {
-									type: "string",
-									description: "The client secret for the provider"
-								},
-								authorizationEndpoint: {
-									type: "string",
-									format: "uri",
-									nullable: true,
-									description: "The authorization endpoint URL"
-								},
-								discoveryEndpoint: {
-									type: "string",
-									format: "uri",
-									description: "The discovery endpoint URL"
-								},
-								userInfoEndpoint: {
-									type: "string",
-									format: "uri",
-									nullable: true,
-									description: "The user info endpoint URL"
-								},
-								scopes: {
-									type: "array",
-									items: { type: "string" },
-									nullable: true,
-									description: "The scopes requested from the provider"
-								},
-								tokenEndpoint: {
-									type: "string",
-									format: "uri",
-									nullable: true,
-									description: "The token endpoint URL"
-								},
-								tokenEndpointAuthentication: {
-									type: "string",
-									enum: ["client_secret_post", "client_secret_basic"],
-									nullable: true,
-									description: "Authentication method for the token endpoint"
-								},
-								jwksEndpoint: {
-									type: "string",
-									format: "uri",
-									nullable: true,
-									description: "The JWKS endpoint URL"
-								},
-								mapping: {
-									type: "object",
-									nullable: true,
-									properties: {
-										id: {
-											type: "string",
-											description: "Field mapping for user ID (defaults to 'sub')"
-										},
-										email: {
-											type: "string",
-											description: "Field mapping for email (defaults to 'email')"
-										},
-										emailVerified: {
-											type: "string",
-											nullable: true,
-											description: "Field mapping for email verification (defaults to 'email_verified')"
-										},
-										name: {
-											type: "string",
-											description: "Field mapping for name (defaults to 'name')"
-										},
-										image: {
-											type: "string",
-											nullable: true,
-											description: "Field mapping for image (defaults to 'picture')"
-										},
-										extraFields: {
-											type: "object",
-											additionalProperties: { type: "string" },
-											nullable: true,
-											description: "Additional field mappings"
-										}
+		metadata: {
+			$Infer: { body: {} },
+			openapi: {
+				operationId: "registerSSOProvider",
+				summary: "Register an OIDC provider",
+				description: "This endpoint is used to register an OIDC provider. This is used to configure the provider and link it to an organization",
+				responses: { "200": {
+					description: "OIDC provider created successfully",
+					content: { "application/json": { schema: {
+						type: "object",
+						properties: {
+							issuer: {
+								type: "string",
+								format: "uri",
+								description: "The issuer URL of the provider"
+							},
+							domain: {
+								type: "string",
+								description: "The domain of the provider, used for email matching"
+							},
+							domainVerified: {
+								type: "boolean",
+								description: "A boolean indicating whether the domain has been verified or not"
+							},
+							domainVerificationToken: {
+								type: "string",
+								description: "Domain verification token. It can be used to prove ownership over the SSO domain"
+							},
+							oidcConfig: {
+								type: "object",
+								properties: {
+									issuer: {
+										type: "string",
+										format: "uri",
+										description: "The issuer URL of the provider"
+									},
+									pkce: {
+										type: "boolean",
+										description: "Whether PKCE is enabled for the authorization flow"
+									},
+									clientId: {
+										type: "string",
+										description: "The client ID for the provider"
+									},
+									clientSecret: {
+										type: "string",
+										description: "The client secret for the provider"
+									},
+									authorizationEndpoint: {
+										type: "string",
+										format: "uri",
+										nullable: true,
+										description: "The authorization endpoint URL"
+									},
+									discoveryEndpoint: {
+										type: "string",
+										format: "uri",
+										description: "The discovery endpoint URL"
+									},
+									userInfoEndpoint: {
+										type: "string",
+										format: "uri",
+										nullable: true,
+										description: "The user info endpoint URL"
 									},
-									required: [
-										"id",
-										"email",
-										"name"
-									]
-								}
+									scopes: {
+										type: "array",
+										items: { type: "string" },
+										nullable: true,
+										description: "The scopes requested from the provider"
+									},
+									tokenEndpoint: {
+										type: "string",
+										format: "uri",
+										nullable: true,
+										description: "The token endpoint URL"
+									},
+									tokenEndpointAuthentication: {
+										type: "string",
+										enum: ["client_secret_post", "client_secret_basic"],
+										nullable: true,
+										description: "Authentication method for the token endpoint"
+									},
+									jwksEndpoint: {
+										type: "string",
+										format: "uri",
+										nullable: true,
+										description: "The JWKS endpoint URL"
+									},
+									mapping: {
+										type: "object",
+										nullable: true,
+										properties: {
+											id: {
+												type: "string",
+												description: "Field mapping for user ID (defaults to 'sub')"
+											},
+											email: {
+												type: "string",
+												description: "Field mapping for email (defaults to 'email')"
+											},
+											emailVerified: {
+												type: "string",
+												nullable: true,
+												description: "Field mapping for email verification (defaults to 'email_verified')"
+											},
+											name: {
+												type: "string",
+												description: "Field mapping for name (defaults to 'name')"
+											},
+											image: {
+												type: "string",
+												nullable: true,
+												description: "Field mapping for image (defaults to 'picture')"
+											},
+											extraFields: {
+												type: "object",
+												additionalProperties: { type: "string" },
+												nullable: true,
+												description: "Additional field mappings"
+											}
+										},
+										required: [
+											"id",
+											"email",
+											"name"
+										]
+									}
+								},
+								required: [
+									"issuer",
+									"pkce",
+									"clientId",
+									"clientSecret",
+									"discoveryEndpoint"
+								],
+								description: "OIDC configuration for the provider"
 							},
-							required: [
-								"issuer",
-								"pkce",
-								"clientId",
-								"clientSecret",
-								"discoveryEndpoint"
-							],
-							description: "OIDC configuration for the provider"
-						},
-						organizationId: {
-							type: "string",
-							nullable: true,
-							description: "ID of the linked organization, if any"
-						},
-						userId: {
-							type: "string",
-							description: "ID of the user who registered the provider"
-						},
-						providerId: {
-							type: "string",
-							description: "Unique identifier for the provider"
+							organizationId: {
+								type: "string",
+								nullable: true,
+								description: "ID of the linked organization, if any"
+							},
+							userId: {
+								type: "string",
+								description: "ID of the user who registered the provider"
+							},
+							providerId: {
+								type: "string",
+								description: "Unique identifier for the provider"
+							},
+							redirectURI: {
+								type: "string",
+								format: "uri",
+								description: "The redirect URI for the provider callback"
+							}
 						},
-						redirectURI: {
-							type: "string",
-							format: "uri",
-							description: "The redirect URI for the provider callback"
-						}
-					},
-					required: [
-						"issuer",
-						"domain",
-						"oidcConfig",
-						"userId",
-						"providerId",
-						"redirectURI"
-					]
-				} } }
-			} }
-		} }
+						required: [
+							"issuer",
+							"domain",
+							"oidcConfig",
+							"userId",
+							"providerId",
+							"redirectURI"
+						]
+					} } }
+				} }
+			}
+		}
 	}, async (ctx) => {
 		const user = ctx.context.session?.user;
 		if (!user) throw new APIError("UNAUTHORIZED");
@@ -2256,6 +2400,7 @@ const registerSSOProvider = (options) => {
 			}]
 		})).length >= limit) throw new APIError("FORBIDDEN", { message: "You have reached the maximum number of SSO providers" });
 		const body = ctx.body;
+		const additionalFields = parseSSOProviderAdditionalFields(options, body, "create");
 		if (body.samlConfig?.idpMetadata?.metadata) {
 			const maxMetadataSize = options?.saml?.maxMetadataSize ?? 102400;
 			if (new TextEncoder().encode(body.samlConfig.idpMetadata.metadata).length > maxMetadataSize) throw new APIError("BAD_REQUEST", { message: `IdP metadata exceeds maximum allowed size (${maxMetadataSize} bytes)` });
@@ -2274,6 +2419,14 @@ const registerSSOProvider = (options) => {
 			if (!member) throw new APIError("BAD_REQUEST", { message: "You are not a member of the organization" });
 			if (ctx.context.hasPlugin("organization") && !hasOrgAdminRole(member)) throw new APIError("FORBIDDEN", { message: "You must be an organization owner or admin to register SSO providers" });
 		}
+		if (new Set([
+			"credential",
+			...ctx.context.socialProviders.map((p) => p.id),
+			...ctx.context.trustedProviders
+		]).has(body.providerId)) {
+			ctx.context.logger.warn(`SSO provider registration rejected for reserved providerId: ${body.providerId}`);
+			throw new APIError("UNPROCESSABLE_ENTITY", { message: "This providerId is reserved and cannot be used for an SSO provider" });
+		}
 		if (await ctx.context.adapter.findOne({
 			model: "ssoProvider",
 			where: [{
@@ -2285,7 +2438,7 @@ const registerSSOProvider = (options) => {
 			throw new APIError("UNPROCESSABLE_ENTITY", { message: "SSO provider with this providerId already exists" });
 		}
 		if (body.oidcConfig) try {
-			validateSkipDiscoveryEndpoints(body.oidcConfig, (url) => ctx.context.isTrustedOrigin(url));
+			validateOIDCEndpointUrls(body.oidcConfig, (url) => ctx.context.isTrustedOrigin(url));
 		} catch (error) {
 			if (error instanceof DiscoveryError) throw mapDiscoveryErrorToAPIError(error);
 			throw error;
@@ -2367,6 +2520,7 @@ const registerSSOProvider = (options) => {
 				issuer: body.issuer,
 				domain: body.domain,
 				domainVerified: false,
+				...additionalFields,
 				oidcConfig: (() => {
 					const config = buildOIDCConfig();
 					if (config) {
@@ -2408,7 +2562,7 @@ const registerSSOProvider = (options) => {
 			});
 		}
 		const result = {
-			...provider,
+			...filterSSOProviderAdditionalFields(provider, options),
 			oidcConfig: safeJsonParse(provider.oidcConfig),
 			samlConfig: safeJsonParse(provider.samlConfig),
 			redirectURI: getOIDCRedirectURI(ctx.context.baseURL, provider.providerId, options),
@@ -2589,9 +2743,16 @@ const signInSSO = (options) => {
 				throw error;
 			}
 			if (!config.authorizationEndpoint) throw new APIError("BAD_REQUEST", { message: "Invalid OIDC configuration. Authorization URL not found." });
-			const state = await generateState(ctx, void 0, options?.redirectURI?.trim() ? { ssoProviderId: provider.providerId } : false);
+			const requestedScopes = ctx.body.scopes || config.scopes || [
+				"openid",
+				"email",
+				"profile",
+				"offline_access"
+			];
+			if (options?.redirectURI?.trim()) await addOAuthServerContext({ ssoProviderId: provider.providerId });
+			const state = await generateState(ctx, { requestedScopes });
 			const redirectURI = getOIDCRedirectURI(ctx.context.baseURL, provider.providerId, options);
-			const authorizationURL = await createAuthorizationURL({
+			const { url: authorizationURL } = await createAuthorizationURL({
 				id: provider.issuer,
 				options: {
 					clientId: config.clientId,
@@ -2600,12 +2761,7 @@ const signInSSO = (options) => {
 				redirectURI,
 				state: state.state,
 				codeVerifier: config.pkce ? state.codeVerifier : void 0,
-				scopes: ctx.body.scopes || config.scopes || [
-					"openid",
-					"email",
-					"profile",
-					"offline_access"
-				],
+				scopes: requestedScopes,
 				loginHint: ctx.body.loginHint || email,
 				authorizationEndpoint: config.authorizationEndpoint,
 				additionalParams: ctx.body.additionalParams
@@ -2620,7 +2776,7 @@ const signInSSO = (options) => {
 			const parsedSamlConfig = typeof provider.samlConfig === "object" ? provider.samlConfig : safeJsonParse(provider.samlConfig);
 			if (!parsedSamlConfig) throw new APIError("BAD_REQUEST", { message: "Invalid SAML configuration" });
 			if (parsedSamlConfig.authnRequestsSigned && !parsedSamlConfig.spMetadata?.privateKey && !parsedSamlConfig.privateKey) throw new APIError("BAD_REQUEST", { message: "authnRequestsSigned is enabled but no privateKey provided in spMetadata or samlConfig" });
-			const { state: relayState } = await generateRelayState(ctx, void 0, false);
+			const { state: relayState } = await generateRelayState(ctx, void 0);
 			const sp = createSP(parsedSamlConfig, ctx.context.baseURL, provider.providerId, { relayState });
 			const idp = createIdP(parsedSamlConfig);
 			const loginRequest = sp.createLoginRequest(idp, "redirect");
@@ -2653,6 +2809,22 @@ const callbackSSOQuerySchema = z.object({
 	error: z.string().optional(),
 	error_description: z.string().optional()
 });
+function getStringErrorField(value, field) {
+	if (!value || typeof value !== "object") return;
+	const fieldValue = value[field];
+	return typeof fieldValue === "string" && fieldValue.length > 0 ? fieldValue : void 0;
+}
+function getOIDCErrorDescription(error, fallback) {
+	const nestedError = error && typeof error === "object" ? error.error : void 0;
+	const description = getStringErrorField(nestedError, "error_description") || getStringErrorField(error, "error_description") || getStringErrorField(nestedError, "message") || getStringErrorField(error, "message") || getStringErrorField(error, "statusText") || getStringErrorField(nestedError, "error") || getStringErrorField(error, "error");
+	if (description) return description;
+	if (error && typeof error === "object") {
+		const status = error.status;
+		if (typeof status === "number") return `HTTP ${status}`;
+		if (typeof status === "string" && status.length > 0) return status;
+	}
+	return fallback;
+}
 /**
 * Core OIDC callback handler logic, shared between the per-provider and
 * shared callback endpoints. Resolves the provider, exchanges the
@@ -2668,8 +2840,17 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 		const errorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
 		throw ctx.redirect(`${errorURL}?error=invalid_state`);
 	}
-	const { callbackURL, errorURL, newUserURL, requestSignUp } = stateData;
-	if (!code || error) throw ctx.redirect(`${errorURL || callbackURL}?error=${error}&error_description=${error_description}`);
+	const { callbackURL, errorURL, newUserURL, requestSignUp, requestedScopes } = stateData;
+	const redirectOIDCError = (error, description) => {
+		const baseURL = errorURL || callbackURL;
+		const params = new URLSearchParams({
+			error,
+			error_description: description
+		});
+		const separator = baseURL.includes("?") ? "&" : "?";
+		throw ctx.redirect(`${baseURL}${separator}${params.toString()}`);
+	};
+	if (!code || error) redirectOIDCError(error || "invalid_request", error_description || (error ? error : "authorization_code_not_found"));
 	const provider = await resolveOIDCProvider(ctx, options, providerId);
 	if (!provider) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=provider not found`);
 	if (options?.domainVerification?.enabled && !("domainVerified" in provider && provider.domainVerified)) throw new APIError("UNAUTHORIZED", { message: "Provider domain has not been verified" });
@@ -2691,6 +2872,7 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 		]
 	};
 	if (!config.tokenEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_endpoint_not_found`);
+	const tokenEndpoint = config.tokenEndpoint;
 	let tokenEndpointAuth = config.tokenEndpointAuthentication === "client_secret_post" ? { method: "client_secret_post" } : { method: "client_secret_basic" };
 	if (config.tokenEndpointAuthentication === "private_key_jwt") {
 		let resolved;
@@ -2716,40 +2898,58 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 	}
 	const tokenRequestOptions = { clientId: config.clientId };
 	if (tokenEndpointAuth.method !== "private_key_jwt") tokenRequestOptions.clientSecret = config.clientSecret;
-	const tokenResponse = await validateAuthorizationCode({
-		code,
-		codeVerifier: config.pkce ? stateData.codeVerifier : void 0,
-		redirectURI: getOIDCRedirectURI(ctx.context.baseURL, provider.providerId, options),
-		options: tokenRequestOptions,
-		tokenEndpoint: config.tokenEndpoint,
-		tokenEndpointAuth
-	}).catch((e) => {
+	const tokenResponse = await (async () => {
+		const { body, headers } = await authorizationCodeRequest({
+			code,
+			codeVerifier: config.pkce ? stateData.codeVerifier : void 0,
+			redirectURI: getOIDCRedirectURI(ctx.context.baseURL, provider.providerId, options),
+			options: tokenRequestOptions,
+			tokenEndpoint,
+			tokenEndpointAuth
+		});
+		const { data, error } = await fetchOIDCEndpoint("tokenEndpoint", tokenEndpoint, {
+			method: "POST",
+			body,
+			headers
+		}, (url) => ctx.context.isTrustedOrigin(url));
+		if (error) redirectOIDCError("invalid_provider", getOIDCErrorDescription(error, "token_response_error"));
+		if (!data) throw new Error("Token endpoint returned an empty response");
+		return getOAuth2Tokens(data);
+	})().catch((e) => {
+		if (isAPIError(e)) throw e;
 		ctx.context.logger.error("Error validating authorization code", e);
-		if (e instanceof BetterFetchError) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${e.message}`);
-		return null;
+		if (e instanceof DiscoveryError) redirectOIDCError("invalid_provider", e.message);
+		redirectOIDCError("invalid_provider", getOIDCErrorDescription(e, "token_response_error"));
 	});
 	if (!tokenResponse) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=token_response_not_found`);
 	let userInfo = null;
 	const mapping = config.mapping || {};
+	let rawProfile;
 	if (config.userInfoEndpoint) {
-		const userInfoResponse = await betterFetch(config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } });
-		if (userInfoResponse.error) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=${userInfoResponse.error.message}`);
-		const rawUserInfo = userInfoResponse.data;
+		const userInfoResponse = await fetchOIDCEndpoint("userInfoEndpoint", config.userInfoEndpoint, { headers: { Authorization: `Bearer ${tokenResponse.accessToken}` } }, (url) => ctx.context.isTrustedOrigin(url)).catch((e) => {
+			if (e instanceof DiscoveryError) redirectOIDCError("invalid_provider", e.message);
+			throw e;
+		});
+		if (userInfoResponse.error) redirectOIDCError("invalid_provider", userInfoResponse.error.message || userInfoResponse.error.statusText || "userinfo_response_error");
+		const rawUserInfo = userInfoResponse.data ?? redirectOIDCError("invalid_provider", "userinfo_response_not_found");
+		rawProfile = rawUserInfo;
 		userInfo = {
 			...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, rawUserInfo[value]])),
 			id: rawUserInfo[mapping.id || "sub"],
 			email: rawUserInfo[mapping.email || "email"],
-			emailVerified: options?.trustEmailVerified ? rawUserInfo[mapping.emailVerified || "email_verified"] : false,
+			emailVerified: options?.trustEmailVerified ? parseProviderEmailVerified(rawUserInfo[mapping.emailVerified || "email_verified"]) : false,
 			name: rawUserInfo[mapping.name || "name"],
 			image: rawUserInfo[mapping.image || "picture"]
 		};
 	} else if (tokenResponse.idToken) {
 		const idToken = decodeJwt(tokenResponse.idToken);
+		rawProfile = idToken;
 		if (!config.jwksEndpoint) throw ctx.redirect(`${errorURL || callbackURL}?error=invalid_provider&error_description=jwks_endpoint_not_found`);
-		const verified = await validateToken(tokenResponse.idToken, config.jwksEndpoint, {
+		const verified = await validateOIDCIdToken(tokenResponse.idToken, config.jwksEndpoint, {
 			audience: config.clientId,
 			issuer: provider.issuer
-		}).catch((e) => {
+		}, (url) => ctx.context.isTrustedOrigin(url)).catch((e) => {
+			if (e instanceof DiscoveryError) redirectOIDCError("invalid_provider", e.message);
 			ctx.context.logger.error(e);
 			return null;
 		});
@@ -2758,7 +2958,7 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 			...Object.fromEntries(Object.entries(mapping.extraFields || {}).map(([key, value]) => [key, verified.payload[value]])),
 			id: idToken[mapping.id || "sub"],
 			email: idToken[mapping.email || "email"],
-			emailVerified: options?.trustEmailVerified ? idToken[mapping.emailVerified || "email_verified"] : false,
+			emailVerified: options?.trustEmailVerified ? parseProviderEmailVerified(idToken[mapping.emailVerified || "email_verified"]) : false,
 			name: idToken[mapping.name || "name"],
 			image: idToken[mapping.image || "picture"]
 		};
@@ -2767,7 +2967,7 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 	const isTrustedProvider = "domainVerified" in provider && provider.domainVerified === true && validateEmailDomain(userInfo.email, provider.domain);
 	let linked;
 	try {
-		linked = await handleOAuthUserInfo(ctx, {
+		linked = await signInWithOAuthIdentity(ctx, {
 			userInfo: {
 				email: userInfo.email,
 				name: userInfo.name || "",
@@ -2775,20 +2975,22 @@ async function handleOIDCCallback(ctx, options, providerId, stateData) {
 				image: userInfo.image,
 				emailVerified: options?.trustEmailVerified ? userInfo.emailVerified || false : false
 			},
-			account: {
-				idToken: tokenResponse.idToken,
-				accessToken: tokenResponse.accessToken,
-				refreshToken: tokenResponse.refreshToken,
-				accountId: userInfo.id,
-				providerId: provider.providerId,
-				accessTokenExpiresAt: tokenResponse.accessTokenExpiresAt,
-				refreshTokenExpiresAt: tokenResponse.refreshTokenExpiresAt,
-				scope: tokenResponse.scopes?.join(",")
-			},
+			providerId: provider.providerId,
+			accountId: userInfo.id,
+			tokens: tokenResponse,
+			requestedScopes,
 			callbackURL,
 			disableSignUp: options?.disableImplicitSignUp && !requestSignUp,
 			overrideUserInfo: config.overrideUserInfo,
-			isTrustedProvider
+			source: {
+				method: "sso-oidc",
+				sso: {
+					providerId: provider.providerId,
+					profile: rawProfile
+				}
+			},
+			isTrustedProvider,
+			trustProviderByName: false
 		});
 	} catch (e) {
 		if (isAPIError(e) && e.body?.code) {
@@ -2906,9 +3108,15 @@ async function bounceIfIdpInitiated(ctx, options, providerId) {
 		});
 		return;
 	}
-	const state = await generateState(ctx, void 0, options?.redirectURI?.trim() ? { ssoProviderId: provider.providerId } : false);
+	if (options?.redirectURI?.trim()) await addOAuthServerContext({ ssoProviderId: provider.providerId });
+	const state = await generateState(ctx, { requestedScopes: config.scopes || [
+		"openid",
+		"email",
+		"profile",
+		"offline_access"
+	] });
 	const redirectURI = getOIDCRedirectURI(ctx.context.baseURL, provider.providerId, options);
-	const authorizationURL = await createAuthorizationURL({
+	const { url: authorizationURL } = await createAuthorizationURL({
 		id: provider.issuer,
 		options: {
 			clientId: config.clientId,
@@ -2957,7 +3165,7 @@ const callbackSSOShared = (options) => {
 			const errorURL = ctx.context.options.onAPIError?.errorURL || `${ctx.context.baseURL}/error`;
 			throw ctx.redirect(`${errorURL}?error=invalid_state`);
 		}
-		const providerId = stateData.ssoProviderId;
+		const providerId = stateData.serverContext?.ssoProviderId;
 		if (!providerId) {
 			const errorURL = stateData.errorURL || stateData.callbackURL;
 			throw ctx.redirect(`${errorURL}?error=invalid_state&error_description=missing_provider_id`);
@@ -3188,7 +3396,42 @@ saml.setSchemaValidator({ async validate(xml) {
 * which won't have a matching Origin header.
 */
 const SAML_SKIP_ORIGIN_CHECK_PATHS = ["/sso/saml2/sp/acs", "/sso/saml2/sp/slo"];
+const SSO_PROVIDER_BUILT_IN_FIELD_KEYS = [
+	"id",
+	"issuer",
+	"oidcConfig",
+	"samlConfig",
+	"userId",
+	"providerId",
+	"organizationId",
+	"domain",
+	"domainVerified"
+];
+const SSO_PROVIDER_RESPONSE_FIELD_KEYS = [
+	"type",
+	"spMetadataUrl",
+	"redirectURI",
+	"domainVerificationToken"
+];
+const SSO_PROVIDER_BUILT_IN_FIELD_KEY_SET = new Set(SSO_PROVIDER_BUILT_IN_FIELD_KEYS);
+const SSO_PROVIDER_RESPONSE_FIELD_KEY_SET = new Set(SSO_PROVIDER_RESPONSE_FIELD_KEYS);
+function getSSOProviderBuiltInFieldName(options, key) {
+	const fieldNames = options?.fields;
+	const schemaFieldNames = options?.schema?.ssoProvider?.fields;
+	return fieldNames?.[key] ?? schemaFieldNames?.[key] ?? key;
+}
+function assertNoAdditionalFieldCollisions(options) {
+	const additionalFields = options?.schema?.ssoProvider?.additionalFields ?? {};
+	const builtInFieldNames = new Set(SSO_PROVIDER_BUILT_IN_FIELD_KEYS.map((key) => getSSOProviderBuiltInFieldName(options, key)));
+	for (const [key, field] of Object.entries(additionalFields)) {
+		if (SSO_PROVIDER_BUILT_IN_FIELD_KEY_SET.has(key)) throw new Error(`ssoProvider additional field "${key}" conflicts with a built-in field`);
+		if (SSO_PROVIDER_RESPONSE_FIELD_KEY_SET.has(key)) throw new Error(`ssoProvider additional field "${key}" conflicts with a returned provider field`);
+		const fieldName = field.fieldName ?? key;
+		if (builtInFieldNames.has(fieldName)) throw new Error(`ssoProvider additional field "${key}" maps to built-in field "${fieldName}"`);
+	}
+}
 function sso(options) {
+	assertNoAdditionalFieldCollisions(options);
 	const optionsWithStore = options;
 	let endpoints = {
 		spMetadata: spMetadata(optionsWithStore),
@@ -3199,8 +3442,8 @@ function sso(options) {
 		acsEndpoint: acsEndpoint(optionsWithStore),
 		sloEndpoint: sloEndpoint(optionsWithStore),
 		initiateSLO: initiateSLO(optionsWithStore),
-		listSSOProviders: listSSOProviders(),
-		getSSOProvider: getSSOProvider(),
+		listSSOProviders: listSSOProviders(optionsWithStore),
+		getSSOProvider: getSSOProvider(optionsWithStore),
 		updateSSOProvider: updateSSOProvider(optionsWithStore),
 		deleteSSOProvider: deleteSSOProvider()
 	};
@@ -3257,22 +3500,22 @@ function sso(options) {
 			}]
 		},
 		schema: { ssoProvider: {
-			modelName: options?.modelName ?? "ssoProvider",
+			modelName: options?.modelName ?? options?.schema?.ssoProvider?.modelName ?? "ssoProvider",
 			fields: {
 				issuer: {
 					type: "string",
 					required: true,
-					fieldName: options?.fields?.issuer ?? "issuer"
+					fieldName: options?.fields?.issuer ?? options?.schema?.ssoProvider?.fields?.issuer ?? "issuer"
 				},
 				oidcConfig: {
 					type: "string",
 					required: false,
-					fieldName: options?.fields?.oidcConfig ?? "oidcConfig"
+					fieldName: options?.fields?.oidcConfig ?? options?.schema?.ssoProvider?.fields?.oidcConfig ?? "oidcConfig"
 				},
 				samlConfig: {
 					type: "string",
 					required: false,
-					fieldName: options?.fields?.samlConfig ?? "samlConfig"
+					fieldName: options?.fields?.samlConfig ?? options?.schema?.ssoProvider?.fields?.samlConfig ?? "samlConfig"
 				},
 				userId: {
 					type: "string",
@@ -3280,30 +3523,33 @@ function sso(options) {
 						model: "user",
 						field: "id"
 					},
-					fieldName: options?.fields?.userId ?? "userId"
+					fieldName: options?.fields?.userId ?? options?.schema?.ssoProvider?.fields?.userId ?? "userId"
 				},
 				providerId: {
 					type: "string",
 					required: true,
 					unique: true,
-					fieldName: options?.fields?.providerId ?? "providerId"
+					fieldName: options?.fields?.providerId ?? options?.schema?.ssoProvider?.fields?.providerId ?? "providerId"
 				},
 				organizationId: {
 					type: "string",
 					required: false,
-					fieldName: options?.fields?.organizationId ?? "organizationId"
+					fieldName: options?.fields?.organizationId ?? options?.schema?.ssoProvider?.fields?.organizationId ?? "organizationId"
 				},
 				domain: {
 					type: "string",
 					required: true,
-					fieldName: options?.fields?.domain ?? "domain"
+					fieldName: options?.fields?.domain ?? options?.schema?.ssoProvider?.fields?.domain ?? "domain"
 				},
 				...options?.domainVerification?.enabled ? { domainVerified: {
 					type: "boolean",
-					required: false
-				} } : {}
+					required: false,
+					fieldName: options?.schema?.ssoProvider?.fields?.domainVerified ?? "domainVerified"
+				} } : {},
+				...options?.schema?.ssoProvider?.additionalFields ?? {}
 			}
 		} },
+		$Infer: { SSOProvider: {} },
 		options
 	};
 }