fix: validate OIDC discovered endpoints against SSRF

The discovery URL itself was SSRF-validated, but endpoint URLs returned
in the discovery document (tokenEndpoint, userInfoEndpoint, jwksEndpoint)
were stored without validation. A malicious OIDC issuer on a public IP
could return internal network URLs in the discovery response.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/auth/sso/register/route.ts

@@ -198,6 +198,25 @@ export async function POST(request: NextRequest) {
           oidcConfig.userInfoEndpoint = oidcConfig.userInfoEndpoint || discovery.userinfo_endpoint
           oidcConfig.jwksEndpoint = oidcConfig.jwksEndpoint || discovery.jwks_uri
 
+          // Validate discovered endpoints against SSRF — these are fetched server-side
+          const endpointsToValidate = [
+            { name: 'tokenEndpoint', url: oidcConfig.tokenEndpoint },
+            { name: 'userInfoEndpoint', url: oidcConfig.userInfoEndpoint },
+            { name: 'jwksEndpoint', url: oidcConfig.jwksEndpoint },
+          ]
+          for (const { name, url } of endpointsToValidate) {
+            if (typeof url === 'string') {
+              const result = await validateUrlWithDNS(url, `OIDC ${name}`)
+              if (!result.isValid) {
+                logger.warn(`Discovered OIDC ${name} failed SSRF validation`, {
+                  url,
+                  error: result.error,
+                })
+                return NextResponse.json({ error: result.error }, { status: 400 })
+              }
+            }
+          }
+
           logger.info('Merged OIDC endpoints (user-provided + discovery)', {
             providerId,
             issuer,