stytch 10.24.0 → 10.26.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cb709fad85473f219b4bf2d15da9c8381b117ba31a3f9dd3393a338ec1583323
-  data.tar.gz: 1d59d330089fe207f936e80950a00ab0f1152d3f08c2a62db2df864fe4972408
+  metadata.gz: 0a905e33f9cc2881ad04adabc476f64db1cfc8836b1e012dd6692bd411ff32cd
+  data.tar.gz: bfa6c0c4d4858a8f7154bb85b359bd311b0ea17becf11fb89373bb721fe74d0f
 SHA512:
-  metadata.gz: 015bffaf59b053a43f58d5ab48f245bc24f7ba623ae498a6bcca502ed6023d278e03023154ddb4eb1d269386488831ccc03d30f0ed028817fe7b355e4df006ab
-  data.tar.gz: c5c4bd35f7da7a88da844c470238c6ec3c26dcc3e4ce3abfe874a9e936066b617cee4685019745b71a5ce969be35ab21a287245c1b9f93fcaa0602986980e15d
+  metadata.gz: acb3ded234b14fd6fbff16c1e15942a6a7b30bf30e4d3c763b0645e2e61c9bb7aab86f3b8583b1e5aa338bba49b36fd70f80887aed449dfcf854defac6bf0ede
+  data.tar.gz: 00cc8b6ad8d878561322055da00b0fed3a2265dbb7171ab46f89594fe0ba43636b8f86cd0c04c0f0b57c3ec89f0114f82667ef46d021697066bf0fb0a66d726b

data/lib/stytch/b2b_client.rb

@@ -1,6 +1,13 @@
+# !!!
+# WARNING: This file is autogenerated
+# Only modify code within MANUAL() sections
+# or your changes may be overwritten later!
+# !!!
+
 # frozen_string_literal: true
 
 require_relative 'b2b_discovery'
+require_relative 'b2b_idp'
 require_relative 'b2b_impersonation'
 require_relative 'b2b_magic_links'
 require_relative 'b2b_oauth'
@@ -23,7 +30,7 @@ module StytchB2B
   class Client
     ENVIRONMENTS = %i[live test].freeze
 
-    attr_reader :connected_app, :discovery, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :organizations, :passwords, :project, :rbac, :recovery_codes, :scim, :sso, :sessions, :totps
+    attr_reader :connected_app, :discovery, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :organizations, :passwords, :project, :rbac, :recovery_codes, :scim, :sso, :sessions, :totps, :idp
 
     def initialize(project_id:, secret:, env: nil, fraud_env: nil, &block)
       @api_host = api_host(env, project_id)
@@ -35,7 +42,8 @@ module StytchB2B
       create_connection(&block)
 
       rbac = StytchB2B::RBAC.new(@connection)
-      @policy_cache = StytchB2B::PolicyCache.new(rbac_client: rbac)
+      @policy_cache = Stytch::PolicyCache.new(rbac_client: rbac)
+      @idp = StytchB2B::IDP.new(@connection, @project_id, @policy_cache)
 
       @connected_app = Stytch::ConnectedApp.new(@connection)
       @discovery = StytchB2B::Discovery.new(@connection)

data/lib/stytch/b2b_discovery.rb

@@ -29,7 +29,7 @@ module StytchB2B
 
       # Exchange an Intermediate Session for a fully realized [Member Session](https://stytch.com/docs/b2b/api/session-object) for the [Organization](https://stytch.com/docs/b2b/api/organization-object) that the user wishes to log into.
       #
-      # This endpoint can be used to accept invites and into a new Organization on the basis of the user's email domain or OAuth tenant.
+      # This endpoint can be used to accept invites and JIT Provision into a new Organization on the basis of the user's email domain or OAuth tenant.
       #
       # If the user **has** already satisfied the authentication requirements of the Organization they are trying to exchange into and logged in with a method that verifies their email address, this API will return `member_authenticated: true` and a `session_token` and `session_jwt`.
       #
@@ -69,7 +69,7 @@ module StytchB2B
       #   Total custom claims size cannot exceed four kilobytes.
       #   The type of this field is nilable +object+.
       # locale::
-      #   If the needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
+      #   If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
       #
       # Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
       #
@@ -144,7 +144,7 @@ module StytchB2B
         @connection = connection
       end
 
-      # This endpoint allows you to exchange the `intermediate_session_token` returned when the user successfully completes a authentication flow to create a new
+      # This endpoint allows you to exchange the `intermediate_session_token` returned when the user successfully completes a Discovery authentication flow to create a new
       # [Organization](https://stytch.com/docs/b2b/api/organization-object) and [Member](https://stytch.com/docs/b2b/api/member-object) and log the user in. If the user wants to log into an existing Organization, use the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) instead.
       #
       # Stytch **requires that users verify their email address** prior to creating a new Organization in order to prevent Account Takeover (ATO) attacks and phishing.
@@ -197,7 +197,7 @@ module StytchB2B
       # sso_jit_provisioning::
       #   The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted values are:
       #
-      #   `ALL_ALLOWED` – new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`.
+      #   `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`.
       #
       #   `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication.
       #
@@ -215,7 +215,7 @@ module StytchB2B
       #
       #   `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth.
       #
-      #   `NOT_ALLOWED` – disable JIT provisioning via Email Magic Link and OAuth.
+      #   `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth.
       #
       #   The type of this field is nilable +String+.
       # email_invites::
@@ -273,7 +273,7 @@ module StytchB2B
       #
       #   `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.
       #
-      #   `NOT_ALLOWED` – disable JIT provisioning by OAuth Tenant.
+      #   `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant.
       #
       #   The type of this field is nilable +String+.
       # allowed_oauth_tenants::
@@ -282,7 +282,7 @@ module StytchB2B
       # first_party_connected_apps_allowed_type::
       #   The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values are:
       #
-      #   `ALL_ALLOWED` – any first party Connected App in the Project is permitted for use by Members.
+      #   `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members.
       #
       #   `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.
       #
@@ -295,7 +295,7 @@ module StytchB2B
       # third_party_connected_apps_allowed_type::
       #   The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values are:
       #
-      #   `ALL_ALLOWED` – any third party Connected App in the Project is permitted for use by Members.
+      #   `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members.
       #
       #   `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.
       #

data/lib/stytch/b2b_idp.rb

@@ -0,0 +1,266 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'json/jwt'
+require_relative 'errors'
+require_relative 'request_helper'
+require_relative 'rbac_local'
+
+module StytchB2B
+  class IDP
+    include Stytch::RequestHelper
+
+    def initialize(connection, project_id, policy_cache)
+      @connection = connection
+      @project_id = project_id
+      @policy_cache = policy_cache
+      @non_custom_claim_keys = [
+        'aud',
+        'exp',
+        'iat',
+        'iss',
+        'jti',
+        'nbf',
+        'sub',
+        'active',
+        'client_id',
+        'request_id',
+        'scope',
+        'status_code',
+        'token_type',
+        'https://stytch.com/organization'
+      ]
+    end
+
+    # Introspects a token JWT from an authorization code response.
+    # Access tokens are JWTs signed with the project's JWKs. Refresh tokens are opaque tokens.
+    # Access tokens contain a standard set of claims as well as any custom claims generated from templates.
+    #
+    # == Parameters:
+    # token::
+    #   The access token (or refresh token) to introspect.
+    #   The type of this field is +String+.
+    # client_id::
+    #   The ID of the client.
+    #   The type of this field is +String+.
+    # client_secret::
+    #   The secret of the client.
+    #   The type of this field is nilable +String+.
+    # token_type_hint::
+    #   A hint on what the token contains. Valid fields are 'access_token' and 'refresh_token'.
+    #   The type of this field is +String+.
+    # authorization_check::
+    #   Optional authorization check object.
+    #   The type of this field is nilable +Hash+.
+    #
+    # == Returns:
+    # An object with the following fields:
+    # subject::
+    #   The subject of the token.
+    #   The type of this field is +String+.
+    # scope::
+    #   The scope of the token.
+    #   The type of this field is +String+.
+    # audience::
+    #   The audience of the token.
+    #   The type of this field is +String+.
+    # expires_at::
+    #   The expiration time of the token.
+    #   The type of this field is +Integer+.
+    # issued_at::
+    #   The issued at time of the token.
+    #   The type of this field is +Integer+.
+    # issuer::
+    #   The issuer of the token.
+    #   The type of this field is +String+.
+    # not_before::
+    #   The not before time of the token.
+    #   The type of this field is +Integer+.
+    # token_type::
+    #   The type of the token.
+    #   The type of this field is +String+.
+    # custom_claims::
+    #   Custom claims in the token.
+    #   The type of this field is +Hash+.
+    # organization_claim::
+    #   The organization claim in the token.
+    #   The type of this field is +Hash+.
+    def introspect_token_network(
+      token:,
+      client_id:,
+      client_secret: nil,
+      token_type_hint: 'access_token',
+      authorization_check: nil
+    )
+      headers = {}
+      data = {
+        'token' => token,
+        'client_id' => client_id,
+        'token_type_hint' => token_type_hint
+      }
+      data['client_secret'] = client_secret unless client_secret.nil?
+
+      url = @connection.url_prefix + '/v1/oauth2/introspect'
+      jwt_response = post_request(url, data, headers)
+
+      return nil unless jwt_response['active']
+
+      custom_claims = jwt_response.reject { |k, _| @non_custom_claim_keys.include?(k) }
+      organization_claim = jwt_response['https://stytch.com/organization']
+      organization_id = organization_claim['organization_id']
+      scope = jwt_response['scope']
+
+      if authorization_check
+        @policy_cache.perform_authorization_check(
+          subject_roles: scope.split,
+          authorization_check: authorization_check,
+          subject_org_id: organization_id
+        )
+      end
+
+      {
+        'subject' => jwt_response['sub'],
+        'scope' => jwt_response['scope'],
+        'audience' => jwt_response['aud'],
+        'expires_at' => jwt_response['exp'],
+        'issued_at' => jwt_response['iat'],
+        'issuer' => jwt_response['iss'],
+        'not_before' => jwt_response['nbf'],
+        'token_type' => jwt_response['token_type'],
+        'custom_claims' => custom_claims,
+        'organization_claim' => organization_claim
+      }
+    end
+
+    # Introspects a token JWT from an authorization code response.
+    # Access tokens are JWTs signed with the project's JWKs. Refresh tokens are opaque tokens.
+    # Access tokens contain a standard set of claims as well as any custom claims generated from templates.
+    #
+    # == Parameters:
+    # access_token::
+    #   The access token (or refresh token) to introspect.
+    #   The type of this field is +String+.
+    # authorization_check::
+    #   Optional authorization check object.
+    #   The type of this field is nilable +Hash+.
+    #
+    # == Returns:
+    # An object with the following fields:
+    # subject::
+    #   The subject of the token.
+    #   The type of this field is +String+.
+    # scope::
+    #   The scope of the token.
+    #   The type of this field is +String+.
+    # audience::
+    #   The audience of the token.
+    #   The type of this field is +String+.
+    # expires_at::
+    #   The expiration time of the token.
+    #   The type of this field is +Integer+.
+    # issued_at::
+    #   The issued at time of the token.
+    #   The type of this field is +Integer+.
+    # issuer::
+    #   The issuer of the token.
+    #   The type of this field is +String+.
+    # not_before::
+    #   The not before time of the token.
+    #   The type of this field is +Integer+.
+    # token_type::
+    #   The type of the token.
+    #   The type of this field is +String+.
+    # custom_claims::
+    #   Custom claims in the token.
+    #   The type of this field is +Hash+.
+    # organization_claim::
+    #   The organization claim in the token.
+    #   The type of this field is +Hash+.
+    def introspect_access_token_local(
+      access_token:,
+      authorization_check: nil
+    )
+      scope_claim = 'scope'
+      organization_claim = 'https://stytch.com/organization'
+
+      # Create a JWKS loader similar to other classes in the codebase
+      @cache_last_update = 0
+      jwks_loader = lambda do |options|
+        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
+        if @cached_keys.nil?
+          @cached_keys = get_jwks(project_id: @project_id)
+          @cache_last_update = Time.now.to_i
+        end
+        @cached_keys
+      end
+
+      begin
+        decoded_jwt = JWT.decode(
+          access_token,
+          nil,
+          true,
+          {
+            algorithms: ['RS256'],
+            jwks: jwks_loader,
+            iss: ["stytch.com/#{@project_id}", @connection.url_prefix],
+            aud: @project_id
+          }
+        )[0]
+
+        generic_claims = decoded_jwt
+        custom_claims = generic_claims.reject { |k, _| @non_custom_claim_keys.include?(k) }
+        organization_claim_data = generic_claims[organization_claim]
+        organization_id = organization_claim_data['organization_id']
+        scope = generic_claims[scope_claim]
+
+        if authorization_check
+          @policy_cache.perform_authorization_check(
+            subject_roles: scope.split,
+            authorization_check: authorization_check,
+            subject_org_id: organization_id
+          )
+        end
+
+        {
+          'subject' => generic_claims['sub'],
+          'scope' => generic_claims[scope_claim],
+          'audience' => generic_claims['aud'],
+          'expires_at' => generic_claims['exp'],
+          'issued_at' => generic_claims['iat'],
+          'issuer' => generic_claims['iss'],
+          'not_before' => generic_claims['nbf'],
+          'token_type' => 'access_token',
+          'custom_claims' => custom_claims,
+          'organization_claim' => organization_claim_data
+        }
+      rescue JWT::InvalidIssuerError
+        raise Stytch::JWTInvalidIssuerError
+      rescue JWT::InvalidAudError
+        raise Stytch::JWTInvalidAudienceError
+      rescue JWT::ExpiredSignature
+        raise Stytch::JWTExpiredSignatureError
+      rescue JWT::IncorrectAlgorithm
+        raise Stytch::JWTIncorrectAlgorithmError
+      rescue JWT::DecodeError
+        nil
+      end
+    end
+
+    # Gets the JWKS for the project.
+    #
+    # == Parameters:
+    # project_id::
+    #   The ID of the project.
+    #   The type of this field is +String+.
+    #
+    # == Returns:
+    # The JWKS for the project.
+    #   The type of this field is +Hash+.
+    def get_jwks(project_id:)
+      headers = {}
+      query_params = {}
+      request = request_with_query_params("/v1/b2b/sessions/jwks/#{project_id}", query_params)
+      get_request(request, headers)
+    end
+  end
+end

data/lib/stytch/b2b_impersonation.rb

@@ -16,14 +16,14 @@ module StytchB2B
       @connection = connection
     end
 
-    # Authenticate an impersonation token to impersonate a. This endpoint requires an impersonation token that is not expired or previously used.
+    # Authenticate an impersonation token to impersonate a Member. This endpoint requires an impersonation token that is not expired or previously used.
     # A Stytch session will be created for the impersonated member with a 60 minute duration. Impersonated sessions cannot be extended.
     #
     # Prior to this step, you can generate an impersonation token by visiting the Stytch Dashboard, viewing a member, and clicking the `Impersonate Member` button.
     #
     # == Parameters:
     # impersonation_token::
-    #   The User Impersonation token to authenticate.
+    #   The Member Impersonation token to authenticate. Expires in 5 minutes by default.
     #   The type of this field is +String+.
     #
     # == Returns:

data/lib/stytch/b2b_magic_links.rb

@@ -20,10 +20,10 @@ module StytchB2B
       @discovery = StytchB2B::MagicLinks::Discovery.new(@connection)
     end
 
-    # Authenticate a with a Magic Link. This endpoint requires a Magic Link token that is not expired or previously used. If the Member’s status is `pending` or `invited`, they will be updated to `active`.
+    # Authenticate a Member with a Magic Link. This endpoint requires a Magic Link token that is not expired or previously used. If the Member’s status is `pending` or `invited`, they will be updated to `active`.
     # Provide the `session_duration_minutes` parameter to set the lifetime of the session. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration.
     #
-    # If the Member is required to complete MFA to log in to the, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
+    # If the Member is required to complete MFA to log in to the Organization, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
     # The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp),
     # or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete the MFA step and acquire a full member session.
     # The `intermediate_session_token` can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to join a different Organization or create a new one.
@@ -67,7 +67,7 @@ module StytchB2B
     #   Total custom claims size cannot exceed four kilobytes.
     #   The type of this field is nilable +object+.
     # locale::
-    #   If the needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
+    #   If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
     #
     # Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
     #
@@ -277,7 +277,7 @@ module StytchB2B
         post_request('/v1/b2b/magic_links/email/login_or_signup', request, headers)
       end
 
-      # Send an invite email to a new to join an. The Member will be created with an `invited` status until they successfully authenticate. Sending invites to `pending` Members will update their status to `invited`. Sending invites to already `active` Members will return an error.
+      # Send an invite email to a new Member to join an Organization. The Member will be created with an `invited` status until they successfully authenticate. Sending invites to `pending` Members will update their status to `invited`. Sending invites to already `active` Members will return an error.
       #
       # The magic link invite will be valid for 1 week.
       #

data/lib/stytch/b2b_oauth.rb

@@ -19,9 +19,9 @@ module StytchB2B
       @discovery = StytchB2B::OAuth::Discovery.new(@connection)
     end
 
-    # Authenticate a given a `token`. This endpoint verifies that the member completed the flow by verifying that the token is valid and hasn't expired.  Provide the `session_duration_minutes` parameter to set the lifetime of the session. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration.
+    # Authenticate a Member given a `token`. This endpoint verifies that the member completed the OAuth flow by verifying that the token is valid and hasn't expired.  Provide the `session_duration_minutes` parameter to set the lifetime of the session. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration.
     #
-    # If the Member is required to complete MFA to log in to the, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
+    # If the Member is required to complete MFA to log in to the Organization, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
     # The `intermediate_session_token` can be passed into the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete the MFA step and acquire a full member session.
     # The `intermediate_session_token` can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to join a different Organization or create a new one.
     # The `session_duration_minutes` and `session_custom_claims` parameters will be ignored.
@@ -65,7 +65,7 @@ module StytchB2B
     #   A base64url encoded one time secret used to validate that the request starts and ends on the same device.
     #   The type of this field is nilable +String+.
     # locale::
-    #   If the needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
+    #   If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
     #
     # Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
     #
@@ -165,7 +165,7 @@ module StytchB2B
         @connection = connection
       end
 
-      # Authenticates the Discovery token and exchanges it for an Intermediate
+      # Authenticates the Discovery OAuth token and exchanges it for an Intermediate
       # Session Token. Intermediate Session Tokens can be used for various Discovery login flows and are valid for 10 minutes.
       #
       # == Parameters: