stytch 10.24.0 → 10.26.0

data/lib/stytch/client.rb

@@ -1,8 +1,15 @@
+# !!!
+# WARNING: This file is autogenerated
+# Only modify code within MANUAL() sections
+# or your changes may be overwritten later!
+# !!!
+
 # frozen_string_literal: true
 
 require_relative 'connected_apps'
 require_relative 'crypto_wallets'
 require_relative 'fraud'
+require_relative 'idp'
 require_relative 'impersonation'
 require_relative 'm2m'
 require_relative 'magic_links'
@@ -10,6 +17,8 @@ require_relative 'oauth'
 require_relative 'otps'
 require_relative 'passwords'
 require_relative 'project'
+require_relative 'rbac'
+require_relative 'rbac_local'
 require_relative 'sessions'
 require_relative 'totps'
 require_relative 'users'
@@ -19,7 +28,7 @@ module Stytch
   class Client
     ENVIRONMENTS = %i[live test].freeze
 
-    attr_reader :connected_app, :crypto_wallets, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :passwords, :project, :sessions, :totps, :users, :webauthn
+    attr_reader :connected_app, :crypto_wallets, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :passwords, :project, :rbac, :sessions, :totps, :users, :webauthn, :idp
 
     def initialize(project_id:, secret:, env: nil, fraud_env: nil, &block)
       @api_host = api_host(env, project_id)
@@ -30,6 +39,10 @@ module Stytch
 
       create_connection(&block)
 
+      rbac = Stytch::RBAC.new(@connection)
+      @policy_cache = Stytch::PolicyCache.new(rbac_client: rbac)
+      @idp = Stytch::IDP.new(@connection, @project_id, @policy_cache)
+
       @connected_app = Stytch::ConnectedApp.new(@connection)
       @crypto_wallets = Stytch::CryptoWallets.new(@connection)
       @fraud = Stytch::Fraud.new(@fraud_connection)
@@ -40,7 +53,8 @@ module Stytch
       @otps = Stytch::OTPs.new(@connection)
       @passwords = Stytch::Passwords.new(@connection)
       @project = Stytch::Project.new(@connection)
-      @sessions = Stytch::Sessions.new(@connection, @project_id)
+      @rbac = Stytch::RBAC.new(@connection)
+      @sessions = Stytch::Sessions.new(@connection, @project_id, @policy_cache)
       @totps = Stytch::TOTPs.new(@connection)
       @users = Stytch::Users.new(@connection)
       @webauthn = Stytch::WebAuthn.new(@connection)

data/lib/stytch/fraud.rb

@@ -28,14 +28,17 @@ module Stytch
         @connection = connection
       end
 
-      # Lookup the associated fingerprint for the `telemetry_id` returned from the `GetTelemetryID()` function. Learn more about the different fingerprint types and verdicts in our [DFP guide](https://stytch.com/docs/fraud/guides/device-fingerprinting/overview).
+      # Lookup the associated fingerprint for the `telemetry_id` returned from the `GetTelemetryID()` function.
+      # Learn more about the different fingerprint types and verdicts in our [DFP guide](https://stytch.com/docs/fraud/guides/device-fingerprinting/overview).
       #
-      # Make a decision based on the returned `verdict`:
+      # You can make a decision based on the recommended `verdict` in the response:
       # * `ALLOW` - This is a known valid device grouping or device profile that is part of the default `ALLOW` listed set of known devices by Stytch. This grouping is made up of  verified device profiles that match the characteristics of known/authentic traffic origins.
       # * `BLOCK` - This is a known bad or malicious device profile that is undesirable and should be blocked from completing the privileged action in question.
       # * `CHALLENGE` - This is an unknown or potentially malicious device that should be put through increased friction such as 2FA or other forms of extended user verification before allowing the privileged action to proceed.
       #
-      # If the `telemetry_id` is not found, we will return a 404 `telemetry_id_not_found` [error](https://stytch.com/docs/fraud/api/errors/404#telemetry_id_not_found). We recommend treating 404 errors as a `BLOCK`, since it could be a sign of an attacker trying to bypass DFP protections by generating fake telemetry IDs.
+      # If the `telemetry_id` is expired or not found, this endpoint returns a 404 `telemetry_id_not_found` [error](https://stytch.com/docs/fraud/api/errors/404#telemetry_id_not_found).
+      # We recommend treating 404 errors as a `BLOCK`, since it could be a sign of an attacker trying to bypass DFP protections.
+      # See [Attacker-controlled telemetry IDs](https://stytch.com/docs/fraud/guides/device-fingerprinting/integration-steps/test-your-integration#attacker-controlled-telemetry-ids) for more information.
       #
       # == Parameters:
       # telemetry_id::

data/lib/stytch/idp.rb

@@ -0,0 +1,251 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'json/jwt'
+require_relative 'errors'
+require_relative 'request_helper'
+require_relative 'rbac_local'
+
+module Stytch
+  class IDP
+    include Stytch::RequestHelper
+
+    def initialize(connection, project_id, policy_cache)
+      @connection = connection
+      @project_id = project_id
+      @policy_cache = policy_cache
+      @non_custom_claim_keys = %w[
+        aud
+        exp
+        iat
+        iss
+        jti
+        nbf
+        sub
+        active
+        client_id
+        request_id
+        scope
+        status_code
+        token_type
+      ]
+    end
+
+    # Introspects a token JWT from an authorization code response.
+    # Access tokens are JWTs signed with the project's JWKs. Refresh tokens are opaque tokens.
+    # Access tokens contain a standard set of claims as well as any custom claims generated from templates.
+    #
+    # == Parameters:
+    # token::
+    #   The access token (or refresh token) to introspect.
+    #   The type of this field is +String+.
+    # client_id::
+    #   The ID of the client.
+    #   The type of this field is +String+.
+    # client_secret::
+    #   The secret of the client.
+    #   The type of this field is nilable +String+.
+    # token_type_hint::
+    #   A hint on what the token contains. Valid fields are 'access_token' and 'refresh_token'.
+    #   The type of this field is +String+.
+    # authorization_check::
+    #   Optional authorization check object.
+    #   The type of this field is nilable +Hash+.
+    #
+    # == Returns:
+    # An object with the following fields:
+    # subject::
+    #   The subject of the token.
+    #   The type of this field is +String+.
+    # scope::
+    #   The scope of the token.
+    #   The type of this field is +String+.
+    # audience::
+    #   The audience of the token.
+    #   The type of this field is +String+.
+    # expires_at::
+    #   The expiration time of the token.
+    #   The type of this field is +Integer+.
+    # issued_at::
+    #   The issued at time of the token.
+    #   The type of this field is +Integer+.
+    # issuer::
+    #   The issuer of the token.
+    #   The type of this field is +String+.
+    # not_before::
+    #   The not before time of the token.
+    #   The type of this field is +Integer+.
+    # token_type::
+    #   The type of the token.
+    #   The type of this field is +String+.
+    # custom_claims::
+    #   Custom claims in the token.
+    #   The type of this field is +Hash+.
+    def introspect_token_network(
+      token:,
+      client_id:,
+      client_secret: nil,
+      token_type_hint: 'access_token',
+      authorization_check: nil
+    )
+      headers = {}
+      data = {
+        'token' => token,
+        'client_id' => client_id,
+        'token_type_hint' => token_type_hint
+      }
+      data['client_secret'] = client_secret unless client_secret.nil?
+
+      url = @connection.url_prefix + '/v1/oauth2/introspect'
+      res = post_request(url, data, headers)
+
+      jwt_response = res
+      return nil unless jwt_response['active']
+
+      custom_claims = res.reject { |k, _| @non_custom_claim_keys.include?(k) }
+      scope = jwt_response['scope']
+
+      if authorization_check
+        @policy_cache.perform_scope_authorization_check(
+          token_scopes: scope.split,
+          authorization_check: authorization_check
+        )
+      end
+
+      {
+        'subject' => jwt_response['sub'],
+        'scope' => jwt_response['scope'],
+        'audience' => jwt_response['aud'],
+        'expires_at' => jwt_response['exp'],
+        'issued_at' => jwt_response['iat'],
+        'issuer' => jwt_response['iss'],
+        'not_before' => jwt_response['nbf'],
+        'token_type' => jwt_response['token_type'],
+        'custom_claims' => custom_claims
+      }
+    end
+
+    # Introspects a token JWT from an authorization code response.
+    # Access tokens are JWTs signed with the project's JWKs. Refresh tokens are opaque tokens.
+    # Access tokens contain a standard set of claims as well as any custom claims generated from templates.
+    #
+    # == Parameters:
+    # access_token::
+    #   The access token (or refresh token) to introspect.
+    #   The type of this field is +String+.
+    # authorization_check::
+    #   Optional authorization check object.
+    #   The type of this field is nilable +Hash+.
+    #
+    # == Returns:
+    # An object with the following fields:
+    # subject::
+    #   The subject of the token.
+    #   The type of this field is +String+.
+    # scope::
+    #   The scope of the token.
+    #   The type of this field is +String+.
+    # audience::
+    #   The audience of the token.
+    #   The type of this field is +String+.
+    # expires_at::
+    #   The expiration time of the token.
+    #   The type of this field is +Integer+.
+    # issued_at::
+    #   The issued at time of the token.
+    #   The type of this field is +Integer+.
+    # issuer::
+    #   The issuer of the token.
+    #   The type of this field is +String+.
+    # not_before::
+    #   The not before time of the token.
+    #   The type of this field is +Integer+.
+    # token_type::
+    #   The type of the token.
+    #   The type of this field is +String+.
+    # custom_claims::
+    #   Custom claims in the token.
+    #   The type of this field is +Hash+.
+    def introspect_access_token_local(
+      access_token:,
+      authorization_check: nil
+    )
+      scope_claim = 'scope'
+
+      # Create a JWKS loader similar to other classes in the codebase
+      @cache_last_update = 0
+      jwks_loader = lambda do |options|
+        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
+        if @cached_keys.nil?
+          @cached_keys = get_jwks(project_id: @project_id)
+          @cache_last_update = Time.now.to_i
+        end
+        @cached_keys
+      end
+
+      begin
+        decoded_jwt = JWT.decode(
+          access_token,
+          nil,
+          true,
+          {
+            algorithms: ['RS256'],
+            jwks: jwks_loader,
+            iss: ["stytch.com/#{@project_id}", @connection.url_prefix],
+            aud: @project_id
+          }
+        )[0]
+
+        generic_claims = decoded_jwt
+        custom_claims = generic_claims.reject { |k, _| @non_custom_claim_keys.include?(k) }
+        scope = generic_claims[scope_claim]
+
+        if authorization_check
+          @policy_cache.perform_scope_authorization_check(
+            token_scopes: scope.split,
+            authorization_check: authorization_check
+          )
+        end
+
+        {
+          'subject' => generic_claims['sub'],
+          'scope' => generic_claims[scope_claim],
+          'audience' => generic_claims['aud'],
+          'expires_at' => generic_claims['exp'],
+          'issued_at' => generic_claims['iat'],
+          'issuer' => generic_claims['iss'],
+          'not_before' => generic_claims['nbf'],
+          'token_type' => 'access_token',
+          'custom_claims' => custom_claims
+        }
+      rescue JWT::InvalidIssuerError
+        raise Stytch::JWTInvalidIssuerError
+      rescue JWT::InvalidAudError
+        raise Stytch::JWTInvalidAudienceError
+      rescue JWT::ExpiredSignature
+        raise Stytch::JWTExpiredSignatureError
+      rescue JWT::IncorrectAlgorithm
+        raise Stytch::JWTIncorrectAlgorithmError
+      rescue JWT::DecodeError
+        nil
+      end
+    end
+
+    # Gets the JWKS for the project.
+    #
+    # == Parameters:
+    # project_id::
+    #   The ID of the project.
+    #   The type of this field is +String+.
+    #
+    # == Returns:
+    # The JWKS for the project.
+    #   The type of this field is +Hash+.
+    def get_jwks(project_id:)
+      headers = {}
+      query_params = {}
+      request = request_with_query_params("/v1/sessions/jwks/#{project_id}", query_params)
+      get_request(request, headers)
+    end
+  end
+end

data/lib/stytch/impersonation.rb

@@ -23,7 +23,7 @@ module Stytch
     #
     # == Parameters:
     # impersonation_token::
-    #   The User Impersonation token to authenticate.
+    #   The User Impersonation token to authenticate. Expires in 5 minutes by default.
     #   The type of this field is +String+.
     #
     # == Returns:

data/lib/stytch/otps.rb

@@ -130,7 +130,7 @@ module Stytch
       # ### Cost to send SMS OTP
       # Before configuring SMS or WhatsApp OTPs, please review how Stytch [bills the costs of international OTPs](https://stytch.com/pricing) and understand how to protect your app against [toll fraud](https://stytch.com/docs/guides/passcodes/toll-fraud/overview).
       #
-      # __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023. If you're interested in sending international SMS, please reach out to [support@stytch.com](mailto:support@stytch.com?subject=Enable%20international%20SMS).
+      # __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's allowlist via the [Dashboard](https://stytch.com/dashboard/country-code-allowlists) or [Programmatic Workspace Actions](https://stytch.com/docs/workspace-management/pwa/set-allowed-country-codes), and [add credit card details](https://stytch.com/dashboard/settings/billing) to your account.
       #
       # Even when international SMS is enabled, we do not support sending SMS to countries on our [Unsupported countries list](https://stytch.com/docs/guides/passcodes/unsupported-countries).
       #
@@ -212,7 +212,7 @@ module Stytch
       # ### Cost to send SMS OTP
       # Before configuring SMS or WhatsApp OTPs, please review how Stytch [bills the costs of international OTPs](https://stytch.com/pricing) and understand how to protect your app against [toll fraud](https://stytch.com/docs/guides/passcodes/toll-fraud/overview).
       #
-      # __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023. If you're interested in sending international SMS, please reach out to [support@stytch.com](mailto:support@stytch.com?subject=Enable%20international%20SMS).
+      # __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did not use SMS prior to October 2023. If you're interested in sending international SMS, please add those countries to your Project's allowlist via the [Dashboard](https://stytch.com/dashboard/country-code-allowlists) or [Programmatic Workspace Actions](https://stytch.com/docs/workspace-management/pwa/set-allowed-country-codes), and [add credit card details](https://stytch.com/dashboard/settings/billing) to your account.
       #
       # Even when international SMS is enabled, we do not support sending SMS to countries on our [Unsupported countries list](https://stytch.com/docs/guides/passcodes/unsupported-countries).
       #

data/lib/stytch/passwords.rb

@@ -408,7 +408,7 @@ module Stytch
       # login_redirect_url::
       #   The URL Stytch redirects to after the OAuth flow is completed for a user that already exists. This URL should be a route in your application which will run `oauth.authenticate` (see below) and finish the login.
       #
-      #   The URL must be configured as a Login URL in the [Redirect URL page](https://stytch.com/docs/dashboard/redirect-urls). If the field is not specified, the default Login URL will be used.
+      #   The URL must be configured as a Login URL in the [Redirect URL page](https://stytch.com/dashboard/redirect-urls). If the field is not specified, the default Login URL will be used.
       #   The type of this field is nilable +String+.
       # locale::
       #   Used to determine which language to use when sending the user this delivery method. Parameter is a [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.

data/lib/stytch/rbac.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+# !!!
+# WARNING: This file is autogenerated
+# Only modify code within MANUAL() sections
+# or your changes may be overwritten later!
+# !!!
+
+require_relative 'request_helper'
+
+module Stytch
+  class RBAC
+    include Stytch::RequestHelper
+
+    def initialize(connection)
+      @connection = connection
+    end
+
+    # Get the active RBAC Policy for your current Stytch Project. An RBAC Policy is the canonical document that stores all defined Resources and Roles within your RBAC permissioning model.
+    #
+    # When using the backend SDKs, the RBAC Policy will be cached to allow for local evaluations, eliminating the need for an extra request to Stytch.
+    # The policy will be refreshed if an authorization check is requested and the RBAC policy was last updated more than 5 minutes ago.
+    #
+    # Resources and Roles can be created and managed within the [RBAC page](https://stytch.com/dashboard/rbac) in the Dashboard.
+    # Additionally, [Role assignment](https://stytch.com/docs/guides/rbac/role-assignment) can be programmatically managed through certain Stytch API endpoints.
+    #
+    # Check out the [RBAC overview](https://stytch.com/docs/guides/rbac/overview) to learn more about Stytch's RBAC permissioning model.
+    #
+    # == Parameters:
+    #
+    # == Returns:
+    # An object with the following fields:
+    # request_id::
+    #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+    #   The type of this field is +String+.
+    # status_code::
+    #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+    #   The type of this field is +Integer+.
+    # policy::
+    #   The RBAC Policy document that contains all defined Roles and Resources – which are managed in the [Dashboard](https://stytch.com/dashboard/rbac). Read more about these entities and how they work in our [RBAC overview](https://stytch.com/docs/guides/rbac/overview).
+    #   The type of this field is nilable +Policy+ (+object+).
+    def policy
+      headers = {}
+      query_params = {}
+      request = request_with_query_params('/v1/rbac/policy', query_params)
+      get_request(request, headers)
+    end
+  end
+end

data/lib/stytch/rbac_local.rb

@@ -3,7 +3,7 @@
 require_relative 'errors'
 require_relative 'request_helper'
 
-module StytchB2B
+module Stytch
   class PolicyCache
     def initialize(rbac_client:)
       @rbac_client = rbac_client
@@ -31,8 +31,7 @@ module StytchB2B
       subject_org_id:,
       authorization_check:
     )
-      request_org_id = authorization_check['organization_id']
-      raise Stytch::TenancyError.new(subject_org_id, request_org_id) if request_org_id != subject_org_id
+      raise Stytch::TenancyError.new(subject_org_id, authorization_check['organization_id']) if subject_org_id != authorization_check['organization_id']
 
       policy = get_policy
 
@@ -54,5 +53,69 @@ module StytchB2B
       # If we get here, we didn't find a matching permission
       raise Stytch::PermissionError, authorization_check
     end
+
+    # Performs an authorization check against the project's policy and a set of roles. If the
+    # check succeeds, this method will return. If the check fails, a PermissionError
+    # will be raised. This is used for role based authorization.
+    def perform_consumer_authorization_check(
+      subject_roles:,
+      authorization_check:
+    )
+      policy = get_policy
+
+      # For consumer authorization, we check roles without tenancy validation
+      for role in policy['roles']
+        next unless subject_roles.include?(role['role_id'])
+
+        for permission in role['permissions']
+          actions = permission['actions']
+          resource = permission['resource_id']
+          has_matching_action = actions.include?('*') || actions.include?(authorization_check['action'])
+          has_matching_resource = resource == authorization_check['resource_id']
+          if has_matching_action && has_matching_resource
+            return # Permission granted
+          end
+        end
+      end
+
+      # If we get here, we didn't find a matching permission
+      raise Stytch::PermissionError, authorization_check
+    end
+
+    # Performs an authorization check against the project's policy and a set of scopes. If the
+    # check succeeds, this method will return. If the check fails, a PermissionError
+    # will be raised. This is used for OAuth-style scope-based authorization.
+    # authorization_check is an object with keys 'action' and 'resource_id'
+    def perform_scope_authorization_check(
+      token_scopes:,
+      authorization_check:
+    )
+      policy = get_policy
+
+      # For scope-based authorization, we check if any of the token scopes match policy scopes
+      # and if those scopes grant permission for the requested action/resource
+      action = authorization_check['action']
+      resource_id = authorization_check['resource_id']
+
+      # Check if any of the token scopes grant permission for this action/resource
+      for scope_obj in policy['scopes']
+        scope_name = scope_obj['scope']
+        next unless token_scopes.include?(scope_name)
+
+        # Check if this scope grants permission for the requested action/resource
+        for permission in scope_obj['permissions']
+          actions = permission['actions']
+          resource = permission['resource_id']
+          has_matching_action = actions.include?('*') || actions.include?(action)
+          has_matching_resource = resource == resource_id
+          if has_matching_action && has_matching_resource
+            return # Permission granted
+          end
+        end
+      end
+
+      # If we get here, we didn't find a matching permission
+      raise Stytch::PermissionError, authorization_check
+    end
   end
 end

data/lib/stytch/sessions.rb

@@ -15,9 +15,10 @@ module Stytch
   class Sessions
     include Stytch::RequestHelper
 
-    def initialize(connection, project_id)
+    def initialize(connection, project_id, policy_cache)
       @connection = connection
 
+      @policy_cache = policy_cache
       @project_id = project_id
       @cache_last_update = 0
       @jwks_loader = lambda do |options|
@@ -81,6 +82,13 @@ module Stytch
     #
     #   Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes.
     #   The type of this field is nilable +object+.
+    # authorization_check::
+    #   If an `authorization_check` object is passed in, this endpoint will also check if the User is
+    #   authorized to perform the given action on the given Resource. A User is authorized if they are assigned a Role with adequate permissions.
+    #
+    #   If the User is not authorized to perform the specified action on the specified Resource, a 403 error will be thrown.
+    #   Otherwise, the response will contain a list of Roles that satisfied the authorization check.
+    #   The type of this field is nilable +AuthorizationCheck+ (+object+).
     #
     # == Returns:
     # An object with the following fields:
@@ -105,11 +113,16 @@ module Stytch
     # status_code::
     #   The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
     #   The type of this field is +Integer+.
+    # verdict::
+    #   If an `authorization_check` is provided in the request and the check succeeds, this field will return
+    #   information about why the User was granted permission.
+    #   The type of this field is nilable +AuthorizationVerdict+ (+object+).
     def authenticate(
       session_token: nil,
       session_duration_minutes: nil,
       session_jwt: nil,
-      session_custom_claims: nil
+      session_custom_claims: nil,
+      authorization_check: nil
     )
       headers = {}
       request = {}
@@ -117,6 +130,7 @@ module Stytch
       request[:session_duration_minutes] = session_duration_minutes unless session_duration_minutes.nil?
       request[:session_jwt] = session_jwt unless session_jwt.nil?
       request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil?
+      request[:authorization_check] = authorization_check unless authorization_check.nil?
 
       post_request('/v1/sessions/authenticate', request, headers)
     end
@@ -156,7 +170,7 @@ module Stytch
       post_request('/v1/sessions/revoke', request, headers)
     end
 
-    # Migrate a session from an external OIDC compliant endpoint. Stytch will call the external UserInfo endpoint defined in your Stytch Project settings in the [Dashboard](https://stytch.com/docs/dashboard), and then perform a lookup using the `session_token`. If the response contains a valid email address, Stytch will attempt to match that email address with an existing User and create a Stytch Session. You will need to create the user before using this endpoint.
+    # Migrate a session from an external OIDC compliant endpoint. Stytch will call the external UserInfo endpoint defined in your Stytch Project settings in the [Dashboard](https://stytch.com/dashboard), and then perform a lookup using the `session_token`. If the response contains a valid email address, Stytch will attempt to match that email address with an existing User and create a Stytch Session. You will need to create the user before using this endpoint.
     #
     # == Parameters:
     # session_token::
@@ -326,7 +340,7 @@ module Stytch
       get_request(request, headers)
     end
 
-    # Exchange an auth token issued by a trusted identity provider for a Stytch session. You must first register a Trusted Auth Token profile in the Stytch dashboard [here](https://stytch.com/docs/dashboard/trusted-auth-tokens). If a session token or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing session.
+    # Exchange an auth token issued by a trusted identity provider for a Stytch session. You must first register a Trusted Auth Token profile in the Stytch dashboard [here](https://stytch.com/dashboard/trusted-auth-tokens). If a session token or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing session.
     #
     # == Parameters:
     # profile_id::
@@ -421,7 +435,8 @@ module Stytch
       max_token_age_seconds: nil,
       session_duration_minutes: nil,
       session_custom_claims: nil,
-      clock_tolerance_seconds: nil
+      clock_tolerance_seconds: nil,
+      authorization_check: nil
     )
       max_token_age_seconds = 300 if max_token_age_seconds.nil?
       clock_tolerance_seconds = 0 if clock_tolerance_seconds.nil?
@@ -430,28 +445,32 @@ module Stytch
         return authenticate(
           session_jwt: session_jwt,
           session_duration_minutes: session_duration_minutes,
-          session_custom_claims: session_custom_claims
+          session_custom_claims: session_custom_claims,
+          authorization_check: authorization_check
         )
       end
 
       session = authenticate_jwt_local(
         session_jwt,
         max_token_age_seconds: max_token_age_seconds,
-        clock_tolerance_seconds: clock_tolerance_seconds
+        clock_tolerance_seconds: clock_tolerance_seconds,
+        authorization_check: authorization_check
       )
       return session unless session.nil?
 
       authenticate(
         session_jwt: session_jwt,
         session_duration_minutes: session_duration_minutes,
-        session_custom_claims: session_custom_claims
+        session_custom_claims: session_custom_claims,
+        authorization_check: authorization_check
       )
     rescue StandardError
       # JWT could not be verified locally. Check with the Stytch API.
       authenticate(
         session_jwt: session_jwt,
         session_duration_minutes: session_duration_minutes,
-        session_custom_claims: session_custom_claims
+        session_custom_claims: session_custom_claims,
+        authorization_check: authorization_check
       )
     end
 
@@ -461,7 +480,7 @@ module Stytch
     # This method never authenticates a JWT directly with the API
     # If max_token_age_seconds is not supplied 300 seconds will be used as the default.
     # If clock_tolerance_seconds is not supplied 0 seconds will be used as the default.
-    def authenticate_jwt_local(session_jwt, max_token_age_seconds: nil, clock_tolerance_seconds: nil)
+    def authenticate_jwt_local(session_jwt, max_token_age_seconds: nil, clock_tolerance_seconds: nil, authorization_check: nil)
       max_token_age_seconds = 300 if max_token_age_seconds.nil?
       clock_tolerance_seconds = 0 if clock_tolerance_seconds.nil?
 
@@ -488,6 +507,14 @@ module Stytch
         raise JWTIncorrectAlgorithmError
       end
 
+      # Do the auth check - intentionally don't rescue errors from here
+      if authorization_check
+        @policy_cache.perform_consumer_authorization_check(
+          subject_roles: session['roles'],
+          authorization_check: authorization_check
+        )
+      end
+
       session
     end
 

data/lib/stytch/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Stytch
-  VERSION = '10.24.0'
+  VERSION = '10.26.0'
 end

data/lib/stytch.rb

@@ -4,6 +4,7 @@ require 'faraday'
 
 require_relative 'stytch/b2b_client'
 require_relative 'stytch/client'
+require_relative 'stytch/idp'
 require_relative 'stytch/method_options'
 require_relative 'stytch/middleware'
 require_relative 'stytch/version'