stytch 10.25.0 → 10.27.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2f2f709cf39fcc571c655a577f0846ef68c7767d4aeace2f2ea71f3d85781018
-  data.tar.gz: afc3c7c5ce1dd327d2c5ab25f1b130eb25c355207bd8a15ac9db2c986b3f7eda
+  metadata.gz: 49aa54d3b047309a521fa267920e138f8eb27e8c299f5228c4c8bc565f821ce6
+  data.tar.gz: 716a18a6bcdc9ce4288287678e204d47ae90a89a7f432e43234afa2744419e04
 SHA512:
-  metadata.gz: 9e1391f4ed96c281b6303f26532211f75332ce36fa012eba7629d2d2c6982b8fae6366778cff1b54a6b847e7893dac7926080e387893acb6d4efdd0a1029fb5c
-  data.tar.gz: 94b8e29c50c8901bdb605e729de1440deaf73682d53e1da186862267a77bf7fc6545f63aec865fc25b61273da56d2c348b40d811e7b5690315158593bad5c49c
+  metadata.gz: 07cfbe4bbf895019aefd6be0d2fef3376caa5cb84fadd5c1af9c26d7d2e2ffd5399e5d9d3e2704cce5af85dc3eff494ad2ff648b1783434c933223c9408eafff
+  data.tar.gz: 55b223a9d0deabcc07810029395f1bd117c7df2b55db9b3e814e0dc8ce68e48737b2855b65888bb0f4039b14b90849acba473f3ab3961da61272e85198542c74

data/lib/stytch/b2b_client.rb

@@ -1,6 +1,13 @@
+# !!!
+# WARNING: This file is autogenerated
+# Only modify code within MANUAL() sections
+# or your changes may be overwritten later!
+# !!!
+
 # frozen_string_literal: true
 
 require_relative 'b2b_discovery'
+require_relative 'b2b_idp'
 require_relative 'b2b_impersonation'
 require_relative 'b2b_magic_links'
 require_relative 'b2b_oauth'
@@ -23,7 +30,7 @@ module StytchB2B
   class Client
     ENVIRONMENTS = %i[live test].freeze
 
-    attr_reader :connected_app, :discovery, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :organizations, :passwords, :project, :rbac, :recovery_codes, :scim, :sso, :sessions, :totps
+    attr_reader :connected_app, :discovery, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :organizations, :passwords, :project, :rbac, :recovery_codes, :scim, :sso, :sessions, :totps, :idp
 
     def initialize(project_id:, secret:, env: nil, fraud_env: nil, &block)
       @api_host = api_host(env, project_id)
@@ -35,7 +42,8 @@ module StytchB2B
       create_connection(&block)
 
       rbac = StytchB2B::RBAC.new(@connection)
-      @policy_cache = StytchB2B::PolicyCache.new(rbac_client: rbac)
+      @policy_cache = Stytch::PolicyCache.new(rbac_client: rbac)
+      @idp = StytchB2B::IDP.new(@connection, @project_id, @policy_cache)
 
       @connected_app = Stytch::ConnectedApp.new(@connection)
       @discovery = StytchB2B::Discovery.new(@connection)

data/lib/stytch/b2b_discovery.rb

@@ -48,7 +48,7 @@ module StytchB2B
       #   The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](https://stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes.
       #   The type of this field is +String+.
       # organization_id::
-      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience.
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
       #   The type of this field is +String+.
       # session_duration_minutes::
       #   Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,
@@ -197,7 +197,7 @@ module StytchB2B
       # sso_jit_provisioning::
       #   The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted values are:
       #
-      #   `ALL_ALLOWED` – new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`.
+      #   `ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization's `sso_active_connections`.
       #
       #   `RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication.
       #
@@ -215,7 +215,7 @@ module StytchB2B
       #
       #   `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth.
       #
-      #   `NOT_ALLOWED` – disable JIT provisioning via Email Magic Link and OAuth.
+      #   `NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth.
       #
       #   The type of this field is nilable +String+.
       # email_invites::
@@ -273,7 +273,7 @@ module StytchB2B
       #
       #   `RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.
       #
-      #   `NOT_ALLOWED` – disable JIT provisioning by OAuth Tenant.
+      #   `NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant.
       #
       #   The type of this field is nilable +String+.
       # allowed_oauth_tenants::
@@ -282,7 +282,7 @@ module StytchB2B
       # first_party_connected_apps_allowed_type::
       #   The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values are:
       #
-      #   `ALL_ALLOWED` – any first party Connected App in the Project is permitted for use by Members.
+      #   `ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members.
       #
       #   `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.
       #
@@ -295,7 +295,7 @@ module StytchB2B
       # third_party_connected_apps_allowed_type::
       #   The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values are:
       #
-      #   `ALL_ALLOWED` – any third party Connected App in the Project is permitted for use by Members.
+      #   `ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members.
       #
       #   `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.
       #

data/lib/stytch/b2b_idp.rb

@@ -0,0 +1,266 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'json/jwt'
+require_relative 'errors'
+require_relative 'request_helper'
+require_relative 'rbac_local'
+
+module StytchB2B
+  class IDP
+    include Stytch::RequestHelper
+
+    def initialize(connection, project_id, policy_cache)
+      @connection = connection
+      @project_id = project_id
+      @policy_cache = policy_cache
+      @non_custom_claim_keys = [
+        'aud',
+        'exp',
+        'iat',
+        'iss',
+        'jti',
+        'nbf',
+        'sub',
+        'active',
+        'client_id',
+        'request_id',
+        'scope',
+        'status_code',
+        'token_type',
+        'https://stytch.com/organization'
+      ]
+    end
+
+    # Introspects a token JWT from an authorization code response.
+    # Access tokens are JWTs signed with the project's JWKs. Refresh tokens are opaque tokens.
+    # Access tokens contain a standard set of claims as well as any custom claims generated from templates.
+    #
+    # == Parameters:
+    # token::
+    #   The access token (or refresh token) to introspect.
+    #   The type of this field is +String+.
+    # client_id::
+    #   The ID of the client.
+    #   The type of this field is +String+.
+    # client_secret::
+    #   The secret of the client.
+    #   The type of this field is nilable +String+.
+    # token_type_hint::
+    #   A hint on what the token contains. Valid fields are 'access_token' and 'refresh_token'.
+    #   The type of this field is +String+.
+    # authorization_check::
+    #   Optional authorization check object.
+    #   The type of this field is nilable +Hash+.
+    #
+    # == Returns:
+    # An object with the following fields:
+    # subject::
+    #   The subject of the token.
+    #   The type of this field is +String+.
+    # scope::
+    #   The scope of the token.
+    #   The type of this field is +String+.
+    # audience::
+    #   The audience of the token.
+    #   The type of this field is +String+.
+    # expires_at::
+    #   The expiration time of the token.
+    #   The type of this field is +Integer+.
+    # issued_at::
+    #   The issued at time of the token.
+    #   The type of this field is +Integer+.
+    # issuer::
+    #   The issuer of the token.
+    #   The type of this field is +String+.
+    # not_before::
+    #   The not before time of the token.
+    #   The type of this field is +Integer+.
+    # token_type::
+    #   The type of the token.
+    #   The type of this field is +String+.
+    # custom_claims::
+    #   Custom claims in the token.
+    #   The type of this field is +Hash+.
+    # organization_claim::
+    #   The organization claim in the token.
+    #   The type of this field is +Hash+.
+    def introspect_token_network(
+      token:,
+      client_id:,
+      client_secret: nil,
+      token_type_hint: 'access_token',
+      authorization_check: nil
+    )
+      headers = {}
+      data = {
+        'token' => token,
+        'client_id' => client_id,
+        'token_type_hint' => token_type_hint
+      }
+      data['client_secret'] = client_secret unless client_secret.nil?
+
+      url = @connection.url_prefix + '/v1/oauth2/introspect'
+      jwt_response = post_request(url, data, headers)
+
+      return nil unless jwt_response['active']
+
+      custom_claims = jwt_response.reject { |k, _| @non_custom_claim_keys.include?(k) }
+      organization_claim = jwt_response['https://stytch.com/organization']
+      organization_id = organization_claim['organization_id']
+      scope = jwt_response['scope']
+
+      if authorization_check
+        @policy_cache.perform_authorization_check(
+          subject_roles: scope.split,
+          authorization_check: authorization_check,
+          subject_org_id: organization_id
+        )
+      end
+
+      {
+        'subject' => jwt_response['sub'],
+        'scope' => jwt_response['scope'],
+        'audience' => jwt_response['aud'],
+        'expires_at' => jwt_response['exp'],
+        'issued_at' => jwt_response['iat'],
+        'issuer' => jwt_response['iss'],
+        'not_before' => jwt_response['nbf'],
+        'token_type' => jwt_response['token_type'],
+        'custom_claims' => custom_claims,
+        'organization_claim' => organization_claim
+      }
+    end
+
+    # Introspects a token JWT from an authorization code response.
+    # Access tokens are JWTs signed with the project's JWKs. Refresh tokens are opaque tokens.
+    # Access tokens contain a standard set of claims as well as any custom claims generated from templates.
+    #
+    # == Parameters:
+    # access_token::
+    #   The access token (or refresh token) to introspect.
+    #   The type of this field is +String+.
+    # authorization_check::
+    #   Optional authorization check object.
+    #   The type of this field is nilable +Hash+.
+    #
+    # == Returns:
+    # An object with the following fields:
+    # subject::
+    #   The subject of the token.
+    #   The type of this field is +String+.
+    # scope::
+    #   The scope of the token.
+    #   The type of this field is +String+.
+    # audience::
+    #   The audience of the token.
+    #   The type of this field is +String+.
+    # expires_at::
+    #   The expiration time of the token.
+    #   The type of this field is +Integer+.
+    # issued_at::
+    #   The issued at time of the token.
+    #   The type of this field is +Integer+.
+    # issuer::
+    #   The issuer of the token.
+    #   The type of this field is +String+.
+    # not_before::
+    #   The not before time of the token.
+    #   The type of this field is +Integer+.
+    # token_type::
+    #   The type of the token.
+    #   The type of this field is +String+.
+    # custom_claims::
+    #   Custom claims in the token.
+    #   The type of this field is +Hash+.
+    # organization_claim::
+    #   The organization claim in the token.
+    #   The type of this field is +Hash+.
+    def introspect_access_token_local(
+      access_token:,
+      authorization_check: nil
+    )
+      scope_claim = 'scope'
+      organization_claim = 'https://stytch.com/organization'
+
+      # Create a JWKS loader similar to other classes in the codebase
+      @cache_last_update = 0
+      jwks_loader = lambda do |options|
+        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
+        if @cached_keys.nil?
+          @cached_keys = get_jwks(project_id: @project_id)
+          @cache_last_update = Time.now.to_i
+        end
+        @cached_keys
+      end
+
+      begin
+        decoded_jwt = JWT.decode(
+          access_token,
+          nil,
+          true,
+          {
+            algorithms: ['RS256'],
+            jwks: jwks_loader,
+            iss: ["stytch.com/#{@project_id}", @connection.url_prefix],
+            aud: @project_id
+          }
+        )[0]
+
+        generic_claims = decoded_jwt
+        custom_claims = generic_claims.reject { |k, _| @non_custom_claim_keys.include?(k) }
+        organization_claim_data = generic_claims[organization_claim]
+        organization_id = organization_claim_data['organization_id']
+        scope = generic_claims[scope_claim]
+
+        if authorization_check
+          @policy_cache.perform_authorization_check(
+            subject_roles: scope.split,
+            authorization_check: authorization_check,
+            subject_org_id: organization_id
+          )
+        end
+
+        {
+          'subject' => generic_claims['sub'],
+          'scope' => generic_claims[scope_claim],
+          'audience' => generic_claims['aud'],
+          'expires_at' => generic_claims['exp'],
+          'issued_at' => generic_claims['iat'],
+          'issuer' => generic_claims['iss'],
+          'not_before' => generic_claims['nbf'],
+          'token_type' => 'access_token',
+          'custom_claims' => custom_claims,
+          'organization_claim' => organization_claim_data
+        }
+      rescue JWT::InvalidIssuerError
+        raise Stytch::JWTInvalidIssuerError
+      rescue JWT::InvalidAudError
+        raise Stytch::JWTInvalidAudienceError
+      rescue JWT::ExpiredSignature
+        raise Stytch::JWTExpiredSignatureError
+      rescue JWT::IncorrectAlgorithm
+        raise Stytch::JWTIncorrectAlgorithmError
+      rescue JWT::DecodeError
+        nil
+      end
+    end
+
+    # Gets the JWKS for the project.
+    #
+    # == Parameters:
+    # project_id::
+    #   The ID of the project.
+    #   The type of this field is +String+.
+    #
+    # == Returns:
+    # The JWKS for the project.
+    #   The type of this field is +Hash+.
+    def get_jwks(project_id:)
+      headers = {}
+      query_params = {}
+      request = request_with_query_params("/v1/b2b/sessions/jwks/#{project_id}", query_params)
+      get_request(request, headers)
+    end
+  end
+end

data/lib/stytch/b2b_magic_links.rb

@@ -20,7 +20,7 @@ module StytchB2B
       @discovery = StytchB2B::MagicLinks::Discovery.new(@connection)
     end
 
-    # Authenticate a Member with a Magic Link. This endpoint requires a Magic Link token that is not expired or previously used. If the Member’s status is `pending` or `invited`, they will be updated to `active`.
+    # Authenticate a Member with a Magic Link. This endpoint requires a Magic Link token that is not expired or previously used. If the Member's status is `pending` or `invited`, they will be updated to `active`.
     # Provide the `session_duration_minutes` parameter to set the lifetime of the session. If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration.
     #
     # If the Member is required to complete MFA to log in to the Organization, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
@@ -187,7 +187,7 @@ module StytchB2B
       #
       # == Parameters:
       # organization_id::
-      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience.
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
       #   The type of this field is +String+.
       # email_address::
       #   The email address of the Member.
@@ -287,7 +287,7 @@ module StytchB2B
       #
       # == Parameters:
       # organization_id::
-      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug here as a convenience.
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
       #   The type of this field is +String+.
       # email_address::
       #   The email address of the Member.

data/lib/stytch/b2b_oauth.rb

@@ -31,7 +31,7 @@ module StytchB2B
     # If the Member is logging in via an OAuth provider that does not fully verify the email, the returned value of `member_authenticated` will be `false`, and an `intermediate_session_token` will be returned.
     # The `primary_required` field details the authentication flow the Member must perform in order to [complete a step-up authentication](https://stytch.com/docs/b2b/guides/oauth/auth-flows) into the organization. The `intermediate_session_token` must be passed into that authentication flow.
     #
-    # We’re actively accepting requests for new OAuth providers! Please [email us](mailto:support@stytch.com) or [post in our community](https://stytch.com/docs/b2b/resources) if you are looking for an OAuth provider that is not currently supported.
+    # We're actively accepting requests for new OAuth providers! Please [email us](mailto:support@stytch.com) or [post in our community](https://stytch.com/docs/b2b/resources) if you are looking for an OAuth provider that is not currently supported.
     #
     # == Parameters:
     # oauth_token::