stytch 10.28.0 → 10.29.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 84042207ac59233533cc823e147225b53dfb242577ada92f7c371d91f0067346
-  data.tar.gz: 43abe43af046750571190adbb0aba08f2126c5781812385c7bf4cb88ee41871c
+  metadata.gz: 9837d4362966d389505ea7b235379cb635e2dc5eda22537dac31e8ec0f6e1bcd
+  data.tar.gz: 72ba0b2c7af66364d677ed6ae70ed3278a0375e40e6a4f00dbbe912d31407cdf
 SHA512:
-  metadata.gz: 579d066dd8ebbda2724b7ff7824cd92686bdfecdabf10df8cf562f29a6025f24e814a746832838868c173800aac0399fac882cb52a5e281d5e776b99f4057796
-  data.tar.gz: 6dc2c0f7ae5a048d4bba0bebcf7a002f94afc7dee8d82f844147313920212814256b9aa1ad21d4cf6dbcd6396215e5213285494475e31b17aa4f47e01e75be65
+  metadata.gz: 3e359e41dc088a10f7174b2f72df1c3f552a82e92df50b5dd5c7b7e6cb7f6e053e3fc6a3b42f518ca66bd663d930957ece13c53b3a3ff4ddbaef788edad5ce5b
+  data.tar.gz: ea6fb4ed455954c907ed1d8d34cdb09057de8485037b3474b16ecdab6edfc50241737805a879a22d15c6ecbe9d63ad69532483e88605b1b58d378d0d8f201ad2

data/lib/stytch/b2b_client.rb

@@ -30,7 +30,7 @@ module StytchB2B
   class Client
     ENVIRONMENTS = %i[live test].freeze
 
-    attr_reader :connected_app, :discovery, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :organizations, :passwords, :project, :rbac, :recovery_codes, :scim, :sso, :sessions, :totps, :idp
+    attr_reader :connected_app, :discovery, :fraud, :idp, :impersonation, :m2m, :magic_links, :oauth, :otps, :organizations, :passwords, :project, :rbac, :recovery_codes, :scim, :sso, :sessions, :totps
 
     def initialize(project_id:, secret:, env: nil, fraud_env: nil, &block)
       @api_host = api_host(env, project_id)
@@ -43,11 +43,11 @@ module StytchB2B
 
       rbac = StytchB2B::RBAC.new(@connection)
       @policy_cache = Stytch::PolicyCache.new(rbac_client: rbac)
-      @idp = StytchB2B::IDP.new(@connection, @project_id, @policy_cache)
 
       @connected_app = Stytch::ConnectedApp.new(@connection)
       @discovery = StytchB2B::Discovery.new(@connection)
       @fraud = Stytch::Fraud.new(@fraud_connection)
+      @idp = StytchB2B::IDP.new(@connection, @project_id, @policy_cache)
       @impersonation = StytchB2B::Impersonation.new(@connection)
       @m2m = Stytch::M2M.new(@connection, @project_id, @is_b2b_client)
       @magic_links = StytchB2B::MagicLinks.new(@connection)

data/lib/stytch/b2b_idp.rb

@@ -1,37 +1,46 @@
 # frozen_string_literal: true
 
+# !!!
+# WARNING: This file is autogenerated
+# Only modify code within MANUAL() sections
+# or your changes may be overwritten later!
+# !!!
+
 require 'jwt'
 require 'json/jwt'
 require_relative 'errors'
 require_relative 'request_helper'
-require_relative 'rbac_local'
 
 module StytchB2B
   class IDP
     include Stytch::RequestHelper
+    attr_reader :oauth
 
     def initialize(connection, project_id, policy_cache)
       @connection = connection
-      @project_id = project_id
+
+      @oauth = StytchB2B::IDP::OAuth.new(@connection)
       @policy_cache = policy_cache
-      @non_custom_claim_keys = [
-        'aud',
-        'exp',
-        'iat',
-        'iss',
-        'jti',
-        'nbf',
-        'sub',
-        'active',
-        'client_id',
-        'request_id',
-        'scope',
-        'status_code',
-        'token_type',
-        'https://stytch.com/organization'
-      ]
+      @project_id = project_id
+      @cache_last_update = 0
+      @jwks_loader = lambda do |options|
+        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
+        @cached_keys ||= begin
+          @cache_last_update = Time.now.to_i
+          keys = []
+          get_jwks(project_id: @project_id)['keys'].each do |r|
+            keys << r
+          end
+          { keys: keys }
+        end
+      end
     end
 
+    # MANUAL(IDP::introspect_token_network)(SERVICE_METHOD)
+    # ADDIMPORT: require 'jwt'
+    # ADDIMPORT: require 'json/jwt'
+    # ADDIMPORT: require_relative 'errors'
+
     # Introspects a token JWT from an authorization code response.
     # Access tokens are JWTs signed with the project's JWKs. Refresh tokens are opaque tokens.
     # Access tokens contain a standard set of claims as well as any custom claims generated from templates.
@@ -105,7 +114,7 @@ module StytchB2B
 
       return nil unless jwt_response['active']
 
-      custom_claims = jwt_response.reject { |k, _| @non_custom_claim_keys.include?(k) }
+      custom_claims = jwt_response.reject { |k, _| non_custom_claim_keys.include?(k) }
       organization_claim = jwt_response['https://stytch.com/organization']
       organization_id = organization_claim['organization_id']
       scope = jwt_response['scope']
@@ -183,17 +192,6 @@ module StytchB2B
       scope_claim = 'scope'
       organization_claim = 'https://stytch.com/organization'
 
-      # Create a JWKS loader similar to other classes in the codebase
-      @cache_last_update = 0
-      jwks_loader = lambda do |options|
-        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
-        if @cached_keys.nil?
-          @cached_keys = get_jwks(project_id: @project_id)
-          @cache_last_update = Time.now.to_i
-        end
-        @cached_keys
-      end
-
       begin
         decoded_jwt = JWT.decode(
           access_token,
@@ -201,14 +199,14 @@ module StytchB2B
           true,
           {
             algorithms: ['RS256'],
-            jwks: jwks_loader,
+            jwks: @jwks_loader,
             iss: ["stytch.com/#{@project_id}", @connection.url_prefix],
             aud: @project_id
           }
         )[0]
 
         generic_claims = decoded_jwt
-        custom_claims = generic_claims.reject { |k, _| @non_custom_claim_keys.include?(k) }
+        custom_claims = generic_claims.reject { |k, _| non_custom_claim_keys.include?(k) }
         organization_claim_data = generic_claims[organization_claim]
         organization_id = organization_claim_data['organization_id']
         scope = generic_claims[scope_claim]
@@ -246,6 +244,27 @@ module StytchB2B
       end
     end
 
+    private
+
+    def non_custom_claim_keys
+      [
+        'aud',
+        'exp',
+        'iat',
+        'iss',
+        'jti',
+        'nbf',
+        'sub',
+        'active',
+        'client_id',
+        'request_id',
+        'scope',
+        'status_code',
+        'token_type',
+        'https://stytch.com/organization'
+      ]
+    end
+
     # Gets the JWKS for the project.
     #
     # == Parameters:
@@ -262,5 +281,226 @@ module StytchB2B
       request = request_with_query_params("/v1/b2b/sessions/jwks/#{project_id}", query_params)
       get_request(request, headers)
     end
+
+    # ENDMANUAL(IDP::introspect_token_network)
+
+    class OAuth
+      include Stytch::RequestHelper
+
+      def initialize(connection)
+        @connection = connection
+      end
+
+      # Initiates a request for authorization of a Connected App to access a Member's account.
+      #
+      # Call this endpoint using the query parameters from an OAuth Authorization request.
+      # This endpoint validates various fields (`scope`, `client_id`, `redirect_uri`, `prompt`, etc...) are correct and returns
+      # relevant information for rendering an OAuth Consent Screen.
+      #
+      # This endpoint returns:
+      # - A public representation of the Connected App requesting authorization
+      # - Whether _explicit_ consent must be granted before proceeding with the authorization
+      # - A list of scopes the Member has the ability to grant the Connected App
+      #
+      # Use this response to prompt the Member for consent (if necessary) before calling the [Submit OAuth Authorization](https://stytch.com/docs/b2b/api/connected-apps-oauth-authorize) endpoint.
+      #
+      # Exactly one of the following must be provided to identify the Member granting authorization:
+      # - `organization_id` + `member_id`
+      # - `session_token`
+      # - `session_jwt`
+      #
+      # If a `session_token` or `session_jwt` is passed, the OAuth Authorization will be linked to the Member's session for tracking purposes.
+      # One of these fields must be used if the Connected App intends to complete the [Exchange Access Token](https://stytch.com/docs/b2b/api/connected-app-access-token-exchange) flow.
+      #
+      # == Parameters:
+      # client_id::
+      #   The ID of the Connected App client.
+      #   The type of this field is +String+.
+      # redirect_uri::
+      #   The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow.  This field is required when using the `authorization_code` grant.
+      #   The type of this field is +String+.
+      # response_type::
+      #   The OAuth 2.0 response type. For authorization code flows this value is `code`.
+      #   The type of this field is +String+.
+      # scopes::
+      #   An array of scopes requested by the client.
+      #   The type of this field is list of +String+.
+      # organization_id::
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
+      #   The type of this field is nilable +String+.
+      # member_id::
+      #   Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.
+      #   The type of this field is nilable +String+.
+      # session_token::
+      #   A secret token for a given Stytch Session.
+      #   The type of this field is nilable +String+.
+      # session_jwt::
+      #   The JSON Web Token (JWT) for a given Stytch Session.
+      #   The type of this field is nilable +String+.
+      # prompt::
+      #   Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today.
+      #   The type of this field is nilable +String+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # member_id::
+      #   Globally unique UUID that identifies a specific Member.
+      #   The type of this field is +String+.
+      # member::
+      #   The [Member object](https://stytch.com/docs/b2b/api/member-object)
+      #   The type of this field is +Member+ (+object+).
+      # organization::
+      #   The [Organization object](https://stytch.com/docs/b2b/api/organization-object).
+      #   The type of this field is +Organization+ (+object+).
+      # client::
+      #   (no documentation yet)
+      #   The type of this field is +ConnectedAppPublic+ (+object+).
+      # consent_required::
+      #   Whether the user must provide explicit consent for the authorization request.
+      #   The type of this field is +Boolean+.
+      # scope_results::
+      #   Details about each requested scope.
+      #   The type of this field is list of +ScopeResult+ (+object+).
+      # status_code::
+      #   (no documentation yet)
+      #   The type of this field is +Integer+.
+      def authorize_start(
+        client_id:,
+        redirect_uri:,
+        response_type:,
+        scopes:,
+        organization_id: nil,
+        member_id: nil,
+        session_token: nil,
+        session_jwt: nil,
+        prompt: nil
+      )
+        headers = {}
+        request = {
+          client_id: client_id,
+          redirect_uri: redirect_uri,
+          response_type: response_type,
+          scopes: scopes
+        }
+        request[:organization_id] = organization_id unless organization_id.nil?
+        request[:member_id] = member_id unless member_id.nil?
+        request[:session_token] = session_token unless session_token.nil?
+        request[:session_jwt] = session_jwt unless session_jwt.nil?
+        request[:prompt] = prompt unless prompt.nil?
+
+        post_request('/v1/b2b/idp/oauth/authorize/start', request, headers)
+      end
+
+      # Completes a request for authorization of a Connected App to access a Member's account.
+      #
+      # Call this endpoint using the query parameters from an OAuth Authorization request, after previously validating those parameters using the
+      # [Preflight Check](https://stytch.com/docs/b2b/api/connected-apps-oauth-authorize-start) API.
+      # Note that this endpoint takes in a few additional parameters the preflight check does not- `state`, `nonce`, and `code_challenge`.
+      #
+      # If the authorization was successful, the `redirect_uri` will contain a valid `authorization_code` embedded as a query parameter.
+      # If the authorization was unsuccessful, the `redirect_uri` will contain an OAuth2.1 `error_code`.
+      # In both cases, redirect the Member to the location for the response to be consumed by the Connected App.
+      #
+      # Exactly one of the following must be provided to identify the Member granting authorization:
+      # - `organization_id` + `member_id`
+      # - `session_token`
+      # - `session_jwt`
+      #
+      # If a `session_token` or `session_jwt` is passed, the OAuth Authorization will be linked to the Member's session for tracking purposes.
+      # One of these fields must be used if the Connected App intends to complete the [Exchange Access Token](https://stytch.com/docs/b2b/api/connected-app-access-token-exchange) flow.
+      #
+      # == Parameters:
+      # consent_granted::
+      #   Indicates whether the user granted the requested scopes.
+      #   The type of this field is +Boolean+.
+      # scopes::
+      #   An array of scopes requested by the client.
+      #   The type of this field is list of +String+.
+      # client_id::
+      #   The ID of the Connected App client.
+      #   The type of this field is +String+.
+      # redirect_uri::
+      #   The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow.  This field is required when using the `authorization_code` grant.
+      #   The type of this field is +String+.
+      # response_type::
+      #   The OAuth 2.0 response type. For authorization code flows this value is `code`.
+      #   The type of this field is +String+.
+      # organization_id::
+      #   Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
+      #   The type of this field is nilable +String+.
+      # member_id::
+      #   Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.
+      #   The type of this field is nilable +String+.
+      # session_token::
+      #   A secret token for a given Stytch Session.
+      #   The type of this field is nilable +String+.
+      # session_jwt::
+      #   The JSON Web Token (JWT) for a given Stytch Session.
+      #   The type of this field is nilable +String+.
+      # prompt::
+      #   Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today.
+      #   The type of this field is nilable +String+.
+      # state::
+      #   An opaque value used to maintain state between the request and callback.
+      #   The type of this field is nilable +String+.
+      # nonce::
+      #   A string used to associate a client session with an ID token to mitigate replay attacks.
+      #   The type of this field is nilable +String+.
+      # code_challenge::
+      #   A base64url encoded challenge derived from the code verifier for PKCE flows.
+      #   The type of this field is nilable +String+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # redirect_uri::
+      #   The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow.  This field is required when using the `authorization_code` grant.
+      #   The type of this field is +String+.
+      # status_code::
+      #   (no documentation yet)
+      #   The type of this field is +Integer+.
+      # authorization_code::
+      #   A one-time use code that can be exchanged for tokens.
+      #   The type of this field is nilable +String+.
+      def authorize(
+        consent_granted:,
+        scopes:,
+        client_id:,
+        redirect_uri:,
+        response_type:,
+        organization_id: nil,
+        member_id: nil,
+        session_token: nil,
+        session_jwt: nil,
+        prompt: nil,
+        state: nil,
+        nonce: nil,
+        code_challenge: nil
+      )
+        headers = {}
+        request = {
+          consent_granted: consent_granted,
+          scopes: scopes,
+          client_id: client_id,
+          redirect_uri: redirect_uri,
+          response_type: response_type
+        }
+        request[:organization_id] = organization_id unless organization_id.nil?
+        request[:member_id] = member_id unless member_id.nil?
+        request[:session_token] = session_token unless session_token.nil?
+        request[:session_jwt] = session_jwt unless session_jwt.nil?
+        request[:prompt] = prompt unless prompt.nil?
+        request[:state] = state unless state.nil?
+        request[:nonce] = nonce unless nonce.nil?
+        request[:code_challenge] = code_challenge unless code_challenge.nil?
+
+        post_request('/v1/b2b/idp/oauth/authorize', request, headers)
+      end
+    end
   end
 end

data/lib/stytch/b2b_organizations.rb

@@ -1030,7 +1030,7 @@ module StytchB2B
       # If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.default-mfa-method` action on the `stytch.member` Resource. Alternatively, if the Member Session matches the Member associated with the `member_id` passed in the request, the authorization check will also allow a Member Session that has permission to perform the `update.settings.default-mfa-method` action on the `stytch.self` Resource.
       #   The type of this field is nilable +String+.
       # email_address::
-      #   Updates the Member's `email_address`, if provided.
+      #   Updates the Member's `email_address`, if provided. This will clear any existing passwords and require re-verification of the new email address.
       #         If a Member's email address is changed, other Members in the same Organization cannot use the old email address, although the Member may update back to their old email address.
       #         A Member's email address can only be useable again by other Members if the Member is deleted.
       #

data/lib/stytch/b2b_sessions.rb

@@ -436,15 +436,15 @@ module StytchB2B
     # Exchange an auth token issued by a trusted identity provider for a Stytch session. You must first register a Trusted Auth Token profile in the Stytch dashboard [here](https://stytch.com/dashboard/trusted-auth-tokens).  If a session token or session JWT is provided, it will add the trusted auth token as an authentication factor to the existing session.
     #
     # == Parameters:
-    # organization_id::
-    #   The organization ID that the session should be authenticated in.
-    #   The type of this field is +String+.
     # profile_id::
     #   The ID of the trusted auth token profile to use for attestation.
     #   The type of this field is +String+.
     # token::
     #   The trusted auth token to authenticate.
     #   The type of this field is +String+.
+    # organization_id::
+    #   The organization ID that the session should be authenticated in.
+    #   The type of this field is nilable +String+.
     # session_duration_minutes::
     #   Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,
     #   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of
@@ -503,9 +503,9 @@ module StytchB2B
     #   If a valid `telemetry_id` was passed in the request and the [Fingerprint Lookup API](https://stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member's device attributes.
     #   The type of this field is nilable +DeviceInfo+ (+object+).
     def attest(
-      organization_id:,
       profile_id:,
       token:,
+      organization_id: nil,
       session_duration_minutes: nil,
       session_custom_claims: nil,
       session_token: nil,
@@ -514,10 +514,10 @@ module StytchB2B
     )
       headers = {}
       request = {
-        organization_id: organization_id,
         profile_id: profile_id,
         token: token
       }
+      request[:organization_id] = organization_id unless organization_id.nil?
       request[:session_duration_minutes] = session_duration_minutes unless session_duration_minutes.nil?
       request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil?
       request[:session_token] = session_token unless session_token.nil?

data/lib/stytch/client.rb

@@ -28,7 +28,7 @@ module Stytch
   class Client
     ENVIRONMENTS = %i[live test].freeze
 
-    attr_reader :connected_app, :crypto_wallets, :fraud, :impersonation, :m2m, :magic_links, :oauth, :otps, :passwords, :project, :rbac, :sessions, :totps, :users, :webauthn, :idp
+    attr_reader :connected_app, :crypto_wallets, :fraud, :idp, :impersonation, :m2m, :magic_links, :oauth, :otps, :passwords, :project, :rbac, :sessions, :totps, :users, :webauthn
 
     def initialize(project_id:, secret:, env: nil, fraud_env: nil, &block)
       @api_host = api_host(env, project_id)
@@ -41,11 +41,11 @@ module Stytch
 
       rbac = Stytch::RBAC.new(@connection)
       @policy_cache = Stytch::PolicyCache.new(rbac_client: rbac)
-      @idp = Stytch::IDP.new(@connection, @project_id, @policy_cache)
 
       @connected_app = Stytch::ConnectedApp.new(@connection)
       @crypto_wallets = Stytch::CryptoWallets.new(@connection)
       @fraud = Stytch::Fraud.new(@fraud_connection)
+      @idp = Stytch::IDP.new(@connection, @project_id, @policy_cache)
       @impersonation = Stytch::Impersonation.new(@connection)
       @m2m = Stytch::M2M.new(@connection, @project_id, @is_b2b_client)
       @magic_links = Stytch::MagicLinks.new(@connection)

data/lib/stytch/idp.rb

@@ -1,36 +1,46 @@
 # frozen_string_literal: true
 
+# !!!
+# WARNING: This file is autogenerated
+# Only modify code within MANUAL() sections
+# or your changes may be overwritten later!
+# !!!
+
 require 'jwt'
 require 'json/jwt'
 require_relative 'errors'
 require_relative 'request_helper'
-require_relative 'rbac_local'
 
 module Stytch
   class IDP
     include Stytch::RequestHelper
+    attr_reader :oauth
 
     def initialize(connection, project_id, policy_cache)
       @connection = connection
-      @project_id = project_id
+
+      @oauth = Stytch::IDP::OAuth.new(@connection)
       @policy_cache = policy_cache
-      @non_custom_claim_keys = %w[
-        aud
-        exp
-        iat
-        iss
-        jti
-        nbf
-        sub
-        active
-        client_id
-        request_id
-        scope
-        status_code
-        token_type
-      ]
+      @project_id = project_id
+      @cache_last_update = 0
+      @jwks_loader = lambda do |options|
+        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
+        @cached_keys ||= begin
+          @cache_last_update = Time.now.to_i
+          keys = []
+          get_jwks(project_id: @project_id)['keys'].each do |r|
+            keys << r
+          end
+          { keys: keys }
+        end
+      end
     end
 
+    # MANUAL(IDP::introspect_token_network)(SERVICE_METHOD)
+    # ADDIMPORT: require 'jwt'
+    # ADDIMPORT: require 'json/jwt'
+    # ADDIMPORT: require_relative 'errors'
+
     # Introspects a token JWT from an authorization code response.
     # Access tokens are JWTs signed with the project's JWKs. Refresh tokens are opaque tokens.
     # Access tokens contain a standard set of claims as well as any custom claims generated from templates.
@@ -102,7 +112,7 @@ module Stytch
       jwt_response = res
       return nil unless jwt_response['active']
 
-      custom_claims = res.reject { |k, _| @non_custom_claim_keys.include?(k) }
+      custom_claims = res.reject { |k, _| non_custom_claim_keys.include?(k) }
       scope = jwt_response['scope']
 
       if authorization_check
@@ -171,18 +181,6 @@ module Stytch
       authorization_check: nil
     )
       scope_claim = 'scope'
-
-      # Create a JWKS loader similar to other classes in the codebase
-      @cache_last_update = 0
-      jwks_loader = lambda do |options|
-        @cached_keys = nil if options[:invalidate] && @cache_last_update < Time.now.to_i - 300
-        if @cached_keys.nil?
-          @cached_keys = get_jwks(project_id: @project_id)
-          @cache_last_update = Time.now.to_i
-        end
-        @cached_keys
-      end
-
       begin
         decoded_jwt = JWT.decode(
           access_token,
@@ -190,14 +188,14 @@ module Stytch
           true,
           {
             algorithms: ['RS256'],
-            jwks: jwks_loader,
+            jwks: @jwks_loader,
             iss: ["stytch.com/#{@project_id}", @connection.url_prefix],
             aud: @project_id
           }
         )[0]
 
         generic_claims = decoded_jwt
-        custom_claims = generic_claims.reject { |k, _| @non_custom_claim_keys.include?(k) }
+        custom_claims = generic_claims.reject { |k, _| non_custom_claim_keys.include?(k) }
         scope = generic_claims[scope_claim]
 
         if authorization_check
@@ -231,6 +229,26 @@ module Stytch
       end
     end
 
+    private
+
+    def non_custom_claim_keys
+      %w[
+        aud
+        exp
+        iat
+        iss
+        jti
+        nbf
+        sub
+        active
+        client_id
+        request_id
+        scope
+        status_code
+        token_type
+      ]
+    end
+
     # Gets the JWKS for the project.
     #
     # == Parameters:
@@ -247,5 +265,213 @@ module Stytch
       request = request_with_query_params("/v1/sessions/jwks/#{project_id}", query_params)
       get_request(request, headers)
     end
+
+    # ENDMANUAL(IDP::introspect_token_network)
+
+    class OAuth
+      include Stytch::RequestHelper
+
+      def initialize(connection)
+        @connection = connection
+      end
+
+      # Initiates a request for authorization of a Connected App to access a User's account.
+      #
+      # Call this endpoint using the query parameters from an OAuth Authorization request.
+      # This endpoint validates various fields (`scope`, `client_id`, `redirect_uri`, `prompt`, etc...) are correct and returns
+      # relevant information for rendering an OAuth Consent Screen.
+      #
+      # This endpoint returns:
+      # - A public representation of the Connected App requesting authorization
+      # - Whether _explicit_ user consent must be granted before proceeding with the authorization
+      # - A list of scopes the user has the ability to grant the Connected App
+      #
+      # Use this response to prompt the user for consent (if necessary) before calling the [Submit OAuth Authorization](https://stytch.com/docs/api/connected-apps-oauth-authorize) endpoint.
+      #
+      # Exactly one of the following must be provided to identify the user granting authorization:
+      # - `user_id`
+      # - `session_token`
+      # - `session_jwt`
+      #
+      # If a `session_token` or `session_jwt` is passed, the OAuth Authorization will be linked to the user's session for tracking purposes.
+      # One of these fields must be used if the Connected App intends to complete the [Exchange Access Token](https://stytch.com/docs/api/connected-app-access-token-exchange) flow.
+      #
+      # == Parameters:
+      # client_id::
+      #   The ID of the Connected App client.
+      #   The type of this field is +String+.
+      # redirect_uri::
+      #   The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow.  This field is required when using the `authorization_code` grant.
+      #   The type of this field is +String+.
+      # response_type::
+      #   The OAuth 2.0 response type. For authorization code flows this value is `code`.
+      #   The type of this field is +String+.
+      # scopes::
+      #   An array of scopes requested by the client.
+      #   The type of this field is list of +String+.
+      # user_id::
+      #   The unique ID of a specific User. You may use an `external_id` here if one is set for the user.
+      #   The type of this field is nilable +String+.
+      # session_token::
+      #   The `session_token` associated with a User's existing Session.
+      #   The type of this field is nilable +String+.
+      # session_jwt::
+      #   The `session_jwt` associated with a User's existing Session.
+      #   The type of this field is nilable +String+.
+      # prompt::
+      #   Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today.
+      #   The type of this field is nilable +String+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # user_id::
+      #   The unique ID of the affected User.
+      #   The type of this field is +String+.
+      # user::
+      #   The `user` object affected by this API call. See the [Get user endpoint](https://stytch.com/docs/api/get-user) for complete response field details.
+      #   The type of this field is +User+ (+object+).
+      # client::
+      #   (no documentation yet)
+      #   The type of this field is +ConnectedAppPublic+ (+object+).
+      # consent_required::
+      #   Whether the user must provide explicit consent for the authorization request.
+      #   The type of this field is +Boolean+.
+      # scope_results::
+      #   Details about each requested scope.
+      #   The type of this field is list of +ScopeResult+ (+object+).
+      # status_code::
+      #   (no documentation yet)
+      #   The type of this field is +Integer+.
+      def authorize_start(
+        client_id:,
+        redirect_uri:,
+        response_type:,
+        scopes:,
+        user_id: nil,
+        session_token: nil,
+        session_jwt: nil,
+        prompt: nil
+      )
+        headers = {}
+        request = {
+          client_id: client_id,
+          redirect_uri: redirect_uri,
+          response_type: response_type,
+          scopes: scopes
+        }
+        request[:user_id] = user_id unless user_id.nil?
+        request[:session_token] = session_token unless session_token.nil?
+        request[:session_jwt] = session_jwt unless session_jwt.nil?
+        request[:prompt] = prompt unless prompt.nil?
+
+        post_request('/v1/idp/oauth/authorize/start', request, headers)
+      end
+
+      # Completes a request for authorization of a Connected App to access a User's account.
+      #
+      # Call this endpoint using the query parameters from an OAuth Authorization request, after previously validating those parameters using the
+      # [Preflight Check](https://stytch.com/docs/api/connected-apps-oauth-authorize-start) API.
+      # Note that this endpoint takes in a few additional parameters the preflight check does not- `state`, `nonce`, and `code_challenge`.
+      #
+      # If the authorization was successful, the `redirect_uri` will contain a valid `authorization_code` embedded as a query parameter.
+      # If the authorization was unsuccessful, the `redirect_uri` will contain an OAuth2.1 `error_code`.
+      # In both cases, redirect the user to the location for the response to be consumed by the Connected App.
+      #
+      # Exactly one of the following must be provided to identify the user granting authorization:
+      # - `user_id`
+      # - `session_token`
+      # - `session_jwt`
+      #
+      # If a `session_token` or `session_jwt` is passed, the OAuth Authorization will be linked to the user's session for tracking purposes.
+      # One of these fields must be used if the Connected App intends to complete the [Exchange Access Token](https://stytch.com/docs/api/connected-app-access-token-exchange) flow.
+      #
+      # == Parameters:
+      # consent_granted::
+      #   Indicates whether the user granted the requested scopes.
+      #   The type of this field is +Boolean+.
+      # scopes::
+      #   An array of scopes requested by the client.
+      #   The type of this field is list of +String+.
+      # client_id::
+      #   The ID of the Connected App client.
+      #   The type of this field is +String+.
+      # redirect_uri::
+      #   The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow.  This field is required when using the `authorization_code` grant.
+      #   The type of this field is +String+.
+      # response_type::
+      #   The OAuth 2.0 response type. For authorization code flows this value is `code`.
+      #   The type of this field is +String+.
+      # user_id::
+      #   The unique ID of a specific User. You may use an `external_id` here if one is set for the user.
+      #   The type of this field is nilable +String+.
+      # session_token::
+      #   The `session_token` associated with a User's existing Session.
+      #   The type of this field is nilable +String+.
+      # session_jwt::
+      #   The `session_jwt` associated with a User's existing Session.
+      #   The type of this field is nilable +String+.
+      # prompt::
+      #   Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today.
+      #   The type of this field is nilable +String+.
+      # state::
+      #   An opaque value used to maintain state between the request and callback.
+      #   The type of this field is nilable +String+.
+      # nonce::
+      #   A string used to associate a client session with an ID token to mitigate replay attacks.
+      #   The type of this field is nilable +String+.
+      # code_challenge::
+      #   A base64url encoded challenge derived from the code verifier for PKCE flows.
+      #   The type of this field is nilable +String+.
+      #
+      # == Returns:
+      # An object with the following fields:
+      # request_id::
+      #   Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+      #   The type of this field is +String+.
+      # redirect_uri::
+      #   The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow.  This field is required when using the `authorization_code` grant.
+      #   The type of this field is +String+.
+      # status_code::
+      #   (no documentation yet)
+      #   The type of this field is +Integer+.
+      # authorization_code::
+      #   A one-time use code that can be exchanged for tokens.
+      #   The type of this field is nilable +String+.
+      def authorize(
+        consent_granted:,
+        scopes:,
+        client_id:,
+        redirect_uri:,
+        response_type:,
+        user_id: nil,
+        session_token: nil,
+        session_jwt: nil,
+        prompt: nil,
+        state: nil,
+        nonce: nil,
+        code_challenge: nil
+      )
+        headers = {}
+        request = {
+          consent_granted: consent_granted,
+          scopes: scopes,
+          client_id: client_id,
+          redirect_uri: redirect_uri,
+          response_type: response_type
+        }
+        request[:user_id] = user_id unless user_id.nil?
+        request[:session_token] = session_token unless session_token.nil?
+        request[:session_jwt] = session_jwt unless session_jwt.nil?
+        request[:prompt] = prompt unless prompt.nil?
+        request[:state] = state unless state.nil?
+        request[:nonce] = nonce unless nonce.nil?
+        request[:code_challenge] = code_challenge unless code_challenge.nil?
+
+        post_request('/v1/idp/oauth/authorize', request, headers)
+      end
+    end
   end
 end

data/lib/stytch/passwords.rb

@@ -327,7 +327,8 @@ module Stytch
     #   If a new user is created, this will set an identifier that can be used in API calls wherever a user_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters.
     #   The type of this field is nilable +String+.
     # roles::
-    #   (no documentation yet)
+    #   Roles to explicitly assign to this User.
+    #    See the [RBAC guide](https://stytch.com/docs/guides/rbac/role-assignment) for more information about role assignment.
     #   The type of this field is nilable list of +String+.
     #
     # == Returns:

data/lib/stytch/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Stytch
-  VERSION = '10.28.0'
+  VERSION = '10.29.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: stytch
 version: !ruby/object:Gem::Version
-  version: 10.28.0
+  version: 10.29.0
 platform: ruby
 authors:
 - stytch
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-08-12 00:00:00.000000000 Z
+date: 2025-08-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday