@boxyhq/saml-jackson 1.2.2 → 1.3.0

package/dist/controller/connection/oidc.d.ts

@@ -0,0 +1,18 @@
+import { IConnectionAPIController, OIDCSSOConnection, Storable } from '../../typings';
+declare const oidc: {
+    create: (body: OIDCSSOConnection, connectionStore: Storable) => Promise<Partial<OIDCSSOConnection> & {
+        clientID: string;
+        clientSecret: string;
+        oidcProvider?: {
+            provider?: string | undefined;
+            discoveryUrl?: string | undefined;
+            clientId?: string | undefined;
+            clientSecret?: string | undefined;
+        } | undefined;
+    }>;
+    update: (body: OIDCSSOConnection & {
+        clientID: string;
+        clientSecret: string;
+    }, connectionStore: Storable, connectionsGetter: IConnectionAPIController['getConnections']) => Promise<void>;
+};
+export default oidc;

package/dist/controller/connection/oidc.js

@@ -0,0 +1,145 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __rest = (this && this.__rest) || function (s, e) {
+    var t = {};
+    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
+        t[p] = s[p];
+    if (s != null && typeof Object.getOwnPropertySymbols === "function")
+        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
+            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
+                t[p[i]] = s[p[i]];
+        }
+    return t;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const crypto_1 = __importDefault(require("crypto"));
+const dbutils = __importStar(require("../../db/utils"));
+const utils_1 = require("../utils");
+const error_1 = require("../error");
+const oidc = {
+    create: (body, connectionStore) => __awaiter(void 0, void 0, void 0, function* () {
+        const { defaultRedirectUrl, redirectUrl, tenant, product, name, description, oidcDiscoveryUrl = '', oidcClientId = '', oidcClientSecret = '', } = body;
+        let connectionClientSecret;
+        (0, utils_1.validateSSOConnection)(body, 'oidc');
+        const redirectUrlList = (0, utils_1.extractRedirectUrls)(redirectUrl);
+        (0, utils_1.validateRedirectUrl)({ defaultRedirectUrl, redirectUrlList });
+        const record = {
+            defaultRedirectUrl,
+            redirectUrl: redirectUrlList,
+            tenant,
+            product,
+            name,
+            description,
+            clientID: '',
+            clientSecret: '',
+        };
+        //  from OpenID Provider
+        record.oidcProvider = {
+            discoveryUrl: oidcDiscoveryUrl,
+            clientId: oidcClientId,
+            clientSecret: oidcClientSecret,
+        };
+        // extract provider
+        const providerName = (0, utils_1.extractHostName)(oidcDiscoveryUrl);
+        record.oidcProvider.provider = providerName ? providerName : 'Unknown';
+        // Use the clientId from the OpenID Provider to generate the clientID hash for the connection
+        record.clientID = dbutils.keyDigest(dbutils.keyFromParts(tenant, product, oidcClientId));
+        const exists = yield connectionStore.get(record.clientID);
+        if (exists) {
+            connectionClientSecret = exists.clientSecret;
+        }
+        else {
+            connectionClientSecret = crypto_1.default.randomBytes(24).toString('hex');
+        }
+        record.clientSecret = connectionClientSecret;
+        yield connectionStore.put(record.clientID, record, {
+            // secondary index on tenant + product
+            name: utils_1.IndexNames.TenantProduct,
+            value: dbutils.keyFromParts(tenant, product),
+        });
+        return record;
+    }),
+    update: (body, connectionStore, connectionsGetter) => __awaiter(void 0, void 0, void 0, function* () {
+        const { defaultRedirectUrl, redirectUrl, name, description, oidcDiscoveryUrl, oidcClientId, oidcClientSecret } = body, clientInfo = __rest(body, ["defaultRedirectUrl", "redirectUrl", "name", "description", "oidcDiscoveryUrl", "oidcClientId", "oidcClientSecret"]);
+        if (!(clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientID)) {
+            throw new error_1.JacksonError('Please provide clientID', 400);
+        }
+        if (!(clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientSecret)) {
+            throw new error_1.JacksonError('Please provide clientSecret', 400);
+        }
+        if (!(clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.tenant)) {
+            throw new error_1.JacksonError('Please provide tenant', 400);
+        }
+        if (!(clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.product)) {
+            throw new error_1.JacksonError('Please provide product', 400);
+        }
+        if (description && description.length > 100) {
+            throw new error_1.JacksonError('Description should not exceed 100 characters', 400);
+        }
+        const redirectUrlList = redirectUrl ? (0, utils_1.extractRedirectUrls)(redirectUrl) : null;
+        (0, utils_1.validateRedirectUrl)({ defaultRedirectUrl, redirectUrlList });
+        const _savedConnection = (yield connectionsGetter(clientInfo))[0];
+        if (_savedConnection.clientSecret !== (clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientSecret)) {
+            throw new error_1.JacksonError('clientSecret mismatch', 400);
+        }
+        let oidcProvider;
+        if (_savedConnection && typeof _savedConnection.oidcProvider === 'object') {
+            oidcProvider = Object.assign({}, _savedConnection.oidcProvider);
+            if (oidcClientId && typeof oidcClientId === 'string') {
+                const clientID = dbutils.keyDigest(dbutils.keyFromParts(clientInfo.tenant, clientInfo.product, oidcClientId));
+                if (clientID !== (clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientID)) {
+                    throw new error_1.JacksonError('Tenant/Product config mismatch with OIDC Provider metadata', 400);
+                }
+            }
+            if (oidcClientSecret && typeof oidcClientSecret === 'string') {
+                oidcProvider.clientSecret = oidcClientSecret;
+            }
+            if (oidcDiscoveryUrl && typeof oidcDiscoveryUrl === 'string') {
+                oidcProvider.discoveryUrl = oidcDiscoveryUrl;
+                const providerName = (0, utils_1.extractHostName)(oidcDiscoveryUrl);
+                oidcProvider.provider = providerName ? providerName : 'Unknown';
+            }
+        }
+        const record = Object.assign(Object.assign({}, _savedConnection), { name: name ? name : _savedConnection.name, description: description ? description : _savedConnection.description, defaultRedirectUrl: defaultRedirectUrl ? defaultRedirectUrl : _savedConnection.defaultRedirectUrl, redirectUrl: redirectUrlList ? redirectUrlList : _savedConnection.redirectUrl, oidcProvider: oidcProvider ? oidcProvider : _savedConnection.oidcProvider });
+        yield connectionStore.put(clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientID, record, {
+            // secondary index on tenant + product
+            name: utils_1.IndexNames.TenantProduct,
+            value: dbutils.keyFromParts(_savedConnection.tenant, _savedConnection.product),
+        });
+    }),
+};
+exports.default = oidc;

package/dist/controller/connection/saml.d.ts

@@ -0,0 +1,14 @@
+import { IConnectionAPIController, SAMLSSOConnection, SAMLSSOConnectionWithEncodedMetadata, SAMLSSOConnectionWithRawMetadata, Storable } from '../../typings';
+declare const saml: {
+    create: (body: SAMLSSOConnectionWithRawMetadata | SAMLSSOConnectionWithEncodedMetadata, connectionStore: Storable) => Promise<Partial<SAMLSSOConnection> & {
+        clientID: string;
+        clientSecret: string;
+        idpMetadata?: Record<string, any> | undefined;
+        certs?: Record<"publicKey" | "privateKey", string> | undefined;
+    }>;
+    update: (body: (SAMLSSOConnectionWithRawMetadata | SAMLSSOConnectionWithEncodedMetadata) & {
+        clientID: string;
+        clientSecret: string;
+    }, connectionStore: Storable, connectionsGetter: IConnectionAPIController['getConnections']) => Promise<void>;
+};
+export default saml;

package/dist/controller/connection/saml.js

@@ -0,0 +1,168 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __rest = (this && this.__rest) || function (s, e) {
+    var t = {};
+    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
+        t[p] = s[p];
+    if (s != null && typeof Object.getOwnPropertySymbols === "function")
+        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
+            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
+                t[p[i]] = s[p[i]];
+        }
+    return t;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const crypto_1 = __importDefault(require("crypto"));
+const dbutils = __importStar(require("../../db/utils"));
+const utils_1 = require("../utils");
+const saml20_1 = __importDefault(require("@boxyhq/saml20"));
+const x509_1 = __importDefault(require("../../saml/x509"));
+const error_1 = require("../error");
+const saml = {
+    create: (body, connectionStore) => __awaiter(void 0, void 0, void 0, function* () {
+        const { encodedRawMetadata, rawMetadata, defaultRedirectUrl, redirectUrl, tenant, product, name, description, } = body;
+        const forceAuthn = body.forceAuthn == 'true' || body.forceAuthn == true;
+        let connectionClientSecret;
+        (0, utils_1.validateSSOConnection)(body, 'saml');
+        const redirectUrlList = (0, utils_1.extractRedirectUrls)(redirectUrl);
+        (0, utils_1.validateRedirectUrl)({ defaultRedirectUrl, redirectUrlList });
+        const record = {
+            defaultRedirectUrl,
+            redirectUrl: redirectUrlList,
+            tenant,
+            product,
+            name,
+            description,
+            clientID: '',
+            clientSecret: '',
+            forceAuthn,
+        };
+        let metaData = rawMetadata;
+        if (encodedRawMetadata) {
+            metaData = Buffer.from(encodedRawMetadata, 'base64').toString();
+        }
+        const idpMetadata = yield saml20_1.default.parseMetadata(metaData, {});
+        // extract provider
+        let providerName = (0, utils_1.extractHostName)(idpMetadata.entityID);
+        if (!providerName) {
+            providerName = (0, utils_1.extractHostName)(idpMetadata.sso.redirectUrl || idpMetadata.sso.postUrl);
+        }
+        idpMetadata.provider = providerName ? providerName : 'Unknown';
+        record.clientID = dbutils.keyDigest(dbutils.keyFromParts(tenant, product, idpMetadata.entityID));
+        const certs = yield x509_1.default.generate();
+        if (!certs) {
+            throw new Error('Error generating x509 certs');
+        }
+        record.idpMetadata = idpMetadata;
+        record.certs = certs;
+        const exists = yield connectionStore.get(record.clientID);
+        if (exists) {
+            connectionClientSecret = exists.clientSecret;
+        }
+        else {
+            connectionClientSecret = crypto_1.default.randomBytes(24).toString('hex');
+        }
+        record.clientSecret = connectionClientSecret;
+        yield connectionStore.put(record.clientID, record, {
+            name: utils_1.IndexNames.EntityID,
+            value: idpMetadata.entityID,
+        }, {
+            // secondary index on tenant + product
+            name: utils_1.IndexNames.TenantProduct,
+            value: dbutils.keyFromParts(tenant, product),
+        });
+        return record;
+    }),
+    update: (body, connectionStore, connectionsGetter) => __awaiter(void 0, void 0, void 0, function* () {
+        const { encodedRawMetadata, // could be empty
+        rawMetadata, // could be empty
+        defaultRedirectUrl, redirectUrl, name, description, forceAuthn = false } = body, clientInfo = __rest(body, ["encodedRawMetadata", "rawMetadata", "defaultRedirectUrl", "redirectUrl", "name", "description", "forceAuthn"]);
+        if (!(clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientID)) {
+            throw new error_1.JacksonError('Please provide clientID', 400);
+        }
+        if (!(clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientSecret)) {
+            throw new error_1.JacksonError('Please provide clientSecret', 400);
+        }
+        if (!(clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.tenant)) {
+            throw new error_1.JacksonError('Please provide tenant', 400);
+        }
+        if (!(clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.product)) {
+            throw new error_1.JacksonError('Please provide product', 400);
+        }
+        if (description && description.length > 100) {
+            throw new error_1.JacksonError('Description should not exceed 100 characters', 400);
+        }
+        const redirectUrlList = redirectUrl ? (0, utils_1.extractRedirectUrls)(redirectUrl) : null;
+        (0, utils_1.validateRedirectUrl)({ defaultRedirectUrl, redirectUrlList });
+        const _savedConnection = (yield connectionsGetter(clientInfo))[0];
+        if (_savedConnection.clientSecret !== (clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientSecret)) {
+            throw new error_1.JacksonError('clientSecret mismatch', 400);
+        }
+        let metaData = rawMetadata;
+        if (encodedRawMetadata) {
+            metaData = Buffer.from(encodedRawMetadata, 'base64').toString();
+        }
+        let newMetadata;
+        if (metaData) {
+            newMetadata = yield saml20_1.default.parseMetadata(metaData, {});
+            // extract provider
+            let providerName = (0, utils_1.extractHostName)(newMetadata.entityID);
+            if (!providerName) {
+                providerName = (0, utils_1.extractHostName)(newMetadata.sso.redirectUrl || newMetadata.sso.postUrl);
+            }
+            newMetadata.provider = providerName ? providerName : 'Unknown';
+        }
+        if (newMetadata) {
+            // check if clientID matches with new metadata payload
+            const clientID = dbutils.keyDigest(dbutils.keyFromParts(clientInfo.tenant, clientInfo.product, newMetadata.entityID));
+            if (clientID !== (clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientID)) {
+                throw new error_1.JacksonError('Tenant/Product config mismatch with IdP metadata', 400);
+            }
+        }
+        const record = Object.assign(Object.assign({}, _savedConnection), { name: name ? name : _savedConnection.name, description: description ? description : _savedConnection.description, idpMetadata: newMetadata ? newMetadata : _savedConnection.idpMetadata, defaultRedirectUrl: defaultRedirectUrl ? defaultRedirectUrl : _savedConnection.defaultRedirectUrl, redirectUrl: redirectUrlList ? redirectUrlList : _savedConnection.redirectUrl, forceAuthn });
+        yield connectionStore.put(clientInfo === null || clientInfo === void 0 ? void 0 : clientInfo.clientID, record, {
+            // secondary index on entityID
+            name: utils_1.IndexNames.EntityID,
+            value: _savedConnection.idpMetadata.entityID,
+        }, {
+            // secondary index on tenant + product
+            name: utils_1.IndexNames.TenantProduct,
+            value: dbutils.keyFromParts(_savedConnection.tenant, _savedConnection.product),
+        });
+    }),
+};
+exports.default = saml;

package/dist/controller/logout.d.ts

@@ -1,10 +1,10 @@
 import { SAMLResponsePayload, SLORequestParams } from '../typings';
 export declare class LogoutController {
-    private configStore;
+    private connectionStore;
     private sessionStore;
     private opts;
-    constructor({ configStore, sessionStore, opts }: {
-        configStore: any;
+    constructor({ connectionStore, sessionStore, opts }: {
+        connectionStore: any;
         sessionStore: any;
         opts: any;
     });

package/dist/controller/logout.js

@@ -50,29 +50,29 @@ const deflateRawAsync = (0, util_1.promisify)(zlib_1.deflateRaw);
 const relayStatePrefix = 'boxyhq_jackson_';
 const logoutXPath = "/*[local-name(.)='LogoutRequest']";
 class LogoutController {
-    constructor({ configStore, sessionStore, opts }) {
+    constructor({ connectionStore, sessionStore, opts }) {
         this.opts = opts;
-        this.configStore = configStore;
+        this.connectionStore = connectionStore;
         this.sessionStore = sessionStore;
     }
     // Create SLO Request
     createRequest({ nameId, tenant, product, redirectUrl }) {
         return __awaiter(this, void 0, void 0, function* () {
-            let samlConfig = null;
+            let samlConnection = null;
             if (tenant && product) {
-                const samlConfigs = yield this.configStore.getByIndex({
+                const samlConnections = yield this.connectionStore.getByIndex({
                     name: utils_1.IndexNames.TenantProduct,
                     value: dbutils.keyFromParts(tenant, product),
                 });
-                if (!samlConfigs || samlConfigs.length === 0) {
-                    throw new error_1.JacksonError('SAML configuration not found.', 403);
+                if (!samlConnections || samlConnections.length === 0) {
+                    throw new error_1.JacksonError('SAML connection not found.', 403);
                 }
-                samlConfig = samlConfigs[0];
+                samlConnection = samlConnections[0];
             }
-            if (!samlConfig) {
-                throw new error_1.JacksonError('SAML configuration not found.', 403);
+            if (!samlConnection) {
+                throw new error_1.JacksonError('SAML connection not found.', 403);
             }
-            const { idpMetadata: { slo, provider }, certs: { privateKey, publicKey }, } = samlConfig;
+            const { idpMetadata: { slo, provider }, certs: { privateKey, publicKey }, } = samlConnection;
             if ('redirectUrl' in slo === false && 'postUrl' in slo === false) {
                 throw new error_1.JacksonError(`${provider} doesn't support SLO or disabled by IdP.`, 400);
             }
@@ -126,14 +126,14 @@ class LogoutController {
             if (parsedResponse.inResponseTo !== session.id) {
                 throw new error_1.JacksonError(`SLO failed with mismatched request ID.`, 400);
             }
-            const samlConfigs = yield this.configStore.getByIndex({
+            const samlConnections = yield this.connectionStore.getByIndex({
                 name: utils_1.IndexNames.EntityID,
                 value: parsedResponse.issuer,
             });
-            if (!samlConfigs || samlConfigs.length === 0) {
-                throw new error_1.JacksonError('SAML configuration not found.', 403);
+            if (!samlConnections || samlConnections.length === 0) {
+                throw new error_1.JacksonError('SAML connection not found.', 403);
             }
-            const { idpMetadata, defaultRedirectUrl } = samlConfigs[0];
+            const { idpMetadata, defaultRedirectUrl } = samlConnections[0];
             if (!(yield saml20_1.default.validateSignature(rawResponse, null, idpMetadata.thumbprint))) {
                 throw new error_1.JacksonError('Invalid signature.', 403);
             }

package/dist/controller/oauth.d.ts

@@ -1,19 +1,19 @@
-import { IOAuthController, OAuthReqBody, OAuthTokenReq, OAuthTokenRes, Profile, SAMLResponsePayload } from '../typings';
+import type { OIDCAuthzResponsePayload, IOAuthController, OAuthReq, OAuthTokenReq, OAuthTokenRes, Profile, SAMLResponsePayload } from '../typings';
 export declare class OAuthController implements IOAuthController {
-    private configStore;
+    private connectionStore;
     private sessionStore;
     private codeStore;
     private tokenStore;
     private opts;
-    constructor({ configStore, sessionStore, codeStore, tokenStore, opts }: {
-        configStore: any;
+    constructor({ connectionStore, sessionStore, codeStore, tokenStore, opts }: {
+        connectionStore: any;
         sessionStore: any;
         codeStore: any;
         tokenStore: any;
         opts: any;
     });
-    private resolveMultipleConfigMatches;
-    authorize(body: OAuthReqBody): Promise<{
+    private resolveMultipleConnectionMatches;
+    authorize(body: OAuthReq): Promise<{
         redirect_url?: string;
         authorize_form?: string;
     }>;
@@ -21,6 +21,10 @@ export declare class OAuthController implements IOAuthController {
         redirect_url?: string;
         app_select_form?: string;
     }>;
+    private extractOIDCUserProfile;
+    oidcAuthzResponse(body: OIDCAuthzResponsePayload): Promise<{
+        redirect_url?: string;
+    }>;
     /**
      * @swagger
      *
@@ -42,13 +46,17 @@ export declare class OAuthController implements IOAuthController {
      *       - name: client_id
      *         in: formData
      *         type: string
-     *         description: Use the client_id returned by the SAML config API
+     *         description: Use the client_id returned by the SAML connection API
      *         required: true
      *       - name: client_secret
      *         in: formData
      *         type: string
-     *         description: Use the client_secret returned by the SAML config API
+     *         description: Use the client_secret returned by the SAML connection API
      *         required: true
+     *       - name: code_verifier
+     *         in: formData
+     *         type: string
+     *         description: code_verifier against the code_challenge in the authz request (relevant to PKCE flow)
      *       - name: redirect_uri
      *         in: formData
      *         type: string
@@ -100,11 +108,21 @@ export declare class OAuthController implements IOAuthController {
      *               type: string
      *             lastName:
      *               type: string
+     *             raw:
+     *               type: object
+     *             requested:
+     *               type: object
      *           example:
      *             id: 32b5af58fdf
      *             email: jackson@coolstartup.com
      *             firstName: SAML
      *             lastName: Jackson
+     *             raw: {
+     *
+     *             }
+     *             requested: {
+     *
+     *             }
      */
     userInfo(token: string): Promise<Profile>;
 }