@epilot/customer-portal-client 0.39.0 → 0.39.2

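--- a/package/dist/openapi.d.ts
+++ b/package/dist/openapi.d.ts
@@ -3387,6 +3387,14 @@ declare namespace Components {
  * Optional path to the data (array) in the response. If omitted, the data is assumed to be on the top level.
  */
  dataPath?: string;
+ /**
+ * Optional path to a human-readable error message in the third-party response body, used when the call fails (non-2xx status).
+ * If specified and the path resolves to a string, that message is forwarded to the end user instead of a generic error.
+ *
+ * example:
+ * error.message
+ */
+ errorMessagePath?: string;
  };
  /**
  * Deprecated. Prefer `secure_proxy` instead.
@@ -3516,6 +3524,14 @@ declare namespace Components {
  * Optional path to the data (array) in the response. If omitted, the data is assumed to be on the top level.
  */
  dataPath?: string;
+ /**
+ * Optional path to a human-readable error message in the third-party response body, used when the call fails (non-2xx status).
+ * If specified and the path resolves to a string, that message is forwarded to the end user instead of a generic error.
+ *
+ * example:
+ * error.message
+ */
+ errorMessagePath?: string;
  };
  /**
  * Deprecated. Prefer `secure_proxy` instead.
@@ -3569,6 +3585,16 @@ declare namespace Components {
  [name: string]: string;
  };
  };
+ resolved?: {
+ /**
+ * Optional path to a human-readable error message in the third-party response body, used when the call fails (non-2xx status).
+ * If specified and the path resolves to a string, that message is forwarded to the end user instead of a generic error.
+ *
+ * example:
+ * error.message
+ */
+ errorMessagePath?: string;
+ };
  /**
  * Deprecated. Prefer `secure_proxy` instead.
  * If true, requests are made from a set of static IP addresses and only allow connections to a set of allowed IP addresses. Get in touch with us to add your IP addresses.
@@ -3662,6 +3688,14 @@ declare namespace Components {
  * {{CallResponse.data.lower_limit}}
  */
  lower_limit?: string;
+ /**
+ * Optional path to a human-readable error message in the third-party response body, used when the call fails (non-2xx status).
+ * If specified and the path resolves to a string, that message is forwarded to the end user instead of a generic error.
+ *
+ * example:
+ * error.message
+ */
+ errorMessagePath?: string;
  };
  /**
  * Deprecated. Prefer `secure_proxy` instead.
@@ -3712,6 +3746,14 @@ declare namespace Components {
  * Optional path to the data (array) in the response. If omitted, the data is assumed to be on the top level.
  */
  dataPath?: string;
+ /**
+ * Optional path to a human-readable error message in the third-party response body, used when the call fails (non-2xx status).
+ * If specified and the path resolves to a string, that message is forwarded to the end user instead of a generic error.
+ *
+ * example:
+ * error.message
+ */
+ errorMessagePath?: string;
  };
  /**
  * Deprecated. Prefer `secure_proxy` instead.
@@ -3824,6 +3866,14 @@ declare namespace Components {
  * Optional path to the metadata object in the response. If omitted, the metadata is assumed to be on the top level.
  */
  dataPath?: string;
+ /**
+ * Optional path to a human-readable error message in the third-party response body, used when the call fails (non-2xx status).
+ * If specified and the path resolves to a string, that message is forwarded to the end user instead of a generic error.
+ *
+ * example:
+ * error.message
+ */
+ errorMessagePath?: string;
  };
  /**
  * Deprecated. Prefer `secure_proxy` instead.
@@ -4564,8 +4614,9 @@ declare namespace Components {
  schema?: string;
  }
  /**
- * Mobile OIDC configuration. All string fields support env var interpolation
- * (incl. secrets) via mustache-like templates, e.g. `{{ env.MOBILE_CLIENT_SECRET }}`.
+ * Mobile OIDC configuration. Values are resolved at SSO invocation time, so the
+ * fields below may reference org env vars via mustache-like templates, e.g.
+ * `{{ env.MOBILE_CLIENT_SECRET }}`.
  *
  */
  export interface MoblieOIDCConfig {
@@ -4585,8 +4636,12 @@ declare namespace Components {
  client_secret?: string;
  }
  /**
- * OIDC provider configuration. All string fields support env var interpolation
- * (incl. secrets) via mustache-like templates, e.g. `{{ env.MY_PROVIDER_CLIENT_SECRET }}`.
+ * OIDC provider configuration. Values are resolved at SSO invocation time
+ * (login / callback), so the fields below may reference org env vars via
+ * mustache-like templates, e.g. `{{ env.MY_PROVIDER_CLIENT_SECRET }}`.
+ *
+ * Fields used to render the SSO buttons up-front (`ProviderConfig.slug`,
+ * `ProviderConfig.display_name`) are NOT interpolated and must be literal.
  *
  */
  export interface OIDCProviderConfig {
@@ -4634,6 +4689,10 @@ declare namespace Components {
  prompt?: "login" | "select_account" | "consent";
  }
  export interface OIDCProviderMetadata {
+ /**
+ * Response modes the provider accepts (e.g. `form_post` for Apple)
+ */
+ response_modes_supported?: ("form_post" | "fragment" | "query")[];
  /**
  * URL of the authorization endpoint
  * example:
@@ -4689,47 +4748,6 @@ declare namespace Components {
  */
  test_auth_password?: string;
  }
- /**
- * Public OIDC provider configuration. Same as OIDCProviderConfig but never includes
- * the `client_secret` field — it is kept server-side and only used to exchange the
- * authorization code at the SSO callback. String fields are returned with env var
- * placeholders already resolved when fetched via `GET /v2/portal/public/sso/providers/{provider_slug}`.
- *
- */
- export interface OIDCProviderPublicConfig {
- type?: "authorization_code" | "implicit";
- /**
- * Issuing Authority URL
- * example:
- * https://login.microsoftonline.com/33d4f3e5-3df2-421e-b92e-a63cfa680a88/v2.0
- */
- oidc_issuer: string;
- /**
- * Redirect URI for the OIDC flow
- * example:
- * https://customer-portal.com/login
- */
- redirect_uri?: string;
- /**
- * example:
- * ab81daf8-8b1f-42d6-94ca-c51621054c75
- */
- client_id: string;
- /**
- * Whether the client secret is present (the value itself is kept server-side)
- * example:
- * true
- */
- has_client_secret?: boolean;
- /**
- * Space-separated list of OAuth 2.0 scopes to request from OpenID Connect
- * example:
- * openid email
- */
- scope: string;
- metadata?: OIDCProviderMetadata;
- prompt?: "login" | "select_account" | "consent";
- }
  /**
  * The opportunity entity
  */
@@ -5800,6 +5818,18 @@ declare namespace Components {
  */
  onPendingUser?: AdminUser[];
  };
+ /**
+ * SSO identity providers for the portal. When sent on a portal save (PUT/POST),
+ * the list is fully synced — incoming providers are upserted and any existing
+ * providers not in the list are deleted. Omit the field to leave SSO
+ * configuration unchanged; send an empty array to remove all providers.
+ *
+ * Each provider is persisted verbatim — `oidc_config.client_secret` is stored
+ * as sent. Customers are encouraged to reference an org env secret via
+ * `{{ env.VAR }}` rather than embed raw values.
+ *
+ */
+ identity_providers?: ProviderPublicConfig[];
  /**
  * Enable/Disable the portal access
  */
@@ -6273,7 +6303,6 @@ declare namespace Components {
  * Permissions granted to a portal user while accessing entities
  */
  grants?: Grant[];
- identity_providers?: ProviderPublicConfig[];
  pages?: Page[];
  }
  /**
@@ -6477,14 +6506,19 @@ declare namespace Components {
  attribute_mappings?: /* Dictionary of epilot user attributes to claims */ AttributeMappingConfig;
  entity_matching?: /* Configuration for matching existing entities during SSO login using token claims */ EntityMatchingConfig;
  oidc_config?: /**
- * OIDC provider configuration. All string fields support env var interpolation
- * (incl. secrets) via mustache-like templates, e.g. `{{ env.MY_PROVIDER_CLIENT_SECRET }}`.
+ * OIDC provider configuration. Values are resolved at SSO invocation time
+ * (login / callback), so the fields below may reference org env vars via
+ * mustache-like templates, e.g. `{{ env.MY_PROVIDER_CLIENT_SECRET }}`.
+ *
+ * Fields used to render the SSO buttons up-front (`ProviderConfig.slug`,
+ * `ProviderConfig.display_name`) are NOT interpolated and must be literal.
  *
  */
  OIDCProviderConfig;
  mobile_oidc_config?: /**
- * Mobile OIDC configuration. All string fields support env var interpolation
- * (incl. secrets) via mustache-like templates, e.g. `{{ env.MOBILE_CLIENT_SECRET }}`.
+ * Mobile OIDC configuration. Values are resolved at SSO invocation time, so the
+ * fields below may reference org env vars via mustache-like templates, e.g.
+ * `{{ env.MOBILE_CLIENT_SECRET }}`.
  *
  */
  MoblieOIDCConfig;
@@ -6509,16 +6543,19 @@ declare namespace Components {
  */
  ProviderDisplayName;
  oidc_config?: /**
- * Public OIDC provider configuration. Same as OIDCProviderConfig but never includes
- * the `client_secret` field it is kept server-side and only used to exchange the
- * authorization code at the SSO callback. String fields are returned with env var
- * placeholders already resolved when fetched via `GET /v2/portal/public/sso/providers/{provider_slug}`.
+ * OIDC provider configuration. Values are resolved at SSO invocation time
+ * (login / callback), so the fields below may reference org env vars via
+ * mustache-like templates, e.g. `{{ env.MY_PROVIDER_CLIENT_SECRET }}`.
+ *
+ * Fields used to render the SSO buttons up-front (`ProviderConfig.slug`,
+ * `ProviderConfig.display_name`) are NOT interpolated and must be literal.
  *
  */
- OIDCProviderPublicConfig;
+ OIDCProviderConfig;
  mobile_oidc_config?: /**
- * Mobile OIDC configuration. All string fields support env var interpolation
- * (incl. secrets) via mustache-like templates, e.g. `{{ env.MOBILE_CLIENT_SECRET }}`.
+ * Mobile OIDC configuration. Values are resolved at SSO invocation time, so the
+ * fields below may reference org env vars via mustache-like templates, e.g.
+ * `{{ env.MOBILE_CLIENT_SECRET }}`.
  *
  */
  MoblieOIDCConfig;
@@ -7055,6 +7092,32 @@ declare namespace Components {
  */
  onPendingUser?: AdminUser[];
  };
+ /**
+ * SSO identity providers for the portal. When sent on a portal save (PUT/POST),
+ * the list is fully synced — incoming providers are upserted and any existing
+ * providers not in the list are deleted. Omit the field to leave SSO
+ * configuration unchanged; send an empty array to remove all providers.
+ *
+ * Each provider is persisted verbatim — `oidc_config.client_secret` is stored
+ * as sent. Customers are encouraged to reference an org env secret via
+ * `{{ env.VAR }}` rather than embed raw values.
+ *
+ */
+ identity_providers?: /**
+ * SSO identity provider configuration.
+ *
+ * Env var interpolation: only string fields under `oidc_config` and
+ * `mobile_oidc_config` (incl. their nested `metadata`) are passed through
+ * Liquid templating, so they may contain `{{ env.VAR }}` placeholders that
+ * get resolved at runtime against the organization's environment.
+ *
+ * The following fields are used as literal values and MUST NOT contain
+ * template syntax: `slug`, `display_name`, `provider_type`, all keys and
+ * values under `attribute_mappings` (used as JSONPath-like accessors into
+ * token claims), and all keys and values under `entity_matching`.
+ *
+ */
+ ProviderConfig[];
  }
  export interface UpsertPortalConfig {
  /**
@@ -7097,6 +7160,32 @@ declare namespace Components {
  */
  onPendingUser?: AdminUser[];
  };
+ /**
+ * SSO identity providers for the portal. When sent on a portal save (PUT/POST),
+ * the list is fully synced — incoming providers are upserted and any existing
+ * providers not in the list are deleted. Omit the field to leave SSO
+ * configuration unchanged; send an empty array to remove all providers.
+ *
+ * Each provider is persisted verbatim — `oidc_config.client_secret` is stored
+ * as sent. Customers are encouraged to reference an org env secret via
+ * `{{ env.VAR }}` rather than embed raw values.
+ *
+ */
+ identity_providers?: /**
+ * SSO identity provider configuration.
+ *
+ * Env var interpolation: only string fields under `oidc_config` and
+ * `mobile_oidc_config` (incl. their nested `metadata`) are passed through
+ * Liquid templating, so they may contain `{{ env.VAR }}` placeholders that
+ * get resolved at runtime against the organization's environment.
+ *
+ * The following fields are used as literal values and MUST NOT contain
+ * template syntax: `slug`, `display_name`, `provider_type`, all keys and
+ * values under `attribute_mappings` (used as JSONPath-like accessors into
+ * token claims), and all keys and values under `entity_matching`.
+ *
+ */
+ ProviderConfig[];
  /**
  * Enable/Disable the portal access
  */
@@ -7576,6 +7665,32 @@ declare namespace Components {
  */
  onPendingUser?: AdminUser[];
  };
+ /**
+ * SSO identity providers for the portal. When sent on a portal save (PUT/POST),
+ * the list is fully synced — incoming providers are upserted and any existing
+ * providers not in the list are deleted. Omit the field to leave SSO
+ * configuration unchanged; send an empty array to remove all providers.
+ *
+ * Each provider is persisted verbatim — `oidc_config.client_secret` is stored
+ * as sent. Customers are encouraged to reference an org env secret via
+ * `{{ env.VAR }}` rather than embed raw values.
+ *
+ */
+ identity_providers?: /**
+ * SSO identity provider configuration.
+ *
+ * Env var interpolation: only string fields under `oidc_config` and
+ * `mobile_oidc_config` (incl. their nested `metadata`) are passed through
+ * Liquid templating, so they may contain `{{ env.VAR }}` placeholders that
+ * get resolved at runtime against the organization's environment.
+ *
+ * The following fields are used as literal values and MUST NOT contain
+ * template syntax: `slug`, `display_name`, `provider_type`, all keys and
+ * values under `attribute_mappings` (used as JSONPath-like accessors into
+ * token claims), and all keys and values under `entity_matching`.
+ *
+ */
+ ProviderConfig[];
  /**
  * Enable/Disable the portal access
  */
@@ -10911,7 +11026,28 @@ declare namespace Paths {
  * Permissions granted to a portal user while accessing entities
  */
  grants?: Components.Schemas.Grant[];
- identity_providers?: Components.Schemas.ProviderPublicConfig[];
+ /**
+ * SSO identity providers configured for the portal. Includes raw
+ * `oidc_config.client_secret` values so the admin UI can round-trip
+ * them. Customers are encouraged to reference secrets via env
+ * templates (`{{ env.VAR }}`) rather than embed raw values.
+ *
+ */
+ identity_providers?: /**
+ * SSO identity provider configuration.
+ *
+ * Env var interpolation: only string fields under `oidc_config` and
+ * `mobile_oidc_config` (incl. their nested `metadata`) are passed through
+ * Liquid templating, so they may contain `{{ env.VAR }}` placeholders that
+ * get resolved at runtime against the organization's environment.
+ *
+ * The following fields are used as literal values and MUST NOT contain
+ * template syntax: `slug`, `display_name`, `provider_type`, all keys and
+ * values under `attribute_mappings` (used as JSONPath-like accessors into
+ * token claims), and all keys and values under `entity_matching`.
+ *
+ */
+ Components.Schemas.ProviderConfig[];
  certificate_details?: {
  /**
  * Status of the certificate
@@ -11426,7 +11562,28 @@ declare namespace Paths {
  * Permissions granted to a portal user while accessing entities
  */
  grants?: Components.Schemas.Grant[];
- identity_providers?: Components.Schemas.ProviderPublicConfig[];
+ /**
+ * SSO identity providers configured for the portal. Includes raw
+ * `oidc_config.client_secret` values so the admin UI can round-trip
+ * them. Customers are encouraged to reference secrets via env
+ * templates (`{{ env.VAR }}`) rather than embed raw values.
+ *
+ */
+ identity_providers?: /**
+ * SSO identity provider configuration.
+ *
+ * Env var interpolation: only string fields under `oidc_config` and
+ * `mobile_oidc_config` (incl. their nested `metadata`) are passed through
+ * Liquid templating, so they may contain `{{ env.VAR }}` placeholders that
+ * get resolved at runtime against the organization's environment.
+ *
+ * The following fields are used as literal values and MUST NOT contain
+ * template syntax: `slug`, `display_name`, `provider_type`, all keys and
+ * values under `attribute_mappings` (used as JSONPath-like accessors into
+ * token claims), and all keys and values under `entity_matching`.
+ *
+ */
+ Components.Schemas.ProviderConfig[];
  certificate_details?: {
  /**
  * Status of the certificate
@@ -17647,7 +17804,6 @@ export type MeterReadingWidget = Components.Schemas.MeterReadingWidget;
  export type MoblieOIDCConfig = Components.Schemas.MoblieOIDCConfig;
  export type OIDCProviderConfig = Components.Schemas.OIDCProviderConfig;
  export type OIDCProviderMetadata = Components.Schemas.OIDCProviderMetadata;
- export type OIDCProviderPublicConfig = Components.Schemas.OIDCProviderPublicConfig;
  export type Opportunity = Components.Schemas.Opportunity;
  export type Order = Components.Schemas.Order;
  export type OrganizationSettings = Components.Schemas.OrganizationSettings;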
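Review bot: The new `identity_providers` field on the portal-config responses (hunks `@@ -10911` and `@@ -11426`) documents that raw `oidc_config.client_secret` values are returned "so the admin UI can round-trip them", which turns a read of portal configuration into a secret-disclosure path: every principal and intermediary that can see the response (admin browser sessions, devtools/HAR exports, proxies, response logging) now receives the IdP client secret in clear. The deleted `OIDCProviderPublicConfig` (hunk `@@ -4689`) had the safer shape — a `has_client_secret` boolean with the value kept server-side — and since `ProviderConfig` also carries `mobile_oidc_config`, whose `MoblieOIDCConfig` declares `client_secret?` (hunk `@@ -4585`), that secret appears to be returned too although the comment does not mention it. Consider returning `has_client_secret` (or a fixed redaction marker) instead of the value and having the full-sync save keep the stored secret when the field is absent or equals the marker, so round-tripping no longer requires exposure; the `{{ env.VAR }}` advice reduces but does not remove the risk, because literal secrets remain accepted and "persisted verbatim". If the wire behaviour must stay, the doc comment should at least state that `mobile_oidc_config.client_secret` is returned as well and that this response must not be cached or logged.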
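--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@epilot/customer-portal-client",
- "version": "0.39.0",
+ "version": "0.39.2",
  "description": "API Client for epilot portal API",
  "main": "dist/index.js",
  "types": "dist/index.d.ts",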
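--- a/package/src/openapi.json
+++ b/package/src/openapi.json
@@ -1867,6 +1867,13 @@
  "example": "CAA_ERROR"
  }
  }
+ },
+ "identity_providers": {
+ "type": "array",
+ "description": "SSO identity providers configured for the portal. Includes raw\n`oidc_config.client_secret` values so the admin UI can round-trip\nthem. Customers are encouraged to reference secrets via env\ntemplates (`{{ env.VAR }}`) rather than embed raw values.\n",
+ "items": {
+ "$ref": "#/components/schemas/ProviderConfig"
+ }
  }
  }
  }
@@ -1994,6 +2001,13 @@
  "example": "CAA_ERROR"
  }
  }
+ },
+ "identity_providers": {
+ "type": "array",
+ "description": "SSO identity providers configured for the portal. Includes raw\n`oidc_config.client_secret` values so the admin UI can round-trip\nthem. Customers are encouraged to reference secrets via env\ntemplates (`{{ env.VAR }}`) rather than embed raw values.\n",
+ "items": {
+ "$ref": "#/components/schemas/ProviderConfig"
+ }
  }
  }
  }
@@ -7668,7 +7682,7 @@
  ],
  "responses": {
  "200": {
- "description": "Resolved public SSO provider configuration",
+ "description": "Resolved public SSO provider configuration. The handler strips `oidc_config.client_secret` from the response (kept server-side for the token exchange); the schema includes it for shape compatibility with the portal-config response.",
  "content": {
  "application/json": {
  "schema": {
@@ -10708,6 +10722,13 @@
  "description": "Default admin users for pending user notification to notify"
  }
  }
+ },
+ "identity_providers": {
+ "type": "array",
+ "description": "SSO identity providers for the portal. When sent on a portal save (PUT/POST),\nthe list is fully synced — incoming providers are upserted and any existing\nproviders not in the list are deleted. Omit the field to leave SSO\nconfiguration unchanged; send an empty array to remove all providers.\n\nEach provider is persisted verbatim — `oidc_config.client_secret` is stored\nas sent. Customers are encouraged to reference an org env secret via\n`{{ env.VAR }}` rather than embed raw values.\n",
+ "items": {
+ "$ref": "#/components/schemas/ProviderConfig"
+ }
  }
  }
  },
@@ -14859,6 +14880,11 @@
  "type": "string",
  "description": "Lower allowed limit of the meter reading",
  "example": "{{CallResponse.data.lower_limit}}"
+ },
+ "errorMessagePath": {
+ "type": "string",
+ "description": "Optional path to a human-readable error message in the third-party response body, used when the call fails (non-2xx status).\nIf specified and the path resolves to a string, that message is forwarded to the end user instead of a generic error.\n",
+ "example": "error.message"
  }
  }
  },
@@ -14938,6 +14964,11 @@
  "dataPath": {
  "type": "string",
  "description": "Optional path to the data (array) in the response. If omitted, the data is assumed to be on the top level."
+ },
+ "errorMessagePath": {
+ "type": "string",
+ "description": "Optional path to a human-readable error message in the third-party response body, used when the call fails (non-2xx status).\nIf specified and the path resolves to a string, that message is forwarded to the end user instead of a generic error.\n",
+ "example": "error.message"
  }
  }
  },
@@ -15016,6 +15047,11 @@
  "dataPath": {
  "type": "string",
  "description": "Optional path to the data (array) in the response. If omitted, the data is assumed to be on the top level."
+ },
+ "errorMessagePath": {
+ "type": "string",
+ "description": "Optional path to a human-readable error message in the third-party response body, used when the call fails (non-2xx status).\nIf specified and the path resolves to a string, that message is forwarded to the end user instead of a generic error.\n",
+ "example": "error.message"
  }
  }
  },
@@ -15095,6 +15131,16 @@
  "url"
  ]
  },
+ "resolved": {
+ "type": "object",
+ "properties": {
+ "errorMessagePath": {
+ "type": "string",
+ "description": "Optional path to a human-readable error message in the third-party response body, used when the call fails (non-2xx status).\nIf specified and the path resolves to a string, that message is forwarded to the end user instead of a generic error.\n",
+ "example": "error.message"
+ }
+ }
+ },
  "use_static_ips": {
  "type": "boolean",
  "deprecated": true,
@@ -15170,6 +15216,11 @@
  "dataPath": {
  "type": "string",
  "description": "Optional path to the metadata object in the response. If omitted, the metadata is assumed to be on the top level."
+ },
+ "errorMessagePath": {
+ "type": "string",
+ "description": "Optional path to a human-readable error message in the third-party response body, used when the call fails (non-2xx status).\nIf specified and the path resolves to a string, that message is forwarded to the end user instead of a generic error.\n",
+ "example": "error.message"
  }
  }
  },
@@ -15248,6 +15299,11 @@
  "dataPath": {
  "type": "string",
  "description": "Optional path to the data (array) in the response. If omitted, the data is assumed to be on the top level."
+ },
+ "errorMessagePath": {
+ "type": "string",
+ "description": "Optional path to a human-readable error message in the third-party response body, used when the call fails (non-2xx status).\nIf specified and the path resolves to a string, that message is forwarded to the end user instead of a generic error.\n",
+ "example": "error.message"
  }
  }
  },
@@ -15611,7 +15667,7 @@
  "$ref": "#/components/schemas/ProviderDisplayName"
  },
  "oidc_config": {
- "$ref": "#/components/schemas/OIDCProviderPublicConfig"
+ "$ref": "#/components/schemas/OIDCProviderConfig"
  },
  "mobile_oidc_config": {
  "$ref": "#/components/schemas/MoblieOIDCConfig"
@@ -15761,7 +15817,7 @@
  },
  "OIDCProviderConfig": {
  "type": "object",
- "description": "OIDC provider configuration. All string fields support env var interpolation\n(incl. secrets) via mustache-like templates, e.g. `{{ env.MY_PROVIDER_CLIENT_SECRET }}`.\n",
+ "description": "OIDC provider configuration. Values are resolved at SSO invocation time\n(login / callback), so the fields below may reference org env vars via\nmustache-like templates, e.g. `{{ env.MY_PROVIDER_CLIENT_SECRET }}`.\n\nFields used to render the SSO buttons up-front (`ProviderConfig.slug`,\n`ProviderConfig.display_name`) are NOT interpolated and must be literal.\n",
  "properties": {
  "type": {
  "type": "string",
@@ -15819,63 +15875,9 @@
  "scope"
  ]
  },
- "OIDCProviderPublicConfig": {
- "type": "object",
- "description": "Public OIDC provider configuration. Same as OIDCProviderConfig but never includes\nthe `client_secret` field — it is kept server-side and only used to exchange the\nauthorization code at the SSO callback. String fields are returned with env var\nplaceholders already resolved when fetched via `GET /v2/portal/public/sso/providers/{provider_slug}`.\n",
- "properties": {
- "type": {
- "type": "string",
- "enum": [
- "authorization_code",
- "implicit"
- ],
- "default": "implicit"
- },
- "oidc_issuer": {
- "type": "string",
- "description": "Issuing Authority URL",
- "example": "https://login.microsoftonline.com/33d4f3e5-3df2-421e-b92e-a63cfa680a88/v2.0"
- },
- "redirect_uri": {
- "type": "string",
- "description": "Redirect URI for the OIDC flow",
- "example": "https://customer-portal.com/login"
- },
- "client_id": {
- "type": "string",
- "example": "ab81daf8-8b1f-42d6-94ca-c51621054c75"
- },
- "has_client_secret": {
- "type": "boolean",
- "description": "Whether the client secret is present (the value itself is kept server-side)",
- "example": true
- },
- "scope": {
- "type": "string",
- "description": "Space-separated list of OAuth 2.0 scopes to request from OpenID Connect",
- "example": "openid email"
- },
- "metadata": {
- "$ref": "#/components/schemas/OIDCProviderMetadata"
- },
- "prompt": {
- "type": "string",
- "enum": [
- "login",
- "select_account",
- "consent"
- ]
- }
- },
- "required": [
- "oidc_issuer",
- "client_id",
- "scope"
- ]
- },
  "MoblieOIDCConfig": {
  "type": "object",
- "description": "Mobile OIDC configuration. All string fields support env var interpolation\n(incl. secrets) via mustache-like templates, e.g. `{{ env.MOBILE_CLIENT_SECRET }}`.\n",
+ "description": "Mobile OIDC configuration. Values are resolved at SSO invocation time, so the\nfields below may reference org env vars via mustache-like templates, e.g.\n`{{ env.MOBILE_CLIENT_SECRET }}`.\n",
  "properties": {
  "client_id": {
  "type": "string",
@@ -15892,6 +15894,18 @@
  "OIDCProviderMetadata": {
  "type": "object",
  "properties": {
+ "response_modes_supported": {
+ "type": "array",
+ "description": "Response modes the provider accepts (e.g. `form_post` for Apple)",
+ "items": {
+ "type": "string",
+ "enum": [
+ "form_post",
+ "fragment",
+ "query"
+ ]
+ }
+ },
  "authorization_endpoint": {
  "type": "string",
  "description": "URL of the authorization endpoint",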
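Review bot: With `OIDCProviderPublicConfig` deleted (hunk `@@ -15819`) and `ProviderPublicConfig.oidc_config` re-pointed at `OIDCProviderConfig` (hunk `@@ -15611`), the response schema of the unauthenticated `GET /v2/portal/public/sso/providers/{provider_slug}` now admits `client_secret`, and the new description (hunk `@@ -7668`) leaves its removal entirely to the handler — one missed code path or future field rename would leak an IdP secret to anonymous callers with nothing in the contract to catch it. OpenAPI 3.0 offers a fix that keeps the single schema: declare `"client_secret": { "type": "string", "writeOnly": true, ... }` in `OIDCProviderConfig` (and in `MoblieOIDCConfig`, whose `client_secret` property the d.ts in this same diff shows), so response validators and generated clients exclude it from responses while requests still accept it; alternatively restore a secret-free public schema, which also carried the useful `has_client_secret` flag. The description mentions stripping only `oidc_config.client_secret`; whether `mobile_oidc_config.client_secret` is stripped on this endpoint is not stated and should be confirmed and documented. A contract test asserting that the public response contains no `client_secret` key at any depth would make the stripping guarantee enforceable rather than documented.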