@logto/core-kit 2.6.1 → 2.7.1

package/lib/openid.d.ts

@@ -13,6 +13,12 @@ export declare enum ReservedResource {
      */
     Organization = "urn:logto:resource:organizations"
 }
+/**
+ * All extended claims for ID token that are controlled by tenant configuration.
+ * This is the single source of truth for which claims can be toggled on/off in ID tokens.
+ */
+export declare const extendedIdTokenClaims: readonly ["custom_data", "identities", "sso_identities", "roles", "organizations", "organization_data", "organization_roles"];
+export type ExtendedIdTokenClaim = (typeof extendedIdTokenClaims)[number];
 /**
  * A comprehensive list of all available user claims that can be used in SAML applications.
  * This array serves two purposes:
@@ -26,11 +32,11 @@ export declare enum ReservedResource {
  * Note: This array must include ALL possible values from `UserClaim` type.
  * TypeScript will throw error if any value is missing.
  */
-export declare const userClaimsList: readonly ["name", "given_name", "family_name", "middle_name", "nickname", "preferred_username", "profile", "picture", "website", "email", "email_verified", "gender", "birthdate", "zoneinfo", "locale", "phone_number", "phone_number_verified", "address", "updated_at", "username", "roles", "organizations", "organization_data", "organization_roles", "custom_data", "identities", "sso_identities", "created_at"];
+export declare const userClaimsList: readonly ["name", "given_name", "family_name", "middle_name", "nickname", "preferred_username", "profile", "picture", "website", "email", "email_verified", "gender", "birthdate", "zoneinfo", "locale", "phone_number", "phone_number_verified", "address", "updated_at", "username", "created_at", "custom_data", "identities", "sso_identities", "roles", "organizations", "organization_data", "organization_roles"];
 /**
  * Zod guard for `UserClaim` type, using `userClaimsList` as the single source of truth
  */
-export declare const userClaimGuard: z.ZodEnum<["name", "given_name", "family_name", "middle_name", "nickname", "preferred_username", "profile", "picture", "website", "email", "email_verified", "gender", "birthdate", "zoneinfo", "locale", "phone_number", "phone_number_verified", "address", "updated_at", "username", "roles", "organizations", "organization_data", "organization_roles", "custom_data", "identities", "sso_identities", "created_at"]>;
+export declare const userClaimGuard: z.ZodEnum<["name", "given_name", "family_name", "middle_name", "nickname", "preferred_username", "profile", "picture", "website", "email", "email_verified", "gender", "birthdate", "zoneinfo", "locale", "phone_number", "phone_number_verified", "address", "updated_at", "username", "created_at", "custom_data", "identities", "sso_identities", "roles", "organizations", "organization_data", "organization_roles"]>;
 export type UserClaim = z.infer<typeof userClaimGuard>;
 /**
  * Scopes for ID Token and Userinfo Endpoint.
@@ -39,68 +45,97 @@ export declare enum UserScope {
     /**
      * Scope for basic user info.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     Profile = "profile",
     /**
      * Scope for user email address.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     Email = "email",
     /**
      * Scope for user phone number.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     Phone = "phone",
     /**
      * Scope for user address.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     Address = "address",
     /**
      * Scope for user's custom data.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     CustomData = "custom_data",
     /**
      * Scope for user's social and SSO identity details.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     Identities = "identities",
     /**
      * Scope for user's roles.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     Roles = "roles",
     /**
      * Scope for user's organization IDs and perform organization token grant per [RFC 0001](https://github.com/logto-io/rfcs).
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     Organizations = "urn:logto:scope:organizations",
     /**
      * Scope for user's organization roles per [RFC 0001](https://github.com/logto-io/rfcs).
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
+     */
+    OrganizationRoles = "urn:logto:scope:organization_roles",
+    /**
+     * Scope for user's sessions.
+     *
+     * Only used for session management via account API.
+     * Not included in user claims, even when the scope is requested, as it's not meant for ID token or userinfo endpoint.
      */
-    OrganizationRoles = "urn:logto:scope:organization_roles"
+    Sessions = "urn:logto:scope:sessions"
 }
 /**
  * Mapped claims that ID Token includes.
  *
  * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims | OpenID Connect Core 1.0} for standard scope - claim mapping.
+ *
+ * Note: For scopes `Roles`, `Organizations`, `OrganizationRoles`, `CustomData`, and `Identities`,
+ * the claims are configured via `extendedIdTokenClaimsByScope` and are controlled by tenant settings.
  */
 export declare const idTokenClaims: Readonly<Record<UserScope, UserClaim[]>>;
 /**
- * Additional claims that Userinfo Endpoint returns.
+ * Extended claims for ID token grouped by scope, controlled by tenant configuration.
+ * These claims can be enabled or disabled in the ID token via tenant settings.
+ *
+ * @see {@link extendedIdTokenClaims} for the full list of extended claims.
+ * @see {@link idTokenClaims} for base claims always included in ID token.
+ * @see {@link userClaims} for all possible claims (used by userinfo endpoint).
+ */
+export declare const extendedIdTokenClaimsByScope: Readonly<Partial<Record<UserScope, ExtendedIdTokenClaim[]>>>;
+/**
+ * All possible claims for each scope, combining base ID token claims and extended claims.
+ *
+ * This mapping is used for:
+ * - OIDC provider claim configuration (to tell the provider which claims are available for each
+ *   scope)
+ * - Userinfo endpoint (always returns all claims regardless of tenant configuration)
+ * - SAML application attribute mapping (to determine which scope to request based on required
+ *   claims)
+ *
+ * Note: The actual claims returned in ID tokens are controlled by tenant configuration via
+ * {@link extendedIdTokenClaimsByScope}. See `getAcceptedUserClaims` in core for the filtering
+ * logic.
  */
-export declare const userinfoClaims: Readonly<Record<UserScope, UserClaim[]>>;
 export declare const userClaims: Readonly<Record<UserScope, UserClaim[]>>;
 /**
  * The prefix of the URN (Uniform Resource Name) for the organization in Logto.

package/lib/openid.js

@@ -15,6 +15,19 @@ export var ReservedResource;
      */
     ReservedResource["Organization"] = "urn:logto:resource:organizations";
 })(ReservedResource || (ReservedResource = {}));
+/**
+ * All extended claims for ID token that are controlled by tenant configuration.
+ * This is the single source of truth for which claims can be toggled on/off in ID tokens.
+ */
+export const extendedIdTokenClaims = [
+    'custom_data',
+    'identities',
+    'sso_identities',
+    'roles',
+    'organizations',
+    'organization_data',
+    'organization_roles',
+];
 /**
  * A comprehensive list of all available user claims that can be used in SAML applications.
  * This array serves two purposes:
@@ -50,15 +63,9 @@ export const userClaimsList = [
     'address',
     'updated_at',
     // Custom claims
-    'username',
-    'roles',
-    'organizations',
-    'organization_data',
-    'organization_roles',
-    'custom_data',
-    'identities',
-    'sso_identities',
-    'created_at',
+    'username', // Planned to be migrated into OIDC standard `preferred_username`, not configurable for now.
+    'created_at', // Follows the profile scope convention (always included). Not configurable for now, may change in the future.
+    ...extendedIdTokenClaims,
 ];
 /**
  * Zod guard for `UserClaim` type, using `userClaimsList` as the single source of truth
@@ -72,62 +79,72 @@ export var UserScope;
     /**
      * Scope for basic user info.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     UserScope["Profile"] = "profile";
     /**
      * Scope for user email address.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     UserScope["Email"] = "email";
     /**
      * Scope for user phone number.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     UserScope["Phone"] = "phone";
     /**
      * Scope for user address.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     UserScope["Address"] = "address";
     /**
      * Scope for user's custom data.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     UserScope["CustomData"] = "custom_data";
     /**
      * Scope for user's social and SSO identity details.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     UserScope["Identities"] = "identities";
     /**
      * Scope for user's roles.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     UserScope["Roles"] = "roles";
     /**
      * Scope for user's organization IDs and perform organization token grant per [RFC 0001](https://github.com/logto-io/rfcs).
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     UserScope["Organizations"] = "urn:logto:scope:organizations";
     /**
      * Scope for user's organization roles per [RFC 0001](https://github.com/logto-io/rfcs).
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     UserScope["OrganizationRoles"] = "urn:logto:scope:organization_roles";
+    /**
+     * Scope for user's sessions.
+     *
+     * Only used for session management via account API.
+     * Not included in user claims, even when the scope is requested, as it's not meant for ID token or userinfo endpoint.
+     */
+    UserScope["Sessions"] = "urn:logto:scope:sessions";
 })(UserScope || (UserScope = {}));
 /**
  * Mapped claims that ID Token includes.
  *
  * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims | OpenID Connect Core 1.0} for standard scope - claim mapping.
+ *
+ * Note: For scopes `Roles`, `Organizations`, `OrganizationRoles`, `CustomData`, and `Identities`,
+ * the claims are configured via `extendedIdTokenClaimsByScope` and are controlled by tenant settings.
  */
 export const idTokenClaims = Object.freeze({
     [UserScope.Profile]: [
@@ -153,32 +170,50 @@ export const idTokenClaims = Object.freeze({
     [UserScope.Email]: ['email', 'email_verified'],
     [UserScope.Phone]: ['phone_number', 'phone_number_verified'],
     [UserScope.Address]: ['address'],
-    [UserScope.Roles]: ['roles'],
-    [UserScope.Organizations]: ['organizations'],
-    [UserScope.OrganizationRoles]: ['organization_roles'],
+    // The following scopes have their claims controlled by tenant configuration
+    // via `extendedIdTokenClaimsByScope`. See below.
+    [UserScope.Roles]: [],
+    [UserScope.Organizations]: [],
+    [UserScope.OrganizationRoles]: [],
     [UserScope.CustomData]: [],
     [UserScope.Identities]: [],
+    [UserScope.Sessions]: [],
 });
 /**
- * Additional claims that Userinfo Endpoint returns.
+ * Extended claims for ID token grouped by scope, controlled by tenant configuration.
+ * These claims can be enabled or disabled in the ID token via tenant settings.
+ *
+ * @see {@link extendedIdTokenClaims} for the full list of extended claims.
+ * @see {@link idTokenClaims} for base claims always included in ID token.
+ * @see {@link userClaims} for all possible claims (used by userinfo endpoint).
  */
-export const userinfoClaims = Object.freeze({
-    [UserScope.Profile]: [],
-    [UserScope.Email]: [],
-    [UserScope.Phone]: [],
-    [UserScope.Address]: [],
-    [UserScope.Roles]: [],
-    [UserScope.Organizations]: ['organization_data'],
-    [UserScope.OrganizationRoles]: [],
+export const extendedIdTokenClaimsByScope = Object.freeze({
     [UserScope.CustomData]: ['custom_data'],
     [UserScope.Identities]: ['identities', 'sso_identities'],
+    [UserScope.Roles]: ['roles'],
+    [UserScope.Organizations]: ['organizations', 'organization_data'],
+    [UserScope.OrganizationRoles]: ['organization_roles'],
 });
+/**
+ * All possible claims for each scope, combining base ID token claims and extended claims.
+ *
+ * This mapping is used for:
+ * - OIDC provider claim configuration (to tell the provider which claims are available for each
+ *   scope)
+ * - Userinfo endpoint (always returns all claims regardless of tenant configuration)
+ * - SAML application attribute mapping (to determine which scope to request based on required
+ *   claims)
+ *
+ * Note: The actual claims returned in ID tokens are controlled by tenant configuration via
+ * {@link extendedIdTokenClaimsByScope}. See `getAcceptedUserClaims` in core for the filtering
+ * logic.
+ */
 export const userClaims = Object.freeze(
 // Hard to infer type directly, use `as` for a workaround.
 // eslint-disable-next-line no-restricted-syntax
 Object.fromEntries(Object.values(UserScope).map((current) => [
     current,
-    [...idTokenClaims[current], ...userinfoClaims[current]],
+    [...idTokenClaims[current], ...(extendedIdTokenClaimsByScope[current] ?? [])],
 ])));
 /**
  * The prefix of the URN (Uniform Resource Name) for the organization in Logto.

package/lib/regex.d.ts

@@ -12,3 +12,16 @@ export declare const noSpaceRegEx: RegExp;
 /** Full domain that consists of at least 3 parts, e.g. foo.bar.com or example-foo.bar.com */
 export declare const domainRegEx: RegExp;
 export declare const numberAndAlphabetRegEx: RegExp;
+/**
+ * Custom tenant ID validation rules.
+ * Used when creating tenants with custom IDs in private cloud regions.
+ */
+/** Maximum length for custom tenant ID */
+export declare const customTenantIdMaxLength = 21;
+/** Pattern for custom tenant ID: lowercase letters, numbers, and hyphens only */
+export declare const customTenantIdRegEx: RegExp;
+/**
+ * Validates a custom tenant ID format.
+ * @returns `true` if valid, `false` otherwise
+ */
+export declare const isValidCustomTenantId: (id: string) => boolean;

package/lib/regex.js

@@ -12,3 +12,18 @@ export const noSpaceRegEx = /^\S+$/;
 /** Full domain that consists of at least 3 parts, e.g. foo.bar.com or example-foo.bar.com */
 export const domainRegEx = /^[\dA-Za-z](?:[\dA-Za-z-]*[\dA-Za-z])?(?:\.[\dA-Za-z](?:[\dA-Za-z-]*[\dA-Za-z])?){2,}$/;
 export const numberAndAlphabetRegEx = /^[\dA-Za-z]+$/;
+/**
+ * Custom tenant ID validation rules.
+ * Used when creating tenants with custom IDs in private cloud regions.
+ */
+/** Maximum length for custom tenant ID */
+export const customTenantIdMaxLength = 21;
+/** Pattern for custom tenant ID: lowercase letters, numbers, and hyphens only */
+export const customTenantIdRegEx = /^[\da-z-]+$/;
+/**
+ * Validates a custom tenant ID format.
+ * @returns `true` if valid, `false` otherwise
+ */
+export const isValidCustomTenantId = (id) => {
+    return id.length <= customTenantIdMaxLength && customTenantIdRegEx.test(id);
+};

package/lib/utils/url.js

@@ -1,5 +1,11 @@
 import { mobileUriSchemeProtocolRegEx, webRedirectUriProtocolRegEx } from '../regex.js';
 export const validateRedirectUrl = (url, type) => {
+    if (type === 'web' && url.includes('*')) {
+        return validateWildcardWebRedirectUrl(url);
+    }
+    if (type === 'web' && hasDotSegmentsInAbsoluteUrlPath(url)) {
+        return false;
+    }
     try {
         const { protocol } = new URL(url);
         const protocolRegEx = type === 'mobile' ? mobileUriSchemeProtocolRegEx : webRedirectUriProtocolRegEx;
@@ -9,6 +15,82 @@ export const validateRedirectUrl = (url, type) => {
         return false;
     }
 };
+const validateWildcardWebRedirectUrl = (url) => {
+    const schemeSeparatorIndex = url.indexOf('://');
+    if (schemeSeparatorIndex <= 0) {
+        return false;
+    }
+    if (hasWildcardInScheme(url, schemeSeparatorIndex)) {
+        return false;
+    }
+    if (hasWildcardInQueryOrHash(url)) {
+        return false;
+    }
+    const authority = getAuthorityFromUrl(url, schemeSeparatorIndex);
+    if (!isAuthorityAllowedForWildcardWebRedirect(authority)) {
+        return false;
+    }
+    if (hasDotSegmentsInAbsoluteUrlPath(url)) {
+        return false;
+    }
+    return isUrlProtocolAllowedAfterWildcardReplacement(url);
+};
+const hasWildcardInScheme = (url, schemeSeparatorIndex) => url.slice(0, schemeSeparatorIndex).includes('*');
+const hasWildcardInQueryOrHash = (url) => {
+    // Disallow wildcards in query/hash to keep matching deterministic and safer.
+    const queryIndex = url.indexOf('?');
+    if (queryIndex >= 0 && url.slice(queryIndex).includes('*')) {
+        return true;
+    }
+    const hashIndex = url.indexOf('#');
+    return hashIndex >= 0 && url.slice(hashIndex).includes('*');
+};
+const getAuthorityFromUrl = (url, schemeSeparatorIndex) => url.slice(schemeSeparatorIndex + 3).split(/[#/?]/)[0] ?? '';
+const hasDotSegmentsInAbsoluteUrlPath = (url) => {
+    const schemeSeparatorIndex = url.indexOf('://');
+    if (schemeSeparatorIndex <= 0) {
+        return false;
+    }
+    const authority = getAuthorityFromUrl(url, schemeSeparatorIndex);
+    const afterAuthorityIndex = schemeSeparatorIndex + 3 + authority.length;
+    const rest = url.slice(afterAuthorityIndex);
+    const path = rest.split(/[#?]/)[0] ?? '';
+    if (!path) {
+        return false;
+    }
+    const segments = path.split('/');
+    return segments.some((segment) => {
+        const normalized = segment.toLowerCase();
+        return segment === '.' || segment === '..' || normalized === '%2e' || normalized === '%2e%2e';
+    });
+};
+const isAuthorityAllowedForWildcardWebRedirect = (authority) => {
+    // Disallow credentials in authority part.
+    if (authority.includes('@')) {
+        return false;
+    }
+    if (authority.startsWith('[')) {
+        // IPv6 literals are not a typical use-case for wildcard redirect URIs; reject for simplicity.
+        return false;
+    }
+    const lastColonIndex = authority.lastIndexOf(':');
+    const hasPort = lastColonIndex > -1 && authority.indexOf(':') === lastColonIndex;
+    const hostname = hasPort ? authority.slice(0, lastColonIndex) : authority;
+    // When wildcard is used in hostname, require at least one dot to avoid overly broad patterns.
+    if (hostname.includes('*') && !hostname.includes('.')) {
+        return false;
+    }
+    return !(hasPort && authority.slice(lastColonIndex + 1).includes('*'));
+};
+const isUrlProtocolAllowedAfterWildcardReplacement = (url) => {
+    try {
+        const parsed = new URL(url.replaceAll('*', 'wildcard'));
+        return webRedirectUriProtocolRegEx.test(parsed.protocol);
+    }
+    catch {
+        return false;
+    }
+};
 export const validateUriOrigin = (url) => {
     try {
         return new URL(url).origin === url;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/core-kit",
-  "version": "2.6.1",
+  "version": "2.7.1",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "homepage": "https://github.com/logto-io/toolkit#readme",
   "repository": {
@@ -12,15 +12,15 @@
   "main": "./lib/index.js",
   "exports": {
     ".": {
-      "default": "./lib/index.js",
       "types": "./lib/index.d.ts",
-      "import": "./lib/index.js"
+      "import": "./lib/index.js",
+      "default": "./lib/index.js"
     },
     "./declaration": "./declaration/index.ts",
     "./scss/*": "./scss/*.scss",
     "./custom-jwt": {
-      "node": "./lib/custom-jwt/index.js",
-      "types": "./lib/custom-jwt/index.d.ts"
+      "types": "./lib/custom-jwt/index.d.ts",
+      "node": "./lib/custom-jwt/index.js"
     }
   },
   "types": "./lib/index.d.ts",
@@ -36,7 +36,7 @@
     "@silverhand/essentials": "^2.9.1",
     "color": "^4.2.3",
     "@logto/language-kit": "^1.2.0",
-    "@logto/shared": "^3.3.0"
+    "@logto/shared": "^3.3.1"
   },
   "optionalDependencies": {
     "zod": "3.24.3"