@logto/core-kit 2.7.0 → 2.7.1

package/lib/openid.d.ts

@@ -13,6 +13,12 @@ export declare enum ReservedResource {
      */
     Organization = "urn:logto:resource:organizations"
 }
+/**
+ * All extended claims for ID token that are controlled by tenant configuration.
+ * This is the single source of truth for which claims can be toggled on/off in ID tokens.
+ */
+export declare const extendedIdTokenClaims: readonly ["custom_data", "identities", "sso_identities", "roles", "organizations", "organization_data", "organization_roles"];
+export type ExtendedIdTokenClaim = (typeof extendedIdTokenClaims)[number];
 /**
  * A comprehensive list of all available user claims that can be used in SAML applications.
  * This array serves two purposes:
@@ -26,11 +32,11 @@ export declare enum ReservedResource {
  * Note: This array must include ALL possible values from `UserClaim` type.
  * TypeScript will throw error if any value is missing.
  */
-export declare const userClaimsList: readonly ["name", "given_name", "family_name", "middle_name", "nickname", "preferred_username", "profile", "picture", "website", "email", "email_verified", "gender", "birthdate", "zoneinfo", "locale", "phone_number", "phone_number_verified", "address", "updated_at", "username", "roles", "organizations", "organization_data", "organization_roles", "custom_data", "identities", "sso_identities", "created_at"];
+export declare const userClaimsList: readonly ["name", "given_name", "family_name", "middle_name", "nickname", "preferred_username", "profile", "picture", "website", "email", "email_verified", "gender", "birthdate", "zoneinfo", "locale", "phone_number", "phone_number_verified", "address", "updated_at", "username", "created_at", "custom_data", "identities", "sso_identities", "roles", "organizations", "organization_data", "organization_roles"];
 /**
  * Zod guard for `UserClaim` type, using `userClaimsList` as the single source of truth
  */
-export declare const userClaimGuard: z.ZodEnum<["name", "given_name", "family_name", "middle_name", "nickname", "preferred_username", "profile", "picture", "website", "email", "email_verified", "gender", "birthdate", "zoneinfo", "locale", "phone_number", "phone_number_verified", "address", "updated_at", "username", "roles", "organizations", "organization_data", "organization_roles", "custom_data", "identities", "sso_identities", "created_at"]>;
+export declare const userClaimGuard: z.ZodEnum<["name", "given_name", "family_name", "middle_name", "nickname", "preferred_username", "profile", "picture", "website", "email", "email_verified", "gender", "birthdate", "zoneinfo", "locale", "phone_number", "phone_number_verified", "address", "updated_at", "username", "created_at", "custom_data", "identities", "sso_identities", "roles", "organizations", "organization_data", "organization_roles"]>;
 export type UserClaim = z.infer<typeof userClaimGuard>;
 /**
  * Scopes for ID Token and Userinfo Endpoint.
@@ -39,68 +45,97 @@ export declare enum UserScope {
     /**
      * Scope for basic user info.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     Profile = "profile",
     /**
      * Scope for user email address.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     Email = "email",
     /**
      * Scope for user phone number.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     Phone = "phone",
     /**
      * Scope for user address.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     Address = "address",
     /**
      * Scope for user's custom data.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     CustomData = "custom_data",
     /**
      * Scope for user's social and SSO identity details.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     Identities = "identities",
     /**
      * Scope for user's roles.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     Roles = "roles",
     /**
      * Scope for user's organization IDs and perform organization token grant per [RFC 0001](https://github.com/logto-io/rfcs).
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     Organizations = "urn:logto:scope:organizations",
     /**
      * Scope for user's organization roles per [RFC 0001](https://github.com/logto-io/rfcs).
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
+     */
+    OrganizationRoles = "urn:logto:scope:organization_roles",
+    /**
+     * Scope for user's sessions.
+     *
+     * Only used for session management via account API.
+     * Not included in user claims, even when the scope is requested, as it's not meant for ID token or userinfo endpoint.
      */
-    OrganizationRoles = "urn:logto:scope:organization_roles"
+    Sessions = "urn:logto:scope:sessions"
 }
 /**
  * Mapped claims that ID Token includes.
  *
  * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims | OpenID Connect Core 1.0} for standard scope - claim mapping.
+ *
+ * Note: For scopes `Roles`, `Organizations`, `OrganizationRoles`, `CustomData`, and `Identities`,
+ * the claims are configured via `extendedIdTokenClaimsByScope` and are controlled by tenant settings.
  */
 export declare const idTokenClaims: Readonly<Record<UserScope, UserClaim[]>>;
 /**
- * Additional claims that Userinfo Endpoint returns.
+ * Extended claims for ID token grouped by scope, controlled by tenant configuration.
+ * These claims can be enabled or disabled in the ID token via tenant settings.
+ *
+ * @see {@link extendedIdTokenClaims} for the full list of extended claims.
+ * @see {@link idTokenClaims} for base claims always included in ID token.
+ * @see {@link userClaims} for all possible claims (used by userinfo endpoint).
+ */
+export declare const extendedIdTokenClaimsByScope: Readonly<Partial<Record<UserScope, ExtendedIdTokenClaim[]>>>;
+/**
+ * All possible claims for each scope, combining base ID token claims and extended claims.
+ *
+ * This mapping is used for:
+ * - OIDC provider claim configuration (to tell the provider which claims are available for each
+ *   scope)
+ * - Userinfo endpoint (always returns all claims regardless of tenant configuration)
+ * - SAML application attribute mapping (to determine which scope to request based on required
+ *   claims)
+ *
+ * Note: The actual claims returned in ID tokens are controlled by tenant configuration via
+ * {@link extendedIdTokenClaimsByScope}. See `getAcceptedUserClaims` in core for the filtering
+ * logic.
  */
-export declare const userinfoClaims: Readonly<Record<UserScope, UserClaim[]>>;
 export declare const userClaims: Readonly<Record<UserScope, UserClaim[]>>;
 /**
  * The prefix of the URN (Uniform Resource Name) for the organization in Logto.

package/lib/openid.js

@@ -15,6 +15,19 @@ export var ReservedResource;
      */
     ReservedResource["Organization"] = "urn:logto:resource:organizations";
 })(ReservedResource || (ReservedResource = {}));
+/**
+ * All extended claims for ID token that are controlled by tenant configuration.
+ * This is the single source of truth for which claims can be toggled on/off in ID tokens.
+ */
+export const extendedIdTokenClaims = [
+    'custom_data',
+    'identities',
+    'sso_identities',
+    'roles',
+    'organizations',
+    'organization_data',
+    'organization_roles',
+];
 /**
  * A comprehensive list of all available user claims that can be used in SAML applications.
  * This array serves two purposes:
@@ -50,15 +63,9 @@ export const userClaimsList = [
     'address',
     'updated_at',
     // Custom claims
-    'username',
-    'roles',
-    'organizations',
-    'organization_data',
-    'organization_roles',
-    'custom_data',
-    'identities',
-    'sso_identities',
-    'created_at',
+    'username', // Planned to be migrated into OIDC standard `preferred_username`, not configurable for now.
+    'created_at', // Follows the profile scope convention (always included). Not configurable for now, may change in the future.
+    ...extendedIdTokenClaims,
 ];
 /**
  * Zod guard for `UserClaim` type, using `userClaimsList` as the single source of truth
@@ -72,62 +79,72 @@ export var UserScope;
     /**
      * Scope for basic user info.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     UserScope["Profile"] = "profile";
     /**
      * Scope for user email address.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     UserScope["Email"] = "email";
     /**
      * Scope for user phone number.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     UserScope["Phone"] = "phone";
     /**
      * Scope for user address.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     UserScope["Address"] = "address";
     /**
      * Scope for user's custom data.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     UserScope["CustomData"] = "custom_data";
     /**
      * Scope for user's social and SSO identity details.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     UserScope["Identities"] = "identities";
     /**
      * Scope for user's roles.
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     UserScope["Roles"] = "roles";
     /**
      * Scope for user's organization IDs and perform organization token grant per [RFC 0001](https://github.com/logto-io/rfcs).
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     UserScope["Organizations"] = "urn:logto:scope:organizations";
     /**
      * Scope for user's organization roles per [RFC 0001](https://github.com/logto-io/rfcs).
      *
-     * See {@link idTokenClaims} for mapped claims in ID Token and {@link userinfoClaims} for additional claims in Userinfo Endpoint.
+     * See {@link userClaims} for mapped claims.
      */
     UserScope["OrganizationRoles"] = "urn:logto:scope:organization_roles";
+    /**
+     * Scope for user's sessions.
+     *
+     * Only used for session management via account API.
+     * Not included in user claims, even when the scope is requested, as it's not meant for ID token or userinfo endpoint.
+     */
+    UserScope["Sessions"] = "urn:logto:scope:sessions";
 })(UserScope || (UserScope = {}));
 /**
  * Mapped claims that ID Token includes.
  *
  * @see {@link https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims | OpenID Connect Core 1.0} for standard scope - claim mapping.
+ *
+ * Note: For scopes `Roles`, `Organizations`, `OrganizationRoles`, `CustomData`, and `Identities`,
+ * the claims are configured via `extendedIdTokenClaimsByScope` and are controlled by tenant settings.
  */
 export const idTokenClaims = Object.freeze({
     [UserScope.Profile]: [
@@ -153,32 +170,50 @@ export const idTokenClaims = Object.freeze({
     [UserScope.Email]: ['email', 'email_verified'],
     [UserScope.Phone]: ['phone_number', 'phone_number_verified'],
     [UserScope.Address]: ['address'],
-    [UserScope.Roles]: ['roles'],
-    [UserScope.Organizations]: ['organizations'],
-    [UserScope.OrganizationRoles]: ['organization_roles'],
+    // The following scopes have their claims controlled by tenant configuration
+    // via `extendedIdTokenClaimsByScope`. See below.
+    [UserScope.Roles]: [],
+    [UserScope.Organizations]: [],
+    [UserScope.OrganizationRoles]: [],
     [UserScope.CustomData]: [],
     [UserScope.Identities]: [],
+    [UserScope.Sessions]: [],
 });
 /**
- * Additional claims that Userinfo Endpoint returns.
+ * Extended claims for ID token grouped by scope, controlled by tenant configuration.
+ * These claims can be enabled or disabled in the ID token via tenant settings.
+ *
+ * @see {@link extendedIdTokenClaims} for the full list of extended claims.
+ * @see {@link idTokenClaims} for base claims always included in ID token.
+ * @see {@link userClaims} for all possible claims (used by userinfo endpoint).
  */
-export const userinfoClaims = Object.freeze({
-    [UserScope.Profile]: [],
-    [UserScope.Email]: [],
-    [UserScope.Phone]: [],
-    [UserScope.Address]: [],
-    [UserScope.Roles]: [],
-    [UserScope.Organizations]: ['organization_data'],
-    [UserScope.OrganizationRoles]: [],
+export const extendedIdTokenClaimsByScope = Object.freeze({
     [UserScope.CustomData]: ['custom_data'],
     [UserScope.Identities]: ['identities', 'sso_identities'],
+    [UserScope.Roles]: ['roles'],
+    [UserScope.Organizations]: ['organizations', 'organization_data'],
+    [UserScope.OrganizationRoles]: ['organization_roles'],
 });
+/**
+ * All possible claims for each scope, combining base ID token claims and extended claims.
+ *
+ * This mapping is used for:
+ * - OIDC provider claim configuration (to tell the provider which claims are available for each
+ *   scope)
+ * - Userinfo endpoint (always returns all claims regardless of tenant configuration)
+ * - SAML application attribute mapping (to determine which scope to request based on required
+ *   claims)
+ *
+ * Note: The actual claims returned in ID tokens are controlled by tenant configuration via
+ * {@link extendedIdTokenClaimsByScope}. See `getAcceptedUserClaims` in core for the filtering
+ * logic.
+ */
 export const userClaims = Object.freeze(
 // Hard to infer type directly, use `as` for a workaround.
 // eslint-disable-next-line no-restricted-syntax
 Object.fromEntries(Object.values(UserScope).map((current) => [
     current,
-    [...idTokenClaims[current], ...userinfoClaims[current]],
+    [...idTokenClaims[current], ...(extendedIdTokenClaimsByScope[current] ?? [])],
 ])));
 /**
  * The prefix of the URN (Uniform Resource Name) for the organization in Logto.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/core-kit",
-  "version": "2.7.0",
+  "version": "2.7.1",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "homepage": "https://github.com/logto-io/toolkit#readme",
   "repository": {