@logto/schemas 1.19.0 → 1.21.0

package/alterations/1.20.0-1723448981-personal-access-tokens.ts

@@ -0,0 +1,35 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table personal_access_tokens (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        user_id varchar(21) not null
+          references users (id) on update cascade on delete cascade,
+        /** The name of the secret. Should be unique within the user. */
+        name varchar(256) not null,
+        value varchar(64) not null,
+        created_at timestamptz not null default now(),
+        expires_at timestamptz,
+        primary key (tenant_id, user_id, name)
+      );
+
+      create index personal_access_token__value on personal_access_tokens (tenant_id, value);
+    `);
+    await applyTableRls(pool, 'personal_access_tokens');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'personal_access_tokens');
+    await pool.query(sql`
+      drop table personal_access_tokens;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.20.0-1724229102-add-report-sub-updates-cloud-scope.ts

@@ -0,0 +1,102 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { generateStandardId } from './utils/1716643968-id-generation.js';
+
+type Resource = {
+  tenantId: string;
+  id: string;
+  name: string;
+  indicator: string;
+  isDefault: boolean;
+};
+
+type Scope = {
+  tenantId: string;
+  id: string;
+  resourceId: string;
+  name: string;
+  description: string;
+};
+
+type Role = {
+  tenantId: string;
+  id: string;
+  name: string;
+  description: string;
+};
+
+const cloudApiIndicator = 'https://cloud.logto.io/api';
+
+const cloudConnectionAppRoleName = 'tenantApplication';
+
+const adminTenantId = 'admin';
+
+const reportSubscriptionUpdatesScopeName = 'report:subscription:updates';
+const reportSubscriptionUpdatesScopeDescription =
+  'Allow reporting changes on Stripe subscription to Logto Cloud.';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    // Get the Cloud API resource
+    const cloudApiResource = await pool.maybeOne<Resource>(sql`
+      select * from resources
+      where tenant_id = ${adminTenantId}
+      and indicator = ${cloudApiIndicator}
+    `);
+
+    if (!cloudApiResource) {
+      return;
+    }
+
+    // Get cloud connection application role
+    const tenantApplicationRole = await pool.one<Role>(sql`
+      select * from roles
+      where tenant_id = ${adminTenantId}
+      and name = ${cloudConnectionAppRoleName} and type = 'MachineToMachine'
+    `);
+
+    // Create the `report:subscription:updates` scope
+    const reportSubscriptionUpdatesCloudScope = await pool.one<Scope>(sql`
+      insert into scopes (id, tenant_id, resource_id, name, description)
+      values (${generateStandardId()}, ${adminTenantId}, ${
+        cloudApiResource.id
+      }, ${reportSubscriptionUpdatesScopeName}, ${reportSubscriptionUpdatesScopeDescription})
+      on conflict (tenant_id, name, resource_id) do nothing
+      returning *;
+    `);
+
+    // Assign the `report:subscription:updates` scope to cloud connection application role
+    await pool.query(sql`
+      insert into roles_scopes (id, tenant_id, role_id, scope_id)
+      values (${generateStandardId()}, ${adminTenantId}, ${tenantApplicationRole.id}, ${
+        reportSubscriptionUpdatesCloudScope.id
+      }) on conflict (tenant_id, role_id, scope_id) do nothing;
+    `);
+  },
+  down: async (pool) => {
+    // Get the Cloud API resource
+    const cloudApiResource = await pool.maybeOne<Resource>(sql`
+      select * from resources
+      where tenant_id = ${adminTenantId}
+      and indicator = ${cloudApiIndicator}
+    `);
+
+    if (!cloudApiResource) {
+      return;
+    }
+
+    // Remove the `report:subscription:updates` scope
+    await pool.query(sql`
+      delete from scopes
+      where
+        tenant_id = ${adminTenantId} and
+        name = ${reportSubscriptionUpdatesScopeName} and
+        description = ${reportSubscriptionUpdatesScopeDescription} and
+        resource_id = ${cloudApiResource.id}
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.20.0-1724316971-add-verified-identifier-to-verification-statuses.ts

@@ -0,0 +1,18 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table verification_statuses add column verified_identifier varchar(255);
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table verification_statuses drop column verified_identifier;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.20.0-1725971571-add-verification-record.ts

@@ -0,0 +1,35 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table verification_records (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        id varchar(21) not null,
+        user_id varchar(21)
+          references users (id) on update cascade on delete cascade,
+        created_at timestamptz not null default(now()),
+        expires_at timestamptz not null,
+        data jsonb /* @use VerificationRecordData */ not null default '{}'::jsonb,
+        primary key (id)
+      );
+
+      create index verification_records__id
+        on verification_records (tenant_id, id);
+    `);
+    await applyTableRls(pool, 'verification_records');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'verification_records');
+    await pool.query(sql`
+      drop table verification_records;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.21.0-1728357690-add-sso-connector-idp-initated-auth-configs-table.ts

@@ -0,0 +1,40 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table sso_connector_idp_initiated_auth_configs (
+        tenant_id varchar(21) not null 
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the SSO connector. */
+        connector_id varchar(128) not null
+          references sso_connectors (id) on update cascade on delete cascade,
+        /** The default Logto application id. */
+        default_application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        /** OIDC sign-in redirect URI. */
+        redirect_uri text,
+        /** Additional OIDC auth parameters. */
+        auth_parameters jsonb /* @use IdpInitiatedAuthParams */ not null default '{}'::jsonb,
+        created_at timestamptz not null default(now()),
+        primary key (tenant_id, connector_id),
+        /** Insure the application type is Traditional. */
+        constraint application_type
+          check (check_application_type(default_application_id, 'Traditional'))
+      );
+    `);
+    await applyTableRls(pool, 'sso_connector_idp_initiated_auth_configs');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'sso_connector_idp_initiated_auth_configs');
+    await pool.query(sql`
+      drop table sso_connector_idp_initiated_auth_configs;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.21.0-1728526649-add-idp-initiated-saml-sso-sessions-table.ts

@@ -0,0 +1,36 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table idp_initiated_saml_sso_sessions (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the assertion record. */
+        id varchar(21) not null,
+        /** The identifier of the SAML SSO connector. */
+        connector_id varchar(128) not null
+          references sso_connectors (id) on update cascade on delete cascade,
+        /** The SAML assertion. */
+        assertion_content jsonb /* @use SsoSamlAssertionContent */ not null default '{}'::jsonb,
+        created_at timestamptz not null default(now()),
+        /** The expiration time of the assertion. */
+        expires_at timestamptz not null,
+        primary key (tenant_id, id)
+      );
+    `);
+    await applyTableRls(pool, 'idp_initiated_saml_sso_sessions');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'idp_initiated_saml_sso_sessions');
+    await pool.query(sql`
+      drop table idp_initiated_saml_sso_sessions;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.21.0-1728887713-add-client-idp-initiated-auth-callback-uri-columns.ts

@@ -0,0 +1,40 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sso_connector_idp_initiated_auth_configs
+        add column client_idp_initiated_auth_callback_uri text;
+      
+      alter table sso_connector_idp_initiated_auth_configs
+        add column auto_send_authorization_request boolean not null default false;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        drop constraint application_type;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        add constraint application_type
+          check (check_application_type(default_application_id, 'Traditional', 'SPA'));
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sso_connector_idp_initiated_auth_configs
+        drop constraint application_type;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        drop column client_idp_initiated_auth_callback_uri;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        drop column auto_send_authorization_request;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        add constraint application_type
+          check (check_application_type(default_application_id, 'Traditional'));
+    `);
+  },
+};
+
+export default alteration;

package/alterations-js/1.20.0-1723448981-personal-access-tokens.js

@@ -0,0 +1,30 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table personal_access_tokens (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        user_id varchar(21) not null
+          references users (id) on update cascade on delete cascade,
+        /** The name of the secret. Should be unique within the user. */
+        name varchar(256) not null,
+        value varchar(64) not null,
+        created_at timestamptz not null default now(),
+        expires_at timestamptz,
+        primary key (tenant_id, user_id, name)
+      );
+
+      create index personal_access_token__value on personal_access_tokens (tenant_id, value);
+    `);
+        await applyTableRls(pool, 'personal_access_tokens');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'personal_access_tokens');
+        await pool.query(sql `
+      drop table personal_access_tokens;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.20.0-1724229102-add-report-sub-updates-cloud-scope.js

@@ -0,0 +1,59 @@
+import { sql } from '@silverhand/slonik';
+import { generateStandardId } from './utils/1716643968-id-generation.js';
+const cloudApiIndicator = 'https://cloud.logto.io/api';
+const cloudConnectionAppRoleName = 'tenantApplication';
+const adminTenantId = 'admin';
+const reportSubscriptionUpdatesScopeName = 'report:subscription:updates';
+const reportSubscriptionUpdatesScopeDescription = 'Allow reporting changes on Stripe subscription to Logto Cloud.';
+const alteration = {
+    up: async (pool) => {
+        // Get the Cloud API resource
+        const cloudApiResource = await pool.maybeOne(sql `
+      select * from resources
+      where tenant_id = ${adminTenantId}
+      and indicator = ${cloudApiIndicator}
+    `);
+        if (!cloudApiResource) {
+            return;
+        }
+        // Get cloud connection application role
+        const tenantApplicationRole = await pool.one(sql `
+      select * from roles
+      where tenant_id = ${adminTenantId}
+      and name = ${cloudConnectionAppRoleName} and type = 'MachineToMachine'
+    `);
+        // Create the `report:subscription:updates` scope
+        const reportSubscriptionUpdatesCloudScope = await pool.one(sql `
+      insert into scopes (id, tenant_id, resource_id, name, description)
+      values (${generateStandardId()}, ${adminTenantId}, ${cloudApiResource.id}, ${reportSubscriptionUpdatesScopeName}, ${reportSubscriptionUpdatesScopeDescription})
+      on conflict (tenant_id, name, resource_id) do nothing
+      returning *;
+    `);
+        // Assign the `report:subscription:updates` scope to cloud connection application role
+        await pool.query(sql `
+      insert into roles_scopes (id, tenant_id, role_id, scope_id)
+      values (${generateStandardId()}, ${adminTenantId}, ${tenantApplicationRole.id}, ${reportSubscriptionUpdatesCloudScope.id}) on conflict (tenant_id, role_id, scope_id) do nothing;
+    `);
+    },
+    down: async (pool) => {
+        // Get the Cloud API resource
+        const cloudApiResource = await pool.maybeOne(sql `
+      select * from resources
+      where tenant_id = ${adminTenantId}
+      and indicator = ${cloudApiIndicator}
+    `);
+        if (!cloudApiResource) {
+            return;
+        }
+        // Remove the `report:subscription:updates` scope
+        await pool.query(sql `
+      delete from scopes
+      where
+        tenant_id = ${adminTenantId} and
+        name = ${reportSubscriptionUpdatesScopeName} and
+        description = ${reportSubscriptionUpdatesScopeDescription} and
+        resource_id = ${cloudApiResource.id}
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.20.0-1724316971-add-verified-identifier-to-verification-statuses.js

@@ -0,0 +1,14 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table verification_statuses add column verified_identifier varchar(255);
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table verification_statuses drop column verified_identifier;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.20.0-1725971571-add-verification-record.js

@@ -0,0 +1,30 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table verification_records (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        id varchar(21) not null,
+        user_id varchar(21)
+          references users (id) on update cascade on delete cascade,
+        created_at timestamptz not null default(now()),
+        expires_at timestamptz not null,
+        data jsonb /* @use VerificationRecordData */ not null default '{}'::jsonb,
+        primary key (id)
+      );
+
+      create index verification_records__id
+        on verification_records (tenant_id, id);
+    `);
+        await applyTableRls(pool, 'verification_records');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'verification_records');
+        await pool.query(sql `
+      drop table verification_records;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.21.0-1728357690-add-sso-connector-idp-initated-auth-configs-table.js

@@ -0,0 +1,35 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table sso_connector_idp_initiated_auth_configs (
+        tenant_id varchar(21) not null 
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the SSO connector. */
+        connector_id varchar(128) not null
+          references sso_connectors (id) on update cascade on delete cascade,
+        /** The default Logto application id. */
+        default_application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        /** OIDC sign-in redirect URI. */
+        redirect_uri text,
+        /** Additional OIDC auth parameters. */
+        auth_parameters jsonb /* @use IdpInitiatedAuthParams */ not null default '{}'::jsonb,
+        created_at timestamptz not null default(now()),
+        primary key (tenant_id, connector_id),
+        /** Insure the application type is Traditional. */
+        constraint application_type
+          check (check_application_type(default_application_id, 'Traditional'))
+      );
+    `);
+        await applyTableRls(pool, 'sso_connector_idp_initiated_auth_configs');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'sso_connector_idp_initiated_auth_configs');
+        await pool.query(sql `
+      drop table sso_connector_idp_initiated_auth_configs;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.21.0-1728526649-add-idp-initiated-saml-sso-sessions-table.js

@@ -0,0 +1,31 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table idp_initiated_saml_sso_sessions (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the assertion record. */
+        id varchar(21) not null,
+        /** The identifier of the SAML SSO connector. */
+        connector_id varchar(128) not null
+          references sso_connectors (id) on update cascade on delete cascade,
+        /** The SAML assertion. */
+        assertion_content jsonb /* @use SsoSamlAssertionContent */ not null default '{}'::jsonb,
+        created_at timestamptz not null default(now()),
+        /** The expiration time of the assertion. */
+        expires_at timestamptz not null,
+        primary key (tenant_id, id)
+      );
+    `);
+        await applyTableRls(pool, 'idp_initiated_saml_sso_sessions');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'idp_initiated_saml_sso_sessions');
+        await pool.query(sql `
+      drop table idp_initiated_saml_sso_sessions;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.21.0-1728887713-add-client-idp-initiated-auth-callback-uri-columns.js

@@ -0,0 +1,36 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table sso_connector_idp_initiated_auth_configs
+        add column client_idp_initiated_auth_callback_uri text;
+      
+      alter table sso_connector_idp_initiated_auth_configs
+        add column auto_send_authorization_request boolean not null default false;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        drop constraint application_type;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        add constraint application_type
+          check (check_application_type(default_application_id, 'Traditional', 'SPA'));
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table sso_connector_idp_initiated_auth_configs
+        drop constraint application_type;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        drop column client_idp_initiated_auth_callback_uri;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        drop column auto_send_authorization_request;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        add constraint application_type
+          check (check_application_type(default_application_id, 'Traditional'));
+    `);
+    },
+};
+export default alteration;

package/lib/consts/experience.d.ts

@@ -1,8 +1,11 @@
 export declare const experience: Readonly<{
-    routes: Readonly<{
-        signIn: "sign-in";
-        register: "register";
-        sso: "single-sign-on";
-        consent: "consent";
+    readonly routes: Readonly<{
+        readonly signIn: "sign-in";
+        readonly register: "register";
+        readonly sso: "single-sign-on";
+        readonly consent: "consent";
+        readonly resetPassword: "reset-password";
+        readonly identifierSignIn: "identifier-sign-in";
+        readonly identifierRegister: "identifier-register";
     }>;
 }>;

package/lib/consts/experience.js

@@ -3,6 +3,9 @@ const routes = Object.freeze({
     register: 'register',
     sso: 'single-sign-on',
     consent: 'consent',
+    resetPassword: 'reset-password',
+    identifierSignIn: 'identifier-sign-in',
+    identifierRegister: 'identifier-register',
 });
 export const experience = Object.freeze({
     routes,

package/lib/consts/oidc.d.ts

@@ -32,7 +32,24 @@ export declare enum ExtraParamsKey {
      * Override the default sign-in experience configuration with the settings from the specified
      * organization ID.
      */
-    OrganizationId = "organization_id"
+    OrganizationId = "organization_id",
+    /**
+     * Provides a hint about the login identifier the user might use.
+     * This can be used to pre-fill the identifier field **only on the first screen** of the sign-in/sign-up flow.
+     */
+    LoginHint = "login_hint",
+    /**
+     * Specifies the identifier used in the identifier sign-in or identifier register page.
+     *
+     * This parameter is applicable only when first_screen is set to either `FirstScreen.IdentifierSignIn` or `FirstScreen.IdentifierRegister`.
+     * Multiple identifiers can be provided in the identifier parameter, separated by spaces.
+     *
+     * If the provided identifier is not supported in the Logto sign-in experience configuration, it will be ignored,
+     * and if no one of them is supported, it will fallback to the sign-in / sign-up method value set in the sign-in experience configuration.
+     *
+     * @see {@link SignInIdentifier} for available values.
+     */
+    Identifier = "identifier"
 }
 /** @deprecated Use {@link FirstScreen} instead. */
 export declare enum InteractionMode {
@@ -40,28 +57,42 @@ export declare enum InteractionMode {
     SignUp = "signUp"
 }
 export declare enum FirstScreen {
-    SignIn = "signIn",
-    Register = "register"
+    SignIn = "sign_in",
+    Register = "register",
+    ResetPassword = "reset_password",
+    IdentifierSignIn = "identifier:sign_in",
+    IdentifierRegister = "identifier:register",
+    SingleSignOn = "single_sign_on",
+    /** @deprecated Use snake_case 'sign_in' instead. */
+    SignInDeprecated = "signIn"
 }
 export declare const extraParamsObjectGuard: z.ZodObject<{
     interaction_mode: z.ZodOptional<z.ZodNativeEnum<typeof InteractionMode>>;
     first_screen: z.ZodOptional<z.ZodNativeEnum<typeof FirstScreen>>;
     direct_sign_in: z.ZodOptional<z.ZodString>;
     organization_id: z.ZodOptional<z.ZodString>;
+    login_hint: z.ZodOptional<z.ZodString>;
+    identifier: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {
     interaction_mode?: InteractionMode | undefined;
     first_screen?: FirstScreen | undefined;
     direct_sign_in?: string | undefined;
     organization_id?: string | undefined;
+    login_hint?: string | undefined;
+    identifier?: string | undefined;
 }, {
     interaction_mode?: InteractionMode | undefined;
     first_screen?: FirstScreen | undefined;
     direct_sign_in?: string | undefined;
     organization_id?: string | undefined;
+    login_hint?: string | undefined;
+    identifier?: string | undefined;
 }>;
 export type ExtraParamsObject = Partial<{
     [ExtraParamsKey.InteractionMode]: InteractionMode;
     [ExtraParamsKey.FirstScreen]: FirstScreen;
     [ExtraParamsKey.DirectSignIn]: string;
     [ExtraParamsKey.OrganizationId]: string;
+    [ExtraParamsKey.LoginHint]: string;
+    [ExtraParamsKey.Identifier]: string;
 }>;