@logto/schemas 1.20.0 → 1.21.0

package/alterations/1.21.0-1728357690-add-sso-connector-idp-initated-auth-configs-table.ts

@@ -0,0 +1,40 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table sso_connector_idp_initiated_auth_configs (
+        tenant_id varchar(21) not null 
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the SSO connector. */
+        connector_id varchar(128) not null
+          references sso_connectors (id) on update cascade on delete cascade,
+        /** The default Logto application id. */
+        default_application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        /** OIDC sign-in redirect URI. */
+        redirect_uri text,
+        /** Additional OIDC auth parameters. */
+        auth_parameters jsonb /* @use IdpInitiatedAuthParams */ not null default '{}'::jsonb,
+        created_at timestamptz not null default(now()),
+        primary key (tenant_id, connector_id),
+        /** Insure the application type is Traditional. */
+        constraint application_type
+          check (check_application_type(default_application_id, 'Traditional'))
+      );
+    `);
+    await applyTableRls(pool, 'sso_connector_idp_initiated_auth_configs');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'sso_connector_idp_initiated_auth_configs');
+    await pool.query(sql`
+      drop table sso_connector_idp_initiated_auth_configs;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.21.0-1728526649-add-idp-initiated-saml-sso-sessions-table.ts

@@ -0,0 +1,36 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      create table idp_initiated_saml_sso_sessions (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the assertion record. */
+        id varchar(21) not null,
+        /** The identifier of the SAML SSO connector. */
+        connector_id varchar(128) not null
+          references sso_connectors (id) on update cascade on delete cascade,
+        /** The SAML assertion. */
+        assertion_content jsonb /* @use SsoSamlAssertionContent */ not null default '{}'::jsonb,
+        created_at timestamptz not null default(now()),
+        /** The expiration time of the assertion. */
+        expires_at timestamptz not null,
+        primary key (tenant_id, id)
+      );
+    `);
+    await applyTableRls(pool, 'idp_initiated_saml_sso_sessions');
+  },
+  down: async (pool) => {
+    await dropTableRls(pool, 'idp_initiated_saml_sso_sessions');
+    await pool.query(sql`
+      drop table idp_initiated_saml_sso_sessions;
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.21.0-1728887713-add-client-idp-initiated-auth-callback-uri-columns.ts

@@ -0,0 +1,40 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table sso_connector_idp_initiated_auth_configs
+        add column client_idp_initiated_auth_callback_uri text;
+      
+      alter table sso_connector_idp_initiated_auth_configs
+        add column auto_send_authorization_request boolean not null default false;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        drop constraint application_type;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        add constraint application_type
+          check (check_application_type(default_application_id, 'Traditional', 'SPA'));
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table sso_connector_idp_initiated_auth_configs
+        drop constraint application_type;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        drop column client_idp_initiated_auth_callback_uri;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        drop column auto_send_authorization_request;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        add constraint application_type
+          check (check_application_type(default_application_id, 'Traditional'));
+    `);
+  },
+};
+
+export default alteration;

package/alterations-js/1.21.0-1728357690-add-sso-connector-idp-initated-auth-configs-table.js

@@ -0,0 +1,35 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table sso_connector_idp_initiated_auth_configs (
+        tenant_id varchar(21) not null 
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the SSO connector. */
+        connector_id varchar(128) not null
+          references sso_connectors (id) on update cascade on delete cascade,
+        /** The default Logto application id. */
+        default_application_id varchar(21) not null
+          references applications (id) on update cascade on delete cascade,
+        /** OIDC sign-in redirect URI. */
+        redirect_uri text,
+        /** Additional OIDC auth parameters. */
+        auth_parameters jsonb /* @use IdpInitiatedAuthParams */ not null default '{}'::jsonb,
+        created_at timestamptz not null default(now()),
+        primary key (tenant_id, connector_id),
+        /** Insure the application type is Traditional. */
+        constraint application_type
+          check (check_application_type(default_application_id, 'Traditional'))
+      );
+    `);
+        await applyTableRls(pool, 'sso_connector_idp_initiated_auth_configs');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'sso_connector_idp_initiated_auth_configs');
+        await pool.query(sql `
+      drop table sso_connector_idp_initiated_auth_configs;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.21.0-1728526649-add-idp-initiated-saml-sso-sessions-table.js

@@ -0,0 +1,31 @@
+import { sql } from '@silverhand/slonik';
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      create table idp_initiated_saml_sso_sessions (
+        tenant_id varchar(21) not null
+          references tenants (id) on update cascade on delete cascade,
+        /** The globally unique identifier of the assertion record. */
+        id varchar(21) not null,
+        /** The identifier of the SAML SSO connector. */
+        connector_id varchar(128) not null
+          references sso_connectors (id) on update cascade on delete cascade,
+        /** The SAML assertion. */
+        assertion_content jsonb /* @use SsoSamlAssertionContent */ not null default '{}'::jsonb,
+        created_at timestamptz not null default(now()),
+        /** The expiration time of the assertion. */
+        expires_at timestamptz not null,
+        primary key (tenant_id, id)
+      );
+    `);
+        await applyTableRls(pool, 'idp_initiated_saml_sso_sessions');
+    },
+    down: async (pool) => {
+        await dropTableRls(pool, 'idp_initiated_saml_sso_sessions');
+        await pool.query(sql `
+      drop table idp_initiated_saml_sso_sessions;
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.21.0-1728887713-add-client-idp-initiated-auth-callback-uri-columns.js

@@ -0,0 +1,36 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table sso_connector_idp_initiated_auth_configs
+        add column client_idp_initiated_auth_callback_uri text;
+      
+      alter table sso_connector_idp_initiated_auth_configs
+        add column auto_send_authorization_request boolean not null default false;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        drop constraint application_type;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        add constraint application_type
+          check (check_application_type(default_application_id, 'Traditional', 'SPA'));
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table sso_connector_idp_initiated_auth_configs
+        drop constraint application_type;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        drop column client_idp_initiated_auth_callback_uri;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        drop column auto_send_authorization_request;
+
+      alter table sso_connector_idp_initiated_auth_configs
+        add constraint application_type
+          check (check_application_type(default_application_id, 'Traditional'));
+    `);
+    },
+};
+export default alteration;

package/lib/db-entries/idp-initiated-saml-sso-session.d.ts

@@ -0,0 +1,32 @@
+import { SsoSamlAssertionContent, GeneratedSchema } from './../foundations/index.js';
+/**
+ *
+ * @remarks This is a type for database creation.
+ * @see {@link IdpInitiatedSamlSsoSession} for the original type.
+ */
+export type CreateIdpInitiatedSamlSsoSession = {
+    tenantId?: string;
+    /** The globally unique identifier of the assertion record. */
+    id: string;
+    /** The identifier of the SAML SSO connector. */
+    connectorId: string;
+    /** The SAML assertion. */
+    assertionContent?: SsoSamlAssertionContent;
+    createdAt?: number;
+    /** The expiration time of the assertion. */
+    expiresAt: number;
+};
+export type IdpInitiatedSamlSsoSession = {
+    tenantId: string;
+    /** The globally unique identifier of the assertion record. */
+    id: string;
+    /** The identifier of the SAML SSO connector. */
+    connectorId: string;
+    /** The SAML assertion. */
+    assertionContent: SsoSamlAssertionContent;
+    createdAt: number;
+    /** The expiration time of the assertion. */
+    expiresAt: number;
+};
+export type IdpInitiatedSamlSsoSessionKeys = 'tenantId' | 'id' | 'connectorId' | 'assertionContent' | 'createdAt' | 'expiresAt';
+export declare const IdpInitiatedSamlSsoSessions: GeneratedSchema<IdpInitiatedSamlSsoSessionKeys, CreateIdpInitiatedSamlSsoSession, IdpInitiatedSamlSsoSession, 'idp_initiated_saml_sso_sessions', 'idp_initiated_saml_sso_session'>;

package/lib/db-entries/idp-initiated-saml-sso-session.js

@@ -0,0 +1,42 @@
+// THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+import { z } from 'zod';
+import { ssoSamlAssertionContentGuard } from './../foundations/index.js';
+const createGuard = z.object({
+    tenantId: z.string().max(21).optional(),
+    id: z.string().min(1).max(21),
+    connectorId: z.string().min(1).max(128),
+    assertionContent: ssoSamlAssertionContentGuard.optional(),
+    createdAt: z.number().optional(),
+    expiresAt: z.number(),
+});
+const guard = z.object({
+    tenantId: z.string().max(21),
+    id: z.string().min(1).max(21),
+    connectorId: z.string().min(1).max(128),
+    assertionContent: ssoSamlAssertionContentGuard,
+    createdAt: z.number(),
+    expiresAt: z.number(),
+});
+export const IdpInitiatedSamlSsoSessions = Object.freeze({
+    table: 'idp_initiated_saml_sso_sessions',
+    tableSingular: 'idp_initiated_saml_sso_session',
+    fields: {
+        tenantId: 'tenant_id',
+        id: 'id',
+        connectorId: 'connector_id',
+        assertionContent: 'assertion_content',
+        createdAt: 'created_at',
+        expiresAt: 'expires_at',
+    },
+    fieldKeys: [
+        'tenantId',
+        'id',
+        'connectorId',
+        'assertionContent',
+        'createdAt',
+        'expiresAt',
+    ],
+    createGuard,
+    guard,
+    updateGuard: guard.partial(),
+});

package/lib/db-entries/index.d.ts

@@ -18,6 +18,7 @@ export * from './daily-active-user.js';
 export * from './daily-token-usage.js';
 export * from './domain.js';
 export * from './hook.js';
+export * from './idp-initiated-saml-sso-session.js';
 export * from './log.js';
 export * from './logto-config.js';
 export * from './oidc-model-instance.js';
@@ -44,6 +45,7 @@ export * from './scope.js';
 export * from './sentinel-activity.js';
 export * from './service-log.js';
 export * from './sign-in-experience.js';
+export * from './sso-connector-idp-initiated-auth-config.js';
 export * from './sso-connector.js';
 export * from './subject-token.js';
 export * from './system.js';

package/lib/db-entries/index.js

@@ -19,6 +19,7 @@ export * from './daily-active-user.js';
 export * from './daily-token-usage.js';
 export * from './domain.js';
 export * from './hook.js';
+export * from './idp-initiated-saml-sso-session.js';
 export * from './log.js';
 export * from './logto-config.js';
 export * from './oidc-model-instance.js';
@@ -45,6 +46,7 @@ export * from './scope.js';
 export * from './sentinel-activity.js';
 export * from './service-log.js';
 export * from './sign-in-experience.js';
+export * from './sso-connector-idp-initiated-auth-config.js';
 export * from './sso-connector.js';
 export * from './subject-token.js';
 export * from './system.js';

package/lib/db-entries/sso-connector-idp-initiated-auth-config.d.ts

@@ -0,0 +1,42 @@
+import { IdpInitiatedAuthParams, GeneratedSchema } from './../foundations/index.js';
+/**
+ * init_order = 2
+ *
+ * @remarks This is a type for database creation.
+ * @see {@link SsoConnectorIdpInitiatedAuthConfig} for the original type.
+ */
+export type CreateSsoConnectorIdpInitiatedAuthConfig = {
+    tenantId?: string;
+    /** The globally unique identifier of the SSO connector. */
+    connectorId: string;
+    /** The default Logto application id. */
+    defaultApplicationId: string;
+    /** OIDC sign-in redirect URI. */
+    redirectUri?: string | null;
+    /** Additional OIDC auth parameters. */
+    authParameters?: IdpInitiatedAuthParams;
+    /** Whether to auto-trigger the auth flow on an IdP-initiated auth request. */
+    autoSendAuthorizationRequest?: boolean;
+    /** The client side callback URI for handling IdP-initiated auth request. */
+    clientIdpInitiatedAuthCallbackUri?: string | null;
+    createdAt?: number;
+};
+/** init_order = 2 */
+export type SsoConnectorIdpInitiatedAuthConfig = {
+    tenantId: string;
+    /** The globally unique identifier of the SSO connector. */
+    connectorId: string;
+    /** The default Logto application id. */
+    defaultApplicationId: string;
+    /** OIDC sign-in redirect URI. */
+    redirectUri: string | null;
+    /** Additional OIDC auth parameters. */
+    authParameters: IdpInitiatedAuthParams;
+    /** Whether to auto-trigger the auth flow on an IdP-initiated auth request. */
+    autoSendAuthorizationRequest: boolean;
+    /** The client side callback URI for handling IdP-initiated auth request. */
+    clientIdpInitiatedAuthCallbackUri: string | null;
+    createdAt: number;
+};
+export type SsoConnectorIdpInitiatedAuthConfigKeys = 'tenantId' | 'connectorId' | 'defaultApplicationId' | 'redirectUri' | 'authParameters' | 'autoSendAuthorizationRequest' | 'clientIdpInitiatedAuthCallbackUri' | 'createdAt';
+export declare const SsoConnectorIdpInitiatedAuthConfigs: GeneratedSchema<SsoConnectorIdpInitiatedAuthConfigKeys, CreateSsoConnectorIdpInitiatedAuthConfig, SsoConnectorIdpInitiatedAuthConfig, 'sso_connector_idp_initiated_auth_configs', 'sso_connector_idp_initiated_auth_config'>;

package/lib/db-entries/sso-connector-idp-initiated-auth-config.js

@@ -0,0 +1,50 @@
+// THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+import { z } from 'zod';
+import { idpInitiatedAuthParamsGuard } from './../foundations/index.js';
+const createGuard = z.object({
+    tenantId: z.string().max(21).optional(),
+    connectorId: z.string().min(1).max(128),
+    defaultApplicationId: z.string().min(1).max(21),
+    redirectUri: z.string().nullable().optional(),
+    authParameters: idpInitiatedAuthParamsGuard.optional(),
+    autoSendAuthorizationRequest: z.boolean().optional(),
+    clientIdpInitiatedAuthCallbackUri: z.string().nullable().optional(),
+    createdAt: z.number().optional(),
+});
+const guard = z.object({
+    tenantId: z.string().max(21),
+    connectorId: z.string().min(1).max(128),
+    defaultApplicationId: z.string().min(1).max(21),
+    redirectUri: z.string().nullable(),
+    authParameters: idpInitiatedAuthParamsGuard,
+    autoSendAuthorizationRequest: z.boolean(),
+    clientIdpInitiatedAuthCallbackUri: z.string().nullable(),
+    createdAt: z.number(),
+});
+export const SsoConnectorIdpInitiatedAuthConfigs = Object.freeze({
+    table: 'sso_connector_idp_initiated_auth_configs',
+    tableSingular: 'sso_connector_idp_initiated_auth_config',
+    fields: {
+        tenantId: 'tenant_id',
+        connectorId: 'connector_id',
+        defaultApplicationId: 'default_application_id',
+        redirectUri: 'redirect_uri',
+        authParameters: 'auth_parameters',
+        autoSendAuthorizationRequest: 'auto_send_authorization_request',
+        clientIdpInitiatedAuthCallbackUri: 'client_idp_initiated_auth_callback_uri',
+        createdAt: 'created_at',
+    },
+    fieldKeys: [
+        'tenantId',
+        'connectorId',
+        'defaultApplicationId',
+        'redirectUri',
+        'authParameters',
+        'autoSendAuthorizationRequest',
+        'clientIdpInitiatedAuthCallbackUri',
+        'createdAt',
+    ],
+    createGuard,
+    guard,
+    updateGuard: guard.partial(),
+});

package/lib/foundations/jsonb-types/sign-in-experience.d.ts

@@ -66,6 +66,9 @@ export declare enum SignInIdentifier {
     Phone = "phone"
 }
 export declare const signInIdentifierGuard: z.ZodNativeEnum<typeof SignInIdentifier>;
+export declare enum AdditionalIdentifier {
+    UserId = "userId"
+}
 export declare const signUpGuard: z.ZodObject<{
     identifiers: z.ZodArray<z.ZodNativeEnum<typeof SignInIdentifier>, "many">;
     password: z.ZodBoolean;

package/lib/foundations/jsonb-types/sign-in-experience.js

@@ -32,6 +32,10 @@ export var SignInIdentifier;
     SignInIdentifier["Phone"] = "phone";
 })(SignInIdentifier || (SignInIdentifier = {}));
 export const signInIdentifierGuard = z.nativeEnum(SignInIdentifier);
+export var AdditionalIdentifier;
+(function (AdditionalIdentifier) {
+    AdditionalIdentifier["UserId"] = "userId";
+})(AdditionalIdentifier || (AdditionalIdentifier = {}));
 export const signUpGuard = z.object({
     identifiers: z.nativeEnum(SignInIdentifier).array(),
     password: z.boolean(),

package/lib/foundations/jsonb-types/sso-connector.d.ts

@@ -15,3 +15,52 @@ export declare const ssoBrandingGuard: z.ZodObject<{
     darkLogo?: string | undefined;
 }>;
 export type SsoBranding = z.infer<typeof ssoBrandingGuard>;
+export declare const idpInitiatedAuthParamsGuard: z.ZodObject<{
+    scope: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodString, z.objectOutputType<{
+    scope: z.ZodOptional<z.ZodString>;
+}, z.ZodString, "strip">, z.objectInputType<{
+    scope: z.ZodOptional<z.ZodString>;
+}, z.ZodString, "strip">>;
+export type IdpInitiatedAuthParams = z.infer<typeof idpInitiatedAuthParamsGuard>;
+export declare const ssoSamlAssertionContentGuard: z.ZodObject<{
+    nameID: z.ZodOptional<z.ZodString>;
+    attributes: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>>;
+    conditions: z.ZodOptional<z.ZodObject<{
+        notBefore: z.ZodOptional<z.ZodString>;
+        notOnOrAfter: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        notBefore?: string | undefined;
+        notOnOrAfter?: string | undefined;
+    }, {
+        notBefore?: string | undefined;
+        notOnOrAfter?: string | undefined;
+    }>>;
+}, "strip", z.ZodUnknown, z.objectOutputType<{
+    nameID: z.ZodOptional<z.ZodString>;
+    attributes: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>>;
+    conditions: z.ZodOptional<z.ZodObject<{
+        notBefore: z.ZodOptional<z.ZodString>;
+        notOnOrAfter: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        notBefore?: string | undefined;
+        notOnOrAfter?: string | undefined;
+    }, {
+        notBefore?: string | undefined;
+        notOnOrAfter?: string | undefined;
+    }>>;
+}, z.ZodUnknown, "strip">, z.objectInputType<{
+    nameID: z.ZodOptional<z.ZodString>;
+    attributes: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnion<[z.ZodString, z.ZodArray<z.ZodString, "many">]>>>;
+    conditions: z.ZodOptional<z.ZodObject<{
+        notBefore: z.ZodOptional<z.ZodString>;
+        notOnOrAfter: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        notBefore?: string | undefined;
+        notOnOrAfter?: string | undefined;
+    }, {
+        notBefore?: string | undefined;
+        notOnOrAfter?: string | undefined;
+    }>>;
+}, z.ZodUnknown, "strip">>;
+export type SsoSamlAssertionContent = z.infer<typeof ssoSamlAssertionContentGuard>;

package/lib/foundations/jsonb-types/sso-connector.js

@@ -5,3 +5,20 @@ export const ssoBrandingGuard = z.object({
     logo: z.string().optional(),
     darkLogo: z.string().optional(),
 });
+export const idpInitiatedAuthParamsGuard = z
+    .object({
+    scope: z.string().optional(),
+})
+    .catchall(z.string());
+export const ssoSamlAssertionContentGuard = z
+    .object({
+    nameID: z.string().optional(),
+    attributes: z.record(z.string().or(z.array(z.string()))).optional(),
+    conditions: z
+        .object({
+        notBefore: z.string().optional(),
+        notOnOrAfter: z.string().optional(),
+    })
+        .optional(),
+})
+    .catchall(z.unknown());

package/lib/types/consent.d.ts

@@ -882,6 +882,7 @@ export declare const consentInfoResponseGuard: z.ZodObject<{
         termsOfUseUrl?: string | null | undefined;
         privacyPolicyUrl?: string | null | undefined;
     };
+    redirectUri: string;
     user: {
         name: string | null;
         id: string;
@@ -890,7 +891,6 @@ export declare const consentInfoResponseGuard: z.ZodObject<{
         primaryPhone: string | null;
         avatar: string | null;
     };
-    redirectUri: string;
     organizations?: {
         name: string;
         id: string;
@@ -934,6 +934,7 @@ export declare const consentInfoResponseGuard: z.ZodObject<{
         termsOfUseUrl?: string | null | undefined;
         privacyPolicyUrl?: string | null | undefined;
     };
+    redirectUri: string;
     user: {
         name: string | null;
         id: string;
@@ -942,7 +943,6 @@ export declare const consentInfoResponseGuard: z.ZodObject<{
         primaryPhone: string | null;
         avatar: string | null;
     };
-    redirectUri: string;
     organizations?: {
         name: string;
         id: string;

package/lib/types/interactions.d.ts

@@ -1,5 +1,5 @@
 import { z } from 'zod';
-import { MfaFactor, SignInIdentifier } from '../foundations/index.js';
+import { AdditionalIdentifier, MfaFactor, SignInIdentifier } from '../foundations/index.js';
 import type { EmailVerificationCodePayload, PhoneVerificationCodePayload } from './verification-code.js';
 /**
  * User interaction events defined in Logto RFC 0004.
@@ -10,6 +10,20 @@ export declare enum InteractionEvent {
     Register = "Register",
     ForgotPassword = "ForgotPassword"
 }
+export type VerificationIdentifier = {
+    type: SignInIdentifier | AdditionalIdentifier;
+    value: string;
+};
+export declare const verificationIdentifierGuard: z.ZodObject<{
+    type: z.ZodUnion<[z.ZodNativeEnum<typeof SignInIdentifier>, z.ZodNativeEnum<typeof AdditionalIdentifier>]>;
+    value: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    type: SignInIdentifier | AdditionalIdentifier;
+    value: string;
+}, {
+    type: SignInIdentifier | AdditionalIdentifier;
+    value: string;
+}>;
 /** Identifiers that can be used to uniquely identify a user. */
 export type InteractionIdentifier<T extends SignInIdentifier = SignInIdentifier> = {
     type: T;
@@ -50,11 +64,11 @@ export declare const socialAuthorizationUrlPayloadGuard: z.ZodObject<{
     state: z.ZodString;
     redirectUri: z.ZodString;
 }, "strip", z.ZodTypeAny, {
-    state: string;
     redirectUri: string;
-}, {
     state: string;
+}, {
     redirectUri: string;
+    state: string;
 }>;
 /** Payload type for `POST /api/experience/verification/{social|sso}/:connectorId/verify`. */
 export type SocialVerificationCallbackPayload = {

package/lib/types/interactions.js

@@ -1,6 +1,6 @@
 import { emailRegEx, phoneRegEx, usernameRegEx } from '@logto/core-kit';
 import { z } from 'zod';
-import { MfaFactor, SignInIdentifier, jsonObjectGuard, webAuthnTransportGuard, } from '../foundations/index.js';
+import { AdditionalIdentifier, MfaFactor, SignInIdentifier, jsonObjectGuard, webAuthnTransportGuard, } from '../foundations/index.js';
 import { emailVerificationCodePayloadGuard, phoneVerificationCodePayloadGuard, } from './verification-code.js';
 /**
  * User interaction events defined in Logto RFC 0004.
@@ -12,6 +12,10 @@ export var InteractionEvent;
     InteractionEvent["Register"] = "Register";
     InteractionEvent["ForgotPassword"] = "ForgotPassword";
 })(InteractionEvent || (InteractionEvent = {}));
+export const verificationIdentifierGuard = z.object({
+    type: z.union([z.nativeEnum(SignInIdentifier), z.nativeEnum(AdditionalIdentifier)]),
+    value: z.string(),
+});
 export const interactionIdentifierGuard = z.object({
     type: z.nativeEnum(SignInIdentifier),
     value: z.string(),

package/lib/types/log/interaction.d.ts

@@ -67,4 +67,4 @@ export declare enum Action {
  *   - When {@link Method} is `VerificationCode`, {@link Action} can be `Create` (generate and send a code) or `Submit` (verify and submit to the identifiers);
  *   - Otherwise, {@link Action} is fixed to `Submit` (other methods can be verified on submitting).
  */
-export type LogKey = `${Prefix}.${Action.Create | Action.End}` | `${Prefix}.${InteractionEvent}.${Action.Create | Action.Update | Action.Submit}` | `${Prefix}.${InteractionEvent}.${Field.Profile}.${Action.Update | Action.Create | Action.Delete}` | `${Prefix}.${Exclude<InteractionEvent, InteractionEvent.ForgotPassword>}.${Field.Identifier}.${Exclude<Method, Method.Password>}.${Action.Create | Action.Submit}` | `${Prefix}.${Exclude<InteractionEvent, InteractionEvent.ForgotPassword>}.${Field.Identifier}.${Method.Password}.${Action.Submit}` | `${Prefix}.${InteractionEvent.ForgotPassword}.${Field.Identifier}.${Method.VerificationCode}.${Action.Create | Action.Submit}` | `${Prefix}.${InteractionEvent}.${Field.BindMfa}.${MfaFactor}.${Action.Submit | Action.Create}` | `${Prefix}.${InteractionEvent.SignIn}.${Field.Mfa}.${MfaFactor}.${Action.Submit | Action.Create}` | `${Prefix}.${InteractionEvent}.${Field.Verification}.${VerificationType}.${Action}` | `${Prefix}.${InteractionEvent}.${Field.Identifier}.${Action.Submit}`;
+export type LogKey = `${Prefix}.${Action.Create | Action.End}` | `${Prefix}.${InteractionEvent}.${Action.Create | Action.Update | Action.Submit}` | `${Prefix}.${InteractionEvent}.${Field.Profile}.${Action.Update | Action.Create | Action.Delete}` | `${Prefix}.${Exclude<InteractionEvent, InteractionEvent.ForgotPassword>}.${Field.Identifier}.${Exclude<Method, Method.Password>}.${Action.Create | Action.Submit}` | `${Prefix}.${Exclude<InteractionEvent, InteractionEvent.ForgotPassword>}.${Field.Identifier}.${Method.Password}.${Action.Submit}` | `${Prefix}.${InteractionEvent.ForgotPassword}.${Field.Identifier}.${Method.VerificationCode}.${Action.Create | Action.Submit}` | `${Prefix}.${InteractionEvent}.${Field.BindMfa}.${MfaFactor}.${Action.Submit | Action.Create}` | `${Prefix}.${InteractionEvent.SignIn}.${Field.Mfa}.${MfaFactor}.${Action.Submit | Action.Create}` | `${Prefix}.${InteractionEvent}.${Field.Verification}.${VerificationType}.${Action}` | `${Prefix}.${InteractionEvent}.${Field.Identifier}.${Action.Submit}` | `${Prefix}.${InteractionEvent.SignIn}.${Field.Verification}.IdpInitiatedSso.${Action.Create}`;

package/lib/types/sso-connector.d.ts

@@ -140,4 +140,7 @@ export declare const ssoConnectorWithProviderConfigGuard: z.ZodObject<z.objectUt
     providerConfig?: Record<string, unknown> | undefined;
 }>;
 export type SsoConnectorWithProviderConfig = z.infer<typeof ssoConnectorWithProviderConfigGuard>;
+export declare enum SsoAuthenticationQueryKey {
+    SsoConnectorId = "ssoConnectorId"
+}
 export {};

package/lib/types/sso-connector.js

@@ -69,3 +69,7 @@ z.object({
     // - SAML: connection config fetched from the metadata url or metadata file.
     providerConfig: z.record(z.unknown()).optional(),
 }));
+export var SsoAuthenticationQueryKey;
+(function (SsoAuthenticationQueryKey) {
+    SsoAuthenticationQueryKey["SsoConnectorId"] = "ssoConnectorId";
+})(SsoAuthenticationQueryKey || (SsoAuthenticationQueryKey = {}));

package/lib/types/system.d.ts

@@ -250,8 +250,25 @@ export type CloudflareType = {
 export declare const cloudflareGuard: Readonly<{
     [key in CloudflareKey]: ZodType<CloudflareType[key]>;
 }>;
-export type SystemKey = AlterationStateKey | StorageProviderKey | DemoSocialKey | CloudflareKey | EmailServiceProviderKey;
-export type SystemType = AlterationStateType | StorageProviderType | DemoSocialType | CloudflareType | EmailServiceProviderType;
-export type SystemGuard = typeof alterationStateGuard & typeof storageProviderGuard & typeof demoSocialGuard & typeof cloudflareGuard & typeof emailServiceProviderGuard;
+export declare enum FeatureFlagConfigKey {
+    NewExperienceFeatureFlag = "newExperienceFeatureFlag"
+}
+export declare const featureFlagConfigGuard: z.ZodObject<{
+    percentage: z.ZodNumber;
+}, "strip", z.ZodTypeAny, {
+    percentage: number;
+}, {
+    percentage: number;
+}>;
+export type FeatureFlagConfig = z.infer<typeof featureFlagConfigGuard>;
+export type FeatureFlagConfigType = {
+    [FeatureFlagConfigKey.NewExperienceFeatureFlag]: FeatureFlagConfig;
+};
+export declare const featureFlagConfigsGuard: Readonly<{
+    [key in FeatureFlagConfigKey]: ZodType<FeatureFlagConfigType[key]>;
+}>;
+export type SystemKey = AlterationStateKey | StorageProviderKey | DemoSocialKey | CloudflareKey | EmailServiceProviderKey | FeatureFlagConfigKey;
+export type SystemType = AlterationStateType | StorageProviderType | DemoSocialType | CloudflareType | EmailServiceProviderType | FeatureFlagConfigType;
+export type SystemGuard = typeof alterationStateGuard & typeof storageProviderGuard & typeof demoSocialGuard & typeof cloudflareGuard & typeof emailServiceProviderGuard & typeof featureFlagConfigsGuard;
 export declare const systemKeys: readonly SystemKey[];
 export declare const systemGuards: SystemGuard;

package/lib/types/system.js

@@ -145,12 +145,24 @@ export const cloudflareGuard = Object.freeze({
     [CloudflareKey.ProtectedAppHostnameProvider]: hostnameProviderDataGuard,
     [CloudflareKey.CustomJwtWorkerConfig]: customJwtWorkerConfigGuard,
 });
+// A/B Test settings
+export var FeatureFlagConfigKey;
+(function (FeatureFlagConfigKey) {
+    FeatureFlagConfigKey["NewExperienceFeatureFlag"] = "newExperienceFeatureFlag";
+})(FeatureFlagConfigKey || (FeatureFlagConfigKey = {}));
+export const featureFlagConfigGuard = z.object({
+    percentage: z.number().min(0).max(1),
+});
+export const featureFlagConfigsGuard = Object.freeze({
+    [FeatureFlagConfigKey.NewExperienceFeatureFlag]: featureFlagConfigGuard,
+});
 export const systemKeys = Object.freeze([
     ...Object.values(AlterationStateKey),
     ...Object.values(StorageProviderKey),
     ...Object.values(DemoSocialKey),
     ...Object.values(CloudflareKey),
     ...Object.values(EmailServiceProviderKey),
+    ...Object.values(FeatureFlagConfigKey),
 ]);
 export const systemGuards = Object.freeze({
     ...alterationStateGuard,
@@ -158,4 +170,5 @@ export const systemGuards = Object.freeze({
     ...demoSocialGuard,
     ...cloudflareGuard,
     ...emailServiceProviderGuard,
+    ...featureFlagConfigsGuard,
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@logto/schemas",
-  "version": "1.20.0",
+  "version": "1.21.0",
   "author": "Silverhand Inc. <contact@silverhand.io>",
   "license": "MPL-2.0",
   "type": "module",
@@ -66,9 +66,9 @@
     "@logto/connector-kit": "^4.0.0",
     "@logto/core-kit": "^2.5.0",
     "@logto/language-kit": "^1.1.0",
-    "@logto/phrases": "^1.14.0",
+    "@logto/phrases": "^1.14.1",
     "@logto/phrases-experience": "^1.8.0",
-    "@logto/shared": "^3.1.1",
+    "@logto/shared": "^3.1.2",
     "@withtyped/server": "^0.14.0",
     "nanoid": "^5.0.1"
   },

package/tables/idp_initiated_saml_sso_sessions.sql

@@ -0,0 +1,16 @@
+/* init_order = 2 */
+create table idp_initiated_saml_sso_sessions (
+  tenant_id varchar(21) not null 
+    references tenants (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the assertion record. */
+  id varchar(21) not null,
+  /** The identifier of the SAML SSO connector. */
+  connector_id varchar(128) not null
+    references sso_connectors (id) on update cascade on delete cascade,
+  /** The SAML assertion. */
+  assertion_content jsonb /* @use SsoSamlAssertionContent */ not null default '{}'::jsonb,
+  created_at timestamptz not null default(now()),
+  /** The expiration time of the assertion. */
+  expires_at timestamptz not null,
+  primary key (tenant_id, id)
+);

package/tables/sso_connector_idp_initiated_auth_configs.sql

@@ -0,0 +1,24 @@
+/** init_order = 2 */
+create table sso_connector_idp_initiated_auth_configs (
+  tenant_id varchar(21) not null 
+    references tenants (id) on update cascade on delete cascade,
+  /** The globally unique identifier of the SSO connector. */
+  connector_id varchar(128) not null
+    references sso_connectors (id) on update cascade on delete cascade,
+  /** The default Logto application id. */
+  default_application_id varchar(21) not null
+    references applications (id) on update cascade on delete cascade,
+  /** OIDC sign-in redirect URI. */
+  redirect_uri text,
+  /** Additional OIDC auth parameters. */
+  auth_parameters jsonb /* @use IdpInitiatedAuthParams */ not null default '{}'::jsonb,
+  /** Whether to auto-trigger the auth flow on an IdP-initiated auth request. */
+  auto_send_authorization_request boolean not null default false,
+  /** The client side callback URI for handling IdP-initiated auth request. */
+  client_idp_initiated_auth_callback_uri text,
+  created_at timestamptz not null default(now()),
+  primary key (tenant_id, connector_id),
+  /** Insure the application type is Traditional or SPA. */
+  constraint application_type
+    check (check_application_type(default_application_id, 'Traditional', 'SPA'))
+);