@logto/schemas 1.36.0 → 1.37.1

package/lib/foundations/jsonb-types/oidc-module.d.ts

@@ -122,3 +122,331 @@ export declare const customClientMetadataGuard: z.ZodObject<{
  * @see {@link CustomClientMetadataKey} for key descriptions.
  */
 export type CustomClientMetadata = z.infer<typeof customClientMetadataGuard>;
+export declare const oidcSessionAuthorizationDetailsGuard: z.ZodObject<{
+    /**
+     * The `sid` (session ID) Claim associated with the session for the current client.
+     *
+     * @remarks
+     * Mark optional to make the guard more robust.
+     * Should always be present in the session authorization details
+     */
+    sid: z.ZodOptional<z.ZodString>;
+    /**
+     * The grantId associated with the session for the current client.
+     *
+     * @remarks
+     * Mark optional to make the guard more robust.
+     * Should always be present in the session authorization details when the session is authorized with a grant.
+     */
+    grantId: z.ZodOptional<z.ZodString>;
+    /**
+     * Whether the grant associated with the session should be persisted after the session is terminated.
+     *
+     * @remarks
+     * Mark optional to make the guard more robust.
+     */
+    persistsLogout: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodUnknown, z.objectOutputType<{
+    /**
+     * The `sid` (session ID) Claim associated with the session for the current client.
+     *
+     * @remarks
+     * Mark optional to make the guard more robust.
+     * Should always be present in the session authorization details
+     */
+    sid: z.ZodOptional<z.ZodString>;
+    /**
+     * The grantId associated with the session for the current client.
+     *
+     * @remarks
+     * Mark optional to make the guard more robust.
+     * Should always be present in the session authorization details when the session is authorized with a grant.
+     */
+    grantId: z.ZodOptional<z.ZodString>;
+    /**
+     * Whether the grant associated with the session should be persisted after the session is terminated.
+     *
+     * @remarks
+     * Mark optional to make the guard more robust.
+     */
+    persistsLogout: z.ZodOptional<z.ZodBoolean>;
+}, z.ZodUnknown, "strip">, z.objectInputType<{
+    /**
+     * The `sid` (session ID) Claim associated with the session for the current client.
+     *
+     * @remarks
+     * Mark optional to make the guard more robust.
+     * Should always be present in the session authorization details
+     */
+    sid: z.ZodOptional<z.ZodString>;
+    /**
+     * The grantId associated with the session for the current client.
+     *
+     * @remarks
+     * Mark optional to make the guard more robust.
+     * Should always be present in the session authorization details when the session is authorized with a grant.
+     */
+    grantId: z.ZodOptional<z.ZodString>;
+    /**
+     * Whether the grant associated with the session should be persisted after the session is terminated.
+     *
+     * @remarks
+     * Mark optional to make the guard more robust.
+     */
+    persistsLogout: z.ZodOptional<z.ZodBoolean>;
+}, z.ZodUnknown, "strip">>;
+export type OidcSessionAuthorizationDetails = z.infer<typeof oidcSessionAuthorizationDetailsGuard>;
+export declare const oidcSessionInstancePayloadGuard: z.ZodObject<{
+    exp: z.ZodNumber;
+    iat: z.ZodNumber;
+    jti: z.ZodString;
+    uid: z.ZodString;
+    kind: z.ZodLiteral<"Session">;
+    loginTs: z.ZodNumber;
+    accountId: z.ZodString;
+    /**
+     * A map of client_id to session authorization details. @see OidcSessionAuthorizationDetails
+     */
+    authorizations: z.ZodRecord<z.ZodString, z.ZodObject<{
+        /**
+         * The `sid` (session ID) Claim associated with the session for the current client.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         * Should always be present in the session authorization details
+         */
+        sid: z.ZodOptional<z.ZodString>;
+        /**
+         * The grantId associated with the session for the current client.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         * Should always be present in the session authorization details when the session is authorized with a grant.
+         */
+        grantId: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether the grant associated with the session should be persisted after the session is terminated.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         */
+        persistsLogout: z.ZodOptional<z.ZodBoolean>;
+    }, "strip", z.ZodUnknown, z.objectOutputType<{
+        /**
+         * The `sid` (session ID) Claim associated with the session for the current client.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         * Should always be present in the session authorization details
+         */
+        sid: z.ZodOptional<z.ZodString>;
+        /**
+         * The grantId associated with the session for the current client.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         * Should always be present in the session authorization details when the session is authorized with a grant.
+         */
+        grantId: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether the grant associated with the session should be persisted after the session is terminated.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         */
+        persistsLogout: z.ZodOptional<z.ZodBoolean>;
+    }, z.ZodUnknown, "strip">, z.objectInputType<{
+        /**
+         * The `sid` (session ID) Claim associated with the session for the current client.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         * Should always be present in the session authorization details
+         */
+        sid: z.ZodOptional<z.ZodString>;
+        /**
+         * The grantId associated with the session for the current client.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         * Should always be present in the session authorization details when the session is authorized with a grant.
+         */
+        grantId: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether the grant associated with the session should be persisted after the session is terminated.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         */
+        persistsLogout: z.ZodOptional<z.ZodBoolean>;
+    }, z.ZodUnknown, "strip">>>;
+}, "strip", z.ZodUnknown, z.objectOutputType<{
+    exp: z.ZodNumber;
+    iat: z.ZodNumber;
+    jti: z.ZodString;
+    uid: z.ZodString;
+    kind: z.ZodLiteral<"Session">;
+    loginTs: z.ZodNumber;
+    accountId: z.ZodString;
+    /**
+     * A map of client_id to session authorization details. @see OidcSessionAuthorizationDetails
+     */
+    authorizations: z.ZodRecord<z.ZodString, z.ZodObject<{
+        /**
+         * The `sid` (session ID) Claim associated with the session for the current client.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         * Should always be present in the session authorization details
+         */
+        sid: z.ZodOptional<z.ZodString>;
+        /**
+         * The grantId associated with the session for the current client.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         * Should always be present in the session authorization details when the session is authorized with a grant.
+         */
+        grantId: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether the grant associated with the session should be persisted after the session is terminated.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         */
+        persistsLogout: z.ZodOptional<z.ZodBoolean>;
+    }, "strip", z.ZodUnknown, z.objectOutputType<{
+        /**
+         * The `sid` (session ID) Claim associated with the session for the current client.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         * Should always be present in the session authorization details
+         */
+        sid: z.ZodOptional<z.ZodString>;
+        /**
+         * The grantId associated with the session for the current client.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         * Should always be present in the session authorization details when the session is authorized with a grant.
+         */
+        grantId: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether the grant associated with the session should be persisted after the session is terminated.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         */
+        persistsLogout: z.ZodOptional<z.ZodBoolean>;
+    }, z.ZodUnknown, "strip">, z.objectInputType<{
+        /**
+         * The `sid` (session ID) Claim associated with the session for the current client.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         * Should always be present in the session authorization details
+         */
+        sid: z.ZodOptional<z.ZodString>;
+        /**
+         * The grantId associated with the session for the current client.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         * Should always be present in the session authorization details when the session is authorized with a grant.
+         */
+        grantId: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether the grant associated with the session should be persisted after the session is terminated.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         */
+        persistsLogout: z.ZodOptional<z.ZodBoolean>;
+    }, z.ZodUnknown, "strip">>>;
+}, z.ZodUnknown, "strip">, z.objectInputType<{
+    exp: z.ZodNumber;
+    iat: z.ZodNumber;
+    jti: z.ZodString;
+    uid: z.ZodString;
+    kind: z.ZodLiteral<"Session">;
+    loginTs: z.ZodNumber;
+    accountId: z.ZodString;
+    /**
+     * A map of client_id to session authorization details. @see OidcSessionAuthorizationDetails
+     */
+    authorizations: z.ZodRecord<z.ZodString, z.ZodObject<{
+        /**
+         * The `sid` (session ID) Claim associated with the session for the current client.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         * Should always be present in the session authorization details
+         */
+        sid: z.ZodOptional<z.ZodString>;
+        /**
+         * The grantId associated with the session for the current client.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         * Should always be present in the session authorization details when the session is authorized with a grant.
+         */
+        grantId: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether the grant associated with the session should be persisted after the session is terminated.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         */
+        persistsLogout: z.ZodOptional<z.ZodBoolean>;
+    }, "strip", z.ZodUnknown, z.objectOutputType<{
+        /**
+         * The `sid` (session ID) Claim associated with the session for the current client.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         * Should always be present in the session authorization details
+         */
+        sid: z.ZodOptional<z.ZodString>;
+        /**
+         * The grantId associated with the session for the current client.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         * Should always be present in the session authorization details when the session is authorized with a grant.
+         */
+        grantId: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether the grant associated with the session should be persisted after the session is terminated.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         */
+        persistsLogout: z.ZodOptional<z.ZodBoolean>;
+    }, z.ZodUnknown, "strip">, z.objectInputType<{
+        /**
+         * The `sid` (session ID) Claim associated with the session for the current client.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         * Should always be present in the session authorization details
+         */
+        sid: z.ZodOptional<z.ZodString>;
+        /**
+         * The grantId associated with the session for the current client.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         * Should always be present in the session authorization details when the session is authorized with a grant.
+         */
+        grantId: z.ZodOptional<z.ZodString>;
+        /**
+         * Whether the grant associated with the session should be persisted after the session is terminated.
+         *
+         * @remarks
+         * Mark optional to make the guard more robust.
+         */
+        persistsLogout: z.ZodOptional<z.ZodBoolean>;
+    }, z.ZodUnknown, "strip">>>;
+}, z.ZodUnknown, "strip">>;
+export type OidcSessionInstancePayload = z.infer<typeof oidcSessionInstancePayloadGuard>;

package/lib/foundations/jsonb-types/oidc-module.js

@@ -66,3 +66,45 @@ export const customClientMetadataGuard = z.object({
     [CustomClientMetadataKey.RotateRefreshToken]: z.boolean().optional(),
     [CustomClientMetadataKey.AllowTokenExchange]: z.boolean().optional(),
 });
+export const oidcSessionAuthorizationDetailsGuard = z
+    .object({
+    /**
+     * The `sid` (session ID) Claim associated with the session for the current client.
+     *
+     * @remarks
+     * Mark optional to make the guard more robust.
+     * Should always be present in the session authorization details
+     */
+    sid: z.string().optional(),
+    /**
+     * The grantId associated with the session for the current client.
+     *
+     * @remarks
+     * Mark optional to make the guard more robust.
+     * Should always be present in the session authorization details when the session is authorized with a grant.
+     */
+    grantId: z.string().optional(),
+    /**
+     * Whether the grant associated with the session should be persisted after the session is terminated.
+     *
+     * @remarks
+     * Mark optional to make the guard more robust.
+     */
+    persistsLogout: z.boolean().optional(),
+})
+    .catchall(z.unknown());
+export const oidcSessionInstancePayloadGuard = z
+    .object({
+    exp: z.number(),
+    iat: z.number(),
+    jti: z.string(),
+    uid: z.string(),
+    kind: z.literal('Session'),
+    loginTs: z.number(),
+    accountId: z.string(),
+    /**
+     * A map of client_id to session authorization details. @see OidcSessionAuthorizationDetails
+     */
+    authorizations: z.record(z.string(), oidcSessionAuthorizationDetailsGuard),
+})
+    .catchall(z.unknown());

package/lib/foundations/jsonb-types/saml-application-configs.d.ts

@@ -1,7 +1,7 @@
 import { type UserClaim } from '@logto/core-kit';
 import { z } from 'zod';
 export type SamlAttributeMapping = Partial<Record<UserClaim | 'sub', string>>;
-export declare const samlAttributeMappingKeys: readonly ("name" | "email" | "username" | "sub" | "nickname" | "profile" | "website" | "gender" | "birthdate" | "zoneinfo" | "locale" | "address" | "given_name" | "family_name" | "middle_name" | "preferred_username" | "picture" | "email_verified" | "phone_number" | "phone_number_verified" | "updated_at" | "roles" | "organizations" | "organization_data" | "organization_roles" | "custom_data" | "identities" | "sso_identities" | "created_at")[];
+export declare const samlAttributeMappingKeys: readonly ("name" | "username" | "email" | "sub" | "nickname" | "profile" | "website" | "gender" | "birthdate" | "zoneinfo" | "locale" | "address" | "given_name" | "family_name" | "middle_name" | "preferred_username" | "picture" | "email_verified" | "phone_number" | "phone_number_verified" | "updated_at" | "created_at" | "custom_data" | "identities" | "sso_identities" | "roles" | "organizations" | "organization_data" | "organization_roles")[];
 export declare const samlAttributeMappingGuard: z.ZodObject<{
     [x: string]: z.ZodOptional<z.ZodString>;
 }, "strip", z.ZodTypeAny, {

package/lib/foundations/jsonb-types/sentinel.d.ts

@@ -35,7 +35,7 @@ export declare enum SentinelActivityAction {
     /**
      * The subject tries to pass a WebAuthn MFA verification.
      */
-    MfaWebAuthn = "MfaWebAuthn",
+    WebAuthn = "WebAuthn",
     /**
      * The subject tries to pass a backup code MFA verification.
      */

package/lib/foundations/jsonb-types/sentinel.js

@@ -37,7 +37,7 @@ export var SentinelActivityAction;
     /**
      * The subject tries to pass a WebAuthn MFA verification.
      */
-    SentinelActivityAction["MfaWebAuthn"] = "MfaWebAuthn";
+    SentinelActivityAction["WebAuthn"] = "WebAuthn";
     /**
      * The subject tries to pass a backup code MFA verification.
      */

package/lib/seeds/logto-config.d.ts

@@ -1,4 +1,4 @@
-import type { AdminConsoleData, CloudConnectionData } from '../types/index.js';
+import type { AdminConsoleData, CloudConnectionData, IdTokenConfig } from '../types/index.js';
 import { LogtoTenantConfigKey } from '../types/index.js';
 export declare const createDefaultAdminConsoleConfig: (forTenantId: string) => Readonly<{
     tenantId: string;
@@ -10,3 +10,8 @@ export declare const createCloudConnectionConfig: (forTenantId: string, appId: s
     key: LogtoTenantConfigKey;
     value: CloudConnectionData;
 }>;
+export declare const createDefaultIdTokenConfig: (forTenantId: string) => Readonly<{
+    tenantId: string;
+    key: LogtoTenantConfigKey;
+    value: IdTokenConfig;
+}>;

package/lib/seeds/logto-config.js

@@ -17,3 +17,14 @@ export const createCloudConnectionConfig = (forTenantId, appId, appSecret) => Ob
         resource: cloudApiIndicator,
     },
 });
+export const createDefaultIdTokenConfig = (forTenantId) => Object.freeze({
+    tenantId: forTenantId,
+    key: LogtoTenantConfigKey.IdToken,
+    value: {
+        enabledExtendedClaims: [
+            'roles',
+            'organizations',
+            'organization_roles',
+        ],
+    },
+});