@logto/schemas 1.37.1 → 1.38.0

package/alterations/1.38.0-1772615848-add-oidc-model-instances-grant-id-partial-index.ts

@@ -0,0 +1,26 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  beforeUp: async (pool) => {
+    await pool.query(sql`
+      create index concurrently oidc_model_instances__model_name_payload_grant_id_partial
+        on oidc_model_instances (tenant_id, model_name, (payload->>'grantId'))
+        where payload ? 'grantId';
+    `);
+  },
+  up: async () => {
+    /** `concurrently` cannot be used inside a transaction. */
+  },
+  beforeDown: async (pool) => {
+    await pool.query(sql`
+      drop index concurrently oidc_model_instances__model_name_payload_grant_id_partial;
+    `);
+  },
+  down: async () => {
+    /** `concurrently` cannot be used inside a transaction. */
+  },
+};
+
+export default alteration;

package/alterations/1.38.0-1772619963-tune-oidc-model-instances-autovacuum.ts

@@ -0,0 +1,28 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  up: async (pool) => {
+    await pool.query(sql`
+      alter table oidc_model_instances set (
+        autovacuum_vacuum_scale_factor = 0.05,
+        autovacuum_analyze_scale_factor = 0.02,
+        autovacuum_vacuum_threshold = 5000,
+        autovacuum_analyze_threshold = 2000
+      );
+    `);
+  },
+  down: async (pool) => {
+    await pool.query(sql`
+      alter table oidc_model_instances reset (
+        autovacuum_vacuum_scale_factor,
+        autovacuum_analyze_scale_factor,
+        autovacuum_vacuum_threshold,
+        autovacuum_analyze_threshold
+      );
+    `);
+  },
+};
+
+export default alteration;

package/alterations/1.38.0-1772621060-add-oidc-model-instances-grant-account-id-index.ts

@@ -0,0 +1,26 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+const alteration: AlterationScript = {
+  beforeUp: async (pool) => {
+    await pool.query(sql`
+      create index concurrently oidc_model_instances__grant_payload_account_id_expires_at
+        on oidc_model_instances (tenant_id, (payload->>'accountId'), expires_at)
+        WHERE model_name = 'Grant';
+    `);
+  },
+  up: async () => {
+    /** 'concurrently' cannot be used inside a transaction, so this up is intentionally left empty. */
+  },
+  beforeDown: async (pool) => {
+    await pool.query(sql`
+      drop index concurrently oidc_model_instances__grant_payload_account_id_expires_at;
+    `);
+  },
+  down: async () => {
+    /** 'concurrently' cannot be used inside a transaction, so this down is intentionally left empty. */
+  },
+};
+
+export default alteration;

package/alterations-js/1.38.0-1772615848-add-oidc-model-instances-grant-id-partial-index.js

@@ -0,0 +1,22 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    beforeUp: async (pool) => {
+        await pool.query(sql `
+      create index concurrently oidc_model_instances__model_name_payload_grant_id_partial
+        on oidc_model_instances (tenant_id, model_name, (payload->>'grantId'))
+        where payload ? 'grantId';
+    `);
+    },
+    up: async () => {
+        /** `concurrently` cannot be used inside a transaction. */
+    },
+    beforeDown: async (pool) => {
+        await pool.query(sql `
+      drop index concurrently oidc_model_instances__model_name_payload_grant_id_partial;
+    `);
+    },
+    down: async () => {
+        /** `concurrently` cannot be used inside a transaction. */
+    },
+};
+export default alteration;

package/alterations-js/1.38.0-1772619963-tune-oidc-model-instances-autovacuum.js

@@ -0,0 +1,24 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    up: async (pool) => {
+        await pool.query(sql `
+      alter table oidc_model_instances set (
+        autovacuum_vacuum_scale_factor = 0.05,
+        autovacuum_analyze_scale_factor = 0.02,
+        autovacuum_vacuum_threshold = 5000,
+        autovacuum_analyze_threshold = 2000
+      );
+    `);
+    },
+    down: async (pool) => {
+        await pool.query(sql `
+      alter table oidc_model_instances reset (
+        autovacuum_vacuum_scale_factor,
+        autovacuum_analyze_scale_factor,
+        autovacuum_vacuum_threshold,
+        autovacuum_analyze_threshold
+      );
+    `);
+    },
+};
+export default alteration;

package/alterations-js/1.38.0-1772621060-add-oidc-model-instances-grant-account-id-index.js

@@ -0,0 +1,22 @@
+import { sql } from '@silverhand/slonik';
+const alteration = {
+    beforeUp: async (pool) => {
+        await pool.query(sql `
+      create index concurrently oidc_model_instances__grant_payload_account_id_expires_at
+        on oidc_model_instances (tenant_id, (payload->>'accountId'), expires_at)
+        WHERE model_name = 'Grant';
+    `);
+    },
+    up: async () => {
+        /** 'concurrently' cannot be used inside a transaction, so this up is intentionally left empty. */
+    },
+    beforeDown: async (pool) => {
+        await pool.query(sql `
+      drop index concurrently oidc_model_instances__grant_payload_account_id_expires_at;
+    `);
+    },
+    down: async () => {
+        /** 'concurrently' cannot be used inside a transaction, so this down is intentionally left empty. */
+    },
+};
+export default alteration;

package/lib/consts/cookie.d.ts

@@ -1 +1,2 @@
 export declare const logtoCookieKey = "_logto";
+export declare const deviceFlowXsrfCookieKey = "_logto_device_flow_xsrf";

package/lib/consts/cookie.js

@@ -1 +1,2 @@
 export const logtoCookieKey = '_logto';
+export const deviceFlowXsrfCookieKey = '_logto_device_flow_xsrf';

package/lib/consts/experience.d.ts

@@ -4,6 +4,7 @@ export declare const experience: Readonly<{
         readonly register: "register";
         readonly sso: "single-sign-on";
         readonly consent: "consent";
+        readonly device: "device";
         readonly resetPassword: "reset-password";
         readonly identifierSignIn: "identifier-sign-in";
         readonly identifierRegister: "identifier-register";

package/lib/consts/experience.js

@@ -3,6 +3,7 @@ const routes = Object.freeze({
     register: 'register',
     sso: 'single-sign-on',
     consent: 'consent',
+    device: 'device',
     resetPassword: 'reset-password',
     identifierSignIn: 'identifier-sign-in',
     identifierRegister: 'identifier-register',

package/lib/consts/oidc.d.ts

@@ -1,5 +1,8 @@
 import { z } from 'zod';
 export declare const tenantIdKey = "tenant_id";
+export declare const oidcRoutes: Readonly<{
+    readonly codeVerification: "/oidc/device";
+}>;
 export declare const customClientMetadataDefault: Readonly<{
     readonly idTokenTtl: number;
     readonly refreshTokenTtlInDays: 14;

package/lib/consts/oidc.js

@@ -1,6 +1,9 @@
 import { z } from 'zod';
 import { inSeconds } from './date.js';
 export const tenantIdKey = 'tenant_id';
+export const oidcRoutes = Object.freeze({
+    codeVerification: '/oidc/device',
+});
 export const customClientMetadataDefault = Object.freeze({
     idTokenTtl: inSeconds.oneHour,
     refreshTokenTtlInDays: 14,

package/lib/consts/system.d.ts

@@ -11,3 +11,7 @@
 export declare const ossConsolePath = "/console";
 /** The prefix for keys and values that need to be explicitly marked as internal. */
 export declare const internalPrefix = "#internal:";
+/**
+ * The timeout for WebAuthn authentication options, in milliseconds.
+ */
+export declare const webAuthnAuthenticationOptionsTimeout = 60000;

package/lib/consts/system.js

@@ -11,3 +11,7 @@
 export const ossConsolePath = '/console';
 /** The prefix for keys and values that need to be explicitly marked as internal. */
 export const internalPrefix = '#internal:';
+/**
+ * The timeout for WebAuthn authentication options, in milliseconds.
+ */
+export const webAuthnAuthenticationOptionsTimeout = 60_000;

package/lib/foundations/jsonb-types/oidc-module.d.ts

@@ -88,7 +88,20 @@ export declare enum CustomClientMetadataKey {
      *
      * Defaults to `false` for all new applications. Users must explicitly enable it.
      */
-    AllowTokenExchange = "allowTokenExchange"
+    AllowTokenExchange = "allowTokenExchange",
+    /**
+     * Whether the application uses the OAuth 2.0 Device Authorization Grant (RFC 8628)
+     * instead of the standard Authorization Code flow.
+     *
+     * Only applicable to native applications. Defaults to `false`.
+     */
+    IsDeviceFlow = "isDeviceFlow",
+    /**
+     * The maximum number of active sessions (devices) allowed per user for this application.
+     *
+     * When exceeded, old sessions should be revoked according to server policy.
+     */
+    MaxAllowedGrants = "maxAllowedGrants"
 }
 export declare const customClientMetadataGuard: z.ZodObject<{
     corsAllowedOrigins: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
@@ -99,6 +112,8 @@ export declare const customClientMetadataGuard: z.ZodObject<{
     alwaysIssueRefreshToken: z.ZodOptional<z.ZodBoolean>;
     rotateRefreshToken: z.ZodOptional<z.ZodBoolean>;
     allowTokenExchange: z.ZodOptional<z.ZodBoolean>;
+    isDeviceFlow: z.ZodOptional<z.ZodBoolean>;
+    maxAllowedGrants: z.ZodOptional<z.ZodNumber>;
 }, "strip", z.ZodTypeAny, {
     corsAllowedOrigins?: string[] | undefined;
     idTokenTtl?: number | undefined;
@@ -108,6 +123,8 @@ export declare const customClientMetadataGuard: z.ZodObject<{
     alwaysIssueRefreshToken?: boolean | undefined;
     rotateRefreshToken?: boolean | undefined;
     allowTokenExchange?: boolean | undefined;
+    isDeviceFlow?: boolean | undefined;
+    maxAllowedGrants?: number | undefined;
 }, {
     corsAllowedOrigins?: string[] | undefined;
     idTokenTtl?: number | undefined;
@@ -117,6 +134,8 @@ export declare const customClientMetadataGuard: z.ZodObject<{
     alwaysIssueRefreshToken?: boolean | undefined;
     rotateRefreshToken?: boolean | undefined;
     allowTokenExchange?: boolean | undefined;
+    isDeviceFlow?: boolean | undefined;
+    maxAllowedGrants?: number | undefined;
 }>;
 /**
  * @see {@link CustomClientMetadataKey} for key descriptions.
@@ -207,7 +226,7 @@ export declare const oidcSessionInstancePayloadGuard: z.ZodObject<{
     /**
      * A map of client_id to session authorization details. @see OidcSessionAuthorizationDetails
      */
-    authorizations: z.ZodRecord<z.ZodString, z.ZodObject<{
+    authorizations: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
         /**
          * The `sid` (session ID) Claim associated with the session for the current client.
          *
@@ -279,7 +298,7 @@ export declare const oidcSessionInstancePayloadGuard: z.ZodObject<{
          * Mark optional to make the guard more robust.
          */
         persistsLogout: z.ZodOptional<z.ZodBoolean>;
-    }, z.ZodUnknown, "strip">>>;
+    }, z.ZodUnknown, "strip">>>>;
 }, "strip", z.ZodUnknown, z.objectOutputType<{
     exp: z.ZodNumber;
     iat: z.ZodNumber;
@@ -291,7 +310,7 @@ export declare const oidcSessionInstancePayloadGuard: z.ZodObject<{
     /**
      * A map of client_id to session authorization details. @see OidcSessionAuthorizationDetails
      */
-    authorizations: z.ZodRecord<z.ZodString, z.ZodObject<{
+    authorizations: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
         /**
          * The `sid` (session ID) Claim associated with the session for the current client.
          *
@@ -363,7 +382,7 @@ export declare const oidcSessionInstancePayloadGuard: z.ZodObject<{
          * Mark optional to make the guard more robust.
          */
         persistsLogout: z.ZodOptional<z.ZodBoolean>;
-    }, z.ZodUnknown, "strip">>>;
+    }, z.ZodUnknown, "strip">>>>;
 }, z.ZodUnknown, "strip">, z.objectInputType<{
     exp: z.ZodNumber;
     iat: z.ZodNumber;
@@ -375,7 +394,7 @@ export declare const oidcSessionInstancePayloadGuard: z.ZodObject<{
     /**
      * A map of client_id to session authorization details. @see OidcSessionAuthorizationDetails
      */
-    authorizations: z.ZodRecord<z.ZodString, z.ZodObject<{
+    authorizations: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodObject<{
         /**
          * The `sid` (session ID) Claim associated with the session for the current client.
          *
@@ -447,6 +466,6 @@ export declare const oidcSessionInstancePayloadGuard: z.ZodObject<{
          * Mark optional to make the guard more robust.
          */
         persistsLogout: z.ZodOptional<z.ZodBoolean>;
-    }, z.ZodUnknown, "strip">>>;
+    }, z.ZodUnknown, "strip">>>>;
 }, z.ZodUnknown, "strip">>;
 export type OidcSessionInstancePayload = z.infer<typeof oidcSessionInstancePayloadGuard>;

package/lib/foundations/jsonb-types/oidc-module.js

@@ -55,6 +55,19 @@ export var CustomClientMetadataKey;
      * Defaults to `false` for all new applications. Users must explicitly enable it.
      */
     CustomClientMetadataKey["AllowTokenExchange"] = "allowTokenExchange";
+    /**
+     * Whether the application uses the OAuth 2.0 Device Authorization Grant (RFC 8628)
+     * instead of the standard Authorization Code flow.
+     *
+     * Only applicable to native applications. Defaults to `false`.
+     */
+    CustomClientMetadataKey["IsDeviceFlow"] = "isDeviceFlow";
+    /**
+     * The maximum number of active sessions (devices) allowed per user for this application.
+     *
+     * When exceeded, old sessions should be revoked according to server policy.
+     */
+    CustomClientMetadataKey["MaxAllowedGrants"] = "maxAllowedGrants";
 })(CustomClientMetadataKey || (CustomClientMetadataKey = {}));
 export const customClientMetadataGuard = z.object({
     [CustomClientMetadataKey.CorsAllowedOrigins]: z.string().min(1).array().optional(),
@@ -65,6 +78,8 @@ export const customClientMetadataGuard = z.object({
     [CustomClientMetadataKey.AlwaysIssueRefreshToken]: z.boolean().optional(),
     [CustomClientMetadataKey.RotateRefreshToken]: z.boolean().optional(),
     [CustomClientMetadataKey.AllowTokenExchange]: z.boolean().optional(),
+    [CustomClientMetadataKey.IsDeviceFlow]: z.boolean().optional(),
+    [CustomClientMetadataKey.MaxAllowedGrants]: z.number().int().positive().optional(),
 });
 export const oidcSessionAuthorizationDetailsGuard = z
     .object({
@@ -105,6 +120,6 @@ export const oidcSessionInstancePayloadGuard = z
     /**
      * A map of client_id to session authorization details. @see OidcSessionAuthorizationDetails
      */
-    authorizations: z.record(z.string(), oidcSessionAuthorizationDetailsGuard),
+    authorizations: z.record(z.string(), oidcSessionAuthorizationDetailsGuard).optional(),
 })
     .catchall(z.unknown());

package/lib/foundations/jsonb-types/sign-in-experience.d.ts

@@ -51,13 +51,13 @@ export declare const brandingGuard: z.ZodObject<{
 export type Branding = z.infer<typeof brandingGuard>;
 export declare const languageInfoGuard: z.ZodObject<{
     autoDetect: z.ZodBoolean;
-    fallbackLanguage: z.ZodType<"af-ZA" | "am-ET" | "ar" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR", z.ZodTypeDef, "af-ZA" | "am-ET" | "ar" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR">;
+    fallbackLanguage: z.ZodType<"af-ZA" | "am-ET" | "ar" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR", z.ZodTypeDef, "af-ZA" | "am-ET" | "ar" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR">;
 }, "strip", z.ZodTypeAny, {
     autoDetect: boolean;
-    fallbackLanguage: "af-ZA" | "am-ET" | "ar" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR";
+    fallbackLanguage: "af-ZA" | "am-ET" | "ar" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR";
 }, {
     autoDetect: boolean;
-    fallbackLanguage: "af-ZA" | "am-ET" | "ar" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR";
+    fallbackLanguage: "af-ZA" | "am-ET" | "ar" | "ar-AR" | "as-IN" | "az-AZ" | "be-BY" | "bg-BG" | "bn-IN" | "br-FR" | "bs-BA" | "ca-ES" | "cb-IQ" | "co-FR" | "cs" | "cs-CZ" | "cx-PH" | "cy-GB" | "da-DK" | "de" | "de-DE" | "el-GR" | "en" | "en-GB" | "en-US" | "eo-EO" | "es" | "es-ES" | "es-419" | "et-EE" | "eu-ES" | "fa-IR" | "ff-NG" | "fi" | "fi-FI" | "fo-FO" | "fr" | "fr-CA" | "fr-FR" | "fy-NL" | "ga-IE" | "gl-ES" | "gn-PY" | "gu-IN" | "ha-NG" | "he-IL" | "hi-IN" | "hr-HR" | "ht-HT" | "hu-HU" | "hy-AM" | "id-ID" | "ik-US" | "is-IS" | "it" | "it-IT" | "iu-CA" | "ja" | "ja-JP" | "ja-KS" | "jv-ID" | "ka-GE" | "kk-KZ" | "km-KH" | "kn-IN" | "ko" | "ko-KR" | "ku-TR" | "ky-KG" | "lo-LA" | "lt-LT" | "lv-LV" | "mg-MG" | "mk-MK" | "ml-IN" | "mn-MN" | "mr-IN" | "ms-MY" | "mt-MT" | "my-MM" | "nb-NO" | "ne-NP" | "nl" | "nl-BE" | "nl-NL" | "nn-NO" | "or-IN" | "pa-IN" | "pl-PL" | "ps-AF" | "pt" | "pt-BR" | "pt-PT" | "ro-RO" | "ru" | "ru-RU" | "rw-RW" | "sc-IT" | "si-LK" | "sk-SK" | "sl-SI" | "sn-ZW" | "sq-AL" | "sr-RS" | "sv" | "sv-SE" | "sw-KE" | "sy-SY" | "sz-PL" | "ta-IN" | "te-IN" | "tg-TJ" | "th" | "th-TH" | "tl-PH" | "tr" | "tr-TR" | "tt-RU" | "tz-MA" | "uk-UA" | "ur-PK" | "uz-UZ" | "vi-VN" | "zh" | "zh-CN" | "zh-HK" | "zh-MO" | "zh-TW" | "zz-TR";
 }>;
 export type LanguageInfo = z.infer<typeof languageInfoGuard>;
 export declare enum SignInIdentifier {
@@ -237,12 +237,16 @@ export declare enum MfaPolicy {
     UserControlled = "UserControlled",
     /** MFA is required for all users */
     Mandatory = "Mandatory",
-    /** Ask users to set up MFA on their sign-in after registration (skippable, one-time prompt) */
+    /** Ask users to set up MFA on their sign-in after registration (skippable, one-time prompt, Optional MFA only) */
     PromptOnlyAtSignIn = "PromptOnlyAtSignIn",
-    /** Ask users to set up MFA during registration (skippable, one-time prompt) */
+    /** Ask users to set up MFA during registration (skippable, one-time prompt, Optional MFA only) */
     PromptAtSignInAndSignUp = "PromptAtSignInAndSignUp",
     /** Do not ask users to set up MFA */
-    NoPrompt = "NoPrompt"
+    NoPrompt = "NoPrompt",
+    /** Ask users to set up MFA during registration or at next sign-in (no-skip, Adaptive MFA only) */
+    PromptAtSignInAndSignUpMandatory = "PromptAtSignInAndSignUpMandatory",
+    /** Ask users to set up MFA at next sign-in after registration (no-skip, Adaptive MFA only) */
+    PromptOnlyAtSignInMandatory = "PromptOnlyAtSignInMandatory"
 }
 export declare enum OrganizationRequiredMfaPolicy {
     /** Do not ask users to set up MFA */

package/lib/foundations/jsonb-types/sign-in-experience.js

@@ -83,12 +83,16 @@ export var MfaPolicy;
     MfaPolicy["UserControlled"] = "UserControlled";
     /** MFA is required for all users */
     MfaPolicy["Mandatory"] = "Mandatory";
-    /** Ask users to set up MFA on their sign-in after registration (skippable, one-time prompt) */
+    /** Ask users to set up MFA on their sign-in after registration (skippable, one-time prompt, Optional MFA only) */
     MfaPolicy["PromptOnlyAtSignIn"] = "PromptOnlyAtSignIn";
-    /** Ask users to set up MFA during registration (skippable, one-time prompt) */
+    /** Ask users to set up MFA during registration (skippable, one-time prompt, Optional MFA only) */
     MfaPolicy["PromptAtSignInAndSignUp"] = "PromptAtSignInAndSignUp";
     /** Do not ask users to set up MFA */
     MfaPolicy["NoPrompt"] = "NoPrompt";
+    /** Ask users to set up MFA during registration or at next sign-in (no-skip, Adaptive MFA only) */
+    MfaPolicy["PromptAtSignInAndSignUpMandatory"] = "PromptAtSignInAndSignUpMandatory";
+    /** Ask users to set up MFA at next sign-in after registration (no-skip, Adaptive MFA only) */
+    MfaPolicy["PromptOnlyAtSignInMandatory"] = "PromptOnlyAtSignInMandatory";
 })(MfaPolicy || (MfaPolicy = {}));
 export var OrganizationRequiredMfaPolicy;
 (function (OrganizationRequiredMfaPolicy) {

package/lib/seeds/application.d.ts

@@ -7,9 +7,11 @@ import type { Application, CreateApplication, CreateApplicationsRole } from '../
 export declare const adminConsoleApplicationId = "admin-console";
 export declare const demoAppApplicationId = "demo-app";
 export declare const accountCenterApplicationId = "account-center";
+export declare const deviceDemoAppApplicationId = "device-demo-app";
 export declare const buildDemoAppDataForTenant: (tenantId: string) => Application;
 export declare const buildAccountCenterAppDataForTenant: (tenantId: string) => Application;
-export type BuiltInApplicationId = typeof demoAppApplicationId | typeof accountCenterApplicationId;
+export declare const buildDeviceDemoAppDataForTenant: (tenantId: string) => Application;
+export type BuiltInApplicationId = typeof demoAppApplicationId | typeof accountCenterApplicationId | typeof deviceDemoAppApplicationId;
 export declare const isBuiltInApplicationId: (applicationId: string) => applicationId is BuiltInApplicationId;
 export declare const isBuiltInClientId: (applicationId: string) => applicationId is BuiltInApplicationId;
 export declare const buildBuiltInApplicationDataForTenant: (tenantId: string, applicationId: BuiltInApplicationId) => Application;

package/lib/seeds/application.js

@@ -9,6 +9,7 @@ import { adminTenantId } from './tenant.js';
 export const adminConsoleApplicationId = 'admin-console';
 export const demoAppApplicationId = 'demo-app';
 export const accountCenterApplicationId = 'account-center';
+export const deviceDemoAppApplicationId = 'device-demo-app';
 const buildSpaApplicationData = (tenantId, { id, name, description, }) => ({
     tenantId,
     id,
@@ -33,12 +34,36 @@ export const buildAccountCenterAppDataForTenant = (tenantId) => buildSpaApplicat
     name: 'Account Center',
     description: 'Placeholder application for Account Center.',
 });
-export const isBuiltInApplicationId = (applicationId) => applicationId === demoAppApplicationId || applicationId === accountCenterApplicationId;
+const buildNativeApplicationData = (tenantId, { id, name, description, }) => ({
+    tenantId,
+    id,
+    name,
+    secret: 'N/A',
+    description,
+    type: ApplicationType.Native,
+    oidcClientMetadata: { redirectUris: [], postLogoutRedirectUris: [] },
+    customClientMetadata: { isDeviceFlow: true },
+    protectedAppMetadata: null,
+    isThirdParty: false,
+    createdAt: 0,
+    customData: {},
+});
+export const buildDeviceDemoAppDataForTenant = (tenantId) => buildNativeApplicationData(tenantId, {
+    id: deviceDemoAppApplicationId,
+    name: 'Device Flow Preview',
+    description: 'Preview for Device Authorization Flow.',
+});
+export const isBuiltInApplicationId = (applicationId) => applicationId === demoAppApplicationId ||
+    applicationId === accountCenterApplicationId ||
+    applicationId === deviceDemoAppApplicationId;
 export const isBuiltInClientId = isBuiltInApplicationId;
 export const buildBuiltInApplicationDataForTenant = (tenantId, applicationId) => {
     if (applicationId === demoAppApplicationId) {
         return buildDemoAppDataForTenant(tenantId);
     }
+    if (applicationId === deviceDemoAppApplicationId) {
+        return buildDeviceDemoAppDataForTenant(tenantId);
+    }
     return buildAccountCenterAppDataForTenant(tenantId);
 };
 export const createDefaultAdminConsoleApplication = () => Object.freeze({

package/lib/types/application.d.ts

@@ -27,6 +27,8 @@ export declare const featuredApplicationGuard: z.ZodObject<Pick<{
         alwaysIssueRefreshToken?: boolean | undefined;
         rotateRefreshToken?: boolean | undefined;
         allowTokenExchange?: boolean | undefined;
+        isDeviceFlow?: boolean | undefined;
+        maxAllowedGrants?: number | undefined;
     }, z.ZodTypeDef, {
         corsAllowedOrigins?: string[] | undefined;
         idTokenTtl?: number | undefined;
@@ -36,6 +38,8 @@ export declare const featuredApplicationGuard: z.ZodObject<Pick<{
         alwaysIssueRefreshToken?: boolean | undefined;
         rotateRefreshToken?: boolean | undefined;
         allowTokenExchange?: boolean | undefined;
+        isDeviceFlow?: boolean | undefined;
+        maxAllowedGrants?: number | undefined;
     }>;
     protectedAppMetadata: z.ZodType<{
         host: string;
@@ -119,6 +123,8 @@ export declare const applicationCreateGuard: z.ZodObject<{
         alwaysIssueRefreshToken?: boolean | undefined;
         rotateRefreshToken?: boolean | undefined;
         allowTokenExchange?: boolean | undefined;
+        isDeviceFlow?: boolean | undefined;
+        maxAllowedGrants?: number | undefined;
     }, z.ZodTypeDef, {
         corsAllowedOrigins?: string[] | undefined;
         idTokenTtl?: number | undefined;
@@ -128,6 +134,8 @@ export declare const applicationCreateGuard: z.ZodObject<{
         alwaysIssueRefreshToken?: boolean | undefined;
         rotateRefreshToken?: boolean | undefined;
         allowTokenExchange?: boolean | undefined;
+        isDeviceFlow?: boolean | undefined;
+        maxAllowedGrants?: number | undefined;
     }>>>;
     protectedAppMetadata: z.ZodOptional<z.ZodOptional<z.ZodType<{
         host: string;
@@ -222,6 +230,8 @@ export declare const applicationPatchGuard: z.ZodObject<Omit<{
         alwaysIssueRefreshToken?: boolean | undefined;
         rotateRefreshToken?: boolean | undefined;
         allowTokenExchange?: boolean | undefined;
+        isDeviceFlow?: boolean | undefined;
+        maxAllowedGrants?: number | undefined;
     }, z.ZodTypeDef, {
         corsAllowedOrigins?: string[] | undefined;
         idTokenTtl?: number | undefined;
@@ -231,6 +241,8 @@ export declare const applicationPatchGuard: z.ZodObject<Omit<{
         alwaysIssueRefreshToken?: boolean | undefined;
         rotateRefreshToken?: boolean | undefined;
         allowTokenExchange?: boolean | undefined;
+        isDeviceFlow?: boolean | undefined;
+        maxAllowedGrants?: number | undefined;
     }>>>>;
     protectedAppMetadata: z.ZodOptional<z.ZodOptional<z.ZodOptional<z.ZodType<{
         host: string;

package/lib/types/connector.d.ts

@@ -241,6 +241,7 @@ export declare const connectorResponseGuard: z.ZodObject<{
         "ca-ES"?: string | undefined;
         "cb-IQ"?: string | undefined;
         "co-FR"?: string | undefined;
+        cs?: string | undefined;
         "cs-CZ"?: string | undefined;
         "cx-PH"?: string | undefined;
         "cy-GB"?: string | undefined;
@@ -374,6 +375,7 @@ export declare const connectorResponseGuard: z.ZodObject<{
         "ca-ES"?: string | undefined;
         "cb-IQ"?: string | undefined;
         "co-FR"?: string | undefined;
+        cs?: string | undefined;
         "cs-CZ"?: string | undefined;
         "cx-PH"?: string | undefined;
         "cy-GB"?: string | undefined;
@@ -577,6 +579,7 @@ export declare const connectorResponseGuard: z.ZodObject<{
         "ca-ES"?: string | undefined;
         "cb-IQ"?: string | undefined;
         "co-FR"?: string | undefined;
+        cs?: string | undefined;
         "cs-CZ"?: string | undefined;
         "cx-PH"?: string | undefined;
         "cy-GB"?: string | undefined;
@@ -710,6 +713,7 @@ export declare const connectorResponseGuard: z.ZodObject<{
         "ca-ES"?: string | undefined;
         "cb-IQ"?: string | undefined;
         "co-FR"?: string | undefined;
+        cs?: string | undefined;
         "cs-CZ"?: string | undefined;
         "cx-PH"?: string | undefined;
         "cy-GB"?: string | undefined;
@@ -1118,6 +1122,7 @@ export declare const connectorFactoryResponseGuard: z.ZodObject<{
         "ca-ES"?: string | undefined;
         "cb-IQ"?: string | undefined;
         "co-FR"?: string | undefined;
+        cs?: string | undefined;
         "cs-CZ"?: string | undefined;
         "cx-PH"?: string | undefined;
         "cy-GB"?: string | undefined;
@@ -1251,6 +1256,7 @@ export declare const connectorFactoryResponseGuard: z.ZodObject<{
         "ca-ES"?: string | undefined;
         "cb-IQ"?: string | undefined;
         "co-FR"?: string | undefined;
+        cs?: string | undefined;
         "cs-CZ"?: string | undefined;
         "cx-PH"?: string | undefined;
         "cy-GB"?: string | undefined;
@@ -1447,6 +1453,7 @@ export declare const connectorFactoryResponseGuard: z.ZodObject<{
         "ca-ES"?: string | undefined;
         "cb-IQ"?: string | undefined;
         "co-FR"?: string | undefined;
+        cs?: string | undefined;
         "cs-CZ"?: string | undefined;
         "cx-PH"?: string | undefined;
         "cy-GB"?: string | undefined;
@@ -1580,6 +1587,7 @@ export declare const connectorFactoryResponseGuard: z.ZodObject<{
         "ca-ES"?: string | undefined;
         "cb-IQ"?: string | undefined;
         "co-FR"?: string | undefined;
+        cs?: string | undefined;
         "cs-CZ"?: string | undefined;
         "cx-PH"?: string | undefined;
         "cy-GB"?: string | undefined;