zuplo 6.72.0 → 6.72.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/docs/analytics/access-and-entitlements.md +7 -8
- package/docs/analytics/overview.md +5 -5
- package/docs/analytics/shared-controls.md +2 -2
- package/docs/dev-portal/zudoku/components/landing-page.mdx +1 -1
- package/docs/policies/mcp-token-exchange-inbound/doc.md +41 -3
- package/docs/policies/mcp-token-exchange-inbound/schema.json +13 -0
- package/package.json +4 -4
|
@@ -5,23 +5,22 @@ sidebar_label: "Access & Entitlements"
|
|
|
5
5
|
|
|
6
6
|
## When to use this
|
|
7
7
|
|
|
8
|
-
- Confirm whether your account can see
|
|
8
|
+
- Confirm whether your account can see analytics.
|
|
9
9
|
- Find out how many days of history you have access to.
|
|
10
10
|
- Understand the trial banner or the demo mode link.
|
|
11
11
|
|
|
12
12
|
## Plan requirements
|
|
13
13
|
|
|
14
|
-
|
|
15
|
-
|
|
14
|
+
Analytics must be enabled on your account. Without it, the Analytics page shows
|
|
15
|
+
an upsell view with a **Contact Sales** call-to-action and no charts.
|
|
16
16
|
|
|
17
17
|
## Free trial
|
|
18
18
|
|
|
19
|
-
New accounts with
|
|
20
|
-
trial:
|
|
19
|
+
New accounts with analytics enabled get an automatic free trial. The trial:
|
|
21
20
|
|
|
22
21
|
- Runs for the same number of days as your account's retention window.
|
|
23
22
|
- Shows a banner across the top of the Analytics page: "You're on a {N}-day
|
|
24
|
-
preview of
|
|
23
|
+
preview of Analytics, {N} days left."
|
|
25
24
|
- Includes two call-to-actions: **View demo →** (loads the dashboard with sample
|
|
26
25
|
data) and **Contact sales**.
|
|
27
26
|
|
|
@@ -54,8 +53,8 @@ Append `?demo=true` to the Analytics URL, or click **View demo →** in the tria
|
|
|
54
53
|
banner, to switch into demo mode. In demo mode:
|
|
55
54
|
|
|
56
55
|
- Charts and tables are populated with synthetic sample data.
|
|
57
|
-
- A persistent banner reads: "You're viewing the
|
|
58
|
-
|
|
56
|
+
- A persistent banner reads: "You're viewing the Analytics demo with sample
|
|
57
|
+
data. Your real analytics aren't shown here."
|
|
59
58
|
|
|
60
59
|
Remove the `demo` parameter from the URL to return to your real data.
|
|
61
60
|
|
|
@@ -56,12 +56,12 @@ You'll see a subset of sections depending on your plan and project setup:
|
|
|
56
56
|
|
|
57
57
|
| Section | When it appears |
|
|
58
58
|
| --------- | ---------------------------------------------------------- |
|
|
59
|
-
| Requests | All accounts with
|
|
59
|
+
| Requests | All accounts with analytics enabled. |
|
|
60
60
|
| Origins | The project uses managed-edge origins. |
|
|
61
|
-
| Consumers | All accounts with
|
|
62
|
-
| Agents | All accounts with
|
|
61
|
+
| Consumers | All accounts with analytics enabled. |
|
|
62
|
+
| Agents | All accounts with analytics enabled. |
|
|
63
63
|
| MCP | The project type is **standard** and the project uses MCP. |
|
|
64
64
|
| GraphQL | The project proxies a GraphQL API. |
|
|
65
65
|
|
|
66
|
-
If you don't see Analytics at all, your account likely doesn't have
|
|
67
|
-
|
|
66
|
+
If you don't see Analytics at all, your account likely doesn't have analytics
|
|
67
|
+
enabled. See [Access and entitlements](./access-and-entitlements.md).
|
|
@@ -99,8 +99,8 @@ Banners appear at the top of the page in this priority order:
|
|
|
99
99
|
1. **Preview banner**: when `preview=1` is set. Indicates legacy preview mode.
|
|
100
100
|
2. **Demo banner**: when `demo=true` is set. Reminds you sample data is shown
|
|
101
101
|
instead of your real analytics.
|
|
102
|
-
3. **Trial banner**: for new accounts with
|
|
103
|
-
|
|
102
|
+
3. **Trial banner**: for new accounts with analytics. Shows days remaining and
|
|
103
|
+
offers **View demo →** and **Contact Sales**.
|
|
104
104
|
|
|
105
105
|
## Loading and empty states
|
|
106
106
|
|
|
@@ -10,7 +10,7 @@ A ready-made, customizable landing page for your developer portal. It comes in t
|
|
|
10
10
|
covering the most common layouts: a centered hero, a two-column split hero, and a compact
|
|
11
11
|
documentation hub.
|
|
12
12
|
|
|
13
|
-
Use it as the `element` of a [custom page](/dev-portal/zudoku/custom-pages) — typically your home page:
|
|
13
|
+
Use it as the `element` of a [custom page](/dev-portal/zudoku/guides/custom-pages) — typically your home page:
|
|
14
14
|
|
|
15
15
|
```tsx title=zudoku.config.tsx
|
|
16
16
|
import { LandingPage } from "zudoku/components";
|
|
@@ -65,9 +65,47 @@ can discover:
|
|
|
65
65
|
2. The upstream protected resource metadata `scopes_supported` value.
|
|
66
66
|
3. No `scope` parameter if the upstream does not advertise one.
|
|
67
67
|
|
|
68
|
-
Explicit configured scopes always win
|
|
69
|
-
|
|
70
|
-
|
|
68
|
+
Explicit configured scopes always win: they are sent as the `scope` parameter on
|
|
69
|
+
the upstream authorization request even when the upstream advertises a different
|
|
70
|
+
`scopes_supported` in its protected resource metadata. Use them for providers
|
|
71
|
+
such as Microsoft 365 where the correct resource-specific application scope is
|
|
72
|
+
known from the provider configuration rather than from MCP discovery, or to add
|
|
73
|
+
`offline_access` when the upstream requires it for refresh-token issuance but
|
|
74
|
+
does not advertise it.
|
|
75
|
+
|
|
76
|
+
## Consent Prompt Override
|
|
77
|
+
|
|
78
|
+
The MCP SDK that the gateway uses as its upstream OAuth client adds
|
|
79
|
+
`prompt=consent` to the authorization request whenever the requested scope
|
|
80
|
+
includes `offline_access`, because most providers require a fresh consent grant
|
|
81
|
+
before issuing a refresh token. The gateway itself never injects `prompt`; the
|
|
82
|
+
`prompt` option strips or replaces the SDK's parameter at the gateway's
|
|
83
|
+
authorization seam. Some providers honor `prompt=consent` literally: Microsoft
|
|
84
|
+
Entra ID forces the consent screen on every single authorization, even after a
|
|
85
|
+
tenant admin has granted org-wide admin consent.
|
|
86
|
+
|
|
87
|
+
Set `prompt` to control this behavior:
|
|
88
|
+
|
|
89
|
+
- **Unset** (default): keep the SDK's behavior, including the automatic
|
|
90
|
+
`prompt=consent` for `offline_access`.
|
|
91
|
+
- **`false`**: strip the `prompt` parameter from the authorization request. Use
|
|
92
|
+
this for Entra upstreams where a tenant admin has already granted admin
|
|
93
|
+
consent — users connect without seeing the consent screen, and refresh tokens
|
|
94
|
+
are still issued because admin consent satisfies the requirement.
|
|
95
|
+
- **`"none"` / `"login"` / `"consent"` / `"select_account"`**: set or replace
|
|
96
|
+
the `prompt` parameter with an explicit value.
|
|
97
|
+
|
|
98
|
+
Note that the effective scope can include `offline_access` even when `scopes` is
|
|
99
|
+
not configured, because the gateway also reads scopes from the upstream's
|
|
100
|
+
`WWW-Authenticate` challenge and protected resource metadata.
|
|
101
|
+
|
|
102
|
+
**Warning**: stripping `prompt=consent` while requesting `offline_access` can
|
|
103
|
+
silently prevent refresh-token issuance on providers that require a fresh
|
|
104
|
+
consent grant for offline access (for example, Google). Only use `false` when
|
|
105
|
+
the provider grants offline access through pre-authorized or admin consent, such
|
|
106
|
+
as Entra tenant admin consent. If connections start requiring frequent
|
|
107
|
+
reauthorization after setting `prompt: false`, remove the option so the consent
|
|
108
|
+
grant is requested again.
|
|
71
109
|
|
|
72
110
|
## Route Shape
|
|
73
111
|
|
|
@@ -71,6 +71,19 @@
|
|
|
71
71
|
"type": "string",
|
|
72
72
|
"description": "Delimiter used to join scopes in the OAuth authorization request. Defaults to a single space."
|
|
73
73
|
},
|
|
74
|
+
"prompt": {
|
|
75
|
+
"description": "Overrides the OIDC `prompt` parameter on upstream authorization requests. The MCP SDK adds `prompt=consent` whenever the requested scope includes `offline_access`, which forces a consent screen on every authorization on providers like Microsoft Entra ID even after a tenant admin has granted org-wide admin consent. Leave unset to keep the SDK's behavior; set to `false` to strip the `prompt` parameter; set an explicit value to replace it. Warning: stripping `prompt=consent` while requesting `offline_access` can silently prevent refresh-token issuance on providers that require a fresh consent grant for offline access (e.g. Google) — only use this when the provider grants offline access via pre-authorized/admin consent (e.g. Entra tenant admin consent).",
|
|
76
|
+
"oneOf": [
|
|
77
|
+
{
|
|
78
|
+
"type": "string",
|
|
79
|
+
"enum": ["none", "login", "consent", "select_account"]
|
|
80
|
+
},
|
|
81
|
+
{
|
|
82
|
+
"type": "boolean",
|
|
83
|
+
"const": false
|
|
84
|
+
}
|
|
85
|
+
]
|
|
86
|
+
},
|
|
74
87
|
"clientRegistration": {
|
|
75
88
|
"description": "OAuth client registration mode. Defaults to `auto`, which uses Client ID Metadata Documents when the upstream advertises support and falls back to Dynamic Client Registration otherwise.",
|
|
76
89
|
"oneOf": [
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "zuplo",
|
|
3
|
-
"version": "6.72.
|
|
3
|
+
"version": "6.72.1",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"description": "The programmable API Gateway",
|
|
6
6
|
"author": "Zuplo, Inc.",
|
|
@@ -19,9 +19,9 @@
|
|
|
19
19
|
"zuplo": "zuplo.js"
|
|
20
20
|
},
|
|
21
21
|
"dependencies": {
|
|
22
|
-
"@zuplo/cli": "6.72.
|
|
23
|
-
"@zuplo/core": "6.72.
|
|
24
|
-
"@zuplo/runtime": "6.72.
|
|
22
|
+
"@zuplo/cli": "6.72.1",
|
|
23
|
+
"@zuplo/core": "6.72.1",
|
|
24
|
+
"@zuplo/runtime": "6.72.1",
|
|
25
25
|
"@zuplo/test": "1.4.0"
|
|
26
26
|
}
|
|
27
27
|
}
|