Add identity_provider to SSO connections (#179)

stytchauth · May 20, 2024 · 1d0ef4e · 1d0ef4e
1 parent c2d90e4
commit 1d0ef4e
Show file tree

Hide file tree

Showing 16 changed files with 138 additions and 31 deletions.
diff --git a/stytch/b2b/discovery_organizations.go b/stytch/b2b/discovery_organizations.go
@@ -35,7 +35,7 @@ func NewDiscoveryOrganizationsClient(c stytch.Client) *DiscoveryOrganizationsCli
 // This endpoint will also create an initial Member Session for the newly created Member.
 //
 // The Member created by this endpoint will automatically be granted the `stytch_admin` Role. See the
-// [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/stytch-defaults) for more details on this Role.
+// [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for more details on this Role.
 //
 // If the new Organization is created with a `mfa_policy` of `REQUIRED_FOR_ALL`, the newly created Member
 // will need to complete an MFA step to log in to the Organization.

diff --git a/stytch/b2b/oauth/types.go b/stytch/b2b/oauth/types.go
@@ -71,11 +71,11 @@ type AuthenticateParams struct {
 
 // ProviderValues:
 type ProviderValues struct {
-	// AccessToken: The `access_token` that you may use to access the User's data in the provider's API.
-	AccessToken string `json:"access_token,omitempty"`
 	// Scopes: The OAuth scopes included for a given provider. See each provider's section above to see which
 	// scopes are included by default and how to add custom scopes.
 	Scopes []string `json:"scopes,omitempty"`
+	// AccessToken: The `access_token` that you may use to access the User's data in the provider's API.
+	AccessToken string `json:"access_token,omitempty"`
 	// RefreshToken: The `refresh_token` that you may use to obtain a new `access_token` for the User within
 	// the provider's API.
 	RefreshToken string     `json:"refresh_token,omitempty"`
@@ -139,7 +139,7 @@ type AuthenticateResponse struct {
 	// access the provider's API for a given user.
 	//
 	//   Note that these values will vary based on the OAuth provider in question, e.g. `id_token` is only
-	// returned by Microsoft.
+	// returned by Microsoft. Google One Tap does not return access tokens or refresh tokens.
 	ProviderValues *ProviderValues `json:"provider_values,omitempty"`
 	// MFARequired: Information about the MFA requirements of the Organization and the Member's options for
 	// fulfilling MFA.

diff --git a/stytch/b2b/organizations/members/oauthproviders/types.go b/stytch/b2b/organizations/members/oauthproviders/types.go
@@ -32,10 +32,6 @@ type GoogleResponse struct {
 	// ProviderSubject: The unique identifier for the User within a given OAuth provider. Also commonly called
 	// the `sub` or "Subject field" in OAuth protocols.
 	ProviderSubject string `json:"provider_subject,omitempty"`
-	// AccessToken: The `access_token` that you may use to access the User's data in the provider's API.
-	AccessToken string `json:"access_token,omitempty"`
-	// AccessTokenExpiresIn: The number of seconds until the access token expires.
-	AccessTokenExpiresIn int32 `json:"access_token_expires_in,omitempty"`
 	// IDToken: The `id_token` returned by the OAuth provider. ID Tokens are JWTs that contain structured
 	// information about a user. The exact content of each ID Token varies from provider to provider. ID Tokens
 	// are returned from OAuth providers that conform to the [OpenID Connect](https://openid.net/foundation/)
@@ -48,6 +44,10 @@ type GoogleResponse struct {
 	// patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX
 	// are server errors.
 	StatusCode int32 `json:"status_code,omitempty"`
+	// AccessToken: The `access_token` that you may use to access the User's data in the provider's API.
+	AccessToken string `json:"access_token,omitempty"`
+	// AccessTokenExpiresIn: The number of seconds until the access token expires.
+	AccessTokenExpiresIn int32 `json:"access_token_expires_in,omitempty"`
 	// RefreshToken: The `refresh_token` that you may use to obtain a new `access_token` for the User within
 	// the provider's API.
 	RefreshToken string `json:"refresh_token,omitempty"`

diff --git a/stytch/b2b/organizations/members/types.go b/stytch/b2b/organizations/members/types.go
@@ -89,9 +89,14 @@ type DeletePasswordParams struct {
 	MemberPasswordID string `json:"member_password_id,omitempty"`
 }
 
+// DeleteTOTPParams: Request type for `Members.DeleteTOTP`.
 type DeleteTOTPParams struct {
+	// OrganizationID: Globally unique UUID that identifies a specific Organization. The `organization_id` is
+	// critical to perform operations on an Organization, so be sure to preserve this value.
 	OrganizationID string `json:"organization_id,omitempty"`
-	MemberID       string `json:"member_id,omitempty"`
+	// MemberID: Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform
+	// operations on a Member, so be sure to preserve this value.
+	MemberID string `json:"member_id,omitempty"`
 }
 
 // GetParams: Request type for `Members.Get`.
@@ -415,12 +420,22 @@ type DeleteResponse struct {
 	StatusCode int32 `json:"status_code,omitempty"`
 }
 
+// DeleteTOTPResponse: Response type for `Members.DeleteTOTP`.
 type DeleteTOTPResponse struct {
-	RequestID    string                     `json:"request_id,omitempty"`
-	MemberID     string                     `json:"member_id,omitempty"`
-	Member       organizations.Member       `json:"member,omitempty"`
+	// RequestID: Globally unique UUID that is returned with every API call. This value is important to log for
+	// debugging purposes; we may ask for this value to help identify a specific API call when helping you
+	// debug an issue.
+	RequestID string `json:"request_id,omitempty"`
+	// MemberID: Globally unique UUID that identifies a specific Member.
+	MemberID string `json:"member_id,omitempty"`
+	// Member: The [Member object](https://stytch.com/docs/b2b/api/member-object)
+	Member organizations.Member `json:"member,omitempty"`
+	// Organization: The [Organization object](https://stytch.com/docs/b2b/api/organization-object).
 	Organization organizations.Organization `json:"organization,omitempty"`
-	StatusCode   int32                      `json:"status_code,omitempty"`
+	// StatusCode: The HTTP status code of the response. Stytch follows standard HTTP response status code
+	// patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX
+	// are server errors.
+	StatusCode int32 `json:"status_code,omitempty"`
 }
 
 // GetResponse: Response type for `Members.DangerouslyGet`, `Members.Get`.

diff --git a/stytch/b2b/organizations/types.go b/stytch/b2b/organizations/types.go
@@ -161,7 +161,7 @@ type EmailImplicitRoleAssignment struct {
 	//   * `stytch_member`
 	//   * `stytch_admin`
 	//
-	//   Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-defaults)
+	//   Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default)
 	// for a more detailed explanation.
 	//
 	//
@@ -210,7 +210,7 @@ type Member struct {
 	// Members
 	//   who create an Organization through the
 	// [discovery flow](https://stytch.com/docs/b2b/api/create-organization-via-discovery). See the
-	//   [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/stytch-defaults) for more details on this Role.
+	//   [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for more details on this Role.
 	IsAdmin            bool   `json:"is_admin,omitempty"`
 	TOTPRegistrationID string `json:"totp_registration_id,omitempty"`
 	// SCIMRegistrations: An array of scim member registrations, each one referencing a
@@ -249,7 +249,7 @@ type MemberRole struct {
 	//   * `stytch_member`
 	//   * `stytch_admin`
 	//
-	//   Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-defaults)
+	//   Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default)
 	// for a more detailed explanation.
 	//
 	//

diff --git a/stytch/b2b/organizations_members.go b/stytch/b2b/organizations_members.go
@@ -174,6 +174,15 @@ func (c *OrganizationsMembersClient) DeleteMFAPhoneNumber(
 	return &retVal, err
 }
 
+// DeleteTOTP: Delete a Member's MFA TOTP registration.
+//
+// To mint a new registration for a Member, you must first call this endpoint to delete the existing
+// registration.
+//
+// Existing Member Sessions that include the TOTP authentication factor will not be revoked if the
+// registration is deleted, and MFA will not be enforced until the Member logs in again.
+//
+//	/%}
 func (c *OrganizationsMembersClient) DeleteTOTP(
 	ctx context.Context,
 	body *members.DeleteTOTPParams,

diff --git a/stytch/b2b/organizations_members_oauthproviders.go b/stytch/b2b/organizations_members_oauthproviders.go
@@ -30,6 +30,9 @@ func NewOrganizationsMembersOAuthProvidersClient(c stytch.Client) *Organizations
 // will refresh the
 // access token automatically.
 //
+// Google One Tap does not return access tokens. If the member has only authenticated through Google One
+// Tap and not through a regular Google OAuth flow, this endpoint will not return any tokens.
+//
 // __Note:__ Google does not issue a refresh token on every login, and refresh tokens may expire if unused.
 // To force a refresh token to be issued, pass the `?provider_prompt=consent` query param into the
 // [Start Google OAuth flow](https://stytch.com/docs/b2b/api/oauth-google-start) endpoint.

diff --git a/stytch/b2b/rbac/types.go b/stytch/b2b/rbac/types.go
@@ -31,7 +31,7 @@ type PolicyResource struct {
 	//   * `stytch.self`
 	//
 	//   Check out the
-	// [guide on Stytch default Resources](https://stytch.com/docs/b2b/guides/rbac/stytch-defaults) for a more
+	// [guide on Stytch default Resources](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more
 	// detailed explanation.
 	//
 	//
@@ -93,7 +93,7 @@ type PolicyRole struct {
 	//   * `stytch_member`
 	//   * `stytch_admin`
 	//
-	//   Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-defaults)
+	//   Check out the [guide on Stytch default Roles](https://stytch.com/docs/b2b/guides/rbac/stytch-default)
 	// for a more detailed explanation.
 	//
 	//
@@ -119,7 +119,7 @@ type PolicyRolePermission struct {
 	//   * `stytch.self`
 	//
 	//   Check out the
-	// [guide on Stytch default Resources](https://stytch.com/docs/b2b/guides/rbac/stytch-defaults) for a more
+	// [guide on Stytch default Resources](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more
 	// detailed explanation.
 	//
 	//

diff --git a/stytch/b2b/scim/types.go b/stytch/b2b/scim/types.go
@@ -19,7 +19,9 @@ type SCIMConnection struct {
 	BaseURL                          string                             `json:"base_url,omitempty"`
 	BearerTokenLastFour              string                             `json:"bearer_token_last_four,omitempty"`
 	SCIMGroupImplicitRoleAssignments []SCIMGroupImplicitRoleAssignments `json:"scim_group_implicit_role_assignments,omitempty"`
+	NextBearerTokenLastFour          string                             `json:"next_bearer_token_last_four,omitempty"`
 	BearerTokenExpiresAt             *time.Time                         `json:"bearer_token_expires_at,omitempty"`
+	NextBearerTokenExpiresAt         *time.Time                         `json:"next_bearer_token_expires_at,omitempty"`
 }
 
 type SCIMConnectionWithNextToken struct {

diff --git a/stytch/b2b/sessions.go b/stytch/b2b/sessions.go
@@ -68,7 +68,9 @@ func (c *SessionsClient) Get(
 // It will return an error if both are present.
 //
 // You may provide a JWT that needs to be refreshed and is expired according to its `exp` claim. A new JWT
-// will be returned if both the signature and the underlying Session are still valid.
+// will be returned if both the signature and the underlying Session are still valid. See our
+// [How to use Stytch Session JWTs](https://stytch.com/docs/b2b/guides/sessions/using-jwts) guide for more
+// information.
 //
 // If an `authorization_check` object is passed in, this method will also check if the Member is authorized
 // to perform the given action on the given Resource in the specified Organization. A Member is authorized
@@ -258,7 +260,8 @@ func (c *SessionsClient) Exchange(
 // Migrate a session from an external OIDC compliant endpoint. Stytch will call the external UserInfo
 // endpoint defined in your Stytch Project settings in the [Dashboard](/dashboard), and then perform a
 // lookup using the `session_token`. If the response contains a valid email address, Stytch will attempt to
-// match that email address with a Member in your Organization and create a Stytch Session.
+// match that email address with an existing Member in your Organization and create a Stytch Session. You
+// will need to create the member before using this endpoint.
 func (c *SessionsClient) Migrate(
 	ctx context.Context,
 	body *sessions.MigrateParams,
@@ -302,6 +305,9 @@ func (c *SessionsClient) Migrate(
 // If you're using your own JWT validation library, many have built-in support for JWKS rotation, and
 // you'll just need to supply this API endpoint. If not, your application should decide which JWKS to use
 // for validation by inspecting the `kid` value.
+//
+// See our [How to use Stytch Session JWTs](https://stytch.com/docs/b2b/guides/sessions/using-jwts) guide
+// for more information.
 func (c *SessionsClient) GetJWKS(
 	ctx context.Context,
 	body *sessions.GetJWKSParams,

diff --git a/stytch/b2b/sessions/types.go b/stytch/b2b/sessions/types.go
@@ -84,7 +84,7 @@ type AuthorizationCheck struct {
 	//   * `stytch.self`
 	//
 	//   Check out the
-	// [guide on Stytch default Resources](https://stytch.com/docs/b2b/guides/rbac/stytch-defaults) for a more
+	// [guide on Stytch default Resources](https://stytch.com/docs/b2b/guides/rbac/stytch-default) for a more
 	// detailed explanation.
 	//
 	//

diff --git a/stytch/b2b/sso/oidc/types.go b/stytch/b2b/sso/oidc/types.go
@@ -18,6 +18,10 @@ type CreateConnectionParams struct {
 	OrganizationID string `json:"organization_id,omitempty"`
 	// DisplayName: A human-readable display name for the connection.
 	DisplayName string `json:"display_name,omitempty"`
+	// IdentityProvider: The identity provider of this connection. For OIDC, the accepted values are `generic`,
+	// `okta`, and `microsoft-entra`. For SAML, the accepted values are `generic`, `okta`, `microsoft-entra`,
+	// and `google-workspace`.
+	IdentityProvider CreateConnectionRequestIdentityProvider `json:"identity_provider,omitempty"`
 }
 
 // UpdateConnectionParams: Request type for `OIDC.UpdateConnection`.
@@ -50,6 +54,10 @@ type UpdateConnectionParams struct {
 	// JWKSURL: The location of the IdP's JSON Web Key Set, used to verify credentials issued by the IdP. This
 	// will be provided by the IdP.
 	JWKSURL string `json:"jwks_url,omitempty"`
+	// IdentityProvider: The identity provider of this connection. For OIDC, the accepted values are `generic`,
+	// `okta`, and `microsoft-entra`. For SAML, the accepted values are `generic`, `okta`, `microsoft-entra`,
+	// and `google-workspace`.
+	IdentityProvider UpdateConnectionRequestIdentityProvider `json:"identity_provider,omitempty"`
 }
 
 // CreateConnectionRequestOptions:
@@ -113,3 +121,21 @@ type UpdateConnectionResponse struct {
 	// overall request succeeds, there could be relevant warnings related to the connection update.
 	Warning string `json:"warning,omitempty"`
 }
+
+type CreateConnectionRequestIdentityProvider string
+
+const (
+	CreateConnectionRequestIdentityProviderGeneric         CreateConnectionRequestIdentityProvider = "generic"
+	CreateConnectionRequestIdentityProviderOkta            CreateConnectionRequestIdentityProvider = "okta"
+	CreateConnectionRequestIdentityProviderMicrosoftentra  CreateConnectionRequestIdentityProvider = "microsoft-entra"
+	CreateConnectionRequestIdentityProviderGoogleworkspace CreateConnectionRequestIdentityProvider = "google-workspace"
+)
+
+type UpdateConnectionRequestIdentityProvider string
+
+const (
+	UpdateConnectionRequestIdentityProviderGeneric         UpdateConnectionRequestIdentityProvider = "generic"
+	UpdateConnectionRequestIdentityProviderOkta            UpdateConnectionRequestIdentityProvider = "okta"
+	UpdateConnectionRequestIdentityProviderMicrosoftentra  UpdateConnectionRequestIdentityProvider = "microsoft-entra"
+	UpdateConnectionRequestIdentityProviderGoogleworkspace UpdateConnectionRequestIdentityProvider = "google-workspace"
+)
diff --git a/stytch/b2b/sso/saml/types.go b/stytch/b2b/sso/saml/types.go
@@ -18,6 +18,10 @@ type CreateConnectionParams struct {
 	OrganizationID string `json:"organization_id,omitempty"`
 	// DisplayName: A human-readable display name for the connection.
 	DisplayName string `json:"display_name,omitempty"`
+	// IdentityProvider: The identity provider of this connection. For OIDC, the accepted values are `generic`,
+	// `okta`, and `microsoft-entra`. For SAML, the accepted values are `generic`, `okta`, `microsoft-entra`,
+	// and `google-workspace`.
+	IdentityProvider CreateConnectionRequestIdentityProvider `json:"identity_provider,omitempty"`
 }
 
 // DeleteVerificationCertificateParams: Request type for `SAML.DeleteVerificationCertificate`.
@@ -82,6 +86,10 @@ type UpdateConnectionParams struct {
 	// AlternativeAudienceURI: An alternative URL to use for the Audience Restriction. This value can be used
 	// when you wish to migrate an existing SAML integration to Stytch with zero downtime.
 	AlternativeAudienceURI string `json:"alternative_audience_uri,omitempty"`
+	// IdentityProvider: The identity provider of this connection. For OIDC, the accepted values are `generic`,
+	// `okta`, and `microsoft-entra`. For SAML, the accepted values are `generic`, `okta`, `microsoft-entra`,
+	// and `google-workspace`.
+	IdentityProvider UpdateConnectionRequestIdentityProvider `json:"identity_provider,omitempty"`
 }
 
 // CreateConnectionRequestOptions:
@@ -197,3 +205,21 @@ type UpdateConnectionResponse struct {
 	// field details.
 	Connection *sso.SAMLConnection `json:"connection,omitempty"`
 }
+
+type CreateConnectionRequestIdentityProvider string
+
+const (
+	CreateConnectionRequestIdentityProviderGeneric         CreateConnectionRequestIdentityProvider = "generic"
+	CreateConnectionRequestIdentityProviderOkta            CreateConnectionRequestIdentityProvider = "okta"
+	CreateConnectionRequestIdentityProviderMicrosoftentra  CreateConnectionRequestIdentityProvider = "microsoft-entra"
+	CreateConnectionRequestIdentityProviderGoogleworkspace CreateConnectionRequestIdentityProvider = "google-workspace"
+)
+
+type UpdateConnectionRequestIdentityProvider string
+
+const (
+	UpdateConnectionRequestIdentityProviderGeneric         UpdateConnectionRequestIdentityProvider = "generic"
+	UpdateConnectionRequestIdentityProviderOkta            UpdateConnectionRequestIdentityProvider = "okta"
+	UpdateConnectionRequestIdentityProviderMicrosoftentra  UpdateConnectionRequestIdentityProvider = "microsoft-entra"
+	UpdateConnectionRequestIdentityProviderGoogleworkspace UpdateConnectionRequestIdentityProvider = "google-workspace"
+)