stytchauth · ci-stytch · Nov 10, 2023
@@ -177,6 +177,7 @@ export type {
   B2BSSOSAMLCreateConnectionResponse,
   B2BSSOSAMLDeleteVerificationCertificateRequest,
   B2BSSOSAMLDeleteVerificationCertificateResponse,
+  B2BSSOSAMLUpdateByURLRequest,
+  B2BSSOSAMLUpdateByURLResponse,
   B2BSSOSAMLUpdateConnectionRequest,
-  B2BSSOSAMLUpdateConnectionResponse,
 } from "./sso_saml";
@@ -685,7 +685,7 @@ export class Organizations {
 
   /**
    * Updates an Organization specified by `organization_id`. An Organization must always have at least one
-   * auth setting set to either `RESTRICTED` or `ALL_ALLOWED` in order to provision new Members. test
+   * auth setting set to either `RESTRICTED` or `ALL_ALLOWED` in order to provision new Members.
    *
    * *See the [Organization authentication settings](https://stytch.com/docs/b2b/api/org-auth-settings)
    * resource to learn more about fields like `email_jit_provisioning`, `email_invites`,

@@ -190,6 +190,10 @@ export class Sms {
    * Before configuring SMS or WhatsApp OTPs, please review how Stytch
    * [bills the costs of international OTPs](https://stytch.com/pricing) and understand how to protect your
    * app against [toll fraud](https://stytch.com/docs/guides/passcodes/toll-fraud/overview).
+   *
+   * __Note:__ SMS to phone numbers outside of the US and Canada is disabled by default for customers who did
+   * not use SMS prior to October 2023. If you're interested in sending international SMS, please reach out
+   * to [[email protected]](mailto:[email protected]?subject=Enable%20international%20SMS).
    * @param data {@link B2BOTPSmsSendRequest}
    * @returns {@link B2BOTPSmsSendResponse}
    * @async

@@ -23,44 +23,8 @@ export interface B2BPasswordsSessionResetRequest {
   session_token?: string;
   // The JSON Web Token (JWT) for a given Stytch Session.
   session_jwt?: string;
-  /**
-   * Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't
-   * already exist,
-   *   returning both an opaque `session_token` and `session_jwt` for this session. Remember that the
-   * `session_jwt` will have a fixed lifetime of
-   *   five minutes regardless of the underlying session duration, and will need to be refreshed over time.
-   *
-   *   This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).
-   *
-   *   If a `session_token` or `session_jwt` is provided then a successful authentication will continue to
-   * extend the session this many minutes.
-   *
-   *   If the `session_duration_minutes` parameter is not specified, a Stytch session will be created with a
-   * 60 minute duration. If you don't want
-   *   to use the Stytch session product, you can ignore the session fields in the response.
-   */
   session_duration_minutes?: number;
-  /**
-   * Add a custom claims map to the Session being authenticated. Claims are only created if a Session is
-   * initialized by providing a value in
-   *   `session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a
-   * key in an existing Session, supply a new value. To
-   *   delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`,
-   * `exp`, `nbf`, `iat`, `jti`) will be ignored.
-   *   Total custom claims size cannot exceed four kilobytes.
-   */
   session_custom_claims?: Record<string, any>; // eslint-disable-line @typescript-eslint/no-explicit-any
-  /**
-   * Used to determine which language to use when sending the user this delivery method. Parameter is a
-   * [IETF BCP 47 language tag](https://www.w3.org/International/articles/language-tags/), e.g. `"en"`.
-   *
-   * Currently supported languages are English (`"en"`), Spanish (`"es"`), and Brazilian Portuguese
-   * (`"pt-br"`); if no value is provided, the copy defaults to English.
-   *
-   * Request support for additional languages
-   * [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")!
-   *
-   */
   locale?: "en" | "es" | "pt-br" | string;
 }
 
@@ -77,27 +41,9 @@ export interface B2BPasswordsSessionResetResponse {
   member: Member;
   // The [Organization object](https://stytch.com/docs/b2b/api/organization-object).
   organization: Organization;
-  // A secret token for a given Stytch Session.
   session_token: string;
-  // The JSON Web Token (JWT) for a given Stytch Session.
   session_jwt: string;
-  /**
-   * The Intermediate Session Token. This token does not necessarily belong to a specific instance of a
-   * Member, but represents a bag of factors that may be converted to a member session.
-   *     The token can be used with the
-   * [OTP SMS Authenticate endpoint](https://stytch.com/docs/b2b/api/authenticate-otp-sms) to complete an MFA
-   * flow;
-   *     the
-   * [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session)
-   * to join a specific Organization that allows the factors represented by the intermediate session token;
-   *     or the
-   * [Create Organization via Discovery endpoint](https://stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member.
-   */
   intermediate_session_token: string;
-  /**
-   * Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step
-   * to log in to the Organization.
-   */
   member_authenticated: boolean;
   /**
    * The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g.
@@ -106,7 +52,6 @@ export interface B2BPasswordsSessionResetResponse {
   status_code: number;
   // The [Session object](https://stytch.com/docs/b2b/api/session-object).
   member_session?: MemberSession;
-  // Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA.
   mfa_required?: MfaRequired;
 }
 

@@ -452,6 +452,20 @@ export class Sessions {
 
   /**
    * Get the JSON Web Key Set (JWKS) for a project.
+   *
+   * JWKS are rotated every ~6 months. Upon rotation, new JWTs will be signed using the new key set, and both
+   * key sets will be returned by this endpoint for a period of 1 month.
+   *
+   * JWTs have a set lifetime of 5 minutes, so there will be a 5 minute period where some JWTs will be signed
+   * by the old JWKS, and some JWTs will be signed by the new JWKS. The correct JWKS to use for validation is
+   * determined by matching the `kid` value of the JWT and JWKS.
+   *
+   * If you're using one of our [backend SDKs](https://stytch.com/docs/b2b/sdks), the JWKS roll will be
+   * handled for you.
+   *
+   * If you're using your own JWT validation library, many have built-in support for JWKS rotation, and
+   * you'll just need to supply this API endpoint. If not, your application should decide which JWKS to use
+   * for validation by inspecting the `kid` value.
    * @param data {@link B2BSessionsGetJWKSRequest}
    * @returns {@link B2BSessionsGetJWKSResponse}
    * @async

@@ -38,6 +38,7 @@ export interface SAMLConnection {
   audience_uri: string;
   signing_certificates: X509Certificate[];
   verification_certificates: X509Certificate[];
+  alternative_audience_uri: string;
   attribute_mapping?: Record<string, any>; // eslint-disable-line @typescript-eslint/no-explicit-any
 }
 

@@ -65,6 +65,39 @@ export interface B2BSSOSAMLDeleteVerificationCertificateResponse {
   status_code: number;
 }
 
+// Request type for `sso.saml.updateByURL`.
+export interface B2BSSOSAMLUpdateByURLRequest {
+  /**
+   * Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to
+   * perform operations on an Organization, so be sure to preserve this value.
+   */
+  organization_id: string;
+  // Globally unique UUID that identifies a specific SSO `connection_id` for a Member.
+  connection_id: string;
+  // A URL that points to the IdP metadata. This will be provided by the IdP.
+  metadata_url: string;
+}
+
+// Response type for `sso.saml.updateByURL`.
+export interface B2BSSOSAMLUpdateByURLResponse {
+  /**
+   * Globally unique UUID that is returned with every API call. This value is important to log for debugging
+   * purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
+   */
+  request_id: string;
+  /**
+   * The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g.
+   * 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
+   */
+  status_code: number;
+  /**
+   * The `SAML Connection` object affected by this API call. See the
+   * [SAML Connection Object](https://stytch.com/docs/b2b/api/saml-connection-object) for complete response
+   * field details.
+   */
+  connection?: SAMLConnection;
+}
+
 // Request type for `sso.saml.updateConnection`.
 export interface B2BSSOSAMLUpdateConnectionRequest {
   /**
@@ -94,26 +127,6 @@ export interface B2BSSOSAMLUpdateConnectionRequest {
   idp_sso_url?: string;
 }
 
-// Response type for `sso.saml.updateConnection`.
-export interface B2BSSOSAMLUpdateConnectionResponse {
-  /**
-   * Globally unique UUID that is returned with every API call. This value is important to log for debugging
-   * purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
-   */
-  request_id: string;
-  /**
-   * The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g.
-   * 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
-   */
-  status_code: number;
-  /**
-   * The `SAML Connection` object affected by this API call. See the
-   * [SAML Connection Object](https://stytch.com/docs/b2b/api/saml-connection-object) for complete response
-   * field details.
-   */
-  connection?: SAMLConnection;
-}
-
 export class SAML {
   private fetchConfig: fetchConfig;
 
@@ -150,15 +163,15 @@ export class SAML {
    * * `idp_entity_id`
    * * `x509_certificate`
    * @param data {@link B2BSSOSAMLUpdateConnectionRequest}
-   * @returns {@link B2BSSOSAMLUpdateConnectionResponse}
+   * @returns {@link B2BSSOSAMLUpdateByURLResponse}
    * @async
    * @throws A {@link StytchError} on a non-2xx response from the Stytch API
    * @throws A {@link RequestError} when the Stytch API cannot be reached
    */
   updateConnection(
     data: B2BSSOSAMLUpdateConnectionRequest
-  ): Promise<B2BSSOSAMLUpdateConnectionResponse> {
-    return request<B2BSSOSAMLUpdateConnectionResponse>(this.fetchConfig, {
+  ): Promise<B2BSSOSAMLUpdateByURLResponse> {
+    return request<B2BSSOSAMLUpdateByURLResponse>(this.fetchConfig, {
       method: "PUT",
       url: `/v1/b2b/sso/saml/${data.organization_id}/connections/${data.connection_id}`,
       data: {
@@ -171,6 +184,32 @@ export class SAML {
     });
   }
 
+  /**
+   * Used to update an existing SAML connection using an IDP metadata URL.
+   *
+   * A newly created connection will not become active until all the following are provided:
+   * * `idp_sso_url`
+   * * `idp_entity_id`
+   * * `x509_certificate`
+   * * `attribute_mapping` (must be supplied using [Update SAML Connection](update-saml-connection))
+   * @param data {@link B2BSSOSAMLUpdateByURLRequest}
+   * @returns {@link B2BSSOSAMLUpdateByURLResponse}
+   * @async
+   * @throws A {@link StytchError} on a non-2xx response from the Stytch API
+   * @throws A {@link RequestError} when the Stytch API cannot be reached
+   */
+  updateByURL(
+    data: B2BSSOSAMLUpdateByURLRequest
+  ): Promise<B2BSSOSAMLUpdateByURLResponse> {
+    return request<B2BSSOSAMLUpdateByURLResponse>(this.fetchConfig, {
+      method: "PUT",
+      url: `/v1/b2b/sso/saml/${data.organization_id}/connections/${data.connection_id}/url`,
+      data: {
+        metadata_url: data.metadata_url,
+      },
+    });
+  }
+
   /**
    * Delete a SAML verification certificate.
    *