Class: StytchB2B::Discovery::Organizations

Inherits:
Object
  • Object
show all
Includes:
Stytch::RequestHelper
Defined in:
lib/stytch/b2b_discovery.rb

Instance Method Summary collapse

Methods included from Stytch::RequestHelper

#delete_request, #get_request, #post_request, #put_request, #request_with_query_params

Constructor Details

#initialize(connection) ⇒ Organizations 



151
152
153
 
# File 'lib/stytch/b2b_discovery.rb', line 151

def initialize(connection)
  @connection = connection
end

Instance Method Details

#create(intermediate_session_token:, session_duration_minutes: nil, session_custom_claims: nil, organization_name: nil, organization_slug: nil, organization_external_id: nil, organization_logo_url: nil, trusted_metadata: nil, sso_jit_provisioning: nil, email_allowed_domains: nil, email_jit_provisioning: nil, email_invites: nil, auth_methods: nil, allowed_auth_methods: nil, mfa_policy: nil, rbac_email_implicit_role_assignments: nil, mfa_methods: nil, allowed_mfa_methods: nil, oauth_tenant_jit_provisioning: nil, allowed_oauth_tenants: nil, first_party_connected_apps_allowed_type: nil, allowed_first_party_connected_apps: nil, third_party_connected_apps_allowed_type: nil, allowed_third_party_connected_apps: nil, telemetry_id: nil) ⇒ Object

This endpoint allows you to exchange the ‘intermediate_session_token` returned when the user successfully completes a Discovery authentication flow to create a new [Organization](stytch.com/docs/b2b/api/organization-object) and [Member](stytch.com/docs/b2b/api/member-object) and log the user in. If the user wants to log into an existing Organization, use the [Exchange Intermediate Session endpoint](stytch.com/docs/b2b/api/exchange-intermediate-session) instead.

Stytch **requires that users verify their email address** prior to creating a new Organization in order to prevent Account Takeover (ATO) attacks and phishing.

If the user authenticated using a method that **does not** provide real-time email verification (returning password auth, Github/Slack/Hubspot OAuth) this API will return ‘member_authenticated: false` and an `intermediate_session_token` to indicate that the user must perform additional authentication via one of the options listed in `primary_required.allowed_auth_methods` to finish logging in.

If you specified an ‘mfa_policy: REQUIRED_FOR_ALL` in the request, this API will return `member_authenticated: false`, an `intermediate_session_token`, and `mfa_required` in order to indicate that you must prompt the user to enroll in MFA.

Include the ‘intermediate_session_token` when calling the `authenticate()` method that the user needed to perform to verify their email or enroll in MFA. Once the user has completed the authentication requirements they were missing, they will be granted a full `session_token` and `session_jwt` and be successfully logged in.

If the user logged in with a method that does provide real-time email verification (Email Magic Links, Email OTP, Google/Microsoft OAuth, initial email verification when creating a new password) this API will return ‘member_authenticated: true` and a `session_jwt` and `session_token` to indicate that the user has successfully logged in.

The Member created by this endpoint will automatically be granted the ‘stytch_admin` Role. See the [RBAC guide](stytch.com/docs/b2b/guides/rbac/stytch-default) for more details on this Role.

Parameters:

intermediate_session_token

The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. The type of this field is String.

session_duration_minutes

Set the session lifetime to be this many minutes from now. This will start a new session if one doesn’t already exist, returning both an opaque ‘session_token` and `session_jwt` for this session. Remember that the `session_jwt` will have a fixed lifetime of five minutes regardless of the underlying session duration, and will need to be refreshed over time.

This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).

If a ‘session_token` or `session_jwt` is provided then a successful authentication will continue to extend the session this many minutes.

If the ‘session_duration_minutes` parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don’t want to use the Stytch session product, you can ignore the session fields in the response. The type of this field is nilable Integer.

session_custom_claims

Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in ‘session_duration_minutes`. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value. Custom claims made with reserved claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`) will be ignored. Total custom claims size cannot exceed four kilobytes. The type of this field is nilable object.

organization_name

The name of the Organization. If the name is not specified, a default name will be created based on the email used to initiate the discovery flow. If the email domain is a common email provider such as gmail.com, or if the email is a .edu email, the organization name will be generated based on the name portion of the email. Otherwise, the organization name will be generated based on the email domain. The type of this field is nilable String.

organization_slug

The unique URL slug of the Organization. A minimum of two characters is required. The slug only accepts alphanumeric characters and the following reserved characters: ‘-` `.` `_` `~`. If the slug is not specified, a default slug will be created based on the email used to initiate the discovery flow. If the email domain is a common email provider such as gmail.com, or if the email is a .edu email, the organization slug will be generated based on the name portion of the email. Otherwise, the organization slug will be generated based on the email domain. The type of this field is nilable String.

organization_external_id

An identifier that can be used in API calls wherever a organization_id is expected. This is a string consisting of alphanumeric, ‘.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within a project, but may be reused across different projects in the same workspace. The type of this field is nilable String.

organization_logo_url

The image URL of the Organization logo. The type of this field is nilable String.

trusted_metadata

An arbitrary JSON object for storing application-specific data or identity-provider-specific data. The type of this field is nilable object.

sso_jit_provisioning

The authentication setting that controls the JIT provisioning of Members when authenticating via SSO. The accepted values are:

‘ALL_ALLOWED` – the default setting, new Members will be automatically provisioned upon successful authentication via any of the Organization’s ‘sso_active_connections`.

‘RESTRICTED` – only new Members with SSO logins that comply with `sso_jit_provisioning_allowed_connections` can be provisioned upon authentication.

‘NOT_ALLOWED` – disable JIT provisioning via SSO.

The type of this field is nilable String.

email_allowed_domains

An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either ‘email_invites` or `email_jit_provisioning` is set to `RESTRICTED`.

Common domains such as `gmail.com` are not allowed. See the [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list.

The type of this field is nilable list of String.

email_jit_provisioning

The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are:

‘RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be provisioned upon authentication via Email Magic Link or OAuth.

‘NOT_ALLOWED` – the default setting, disables JIT provisioning via Email Magic Link and OAuth.

The type of this field is nilable String.

email_invites

The authentication setting that controls how a new Member can be invited to an organization by email. The accepted values are:

‘ALL_ALLOWED` – any new Member can be invited to join via email.

‘RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be invited via email.

‘NOT_ALLOWED` – disable email invites.

The type of this field is nilable String.

auth_methods

The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are:

‘ALL_ALLOWED` – the default setting which allows all authentication methods to be used.

‘RESTRICTED` – only methods that comply with `allowed_auth_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`.

The type of this field is nilable String.

allowed_auth_methods

An array of allowed authentication methods. This list is enforced when ‘auth_methods` is set to `RESTRICTED`. The list’s accepted values are: ‘sso`, `magic_link`, `email_otp`, `password`, `google_oauth`, `microsoft_oauth`, `slack_oauth`, `github_oauth`, and `hubspot_oauth`.

The type of this field is nilable list of String.

mfa_policy

The setting that controls the MFA policy for all Members in the Organization. The accepted values are:

‘REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time they wish to log in. However, any active Session that existed prior to this setting change will remain valid.

‘OPTIONAL` – The default value. The Organization does not require MFA by default for all Members. Members will be required to complete MFA only if their `mfa_enrolled` status is set to true.

The type of this field is nilable String.

rbac_email_implicit_role_assignments

Implicit role assignments based off of email domains. For each domain-Role pair, all Members whose email addresses have the specified email domain will be granted the associated Role, regardless of their login method. See the [RBAC guide](stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment. The type of this field is nilable list of EmailImplicitRoleAssignment (object).

mfa_methods

The setting that controls which MFA methods can be used by Members of an Organization. The accepted values are:

‘ALL_ALLOWED` – the default setting which allows all authentication methods to be used.

‘RESTRICTED` – only methods that comply with `allowed_mfa_methods` can be used for authentication. This setting does not apply to Members with `is_breakglass` set to `true`.

The type of this field is nilable String.

allowed_mfa_methods

An array of allowed MFA authentication methods. This list is enforced when ‘mfa_methods` is set to `RESTRICTED`. The list’s accepted values are: ‘sms_otp` and `totp`.

The type of this field is nilable list of String.

oauth_tenant_jit_provisioning

The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are:

‘RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.

‘NOT_ALLOWED` – the default setting, disables JIT provisioning by OAuth Tenant.

The type of this field is nilable String.

allowed_oauth_tenants

A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are “slack”, “hubspot”, and “github”. The type of this field is nilable object.

first_party_connected_apps_allowed_type

The authentication setting that sets the Organization’s policy towards first party Connected Apps. The accepted values are:

‘ALL_ALLOWED` – the default setting, any first party Connected App in the Project is permitted for use by Members.

‘RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.

‘NOT_ALLOWED` – no first party Connected Apps are permitted.

The type of this field is nilable CreateRequestFirstPartyConnectedAppsAllowedType (string enum).

allowed_first_party_connected_apps

An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization’s ‘first_party_connected_apps_allowed_type` is `RESTRICTED`. The type of this field is nilable list of String.

third_party_connected_apps_allowed_type

The authentication setting that sets the Organization’s policy towards third party Connected Apps. The accepted values are:

‘ALL_ALLOWED` – the default setting, any third party Connected App in the Project is permitted for use by Members.

‘RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.

‘NOT_ALLOWED` – no third party Connected Apps are permitted.

The type of this field is nilable CreateRequestThirdPartyConnectedAppsAllowedType (string enum).

allowed_third_party_connected_apps

An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization’s ‘third_party_connected_apps_allowed_type` is `RESTRICTED`. The type of this field is nilable list of String.

telemetry_id

If the ‘telemetry_id` is passed, as part of this request, Stytch will call the [Fingerprint Lookup API](stytch.com/docs/fraud/api/fingerprint-lookup) and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature. The type of this field is nilable String.

Returns:

An object with the following fields:

request_id

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue. The type of this field is String.

member_id

Globally unique UUID that identifies a specific Member. The type of this field is String.

session_token

A secret token for a given Stytch Session. The type of this field is String.

session_jwt

The JSON Web Token (JWT) for a given Stytch Session. The type of this field is String.

member

The [Member object](stytch.com/docs/b2b/api/member-object) The type of this field is Member (object).

member_authenticated

Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization. The type of this field is Boolean.

intermediate_session_token

The returned Intermediate Session Token is identical to the one that was originally passed in to the request. If this value is non-empty, the member must complete an MFA step to finish logging in to the Organization. The token can be used with the [OTP SMS Authenticate endpoint](stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. The type of this field is String.

status_code

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors. The type of this field is Integer.

member_session

The [Session object](stytch.com/docs/b2b/api/session-object). The type of this field is nilable MemberSession (object).

organization

The [Organization object](stytch.com/docs/b2b/api/organization-object). The type of this field is nilable Organization (object).

mfa_required

Information about the MFA requirements of the Organization and the Member’s options for fulfilling MFA. The type of this field is nilable MfaRequired (object).

primary_required

Information about the primary authentication requirements of the Organization. The type of this field is nilable PrimaryRequired (object).

member_device

If a valid ‘telemetry_id` was passed in the request and the [Fingerprint Lookup API](stytch.com/docs/fraud/api/fingerprint-lookup) returned results, the `member_device` response field will contain information about the member’s device attributes. The type of this field is nilable DeviceInfo (object).



364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
 
# File 'lib/stytch/b2b_discovery.rb', line 364

def create(
  intermediate_session_token:,
  session_duration_minutes: nil,
  session_custom_claims: nil,
  organization_name: nil,
  organization_slug: nil,
  organization_external_id: nil,
  organization_logo_url: nil,
  trusted_metadata: nil,
  sso_jit_provisioning: nil,
  email_allowed_domains: nil,
  email_jit_provisioning: nil,
  email_invites: nil,
  auth_methods: nil,
  allowed_auth_methods: nil,
  mfa_policy: nil,
  rbac_email_implicit_role_assignments: nil,
  mfa_methods: nil,
  allowed_mfa_methods: nil,
  oauth_tenant_jit_provisioning: nil,
  allowed_oauth_tenants: nil,
  first_party_connected_apps_allowed_type: nil,
  allowed_first_party_connected_apps: nil,
  third_party_connected_apps_allowed_type: nil,
  allowed_third_party_connected_apps: nil,
  telemetry_id: nil
)
  headers = {}
  request = {
    intermediate_session_token: intermediate_session_token
  }
  request[:session_duration_minutes] = session_duration_minutes unless session_duration_minutes.nil?
  request[:session_custom_claims] = session_custom_claims unless session_custom_claims.nil?
  request[:organization_name] = organization_name unless organization_name.nil?
  request[:organization_slug] = organization_slug unless organization_slug.nil?
  request[:organization_external_id] = organization_external_id unless organization_external_id.nil?
  request[:organization_logo_url] = organization_logo_url unless organization_logo_url.nil?
  request[:trusted_metadata] = trusted_metadata unless trusted_metadata.nil?
  request[:sso_jit_provisioning] = sso_jit_provisioning unless sso_jit_provisioning.nil?
  request[:email_allowed_domains] = email_allowed_domains unless email_allowed_domains.nil?
  request[:email_jit_provisioning] = email_jit_provisioning unless email_jit_provisioning.nil?
  request[:email_invites] = email_invites unless email_invites.nil?
  request[:auth_methods] = auth_methods unless auth_methods.nil?
  request[:allowed_auth_methods] = allowed_auth_methods unless allowed_auth_methods.nil?
  request[:mfa_policy] = mfa_policy unless mfa_policy.nil?
  request[:rbac_email_implicit_role_assignments] = rbac_email_implicit_role_assignments unless rbac_email_implicit_role_assignments.nil?
  request[:mfa_methods] = mfa_methods unless mfa_methods.nil?
  request[:allowed_mfa_methods] = allowed_mfa_methods unless allowed_mfa_methods.nil?
  request[:oauth_tenant_jit_provisioning] = oauth_tenant_jit_provisioning unless oauth_tenant_jit_provisioning.nil?
  request[:allowed_oauth_tenants] = allowed_oauth_tenants unless allowed_oauth_tenants.nil?
  request[:first_party_connected_apps_allowed_type] = first_party_connected_apps_allowed_type unless first_party_connected_apps_allowed_type.nil?
  request[:allowed_first_party_connected_apps] = allowed_first_party_connected_apps unless allowed_first_party_connected_apps.nil?
  request[:third_party_connected_apps_allowed_type] = third_party_connected_apps_allowed_type unless third_party_connected_apps_allowed_type.nil?
  request[:allowed_third_party_connected_apps] = allowed_third_party_connected_apps unless allowed_third_party_connected_apps.nil?
  request[:telemetry_id] = telemetry_id unless telemetry_id.nil?

  post_request('/v1/b2b/discovery/organizations/create', request, headers)
end

#list(intermediate_session_token: nil, session_token: nil, session_jwt: nil) ⇒ Object

List all possible organization relationships connected to a [Member Session](stytch.com/docs/b2b/api/session-object) or Intermediate Session.

When a Member Session is passed in, relationships with a type of ‘active_member`, `pending_member`, or `invited_member` will be returned, and any membership can be assumed by calling the [Exchange Session](stytch.com/docs/b2b/api/exchange-session) endpoint.

When an Intermediate Session is passed in, all relationship types - ‘active_member`, `pending_member`, `invited_member`, `eligible_to_join_by_email_domain`, and `eligible_to_join_by_oauth_tenant` - will be returned, and any membership can be assumed by calling the [Exchange Intermediate Session](stytch.com/docs/b2b/api/exchange-intermediate-session) endpoint.

This endpoint requires either an ‘intermediate_session_token`, `session_jwt` or `session_token` be included in the request. It will return an error if multiple are present.

This operation does not consume the Intermediate Session or Session Token passed in.

Parameters:

intermediate_session_token

The Intermediate Session Token. This token does not necessarily belong to a specific instance of a Member, but represents a bag of factors that may be converted to a member session. The token can be used with the [OTP SMS Authenticate endpoint](stytch.com/docs/b2b/api/authenticate-otp-sms), [TOTP Authenticate endpoint](stytch.com/docs/b2b/api/authenticate-totp), or [Recovery Codes Recover endpoint](stytch.com/docs/b2b/api/recovery-codes-recover) to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the [Exchange Intermediate Session endpoint](stytch.com/docs/b2b/api/exchange-intermediate-session) to join a specific Organization that allows the factors represented by the intermediate session token; or the [Create Organization via Discovery endpoint](stytch.com/docs/b2b/api/create-organization-via-discovery) to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes. The type of this field is nilable String.

session_token

A secret token for a given Stytch Session. The type of this field is nilable String.

session_jwt

The JSON Web Token (JWT) for a given Stytch Session. The type of this field is nilable String.

Returns:

An object with the following fields:

request_id

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue. The type of this field is String.

email_address

The email address. The type of this field is String.

discovered_organizations

An array of ‘discovered_organization` objects tied to the `intermediate_session_token`, `session_token`, or `session_jwt`. See the [Discovered Organization Object](stytch.com/docs/b2b/api/discovered-organization-object) for complete details.

Note that Organizations will only appear here under any of the following conditions:

  1. The end user is already a Member of the Organization.

  2. The end user is invited to the Organization.

  3. The end user can join the Organization because:

    a) The Organization allows JIT provisioning.

b) The Organizations' allowed domains list contains the Member's email domain.

c) The Organization has at least one other Member with a verified email address with the same domain as the end user (to prevent phishing attacks).

The type of this field is list of DiscoveredOrganization (object).

status_code

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors. The type of this field is Integer.

organization_id_hint

If the intermediate session token is associated with a specific Organization, that Organization ID will be returned here. The Organization ID will be null if the intermediate session token was generated by a email magic link discovery or OAuth discovery flow. If a session token or session JWT is provided, the Organization ID hint will be null. The type of this field is nilable String.



476
477
478
479
480
481
482
483
484
485
486
487
488
 
# File 'lib/stytch/b2b_discovery.rb', line 476

def list(
  intermediate_session_token: nil,
  session_token: nil,
  session_jwt: nil
)
  headers = {}
  request = {}
  request[:intermediate_session_token] = intermediate_session_token unless intermediate_session_token.nil?
  request[:session_token] = session_token unless session_token.nil?
  request[:session_jwt] = session_jwt unless session_jwt.nil?

  post_request('/v1/b2b/discovery/organizations', request, headers)
end