Class: StytchB2B::IDP::OAuth
- Inherits: Object
- Includes: Stytch::RequestHelper
- Defined in: lib/stytch/b2b_idp.rb
Overview
Instance Method Summary
- #authorize(consent_granted:, scopes:, client_id:, redirect_uri:, response_type:, organization_id: nil, member_id: nil, session_token: nil, session_jwt: nil, prompt: nil, state: nil, nonce: nil, code_challenge: nil, resources: nil) ⇒ Object
  Completes a request for authorization of a Connected App to access a Member’s account.
- #authorize_start(client_id:, redirect_uri:, response_type:, scopes:, organization_id: nil, member_id: nil, session_token: nil, session_jwt: nil, prompt: nil) ⇒ Object
  Initiates a request for authorization of a Connected App to access a Member’s account.
- #initialize(connection) ⇒ OAuth (constructor)
  A new instance of OAuth.
Methods included from Stytch::RequestHelper
#delete_request, #get_request, #post_request, #put_request, #request_with_query_params
Constructor Details
#initialize(connection) ⇒ OAuth
Returns a new instance of OAuth.
```ruby
# File 'lib/stytch/b2b_idp.rb', line 279
def initialize(connection)
  @connection = connection
end
```
Instance Method Details
#authorize(consent_granted:, scopes:, client_id:, redirect_uri:, response_type:, organization_id: nil, member_id: nil, session_token: nil, session_jwt: nil, prompt: nil, state: nil, nonce: nil, code_challenge: nil, resources: nil) ⇒ Object
Completes a request for authorization of a Connected App to access a Member’s account.
Call this endpoint using the query parameters from an OAuth Authorization request, after previously validating those parameters using the [Preflight Check](stytch.com/docs/b2b/api/connected-apps-oauth-authorize-start) API. Note that this endpoint takes in a few additional parameters the preflight check does not: `state`, `nonce`, and `code_challenge`.
If the authorization was successful, the `redirect_uri` will contain a valid `authorization_code` embedded as a query parameter. If the authorization was unsuccessful, the `redirect_uri` will contain an OAuth2.1 `error_code`. In both cases, redirect the Member to the location for the response to be consumed by the Connected App.
Exactly one of the following must be provided to identify the Member granting authorization:
- `organization_id` + `member_id`
- `session_token`
- `session_jwt`
If a `session_token` or `session_jwt` is passed, the OAuth Authorization will be linked to the Member’s session for tracking purposes. One of these fields must be used if the Connected App intends to complete the [Exchange Access Token](stytch.com/docs/b2b/api/connected-app-access-token-exchange) flow.
Parameters:
- consent_granted (Boolean): Indicates whether the user granted the requested scopes.
- scopes (list of String): An array of scopes requested by the client.
- client_id (String): The ID of the Connected App client.
- redirect_uri (String): The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant.
- response_type (String): The OAuth 2.0 response type. For authorization code flows this value is `code`.
- organization_id (nilable String): Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
- member_id (nilable String): Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.
- session_token (nilable String): A secret token for a given Stytch Session.
- session_jwt (nilable String): The JSON Web Token (JWT) for a given Stytch Session.
- prompt (nilable String): Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today.
- state (nilable String): An opaque value used to maintain state between the request and callback.
- nonce (nilable String): A string used to associate a client session with an ID token to mitigate replay attacks.
- code_challenge (nilable String): A base64url encoded challenge derived from the code verifier for PKCE flows.
- resources (nilable list of String): (no documentation yet)
Returns:
An object with the following fields:
- request_id (String): Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
- redirect_uri (String): The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant.
- status_code (Integer): (no documentation yet)
- authorization_code (nilable String): A one-time use code that can be exchanged for tokens.
```ruby
# File 'lib/stytch/b2b_idp.rb', line 462
def authorize(
  consent_granted:,
  scopes:,
  client_id:,
  redirect_uri:,
  response_type:,
  organization_id: nil,
  member_id: nil,
  session_token: nil,
  session_jwt: nil,
  prompt: nil,
  state: nil,
  nonce: nil,
  code_challenge: nil,
  resources: nil
)
  headers = {}
  # Required fields always go in the body; optional ones only when supplied.
  request = {
    consent_granted: consent_granted,
    scopes: scopes,
    client_id: client_id,
    redirect_uri: redirect_uri,
    response_type: response_type
  }
  request[:organization_id] = organization_id unless organization_id.nil?
  request[:member_id] = member_id unless member_id.nil?
  request[:session_token] = session_token unless session_token.nil?
  request[:session_jwt] = session_jwt unless session_jwt.nil?
  request[:prompt] = prompt unless prompt.nil?
  request[:state] = state unless state.nil?
  request[:nonce] = nonce unless nonce.nil?
  request[:code_challenge] = code_challenge unless code_challenge.nil?
  request[:resources] = resources unless resources.nil?

  post_request('/v1/b2b/idp/oauth/authorize', request, headers)
end
```
#authorize_start(client_id:, redirect_uri:, response_type:, scopes:, organization_id: nil, member_id: nil, session_token: nil, session_jwt: nil, prompt: nil) ⇒ Object
Initiates a request for authorization of a Connected App to access a Member’s account.
Call this endpoint using the query parameters from an OAuth Authorization request. This endpoint validates that various fields (`scope`, `client_id`, `redirect_uri`, `prompt`, etc…) are correct and returns relevant information for rendering an OAuth Consent Screen.
This endpoint returns:
- A public representation of the Connected App requesting authorization
- Whether explicit consent must be granted before proceeding with the authorization
- A list of scopes the Member has the ability to grant the Connected App
Use this response to prompt the Member for consent (if necessary) before calling the [Submit OAuth Authorization](stytch.com/docs/b2b/api/connected-apps-oauth-authorize) endpoint.
Exactly one of the following must be provided to identify the Member granting authorization:
- `organization_id` + `member_id`
- `session_token`
- `session_jwt`
If a `session_token` or `session_jwt` is passed, the OAuth Authorization will be linked to the Member’s session for tracking purposes. One of these fields must be used if the Connected App intends to complete the [Exchange Access Token](stytch.com/docs/b2b/api/connected-app-access-token-exchange) flow.
Parameters:
- client_id (String): The ID of the Connected App client.
- redirect_uri (String): The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the `authorization_code` grant.
- response_type (String): The OAuth 2.0 response type. For authorization code flows this value is `code`.
- scopes (list of String): An array of scopes requested by the client.
- organization_id (nilable String): Globally unique UUID that identifies a specific Organization. The `organization_id` is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
- member_id (nilable String): Globally unique UUID that identifies a specific Member. The `member_id` is critical to perform operations on a Member, so be sure to preserve this value. You may use an external_id here if one is set for the member.
- session_token (nilable String): A secret token for a given Stytch Session.
- session_jwt (nilable String): The JSON Web Token (JWT) for a given Stytch Session.
- prompt (nilable String): Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only `consent` is supported today.
Returns:
An object with the following fields:
- request_id (String): Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
- member_id (String): Globally unique UUID that identifies a specific Member.
- member (Member object): The [Member object](stytch.com/docs/b2b/api/member-object).
- organization (Organization object): The [Organization object](stytch.com/docs/b2b/api/organization-object).
- client (ConnectedAppPublic object): (no documentation yet)
- consent_required (Boolean): Whether the user must provide explicit consent for the authorization request.
- scope_results (list of ScopeResult object): Details about each requested scope.
- status_code (Integer): (no documentation yet)
```ruby
# File 'lib/stytch/b2b_idp.rb', line 359
def authorize_start(
  client_id:,
  redirect_uri:,
  response_type:,
  scopes:,
  organization_id: nil,
  member_id: nil,
  session_token: nil,
  session_jwt: nil,
  prompt: nil
)
  headers = {}
  # Required fields always go in the body; optional ones only when supplied.
  request = {
    client_id: client_id,
    redirect_uri: redirect_uri,
    response_type: response_type,
    scopes: scopes
  }
  request[:organization_id] = organization_id unless organization_id.nil?
  request[:member_id] = member_id unless member_id.nil?
  request[:session_token] = session_token unless session_token.nil?
  request[:session_jwt] = session_jwt unless session_jwt.nil?
  request[:prompt] = prompt unless prompt.nil?

  post_request('/v1/b2b/idp/oauth/authorize/start', request, headers)
end
```
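The two-step consent flow that #authorize_start and #authorize implement together, as an added example that is not part of the Stytch SDK or of this page: `StubOAuth` stands in for `StytchB2B::IDP::OAuth` with constructed responses so the flow runs offline, and `member_identity`, `preflight` and `submit` are hypothetical helpers that enforce the "exactly one identifier" rule locally, preflight the request, then submit the consent decision and check the returned `redirect_uri` before redirecting.

```ruby
require 'uri'

# Added example, not part of the Stytch SDK. StubOAuth stands in for
# StytchB2B::IDP::OAuth so the flow runs offline; every response it returns
# is constructed and only mirrors the fields documented above
# (consent_required, scope_results, redirect_uri, authorization_code).
class StubOAuth
  def authorize_start(client_id:, redirect_uri:, response_type:, scopes:, **_rest)
    { 'status_code' => 200, 'consent_required' => true,
      'scope_results' => scopes.map { |s| { 'scope' => s } } }
  end

  def authorize(consent_granted:, redirect_uri:, state: nil, **_rest)
    query = consent_granted ? 'code=ac_constructed_123' : 'error=access_denied'
    query += "&state=#{URI.encode_www_form_component(state)}" if state
    { 'status_code' => 200, 'redirect_uri' => "#{redirect_uri}?#{query}",
      'authorization_code' => (consent_granted ? 'ac_constructed_123' : nil) }
  end
end

# Enforce the "exactly one Member identifier" rule before any API call is made.
def member_identity(organization_id: nil, member_id: nil, session_token: nil, session_jwt: nil)
  choices = [
    ({ organization_id: organization_id, member_id: member_id } if organization_id && member_id),
    ({ session_token: session_token } if session_token),
    ({ session_jwt: session_jwt } if session_jwt)
  ].compact
  raise ArgumentError, 'exactly one Member identifier required' unless choices.size == 1
  choices.first
end

# Step 1: preflight the query params of the incoming OAuth Authorization request.
# The Member identity comes from the server-side session, never from request params.
def preflight(idp, params, identity)
  idp.authorize_start(client_id: params['client_id'], redirect_uri: params['redirect_uri'],
                      response_type: params['response_type'], scopes: params['scope'].split,
                      **identity)
end

# Step 2: after the consent screen, submit the decision. state, nonce and
# code_challenge come from the original request and are sent only here.
def submit(idp, params, identity, consent_granted)
  resp = idp.authorize(consent_granted: consent_granted, scopes: params['scope'].split,
                       client_id: params['client_id'], redirect_uri: params['redirect_uri'],
                       response_type: params['response_type'], state: params['state'],
                       nonce: params['nonce'], code_challenge: params['code_challenge'], **identity)
  # Only redirect to the URI the flow was started with, whether code or error came back.
  raise 'redirect_uri mismatch' unless resp['redirect_uri'].start_with?("#{params['redirect_uri']}?")
  resp
end
```

With the real client, replace `StubOAuth.new` with `StytchB2B::IDP::OAuth.new(connection)` and persist `params` server-side between the two steps, since the consent screen round-trip would otherwise lose `state`, `nonce` and `code_challenge`.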