Add Organization Consent Management settings (#267)

Co-authored-by: Stytch Codegen Bot <[email protected]>

Author: ci-stytch

stytch/b2b/api/discovery_organizations.py

@@ -8,7 +8,12 @@
 
 from typing import Any, Dict, List, Optional, Union
 
-from stytch.b2b.models.discovery_organizations import CreateResponse, ListResponse
+from stytch.b2b.models.discovery_organizations import (
+    CreateRequestFirstPartyConnectedAppsAllowedType,
+    CreateRequestThirdPartyConnectedAppsAllowedType,
+    CreateResponse,
+    ListResponse,
+)
 from stytch.b2b.models.organizations import EmailImplicitRoleAssignment
 from stytch.core.api_base import ApiBase
 from stytch.core.http.client import AsyncClient, SyncClient
@@ -45,6 +50,14 @@ def create(
         allowed_mfa_methods: Optional[List[str]] = None,
         oauth_tenant_jit_provisioning: Optional[str] = None,
         allowed_oauth_tenants: Optional[Dict[str, Any]] = None,
+        first_party_connected_apps_allowed_type: Optional[
+            Union[CreateRequestFirstPartyConnectedAppsAllowedType, str]
+        ] = None,
+        allowed_first_party_connected_apps: Optional[List[str]] = None,
+        third_party_connected_apps_allowed_type: Optional[
+            Union[CreateRequestThirdPartyConnectedAppsAllowedType, str]
+        ] = None,
+        allowed_third_party_connected_apps: Optional[List[str]] = None,
     ) -> CreateResponse:
         """This endpoint allows you to exchange the `intermediate_session_token` returned when the user successfully completes a authentication flow to create a new
         [Organization](https://stytch.com/docs/b2b/api/organization-object) and [Member](https://stytch.com/docs/b2b/api/member-object) and log the user in. If the user wants to log into an existing Organization, use the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) instead.
@@ -143,6 +156,24 @@ def create(
           `NOT_ALLOWED` – disable JIT provisioning by OAuth Tenant.
 
           - allowed_oauth_tenants: A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack", "hubspot", and "github".
+          - first_party_connected_apps_allowed_type: The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values are:
+
+          `ALL_ALLOWED` – any first party Connected App in the Project is permitted for use by Members.
+
+          `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.
+
+          `NOT_ALLOWED` – no first party Connected Apps are permitted.
+
+          - allowed_first_party_connected_apps: An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization's `first_party_connected_apps_allowed_type` is `RESTRICTED`.
+          - third_party_connected_apps_allowed_type: The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values are:
+
+          `ALL_ALLOWED` – any third party Connected App in the Project is permitted for use by Members.
+
+          `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.
+
+          `NOT_ALLOWED` – no third party Connected Apps are permitted.
+
+          - allowed_third_party_connected_apps: An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's `third_party_connected_apps_allowed_type` is `RESTRICTED`.
         """  # noqa
         headers: Dict[str, str] = {}
         data: Dict[str, Any] = {
@@ -187,6 +218,22 @@ def create(
             data["oauth_tenant_jit_provisioning"] = oauth_tenant_jit_provisioning
         if allowed_oauth_tenants is not None:
             data["allowed_oauth_tenants"] = allowed_oauth_tenants
+        if first_party_connected_apps_allowed_type is not None:
+            data["first_party_connected_apps_allowed_type"] = (
+                first_party_connected_apps_allowed_type
+            )
+        if allowed_first_party_connected_apps is not None:
+            data["allowed_first_party_connected_apps"] = (
+                allowed_first_party_connected_apps
+            )
+        if third_party_connected_apps_allowed_type is not None:
+            data["third_party_connected_apps_allowed_type"] = (
+                third_party_connected_apps_allowed_type
+            )
+        if allowed_third_party_connected_apps is not None:
+            data["allowed_third_party_connected_apps"] = (
+                allowed_third_party_connected_apps
+            )
 
         url = self.api_base.url_for("/v1/b2b/discovery/organizations/create", data)
         res = self.sync_client.post(url, data, headers)
@@ -215,6 +262,14 @@ async def create_async(
         allowed_mfa_methods: Optional[List[str]] = None,
         oauth_tenant_jit_provisioning: Optional[str] = None,
         allowed_oauth_tenants: Optional[Dict[str, Any]] = None,
+        first_party_connected_apps_allowed_type: Optional[
+            CreateRequestFirstPartyConnectedAppsAllowedType
+        ] = None,
+        allowed_first_party_connected_apps: Optional[List[str]] = None,
+        third_party_connected_apps_allowed_type: Optional[
+            CreateRequestThirdPartyConnectedAppsAllowedType
+        ] = None,
+        allowed_third_party_connected_apps: Optional[List[str]] = None,
     ) -> CreateResponse:
         """This endpoint allows you to exchange the `intermediate_session_token` returned when the user successfully completes a authentication flow to create a new
         [Organization](https://stytch.com/docs/b2b/api/organization-object) and [Member](https://stytch.com/docs/b2b/api/member-object) and log the user in. If the user wants to log into an existing Organization, use the [Exchange Intermediate Session endpoint](https://stytch.com/docs/b2b/api/exchange-intermediate-session) instead.
@@ -313,6 +368,24 @@ async def create_async(
           `NOT_ALLOWED` – disable JIT provisioning by OAuth Tenant.
 
           - allowed_oauth_tenants: A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack", "hubspot", and "github".
+          - first_party_connected_apps_allowed_type: The authentication setting that sets the Organization's policy towards first party Connected Apps. The accepted values are:
+
+          `ALL_ALLOWED` – any first party Connected App in the Project is permitted for use by Members.
+
+          `RESTRICTED` – only first party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.
+
+          `NOT_ALLOWED` – no first party Connected Apps are permitted.
+
+          - allowed_first_party_connected_apps: An array of first party Connected App IDs that are allowed for the Organization. Only used when the Organization's `first_party_connected_apps_allowed_type` is `RESTRICTED`.
+          - third_party_connected_apps_allowed_type: The authentication setting that sets the Organization's policy towards third party Connected Apps. The accepted values are:
+
+          `ALL_ALLOWED` – any third party Connected App in the Project is permitted for use by Members.
+
+          `RESTRICTED` – only third party Connected Apps with IDs in `allowed_first_party_connected_apps` can be used by Members.
+
+          `NOT_ALLOWED` – no third party Connected Apps are permitted.
+
+          - allowed_third_party_connected_apps: An array of third party Connected App IDs that are allowed for the Organization. Only used when the Organization's `third_party_connected_apps_allowed_type` is `RESTRICTED`.
         """  # noqa
         headers: Dict[str, str] = {}
         data: Dict[str, Any] = {
@@ -357,6 +430,22 @@ async def create_async(
             data["oauth_tenant_jit_provisioning"] = oauth_tenant_jit_provisioning
         if allowed_oauth_tenants is not None:
             data["allowed_oauth_tenants"] = allowed_oauth_tenants
+        if first_party_connected_apps_allowed_type is not None:
+            data["first_party_connected_apps_allowed_type"] = (
+                first_party_connected_apps_allowed_type
+            )
+        if allowed_first_party_connected_apps is not None:
+            data["allowed_first_party_connected_apps"] = (
+                allowed_first_party_connected_apps
+            )
+        if third_party_connected_apps_allowed_type is not None:
+            data["third_party_connected_apps_allowed_type"] = (
+                third_party_connected_apps_allowed_type
+            )
+        if allowed_third_party_connected_apps is not None:
+            data["allowed_third_party_connected_apps"] = (
+                allowed_third_party_connected_apps
+            )
 
         url = self.api_base.url_for("/v1/b2b/discovery/organizations/create", data)
         res = await self.async_client.post(url, data, headers)

stytch/b2b/api/organizations_members.py

@@ -918,7 +918,7 @@ def create(
           for complete field behavior details.
           - create_member_as_pending: Flag for whether or not to save a Member as `pending` or `active` in Stytch. It defaults to false. If true, new Members will be created with status `pending` in Stytch's backend. Their status will remain `pending` and they will continue to receive signup email templates for every Email Magic Link until that Member authenticates and becomes `active`. If false, new Members will be created with status `active`.
           - is_breakglass: Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the [Organization object](organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details.
-          - mfa_phone_number: The Member's phone number. A Member may only have one phone number.
+          - mfa_phone_number: The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).
           - mfa_enrolled: Sets whether the Member is enrolled in MFA. If true, the Member must complete an MFA step whenever they wish to log in to their Organization. If false, the Member only needs to complete an MFA step if the Organization's MFA policy is set to `REQUIRED_FOR_ALL`.
           - roles: Roles to explicitly assign to this Member. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)
            for more information about role assignment.
@@ -983,7 +983,7 @@ async def create_async(
           for complete field behavior details.
           - create_member_as_pending: Flag for whether or not to save a Member as `pending` or `active` in Stytch. It defaults to false. If true, new Members will be created with status `pending` in Stytch's backend. Their status will remain `pending` and they will continue to receive signup email templates for every Email Magic Link until that Member authenticates and becomes `active`. If false, new Members will be created with status `active`.
           - is_breakglass: Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization's settings. A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the [Organization object](organization-object) and its `auth_methods` and `allowed_auth_methods` fields for more details.
-          - mfa_phone_number: The Member's phone number. A Member may only have one phone number.
+          - mfa_phone_number: The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).
           - mfa_enrolled: Sets whether the Member is enrolled in MFA. If true, the Member must complete an MFA step whenever they wish to log in to their Organization. If false, the Member only needs to complete an MFA step if the Organization's MFA policy is set to `REQUIRED_FOR_ALL`.
           - roles: Roles to explicitly assign to this Member. See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)
            for more information about role assignment.

stytch/b2b/api/passwords.py

@@ -140,9 +140,13 @@ def migrate(
         set_phone_number_verified: Optional[bool] = None,
         external_id: Optional[str] = None,
     ) -> MigrateResponse:
-        """Adds an existing password to a member's email that doesn't have a password yet. We support migrating members from passwords stored with bcrypt, scrypt, argon2, MD-5, SHA-1, and PBKDF2. This endpoint has a rate limit of 100 requests per second.
+        """Adds an existing password to a Member's email that doesn't have a password yet.
 
-        The member's email will be marked as verified when you use this endpoint. If you are using **cross-organization passwords**, call this method separately for each `organization_id` associated with the given `email_address` to ensure the email is verified across all of their organizations.
+        We support migrating members from passwords stored with bcrypt, scrypt, argon2, MD-5, SHA-1, and PBKDF2. This endpoint has a rate limit of 100 requests per second.
+
+        The Member's email will be marked as verified when you use this endpoint.
+
+        If you are using **cross-organization passwords**, i.e. allowing an end user to share the same password across all of their Organizations, call this method separately for each `organization_id` associated with the given `email_address` to ensure the password is set across all of their Organizations.
 
         Fields:
           - email_address: The email address of the Member.
@@ -170,8 +174,9 @@ def migrate(
           - preserve_existing_sessions: Whether to preserve existing sessions when explicit Roles that are revoked are also implicitly assigned
           by SSO connection or SSO group. Defaults to `false` - that is, existing Member Sessions that contain SSO
           authentication factors with the affected SSO connection IDs will be revoked.
-          - mfa_phone_number: (no documentation yet)
-          - set_phone_number_verified: (no documentation yet)
+          - mfa_phone_number: The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).
+          - set_phone_number_verified: Whether to set the user's phone number as verified. This is a dangerous field. This flag should only be set if you can attest that
+           the user owns the phone number in question.
           - external_id: If a new member is created, this will set an identifier that can be used in API calls wherever a member_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project. Note that if a member already exists, this field will be ignored.
         """  # noqa
         headers: Dict[str, str] = {}
@@ -248,9 +253,13 @@ async def migrate_async(
         set_phone_number_verified: Optional[bool] = None,
         external_id: Optional[str] = None,
     ) -> MigrateResponse:
-        """Adds an existing password to a member's email that doesn't have a password yet. We support migrating members from passwords stored with bcrypt, scrypt, argon2, MD-5, SHA-1, and PBKDF2. This endpoint has a rate limit of 100 requests per second.
+        """Adds an existing password to a Member's email that doesn't have a password yet.
+
+        We support migrating members from passwords stored with bcrypt, scrypt, argon2, MD-5, SHA-1, and PBKDF2. This endpoint has a rate limit of 100 requests per second.
+
+        The Member's email will be marked as verified when you use this endpoint.
 
-        The member's email will be marked as verified when you use this endpoint. If you are using **cross-organization passwords**, call this method separately for each `organization_id` associated with the given `email_address` to ensure the email is verified across all of their organizations.
+        If you are using **cross-organization passwords**, i.e. allowing an end user to share the same password across all of their Organizations, call this method separately for each `organization_id` associated with the given `email_address` to ensure the password is set across all of their Organizations.
 
         Fields:
           - email_address: The email address of the Member.
@@ -278,8 +287,9 @@ async def migrate_async(
           - preserve_existing_sessions: Whether to preserve existing sessions when explicit Roles that are revoked are also implicitly assigned
           by SSO connection or SSO group. Defaults to `false` - that is, existing Member Sessions that contain SSO
           authentication factors with the affected SSO connection IDs will be revoked.
-          - mfa_phone_number: (no documentation yet)
-          - set_phone_number_verified: (no documentation yet)
+          - mfa_phone_number: The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).
+          - set_phone_number_verified: Whether to set the user's phone number as verified. This is a dangerous field. This flag should only be set if you can attest that
+           the user owns the phone number in question.
           - external_id: If a new member is created, this will set an identifier that can be used in API calls wherever a member_id is expected. This is a string consisting of alphanumeric, `.`, `_`, `-`, or `|` characters with a maximum length of 128 characters. External IDs must be unique within an organization, but may be reused across different organizations in the same project. Note that if a member already exists, this field will be ignored.
         """  # noqa
         headers: Dict[str, str] = {}

stytch/b2b/models/discovery_organizations.py

@@ -6,6 +6,7 @@
 
 from __future__ import annotations
 
+import enum
 from typing import List, Optional
 
 from stytch.b2b.models.discovery import DiscoveredOrganization
@@ -15,6 +16,18 @@
 from stytch.core.response_base import ResponseBase
 
 
+class CreateRequestFirstPartyConnectedAppsAllowedType(str, enum.Enum):
+    ALL_ALLOWED = "ALL_ALLOWED"
+    RESTRICTED = "RESTRICTED"
+    NOT_ALLOWED = "NOT_ALLOWED"
+
+
+class CreateRequestThirdPartyConnectedAppsAllowedType(str, enum.Enum):
+    ALL_ALLOWED = "ALL_ALLOWED"
+    RESTRICTED = "RESTRICTED"
+    NOT_ALLOWED = "NOT_ALLOWED"
+
+
 class CreateResponse(ResponseBase):
     """Response type for `Organizations.create`.
     Fields:

stytch/b2b/models/organizations.py

@@ -540,7 +540,7 @@ class Member(pydantic.BaseModel):
 
       - is_locked: (no documentation yet)
       - mfa_enrolled: Sets whether the Member is enrolled in MFA. If true, the Member must complete an MFA step whenever they wish to log in to their Organization. If false, the Member only needs to complete an MFA step if the Organization's MFA policy is set to `REQUIRED_FOR_ALL`.
-      - mfa_phone_number: The Member's phone number. A Member may only have one phone number.
+      - mfa_phone_number: The Member's phone number. A Member may only have one phone number. The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).
       - default_mfa_method: (no documentation yet)
       - roles: Explicit or implicit Roles assigned to this Member, along with details about the role assignment source.
        See the [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment) for more information about role assignment.

stytch/version.py

@@ -1 +1 @@
-__version__ = "13.8.0"
+__version__ = "13.9.0"