From 18866683c5e1b295a6c82d667107499fef7fc48f Mon Sep 17 00:00:00 2001 From: Lyle Schemmerling Date: Wed, 17 Sep 2025 16:48:00 -0600 Subject: [PATCH 1/6] new optional tenant id param added (breaking) --- openapi.yaml | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/openapi.yaml b/openapi.yaml index 221a5d5..10ef7b7 100644 --- a/openapi.yaml +++ b/openapi.yaml @@ -3780,7 +3780,7 @@ components: type: string kty: "$ref": "#/components/schemas/KeyType" - "n": + n: type: string other: type: object @@ -3804,7 +3804,7 @@ components: type: string x5t#S256: type: string - "y": + y: type: string JSONWebKeyInfoProvider: description: Interface for any object that can provide JSON Web key Information. @@ -18158,7 +18158,12 @@ paths: API is useful if you want to build your own login workflow to complete a device grant. operationId: retrieveDeviceUserCode - parameters: [] + parameters: + - name: tenantId + in: query + schema: + type: string + description: The Id of the tenant to use for this request. responses: '200': description: Success @@ -18182,6 +18187,11 @@ paths: schema: type: string description: The client Id. + - name: tenantId + in: query + schema: + type: string + description: The Id of the tenant to use for this request. responses: '200': description: Success @@ -18244,7 +18254,12 @@ paths: operationId: retrieveUserInfoFromAccessTokenWithId security: - BearerAuth: [] - parameters: [] + parameters: + - name: tenantId + in: query + schema: + type: string + description: The Id of the tenant to use for this request. responses: '200': description: Success From c52926c2b8a90985600f29d20063db8503bb5e70 Mon Sep 17 00:00:00 2001 From: Lyle Schemmerling Date: Tue, 23 Sep 2025 12:17:33 -0600 Subject: [PATCH 2/6] validate and libs --- openapi.yaml | 296 +++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 278 insertions(+), 18 deletions(-) diff --git a/openapi.yaml b/openapi.yaml index 10ef7b7..ae22db3 100644 
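Review bot: The new `tenantId` query parameter on `retrieveDeviceUserCode` (and the identical parameter added to the device validate GET and the userinfo GET on this same line) is declared as a bare `type: string`, while the surrounding file types ids as `type: string` with `format: uuid` (the `userId` context at the start of the next hunk, and the `tenantId` properties in the later request schemas of this series). Tightening it to `schema:` / `type: string` / `format: uuid` lets generated clients and request validators reject malformed tenant selectors before they reach the server. Because this is a caller-chosen selector for which tenant a request runs under, the description should also state the relationship to the tenant implied by the `client_id` or bearer token — if the server rejects a mismatch, say so: `description: The Id of the tenant to use for this request. Must match the tenant that owns the client or token; mismatches are rejected.` (wording to be confirmed against the server behaviour).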
--- a/openapi.yaml +++ b/openapi.yaml @@ -99,6 +99,16 @@ components: userId: type: string format: uuid + AccessTokenIntrospectRequest: + description: The request object for introspecting an access token. + type: object + properties: + client_id: + type: string + tenantId: + type: string + token: + type: string ActionData: type: object properties: @@ -1158,6 +1168,30 @@ components: - Required - NotRequired - NotRequiredWhenUsingPKCE + ClientCredentialsAccessTokenIntrospectRequest: + description: Contains the parameters used to introspect an access token that + was obtained via the client credentials grant. + type: object + properties: + tenantId: + type: string + token: + type: string + ClientCredentialsGrantRequest: + description: The request object to make a Client Credentials grant request to + obtain an access token. + type: object + properties: + client_id: + type: string + client_secret: + type: string + grant_type: + type: string + scope: + type: string + tenantId: + type: string ConnectorLambdaConfiguration: type: object properties: @@ -1365,6 +1399,23 @@ components: type: integer enabled: type: boolean + DeviceApprovalRequest: + description: The request object to approve a device grant. + type: object + properties: + client_id: + type: string + client_secret: + type: string + metaData: + "$ref": "#/components/schemas/MetaData" + tenantId: + type: string + format: uuid + token: + type: string + user_code: + type: string DeviceApprovalResponse: description: '' type: object @@ -1381,6 +1432,21 @@ components: userId: type: string format: uuid + DeviceAuthorizationRequest: + description: '' + type: object + properties: + client_id: + type: string + client_secret: + type: string + metaData: + "$ref": "#/components/schemas/MetaData" + scope: + type: string + tenantId: + type: string + format: uuid DeviceInfo: description: '' type: object 
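Review bot: `AccessTokenIntrospectRequest` declares `token` as just another optional property with no `required` list, so a client generated from this schema can send an introspection request with no token and the spec does not say which field the server insists on. Add `required:` / `  - token` under the schema, and the same on `ClientCredentialsAccessTokenIntrospectRequest` in the following hunk. In the same patch `tenantId` is typed `type: string` here but `type: string` plus `format: uuid` on `DeviceApprovalRequest` and `DeviceAuthorizationRequest` two hunks down; these describe the same server-side parameter and should agree, so add `format: uuid` here as well.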
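Review bot: `client_secret` in `ClientCredentialsGrantRequest` (and in `DeviceApprovalRequest` / `DeviceAuthorizationRequest` further along this line) is a plain `type: string`, so documentation renderers and SDK generators treat it like any other field — it shows up unmasked in rendered examples and debug output. OpenAPI's hint for credential fields is `client_secret:` / `type: string` / `format: password`. `grant_type` has a single legal value for this request under RFC 6749 §4.4; if the server only accepts that value, `enum: [client_credentials]` would let validators catch wrong grant types client-side.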
@@ -5013,6 +5079,44 @@ components: enum: - FirstParty - ThirdParty + OAuthCodeAccessTokenRequest: + description: The request object for exchanging an OAuth authorization code for + an access token. + type: object + properties: + client_id: + type: string + client_secret: + type: string + code: + type: string + grant_type: + type: string + redirect_uri: + type: string + tenantId: + type: string + OAuthCodePKCEAccessTokenRequest: + description: The request object to make a request to the Token endpoint to exchange + the authorization code returned from the Authorize endpoint and a code_verifier + for an access token. + type: object + properties: + client_id: + type: string + client_secret: + type: string + code: + type: string + code_verifier: + type: string + grant_type: + type: string + redirect_uri: + type: string + tenantId: + type: string + format: uuid OAuthConfigurationResponse: description: '' type: object @@ -5806,6 +5910,25 @@ components: userId: type: string format: uuid + RefreshTokenAccessTokenRequest: + description: The request object to exchange a Refresh Token for an Access Token. + type: object + properties: + client_id: + type: string + client_secret: + type: string + grant_type: + type: string + refresh_token: + type: string + scope: + type: string + tenantId: + type: string + format: uuid + user_code: + type: string RefreshTokenExpirationPolicy: description: '' type: string 
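Review bot: `OAuthCodeAccessTokenRequest.tenantId` is declared `type: string`, while `OAuthCodePKCEAccessTokenRequest.tenantId`, added in the same hunk, is `type: string` with `format: uuid`; the two schemas carry the same parameter and should be typed identically, so add `format: uuid` to the first. `client_secret` on both schemas should be `format: password` so that rendered docs and generated examples do not present the secret as ordinary text. The PKCE schema lists `client_secret` next to `code_verifier`; if public clients are expected to omit the secret, one sentence in the description saying so would stop generated examples from implying both are needed. `RefreshTokenAccessTokenRequest` in the second hunk carries a `user_code` property whose role in a refresh-token exchange is not stated anywhere on this page; a short property `description` would help.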
@@ -6022,6 +6145,30 @@ components: - discouraged - preferred - required + RetrieveUserCodeRequest: + description: The request object for retrieving a user code that is part of an + in-progress Device Authorization Grant. + type: object + properties: + client_id: + type: string + client_secret: + type: string + tenantId: + type: string + format: uuid + user_code: + type: string + RetrieveUserCodeUsingAPIKeyRequest: + description: The request object for retrieving a user code that is part of an + in-progress Device Authorization Grant using an API key + type: object + properties: + tenantId: + type: string + format: uuid + user_code: + type: string SAMLLogoutBehavior: type: string enum: @@ -8267,6 +8414,27 @@ components: properties: user: "$ref": "#/components/schemas/User" + UserCredentialsAccessTokenRequest: + description: The request object for exchanging user credentials (username and + password) for an access token. + type: object + properties: + client_id: + type: string + client_secret: + type: string + grant_type: + type: string + password: + type: string + scope: + type: string + tenantId: + type: string + user_code: + type: string + username: + type: string UserDeactivateEvent: description: Models the User Deactivate Event. type: object @@ -8857,6 +9025,18 @@ components: format: uuid enabled: type: boolean + ValidateDeviceRequest: + description: The request object for validating an end-user provided user_code + from the user-interaction of the Device Authorization Grant + type: object + properties: + client_id: + type: string + tenantId: + type: string + format: uuid + user_code: + type: string ValidateResponse: description: '' type: object 
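Review bot: `password` in `UserCredentialsAccessTokenRequest` is a bare `type: string`; it and `client_secret` should be `format: password` so renderers mask the value and SDK generators do not emit it in plain examples. The schema documents the Resource Owner Password Credentials grant, which current OAuth best-practice guidance (RFC 9700) recommends against; if this grant is kept only for legacy clients, the schema description is the place to say so. `user_code` appears here as well as on the refresh request, with no description of when a caller should supply it. In the first hunk, `RetrieveUserCodeUsingAPIKeyRequest` is added but nothing on this page references it, so as written it is an orphan schema.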
@@ -18133,9 +18313,14 @@ paths: "$ref": "#/components/schemas/Errors" "/oauth2/device/approve": post: - description: Approve a device grant. - operationId: approveDeviceWithId + description: Approve a device grant. OR Approve a device grant. + operationId: createDeviceApprove parameters: [] + requestBody: + content: + application/json: + schema: + "$ref": "#/components/schemas/DeviceApprovalRequest" responses: '200': description: Success @@ -18158,12 +18343,26 @@ paths: API is useful if you want to build your own login workflow to complete a device grant. operationId: retrieveDeviceUserCode - parameters: - - name: tenantId - in: query - schema: - type: string - description: The Id of the tenant to use for this request. + parameters: [] + responses: + '200': + description: Success + default: + description: Error + post: + description: Retrieve a user_code that is part of an in-progress Device Authorization + Grant. This API is useful if you want to build your own login workflow to + complete a device grant. OR Retrieve a user_code that is part of an in-progress + Device Authorization Grant. This API is useful if you want to build your + own login workflow to complete a device grant. This request will require + an API key. + operationId: createDeviceUserCode + parameters: [] + requestBody: + content: + application/json: + schema: + "$ref": "#/components/schemas/RetrieveUserCodeRequest" responses: '200': description: Success 
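Review bot: The `/oauth2/device/approve` description now reads `Approve a device grant. OR Approve a device grant.`, which looks like the generator concatenating two identical route descriptions; collapse it to `description: Approve a device grant.` before publishing. The `operationId` also changes from `approveDeviceWithId` to `createDeviceApprove`; generated client method names are derived from it, so this is a breaking rename for SDK users that the commit subject ("validate and libs") does not call out. The new `DeviceApprovalRequest` body carries `client_secret` as a plain string — `format: password` would be appropriate there too.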
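Review bot: The new POST on `/oauth2/device/user-code` says `This request will require an API key.`, yet the operation declares no `security` requirement, unlike `retrieveUserInfoFromAccessTokenWithId` later on this page which carries `security:` / `  - BearerAuth: []`. Without a declared scheme, generated clients will not attach credentials and rendered docs will present the endpoint as anonymous; declare whichever scheme this file uses for API-key calls. The body references `RetrieveUserCodeRequest` (client_id/client_secret) rather than the `RetrieveUserCodeUsingAPIKeyRequest` schema that was added earlier in this patch for precisely this variant, so the two routes merged into this one description do not both have a matching body — a `oneOf` over the two schemas would reflect that. The description is also the same paragraph twice joined by "OR".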
@@ -18187,24 +18386,68 @@ paths: schema: type: string description: The client Id. - - name: tenantId - in: query - schema: - type: string - description: The Id of the tenant to use for this request. responses: '200': description: Success default: description: Error + post: + description: Validates the end-user provided user_code from the user-interaction + of the Device Authorization Grant. If you build your own activation form you + should validate the user provided code prior to beginning the Authorization + grant. + operationId: validateDeviceWithRequestWithId + parameters: [] + requestBody: + content: + application/json: + schema: + "$ref": "#/components/schemas/ValidateDeviceRequest" + responses: + '200': + description: Success + default: + description: Error + "/oauth2/device_authorize": + post: + description: Start the Device Authorization flow using a request body OR Start + the Device Authorization flow using form-encoded parameters + operationId: createDevice_authorize + parameters: [] + requestBody: + content: + application/json: + schema: + "$ref": "#/components/schemas/DeviceAuthorizationRequest" + responses: + '200': + description: Success + content: + application/json: + schema: + "$ref": "#/components/schemas/DeviceResponse" + default: + description: Error + content: + application/json: + schema: + "$ref": "#/components/schemas/OAuthError" "/oauth2/introspect": post: description: Inspect an access token issued as the result of the Client Credentials + Grant. OR Inspect an access token issued as the result of the Client Credentials Grant. OR Inspect an access token issued as the result of the User based grant such as the Authorization Code Grant, Implicit Grant, the User Credentials - Grant or the Refresh Grant. + Grant or the Refresh Grant. OR Inspect an access token issued as the result + of the User based grant such as the Authorization Code Grant, Implicit Grant, + the User Credentials Grant or the Refresh Grant. 
operationId: createIntrospect parameters: [] + requestBody: + content: + application/json: + schema: + "$ref": "#/components/schemas/ClientCredentialsAccessTokenIntrospectRequest" responses: '200': description: Success 
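Review bot: `/oauth2/device_authorize` describes itself as callable "using a request body OR ... using form-encoded parameters", but `requestBody.content` lists only `application/json`; the form-encoded variant, which is the one RFC 8628 §3.1 specifies, is undocumented. Add a sibling entry `application/x-www-form-urlencoded:` / `  schema:` / `    "$ref": "#/components/schemas/DeviceAuthorizationRequest"` under `content`. The `/oauth2/introspect` body in the same hunk references only `ClientCredentialsAccessTokenIntrospectRequest`, which has no `client_id`, although the description explicitly covers user-based grants for which `AccessTokenIntrospectRequest` (with `client_id`) was added earlier in this patch; `schema:` / `  oneOf:` / `    - "$ref"` entries for both schemas would match the description. Patch 4 of this series removes these `requestBody` blocks again; if that is the intended end state, the descriptions should still say which content types are accepted, since the component schemas remain in the file unreferenced.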
@@ -18223,17 +18466,34 @@ paths: description: Exchange User Credentials for a Token. If you will be using the Resource Owner Password Credential Grant, you will make a request to the Token endpoint to exchange the user’s email and password for an access token. OR - Exchange a Refresh Token for an Access Token. If you will be using the Refresh - Token Grant, you will make a request to the Token endpoint to exchange the - user’s refresh token for an access token. OR Exchanges an OAuth authorization + Exchange User Credentials for a Token. If you will be using the Resource Owner + Password Credential Grant, you will make a request to the Token endpoint to + exchange the user’s email and password for an access token. OR Exchange a + Refresh Token for an Access Token. If you will be using the Refresh Token + Grant, you will make a request to the Token endpoint to exchange the user’s + refresh token for an access token. OR Exchange a Refresh Token for an Access + Token. If you will be using the Refresh Token Grant, you will make a request + to the Token endpoint to exchange the user’s refresh token for an access token. + OR Exchanges an OAuth authorization code for an access token. Makes a request + to the Token endpoint to exchange the authorization code returned from the + Authorize endpoint for an access token. OR Exchanges an OAuth authorization code and code_verifier for an access token. Makes a request to the Token endpoint to exchange the authorization code returned from the Authorize endpoint and a code_verifier for an access token. OR Exchanges an OAuth authorization code + and code_verifier for an access token. Makes a request to the Token endpoint + to exchange the authorization code returned from the Authorize endpoint and + a code_verifier for an access token. OR Exchanges an OAuth authorization code for an access token. Makes a request to the Token endpoint to exchange the authorization code returned from the Authorize endpoint for an access token. 
- OR Make a Client Credentials grant request to obtain an access token. + OR Make a Client Credentials grant request to obtain an access token. OR Make + a Client Credentials grant request to obtain an access token. operationId: createToken parameters: [] + requestBody: + content: + application/json: + schema: + "$ref": "#/components/schemas/UserCredentialsAccessTokenRequest" responses: '200': description: Success From 4406b67493bcf0fe1aaaf56687a27d1a8343b528 Mon Sep 17 00:00:00 2001 From: Lyle Schemmerling Date: Tue, 23 Sep 2025 12:42:55 -0600 Subject: [PATCH 3/6] fix imports and user info --- openapi.yaml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/openapi.yaml b/openapi.yaml index ae22db3..c2915aa 100644 --- a/openapi.yaml +++ b/openapi.yaml @@ -18514,12 +18514,7 @@ paths: operationId: retrieveUserInfoFromAccessTokenWithId security: - BearerAuth: [] - parameters: - - name: tenantId - in: query - schema: - type: string - description: The Id of the tenant to use for this request. + parameters: [] responses: '200': description: Success From 6839c8c51e43b39f8ac1be47e443b4cf647c88d7 Mon Sep 17 00:00:00 2001 From: Lyle Schemmerling Date: Wed, 17 Dec 2025 11:26:10 -0700 Subject: [PATCH 4/6] PR Feedback, additional validation on oauth routes affected by the tenant id checks, update the client libraries to pass in the tenant id in request objects to preserve backwards compat, additional testing, and some cleanup --- openapi.yaml | 34 ---------------------------------- 1 file changed, 34 deletions(-) diff --git a/openapi.yaml b/openapi.yaml index b845053..d31851b 100644 --- a/openapi.yaml +++ b/openapi.yaml @@ -1410,8 +1410,6 @@ components: type: string client_secret: type: string - metaData: - "$ref": "#/components/schemas/MetaData" tenantId: type: string format: uuid @@ -1443,8 +1441,6 @@ components: type: string client_secret: type: string - metaData: - "$ref": "#/components/schemas/MetaData" scope: type: string tenantId: 
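Review bot: The new `requestBody` on `/oauth2/token` references only `UserCredentialsAccessTokenRequest`, while the description (now listing every grant twice) covers the refresh-token, authorization-code, PKCE and client-credentials grants whose schemas this patch added, so a client generated from this spec would expose only the password grant. A `oneOf` over the five request schemas, and an `application/x-www-form-urlencoded` entry alongside `application/json` (RFC 6749 §4.1.3/§4.3.2/§4.4.2 mandate form encoding at the token endpoint), would document what the description promises. The duplicated "OR" paragraphs should be reduced to one copy per grant. Patch 4 later deletes this `requestBody` entirely, which leaves the token endpoint with no body schema while the component schemas stay in the file; whichever direction is chosen, the operation should end with a body schema that matches its description.
```yaml
      requestBody:
        content:
          application/x-www-form-urlencoded:
            schema:
              oneOf:
                - "$ref": "#/components/schemas/UserCredentialsAccessTokenRequest"
                - "$ref": "#/components/schemas/RefreshTokenAccessTokenRequest"
                - "$ref": "#/components/schemas/OAuthCodeAccessTokenRequest"
                - "$ref": "#/components/schemas/OAuthCodePKCEAccessTokenRequest"
                - "$ref": "#/components/schemas/ClientCredentialsGrantRequest"
          # application/json: same oneOf schema (omitted here)
```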
@@ -18385,11 +18381,6 @@ paths: description: Approve a device grant. OR Approve a device grant. operationId: createDeviceApprove parameters: [] - requestBody: - content: - application/json: - schema: - "$ref": "#/components/schemas/DeviceApprovalRequest" responses: '200': description: Success @@ -18427,11 +18418,6 @@ paths: an API key. operationId: createDeviceUserCode parameters: [] - requestBody: - content: - application/json: - schema: - "$ref": "#/components/schemas/RetrieveUserCodeRequest" responses: '200': description: Success @@ -18467,11 +18453,6 @@ paths: grant. operationId: validateDeviceWithRequestWithId parameters: [] - requestBody: - content: - application/json: - schema: - "$ref": "#/components/schemas/ValidateDeviceRequest" responses: '200': description: Success @@ -18483,11 +18464,6 @@ paths: the Device Authorization flow using form-encoded parameters operationId: createDevice_authorize parameters: [] - requestBody: - content: - application/json: - schema: - "$ref": "#/components/schemas/DeviceAuthorizationRequest" responses: '200': description: Success @@ -18512,11 +18488,6 @@ paths: the User Credentials Grant or the Refresh Grant. operationId: createIntrospect parameters: [] - requestBody: - content: - application/json: - schema: - "$ref": "#/components/schemas/ClientCredentialsAccessTokenIntrospectRequest" responses: '200': description: Success @@ -18558,11 +18529,6 @@ paths: a Client Credentials grant request to obtain an access token. operationId: createToken parameters: [] - requestBody: - content: - application/json: - schema: - "$ref": "#/components/schemas/UserCredentialsAccessTokenRequest" responses: '200': description: Success From 4d8442dc5a198c3b819aed297660d1f517ac4c7e Mon Sep 17 00:00:00 2001 From: Lyle Schemmerling Date: Wed, 17 Dec 2025 13:04:48 -0700 Subject: [PATCH 5/6] quotes --- openapi.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openapi.yaml b/openapi.yaml index 99a3874..d57ad6d 100644 
--- a/openapi.yaml +++ b/openapi.yaml @@ -3866,7 +3866,7 @@ components: type: string kty: "$ref": "#/components/schemas/KeyType" - n: + "n": type: string other: type: object @@ -3890,7 +3890,7 @@ components: type: string x5t#S256: type: string - y: + "y": type: string JSONWebKeyInfoProvider: description: Interface for any object that can provide JSON Web key Information. From 51b0050772bfec9034488bf290577df475478ef5 Mon Sep 17 00:00:00 2001 From: Lyle Schemmerling Date: Thu, 18 Dec 2025 12:35:00 -0700 Subject: [PATCH 6/6] handle GET on validateDeviceWithRequest with tenantId --- openapi.yaml | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/openapi.yaml b/openapi.yaml index 2e69022..25e3e4e 100644 --- a/openapi.yaml +++ b/openapi.yaml @@ -18633,10 +18633,13 @@ paths: "/oauth2/device/validate": get: description: Validates the end-user provided user_code from the user-interaction + of the Device Authorization Grant. If you build your own activation form you + should validate the user provided code prior to beginning the Authorization + grant. OR Validates the end-user provided user_code from the user-interaction of the Device Authorization Grant. If you build your own activation form you should validate the user provided code prior to beginning the Authorization grant. - operationId: validateDeviceWithId + operationId: retrieveDeviceValidate parameters: - name: user_code in: query 
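Review bot: The GET description on `/oauth2/device/validate` now contains the same paragraph twice joined by "OR", the same generator artifact seen on the approve, user-code, introspect and token operations in patch 2; it should be collapsed to a single copy before the spec ships. The `operationId` is renamed from `validateDeviceWithId` to `retrieveDeviceValidate`, a breaking change for generated clients that the subject line does not mention. The subject says the GET now handles `tenantId`, but the only parameter visible in this hunk's context is `user_code`; if a `tenantId` query parameter exists below the hunk it should carry `format: uuid` like the request schemas, and if it does not, the GET lost its tenant selector when patch 2 removed it. The GET's parameter list continues past the end of the hunk.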
@@ -18653,18 +18656,6 @@ paths: description: Success default: description: Error - post: - description: Validates the end-user provided user_code from the user-interaction - of the Device Authorization Grant. If you build your own activation form you - should validate the user provided code prior to beginning the Authorization - grant. - operationId: validateDeviceWithRequestWithId - parameters: [] - responses: - '200': - description: Success - default: - description: Error "/oauth2/device_authorize": post: description: Start the Device Authorization flow using a request body OR Start