Add allowed OAuth Tenants (#214)
Add allowed OAuth Tenants (#214)
vincent-stytch authored Aug 14, 2024
1 parent 87f3e14 commit 4c82295
Showing 4 changed files with 96 additions and 1 deletion.
26 changes: 26 additions & 0 deletions stytch/b2b/api/discovery_organizations.py
@@ -43,6 +43,8 @@ def create(
] = None,
mfa_methods: Optional[str] = None,
allowed_mfa_methods: Optional[List[str]] = None,
oauth_tenant_jit_provisioning: Optional[str] = None,
allowed_oauth_tenants: Optional[Dict[str, Any]] = None,
) -> CreateResponse:
"""If an end user does not want to join any already-existing Organization, or has no possible Organizations to join, this endpoint can be used to create a new
[Organization](https://stytch.com/docs/b2b/api/organization-object) and [Member](https://stytch.com/docs/b2b/api/member-object).
@@ -134,6 +136,13 @@ def create(
- allowed_mfa_methods: An array of allowed MFA authentication methods. This list is enforced when `mfa_methods` is set to `RESTRICTED`.
The list's accepted values are: `sms_otp` and `totp`.
- oauth_tenant_jit_provisioning: The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are:
`RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.
`NOT_ALLOWED` – disable JIT provisioning by OAuth Tenant.
- allowed_oauth_tenants: A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack" and "hubspot".
""" # noqa
headers: Dict[str, str] = {}
data: Dict[str, Any] = {
@@ -172,6 +181,10 @@ def create(
data["mfa_methods"] = mfa_methods
if allowed_mfa_methods is not None:
data["allowed_mfa_methods"] = allowed_mfa_methods
if oauth_tenant_jit_provisioning is not None:
data["oauth_tenant_jit_provisioning"] = oauth_tenant_jit_provisioning
if allowed_oauth_tenants is not None:
data["allowed_oauth_tenants"] = allowed_oauth_tenants

url = self.api_base.url_for("/v1/b2b/discovery/organizations/create", data)
res = self.sync_client.post(url, data, headers)
@@ -198,6 +211,8 @@ async def create_async(
] = None,
mfa_methods: Optional[str] = None,
allowed_mfa_methods: Optional[List[str]] = None,
oauth_tenant_jit_provisioning: Optional[str] = None,
allowed_oauth_tenants: Optional[Dict[str, Any]] = None,
) -> CreateResponse:
"""If an end user does not want to join any already-existing Organization, or has no possible Organizations to join, this endpoint can be used to create a new
[Organization](https://stytch.com/docs/b2b/api/organization-object) and [Member](https://stytch.com/docs/b2b/api/member-object).
@@ -289,6 +304,13 @@ async def create_async(
- allowed_mfa_methods: An array of allowed MFA authentication methods. This list is enforced when `mfa_methods` is set to `RESTRICTED`.
The list's accepted values are: `sms_otp` and `totp`.
- oauth_tenant_jit_provisioning: The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are:
`RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.
`NOT_ALLOWED` – disable JIT provisioning by OAuth Tenant.
- allowed_oauth_tenants: A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack" and "hubspot".
""" # noqa
headers: Dict[str, str] = {}
data: Dict[str, Any] = {
@@ -327,6 +349,10 @@ async def create_async(
data["mfa_methods"] = mfa_methods
if allowed_mfa_methods is not None:
data["allowed_mfa_methods"] = allowed_mfa_methods
if oauth_tenant_jit_provisioning is not None:
data["oauth_tenant_jit_provisioning"] = oauth_tenant_jit_provisioning
if allowed_oauth_tenants is not None:
data["allowed_oauth_tenants"] = allowed_oauth_tenants

url = self.api_base.url_for("/v1/b2b/discovery/organizations/create", data)
res = await self.async_client.post(url, data, headers)
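Review bot: `allowed_oauth_tenants` is typed `Optional[Dict[str, Any]]` in `create` and `create_async` and copied into `data` unchecked, while the docstring names only the allowed keys ("slack" and "hubspot") and says nothing about what each value must be. Because this map decides which external tenants may JIT provision into the Organization, the docstring should state the value shape and what happens when the map is passed without `oauth_tenant_jit_provisioning` set to `RESTRICTED`, for example `Each value is <shape expected by the API>; the map is only enforced when oauth_tenant_jit_provisioning is RESTRICTED` (the second half is inferred from the `allowed_mfa_methods` wording and should be confirmed). The same applies to the `create`, `create_async`, `update` and `update_async` hunks in stytch/b2b/api/organizations.py. Both function bodies continue outside the hunks shown.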
60 changes: 60 additions & 0 deletions stytch/b2b/api/organizations.py
@@ -56,6 +56,8 @@ def create(
] = None,
mfa_methods: Optional[str] = None,
allowed_mfa_methods: Optional[List[str]] = None,
oauth_tenant_jit_provisioning: Optional[str] = None,
allowed_oauth_tenants: Optional[Dict[str, Any]] = None,
) -> CreateResponse:
"""Creates an Organization. An `organization_name` and a unique `organization_slug` are required.
@@ -122,6 +124,13 @@ def create(
- allowed_mfa_methods: An array of allowed MFA authentication methods. This list is enforced when `mfa_methods` is set to `RESTRICTED`.
The list's accepted values are: `sms_otp` and `totp`.
- oauth_tenant_jit_provisioning: The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are:
`RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.
`NOT_ALLOWED` – disable JIT provisioning by OAuth Tenant.
- allowed_oauth_tenants: A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack" and "hubspot".
""" # noqa
headers: Dict[str, str] = {}
data: Dict[str, Any] = {
@@ -156,6 +165,10 @@ def create(
data["mfa_methods"] = mfa_methods
if allowed_mfa_methods is not None:
data["allowed_mfa_methods"] = allowed_mfa_methods
if oauth_tenant_jit_provisioning is not None:
data["oauth_tenant_jit_provisioning"] = oauth_tenant_jit_provisioning
if allowed_oauth_tenants is not None:
data["allowed_oauth_tenants"] = allowed_oauth_tenants

url = self.api_base.url_for("/v1/b2b/organizations", data)
res = self.sync_client.post(url, data, headers)
@@ -179,6 +192,8 @@ async def create_async(
] = None,
mfa_methods: Optional[str] = None,
allowed_mfa_methods: Optional[List[str]] = None,
oauth_tenant_jit_provisioning: Optional[str] = None,
allowed_oauth_tenants: Optional[Dict[str, Any]] = None,
) -> CreateResponse:
"""Creates an Organization. An `organization_name` and a unique `organization_slug` are required.
@@ -245,6 +260,13 @@ async def create_async(
- allowed_mfa_methods: An array of allowed MFA authentication methods. This list is enforced when `mfa_methods` is set to `RESTRICTED`.
The list's accepted values are: `sms_otp` and `totp`.
- oauth_tenant_jit_provisioning: The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are:
`RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.
`NOT_ALLOWED` – disable JIT provisioning by OAuth Tenant.
- allowed_oauth_tenants: A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack" and "hubspot".
""" # noqa
headers: Dict[str, str] = {}
data: Dict[str, Any] = {
@@ -279,6 +301,10 @@ async def create_async(
data["mfa_methods"] = mfa_methods
if allowed_mfa_methods is not None:
data["allowed_mfa_methods"] = allowed_mfa_methods
if oauth_tenant_jit_provisioning is not None:
data["oauth_tenant_jit_provisioning"] = oauth_tenant_jit_provisioning
if allowed_oauth_tenants is not None:
data["allowed_oauth_tenants"] = allowed_oauth_tenants

url = self.api_base.url_for("/v1/b2b/organizations", data)
res = await self.async_client.post(url, data, headers)
@@ -341,6 +367,8 @@ def update(
] = None,
mfa_methods: Optional[str] = None,
allowed_mfa_methods: Optional[List[str]] = None,
oauth_tenant_jit_provisioning: Optional[str] = None,
allowed_oauth_tenants: Optional[Dict[str, Any]] = None,
method_options: Optional[UpdateRequestOptions] = None,
) -> UpdateResponse:
"""Updates an Organization specified by `organization_id`. An Organization must always have at least one auth setting set to either `RESTRICTED` or `ALL_ALLOWED` in order to provision new Members.
@@ -442,6 +470,17 @@ def update(
If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource.
- oauth_tenant_jit_provisioning: The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are:
`RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.
`NOT_ALLOWED` – disable JIT provisioning by OAuth Tenant.
If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.oauth-tenant-jit-provisioning` action on the `stytch.organization` Resource.
- allowed_oauth_tenants: A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack" and "hubspot".
If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-oauth-tenants` action on the `stytch.organization` Resource.
""" # noqa
headers: Dict[str, str] = {}
if method_options is not None:
@@ -486,6 +525,10 @@ def update(
data["mfa_methods"] = mfa_methods
if allowed_mfa_methods is not None:
data["allowed_mfa_methods"] = allowed_mfa_methods
if oauth_tenant_jit_provisioning is not None:
data["oauth_tenant_jit_provisioning"] = oauth_tenant_jit_provisioning
if allowed_oauth_tenants is not None:
data["allowed_oauth_tenants"] = allowed_oauth_tenants

url = self.api_base.url_for("/v1/b2b/organizations/{organization_id}", data)
res = self.sync_client.put(url, data, headers)
@@ -512,6 +555,8 @@ async def update_async(
] = None,
mfa_methods: Optional[str] = None,
allowed_mfa_methods: Optional[List[str]] = None,
oauth_tenant_jit_provisioning: Optional[str] = None,
allowed_oauth_tenants: Optional[Dict[str, Any]] = None,
method_options: Optional[UpdateRequestOptions] = None,
) -> UpdateResponse:
"""Updates an Organization specified by `organization_id`. An Organization must always have at least one auth setting set to either `RESTRICTED` or `ALL_ALLOWED` in order to provision new Members.
@@ -613,6 +658,17 @@ async def update_async(
If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-mfa-methods` action on the `stytch.organization` Resource.
- oauth_tenant_jit_provisioning: The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are:
`RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.
`NOT_ALLOWED` – disable JIT provisioning by OAuth Tenant.
If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.oauth-tenant-jit-provisioning` action on the `stytch.organization` Resource.
- allowed_oauth_tenants: A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack" and "hubspot".
If this field is provided and a session header is passed into the request, the Member Session must have permission to perform the `update.settings.allowed-oauth-tenants` action on the `stytch.organization` Resource.
""" # noqa
headers: Dict[str, str] = {}
if method_options is not None:
@@ -657,6 +713,10 @@ async def update_async(
data["mfa_methods"] = mfa_methods
if allowed_mfa_methods is not None:
data["allowed_mfa_methods"] = allowed_mfa_methods
if oauth_tenant_jit_provisioning is not None:
data["oauth_tenant_jit_provisioning"] = oauth_tenant_jit_provisioning
if allowed_oauth_tenants is not None:
data["allowed_oauth_tenants"] = allowed_oauth_tenants

url = self.api_base.url_for("/v1/b2b/organizations/{organization_id}", data)
res = await self.async_client.put(url, data, headers)
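Review bot: In `update` and `update_async` the docstring for `allowed_oauth_tenants` repeats the create wording, "If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant", but the added `if allowed_oauth_tenants is not None:` guard leaves the key out of the PUT body when the argument is omitted. On update that presumably leaves the stored map untouched rather than clearing it, so a caller who relies on omission to revoke tenant access would keep the old allowlist. I would reword the update docstring along the lines of `Omitting this field leaves the current map unchanged; set oauth_tenant_jit_provisioning to NOT_ALLOWED to stop JIT provisioning by OAuth Tenant`, after confirming how the server treats an omitted field. Both function bodies extend beyond the hunks shown.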
9 changes: 9 additions & 0 deletions stytch/b2b/models/organizations.py
@@ -243,11 +243,18 @@ class Organization(pydantic.BaseModel):
- allowed_mfa_methods: An array of allowed MFA authentication methods. This list is enforced when `mfa_methods` is set to `RESTRICTED`.
The list's accepted values are: `sms_otp` and `totp`.
- oauth_tenant_jit_provisioning: The authentication setting that controls how a new Member can JIT provision into an organization by tenant. The accepted values are:
`RESTRICTED` – only new Members with tenants in `allowed_oauth_tenants` can JIT provision via tenant.
`NOT_ALLOWED` – disable JIT provisioning by OAuth Tenant.
- trusted_metadata: An arbitrary JSON object for storing application-specific data or identity-provider-specific data.
- created_at: The timestamp of the Organization's creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
- updated_at: The timestamp of when the Organization was last updated. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. `2021-12-29T12:33:09Z`.
- sso_default_connection_id: The default connection used for SSO when there are multiple active connections.
- scim_active_connection: An active [SCIM Connection references](https://stytch.com/docs/b2b/api/scim-connection-object).
- allowed_oauth_tenants: A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are "slack" and "hubspot".
""" # noqa

organization_id: str
@@ -266,11 +273,13 @@ class Organization(pydantic.BaseModel):
rbac_email_implicit_role_assignments: List[EmailImplicitRoleAssignment]
mfa_methods: str
allowed_mfa_methods: List[str]
oauth_tenant_jit_provisioning: str
trusted_metadata: Optional[Dict[str, Any]] = None
created_at: Optional[datetime.datetime] = None
updated_at: Optional[datetime.datetime] = None
sso_default_connection_id: Optional[str] = None
scim_active_connection: Optional[ActiveSCIMConnection] = None
allowed_oauth_tenants: Optional[Dict[str, Any]] = None


class ResultsMetadata(pydantic.BaseModel):
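Review bot: `oauth_tenant_jit_provisioning: str` is added to `Organization` as a required field, whereas `allowed_oauth_tenants` in the same hunk is `Optional[Dict[str, Any]] = None`. If any response the SDK parses lacks that key (an older API version, for instance), pydantic validation of the whole Organization would fail, so either confirm the API always returns it or declare it `oauth_tenant_jit_provisioning: Optional[str] = None`. The docstring entry for `allowed_oauth_tenants` also keeps the request wording "If this field is not passed in"; on a response model it should say what a `None` value means. The class body continues outside the hunk.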
2 changes: 1 addition & 1 deletion stytch/version.py
@@ -1 +1 @@
__version__ = "11.3.0"
__version__ = "11.4.0"
