feat: add passkey authentication methods, ephemeral session support, and improved error handling (#1342)

Author: amitsingh05667

.fern/replay.lock

@@ -48,4 +48,7 @@ eslint.config.mjs
 
 .prettierignore
 CONTRIBUTING.md
-.fern/
+.fern/
+.fern/replay.lock
+.fern/replay.yml
+.gitattributes

.fernignore

@@ -0,0 +1 @@
+.fern/replay.lock linguist-generated=true

.gitattributes

@@ -1312,6 +1312,8 @@ export interface RevokeRefreshTokensRequestContent {
     user_id?: string;
     /** Revoke all refresh tokens for this client. */
     client_id?: string;
+    /** Resource server identifier (audience) to scope the revocation. Must be used with both `user_id` and `client_id`. */
+    audience?: string;
 }
 
 /**
@@ -1366,6 +1368,8 @@ export interface CreateResourceServerRequestContent {
     allow_offline_access?: boolean;
     /** Whether Online Refresh Tokens can be issued for this API (true) or not (false). */
     allow_online_access?: boolean;
+    /** Whether Online Refresh Tokens can be issued even when sessions are configured as ephemeral (true) or not (false). */
+    allow_online_access_with_ephemeral_sessions?: boolean;
     /** Expiration value (in seconds) for access tokens issued for this API from the token endpoint. */
     token_lifetime?: number;
     token_dialect?: Management.ResourceServerTokenDialectSchemaEnum;
@@ -1410,6 +1414,8 @@ export interface UpdateResourceServerRequestContent {
     allow_offline_access?: boolean;
     /** Whether Online Refresh Tokens can be issued for this API (true) or not (false). */
     allow_online_access?: boolean;
+    /** Whether Online Refresh Tokens can be issued even when sessions are configured as ephemeral (true) or not (false). */
+    allow_online_access_with_ephemeral_sessions?: boolean;
     /** Expiration value (in seconds) for access tokens issued for this API from the token endpoint. */
     token_lifetime?: number;
     token_dialect?: Management.ResourceServerTokenDialectSchemaEnum;
@@ -1665,7 +1671,7 @@ export interface VerifyEmailTicketRequestContent {
  *     {}
  */
 export interface ChangePasswordTicketRequestContent {
-    /** URL the user will be redirected to in the classic Universal Login experience once the ticket is used. Cannot be specified when using client_id or organization_id. */
+    /** URL the user will be redirected to in the classic Universal Login experience once the ticket is used. Cannot be specified when using organization_id. May be specified together with client_id when the tenant has a custom password reset page enabled and a password-reset-post-challenge Action bound. */
     result_url?: string;
     /** user_id of for whom the ticket should be created. */
     user_id?: string;
@@ -3747,12 +3753,25 @@ export interface CreateUserAuthenticationMethodRequestContent {
     /** Applies to email authentication methods only. The email address used to send verification messages. */
     email?: string;
     preferred_authentication_method?: Management.PreferredAuthenticationMethodEnum;
-    /** Applies to webauthn authentication methods only. The id of the credential. */
+    /** Applies to webauthn/passkey authentication methods only. The id of the credential. */
     key_id?: string;
-    /** Applies to webauthn authentication methods only. The public key, which is encoded as base64. */
+    /** Applies to webauthn/passkey authentication methods only. The public key, which is encoded as base64. */
     public_key?: string;
+    /** Applies to passkeys only. Authenticator Attestation Globally Unique Identifier */
+    aaguid?: string;
     /** Applies to webauthn authentication methods only. The relying party identifier. */
     relying_party_identifier?: string;
+    credential_device_type?: Management.CredentialDeviceTypeEnum;
+    /** Applies to passkeys only. Whether the credential was backed up. */
+    credential_backed_up?: boolean;
+    /** Applies to passkeys only. The ID of the user identity linked with the authentication method. */
+    identity_user_id?: string;
+    /** Applies to passkeys only. The user-agent of the browser used to create the passkey. */
+    user_agent?: string;
+    /** Applies to passkeys only. The user handle of the user identity. */
+    user_handle?: string;
+    /** Applies to passkeys only. The transports used by clients to communicate with the authenticator. */
+    transports?: string[];
 }
 
 /**

src/management/api/requests/requests.ts

@@ -31,8 +31,10 @@ export class RolesClient {
      * @param {Management.ListUserRolesRequestParameters} request
      * @param {RolesClient.RequestOptions} requestOptions - Request-specific configuration.
      *
+     * @throws {@link Management.BadRequestError}
      * @throws {@link Management.UnauthorizedError}
      * @throws {@link Management.ForbiddenError}
+     * @throws {@link Management.NotFoundError}
      * @throws {@link Management.TooManyRequestsError}
      *
      * @example
@@ -91,13 +93,20 @@ export class RolesClient {
                 }
                 if (_response.error.reason === "status-code") {
                     switch (_response.error.statusCode) {
+                        case 400:
+                            throw new Management.BadRequestError(
+                                _response.error.body as unknown,
+                                _response.rawResponse,
+                            );
                         case 401:
                             throw new Management.UnauthorizedError(
                                 _response.error.body as unknown,
                                 _response.rawResponse,
                             );
                         case 403:
                             throw new Management.ForbiddenError(_response.error.body as unknown, _response.rawResponse);
+                        case 404:
+                            throw new Management.NotFoundError(_response.error.body as unknown, _response.rawResponse);
                         case 429:
                             throw new Management.TooManyRequestsError(
                                 _response.error.body as unknown,

src/management/api/resources/users/resources/roles/client/Client.ts

@@ -1425,6 +1425,22 @@ export const AuthenticationTypeEnum = {
 } as const;
 export type AuthenticationTypeEnum = (typeof AuthenticationTypeEnum)[keyof typeof AuthenticationTypeEnum];
 
+/**
+ * Bad Request
+ */
+export interface BadRequestSchema {
+    message: string;
+    statusCode: string;
+    error: BadRequestSchema.Error_;
+}
+
+export namespace BadRequestSchema {
+    export const Error_ = {
+        BadRequest: "Bad Request",
+    } as const;
+    export type Error_ = (typeof Error_)[keyof typeof Error_];
+}
+
 /**
  * List of IP addresses or CIDR blocks to allowlist
  */
@@ -6121,7 +6137,7 @@ export type ConnectionRequireRequestUriRegistration = boolean;
 export type ConnectionRequiresUsername = boolean;
 
 export interface ConnectionResponseCommon extends Management.CreateConnectionCommon {
-    id?: Management.ConnectionId | undefined;
+    id: Management.ConnectionId;
     realms?: Management.ConnectionRealms | undefined;
 }
 
@@ -7846,7 +7862,7 @@ export interface CreateClientResponseContent {
 }
 
 export interface CreateConnectionCommon {
-    name?: Management.ConnectionName | undefined;
+    name: Management.ConnectionName;
     /** Use of this property is NOT RECOMMENDED. Use the PATCH /v2/connections/{id}/clients endpoint to enable the connection for a set of clients. */
     enabled_clients?: string[] | undefined;
     display_name?: Management.ConnectionDisplayName | undefined;
@@ -9730,6 +9746,8 @@ export interface CreateResourceServerResponseContent {
     allow_offline_access?: boolean | undefined;
     /** Whether Online Refresh Tokens can be issued for this API (true) or not (false). */
     allow_online_access?: boolean | undefined;
+    /** Whether Online Refresh Tokens can be issued even when sessions are configured as ephemeral (true) or not (false). */
+    allow_online_access_with_ephemeral_sessions?: boolean | undefined;
     /** Whether to skip user consent for applications flagged as first party (true) or not (false). */
     skip_consent_for_verifiable_first_party_clients?: boolean | undefined;
     /** Expiration value (in seconds) for access tokens issued for this API from the token endpoint. */
@@ -9892,6 +9910,17 @@ export interface CreateUserAuthenticationMethodResponseContent {
     aaguid?: string | undefined;
     /** Applies to webauthn authenticators only. The relying party identifier. */
     relying_party_identifier?: string | undefined;
+    credential_device_type?: Management.CredentialDeviceTypeEnum | undefined;
+    /** Applies to passkeys only. Whether the credential was backed up. */
+    credential_backed_up?: boolean | undefined;
+    /** Applies to passkeys only. The ID of the user identity linked with the authentication method. */
+    identity_user_id?: string | undefined;
+    /** Applies to passkeys only. The user-agent of the browser used to create the passkey. */
+    user_agent?: string | undefined;
+    /** Applies to passkeys only. The user handle of the user identity. */
+    user_handle?: string | undefined;
+    /** Applies to passkeys only. The transports used by clients to communicate with the authenticator. */
+    transports?: string[] | undefined;
     /** Authentication method creation date */
     created_at?: string | undefined;
 }
@@ -9992,6 +10021,13 @@ export const CreatedUserAuthenticationMethodTypeEnum = {
 export type CreatedUserAuthenticationMethodTypeEnum =
     (typeof CreatedUserAuthenticationMethodTypeEnum)[keyof typeof CreatedUserAuthenticationMethodTypeEnum];
 
+/** Applies to passkeys only. The kind of device the credential is stored on as defined by backup eligibility. "single_device" credentials cannot be backed up and synced to another device, "multi_device" credentials can be backed up if enabled by the end-user. */
+export const CredentialDeviceTypeEnum = {
+    SingleDevice: "single_device",
+    MultiDevice: "multi_device",
+} as const;
+export type CredentialDeviceTypeEnum = (typeof CredentialDeviceTypeEnum)[keyof typeof CredentialDeviceTypeEnum];
+
 export interface CredentialId {
     /** Credential ID */
     id: string;
@@ -17201,6 +17237,22 @@ export interface FlowsVaultConnectionSummary {
     fingerprint: string;
 }
 
+/**
+ * Forbidden
+ */
+export interface ForbiddenSchema {
+    message: string;
+    statusCode: string;
+    error: ForbiddenSchema.Error_;
+}
+
+export namespace ForbiddenSchema {
+    export const Error_ = {
+        Forbidden: "Forbidden",
+    } as const;
+    export type Error_ = (typeof Error_)[keyof typeof Error_];
+}
+
 export type FormBlock =
     | Management.FormBlockDivider
     | Management.FormBlockHtml
@@ -19344,6 +19396,8 @@ export interface GetResourceServerResponseContent {
     allow_offline_access?: boolean | undefined;
     /** Whether Online Refresh Tokens can be issued for this API (true) or not (false). */
     allow_online_access?: boolean | undefined;
+    /** Whether Online Refresh Tokens can be issued even when sessions are configured as ephemeral (true) or not (false). */
+    allow_online_access_with_ephemeral_sessions?: boolean | undefined;
     /** Whether to skip user consent for applications flagged as first party (true) or not (false). */
     skip_consent_for_verifiable_first_party_clients?: boolean | undefined;
     /** Expiration value (in seconds) for access tokens issued for this API from the token endpoint. */
@@ -19669,6 +19723,10 @@ export interface GetUserAuthenticationMethodResponseContent {
     identity_user_id?: string | undefined;
     /** Applies to passkeys only. The user-agent of the browser used to create the passkey. */
     user_agent?: string | undefined;
+    /** Applies to passkeys only. The user handle of the user identity. */
+    user_handle?: string | undefined;
+    /** Applies to passkeys only. The transports used by clients to communicate with the authenticator. */
+    transports?: string[] | undefined;
     /** Applies to passkey authentication methods only. Authenticator Attestation Globally Unique Identifier. */
     aaguid?: string | undefined;
     /** Applies to webauthn/passkey authentication methods only. The credential's relying party identifier. */
@@ -22100,6 +22158,8 @@ export interface ResourceServer {
     allow_offline_access?: boolean | undefined;
     /** Whether Online Refresh Tokens can be issued for this API (true) or not (false). */
     allow_online_access?: boolean | undefined;
+    /** Whether Online Refresh Tokens can be issued even when sessions are configured as ephemeral (true) or not (false). */
+    allow_online_access_with_ephemeral_sessions?: boolean | undefined;
     /** Whether to skip user consent for applications flagged as first party (true) or not (false). */
     skip_consent_for_verifiable_first_party_clients?: boolean | undefined;
     /** Expiration value (in seconds) for access tokens issued for this API from the token endpoint. */
@@ -23679,6 +23739,22 @@ export interface TokenQuotaConfiguration {
     [key: string]: any;
 }
 
+/**
+ * Too Many Requests
+ */
+export interface TooManyRequestsSchema {
+    message: string;
+    statusCode: string;
+    error: TooManyRequestsSchema.Error_;
+}
+
+export namespace TooManyRequestsSchema {
+    export const Error_ = {
+        TooManyRequests: "Too Many Requests",
+    } as const;
+    export type Error_ = (typeof Error_)[keyof typeof Error_];
+}
+
 export interface TwilioProviderConfiguration {
     default_from?: string | undefined;
     mssid?: string | undefined;
@@ -23697,6 +23773,22 @@ export const TwilioProviderDeliveryMethodEnum = {
 export type TwilioProviderDeliveryMethodEnum =
     (typeof TwilioProviderDeliveryMethodEnum)[keyof typeof TwilioProviderDeliveryMethodEnum];
 
+/**
+ * Unauthorized
+ */
+export interface UnauthorizedSchema {
+    message: string;
+    statusCode: string;
+    error: UnauthorizedSchema.Error_;
+}
+
+export namespace UnauthorizedSchema {
+    export const Error_ = {
+        Unauthorized: "Unauthorized",
+    } as const;
+    export type Error_ = (typeof Error_)[keyof typeof Error_];
+}
+
 /** Which login experience to use. Can be `new` or `classic`. */
 export const UniversalLoginExperienceEnum = {
     New: "new",
@@ -24940,6 +25032,8 @@ export interface UpdateResourceServerResponseContent {
     allow_offline_access?: boolean | undefined;
     /** Whether Online Refresh Tokens can be issued for this API (true) or not (false). */
     allow_online_access?: boolean | undefined;
+    /** Whether Online Refresh Tokens can be issued even when sessions are configured as ephemeral (true) or not (false). */
+    allow_online_access_with_ephemeral_sessions?: boolean | undefined;
     /** Whether to skip user consent for applications flagged as first party (true) or not (false). */
     skip_consent_for_verifiable_first_party_clients?: boolean | undefined;
     /** Expiration value (in seconds) for access tokens issued for this API from the token endpoint. */
@@ -25448,6 +25542,10 @@ export interface UserAuthenticationMethod {
     identity_user_id?: string | undefined;
     /** Applies to passkeys only. The user-agent of the browser used to create the passkey. */
     user_agent?: string | undefined;
+    /** Applies to passkeys only. The user handle of the user identity. */
+    user_handle?: string | undefined;
+    /** Applies to passkeys only. The transports used by clients to communicate with the authenticator. */
+    transports?: string[] | undefined;
     /** Applies to passkey authentication methods only. Authenticator Attestation Globally Unique Identifier. */
     aaguid?: string | undefined;
     /** Applies to webauthn/passkey authentication methods only. The credential's relying party identifier. */

src/management/api/types/types.ts

@@ -24,6 +24,7 @@ describe("ResourceServersClient", () => {
                     signing_secret: "signing_secret",
                     allow_offline_access: true,
                     allow_online_access: true,
+                    allow_online_access_with_ephemeral_sessions: true,
                     skip_consent_for_verifiable_first_party_clients: true,
                     token_lifetime: 1,
                     token_lifetime_for_web: 1,
@@ -154,6 +155,7 @@ describe("ResourceServersClient", () => {
             signing_secret: "signing_secret",
             allow_offline_access: true,
             allow_online_access: true,
+            allow_online_access_with_ephemeral_sessions: true,
             skip_consent_for_verifiable_first_party_clients: true,
             token_lifetime: 1,
             token_lifetime_for_web: 1,
@@ -310,6 +312,7 @@ describe("ResourceServersClient", () => {
             signing_secret: "signing_secret",
             allow_offline_access: true,
             allow_online_access: true,
+            allow_online_access_with_ephemeral_sessions: true,
             skip_consent_for_verifiable_first_party_clients: true,
             token_lifetime: 1,
             token_lifetime_for_web: 1,
@@ -536,6 +539,7 @@ describe("ResourceServersClient", () => {
             signing_secret: "signing_secret",
             allow_offline_access: true,
             allow_online_access: true,
+            allow_online_access_with_ephemeral_sessions: true,
             skip_consent_for_verifiable_first_party_clients: true,
             token_lifetime: 1,
             token_lifetime_for_web: 1,

src/management/tests/wire/resourceServers.test.ts

@@ -33,6 +33,8 @@ describe("AuthenticationMethodsClient", () => {
                     credential_backed_up: true,
                     identity_user_id: "identity_user_id",
                     user_agent: "user_agent",
+                    user_handle: "user_handle",
+                    transports: ["transports"],
                     aaguid: "aaguid",
                     relying_party_identifier: "relying_party_identifier",
                 },
@@ -172,6 +174,12 @@ describe("AuthenticationMethodsClient", () => {
             public_key: "public_key",
             aaguid: "aaguid",
             relying_party_identifier: "relying_party_identifier",
+            credential_device_type: "single_device",
+            credential_backed_up: true,
+            identity_user_id: "identity_user_id",
+            user_agent: "user_agent",
+            user_handle: "user_handle",
+            transports: ["transports"],
             created_at: "2024-01-15T09:30:00Z",
         };
 
@@ -605,6 +613,8 @@ describe("AuthenticationMethodsClient", () => {
             credential_backed_up: true,
             identity_user_id: "identity_user_id",
             user_agent: "user_agent",
+            user_handle: "user_handle",
+            transports: ["transports"],
             aaguid: "aaguid",
             relying_party_identifier: "relying_party_identifier",
         };