feat(backend): add enterpriseAccounts to User resource (#8181)

Author: iagodahlem

.changeset/wild-badgers-kiss.md

@@ -0,0 +1,5 @@
+---
+'@clerk/backend': patch
+---
+
+Add EnterpriseAccount and EnterpriseAccountConnection classes to @clerk/backend, restoring enterprise SSO account data on the User object that was lost when samlAccounts was removed in v3.

packages/backend/src/api/__tests__/factory.test.ts

@@ -29,6 +29,9 @@ describe('api.client', () => {
     expect(response.emailAddresses[0].emailAddress).toBe('john.doe@clerk.test');
     expect(response.phoneNumbers[0].phoneNumber).toBe('+311-555-2368');
     expect(response.externalAccounts[0].emailAddress).toBe('john.doe@clerk.test');
+    expect(response.enterpriseAccounts[0].emailAddress).toBe('john.doe@clerk.test');
+    expect(response.enterpriseAccounts[0].provider).toBe('saml_okta');
+    expect(response.enterpriseAccounts[0].enterpriseConnection?.name).toBe('Okta SSO');
     expect(response.publicMetadata.zodiac_sign).toBe('leo');
   });
 

packages/backend/src/api/resources/Deserializer.ts

@@ -10,6 +10,7 @@ import {
   Domain,
   Email,
   EmailAddress,
+  EnterpriseAccount,
   EnterpriseConnection,
   IdPOAuthAccessToken,
   Instance,
@@ -154,6 +155,8 @@ function jsonToObject(item: any): any {
       return Domain.fromJSON(item);
     case ObjectType.EmailAddress:
       return EmailAddress.fromJSON(item);
+    case ObjectType.EnterpriseAccount:
+      return EnterpriseAccount.fromJSON(item);
     case ObjectType.Email:
       return Email.fromJSON(item);
     case ObjectType.IdpOAuthAccessToken:

packages/backend/src/api/resources/EnterpriseAccount.ts

@@ -0,0 +1,158 @@
+import type { EnterpriseAccountConnectionJSON, EnterpriseAccountJSON } from './JSON';
+import { Verification } from './Verification';
+
+/**
+ * Represents an enterprise SSO connection associated with an enterprise account.
+ */
+export class EnterpriseAccountConnection {
+  constructor(
+    /**
+     * The unique identifier for this enterprise connection.
+     */
+    readonly id: string,
+    /**
+     * Whether the connection is currently active.
+     */
+    readonly active: boolean,
+    /**
+     * Whether IdP-initiated SSO is allowed.
+     */
+    readonly allowIdpInitiated: boolean,
+    /**
+     * Whether subdomains are allowed for this connection.
+     */
+    readonly allowSubdomains: boolean,
+    /**
+     * Whether additional identifications are disabled for users authenticating via this connection.
+     */
+    readonly disableAdditionalIdentifications: boolean,
+    /**
+     * The domain associated with this connection.
+     */
+    readonly domain: string,
+    /**
+     * The public URL of the connection's logo, if available.
+     */
+    readonly logoPublicUrl: string | null,
+    /**
+     * The name of the enterprise connection.
+     */
+    readonly name: string,
+    /**
+     * The SSO protocol used (e.g., `saml` or `oauth`).
+     */
+    readonly protocol: string,
+    /**
+     * The SSO provider (e.g., `saml_custom`, `saml_okta`).
+     */
+    readonly provider: string,
+    /**
+     * Whether user attributes are synced from the IdP.
+     */
+    readonly syncUserAttributes: boolean,
+    /**
+     * The date when this connection was created.
+     */
+    readonly createdAt: number,
+    /**
+     * The date when this connection was last updated.
+     */
+    readonly updatedAt: number,
+  ) {}
+
+  static fromJSON(data: EnterpriseAccountConnectionJSON): EnterpriseAccountConnection {
+    return new EnterpriseAccountConnection(
+      data.id,
+      data.active,
+      data.allow_idp_initiated,
+      data.allow_subdomains,
+      data.disable_additional_identifications,
+      data.domain,
+      data.logo_public_url,
+      data.name,
+      data.protocol,
+      data.provider,
+      data.sync_user_attributes,
+      data.created_at,
+      data.updated_at,
+    );
+  }
+}
+
+/**
+ * The Backend `EnterpriseAccount` object represents an identification obtained via enterprise SSO (SAML or OIDC).
+ */
+export class EnterpriseAccount {
+  constructor(
+    /**
+     * The unique identifier for this enterprise account.
+     */
+    readonly id: string,
+    /**
+     * Whether this enterprise account is currently active.
+     */
+    readonly active: boolean,
+    /**
+     * The email address associated with this enterprise account.
+     */
+    readonly emailAddress: string,
+    /**
+     * The enterprise connection through which this account was authenticated.
+     */
+    readonly enterpriseConnection: EnterpriseAccountConnection | null,
+    /**
+     * The user's first name as provided by the IdP.
+     */
+    readonly firstName: string | null,
+    /**
+     * The user's last name as provided by the IdP.
+     */
+    readonly lastName: string | null,
+    /**
+     * The SSO protocol used (e.g., `saml` or `oauth`).
+     */
+    readonly protocol: string,
+    /**
+     * The SSO provider (e.g., `saml_custom`, `saml_okta`).
+     */
+    readonly provider: string,
+    /**
+     * The unique ID of the user in the provider.
+     */
+    readonly providerUserId: string | null,
+    /**
+     * Metadata that can be read from the Frontend API and Backend API and can be set only from the Backend API.
+     */
+    readonly publicMetadata: Record<string, unknown>,
+    /**
+     * An object holding information on the verification of this enterprise account.
+     */
+    readonly verification: Verification | null,
+    /**
+     * The date when the user last authenticated via this enterprise account.
+     */
+    readonly lastAuthenticatedAt: number | null,
+    /**
+     * The ID of the enterprise connection associated with this account.
+     */
+    readonly enterpriseConnectionId: string | null,
+  ) {}
+
+  static fromJSON(data: EnterpriseAccountJSON): EnterpriseAccount {
+    return new EnterpriseAccount(
+      data.id,
+      data.active,
+      data.email_address,
+      data.enterprise_connection && EnterpriseAccountConnection.fromJSON(data.enterprise_connection),
+      data.first_name,
+      data.last_name,
+      data.protocol,
+      data.provider,
+      data.provider_user_id,
+      data.public_metadata,
+      data.verification && Verification.fromJSON(data.verification),
+      data.last_authenticated_at,
+      data.enterprise_connection_id,
+    );
+  }
+}

packages/backend/src/api/resources/JSON.ts

@@ -27,6 +27,7 @@ export const ObjectType = {
   Cookies: 'cookies',
   Domain: 'domain',
   Email: 'email',
+  EnterpriseAccount: 'enterprise_account',
   EnterpriseConnection: 'enterprise_connection',
   EmailAddress: 'email_address',
   ExternalAccount: 'external_account',
@@ -194,6 +195,37 @@ export interface EmailAddressJSON extends ClerkResourceJSON {
   linked_to: IdentificationLinkJSON[];
 }
 
+export interface EnterpriseAccountConnectionJSON extends ClerkResourceJSON {
+  active: boolean;
+  allow_idp_initiated: boolean;
+  allow_subdomains: boolean;
+  disable_additional_identifications: boolean;
+  domain: string;
+  logo_public_url: string | null;
+  name: string;
+  protocol: string;
+  provider: string;
+  sync_user_attributes: boolean;
+  created_at: number;
+  updated_at: number;
+}
+
+export interface EnterpriseAccountJSON extends ClerkResourceJSON {
+  object: typeof ObjectType.EnterpriseAccount;
+  active: boolean;
+  email_address: string;
+  enterprise_connection: EnterpriseAccountConnectionJSON | null;
+  first_name: string | null;
+  last_name: string | null;
+  protocol: string;
+  provider: string;
+  provider_user_id: string | null;
+  public_metadata: Record<string, unknown>;
+  verification: VerificationJSON | null;
+  last_authenticated_at: number | null;
+  enterprise_connection_id: string | null;
+}
+
 export interface ExternalAccountJSON extends ClerkResourceJSON {
   object: typeof ObjectType.ExternalAccount;
   provider: string;
@@ -596,6 +628,7 @@ export interface UserJSON extends ClerkResourceJSON {
   web3_wallets: Web3WalletJSON[];
   organization_memberships: OrganizationMembershipJSON[] | null;
   external_accounts: ExternalAccountJSON[];
+  enterprise_accounts: EnterpriseAccountJSON[];
   password_last_updated_at: number | null;
   public_metadata: UserPublicMetadata;
   private_metadata: UserPrivateMetadata;

packages/backend/src/api/resources/User.ts

@@ -1,6 +1,7 @@
 import { EmailAddress } from './EmailAddress';
+import { EnterpriseAccount } from './EnterpriseAccount';
 import { ExternalAccount } from './ExternalAccount';
-import type { ExternalAccountJSON, UserJSON } from './JSON';
+import type { EnterpriseAccountJSON, ExternalAccountJSON, UserJSON } from './JSON';
 import { PhoneNumber } from './PhoneNumber';
 import { Web3Wallet } from './Web3Wallet';
 
@@ -119,6 +120,10 @@ export class User {
      * An array of all the `ExternalAccount` objects associated with the user via OAuth. **Note**: This includes both verified & unverified external accounts.
      */
     readonly externalAccounts: ExternalAccount[] = [],
+    /**
+     * An array of all the `EnterpriseAccount` objects associated with the user via enterprise SSO.
+     */
+    readonly enterpriseAccounts: EnterpriseAccount[] = [],
     /**
      * Date when the user was last active.
      */
@@ -174,6 +179,7 @@ export class User {
       (data.phone_numbers || []).map(x => PhoneNumber.fromJSON(x)),
       (data.web3_wallets || []).map(x => Web3Wallet.fromJSON(x)),
       (data.external_accounts || []).map((x: ExternalAccountJSON) => ExternalAccount.fromJSON(x)),
+      (data.enterprise_accounts || []).map((x: EnterpriseAccountJSON) => EnterpriseAccount.fromJSON(x)),
       data.last_active_at,
       data.create_organization_enabled,
       data.create_organizations_limit,

packages/backend/src/api/resources/index.ts

@@ -26,6 +26,7 @@ export type { SignUpStatus } from '@clerk/shared/types';
 export * from './CommercePlan';
 export * from './CommerceSubscription';
 export * from './CommerceSubscriptionItem';
+export * from './EnterpriseAccount';
 export * from './EnterpriseConnection';
 export * from './ExternalAccount';
 export * from './Feature';

packages/backend/src/fixtures/user.json

@@ -91,6 +91,44 @@
       "updated_at": 1611948436
     }
   ],
+  "enterprise_accounts": [
+    {
+      "object": "enterprise_account",
+      "id": "ea_okta",
+      "active": true,
+      "email_address": "john.doe@clerk.test",
+      "first_name": "John",
+      "last_name": "Doe",
+      "protocol": "saml",
+      "provider": "saml_okta",
+      "provider_user_id": "okta_user_123",
+      "public_metadata": {},
+      "verification": {
+        "status": "verified",
+        "strategy": "saml",
+        "attempts": null,
+        "expire_at": 1613831855
+      },
+      "last_authenticated_at": 1611948436,
+      "enterprise_connection_id": "ent_conn_okta",
+      "enterprise_connection": {
+        "id": "ent_conn_okta",
+        "object": "enterprise_account_connection",
+        "active": true,
+        "allow_idp_initiated": false,
+        "allow_subdomains": false,
+        "disable_additional_identifications": false,
+        "domain": "clerk.test",
+        "logo_public_url": null,
+        "name": "Okta SSO",
+        "protocol": "saml",
+        "provider": "saml_okta",
+        "sync_user_attributes": true,
+        "created_at": 1611948436,
+        "updated_at": 1611948436
+      }
+    }
+  ],
   "saml_accounts": [
     {
       "object": "saml_account",