diff --git a/packages/schemas/alterations/next-1728357690-add-sso-connector-idp-initated-auth-configs-table.ts b/packages/schemas/alterations/next-1728357690-add-sso-connector-idp-initated-auth-configs-table.ts
new file mode 100644
index 000000000..222b89426
--- /dev/null
+++ b/packages/schemas/alterations/next-1728357690-add-sso-connector-idp-initated-auth-configs-table.ts
@@ -0,0 +1,40 @@
+import { sql } from '@silverhand/slonik';
+
+import type { AlterationScript } from '../lib/types/alteration.js';
+
+import { applyTableRls, dropTableRls } from './utils/1704934999-tables.js';
+
+const alteration: AlterationScript = {
+ up: async (pool) => {
+ await pool.query(sql`
+ create table sso_connector_idp_initiated_auth_configs (
+ tenant_id varchar(21) not null
+ references tenants (id) on update cascade on delete cascade,
+ /** The globally unique identifier of the SSO connector. */
+ connector_id varchar(128) not null
+ references sso_connectors (id) on update cascade on delete cascade,
+ /** The default Logto application id. */
+ default_application_id varchar(21) not null
+ references applications (id) on update cascade on delete cascade,
+ /** OIDC sign-in redirect URI. */
+ redirect_uri text,
+ /** Additional OIDC auth parameters. */
+ auth_parameters jsonb /* @use IdpInitiatedAuthParams */ not null default '{}'::jsonb,
+ created_at timestamptz not null default(now()),
+ primary key (tenant_id, connector_id),
+ /** Insure the application type is Traditional. */
+ constraint application_type
+ check (check_application_type(default_application_id, 'Traditional'))
+ );
+ `);
+ await applyTableRls(pool, 'sso_connector_idp_initiated_auth_configs');
+ },
+ down: async (pool) => {
+ await dropTableRls(pool, 'sso_connector_idp_initiated_auth_configs');
+ await pool.query(sql`
+ drop table sso_connector_idp_initiated_auth_configs;
+ `);
+ },
+};
+
+export default alteration;
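Review bot: `redirect_uri text` in the new table is nullable and otherwise unconstrained, yet per its own comment it is the URI the user is sent to after an IdP-initiated sign-in; the schema cannot tie it to `default_application_id`, so the write path that populates this row needs to validate the value against that application's registered redirect URIs (that code is outside this diff, so I cannot confirm it does). A comment recording the contract would help the next reader, e.g. `/** OIDC sign-in redirect URI. Must be one of the default application's registered redirect URIs; validated in the API layer, not by the schema. */`. This hunk and the new `packages/schemas/tables/sso_connector_idp_initiated_auth_configs.sql` share the typo `Insure` → `Ensure` in the constraint comment, and the alteration file name spells `idp-initated` while the table name is `idp_initiated`.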
diff --git a/packages/schemas/src/foundations/jsonb-types/sso-connector.ts b/packages/schemas/src/foundations/jsonb-types/sso-connector.ts
index f0839aabb..64207b33a 100644
--- a/packages/schemas/src/foundations/jsonb-types/sso-connector.ts
+++ b/packages/schemas/src/foundations/jsonb-types/sso-connector.ts
@@ -10,4 +10,13 @@ export const ssoBrandingGuard = z.object({
 darkLogo: z.string().optional(),
 });
 
+export const idpInitiatedAuthParamsGuard = z
+ .object({
+ resources: z.array(z.string()).optional(),
+ scopes: z.array(z.string()).optional(),
+ })
+ .catchall(z.string());
+
+export type IdpInitiatedAuthParams = z.infer;
+
 export type SsoBranding = z.infer;
diff --git a/packages/schemas/tables/sso_connector_idp_initiated_auth_configs.sql b/packages/schemas/tables/sso_connector_idp_initiated_auth_configs.sql
new file mode 100644
index 000000000..2298fc35e
--- /dev/null
+++ b/packages/schemas/tables/sso_connector_idp_initiated_auth_configs.sql
@@ -0,0 +1,20 @@
+/** init_order = 2 */
+create table sso_connector_idp_initiated_auth_configs (
+ tenant_id varchar(21) not null
+ references tenants (id) on update cascade on delete cascade,
+ /** The globally unique identifier of the SSO connector. */
+ connector_id varchar(128) not null
+ references sso_connectors (id) on update cascade on delete cascade,
+ /** The default Logto application id. */
+ default_application_id varchar(21) not null
+ references applications (id) on update cascade on delete cascade,
+ /** OIDC sign-in redirect URI. */
+ redirect_uri text,
+ /** Additional OIDC auth parameters. */
+ auth_parameters jsonb /* @use IdpInitiatedAuthParams */ not null default '{}'::jsonb,
+ created_at timestamptz not null default(now()),
+ primary key (tenant_id, connector_id),
+ /** Insure the application type is Traditional. */
+ constraint application_type
+ check (check_application_type(default_application_id, 'Traditional'))
+);
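Review bot: `.catchall(z.string())` on `idpInitiatedAuthParamsGuard` accepts any key, so a stored `auth_parameters` value could carry reserved authorization-request parameters (`client_id`, `redirect_uri`, `response_type`, `state`, `nonce`); whether that matters depends on how the consumer merges these into the request, which is outside this diff, so either the guard should reject those names or the consumer must apply its own values last. A refinement keeps the open-ended shape while closing that door: `.catchall(z.string()).refine((params) => !['client_id', 'redirect_uri', 'response_type', 'state', 'nonce'].some((key) => key in params), { message: 'Reserved OIDC parameter' })`. The `z.infer;` on the new `IdpInitiatedAuthParams` line (and the existing `SsoBranding` line) appears to have lost its type argument in this rendering; it presumably reads `z.infer<typeof idpInitiatedAuthParamsGuard>` in the file, so nothing to fix there unless the source really is bare.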