stytchauth · logan-stytch · Dec 13, 2023 · Dec 8, 2023 · Dec 8, 2023 · Dec 8, 2023
@@ -41,6 +41,7 @@ type API struct {
 	OTPs          *b2b.OTPsClient
 	Organizations *b2b.OrganizationsClient
 	Passwords     *b2b.PasswordsClient
+	RBAC          *b2b.RBACClient
 	SSO           *b2b.SSOClient
 	Sessions      *b2b.SessionsClient
 }
@@ -129,21 +130,24 @@ func NewClient(projectID string, secret string, opts ...Option) (*API, error) {
 		o(a)
 	}
 
+	policyCache := b2b.NewPolicyCache(b2b.NewRBACClient(a.client))
+
+	// Set up JWKS for local session authentication
+	jwks, err := a.instantiateJWKSClient(a.client.GetHTTPClient())
+	if err != nil {
+		return nil, fmt.Errorf("fetch JWKS from URL: %w", err)
+	}
+
 	a.Discovery = b2b.NewDiscoveryClient(a.client)
-	a.M2M = consumer.NewM2MClient(a.client)
+	a.M2M = consumer.NewM2MClient(a.client, jwks)
 	a.MagicLinks = b2b.NewMagicLinksClient(a.client)
 	a.OAuth = b2b.NewOAuthClient(a.client)
 	a.OTPs = b2b.NewOTPsClient(a.client)
 	a.Organizations = b2b.NewOrganizationsClient(a.client)
 	a.Passwords = b2b.NewPasswordsClient(a.client)
+	a.RBAC = b2b.NewRBACClient(a.client)
 	a.SSO = b2b.NewSSOClient(a.client)
-	a.Sessions = b2b.NewSessionsClient(a.client)
-	// Set up JWKS for local session authentication
-	jwks, err := a.instantiateJWKSClient(a.client.GetHTTPClient())
-	if err != nil {
-		return nil, fmt.Errorf("fetch JWKS from URL: %w", err)
-	}
-	a.M2M.JWKS = jwks
+	a.Sessions = b2b.NewSessionsClient(a.client, jwks, policyCache)
 
 	return a, nil
 }

@@ -18,7 +18,8 @@ type DiscoveryClient struct {
 
 func NewDiscoveryClient(c stytch.Client) *DiscoveryClient {
 	return &DiscoveryClient{
-		C:                    c,
+		C: c,
+
 		IntermediateSessions: NewDiscoveryIntermediateSessionsClient(c),
 		Organizations:        NewDiscoveryOrganizationsClient(c),
 	}

@@ -87,12 +87,12 @@ type CreateParams struct {
 	// [common email domains resource](https://stytch.com/docs/b2b/api/common-email-domains) for the full list.
 	EmailAllowedDomains []string `json:"email_allowed_domains,omitempty"`
 	// EmailJITProvisioning: The authentication setting that controls how a new Member can be provisioned by
-	// authenticating via Email Magic Link. The accepted values are:
+	// authenticating via Email Magic Link or OAuth. The accepted values are:
 	//
 	//   `RESTRICTED` – only new Members with verified emails that comply with `email_allowed_domains` can be
-	// provisioned upon authentication via Email Magic Link.
+	// provisioned upon authentication via Email Magic Link or OAuth.
 	//
-	//   `NOT_ALLOWED` – disable JIT provisioning via Email Magic Link.
+	//   `NOT_ALLOWED` – disable JIT provisioning via Email Magic Link and OAuth.
 	//
 	EmailJITProvisioning string `json:"email_jit_provisioning,omitempty"`
 	// EmailInvites: The authentication setting that controls how a new Member can be invited to an
@@ -115,22 +115,29 @@ type CreateParams struct {
 	// This setting does not apply to Members with `is_breakglass` set to `true`.
 	//
 	AuthMethods string `json:"auth_methods,omitempty"`
-	// AllowedAuthMethods:
-	//   An array of allowed authentication methods. This list is enforced when `auth_methods` is set to
-	// `RESTRICTED`.
+	// AllowedAuthMethods: An array of allowed authentication methods. This list is enforced when
+	// `auth_methods` is set to `RESTRICTED`.
 	//   The list's accepted values are: `sso`, `magic_link`, `password`, `google_oauth`, and `microsoft_oauth`.
 	//
 	AllowedAuthMethods []string `json:"allowed_auth_methods,omitempty"`
 	// MFAPolicy: The setting that controls the MFA policy for all Members in the Organization. The accepted
 	// values are:
 	//
 	//   `REQUIRED_FOR_ALL` – All Members within the Organization will be required to complete MFA every time
-	// they wish to log in.
+	// they wish to log in. However, any active Session that existed prior to this setting change will remain
+	// valid.
 	//
 	//   `OPTIONAL` – The default value. The Organization does not require MFA by default for all Members.
 	// Members will be required to complete MFA only if their `mfa_enrolled` status is set to true.
 	//
 	MFAPolicy string `json:"mfa_policy,omitempty"`
+	// RBACEmailImplicitRoleAssignments: (Coming Soon) Implicit role assignments based off of email domains.
+	//   For each domain-Role pair, all Members whose email addresses have the specified email domain will be
+	// granted the
+	//   associated Role, regardless of their login method. See the
+	// [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)
+	//   for more information about role assignment.
+	RBACEmailImplicitRoleAssignments []*organizations.EmailImplicitRoleAssignment `json:"rbac_email_implicit_role_assignments,omitempty"`
 }
 
 // ListParams: Request type for `Organizations.List`.

@@ -56,6 +56,8 @@ func (c *DiscoveryIntermediateSessionsClient) Exchange(
 		}
 	}
 
+	headers := make(map[string][]string)
+
 	var retVal intermediatesessions.ExchangeResponse
 	err = c.C.NewRequest(
 		ctx,
@@ -64,6 +66,7 @@ func (c *DiscoveryIntermediateSessionsClient) Exchange(
 		nil,
 		jsonBody,
 		&retVal,
+		headers,
 	)
 	return &retVal, err
 }
@@ -25,14 +25,17 @@ func NewDiscoveryOrganizationsClient(c stytch.Client) *DiscoveryOrganizationsCli
 	}
 }
 
-// Create: If an end user does not want to join any already-existing organization, or has no possible
-// organizations to join, this endpoint can be used to create a new
+// Create: If an end user does not want to join any already-existing Organization, or has no possible
+// Organizations to join, this endpoint can be used to create a new
 // [Organization](https://stytch.com/docs/b2b/api/organization-object) and
 // [Member](https://stytch.com/docs/b2b/api/member-object).
 //
 // This operation consumes the Intermediate Session.
 //
-// This endpoint can also be used to start an initial session for the newly created member and organization.
+// This endpoint will also create an initial Member Session for the newly created Member.
+//
+// The Member created by this endpoint will automatically be granted the `stytch_admin` Role. See the
+// [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/stytch-defaults) for more details on this Role.
 //
 // If the new Organization is created with a `mfa_policy` of `REQUIRED_FOR_ALL`, the newly created Member
 // will need to complete an MFA step to log in to the Organization.
@@ -58,6 +61,8 @@ func (c *DiscoveryOrganizationsClient) Create(
 		}
 	}
 
+	headers := make(map[string][]string)
+
 	var retVal organizations.CreateResponse
 	err = c.C.NewRequest(
 		ctx,
@@ -66,6 +71,7 @@ func (c *DiscoveryOrganizationsClient) Create(
 		nil,
 		jsonBody,
 		&retVal,
+		headers,
 	)
 	return &retVal, err
 }
@@ -102,6 +108,8 @@ func (c *DiscoveryOrganizationsClient) List(
 		}
 	}
 
+	headers := make(map[string][]string)
+
 	var retVal organizations.ListResponse
 	err = c.C.NewRequest(
 		ctx,
@@ -110,6 +118,7 @@ func (c *DiscoveryOrganizationsClient) List(
 		nil,
 		jsonBody,
 		&retVal,
+		headers,
 	)
 	return &retVal, err
 }
@@ -25,7 +25,8 @@ type MagicLinksClient struct {
 
 func NewMagicLinksClient(c stytch.Client) *MagicLinksClient {
 	return &MagicLinksClient{
-		C:         c,
+		C: c,
+
 		Email:     NewMagicLinksEmailClient(c),
 		Discovery: NewMagicLinksDiscoveryClient(c),
 	}
@@ -63,6 +64,8 @@ func (c *MagicLinksClient) Authenticate(
 		}
 	}
 
+	headers := make(map[string][]string)
+
 	var retVal magiclinks.AuthenticateResponse
 	err = c.C.NewRequest(
 		ctx,
@@ -71,6 +74,7 @@ func (c *MagicLinksClient) Authenticate(
 		nil,
 		jsonBody,
 		&retVal,
+		headers,
 	)
 	return &retVal, err
 }
@@ -93,12 +97,15 @@ func (c *MagicLinksClient) AuthenticateWithClaims(
 		}
 	}
 
+	headers := make(map[string][]string)
+
 	b, err := c.C.RawRequest(
 		ctx,
 		"POST",
 		"/v1/b2b/magic_links/authenticate",
 		nil,
 		jsonBody,
+		headers,
 	)
 	if err != nil {
 		return nil, err

@@ -8,6 +8,7 @@ package email
 
 import (
 	"github.com/stytchauth/stytch-go/v11/stytch/b2b/organizations"
+	"github.com/stytchauth/stytch-go/v11/stytch/methodoptions"
 )
 
 // InviteParams: Request type for `Email.Invite`.
@@ -51,6 +52,10 @@ type InviteParams struct {
 	// [here](https://docs.google.com/forms/d/e/1FAIpQLScZSpAu_m2AmLXRT3F3kap-s_mcV6UTBitYn6CdyWP0-o7YjQ/viewform?usp=sf_link")!
 	//
 	Locale InviteRequestLocale `json:"locale,omitempty"`
+	// Roles: (Coming Soon) Roles to explicitly assign to this Member. See the
+	// [RBAC guide](https://stytch.com/docs/b2b/guides/rbac/role-assignment)
+	//    for more information about role assignment.
+	Roles []string `json:"roles,omitempty"`
 }
 
 // LoginOrSignupParams: Request type for `Email.LoginOrSignup`.
@@ -97,6 +102,19 @@ type LoginOrSignupParams struct {
 	Locale LoginOrSignupRequestLocale `json:"locale,omitempty"`
 }
 
+// InviteRequestOptions:
+type InviteRequestOptions struct {
+	// Authorization: Optional authorization object.
+	// Pass in an active Stytch Member session token or session JWT and the request
+	// will be run using that member's permissions.
+	Authorization methodoptions.Authorization `json:"authorization,omitempty"`
+}
+
+func (o *InviteRequestOptions) AddHeaders(headers map[string][]string) map[string][]string {
+	headers = o.Authorization.AddHeaders(headers)
+	return headers
+}
+
 // InviteResponse: Response type for `Email.Invite`.
 type InviteResponse struct {
 	// RequestID: Globally unique UUID that is returned with every API call. This value is important to log for

@@ -41,6 +41,8 @@ func (c *MagicLinksDiscoveryClient) Authenticate(
 		}
 	}
 
+	headers := make(map[string][]string)
+
 	var retVal discovery.AuthenticateResponse
 	err = c.C.NewRequest(
 		ctx,
@@ -49,6 +51,7 @@ func (c *MagicLinksDiscoveryClient) Authenticate(
 		nil,
 		jsonBody,
 		&retVal,
+		headers,
 	)
 	return &retVal, err
 }
@@ -22,7 +22,8 @@ type MagicLinksEmailClient struct {
 
 func NewMagicLinksEmailClient(c stytch.Client) *MagicLinksEmailClient {
 	return &MagicLinksEmailClient{
-		C:         c,
+		C: c,
+
 		Discovery: NewMagicLinksEmailDiscoveryClient(c),
 	}
 }
@@ -43,6 +44,8 @@ func (c *MagicLinksEmailClient) LoginOrSignup(
 		}
 	}
 
+	headers := make(map[string][]string)
+
 	var retVal email.LoginOrSignupResponse
 	err = c.C.NewRequest(
 		ctx,
@@ -51,16 +54,18 @@ func (c *MagicLinksEmailClient) LoginOrSignup(
 		nil,
 		jsonBody,
 		&retVal,
+		headers,
 	)
 	return &retVal, err
 }
 
 // Invite: Send an invite email to a new Member to join an Organization. The Member will be created with an
 // `invited` status until they successfully authenticate. Sending invites to `pending` Members will update
-// their status to `invited`. Sending invites to already `active` Members will return an error.
+// their status to `invited`. Sending invites to already `active` Members will return an error. /%}
 func (c *MagicLinksEmailClient) Invite(
 	ctx context.Context,
 	body *email.InviteParams,
+	methodOptions ...*email.InviteRequestOptions,
 ) (*email.InviteResponse, error) {
 	var jsonBody []byte
 	var err error
@@ -71,6 +76,11 @@ func (c *MagicLinksEmailClient) Invite(
 		}
 	}
 
+	headers := make(map[string][]string)
+	for _, methodOption := range methodOptions {
+		headers = methodOption.AddHeaders(headers)
+	}
+
 	var retVal email.InviteResponse
 	err = c.C.NewRequest(
 		ctx,
@@ -79,6 +89,7 @@ func (c *MagicLinksEmailClient) Invite(
 		nil,
 		jsonBody,
 		&retVal,
+		headers,
 	)
 	return &retVal, err
 }
@@ -39,6 +39,8 @@ func (c *MagicLinksEmailDiscoveryClient) Send(
 		}
 	}
 
+	headers := make(map[string][]string)
+
 	var retVal discovery.SendResponse
 	err = c.C.NewRequest(
 		ctx,
@@ -47,6 +49,7 @@ func (c *MagicLinksEmailDiscoveryClient) Send(
 		nil,
 		jsonBody,
 		&retVal,
+		headers,
 	)
 	return &retVal, err
 }