feat(api): add additional_scopes to organization SSO configuration

Author: stainless-app[bot]

.stats.yml

@@ -1,4 +1,4 @@
 configured_endpoints: 172
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/gitpod%2Fgitpod-4e76b45ac7aedb89d725b01fea9f009672c3f3b0117393178e034718095339a3.yml
-openapi_spec_hash: 11437695b49cfe5d28bef5d4ee65d696
-config_hash: 401f8a117c48e880889ed27a8403db29
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/gitpod%2Fgitpod-a6b5c6f4bd34c0b9cbb1321be432905e6120f4479ad2a53d35790f99c2e05b29.yml
+openapi_spec_hash: 83b243294469b6646f0c4659566b3f48
+config_hash: 73b8de7922813d562151d404149c768d

api.md

@@ -495,6 +495,7 @@ Types:
 
 ```python
 from gitpod.types.organizations import (
+    AdditionalScopesUpdate,
     ProviderType,
     SSOConfiguration,
     SSOConfigurationState,

src/gitpod/resources/organizations/sso_configurations.py

@@ -28,6 +28,7 @@
 )
 from ...types.organizations.sso_configuration import SSOConfiguration
 from ...types.organizations.sso_configuration_state import SSOConfigurationState
+from ...types.organizations.additional_scopes_update_param import AdditionalScopesUpdateParam
 from ...types.organizations.sso_configuration_create_response import SSOConfigurationCreateResponse
 from ...types.organizations.sso_configuration_retrieve_response import SSOConfigurationRetrieveResponse
 
@@ -61,6 +62,7 @@ def create(
         client_secret: str,
         issuer_url: str,
         organization_id: str,
+        additional_scopes: SequenceNotStr[str] | Omit = omit,
         display_name: str | Omit = omit,
         email_domain: Optional[str] | Omit = omit,
         email_domains: SequenceNotStr[str] | Omit = omit,
@@ -114,6 +116,10 @@ def create(
 
           issuer_url: issuer_url is the URL of the IdP issuer
 
+          additional_scopes: additional_scopes are extra OIDC scopes to request from the identity provider
+              during sign-in. These are appended to the default scopes (openid, email,
+              profile).
+
           email_domain: email_domain is the domain that is allowed to sign in to the organization
 
           extra_headers: Send extra headers
@@ -132,6 +138,7 @@ def create(
                     "client_secret": client_secret,
                     "issuer_url": issuer_url,
                     "organization_id": organization_id,
+                    "additional_scopes": additional_scopes,
                     "display_name": display_name,
                     "email_domain": email_domain,
                     "email_domains": email_domains,
@@ -201,6 +208,7 @@ def update(
         self,
         *,
         sso_configuration_id: str,
+        additional_scopes: Optional[AdditionalScopesUpdateParam] | Omit = omit,
         claims: Dict[str, str] | Omit = omit,
         client_id: Optional[str] | Omit = omit,
         client_secret: Optional[str] | Omit = omit,
@@ -251,6 +259,10 @@ def update(
         Args:
           sso_configuration_id: sso_configuration_id is the ID of the SSO configuration to update
 
+          additional_scopes: additional_scopes replaces the configured OIDC scopes when present. When absent
+              (nil), scopes are left unchanged. When present with an empty scopes list, all
+              additional scopes are cleared.
+
           claims: claims are key/value pairs that defines a mapping of claims issued by the IdP.
 
           client_id: client_id is the client ID of the SSO provider
@@ -274,6 +286,7 @@ def update(
             body=maybe_transform(
                 {
                     "sso_configuration_id": sso_configuration_id,
+                    "additional_scopes": additional_scopes,
                     "claims": claims,
                     "client_id": client_id,
                     "client_secret": client_secret,
@@ -455,6 +468,7 @@ async def create(
         client_secret: str,
         issuer_url: str,
         organization_id: str,
+        additional_scopes: SequenceNotStr[str] | Omit = omit,
         display_name: str | Omit = omit,
         email_domain: Optional[str] | Omit = omit,
         email_domains: SequenceNotStr[str] | Omit = omit,
@@ -508,6 +522,10 @@ async def create(
 
           issuer_url: issuer_url is the URL of the IdP issuer
 
+          additional_scopes: additional_scopes are extra OIDC scopes to request from the identity provider
+              during sign-in. These are appended to the default scopes (openid, email,
+              profile).
+
           email_domain: email_domain is the domain that is allowed to sign in to the organization
 
           extra_headers: Send extra headers
@@ -526,6 +544,7 @@ async def create(
                     "client_secret": client_secret,
                     "issuer_url": issuer_url,
                     "organization_id": organization_id,
+                    "additional_scopes": additional_scopes,
                     "display_name": display_name,
                     "email_domain": email_domain,
                     "email_domains": email_domains,
@@ -595,6 +614,7 @@ async def update(
         self,
         *,
         sso_configuration_id: str,
+        additional_scopes: Optional[AdditionalScopesUpdateParam] | Omit = omit,
         claims: Dict[str, str] | Omit = omit,
         client_id: Optional[str] | Omit = omit,
         client_secret: Optional[str] | Omit = omit,
@@ -645,6 +665,10 @@ async def update(
         Args:
           sso_configuration_id: sso_configuration_id is the ID of the SSO configuration to update
 
+          additional_scopes: additional_scopes replaces the configured OIDC scopes when present. When absent
+              (nil), scopes are left unchanged. When present with an empty scopes list, all
+              additional scopes are cleared.
+
           claims: claims are key/value pairs that defines a mapping of claims issued by the IdP.
 
           client_id: client_id is the client ID of the SSO provider
@@ -668,6 +692,7 @@ async def update(
             body=await async_maybe_transform(
                 {
                     "sso_configuration_id": sso_configuration_id,
+                    "additional_scopes": additional_scopes,
                     "claims": claims,
                     "client_id": client_id,
                     "client_secret": client_secret,

src/gitpod/types/organizations/__init__.py

@@ -34,6 +34,7 @@
 from .custom_domain_retrieve_params import CustomDomainRetrieveParams as CustomDomainRetrieveParams
 from .custom_domain_update_response import CustomDomainUpdateResponse as CustomDomainUpdateResponse
 from .sso_configuration_list_params import SSOConfigurationListParams as SSOConfigurationListParams
+from .additional_scopes_update_param import AdditionalScopesUpdateParam as AdditionalScopesUpdateParam
 from .announcement_banner_get_params import AnnouncementBannerGetParams as AnnouncementBannerGetParams
 from .scim_configuration_list_params import ScimConfigurationListParams as ScimConfigurationListParams
 from .custom_domain_retrieve_response import CustomDomainRetrieveResponse as CustomDomainRetrieveResponse

src/gitpod/types/organizations/additional_scopes_update_param.py

@@ -0,0 +1,19 @@
+# File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.
+
+from __future__ import annotations
+
+from typing_extensions import TypedDict
+
+from ..._types import SequenceNotStr
+
+__all__ = ["AdditionalScopesUpdateParam"]
+
+
+class AdditionalScopesUpdateParam(TypedDict, total=False):
+    """
+    AdditionalScopesUpdate wraps a list of OIDC scopes so that the update request
+     can distinguish "not changing scopes" (field absent) from "clearing all scopes"
+     (field present, empty list).
+    """
+
+    scopes: SequenceNotStr[str]

src/gitpod/types/organizations/sso_configuration.py

@@ -26,6 +26,12 @@ class SSOConfiguration(BaseModel):
     state: SSOConfigurationState
     """state is the state of the SSO configuration"""
 
+    additional_scopes: Optional[List[str]] = FieldInfo(alias="additionalScopes", default=None)
+    """
+    additional_scopes are extra OIDC scopes requested from the identity provider
+    during sign-in.
+    """
+
     claims: Optional[Dict[str, str]] = None
     """claims are key/value pairs that defines a mapping of claims issued by the IdP."""
 

src/gitpod/types/organizations/sso_configuration_create_params.py

@@ -23,6 +23,13 @@ class SSOConfigurationCreateParams(TypedDict, total=False):
 
     organization_id: Required[Annotated[str, PropertyInfo(alias="organizationId")]]
 
+    additional_scopes: Annotated[SequenceNotStr[str], PropertyInfo(alias="additionalScopes")]
+    """
+    additional_scopes are extra OIDC scopes to request from the identity provider
+    during sign-in. These are appended to the default scopes (openid, email,
+    profile).
+    """
+
     display_name: Annotated[str, PropertyInfo(alias="displayName")]
 
     email_domain: Annotated[Optional[str], PropertyInfo(alias="emailDomain")]

src/gitpod/types/organizations/sso_configuration_update_params.py

@@ -8,6 +8,7 @@
 from ..._types import SequenceNotStr
 from ..._utils import PropertyInfo
 from .sso_configuration_state import SSOConfigurationState
+from .additional_scopes_update_param import AdditionalScopesUpdateParam
 
 __all__ = ["SSOConfigurationUpdateParams"]
 
@@ -16,6 +17,13 @@ class SSOConfigurationUpdateParams(TypedDict, total=False):
     sso_configuration_id: Required[Annotated[str, PropertyInfo(alias="ssoConfigurationId")]]
     """sso_configuration_id is the ID of the SSO configuration to update"""
 
+    additional_scopes: Annotated[Optional[AdditionalScopesUpdateParam], PropertyInfo(alias="additionalScopes")]
+    """
+    additional_scopes replaces the configured OIDC scopes when present. When absent
+    (nil), scopes are left unchanged. When present with an empty scopes list, all
+    additional scopes are cleared.
+    """
+
     claims: Dict[str, str]
     """claims are key/value pairs that defines a mapping of claims issued by the IdP."""
 

tests/api_resources/organizations/test_sso_configurations.py

@@ -41,6 +41,7 @@ def test_method_create_with_all_params(self, client: Gitpod) -> None:
             client_secret="GOCSPX-abcdefghijklmnopqrstuvwxyz123456",
             issuer_url="https://accounts.google.com",
             organization_id="b0e12f6c-4c67-429d-a4a6-d9838b5da047",
+            additional_scopes=["x"],
             display_name="displayName",
             email_domain="acme-corp.com",
             email_domains=["sfN2.l.iJR-BU.u9JV9.a.m.o2D-4b-Jd.0Z-kX.L.n.S.f.UKbxB"],
@@ -126,6 +127,7 @@ def test_method_update(self, client: Gitpod) -> None:
     def test_method_update_with_all_params(self, client: Gitpod) -> None:
         sso_configuration = client.organizations.sso_configurations.update(
             sso_configuration_id="d2c94c27-3b76-4a42-b88c-95a85e392c68",
+            additional_scopes={"scopes": ["x"]},
             claims={"foo": "string"},
             client_id="new-client-id",
             client_secret="new-client-secret",
@@ -270,6 +272,7 @@ async def test_method_create_with_all_params(self, async_client: AsyncGitpod) ->
             client_secret="GOCSPX-abcdefghijklmnopqrstuvwxyz123456",
             issuer_url="https://accounts.google.com",
             organization_id="b0e12f6c-4c67-429d-a4a6-d9838b5da047",
+            additional_scopes=["x"],
             display_name="displayName",
             email_domain="acme-corp.com",
             email_domains=["sfN2.l.iJR-BU.u9JV9.a.m.o2D-4b-Jd.0Z-kX.L.n.S.f.UKbxB"],
@@ -355,6 +358,7 @@ async def test_method_update(self, async_client: AsyncGitpod) -> None:
     async def test_method_update_with_all_params(self, async_client: AsyncGitpod) -> None:
         sso_configuration = await async_client.organizations.sso_configurations.update(
             sso_configuration_id="d2c94c27-3b76-4a42-b88c-95a85e392c68",
+            additional_scopes={"scopes": ["x"]},
             claims={"foo": "string"},
             client_id="new-client-id",
             client_secret="new-client-secret",