Commit
Merge branch 'master' into feat/cli-v1
zepatrik authored Jul 31, 2024
2 parents bc9dd31 + 0b31c94 commit bd1fe43
Showing 12 changed files with 358 additions and 56 deletions.
2 changes: 1 addition & 1 deletion docs/actions/require-verified-address.mdx
Expand Up @@ -30,7 +30,7 @@ Follow these steps to toggle this action on or off:
1. Go to <ConsoleLink route="project.verification" />.
2. Toggle **Require Verified Address for Login**.
6. Click **Save**.
3. Click **Save**.
</TabItem>
<TabItem value="cli" label="Ory CLI">
33 changes: 30 additions & 3 deletions docs/guides/integrate-with-ory-cloud-through-webhooks.mdx
Expand Up @@ -85,9 +85,36 @@ Webhooks trigger HTTP requests to the webhook URL. You can configure the request
### Customizing request body with Jsonnet
Webhooks bind the `flow`, as well as request headers (`request_headers`), request method (`request_method`), and the request URL
(`request_url`) of the flow into the Jsonnet template for all methods and execution paths (before and after). For the `after`
execution path of all flows, it binds the `identity` and the `transient_payload` object into the Jsonnet template as well. These
objects are available through a `ctx` object.
(`request_url`) of the flow into the [Jsonnet](https://jsonnet.org) template for all methods and execution paths (before and
after). For the `after` execution path of all flows, it binds the `identity` and the `transient_payload` object into the Jsonnet
template as well. These objects are available through a `ctx` object.

:::info

After August 1st, 2024, we will remove all headers from `ctx.request_headers` of the webhook request context that do not match the
following allow-list:

```
Accept
Accept-Encoding
Accept-Language
Content-Length
Content-Type
Origin
Priority
Referer
Sec-Ch-Ua
Sec-Ch-Ua-Mobile
Sec-Ch-Ua-Platform
Sec-Fetch-Dest
Sec-Fetch-Mode
Sec-Fetch-Site
Sec-Fetch-User
True-Client-Ip
User-Agent
```

:::

To send `{ user_id: {some-id} }` in the request body, create the following the [Jsonnet](https://jsonnet.org) template:
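
Review bot: The allow-list notice in the `:::info` block does not say what a Jsonnet template sees once a header is dropped, and the list omits `Authorization` and `Cookie` without calling that out, so a template that reads either from `ctx.request_headers` will change behaviour with no hint from this page. Suggest one sentence stating how a removed header appears to the template (absent, if that is the case) and naming the commonly used headers that are no longer passed through. The wording "After August 1st, 2024, we will remove" will also read oddly once the date has passed; a phrasing that stays correct afterwards would save a follow-up edit. Separately, the unchanged line above now repeats the Jsonnet link that the new paragraph introduces and still reads "create the following the [Jsonnet]"; drop the second link and the stray "the" while here.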

15 changes: 10 additions & 5 deletions docs/identities/sign-in/social-sign-in/redirect-url.mdx
Expand Up @@ -22,14 +22,18 @@ will initiate the OIDC flow with the new redirect URL.

:::

```mdx-code-block
<Tabs>
<TabItem value="console" label="Ory Console" default>
```

To use a custom domain as the redirect URL, go to <ConsoleLink route="project.socialSignIn" /> and add the domain to the **Base
Redirect URI**.

```mdx-code-block
</TabItem>
<TabItem value="cli" label="Ory CLI">
```

To change the redirect URL to your custom domain, you need to update the `base_redirect_uri`:

Expand All @@ -42,18 +46,19 @@ ory patch identity-config <project-id> \
--add '/selfservice/methods/oidc/config/base_redirect_uri="https://ory.example.org"'
```

```mdx-code-block
</TabItem>
</Tabs>
````
```

After changing the base redirect URI you need to update the redirect URL of social sign-in providers you want to use. This is done
in the configuration of the social sign-in provider. To update an existing social sign in provider, follow these steps:

1. Open the Ory Console and navigate to the social sign-in configuration screen.
1. Choose the provider you want to fix and click on the configuration button.
1. Copy the **Redirect URI** from the form.
1. Replace the Ory Network URL `{project-slug}.projects.oryapis.com` with your custom hostname, such as `ory.example.org`.
1. Update the Redirect URI - also called Authorization callback URL - in the social sign-in provider configuration.
2. Choose the provider you want to fix and click on the configuration button.
3. Copy the **Redirect URI** from the form.
4. Replace the Ory Network URL `{project-slug}.projects.oryapis.com` with your custom hostname, such as `ory.example.org`.
5. Update the Redirect URI - also called Authorization callback URL - in the social sign-in provider configuration.

:::info
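
Review bot: Step 1 of the renumbered list still says "Open the Ory Console and navigate to the social sign-in configuration screen", while the console tab earlier in this file sends readers there with `<ConsoleLink route="project.socialSignIn" />`. Using the same component in step 1 keeps the two instructions consistent. The sentence introducing the list also writes "social sign in provider" without the hyphen used in the rest of the paragraph.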

45 changes: 42 additions & 3 deletions docs/keto/reference/proto-api.mdx
Expand Up @@ -27,8 +27,11 @@ title: Protocol buffers API
- [SubjectSet](#ory-keto-relation_tuples-v1alpha2-SubjectSet)
- [ory/keto/relation_tuples/v1alpha2/check_service.proto](#ory_keto_relation_tuples_v1alpha2_check_service-proto)

- [BatchCheckRequest](#ory-keto-relation_tuples-v1alpha2-BatchCheckRequest)
- [BatchCheckResponse](#ory-keto-relation_tuples-v1alpha2-BatchCheckResponse)
- [CheckRequest](#ory-keto-relation_tuples-v1alpha2-CheckRequest)
- [CheckResponse](#ory-keto-relation_tuples-v1alpha2-CheckResponse)
- [CheckResponseWithError](#ory-keto-relation_tuples-v1alpha2-CheckResponseWithError)
- [CheckService](#ory-keto-relation_tuples-v1alpha2-CheckService)

- [ory/keto/relation_tuples/v1alpha2/expand_service.proto](#ory_keto_relation_tuples_v1alpha2_expand_service-proto)
Expand Down Expand Up @@ -213,6 +216,29 @@ SubjectSet refers to all subjects who have the same `relation` on an `object`.

## ory/keto/relation_tuples/v1alpha2/check_service.proto

<a name="ory-keto-relation_tuples-v1alpha2-BatchCheckRequest"></a>

### BatchCheckRequest

The request for a CheckService.BatchCheck RPC. Checks a batch of relations.

| Field | Type | Label | Description |
| --------- | ----------------------------------------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| tuples | [RelationTuple](#ory-keto-relation_tuples-v1alpha2-RelationTuple) | repeated | |
| latest | [bool](#bool) | | This field is not implemented yet and has no effect.<br/><!--<br/>Set this field to `true` in case your application<br/>needs to authorize depending on up to date ACLs,<br/>also called a "content-change check".<br/><br/>If set to `true` the `snaptoken` field is ignored,<br/>the check is evaluated at the latest snapshot<br/>(globally consistent) and the response includes a<br/>snaptoken for clients to store along with object<br/>contents that can be used for subsequent checks<br/>of the same content version.<br/><br/>Example use case:<br/> - You need to authorize a user to modify/delete some resource<br/> and it is unacceptable that if the permission to do that had<br/> just been revoked some seconds ago so that the change had not<br/> yet been fully replicated to all availability zones.<br/>--> |
| snaptoken | [string](#string) | | This field is not implemented yet and has no effect.<br/><!--<br/>Optional. Like reads, a check is always evaluated at a<br/>consistent snapshot no earlier than the given snaptoken.<br/><br/>Leave this field blank if you want to evaluate the check<br/>based on eventually consistent ACLs, benefiting from very<br/>low latency, but possibly slightly stale results.<br/><br/>If the specified token is too old and no longer known,<br/>the server falls back as if no snaptoken had been specified.<br/><br/>If not specified the server tries to evaluate the check<br/>on the best snapshot version where it is very likely that<br/>ACLs had already been replicated to all availability zones.<br/>--> |
| max_depth | [int32](#int32) | | The maximum depth to search for a relation.<br/><br/>If the value is less than 1 or greater than the global<br/>max-depth then the global max-depth will be used instead. |

<a name="ory-keto-relation_tuples-v1alpha2-BatchCheckResponse"></a>

### BatchCheckResponse

The response for a CheckService.BatchCheck rpc.

| Field | Type | Label | Description |
| ------- | ----------------------------------------------------------------------------------- | -------- | ------------------------------------------------------------------------------------------------- |
| results | [CheckResponseWithError](#ory-keto-relation_tuples-v1alpha2-CheckResponseWithError) | repeated | The results of the batch check. The order of these<br/>results will match the order of the input. |

<a name="ory-keto-relation_tuples-v1alpha2-CheckRequest"></a>

### CheckRequest
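
Review bot: The `tuples` row of `BatchCheckRequest` has an empty description. Say that each entry is one relation tuple to check and whether the server caps the number of tuples per request; `max_depth` is documented as bounded by the global max-depth, but nothing here bounds the batch size. Minor: the request text says "BatchCheck RPC" and the response text says "BatchCheck rpc"; pick one spelling.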
Expand Down Expand Up @@ -242,6 +268,18 @@ The response for a CheckService.Check rpc.
| allowed | [bool](#bool) | | Whether the specified subject (id)<br/>is related to the requested object.<br/><br/>It is false by default if no ACL matches. |
| snaptoken | [string](#string) | | This field is not implemented yet and has no effect.<br/><!--<br/>The last known snapshot token ONLY specified if<br/>the request had not specified a snaptoken,<br/>since this performed a "content-change request"<br/>and consistently fetched the last known snapshot token.<br/><br/>This field is not set if the request had specified a snaptoken!<br/><br/>If set, clients should cache and use this token<br/>for subsequent requests to have minimal latency,<br/>but allow slightly stale responses (only some milliseconds or seconds).<br/>--> |

<a name="ory-keto-relation_tuples-v1alpha2-CheckResponseWithError"></a>

### CheckResponseWithError

The response for an individual check in the CheckService.BatchCheck rpc.

| Field | Type | Label | Description |
| --------- | ----------------- | ----- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| allowed | [bool](#bool) | | Whether the specified subject (id)<br/>is related to the requested object.<br/><br/>It is false by default if no ACL matches. |
| error | [string](#string) | | If there was an error checking the tuple,<br/>this will contain the error message.<br/><br/>If the check was performed successfully, this will be empty. |
| snaptoken | [string](#string) | | This field is not implemented yet and has no effect.<br/><!--<br/>The last known snapshot token ONLY specified if<br/>the request had not specified a snaptoken,<br/>since this performed a "content-change request"<br/>and consistently fetched the last known snapshot token.<br/><br/>This field is not set if the request had specified a snaptoken!<br/><br/>If set, clients should cache and use this token<br/>for subsequent requests to have minimal latency,<br/>but allow slightly stale responses (only some milliseconds or seconds).<br/>--> |

<!-- end messages -->

<!-- end enums -->
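
Review bot: `CheckResponseWithError` does not state what `allowed` holds when `error` is non-empty. The `allowed` description only covers "It is false by default if no ACL matches", so a caller cannot tell a denial from a failed check without also reading `error`. Suggest adding to the `error` row what value `allowed` takes when `error` is set, and that callers should inspect `error` before acting on `allowed`.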
Expand All @@ -258,9 +296,10 @@ Control Lists.
This service is part of the
[read-APIs](../concepts/25_api-overview.mdx#read-apis).

| Method Name | Request Type | Response Type | Description |
| ----------- | --------------------------------------------------------------- | ----------------------------------------------------------------- | -------------------------------- |
| Check | [CheckRequest](#ory-keto-relation_tuples-v1alpha2-CheckRequest) | [CheckResponse](#ory-keto-relation_tuples-v1alpha2-CheckResponse) | Performs an authorization check. |
| Method Name | Request Type | Response Type | Description |
| ----------- | ------------------------------------------------------------------------- | --------------------------------------------------------------------------- | -------------------------------- |
| Check | [CheckRequest](#ory-keto-relation_tuples-v1alpha2-CheckRequest) | [CheckResponse](#ory-keto-relation_tuples-v1alpha2-CheckResponse) | Performs an authorization check. |
| BatchCheck | [BatchCheckRequest](#ory-keto-relation_tuples-v1alpha2-BatchCheckRequest) | [BatchCheckResponse](#ory-keto-relation_tuples-v1alpha2-BatchCheckResponse) | |

<!-- end services -->
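
Review bot: The new `BatchCheck` row has an empty Description cell, while `Check` has "Performs an authorization check." Add a one-line description, for example that it performs an authorization check for each tuple in the request and returns the results in input order, which matches what `BatchCheckResponse` documents.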
