fix/authentication-using-external-jwt

CLAUDE.md

@@ -113,6 +113,8 @@ Many files are auto-generated (marked with `// WARNING: This file is auto-genera
 - Filter classes in `filters/`
 - Wrapper code in `ts-wrapper/`, `python-wrapper/`, `dart-wrapper/`
 
+The code generation is a two steps process: JSON files that describe the syntax and semantics of the entities and APIs are maintained in `build/generated/ksp/jvm/jvmMain/resources/.../Class.json` and then the `sdk-codegen` tool generates the actual Kotlin/JS/Python/Dart code.
+
 **Do not manually edit auto-generated files.** Generation is done by the external `sdk-codegen` tool.
 
 ### Key Annotations
@@ -134,4 +136,4 @@ Many files are auto-generated (marked with `// WARNING: This file is auto-genera
 - Max line length: 140
 - Trailing commas: enabled
 - Wildcard imports: allowed
-- Style: ktlint_official
+- Style: ktlint_official

cardinal-sdk/src/commonMain/kotlin/com/icure/cardinal/sdk/auth/AuthSecretDetails.kt

@@ -53,8 +53,8 @@ sealed interface AuthSecretDetails {
 	 * @param secret the token or another secret that will be used for authentication.
 	 * @param minimumAuthenticationClass only consider configurations that can provide at least this authentication class. The actual
 	 * authentication class obtained for the token may be higher.
-	 * @param doNotUseProjectIdForGroupSelection only use the project id specified in the initialize method to choose the configuration of
-	 * the external token, but not the group where to log in.
+	 * @param doNotUseProjectIdForGroupSelection (INTERNAL USE ONLY) only use the project id specified in the initialize method to choose the configuration of
+	 * the external token, but not the group where to log in. This is probably not the option you are looking for.
 	 */
 	data class ConfiguredExternalAuthenticationDetails(
 		val configId: String,

cardinal-sdk/src/commonMain/kotlin/com/icure/cardinal/sdk/auth/Credentials.kt

@@ -54,8 +54,8 @@ data class ExternalAuthenticationToken(
 	 */
 	val minimumAuthenticationClass: AuthenticationClass = AuthenticationClass.ExternalAuthentication,
 	/**
-	 * If set to true, the project id specified in the initialize method will be used to find the external configuration for the external
-	 * token but not to restrict the group where to log in.
+	 * (INTERNAL USE ONLY) only use the project id specified in the initialize method to choose the configuration of
+	 * the external token, but not the group where to log in. This is probably not the option you are looking for.
 	 */
 	val doNotUseProjectIdForGroupSelection: Boolean = false
 ) : Credentials

cardinal-sdk/src/commonMain/kotlin/com/icure/cardinal/sdk/options/AuthenticationMethod.kt

@@ -119,7 +119,7 @@ sealed interface AuthenticationMethod {
 			@Serializable
 			data class LongLivedToken(val token: String) : InitialSecret
 			@Serializable
-			data class ExternalAuthenticationToken(val token: String, val configId: String) : InitialSecret
+			data class ExternalAuthenticationToken(val token: String, val configId: String, val doNotUseProjectIdForGroupSelection: Boolean?) : InitialSecret
 		}
 	}
 }
@@ -176,7 +176,7 @@ suspend fun AuthenticationMethod.getAuthProvider(
 			is AuthenticationMethod.UsingSecretProvider.InitialSecret.LongLivedToken ->
 				AuthSecretDetails.LongLivedTokenDetails(initialSecret.token)
 			is AuthenticationMethod.UsingSecretProvider.InitialSecret.ExternalAuthenticationToken ->
-				AuthSecretDetails.ConfiguredExternalAuthenticationDetails(initialSecret.configId, initialSecret.token)
+				AuthSecretDetails.ConfiguredExternalAuthenticationDetails(initialSecret.configId, initialSecret.token, AuthenticationClass.ExternalAuthentication, initialSecret.doNotUseProjectIdForGroupSelection ?: false)
 			is AuthenticationMethod.UsingSecretProvider.InitialSecret.Password ->
 				AuthSecretDetails.PasswordDetails(initialSecret.password)
 			null -> null

ts-wrapper/src/jsMain/kotlin/com/icure/cardinal/sdk/js/options/AuthenticationMethod.kt

@@ -41,6 +41,7 @@ import kotlinx.coroutines.GlobalScope
 import kotlinx.coroutines.await
 import kotlinx.coroutines.promise
 import kotlin.js.Promise
+import kotlin.js.json
 
 
 @OptIn(InternalIcureApi::class)
@@ -85,7 +86,8 @@ private fun InitialSecretJs.toKt(): AuthenticationMethod.UsingSecretProvider.Ini
 	is ExternalAuthenticationTokenJs ->
 		AuthenticationMethod.UsingSecretProvider.InitialSecret.ExternalAuthenticationToken(
 			token = token,
-			configId = configId
+			configId = configId,
+			doNotUseProjectIdForGroupSelection = doNotUseProjectIdForGroupSelection
 		)
 	is InitialSecretLongLivedTokenJs ->
 		AuthenticationMethod.UsingSecretProvider.InitialSecret.LongLivedToken(token)
@@ -125,20 +127,28 @@ private fun AuthSecretDetailsJs.toKt(): AuthSecretDetails = when (this) {
 	else -> throw IllegalArgumentException("Unrecognised auth secret details: ${this::class.simpleName}")
 }
 private fun AuthSecretDetails.toJs(): AuthSecretDetailsJs = when (this) {
-	is AuthSecretDetails.ConfiguredExternalAuthenticationDetails ->
+	is AuthSecretDetails.ConfiguredExternalAuthenticationDetails -> {
 		ConfiguredExternalAuthenticationDetailsJs(
 			secret = secret,
 			configId = configId,
-			minimumAuthenticationClass = minimumAuthenticationClass.name
+			props = json(
+				"minimumAuthenticationClass" to minimumAuthenticationClass.name,
+				"doNotUseProjectIdForGroupSelection" to doNotUseProjectIdForGroupSelection
+			)
 		)
-	is AuthSecretDetails.LongLivedTokenDetails ->
+	}
+	is AuthSecretDetails.LongLivedTokenDetails -> {
 		LongLivedTokenDetailsJs(secret = secret)
-	is AuthSecretDetails.PasswordDetails ->
+	}
+	is AuthSecretDetails.PasswordDetails -> {
 		PasswordDetailsJs(secret = secret)
-	is AuthSecretDetails.ShortLivedTokenDetails ->
+	}
+	is AuthSecretDetails.ShortLivedTokenDetails -> {
 		ShortLivedTokenDetailsJs(secret = secret, authenticationProcessInfo = authenticationProcessInfo.toJs())
-	is AuthSecretDetails.TwoFactorAuthTokenDetails ->
+	}
+	is AuthSecretDetails.TwoFactorAuthTokenDetails -> {
 		TwoFactorAuthTokenDetailsJs(secret = secret)
+	}
 }
 @OptIn(InternalIcureApi::class)
 private fun AuthenticationProcessRequest.toJs(): AuthenticationProcessRequestJs = AuthenticationProcessRequestJs(
@@ -181,4 +191,4 @@ internal fun AuthenticationProcessTemplateParametersJs.toKt() =
 	AuthenticationProcessTemplateParameters(
 		firstName = this.firstName,
 		lastName = this.lastName
-	)
+	)

ts-wrapper/src/jsMain/kotlin/com/icure/cardinal/sdk/js/options/external/AuthSecretDetailsJs.kt

@@ -35,9 +35,12 @@ external class LongLivedTokenDetailsJs(
 external class ConfiguredExternalAuthenticationDetailsJs(
 	configId: String,
 	secret: String,
-	minimumAuthenticationClass: String?,
+	// minimumAuthenticationClass: String?,
+	// doNotUseProjectIdForGroupSelection: Boolean?,
+	props: dynamic
 ) : AuthSecretDetailsJs {
 	val configId: String
 	val secret: String
 	val minimumAuthenticationClass: String?
+	val doNotUseProjectIdForGroupSelection: Boolean?
 }

ts-wrapper/src/jsMain/kotlin/com/icure/cardinal/sdk/js/options/external/SecretProviderAuthenticationOptionsInitialSecretJs.kt

@@ -15,4 +15,5 @@ external class InitialSecretLongLivedTokenJs : InitialSecretJs {
 external class ExternalAuthenticationTokenJs : InitialSecretJs {
 	val token: String
 	val configId: String
+	val doNotUseProjectIdForGroupSelection: Boolean?
 }

ts-wrapper/src/jsMain/typescript/options/AuthenticationMethod.mts

@@ -51,6 +51,17 @@ export namespace AuthenticationMethod {
     }
 
     export class ExternalAuthenticationToken {
+
+      /**
+       * During login consider only configurations that can provide at least this authentication class
+       */
+      readonly minimumAuthenticationClass: AuthenticationClass | undefined
+      /**
+       * (INTERNAL USE ONLY) only use the project id specified in the initialize method to choose the configuration of
+       * the external token, but not the group where to log in. This is probably not the option you are looking for.
+       */
+      readonly doNotUseProjectIdForGroupSelection: boolean | undefined
+
       constructor(
         /**
          * The id of the configuration that specifies how the token should be validated and how it should be used to find
@@ -63,11 +74,14 @@ export namespace AuthenticationMethod {
          * A token used to perform the external authentication
          */
         readonly token: string,
-        /**
-         * During login consider only configurations that can provide at least this authentication class
-         */
-        readonly minimumAuthenticationClass?: AuthenticationClass,
-      ) {}
+        props: {
+          minimumAuthenticationClass?: AuthenticationClass,
+          doNotUseProjectIdForGroupSelection?: boolean
+        } = {},
+      ) {
+        this.minimumAuthenticationClass = props.minimumAuthenticationClass
+        this.doNotUseProjectIdForGroupSelection = props.doNotUseProjectIdForGroupSelection
+      }
     }
 
     export class JwtCredentials {
@@ -154,7 +168,13 @@ export namespace SecretProviderAuthenticationOptions {
   export namespace InitialSecret {
     export class Password { constructor(readonly password: string) {} }
     export class LongLivedToken { constructor(readonly token: string) {} }
-    export class ExternalAuthenticationToken { constructor(readonly token: string, readonly configId: string) {} }
+    export class ExternalAuthenticationToken {
+      readonly doNotUseProjectIdForGroupSelection: boolean | undefined
+
+      constructor(readonly token: string, readonly configId: string, props: { doNotUseProjectIdForGroupSelection?: boolean } = {}) {
+        this.doNotUseProjectIdForGroupSelection = props.doNotUseProjectIdForGroupSelection
+      }
+    }
   }
 
   export type InitialSecret = InitialSecret.Password | InitialSecret.LongLivedToken | InitialSecret.ExternalAuthenticationToken
@@ -212,7 +232,7 @@ export namespace AuthSecretDetails {
      */
     constructor (readonly secret: String) {}
   }
-  
+
   export class TwoFactorAuthTokenDetails {
     /**
      * @param secret the current two-factor authentication token of the user.
@@ -227,15 +247,17 @@ export namespace AuthSecretDetails {
      */
     constructor(readonly secret: String, readonly authenticationProcessInfo: AuthenticationProcessRequest) {}
   }
-  
+
   export class LongLivedTokenDetails {
     /**
      * @param secret a long-lived token of the user.
      */
     constructor (readonly secret: String) {}
   }
-  
+
   export class ConfiguredExternalAuthenticationDetails {
+    readonly minimumAuthenticationClass: AuthenticationClass | undefined
+    readonly doNotUseProjectIdForGroupSelection: boolean | undefined
     /**
      * Login using a token or other secret provided by another authentication service configured for your project.
      *
@@ -245,10 +267,16 @@ export namespace AuthSecretDetails {
      *
      * @param configId id of the configuration to use for authentication.
      * @param secret the token or another secret that will be used for authentication.
-     * @param minimumAuthenticationClass only consider configurations that can provide at least this authentication class. The actual
+     * @param props
+     *  - minimumAuthenticationClass only consider configurations that can provide at least this authentication class. The actual
      * authentication class obtained for the token may be higher.
+     *  - doNotUseProjectIdForGroupSelection (INTERNAL USE ONLY) only use the project id specified in the initialize method to choose the configuration of
+     *     the external token, but not the group where to log in. This is probably not the option you are looking for.
      */
-    constructor (readonly configId: string, readonly secret: string, readonly minimumAuthenticationClass?: AuthenticationClass) {}
+    constructor (readonly configId: string, readonly secret: string, props: { minimumAuthenticationClass?: AuthenticationClass, doNotUseProjectIdForGroupSelection?: boolean } = {}) {
+      this.minimumAuthenticationClass = props.minimumAuthenticationClass
+      this.doNotUseProjectIdForGroupSelection = props.doNotUseProjectIdForGroupSelection
+    }
   }
 }
 export type AuthSecretDetails =
@@ -312,4 +340,4 @@ export class AuthenticationProcessRequest {
     readonly specId: String,
     readonly requestId: String
   ) {}
-}
+}