Skip to main content

nominal_api/conjure/clients/authorization/
authorization_service.rs

1use conjure_http::endpoint;
2/// Authorization service manages the permissions for a user
3/// to access resources.
4#[conjure_http::conjure_client(name = "AuthorizationService")]
5pub trait AuthorizationService<
6    #[response_body]
7    I: Iterator<
8            Item = Result<conjure_http::private::Bytes, conjure_http::private::Error>,
9        >,
10> {
11    /// Given a set of resources, returns the set of resources that the
12    /// user is authorized to access.
13    #[endpoint(
14        method = POST,
15        path = "/authorization/v1/authorize",
16        name = "authorize",
17        accept = conjure_http::client::conjure::CollectionResponseDeserializer
18    )]
19    fn authorize(
20        &self,
21        #[auth]
22        auth_: &conjure_object::BearerToken,
23        #[body(serializer = conjure_http::client::StdRequestSerializer)]
24        request: &super::super::super::objects::authorization::AuthorizationRequest,
25    ) -> Result<
26        std::collections::BTreeSet<conjure_object::ResourceIdentifier>,
27        conjure_http::private::Error,
28    >;
29    /// Given a set of resources, returns the workspace that each resource belongs to. If a user
30    /// is not authorized on the resource, will omit the resource from the response.
31    #[endpoint(
32        method = POST,
33        path = "/authorization/v1/batch-get-workspace-for-resource",
34        name = "batchGetWorkspaceForResource",
35        accept = conjure_http::client::conjure::CollectionResponseDeserializer
36    )]
37    fn batch_get_workspace_for_resource(
38        &self,
39        #[auth]
40        auth_: &conjure_object::BearerToken,
41        #[body(serializer = conjure_http::client::StdRequestSerializer)]
42        request: &std::collections::BTreeSet<conjure_object::ResourceIdentifier>,
43    ) -> Result<
44        std::collections::BTreeMap<
45            conjure_object::ResourceIdentifier,
46            super::super::super::objects::api::rids::WorkspaceRid,
47        >,
48        conjure_http::private::Error,
49    >;
50    /// Marks a set of resources as belonging to a workspace. Either all resources are
51    /// registered or none are.
52    /// If the user is not in the workspace, this will throw.
53    /// If a resource already belongs to a different workspace, this will throw.
54    /// If a resource already belongs to this workspace, this is a no-op.
55    #[endpoint(
56        method = POST,
57        path = "/authorization/v1/register-in-workspace",
58        name = "registerInWorkspace",
59        accept = conjure_http::client::conjure::EmptyResponseDeserializer
60    )]
61    fn register_in_workspace(
62        &self,
63        #[auth]
64        auth_: &conjure_object::BearerToken,
65        #[body(serializer = conjure_http::client::StdRequestSerializer)]
66        request: &super::super::super::objects::authorization::RegisterInWorkspaceRequest,
67    ) -> Result<(), conjure_http::private::Error>;
68    /// Given an authenticated session, this endpoint returns a HTTP 204 if the
69    /// authenticated user is an admin and HTTP 403 otherwise.
70    #[endpoint(
71        method = GET,
72        path = "/authorization/v1/checkAdmin",
73        name = "checkAdmin",
74        accept = conjure_http::client::conjure::EmptyResponseDeserializer
75    )]
76    fn check_admin(
77        &self,
78        #[auth]
79        auth_: &conjure_object::BearerToken,
80    ) -> Result<(), conjure_http::private::Error>;
81    /// Checks if the email is allowed to register.
82    #[endpoint(
83        method = POST,
84        path = "/authorization/v1/is-email-allowed",
85        name = "isEmailAllowed",
86        accept = conjure_http::client::StdResponseDeserializer
87    )]
88    fn is_email_allowed(
89        &self,
90        #[body(serializer = conjure_http::client::StdRequestSerializer)]
91        request: &super::super::super::objects::authorization::IsEmailAllowedRequest,
92    ) -> Result<
93        super::super::super::objects::authorization::IsEmailAllowedResponse,
94        conjure_http::private::Error,
95    >;
96    /// Checks if the email is allowed to register, following Okta "registration inline hook" API.
97    #[endpoint(
98        method = POST,
99        path = "/authorization/v1/is-email-allowed-okta",
100        name = "isEmailAllowedOkta",
101        accept = conjure_http::client::StdResponseDeserializer
102    )]
103    fn is_email_allowed_okta(
104        &self,
105        #[body(serializer = conjure_http::client::StdRequestSerializer)]
106        request: &super::super::super::objects::authorization::OktaRegistrationRequest,
107    ) -> Result<
108        super::super::super::objects::authorization::OktaRegistrationResponse,
109        conjure_http::private::Error,
110    >;
111    /// Provides an OIDC ID token to get the orgs that the user is a member of. Throws NotAuthorized if the ID token
112    /// is invalid or if the OIDC provider is not known.
113    #[endpoint(
114        method = POST,
115        path = "/authorization/v1/user-orgs",
116        name = "getUserOrgs",
117        accept = conjure_http::client::StdResponseDeserializer
118    )]
119    fn get_user_orgs(
120        &self,
121        #[body(serializer = conjure_http::client::StdRequestSerializer)]
122        request: &super::super::super::objects::authorization::GetUserOrgsRequest,
123    ) -> Result<
124        super::super::super::objects::authorization::GetUserOrgsResponse,
125        conjure_http::private::Error,
126    >;
127    /// Provide an OIDC ID token to get a Nominal access token suitable for making API requests.
128    /// Its expiry will match that of the input ID token, capped at 24h. TODO(MGMT-933): reduce this duration.
129    /// Throws NotAuthorized if the ID token is invalid or if the OIDC provider is not known.
130    #[endpoint(
131        method = POST,
132        path = "/authorization/v1/access-token",
133        name = "getAccessToken",
134        accept = conjure_http::client::StdResponseDeserializer
135    )]
136    fn get_access_token(
137        &self,
138        #[body(serializer = conjure_http::client::StdRequestSerializer)]
139        request: &super::super::super::objects::authorization::GetAccessTokenRequest,
140    ) -> Result<
141        super::super::super::objects::authorization::GetAccessTokenResponse,
142        conjure_http::private::Error,
143    >;
144    /// Given an authenticated session, provide an OIDC access token to get a Nominal access token suitable
145    /// for making API requests. Its expiry will match that of the input access token, capped at 24h. TODO(MGMT-933):
146    /// reduce this duration. Throws NotAuthorized if the access token is invalid or if the OIDC provider is not
147    /// known.
148    #[endpoint(
149        method = POST,
150        path = "/authorization/v1/refresh-access-token",
151        name = "refreshAccessToken",
152        accept = conjure_http::client::StdResponseDeserializer
153    )]
154    fn refresh_access_token(
155        &self,
156        #[body(serializer = conjure_http::client::StdRequestSerializer)]
157        request: &super::super::super::objects::authorization::RefreshAccessTokenRequest,
158    ) -> Result<
159        super::super::super::objects::authorization::RefreshAccessTokenResponse,
160        conjure_http::private::Error,
161    >;
162    /// Given an IDP issued id token, return the end session endpoint, accessed through the
163    /// .well-known/openid-configuration endpoint.
164    #[endpoint(
165        method = POST,
166        path = "/authorization/v1/get-idp-end-session-endpoint",
167        name = "getIdpEndSessionEndpoint",
168        accept = conjure_http::client::StdResponseDeserializer
169    )]
170    fn get_idp_end_session_endpoint(
171        &self,
172        #[body(serializer = conjure_http::client::StdRequestSerializer)]
173        request: &super::super::super::objects::authorization::GetIdpEndSessionEndpointRequest,
174    ) -> Result<
175        super::super::super::objects::authorization::GetIdpEndSessionEndpointResponse,
176        conjure_http::private::Error,
177    >;
178    /// Provide a long-lived API key for making API requests.
179    /// The API key is irretrievable after initial creation.
180    #[endpoint(
181        method = POST,
182        path = "/authorization/v1/api-key",
183        name = "createApiKey",
184        accept = conjure_http::client::StdResponseDeserializer
185    )]
186    fn create_api_key(
187        &self,
188        #[auth]
189        auth_: &conjure_object::BearerToken,
190        #[body(serializer = conjure_http::client::StdRequestSerializer)]
191        request: &super::super::super::objects::authorization::CreateApiKeyRequest,
192    ) -> Result<
193        super::super::super::objects::authorization::CreateApiKeyResponse,
194        conjure_http::private::Error,
195    >;
196    /// List all API keys in the organization.
197    #[endpoint(
198        method = POST,
199        path = "/authorization/v1/api-keys/org",
200        name = "listApiKeysInOrg",
201        accept = conjure_http::client::StdResponseDeserializer
202    )]
203    fn list_api_keys_in_org(
204        &self,
205        #[auth]
206        auth_: &conjure_object::BearerToken,
207        #[body(serializer = conjure_http::client::StdRequestSerializer)]
208        request: &super::super::super::objects::authorization::ListApiKeyRequest,
209    ) -> Result<
210        super::super::super::objects::authorization::ListApiKeyResponse,
211        conjure_http::private::Error,
212    >;
213    /// List all API keys for the user.
214    #[endpoint(
215        method = POST,
216        path = "/authorization/v1/api-keys/user",
217        name = "listUserApiKeys",
218        accept = conjure_http::client::StdResponseDeserializer
219    )]
220    fn list_user_api_keys(
221        &self,
222        #[auth]
223        auth_: &conjure_object::BearerToken,
224        #[body(serializer = conjure_http::client::StdRequestSerializer)]
225        request: &super::super::super::objects::authorization::ListApiKeyRequest,
226    ) -> Result<
227        super::super::super::objects::authorization::ListApiKeyResponse,
228        conjure_http::private::Error,
229    >;
230    /// Delete an API key.
231    #[endpoint(
232        method = PUT,
233        path = "/authorization/v1/api-key/{rid}/delete",
234        name = "revokeApiKey",
235        accept = conjure_http::client::conjure::EmptyResponseDeserializer
236    )]
237    fn revoke_api_key(
238        &self,
239        #[auth]
240        auth_: &conjure_object::BearerToken,
241        #[path(name = "rid", encoder = conjure_http::client::conjure::PlainEncoder)]
242        rid: &super::super::super::objects::authorization::ApiKeyRid,
243    ) -> Result<(), conjure_http::private::Error>;
244}
245/// Authorization service manages the permissions for a user
246/// to access resources.
247#[conjure_http::conjure_client(name = "AuthorizationService")]
248pub trait AsyncAuthorizationService<
249    #[response_body]
250    I: conjure_http::private::Stream<
251            Item = Result<conjure_http::private::Bytes, conjure_http::private::Error>,
252        >,
253> {
254    /// Given a set of resources, returns the set of resources that the
255    /// user is authorized to access.
256    #[endpoint(
257        method = POST,
258        path = "/authorization/v1/authorize",
259        name = "authorize",
260        accept = conjure_http::client::conjure::CollectionResponseDeserializer
261    )]
262    async fn authorize(
263        &self,
264        #[auth]
265        auth_: &conjure_object::BearerToken,
266        #[body(serializer = conjure_http::client::StdRequestSerializer)]
267        request: &super::super::super::objects::authorization::AuthorizationRequest,
268    ) -> Result<
269        std::collections::BTreeSet<conjure_object::ResourceIdentifier>,
270        conjure_http::private::Error,
271    >;
272    /// Given a set of resources, returns the workspace that each resource belongs to. If a user
273    /// is not authorized on the resource, will omit the resource from the response.
274    #[endpoint(
275        method = POST,
276        path = "/authorization/v1/batch-get-workspace-for-resource",
277        name = "batchGetWorkspaceForResource",
278        accept = conjure_http::client::conjure::CollectionResponseDeserializer
279    )]
280    async fn batch_get_workspace_for_resource(
281        &self,
282        #[auth]
283        auth_: &conjure_object::BearerToken,
284        #[body(serializer = conjure_http::client::StdRequestSerializer)]
285        request: &std::collections::BTreeSet<conjure_object::ResourceIdentifier>,
286    ) -> Result<
287        std::collections::BTreeMap<
288            conjure_object::ResourceIdentifier,
289            super::super::super::objects::api::rids::WorkspaceRid,
290        >,
291        conjure_http::private::Error,
292    >;
293    /// Marks a set of resources as belonging to a workspace. Either all resources are
294    /// registered or none are.
295    /// If the user is not in the workspace, this will throw.
296    /// If a resource already belongs to a different workspace, this will throw.
297    /// If a resource already belongs to this workspace, this is a no-op.
298    #[endpoint(
299        method = POST,
300        path = "/authorization/v1/register-in-workspace",
301        name = "registerInWorkspace",
302        accept = conjure_http::client::conjure::EmptyResponseDeserializer
303    )]
304    async fn register_in_workspace(
305        &self,
306        #[auth]
307        auth_: &conjure_object::BearerToken,
308        #[body(serializer = conjure_http::client::StdRequestSerializer)]
309        request: &super::super::super::objects::authorization::RegisterInWorkspaceRequest,
310    ) -> Result<(), conjure_http::private::Error>;
311    /// Given an authenticated session, this endpoint returns a HTTP 204 if the
312    /// authenticated user is an admin and HTTP 403 otherwise.
313    #[endpoint(
314        method = GET,
315        path = "/authorization/v1/checkAdmin",
316        name = "checkAdmin",
317        accept = conjure_http::client::conjure::EmptyResponseDeserializer
318    )]
319    async fn check_admin(
320        &self,
321        #[auth]
322        auth_: &conjure_object::BearerToken,
323    ) -> Result<(), conjure_http::private::Error>;
324    /// Checks if the email is allowed to register.
325    #[endpoint(
326        method = POST,
327        path = "/authorization/v1/is-email-allowed",
328        name = "isEmailAllowed",
329        accept = conjure_http::client::StdResponseDeserializer
330    )]
331    async fn is_email_allowed(
332        &self,
333        #[body(serializer = conjure_http::client::StdRequestSerializer)]
334        request: &super::super::super::objects::authorization::IsEmailAllowedRequest,
335    ) -> Result<
336        super::super::super::objects::authorization::IsEmailAllowedResponse,
337        conjure_http::private::Error,
338    >;
339    /// Checks if the email is allowed to register, following Okta "registration inline hook" API.
340    #[endpoint(
341        method = POST,
342        path = "/authorization/v1/is-email-allowed-okta",
343        name = "isEmailAllowedOkta",
344        accept = conjure_http::client::StdResponseDeserializer
345    )]
346    async fn is_email_allowed_okta(
347        &self,
348        #[body(serializer = conjure_http::client::StdRequestSerializer)]
349        request: &super::super::super::objects::authorization::OktaRegistrationRequest,
350    ) -> Result<
351        super::super::super::objects::authorization::OktaRegistrationResponse,
352        conjure_http::private::Error,
353    >;
354    /// Provides an OIDC ID token to get the orgs that the user is a member of. Throws NotAuthorized if the ID token
355    /// is invalid or if the OIDC provider is not known.
356    #[endpoint(
357        method = POST,
358        path = "/authorization/v1/user-orgs",
359        name = "getUserOrgs",
360        accept = conjure_http::client::StdResponseDeserializer
361    )]
362    async fn get_user_orgs(
363        &self,
364        #[body(serializer = conjure_http::client::StdRequestSerializer)]
365        request: &super::super::super::objects::authorization::GetUserOrgsRequest,
366    ) -> Result<
367        super::super::super::objects::authorization::GetUserOrgsResponse,
368        conjure_http::private::Error,
369    >;
370    /// Provide an OIDC ID token to get a Nominal access token suitable for making API requests.
371    /// Its expiry will match that of the input ID token, capped at 24h. TODO(MGMT-933): reduce this duration.
372    /// Throws NotAuthorized if the ID token is invalid or if the OIDC provider is not known.
373    #[endpoint(
374        method = POST,
375        path = "/authorization/v1/access-token",
376        name = "getAccessToken",
377        accept = conjure_http::client::StdResponseDeserializer
378    )]
379    async fn get_access_token(
380        &self,
381        #[body(serializer = conjure_http::client::StdRequestSerializer)]
382        request: &super::super::super::objects::authorization::GetAccessTokenRequest,
383    ) -> Result<
384        super::super::super::objects::authorization::GetAccessTokenResponse,
385        conjure_http::private::Error,
386    >;
387    /// Given an authenticated session, provide an OIDC access token to get a Nominal access token suitable
388    /// for making API requests. Its expiry will match that of the input access token, capped at 24h. TODO(MGMT-933):
389    /// reduce this duration. Throws NotAuthorized if the access token is invalid or if the OIDC provider is not
390    /// known.
391    #[endpoint(
392        method = POST,
393        path = "/authorization/v1/refresh-access-token",
394        name = "refreshAccessToken",
395        accept = conjure_http::client::StdResponseDeserializer
396    )]
397    async fn refresh_access_token(
398        &self,
399        #[body(serializer = conjure_http::client::StdRequestSerializer)]
400        request: &super::super::super::objects::authorization::RefreshAccessTokenRequest,
401    ) -> Result<
402        super::super::super::objects::authorization::RefreshAccessTokenResponse,
403        conjure_http::private::Error,
404    >;
405    /// Given an IDP issued id token, return the end session endpoint, accessed through the
406    /// .well-known/openid-configuration endpoint.
407    #[endpoint(
408        method = POST,
409        path = "/authorization/v1/get-idp-end-session-endpoint",
410        name = "getIdpEndSessionEndpoint",
411        accept = conjure_http::client::StdResponseDeserializer
412    )]
413    async fn get_idp_end_session_endpoint(
414        &self,
415        #[body(serializer = conjure_http::client::StdRequestSerializer)]
416        request: &super::super::super::objects::authorization::GetIdpEndSessionEndpointRequest,
417    ) -> Result<
418        super::super::super::objects::authorization::GetIdpEndSessionEndpointResponse,
419        conjure_http::private::Error,
420    >;
421    /// Provide a long-lived API key for making API requests.
422    /// The API key is irretrievable after initial creation.
423    #[endpoint(
424        method = POST,
425        path = "/authorization/v1/api-key",
426        name = "createApiKey",
427        accept = conjure_http::client::StdResponseDeserializer
428    )]
429    async fn create_api_key(
430        &self,
431        #[auth]
432        auth_: &conjure_object::BearerToken,
433        #[body(serializer = conjure_http::client::StdRequestSerializer)]
434        request: &super::super::super::objects::authorization::CreateApiKeyRequest,
435    ) -> Result<
436        super::super::super::objects::authorization::CreateApiKeyResponse,
437        conjure_http::private::Error,
438    >;
439    /// List all API keys in the organization.
440    #[endpoint(
441        method = POST,
442        path = "/authorization/v1/api-keys/org",
443        name = "listApiKeysInOrg",
444        accept = conjure_http::client::StdResponseDeserializer
445    )]
446    async fn list_api_keys_in_org(
447        &self,
448        #[auth]
449        auth_: &conjure_object::BearerToken,
450        #[body(serializer = conjure_http::client::StdRequestSerializer)]
451        request: &super::super::super::objects::authorization::ListApiKeyRequest,
452    ) -> Result<
453        super::super::super::objects::authorization::ListApiKeyResponse,
454        conjure_http::private::Error,
455    >;
456    /// List all API keys for the user.
457    #[endpoint(
458        method = POST,
459        path = "/authorization/v1/api-keys/user",
460        name = "listUserApiKeys",
461        accept = conjure_http::client::StdResponseDeserializer
462    )]
463    async fn list_user_api_keys(
464        &self,
465        #[auth]
466        auth_: &conjure_object::BearerToken,
467        #[body(serializer = conjure_http::client::StdRequestSerializer)]
468        request: &super::super::super::objects::authorization::ListApiKeyRequest,
469    ) -> Result<
470        super::super::super::objects::authorization::ListApiKeyResponse,
471        conjure_http::private::Error,
472    >;
473    /// Delete an API key.
474    #[endpoint(
475        method = PUT,
476        path = "/authorization/v1/api-key/{rid}/delete",
477        name = "revokeApiKey",
478        accept = conjure_http::client::conjure::EmptyResponseDeserializer
479    )]
480    async fn revoke_api_key(
481        &self,
482        #[auth]
483        auth_: &conjure_object::BearerToken,
484        #[path(name = "rid", encoder = conjure_http::client::conjure::PlainEncoder)]
485        rid: &super::super::super::objects::authorization::ApiKeyRid,
486    ) -> Result<(), conjure_http::private::Error>;
487}
488/// Authorization service manages the permissions for a user
489/// to access resources.
490#[conjure_http::conjure_client(name = "AuthorizationService", local)]
491pub trait LocalAsyncAuthorizationService<
492    #[response_body]
493    I: conjure_http::private::Stream<
494            Item = Result<conjure_http::private::Bytes, conjure_http::private::Error>,
495        >,
496> {
497    /// Given a set of resources, returns the set of resources that the
498    /// user is authorized to access.
499    #[endpoint(
500        method = POST,
501        path = "/authorization/v1/authorize",
502        name = "authorize",
503        accept = conjure_http::client::conjure::CollectionResponseDeserializer
504    )]
505    async fn authorize(
506        &self,
507        #[auth]
508        auth_: &conjure_object::BearerToken,
509        #[body(serializer = conjure_http::client::StdRequestSerializer)]
510        request: &super::super::super::objects::authorization::AuthorizationRequest,
511    ) -> Result<
512        std::collections::BTreeSet<conjure_object::ResourceIdentifier>,
513        conjure_http::private::Error,
514    >;
515    /// Given a set of resources, returns the workspace that each resource belongs to. If a user
516    /// is not authorized on the resource, will omit the resource from the response.
517    #[endpoint(
518        method = POST,
519        path = "/authorization/v1/batch-get-workspace-for-resource",
520        name = "batchGetWorkspaceForResource",
521        accept = conjure_http::client::conjure::CollectionResponseDeserializer
522    )]
523    async fn batch_get_workspace_for_resource(
524        &self,
525        #[auth]
526        auth_: &conjure_object::BearerToken,
527        #[body(serializer = conjure_http::client::StdRequestSerializer)]
528        request: &std::collections::BTreeSet<conjure_object::ResourceIdentifier>,
529    ) -> Result<
530        std::collections::BTreeMap<
531            conjure_object::ResourceIdentifier,
532            super::super::super::objects::api::rids::WorkspaceRid,
533        >,
534        conjure_http::private::Error,
535    >;
536    /// Marks a set of resources as belonging to a workspace. Either all resources are
537    /// registered or none are.
538    /// If the user is not in the workspace, this will throw.
539    /// If a resource already belongs to a different workspace, this will throw.
540    /// If a resource already belongs to this workspace, this is a no-op.
541    #[endpoint(
542        method = POST,
543        path = "/authorization/v1/register-in-workspace",
544        name = "registerInWorkspace",
545        accept = conjure_http::client::conjure::EmptyResponseDeserializer
546    )]
547    async fn register_in_workspace(
548        &self,
549        #[auth]
550        auth_: &conjure_object::BearerToken,
551        #[body(serializer = conjure_http::client::StdRequestSerializer)]
552        request: &super::super::super::objects::authorization::RegisterInWorkspaceRequest,
553    ) -> Result<(), conjure_http::private::Error>;
554    /// Given an authenticated session, this endpoint returns a HTTP 204 if the
555    /// authenticated user is an admin and HTTP 403 otherwise.
556    #[endpoint(
557        method = GET,
558        path = "/authorization/v1/checkAdmin",
559        name = "checkAdmin",
560        accept = conjure_http::client::conjure::EmptyResponseDeserializer
561    )]
562    async fn check_admin(
563        &self,
564        #[auth]
565        auth_: &conjure_object::BearerToken,
566    ) -> Result<(), conjure_http::private::Error>;
567    /// Checks if the email is allowed to register.
568    #[endpoint(
569        method = POST,
570        path = "/authorization/v1/is-email-allowed",
571        name = "isEmailAllowed",
572        accept = conjure_http::client::StdResponseDeserializer
573    )]
574    async fn is_email_allowed(
575        &self,
576        #[body(serializer = conjure_http::client::StdRequestSerializer)]
577        request: &super::super::super::objects::authorization::IsEmailAllowedRequest,
578    ) -> Result<
579        super::super::super::objects::authorization::IsEmailAllowedResponse,
580        conjure_http::private::Error,
581    >;
582    /// Checks if the email is allowed to register, following Okta "registration inline hook" API.
583    #[endpoint(
584        method = POST,
585        path = "/authorization/v1/is-email-allowed-okta",
586        name = "isEmailAllowedOkta",
587        accept = conjure_http::client::StdResponseDeserializer
588    )]
589    async fn is_email_allowed_okta(
590        &self,
591        #[body(serializer = conjure_http::client::StdRequestSerializer)]
592        request: &super::super::super::objects::authorization::OktaRegistrationRequest,
593    ) -> Result<
594        super::super::super::objects::authorization::OktaRegistrationResponse,
595        conjure_http::private::Error,
596    >;
597    /// Provides an OIDC ID token to get the orgs that the user is a member of. Throws NotAuthorized if the ID token
598    /// is invalid or if the OIDC provider is not known.
599    #[endpoint(
600        method = POST,
601        path = "/authorization/v1/user-orgs",
602        name = "getUserOrgs",
603        accept = conjure_http::client::StdResponseDeserializer
604    )]
605    async fn get_user_orgs(
606        &self,
607        #[body(serializer = conjure_http::client::StdRequestSerializer)]
608        request: &super::super::super::objects::authorization::GetUserOrgsRequest,
609    ) -> Result<
610        super::super::super::objects::authorization::GetUserOrgsResponse,
611        conjure_http::private::Error,
612    >;
613    /// Provide an OIDC ID token to get a Nominal access token suitable for making API requests.
614    /// Its expiry will match that of the input ID token, capped at 24h. TODO(MGMT-933): reduce this duration.
615    /// Throws NotAuthorized if the ID token is invalid or if the OIDC provider is not known.
616    #[endpoint(
617        method = POST,
618        path = "/authorization/v1/access-token",
619        name = "getAccessToken",
620        accept = conjure_http::client::StdResponseDeserializer
621    )]
622    async fn get_access_token(
623        &self,
624        #[body(serializer = conjure_http::client::StdRequestSerializer)]
625        request: &super::super::super::objects::authorization::GetAccessTokenRequest,
626    ) -> Result<
627        super::super::super::objects::authorization::GetAccessTokenResponse,
628        conjure_http::private::Error,
629    >;
630    /// Given an authenticated session, provide an OIDC access token to get a Nominal access token suitable
631    /// for making API requests. Its expiry will match that of the input access token, capped at 24h. TODO(MGMT-933):
632    /// reduce this duration. Throws NotAuthorized if the access token is invalid or if the OIDC provider is not
633    /// known.
634    #[endpoint(
635        method = POST,
636        path = "/authorization/v1/refresh-access-token",
637        name = "refreshAccessToken",
638        accept = conjure_http::client::StdResponseDeserializer
639    )]
640    async fn refresh_access_token(
641        &self,
642        #[body(serializer = conjure_http::client::StdRequestSerializer)]
643        request: &super::super::super::objects::authorization::RefreshAccessTokenRequest,
644    ) -> Result<
645        super::super::super::objects::authorization::RefreshAccessTokenResponse,
646        conjure_http::private::Error,
647    >;
648    /// Given an IDP issued id token, return the end session endpoint, accessed through the
649    /// .well-known/openid-configuration endpoint.
650    #[endpoint(
651        method = POST,
652        path = "/authorization/v1/get-idp-end-session-endpoint",
653        name = "getIdpEndSessionEndpoint",
654        accept = conjure_http::client::StdResponseDeserializer
655    )]
656    async fn get_idp_end_session_endpoint(
657        &self,
658        #[body(serializer = conjure_http::client::StdRequestSerializer)]
659        request: &super::super::super::objects::authorization::GetIdpEndSessionEndpointRequest,
660    ) -> Result<
661        super::super::super::objects::authorization::GetIdpEndSessionEndpointResponse,
662        conjure_http::private::Error,
663    >;
664    /// Provide a long-lived API key for making API requests.
665    /// The API key is irretrievable after initial creation.
666    #[endpoint(
667        method = POST,
668        path = "/authorization/v1/api-key",
669        name = "createApiKey",
670        accept = conjure_http::client::StdResponseDeserializer
671    )]
672    async fn create_api_key(
673        &self,
674        #[auth]
675        auth_: &conjure_object::BearerToken,
676        #[body(serializer = conjure_http::client::StdRequestSerializer)]
677        request: &super::super::super::objects::authorization::CreateApiKeyRequest,
678    ) -> Result<
679        super::super::super::objects::authorization::CreateApiKeyResponse,
680        conjure_http::private::Error,
681    >;
682    /// List all API keys in the organization.
683    #[endpoint(
684        method = POST,
685        path = "/authorization/v1/api-keys/org",
686        name = "listApiKeysInOrg",
687        accept = conjure_http::client::StdResponseDeserializer
688    )]
689    async fn list_api_keys_in_org(
690        &self,
691        #[auth]
692        auth_: &conjure_object::BearerToken,
693        #[body(serializer = conjure_http::client::StdRequestSerializer)]
694        request: &super::super::super::objects::authorization::ListApiKeyRequest,
695    ) -> Result<
696        super::super::super::objects::authorization::ListApiKeyResponse,
697        conjure_http::private::Error,
698    >;
699    /// List all API keys for the user.
700    #[endpoint(
701        method = POST,
702        path = "/authorization/v1/api-keys/user",
703        name = "listUserApiKeys",
704        accept = conjure_http::client::StdResponseDeserializer
705    )]
706    async fn list_user_api_keys(
707        &self,
708        #[auth]
709        auth_: &conjure_object::BearerToken,
710        #[body(serializer = conjure_http::client::StdRequestSerializer)]
711        request: &super::super::super::objects::authorization::ListApiKeyRequest,
712    ) -> Result<
713        super::super::super::objects::authorization::ListApiKeyResponse,
714        conjure_http::private::Error,
715    >;
716    /// Delete an API key.
717    #[endpoint(
718        method = PUT,
719        path = "/authorization/v1/api-key/{rid}/delete",
720        name = "revokeApiKey",
721        accept = conjure_http::client::conjure::EmptyResponseDeserializer
722    )]
723    async fn revoke_api_key(
724        &self,
725        #[auth]
726        auth_: &conjure_object::BearerToken,
727        #[path(name = "rid", encoder = conjure_http::client::conjure::PlainEncoder)]
728        rid: &super::super::super::objects::authorization::ApiKeyRid,
729    ) -> Result<(), conjure_http::private::Error>;
730}