// Code generated by oagen. DO NOT EDIT.

package workos

import (
	
	
	
	
)

// SSOService handles SSO operations.
type SSOService struct {
	client *Client
}

// SSOListConnectionsParams contains the parameters for ListConnections.
type SSOListConnectionsParams struct {
	PaginationParams
	// ConnectionType is filter Connections by their type.
	ConnectionType *ConnectionsConnectionType `url:"connection_type,omitempty" json:"-"`
	// Domain is filter Connections by their associated domain.
	Domain *string `url:"domain,omitempty" json:"-"`
	// OrganizationID is filter Connections by their associated organization.
	OrganizationID *string `url:"organization_id,omitempty" json:"-"`
	// Search is searchable text to match against Connection names.
	Search *string `url:"search,omitempty" json:"-"`
}

// ListConnections
// Get a list of all of your existing connections matching the criteria specified.
func ( *SSOService) ( context.Context,  *SSOListConnectionsParams,  ...RequestOption) *Iterator[Connection] {
	return newIterator[Connection](, .client, "GET", "/connections", , "after", "data", , map[string]string{"limit": "10", "order": "desc"})
}

// GetConnection get a Connection
// Get the details of an existing connection.
func ( *SSOService) ( context.Context,  string,  ...RequestOption) (*Connection, error) {
	var  Connection
	,  := .client.request(, "GET", fmt.Sprintf("/connections/%s", url.PathEscape()), nil, nil, &, )
	if  != nil {
		return nil, 
	}
	return &, nil
}

// DeleteConnection delete a Connection
// Permanently deletes an existing connection. It cannot be undone.
func ( *SSOService) ( context.Context,  string,  ...RequestOption) error {
	,  := .client.request(, "DELETE", fmt.Sprintf("/connections/%s", url.PathEscape()), nil, nil, nil, )
	return 
}

// SSOGetAuthorizationURLParams contains the parameters for GetAuthorizationURL.
type SSOGetAuthorizationURLParams struct {
	// ProviderScopes is additional scopes to request from the identity provider. Applicable when using OAuth or OpenID Connect connections.
	ProviderScopes []string `url:"provider_scopes,omitempty" json:"-"`
	// ProviderQueryParams is key/value pairs of query parameters to pass to the OAuth provider. Only applicable when using OAuth connections.
	ProviderQueryParams map[string]string `url:"provider_query_params,omitempty" json:"-"`
	// Domain is deprecated. Use `connection` or `organization` instead. Used to initiate SSO for a connection by domain. The domain must be associated with a connection in your WorkOS environment.
	//
	// Deprecated: this parameter is deprecated.
	Domain *string `url:"domain,omitempty" json:"-"`
	// Provider is used to initiate OAuth authentication with various providers.
	Provider *SSOProvider `url:"provider,omitempty" json:"-"`
	// RedirectURI is where to redirect the user after they complete the authentication process. You must use one of the redirect URIs configured via the [Redirects](https://dashboard.workos.com/redirects) page on the dashboard.
	RedirectURI string `url:"redirect_uri" json:"-"`
	// State is an optional parameter that can be used to encode arbitrary information to help restore application state between redirects. If included, the redirect URI received from WorkOS will contain the exact `state` that was passed.
	State *string `url:"state,omitempty" json:"-"`
	// Connection is used to initiate SSO for a connection. The value should be a WorkOS connection ID.
	// You can persist the WorkOS connection ID with application user or team identifiers. WorkOS will use the connection indicated by the connection parameter to direct the user to the corresponding IdP for authentication.
	Connection *string `url:"connection,omitempty" json:"-"`
	// Organization is used to initiate SSO for an organization. The value should be a WorkOS organization ID.
	// You can persist the WorkOS organization ID with application user or team identifiers. WorkOS will use the organization ID to determine the appropriate connection and the IdP to direct the user to for authentication.
	Organization *string `url:"organization,omitempty" json:"-"`
	// DomainHint is can be used to pre-fill the domain field when initiating authentication with Microsoft OAuth or with a Google SAML connection type.
	DomainHint *string `url:"domain_hint,omitempty" json:"-"`
	// LoginHint is can be used to pre-fill the username/email address field of the IdP sign-in page for the user, if you know their username ahead of time. Currently supported for OAuth, OpenID Connect, Okta, Entra ID, and custom SAML connections.
	LoginHint *string `url:"login_hint,omitempty" json:"-"`
	// Nonce is a random string generated by the client that is used to mitigate replay attacks.
	Nonce *string `url:"nonce,omitempty" json:"-"`
}

// GetAuthorizationURL initiate SSO
// Initiates the single sign-on flow.
func ( *SSOService) ( *SSOGetAuthorizationURLParams,  ...RequestOption) string {
	 := url.Values{}
	.Set("response_type", "code")
	if .client.clientID != "" {
		.Set("client_id", .client.clientID)
	}
	if .ProviderScopes != nil {
		.Set("provider_scopes", strings.Join(.ProviderScopes, ","))
	}
	if .ProviderQueryParams != nil {
		for ,  := range .ProviderQueryParams {
			.Set(fmt.Sprintf("provider_query_params[%s]", ), fmt.Sprintf("%v", ))
		}
	}
	if .Domain != nil {
		.Set("domain", *.Domain)
	}
	if .Provider != nil {
		.Set("provider", fmt.Sprintf("%v", *.Provider))
	}
	.Set("redirect_uri", .RedirectURI)
	if .State != nil {
		.Set("state", *.State)
	}
	if .Connection != nil {
		.Set("connection", *.Connection)
	}
	if .Organization != nil {
		.Set("organization", *.Organization)
	}
	if .DomainHint != nil {
		.Set("domain_hint", *.DomainHint)
	}
	if .LoginHint != nil {
		.Set("login_hint", *.LoginHint)
	}
	if .Nonce != nil {
		.Set("nonce", *.Nonce)
	}
	return .client.buildURL("/sso/authorize", , )
}

// SSOGetLogoutURLParams contains the parameters for GetLogoutURL.
type SSOGetLogoutURLParams struct {
	// Token is the logout token returned from the [Logout Authorize](https://workos.com/docs/reference/sso/logout/authorize) endpoint.
	Token string `url:"token" json:"-"`
}

// GetLogoutURL logout Redirect
// Logout allows to sign out a user from your application by triggering the identity provider sign out flow. This `GET` endpoint should be a redirection, since the identity provider user will be identified in the browser session.
// Before redirecting to this endpoint, you need to generate a short-lived logout token using the [Logout Authorize](https://workos.com/docs/reference/sso/logout/authorize) endpoint.
func ( *SSOService) ( *SSOGetLogoutURLParams,  ...RequestOption) string {
	 := url.Values{}
	.Set("token", .Token)
	return .client.buildURL("/sso/logout", , )
}

// SSOAuthorizeLogoutParams contains the parameters for AuthorizeLogout.
type SSOAuthorizeLogoutParams struct {
	// ProfileID is the unique ID of the profile to log out.
	ProfileID string `json:"profile_id" url:"-"`
}

// AuthorizeLogout logout Authorize
// You should call this endpoint from your server to generate a logout token which is required for the [Logout Redirect](https://workos.com/docs/reference/sso/logout) endpoint.
func ( *SSOService) ( context.Context,  *SSOAuthorizeLogoutParams,  ...RequestOption) (*SSOLogoutAuthorizeResponse, error) {
	var  SSOLogoutAuthorizeResponse
	,  := .client.request(, "POST", "/sso/logout/authorize", nil, , &, )
	if  != nil {
		return nil, 
	}
	return &, nil
}

// GetProfile get a User Profile
// Exchange an access token for a user's [Profile](https://workos.com/docs/reference/sso/profile). Because this profile is returned in the [Get a Profile and Token endpoint](https://workos.com/docs/reference/sso/profile/get-profile-and-token) your application usually does not need to call this endpoint. It is available for any authentication flows that require an additional endpoint to retrieve a user's profile.
func ( *SSOService) ( context.Context,  ...RequestOption) (*Profile, error) {
	var  Profile
	,  := .client.request(, "GET", "/sso/profile", nil, nil, &, )
	if  != nil {
		return nil, 
	}
	return &, nil
}

// SSOGetProfileAndTokenParams contains the parameters for GetProfileAndToken.
type SSOGetProfileAndTokenParams struct {
	// Code is the authorization code received from the authorization callback.
	Code string `json:"code" url:"-"`
}

// getProfileAndTokenBody is the JSON request body for GetProfileAndToken.
type getProfileAndTokenBody struct {
	GrantType    string `json:"grant_type"`
	Code         string `json:"code"`
	ClientID     string `json:"client_id,omitempty"`
	ClientSecret string `json:"client_secret,omitempty"`
}

// GetProfileAndToken get a Profile and Token
// Get an access token along with the user [Profile](https://workos.com/docs/reference/sso/profile) using the code passed to your [Redirect URI](https://workos.com/docs/reference/sso/get-authorization-url/redirect-uri).
func ( *SSOService) ( context.Context,  *SSOGetProfileAndTokenParams,  ...RequestOption) (*SSOTokenResponse, error) {
	 := getProfileAndTokenBody{
		GrantType: "authorization_code",
		Code:      .Code,
	}
	.ClientID = .client.clientID
	.ClientSecret = .client.apiKey
	var  SSOTokenResponse
	,  := .client.request(, "POST", "/sso/token", , , &, )
	if  != nil {
		return nil, 
	}
	return &, nil
}