Descope

Enhancements
* **Access key descriptions and permitted IPs list**: Access key descriptions can now be set - both from the console as well as the SDK. This also applies for permitted IPs (the source IP that is used by the access key upon request) - which supports both single IP addresses as well as CIDRs.
* **Application sign-out URL**: We've added an option to configure a specific application sign-out URL using the `logout_redirect_url` param in SAML related functions. This is useful when Descope is your IdP, and you want to sign a user out of Descope when they sign out from their SP.
* **User interaction override**: With the `force_authentication` flag in applications, you can force end user to interact in a specific way with Descope (as IdP), regardless of the SP's settings.

Bug fixes
* **Audit timestamps weren't datetimes**: the `from` and `to` audit parameters were fixed to be returned as proper datetime (timestamp) objects.

Enhancements
* **Custom audit events**: We've added the function `create_event` to our `audit` object, that allows you to generate your own custom audit events. You can also create your custom audit event to provide different data than that provided by Descope.
* **Option to automatically delete related users/access keys when deleting their associated tenant**: We've added an option to handle auto-deletion of 'orphaned' users and access keys when their last tenant is deleted. When deleting a tenant, you can use the new `cascade` flag to indicate that if part of the tenant's users/access keys are left with no tenant association - they will also be deleted from the project.
* **ReBAC relationship checker**: We added a new function `what_can_target_access_with_relation` to check what resources a user has access, per the application's ReBAC schema. Search is recursive.
* **TOTP seed migration**: When batch importing users into Descope, you can specify collecting their TOTP seed as part of the migration. If provided in the data, that seed will now be associated with the user and the next authentication will be seamless.
* **Force refresh of OAuth/OIDC provider token**: Current refresh of provider token is based on its expiration time. There are some cases in which the provider doesn't return the expiration, and for that we aded the `forceRefresh` parameter when using the `user_get_provider_token` function - to force refreshing the provider token.

Enhancements
* **OTP via voice**: In addition to sending OTP via SMS or email - we now support a third delivery method - voice call, with the `DeliveryMethod.VOICE` option.

Enhancements
* **Custom claims for access keys**: You can define custom claims that will be added upon creation or exchange of access key tokens. See our example on how to use it in the exchange process in our [README](https://github.com/descope/python-sdk?tab=readme-ov-file#manage-access-keys).
* **Search over roles**: We've added a new `search` function roles, to allow easy searching over them. This function works both for project level roles as well as tenant level roles (depending on the used filter).

Breaking changes
* **Set an active password for a user**: You can set a new active password for a user, with the `set_active_password` function , which they can then use to sign in. It will be applied with the project's password expiration settings, after which the user will have to update it to their own.
Notice that we deprecated the `set_password` function, and now offer a `set_temporary_password` function instead. The functionality is the same as before (automatically expires the password, making the user reset it upon first authentication) - we just wanted to make sure it's clearer!

Enhancements
* **Tenant-level roles**: Tenants can require having their own set of roles on top of the default roles provided in your application. For that, we enhanced existing roles function (`create`, `update`, `delete`) to support association with a specific `tenant_id`.
* **User impersonation**: Using the `impersonate` function, you can decide which user you would want to temporarily sign in on behalf of. Please make sure to read our SDK's [README](https://github.com/descope/python-sdk?tab=readme-ov-file#impersonate) on impersonation, as well as our [KB article](https://docs.descope.com/knowledgebase/general/userimpersonation/) on the topic to fully understand this feature and how to securely use it.

Enhancements
* **Support Bcrypt and Firebase encoding**: Some systems encode passwords with the Bcrypt hashing mechanism, so we added support for importing those hashes into Descope using the InviteBatch function. We also added support for the Firebase hashing mechanism.
* **User authentication activity log**: Using the new `history` command, you can find out more information (such as IP address, country, etc) on your users' authentications. Read more about this in the SDK's [README](https://github.com/descope/python-sdk?tab=readme-ov-file#history).
* **Associate an access key with a specific user**: We've added the `user_id` parameter to the access key `create` function, so that upon creation that key will be associated with the user. This means that if the user's status is change (for example - the user is disabled) - then the access key's status changes accordingly (gets deactivated).