Descope

Enhancements
* 😮 **Tenant SSO - supporting SAML and OIDC**: We've recently expanded our tenant SSO support to both SAML and OIDC configurations, so we created a set of generic SSO commands that replace the existing SAML ones.
Using the dedicated `SSOSAMLSettings`, `SSOSAMLSettingsByMetadata ` and `SSOOIDCSettings` objects, along with their matching functions, you can define a tenant's SSO configuration settings.
This also means that dedicated SAML authentication commands are now deprecated, and we encourage you to update your code to use the new commands:
* `saml.exchange_token` >> `sso.exchange_token`
* `saml.start` >> `sso.start`
* **Use external information in email/text message templates**: Just like custom flow inputs, you can now provide custom template inputs that can be added to the email/text message template upon runtime. For example, you can choose to pass the user's IP into the template, to present upon verification.
* **Applications management**: Applications, also known as SSO Applications, are used to integrate with an application using SAML or OIDC. Under the `sso_application` object, you can find an option to create, load, update and delete applications in a specific project. Find out more about applications in our [documentation](https://docs.descope.com/manage/idpapplications/).
* **Associate an application to a user**: You can decide to associate one or more application to a user, thus controlling which of your users has access to those apps. If the user doesn't have access - no JWT will be generated and the authentication to that application will fail.
* **Delete a flow**: Using the `delete_flows` function, you can delete one or more flows.
* **Free search and sorting in users**: Two new parameters were added to the `search_all` users function: `text` will allow searching any text value in all user attributes; `sort` will allow sorting the returned values alphabetically by attribute name.
* **Get recent changes in Authz schema definition**: We added the `get_modified` authz function, to be able to understand which new targets and resources were created or updated since a certain time.

Breaking changes
* **Support multiple domains for tenant**: There's an option to automatically associated a user to a tenant based on the user's email domain. Sometimes the same tenant can 'accept' multiple domains - so that's supported now!
Please notice that this breaks compilation - considering this value is now an array and not a string.

Enhancements
* **Appending user login IDs**: We've added the option to assign multiple login IDs to a user, using the `additional_login_ids` parameter, upon creation and/or invitation of the user.
* **First, middle and last names of a user**: We added system attributes for first (`given_name`), middle (`middle_name`) and last (`family_name`) of a user.
* **Control audience claim in access keys**: With the new `audience` parameter in the `exchange_access_key` function - you can control the `aud` claim in the JWT that's created for the access key.
* **Set the user's roles**: We now support the option to set an existing user's roles. Instead of fetching existing roles, removing all of them and adding new ones 'from scratch' - use the `set_roles` user function.
* **Check roles or permissions of a user**: Check if the user has at least one of the roles in a provided list, using the `get_matched_roles` function. This also applies for checking permissions (`get_matched_permissions`), and also for checking the existence on a project level and a specific tenant level (`get_matched_tenant_roles` , `get_matched_tenant_permissions`).
* **Batch user invitation**: You can now use the `invite_batch` function to add multiple users to your project.
* **Remove a user's passkey login IDs**: Using the `remove_all_passkeys` management function, the Descoper can decide to remove all passkeys associated with a specific user.
* **Delete a user by its user ID**: Support to delete a user by its userId property, using the new `delete_by_user_id` function.

Bug fixes
* **Support embedded delivery method and login options in test users**: Some functionalities were left out from the test users' support, so we made sure those are quickly added.

Enhancements
* **ReBAC support**: Descope now supports an advanced and more elaborate concept of authorization, known as ReBAC. ReBAC, Relation-Based Access Control, allows defining the user's permissions based on its relationship to various objects, using a directed graph of connections between them. Read more in our [README](https://github.com/descope/python-sdk#manage-rebac-authz).
* **Search users by email or phone**: We enabled the option to search over the user email and phone attributes - regardless if those are used as Login IDs or not.
* **Flask decorators as extra package**: We've added Flask as an extra package to the SDK. This means that it is not installed by default, but only when setting the relevant flag appropriately, and installing all relevant Flask dependencies.
* **Search over tenants**: Using the `search_all` tenants command, you can now search for all tenants based on their attribute values, such as name, self-provisioning domains, custom attributes and more.
* **Logout all user sessions**: Descopers can now decide to terminate a specific user's sessions across existing devices, using the management SDK. You can do so by providing the user's Login ID (`logout_user_by_user_id`) or their User ID (`logout_user`).
* **Invitation of users using their phone number**: If needed, upon inviting a user - you can configure that the invitation is sent via SMS using the sendSMS boolean flag.
* **Cloning a project**: Projects can be programmatically cloned using the new `clone` project command. Note that this action is supported for pro and enterprise licensed customers.
* **README enhancements**: Making our README more informative and full of examples for better explainability!

Bug fixes
* **Improved exception type catches**: To provide as much information as we can on token validation exceptions, we've changed our existing encapsulated errors to be more specific.

Enhancements
* **Setting email and phone verification status upon creation**: When creating a new user, you can now control whether the email and/or phone of that user are verified or not.
* **Setting the Invitation URL via SDK**: Using the new `invite_url` parameter, you can define a specific invitation URL when inviting a new user, that will override the default invitation URL set in your project's settings.

Enhancements
* **Password Replace return value**: We're now returning the JWT's response in the `password.replace` function, so that the session and refresh JWTs can be utilized (for example, in flows).
* **OIDC JWT validation support**: For OIDC JWT validation, we've added the option to pass the `audience` value to all validation functions (such as `validation_session`). That value will be compared to the `aud` claim in the JWT, so to make sure those are aligned. This is a must when using OIDC.

Enhancements
* **Embedded links**: We now support the option of generating an embedded link. Using the `generate_embedded_link` function, the Descoper can now generate a link that contains a user's token, thus requiring only verification to finalize the authentication.
⚠️ Please notice that this feature needs to be turned on in the console, as it's considered an advanced feature that requires extra planning and attention when used. Make sure only permitted personnel use it, and that it is audited appropriately in the relevant places.
* **Search by user status**: We've added the option to search over user `statuses` using the `search_all` function.