feat(core,schemas): add CRUD for consent organization resource scopes

packages/console/src/pages/ApplicationDetails/ApplicationDetailsContent/Permissions/ApplicationScopesAssignmentModal/constants.ts

@@ -10,6 +10,11 @@
     title: 'application_details.permissions.api_resource',
     key: ApplicationUserConsentScopeType.ResourceScopes,
   },
+  [ApplicationUserConsentScopeType.OrganizationResourceScopes]: {
+    // TODO @xiaoyijun: update the title
+    title: 'application_details.permissions.api_resource',
+    key: ApplicationUserConsentScopeType.OrganizationResourceScopes,
+  },
   [ApplicationUserConsentScopeType.OrganizationScopes]: {
     title: 'application_details.permissions.organization',
     key: ApplicationUserConsentScopeType.OrganizationScopes,

packages/console/src/pages/ApplicationDetails/ApplicationDetailsContent/Permissions/ApplicationScopesAssignmentModal/use-application-scopes-assignment.ts

@@ -72,6 +72,8 @@
       [ApplicationUserConsentScopeType.UserScopes]: userScopesAssignment,
       [ApplicationUserConsentScopeType.OrganizationScopes]: organizationScopesAssignment,
       [ApplicationUserConsentScopeType.ResourceScopes]: resourceScopesAssignment,
+      // TODO @xiaoyijun: Replace with correct scopes
+      [ApplicationUserConsentScopeType.OrganizationResourceScopes]: resourceScopesAssignment,
     }),
     [organizationScopesAssignment, resourceScopesAssignment, userScopesAssignment]
   );

packages/core/src/libraries/application.ts

@@ -32,6 +32,7 @@
     applications: {
       findApplicationById,
       userConsentOrganizationScopes,
+      userConsentOrganizationResourceScopes,
       userConsentResourceScopes,
       userConsentUserScopes,
     },
@@ -76,16 +77,20 @@
     {
       organizationScopes = [],
       resourceScopes = [],
+      organizationResourceScopes = [],
     }: {
       organizationScopes?: string[];
       resourceScopes?: string[];
+      organizationResourceScopes?: string[];
     },
     tenantId: string
   ) => {
-    const [organizationScopesData, resourceScopesData] = await Promise.all([
-      organizationScopesQuery.findByIds(organizationScopes),
-      findScopesByIds(resourceScopes),
-    ]);
+    const [organizationScopesData, resourceScopesData, organizationResourceScopesData] =
+      await Promise.all([
+        organizationScopesQuery.findByIds(organizationScopes),
+        findScopesByIds(resourceScopes),
+        findScopesByIds(organizationResourceScopes),
+      ]);
 
     const invalidOrganizationScopes = organizationScopes.filter(
       (scope) => !organizationScopesData.some(({ id }) => id === scope)
@@ -95,22 +100,28 @@
       (scope) => !resourceScopesData.some(({ id }) => id === scope)
     );
 
+    const invalidOrganizationResourceScopes = organizationResourceScopes.filter(
+      (scope) => !organizationResourceScopesData.some(({ id }) => id === scope)
+    );
+
     // Assert that all scopes exist, return the missing ones
     assertThat(
-      invalidOrganizationScopes.length === 0 && invalidResourceScopes.length === 0,
+      invalidOrganizationScopes.length === 0 &&
+        invalidResourceScopes.length === 0 &&
+        invalidOrganizationResourceScopes.length === 0,
       new RequestError(
         {
           code: 'application.user_consent_scopes_not_found',
           status: 422,
         },
-        { invalidOrganizationScopes, invalidResourceScopes }
+        { invalidOrganizationScopes, invalidResourceScopes, invalidOrganizationResourceScopes }
       )
     );
 
     const managementApiResourceIndicator = getManagementApiResourceIndicator(tenantId);
 
     const managementApiScopes = await findScopesByIdsAndResourceIndicator(
-      resourceScopes,
+      [...resourceScopes, ...organizationResourceScopes],
       managementApiResourceIndicator
     );
 
@@ -129,10 +140,12 @@
     {
       organizationScopes,
       resourceScopes,
+      organizationResourceScopes,
       userScopes,
     }: {
       organizationScopes?: string[];
       resourceScopes?: string[];
+      organizationResourceScopes?: string[];
       userScopes?: string[];
     }
   ) => {
@@ -148,6 +161,12 @@
       );
     }
 
+    if (organizationResourceScopes) {
+      await userConsentOrganizationResourceScopes.insert(
+        ...organizationResourceScopes.map<[string, string]>((scope) => [applicationId, scope])
+      );
+    }
+
     if (userScopes) {
       await Promise.all(
         userScopes.map(async (userScope) =>
@@ -181,6 +200,21 @@
     );
   };
 
+  const getApplicationUserConsentOrganizationResourceScopes = async (applicationId: string) => {
+    const [, scopes] = await userConsentOrganizationResourceScopes.getEntities(Scopes, {
+      applicationId,
+    });
+
+    const groupedScopes = groupResourceScopesByResourceId(scopes);
+
+    return Promise.all(
+      groupedScopes.map(async ({ resourceId, scopes }) => ({
+        resource: await findResourceById(resourceId),
+        scopes,
+      }))
+    );
+  };
+
   const getApplicationUserConsentScopes = async (applicationId: string) =>
     userConsentUserScopes.findAllByApplicationId(applicationId);
 
@@ -198,6 +232,10 @@
         await userConsentResourceScopes.delete({ applicationId, scopeId });
         break;
       }
+      case ApplicationUserConsentScopeType.OrganizationResourceScopes: {
+        await userConsentOrganizationResourceScopes.delete({ applicationId, scopeId });
+        break;
+      }
       case ApplicationUserConsentScopeType.UserScopes: {
         await userConsentUserScopes.deleteByApplicationIdAndScopeId(applicationId, scopeId);
         break;
@@ -250,6 +288,7 @@
     assignApplicationUserConsentScopes,
     getApplicationUserConsentOrganizationScopes,
     getApplicationUserConsentResourceScopes,
+    getApplicationUserConsentOrganizationResourceScopes,
     getApplicationUserConsentScopes,
     deleteApplicationUserConsentScopesByTypeAndScopeId,
     validateUserConsentOrganizationMembership,

packages/core/src/queries/application-user-consent-scopes.ts

@@ -2,6 +2,7 @@ import { type UserScope } from '@logto/core-kit';
 import {
   ApplicationUserConsentOrganizationScopes,
   ApplicationUserConsentResourceScopes,
+  ApplicationUserConsentOrganizationResourceScopes,
   ApplicationUserConsentUserScopes,
   Applications,
   OrganizationScopes,
@@ -32,6 +33,15 @@ export class ApplicationUserConsentResourceScopeQueries extends TwoRelationsQuer
   }
 }
 
+export class ApplicationUserConsentOrganizationResourceScopeQueries extends TwoRelationsQueries<
+  typeof Applications,
+  typeof Scopes
+> {
+  constructor(pool: CommonQueryMethods) {
+    super(pool, ApplicationUserConsentOrganizationResourceScopes.table, Applications, Scopes);
+  }
+}
+
 export const createApplicationUserConsentUserScopeQueries = (pool: CommonQueryMethods) => {
   const insert = buildInsertIntoWithPool(pool)(ApplicationUserConsentUserScopes, {
     onConflict: { ignore: true },

packages/core/src/queries/application.ts

@@ -15,6 +15,7 @@ import type { OmitAutoSetFields } from '#src/utils/sql.js';
 
 import ApplicationUserConsentOrganizationsQuery from './application-user-consent-organizations.js';
 import {
+  ApplicationUserConsentOrganizationResourceScopeQueries,
   ApplicationUserConsentOrganizationScopeQueries,
   ApplicationUserConsentResourceScopeQueries,
   createApplicationUserConsentUserScopeQueries,
@@ -253,6 +254,8 @@ export const createApplicationQueries = (pool: CommonQueryMethods) => {
     deleteApplicationById,
     userConsentOrganizationScopes: new ApplicationUserConsentOrganizationScopeQueries(pool),
     userConsentResourceScopes: new ApplicationUserConsentResourceScopeQueries(pool),
+    userConsentOrganizationResourceScopes:
+      new ApplicationUserConsentOrganizationResourceScopeQueries(pool),
     userConsentUserScopes: createApplicationUserConsentUserScopeQueries(pool),
     userConsentOrganizations: new ApplicationUserConsentOrganizationsQuery(pool),
   };

packages/core/src/routes/applications/application-user-consent-scope.openapi.json

@@ -15,6 +15,9 @@
                   "resourceScopes": {
                     "description": "A list of resource scope id to assign to the application. Throws error if any given resource scope is not found."
                   },
+                  "organizationResourceScopes": {
+                    "description": "A list of organization resource scope id to assign to the application. Throws error if any given resource scope is not found."
+                  },
                   "userScopes": {
                     "description": "A list of user scope enum value to assign to the application."
                   }
@@ -51,6 +54,9 @@
                     "resourceScopes": {
                       "description": "A list of resource scope details grouped by resource id assigned to the application."
                     },
+                    "organizationResourceScopes": {
+                      "description": "A list of organization resource scope details grouped by resource id assigned to the application."
+                    },
                     "userScopes": {
                       "description": "A list of user scope enum value assigned to the application."
                     }

packages/core/src/routes/applications/application-user-consent-scope.ts

@@ -5,6 +5,7 @@
 } from '@logto/schemas';
 import { object, string, nativeEnum } from 'zod';
 
+import { EnvSet } from '#src/env-set/index.js';
 import koaGuard from '#src/middleware/koa-guard.js';
 
 import type { ManagementApiRouter, RouterInitArgs } from '../types.js';
@@ -24,6 +25,7 @@
           assignApplicationUserConsentScopes,
           getApplicationUserConsentOrganizationScopes,
           getApplicationUserConsentResourceScopes,
+          getApplicationUserConsentOrganizationResourceScopes,
           getApplicationUserConsentScopes,
           deleteApplicationUserConsentScopesByTypeAndScopeId,
         },
@@ -40,6 +42,7 @@
       body: object({
         organizationScopes: string().array().optional(),
         resourceScopes: string().array().optional(),
+        organizationResourceScopes: string().array().optional(),
         userScopes: nativeEnum(UserScope).array().optional(),
       }),
       status: [201, 404, 422],
@@ -50,11 +53,15 @@
         body,
       } = ctx.guard;
 
+      // TODO @wangsijie: Remove this when feature is enabled in production
+      const { organizationResourceScopes, ...rest } = body;
+      const theBody = EnvSet.values.isDevFeaturesEnabled ? body : rest;
+
       await validateThirdPartyApplicationById(applicationId);
 
-      await validateApplicationUserConsentScopes(body, tenantId);
+      await validateApplicationUserConsentScopes(theBody, tenantId);
 
-      await assignApplicationUserConsentScopes(applicationId, body);
+      await assignApplicationUserConsentScopes(applicationId, theBody);
 
       ctx.status = 201;
 
@@ -68,7 +75,9 @@
       params: object({
         applicationId: string(),
       }),
-      response: applicationUserConsentScopesResponseGuard,
+      response: EnvSet.values.isDevFeaturesEnabled
+        ? applicationUserConsentScopesResponseGuard
+        : applicationUserConsentScopesResponseGuard.omit({ organizationResourceScopes: true }),
       status: [200, 404],
     }),
     async (ctx, next) => {
@@ -77,17 +86,26 @@
       await findApplicationById(applicationId);
 
       // Note: The following queries will return full data schema, we rely on the response guard to filter out the fields we don't need.
-      const [organizationScopes, resourceScopes, userScopes] = await Promise.all([
-        getApplicationUserConsentOrganizationScopes(applicationId),
-        getApplicationUserConsentResourceScopes(applicationId),
-        getApplicationUserConsentScopes(applicationId),
-      ]);
-
-      ctx.body = {
-        organizationScopes,
-        resourceScopes,
-        userScopes,
-      };
+      const [organizationScopes, resourceScopes, organizationResourceScopes, userScopes] =
+        await Promise.all([
+          getApplicationUserConsentOrganizationScopes(applicationId),
+          getApplicationUserConsentResourceScopes(applicationId),
+          getApplicationUserConsentOrganizationResourceScopes(applicationId),
+          getApplicationUserConsentScopes(applicationId),
+        ]);
+
+      ctx.body = EnvSet.values.isDevFeaturesEnabled
+        ? {
+            organizationScopes,
+            resourceScopes,
+            organizationResourceScopes,
+            userScopes,
+          }
+        : {
+            organizationScopes,
+            resourceScopes,
+            userScopes,
+          };
 
       return next();
     }

packages/integration-tests/src/api/application-user-consent-scope.ts

@@ -11,6 +11,7 @@ export const assignUserConsentScopes = async (
   payload: {
     organizationScopes?: string[];
     resourceScopes?: string[];
+    organizationResourceScopes?: string[];
     userScopes?: UserScope[];
   }
 ) => authedAdminApi.post(`applications/${applicationId}/user-consent-scopes`, { json: payload });