add Embedded Wallet OAUTH credential to additional credential flow #362
Greptile Summary
This PR extends
Confidence Score: 5/5
This PR is safe to merge — it is a clean, additive OpenAPI schema extension with no breaking changes. All changes are strictly additive and follow the existing EMAIL_OTP pattern exactly. Schema structure, discriminator mapping, Stainless SDK registration, and generated bundle diffs are all consistent. No logic or correctness issues found. No files require special attention.

| Filename | Overview |
|---|---|
| openapi/components/schemas/auth/OauthCredentialAdditionalChallenge.yaml | New schema combining base challenge fields and the OAUTH discriminator; correctly mirrors EmailOtpCredentialAdditionalChallenge.yaml structure. |
| openapi/components/schemas/auth/OauthCredentialAdditionalChallengeFields.yaml | New discriminator-narrowing schema; type: OAUTH enum correctly constrains the base schema's type field — consistent with EmailOtpCredentialAdditionalChallengeFields pattern. |
| openapi/components/schemas/auth/AuthCredentialAdditionalChallengeOneOf.yaml | Added OAUTH variant to oneOf list and discriminator mapping; correctly extends the existing EMAIL_OTP entry. |
| openapi/paths/auth/auth_credentials.yaml | Added 202 OAuth example; shape matches schema (type, payloadToSign, requestId, expiresAt) with no extraneous fields. |
| .stainless/stainless.yml | Registers OauthCredentialAdditionalChallenge and OauthCredentialAdditionalChallengeFields in the SDK resource map, consistent with how EMAIL_OTP variants are registered. |
| openapi.yaml | Generated bundle reflecting all source YAML changes; correctly in sync with openapi/ source files. |
| mintlify/openapi.yaml | Generated Mintlify bundle; identical changes to root openapi.yaml, correctly in sync. |
Sequence Diagram
```mermaid
sequenceDiagram
    participant Client
    participant API as POST /auth/credentials
    Client->>API: {type: OAUTH, accountId, oidcToken}
    API-->>Client: 202 {type: OAUTH, payloadToSign, requestId, expiresAt}
    Note over Client: Sign payloadToSign with<br/>session private key of<br/>existing verified credential
    Client->>API: Retry + Grid-Wallet-Signature + Request-Id headers
    API-->>Client: 201 {AuthMethod}
```
Reviews (1): Last reviewed commit: "feat: add OAUTH branch to additional-cre..."
Adds the OAUTH branch to `AuthCredentialAdditionalChallengeOneOf`, letting platforms register a second (or third, etc.) OAuth credential on an internal account that already has one. Completes the "add another credential" challenge/retry pattern for OAuth, matching the EMAIL_OTP flow already in the stack.
**Flow**
1. `POST /auth/credentials` with `{ type: "OAUTH", accountId, oidcToken }` on an account that already has a credential.
2. Response is 202 with `{ type: "OAUTH", payloadToSign, requestId, expiresAt }`.
3. Client signs `payloadToSign` with the session private key of an existing verified credential on the same internal account and retries the request with `Grid-Wallet-Signature` + `Request-Id` headers.
4. Signed retry returns 201 with the created `AuthMethod`.
**Schemas added**
- `OauthCredentialAdditionalChallengeFields` — `{ type: "OAUTH" }` (variant single-value enum on `type`; no analogue to the `email` field on the EMAIL_OTP variant — providers are not distinguished at the challenge level).
- `OauthCredentialAdditionalChallenge` — `allOf(AuthCredentialAdditionalChallenge, OauthCredentialAdditionalChallengeFields)`; wire shape is `{ type, payloadToSign, requestId, expiresAt }` (signing fields inherited from the base).
**Wire-up**
- `AuthCredentialAdditionalChallengeOneOf.yaml` discriminator map extended with `OAUTH → OauthCredentialAdditionalChallenge`.
- OAuth example added to the 202 response on `POST /auth/credentials`.
- `.stainless/stainless.yml` registers the two new schemas under `auth.credentials`.
**Notes**
- Multiple OAuth credentials per internal account are allowed (no `OAUTH_CREDENTIAL_ALREADY_EXISTS`); this PR documents the concrete wire shape Grid returns when the client hits that branch.
- Final PR in the OAuth sub-stack on top of `04-20-feat_sign_embedded_wallet_transfers_with_grid-wallet-signature_on__quotes_execute`; together with the two prior PRs it covers create, verify, and additional-credential registration for OAuth.
- Bundled `openapi.yaml` and `mintlify/openapi.yaml` regenerated via `make build`.
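
An added example, not part of this PR or of Grid's SDKs: the client-side checks worth making on the 202 challenge from steps 2 and 3 of the flow before anything is signed. The `sign` callable, the RFC 3339 format of `expiresAt`, and sending the challenge's `requestId` as the `Request-Id` header are assumptions; the page does not specify the signature algorithm or encoding.

```python
from datetime import datetime, timezone

# Discriminator values the page names for the 202 challenge.
KNOWN_TYPES = {"OAUTH", "EMAIL_OTP"}
# Wire shape the PR description gives for the challenge body.
REQUIRED_FIELDS = ("type", "payloadToSign", "requestId", "expiresAt")
# Constructed sample body; values are placeholders, not from the page.
SAMPLE_CHALLENGE = {
    "type": "OAUTH",
    "payloadToSign": "constructed-payload-to-sign",
    "requestId": "constructed-request-id",
    "expiresAt": "2030-01-01T00:00:00Z",
}


class ChallengeError(ValueError):
    """Raised when a 202 challenge must not be signed."""


def build_signed_retry_headers(status, body, requested_type, sign, now=None):
    """Validate a 202 challenge and return headers for the signed retry.

    `sign` is a hypothetical caller-supplied callable that signs a string
    with the session private key of an existing verified credential and
    returns a header-ready value.
    """
    if status != 202:
        raise ChallengeError(f"expected 202 challenge, got {status}")
    missing = [f for f in REQUIRED_FIELDS if not isinstance(body.get(f), str) or not body[f]]
    if missing:
        raise ChallengeError(f"challenge missing fields: {missing}")
    if body["type"] not in KNOWN_TYPES or body["type"] != requested_type:
        raise ChallengeError(f"unexpected challenge type {body['type']!r}")
    # Assumption: expiresAt is an RFC 3339 timestamp with an explicit offset.
    expires = datetime.fromisoformat(body["expiresAt"].replace("Z", "+00:00"))
    if expires.tzinfo is None:
        raise ChallengeError("expiresAt has no timezone offset")
    now = now or datetime.now(timezone.utc)
    if expires <= now:
        raise ChallengeError("challenge expired; restart the request")
    return {
        "Grid-Wallet-Signature": sign(body["payloadToSign"]),
        "Request-Id": body["requestId"],
    }
```

Rejecting a challenge whose `type` differs from the credential type that was requested keeps the session key from signing a payload for an operation the caller did not start.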