Merge pull request #3606 from Infisical/oidc-groups-claim-handle-string

improvement(oidc-group-membership-mapping): Update OIDC group claims to handle single group string

backend/src/@types/fastify.d.ts

@@ -68,6 +68,7 @@ import { TIdentityJwtAuthServiceFactory } from "@app/services/identity-jwt-auth/
 import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { TIdentityLdapAuthServiceFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-service";
 import { TAllowedFields } from "@app/services/identity-ldap-auth/identity-ldap-auth-types";
+import { TIdentityOciAuthServiceFactory } from "@app/services/identity-oci-auth/identity-oci-auth-service";
 import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityTokenAuthServiceFactory } from "@app/services/identity-token-auth/identity-token-auth-service";
@@ -209,6 +210,7 @@ declare module "fastify" {
       identityGcpAuth: TIdentityGcpAuthServiceFactory;
       identityAwsAuth: TIdentityAwsAuthServiceFactory;
       identityAzureAuth: TIdentityAzureAuthServiceFactory;
+      identityOciAuth: TIdentityOciAuthServiceFactory;
       identityOidcAuth: TIdentityOidcAuthServiceFactory;
       identityJwtAuth: TIdentityJwtAuthServiceFactory;
       identityLdapAuth: TIdentityLdapAuthServiceFactory;

backend/src/@types/knex.d.ts

@@ -119,6 +119,9 @@ import {
   TIdentityMetadata,
   TIdentityMetadataInsert,
   TIdentityMetadataUpdate,
+  TIdentityOciAuths,
+  TIdentityOciAuthsInsert,
+  TIdentityOciAuthsUpdate,
   TIdentityOidcAuths,
   TIdentityOidcAuthsInsert,
   TIdentityOidcAuthsUpdate,
@@ -738,6 +741,11 @@ declare module "knex/types/tables" {
       TIdentityAzureAuthsInsert,
       TIdentityAzureAuthsUpdate
     >;
+    [TableName.IdentityOciAuth]: KnexOriginal.CompositeTableType<
+      TIdentityOciAuths,
+      TIdentityOciAuthsInsert,
+      TIdentityOciAuthsUpdate
+    >;
     [TableName.IdentityOidcAuth]: KnexOriginal.CompositeTableType<
       TIdentityOidcAuths,
       TIdentityOidcAuthsInsert,

backend/src/db/migrations/20250508210717_identity-oci-auth.ts

@@ -0,0 +1,30 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityOciAuth))) {
+    await knex.schema.createTable(TableName.IdentityOciAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.timestamps(true, true, true);
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("type").notNullable();
+
+      t.string("tenancyOcid").notNullable();
+      t.string("allowedUsernames").nullable();
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.IdentityOciAuth);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityOciAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityOciAuth);
+}

backend/src/db/schemas/identity-oci-auths.ts

@@ -0,0 +1,26 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityOciAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  identityId: z.string().uuid(),
+  type: z.string(),
+  tenancyOcid: z.string(),
+  allowedUsernames: z.string().nullable().optional()
+});
+
+export type TIdentityOciAuths = z.infer<typeof IdentityOciAuthsSchema>;
+export type TIdentityOciAuthsInsert = Omit<z.input<typeof IdentityOciAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityOciAuthsUpdate = Partial<Omit<z.input<typeof IdentityOciAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/index.ts

@@ -37,6 +37,7 @@ export * from "./identity-gcp-auths";
 export * from "./identity-jwt-auths";
 export * from "./identity-kubernetes-auths";
 export * from "./identity-metadata";
+export * from "./identity-oci-auths";
 export * from "./identity-oidc-auths";
 export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";

backend/src/db/schemas/models.ts

@@ -79,6 +79,7 @@ export enum TableName {
   IdentityAzureAuth = "identity_azure_auths",
   IdentityUaClientSecret = "identity_ua_client_secrets",
   IdentityAwsAuth = "identity_aws_auths",
+  IdentityOciAuth = "identity_oci_auths",
   IdentityOidcAuth = "identity_oidc_auths",
   IdentityJwtAuth = "identity_jwt_auths",
   IdentityLdapAuth = "identity_ldap_auths",
@@ -233,6 +234,7 @@ export enum IdentityAuthMethod {
   GCP_AUTH = "gcp-auth",
   AWS_AUTH = "aws-auth",
   AZURE_AUTH = "azure-auth",
+  OCI_AUTH = "oci-auth",
   OIDC_AUTH = "oidc-auth",
   JWT_AUTH = "jwt-auth",
   LDAP_AUTH = "ldap-auth"

backend/src/ee/routes/v1/ssh-certificate-template-router.ts

@@ -97,7 +97,7 @@ export const registerSshCertificateTemplateRouter = async (server: FastifyZodPro
           allowCustomKeyIds: z.boolean().describe(SSH_CERTIFICATE_TEMPLATES.CREATE.allowCustomKeyIds)
         })
         .refine((data) => ms(data.maxTTL) >= ms(data.ttl), {
-          message: "Max TLL must be greater than or equal to TTL",
+          message: "Max TTL must be greater than or equal to TTL",
           path: ["maxTTL"]
         }),
       response: {

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -162,6 +162,12 @@ export enum EventType {
   REVOKE_IDENTITY_AWS_AUTH = "revoke-identity-aws-auth",
   GET_IDENTITY_AWS_AUTH = "get-identity-aws-auth",
 
+  LOGIN_IDENTITY_OCI_AUTH = "login-identity-oci-auth",
+  ADD_IDENTITY_OCI_AUTH = "add-identity-oci-auth",
+  UPDATE_IDENTITY_OCI_AUTH = "update-identity-oci-auth",
+  REVOKE_IDENTITY_OCI_AUTH = "revoke-identity-oci-auth",
+  GET_IDENTITY_OCI_AUTH = "get-identity-oci-auth",
+
   LOGIN_IDENTITY_AZURE_AUTH = "login-identity-azure-auth",
   ADD_IDENTITY_AZURE_AUTH = "add-identity-azure-auth",
   UPDATE_IDENTITY_AZURE_AUTH = "update-identity-azure-auth",
@@ -1009,6 +1015,55 @@ interface GetIdentityAwsAuthEvent {
   };
 }
 
+interface LoginIdentityOciAuthEvent {
+  type: EventType.LOGIN_IDENTITY_OCI_AUTH;
+  metadata: {
+    identityId: string;
+    identityOciAuthId: string;
+    identityAccessTokenId: string;
+  };
+}
+
+interface AddIdentityOciAuthEvent {
+  type: EventType.ADD_IDENTITY_OCI_AUTH;
+  metadata: {
+    identityId: string;
+    tenancyOcid: string;
+    allowedUsernames: string | null;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface DeleteIdentityOciAuthEvent {
+  type: EventType.REVOKE_IDENTITY_OCI_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
+interface UpdateIdentityOciAuthEvent {
+  type: EventType.UPDATE_IDENTITY_OCI_AUTH;
+  metadata: {
+    identityId: string;
+    tenancyOcid?: string;
+    allowedUsernames: string | null;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface GetIdentityOciAuthEvent {
+  type: EventType.GET_IDENTITY_OCI_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface LoginIdentityAzureAuthEvent {
   type: EventType.LOGIN_IDENTITY_AZURE_AUTH;
   metadata: {
@@ -2914,6 +2969,11 @@ export type Event =
   | UpdateIdentityAwsAuthEvent
   | GetIdentityAwsAuthEvent
   | DeleteIdentityAwsAuthEvent
+  | LoginIdentityOciAuthEvent
+  | AddIdentityOciAuthEvent
+  | UpdateIdentityOciAuthEvent
+  | GetIdentityOciAuthEvent
+  | DeleteIdentityOciAuthEvent
   | LoginIdentityAzureAuthEvent
   | AddIdentityAzureAuthEvent
   | DeleteIdentityAzureAuthEvent

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -714,13 +714,15 @@ export const oidcConfigServiceFactory = ({
           }
         }
 
+        const groups = typeof claims.groups === "string" ? [claims.groups] : (claims.groups as string[] | undefined);
+
         oidcLogin({
           email: claims.email,
           externalId: claims.sub,
           firstName: claims.given_name ?? "",
           lastName: claims.family_name ?? "",
           orgId: org.id,
-          groups: claims.groups as string[] | undefined,
+          groups,
           callbackPort,
           manageGroupMemberships: oidcCfg.manageGroupMemberships
         })

backend/src/ee/services/permission/default-roles.ts

@@ -126,7 +126,6 @@ const buildAdminPermissionRules = () => {
 
   can(
     [
-      ProjectPermissionSecretActions.DescribeAndReadValue,
       ProjectPermissionSecretActions.DescribeSecret,
       ProjectPermissionSecretActions.ReadValue,
       ProjectPermissionSecretActions.Create,
@@ -207,7 +206,6 @@ const buildMemberPermissionRules = () => {
 
   can(
     [
-      ProjectPermissionSecretActions.DescribeAndReadValue,
       ProjectPermissionSecretActions.DescribeSecret,
       ProjectPermissionSecretActions.ReadValue,
       ProjectPermissionSecretActions.Edit,
@@ -386,9 +384,10 @@ const buildMemberPermissionRules = () => {
 const buildViewerPermissionRules = () => {
   const { can, rules } = new AbilityBuilder<MongoAbility<ProjectPermissionSet>>(createMongoAbility);
 
-  can(ProjectPermissionSecretActions.DescribeAndReadValue, ProjectPermissionSub.Secrets);
-  can(ProjectPermissionSecretActions.DescribeSecret, ProjectPermissionSub.Secrets);
-  can(ProjectPermissionSecretActions.ReadValue, ProjectPermissionSub.Secrets);
+  can(
+    [ProjectPermissionSecretActions.DescribeSecret, ProjectPermissionSecretActions.ReadValue],
+    ProjectPermissionSub.Secrets
+  );
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretFolders);
   can(ProjectPermissionDynamicSecretActions.ReadRootCredential, ProjectPermissionSub.DynamicSecrets);
   can(ProjectPermissionActions.Read, ProjectPermissionSub.SecretImports);

backend/src/lib/api-docs/constants.ts

@@ -14,6 +14,7 @@ export enum ApiDocsTags {
   UniversalAuth = "Universal Auth",
   GcpAuth = "GCP Auth",
   AwsAuth = "AWS Auth",
+  OciAuth = "OCI Auth",
   AzureAuth = "Azure Auth",
   KubernetesAuth = "Kubernetes Auth",
   JwtAuth = "JWT Auth",
@@ -271,6 +272,40 @@ export const AWS_AUTH = {
   }
 } as const;
 
+export const OCI_AUTH = {
+  LOGIN: {
+    identityId: "The ID of the identity to login.",
+    userOcid: "The OCID of the user attempting login.",
+    headers: "The headers of the signed request."
+  },
+  ATTACH: {
+    identityId: "The ID of the identity to attach the configuration onto.",
+    tenancyOcid: "The OCID of your tenancy.",
+    allowedUsernames:
+      "The comma-separated list of trusted OCI account usernames that are allowed to authenticate with Infisical.",
+    accessTokenTTL: "The lifetime for an access token in seconds.",
+    accessTokenMaxTTL: "The maximum lifetime for an access token in seconds.",
+    accessTokenNumUsesLimit: "The maximum number of times that an access token can be used.",
+    accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from."
+  },
+  UPDATE: {
+    identityId: "The ID of the identity to update the auth method for.",
+    tenancyOcid: "The OCID of your tenancy.",
+    allowedUsernames:
+      "The comma-separated list of trusted OCI account usernames that are allowed to authenticate with Infisical.",
+    accessTokenTTL: "The new lifetime for an access token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an access token in seconds.",
+    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used.",
+    accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from."
+  },
+  RETRIEVE: {
+    identityId: "The ID of the identity to retrieve the auth method for."
+  },
+  REVOKE: {
+    identityId: "The ID of the identity to revoke the auth method for."
+  }
+} as const;
+
 export const AZURE_AUTH = {
   LOGIN: {
     identityId: "The ID of the identity to login."
@@ -2109,6 +2144,7 @@ export const SecretSyncs = {
     const destinationName = SECRET_SYNC_NAME_MAP[destination];
     return {
       initialSyncBehavior: `Specify how Infisical should resolve the initial sync to the ${destinationName} destination.`,
+      keySchema: `Specify the format to use for structuring secret keys in the ${destinationName} destination.`,
       disableSecretDeletion: `Enable this flag to prevent removal of secrets from the ${destinationName} destination when syncing.`
     };
   },

backend/src/server/routes/index.ts

@@ -162,6 +162,8 @@ import { identityKubernetesAuthDALFactory } from "@app/services/identity-kuberne
 import { identityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
 import { identityLdapAuthDALFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-dal";
 import { identityLdapAuthServiceFactory } from "@app/services/identity-ldap-auth/identity-ldap-auth-service";
+import { identityOciAuthDALFactory } from "@app/services/identity-oci-auth/identity-oci-auth-dal";
+import { identityOciAuthServiceFactory } from "@app/services/identity-oci-auth/identity-oci-auth-service";
 import { identityOidcAuthDALFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-dal";
 import { identityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
@@ -355,6 +357,7 @@ export const registerRoutes = async (
   const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);
   const identityAwsAuthDAL = identityAwsAuthDALFactory(db);
   const identityGcpAuthDAL = identityGcpAuthDALFactory(db);
+  const identityOciAuthDAL = identityOciAuthDALFactory(db);
   const identityOidcAuthDAL = identityOidcAuthDALFactory(db);
   const identityJwtAuthDAL = identityJwtAuthDALFactory(db);
   const identityAzureAuthDAL = identityAzureAuthDALFactory(db);
@@ -1451,6 +1454,14 @@ export const registerRoutes = async (
     licenseService
   });
 
+  const identityOciAuthService = identityOciAuthServiceFactory({
+    identityAccessTokenDAL,
+    identityOciAuthDAL,
+    identityOrgMembershipDAL,
+    licenseService,
+    permissionService
+  });
+
   const identityOidcAuthService = identityOidcAuthServiceFactory({
     identityOidcAuthDAL,
     identityOrgMembershipDAL,
@@ -1737,6 +1748,7 @@ export const registerRoutes = async (
     identityGcpAuth: identityGcpAuthService,
     identityAwsAuth: identityAwsAuthService,
     identityAzureAuth: identityAzureAuthService,
+    identityOciAuth: identityOciAuthService,
     identityOidcAuth: identityOidcAuthService,
     identityJwtAuth: identityJwtAuthService,
     identityLdapAuth: identityLdapAuthService,

backend/src/server/routes/v1/identity-oci-auth-router.ts

@@ -0,0 +1,338 @@
+import { z } from "zod";
+
+import { IdentityOciAuthsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { ApiDocsTags, OCI_AUTH } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+import { validateTenancy, validateUsernames } from "@app/services/identity-oci-auth/identity-oci-auth-validators";
+import { isSuperAdmin } from "@app/services/super-admin/super-admin-fns";
+
+export const registerIdentityOciAuthRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/oci-auth/login",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.OciAuth],
+      description: "Login with OCI Auth",
+      body: z.object({
+        identityId: z.string().trim().describe(OCI_AUTH.LOGIN.identityId),
+        userOcid: z.string().trim().describe(OCI_AUTH.LOGIN.userOcid),
+        headers: z
+          .object({
+            authorization: z.string(),
+            host: z.string(),
+            "x-date": z.string()
+          })
+          .describe(OCI_AUTH.LOGIN.headers)
+      }),
+      response: {
+        200: z.object({
+          accessToken: z.string(),
+          expiresIn: z.coerce.number(),
+          accessTokenMaxTTL: z.coerce.number(),
+          tokenType: z.literal("Bearer")
+        })
+      }
+    },
+    handler: async (req) => {
+      const { identityOciAuth, accessToken, identityAccessToken, identityMembershipOrg } =
+        await server.services.identityOciAuth.login(req.body);
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityMembershipOrg?.orgId,
+        event: {
+          type: EventType.LOGIN_IDENTITY_OCI_AUTH,
+          metadata: {
+            identityId: identityOciAuth.identityId,
+            identityAccessTokenId: identityAccessToken.id,
+            identityOciAuthId: identityOciAuth.id
+          }
+        }
+      });
+
+      return {
+        accessToken,
+        tokenType: "Bearer" as const,
+        expiresIn: identityOciAuth.accessTokenTTL,
+        accessTokenMaxTTL: identityOciAuth.accessTokenMaxTTL
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/oci-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.OciAuth],
+      description: "Attach OCI Auth configuration onto identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim().describe(OCI_AUTH.ATTACH.identityId)
+      }),
+      body: z
+        .object({
+          tenancyOcid: validateTenancy.describe(OCI_AUTH.ATTACH.tenancyOcid),
+          allowedUsernames: validateUsernames.describe(OCI_AUTH.ATTACH.allowedUsernames),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .describe(OCI_AUTH.ATTACH.accessTokenTrustedIps),
+          accessTokenTTL: z
+            .number()
+            .int()
+            .min(0)
+            .max(315360000)
+            .default(2592000)
+            .describe(OCI_AUTH.ATTACH.accessTokenTTL),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .min(1)
+            .max(315360000)
+            .default(2592000)
+            .describe(OCI_AUTH.ATTACH.accessTokenMaxTTL),
+          accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(OCI_AUTH.ATTACH.accessTokenNumUsesLimit)
+        })
+        .refine(
+          (val) => val.accessTokenTTL <= val.accessTokenMaxTTL,
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
+      response: {
+        200: z.object({
+          identityOciAuth: IdentityOciAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityOciAuth = await server.services.identityOciAuth.attachOciAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId,
+        isActorSuperAdmin: isSuperAdmin(req.auth)
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityOciAuth.orgId,
+        event: {
+          type: EventType.ADD_IDENTITY_OCI_AUTH,
+          metadata: {
+            identityId: identityOciAuth.identityId,
+            tenancyOcid: identityOciAuth.tenancyOcid,
+            allowedUsernames: identityOciAuth.allowedUsernames || null,
+            accessTokenTTL: identityOciAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityOciAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityOciAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityOciAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityOciAuth };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/oci-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.OciAuth],
+      description: "Update OCI Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(OCI_AUTH.UPDATE.identityId)
+      }),
+      body: z
+        .object({
+          tenancyOcid: validateTenancy.describe(OCI_AUTH.UPDATE.tenancyOcid),
+          allowedUsernames: validateUsernames.describe(OCI_AUTH.UPDATE.allowedUsernames),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .optional()
+            .describe(OCI_AUTH.UPDATE.accessTokenTrustedIps),
+          accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(OCI_AUTH.UPDATE.accessTokenTTL),
+          accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(OCI_AUTH.UPDATE.accessTokenNumUsesLimit),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .max(315360000)
+            .min(0)
+            .optional()
+            .describe(OCI_AUTH.UPDATE.accessTokenMaxTTL)
+        })
+        .refine(
+          (val) => (val.accessTokenMaxTTL && val.accessTokenTTL ? val.accessTokenTTL <= val.accessTokenMaxTTL : true),
+          "Access Token TTL cannot be greater than Access Token Max TTL."
+        ),
+      response: {
+        200: z.object({
+          identityOciAuth: IdentityOciAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityOciAuth = await server.services.identityOciAuth.updateOciAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId,
+        allowedUsernames: req.body.allowedUsernames || null
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityOciAuth.orgId,
+        event: {
+          type: EventType.UPDATE_IDENTITY_OCI_AUTH,
+          metadata: {
+            identityId: identityOciAuth.identityId,
+            tenancyOcid: identityOciAuth.tenancyOcid,
+            allowedUsernames: identityOciAuth.allowedUsernames || null,
+            accessTokenTTL: identityOciAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityOciAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityOciAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityOciAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityOciAuth };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/oci-auth/identities/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.OciAuth],
+      description: "Retrieve OCI Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(OCI_AUTH.RETRIEVE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityOciAuth: IdentityOciAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityOciAuth = await server.services.identityOciAuth.getOciAuth({
+        identityId: req.params.identityId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityOciAuth.orgId,
+        event: {
+          type: EventType.GET_IDENTITY_OCI_AUTH,
+          metadata: {
+            identityId: identityOciAuth.identityId
+          }
+        }
+      });
+      return { identityOciAuth };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/oci-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      hide: false,
+      tags: [ApiDocsTags.OciAuth],
+      description: "Delete OCI Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(OCI_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityOciAuth: IdentityOciAuthsSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityOciAuth = await server.services.identityOciAuth.revokeIdentityOciAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityOciAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_OCI_AUTH,
+          metadata: {
+            identityId: identityOciAuth.identityId
+          }
+        }
+      });
+
+      return { identityOciAuth };
+    }
+  });
+};

backend/src/server/routes/v1/index.ts

@@ -20,6 +20,7 @@ import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
 import { registerIdentityJwtAuthRouter } from "./identity-jwt-auth-router";
 import { registerIdentityKubernetesRouter } from "./identity-kubernetes-auth-router";
 import { registerIdentityLdapAuthRouter } from "./identity-ldap-auth-router";
+import { registerIdentityOciAuthRouter } from "./identity-oci-auth-router";
 import { registerIdentityOidcAuthRouter } from "./identity-oidc-auth-router";
 import { registerIdentityRouter } from "./identity-router";
 import { registerIdentityTokenAuthRouter } from "./identity-token-auth-router";
@@ -63,6 +64,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
       await authRouter.register(registerIdentityAccessTokenRouter);
       await authRouter.register(registerIdentityAwsAuthRouter);
       await authRouter.register(registerIdentityAzureAuthRouter);
+      await authRouter.register(registerIdentityOciAuthRouter);
       await authRouter.register(registerIdentityOidcAuthRouter);
       await authRouter.register(registerIdentityJwtAuthRouter);
       await authRouter.register(registerIdentityLdapAuthRouter);

backend/src/server/routes/v1/project-router.ts

@@ -511,7 +511,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
         })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       const workspace = await server.services.project.updateAuditLogsRetention({
         actorId: req.permission.id,

backend/src/services/identity-access-token/identity-access-token-dal.ts

@@ -36,6 +36,7 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
           `${TableName.Identity}.id`,
           `${TableName.IdentityKubernetesAuth}.identityId`
         )
+        .leftJoin(TableName.IdentityOciAuth, `${TableName.Identity}.id`, `${TableName.IdentityOciAuth}.identityId`)
         .leftJoin(TableName.IdentityOidcAuth, `${TableName.Identity}.id`, `${TableName.IdentityOidcAuth}.identityId`)
         .leftJoin(TableName.IdentityTokenAuth, `${TableName.Identity}.id`, `${TableName.IdentityTokenAuth}.identityId`)
         .leftJoin(TableName.IdentityJwtAuth, `${TableName.Identity}.id`, `${TableName.IdentityJwtAuth}.identityId`)
@@ -46,6 +47,7 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityAwsAuth).as("accessTokenTrustedIpsAws"),
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityAzureAuth).as("accessTokenTrustedIpsAzure"),
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityKubernetesAuth).as("accessTokenTrustedIpsK8s"),
+          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityOciAuth).as("accessTokenTrustedIpsOci"),
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityOidcAuth).as("accessTokenTrustedIpsOidc"),
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityTokenAuth).as("accessTokenTrustedIpsToken"),
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityJwtAuth).as("accessTokenTrustedIpsJwt"),
@@ -63,6 +65,7 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
         trustedIpsAwsAuth: doc.accessTokenTrustedIpsAws,
         trustedIpsAzureAuth: doc.accessTokenTrustedIpsAzure,
         trustedIpsKubernetesAuth: doc.accessTokenTrustedIpsK8s,
+        trustedIpsOciAuth: doc.accessTokenTrustedIpsOci,
         trustedIpsOidcAuth: doc.accessTokenTrustedIpsOidc,
         trustedIpsAccessTokenAuth: doc.accessTokenTrustedIpsToken,
         trustedIpsAccessJwtAuth: doc.accessTokenTrustedIpsJwt,

backend/src/services/identity-access-token/identity-access-token-service.ts

@@ -182,6 +182,7 @@ export const identityAccessTokenServiceFactory = ({
       [IdentityAuthMethod.UNIVERSAL_AUTH]: identityAccessToken.trustedIpsUniversalAuth,
       [IdentityAuthMethod.GCP_AUTH]: identityAccessToken.trustedIpsGcpAuth,
       [IdentityAuthMethod.AWS_AUTH]: identityAccessToken.trustedIpsAwsAuth,
+      [IdentityAuthMethod.OCI_AUTH]: identityAccessToken.trustedIpsOciAuth,
       [IdentityAuthMethod.AZURE_AUTH]: identityAccessToken.trustedIpsAzureAuth,
       [IdentityAuthMethod.KUBERNETES_AUTH]: identityAccessToken.trustedIpsKubernetesAuth,
       [IdentityAuthMethod.OIDC_AUTH]: identityAccessToken.trustedIpsOidcAuth,

backend/src/services/identity-oci-auth/identity-oci-auth-dal.ts

@@ -0,0 +1,9 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityOciAuthDALFactory = ReturnType<typeof identityOciAuthDALFactory>;
+
+export const identityOciAuthDALFactory = (db: TDbClient) => {
+  return ormify(db, TableName.IdentityOciAuth);
+};

backend/src/services/identity-oci-auth/identity-oci-auth-service.ts

@@ -0,0 +1,368 @@
+/* eslint-disable @typescript-eslint/no-unsafe-assignment */
+import { ForbiddenError } from "@casl/ability";
+import { AxiosError } from "axios";
+import jwt from "jsonwebtoken";
+import RE2 from "re2";
+
+import { IdentityAuthMethod } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { OrgPermissionIdentityActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import {
+  constructPermissionErrorMessage,
+  validatePrivilegeChangeOperation
+} from "@app/ee/services/permission/permission-fns";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { getConfig } from "@app/lib/config/env";
+import { request } from "@app/lib/config/request";
+import { BadRequestError, NotFoundError, PermissionBoundaryError, UnauthorizedError } from "@app/lib/errors";
+import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
+import { logger } from "@app/lib/logger";
+
+import { ActorType, AuthTokenType } from "../auth/auth-type";
+import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
+import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
+import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { validateIdentityUpdateForSuperAdminPrivileges } from "../super-admin/super-admin-fns";
+import { TIdentityOciAuthDALFactory } from "./identity-oci-auth-dal";
+import {
+  TAttachOciAuthDTO,
+  TGetOciAuthDTO,
+  TLoginOciAuthDTO,
+  TOciGetUserResponse,
+  TRevokeOciAuthDTO,
+  TUpdateOciAuthDTO
+} from "./identity-oci-auth-types";
+
+type TIdentityOciAuthServiceFactoryDep = {
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
+  identityOciAuthDAL: Pick<TIdentityOciAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+};
+
+export type TIdentityOciAuthServiceFactory = ReturnType<typeof identityOciAuthServiceFactory>;
+
+export const identityOciAuthServiceFactory = ({
+  identityAccessTokenDAL,
+  identityOciAuthDAL,
+  identityOrgMembershipDAL,
+  licenseService,
+  permissionService
+}: TIdentityOciAuthServiceFactoryDep) => {
+  const login = async ({ identityId, headers, userOcid }: TLoginOciAuthDTO) => {
+    const identityOciAuth = await identityOciAuthDAL.findOne({ identityId });
+    if (!identityOciAuth) {
+      throw new NotFoundError({ message: "OCI auth method not found for identity, did you configure OCI auth?" });
+    }
+
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId: identityOciAuth.identityId });
+
+    // Validate OCI host format. Ensures that the host is in "identity.<region>.oraclecloud.com" format.
+    if (!headers.host || !new RE2("^identity\\.([a-z]{2}-[a-z]+-[1-9])\\.oraclecloud\\.com$").test(headers.host)) {
+      throw new BadRequestError({
+        message: "Invalid OCI host format. Expected format: identity.<region>.oraclecloud.com"
+      });
+    }
+
+    const { data } = await request
+      .get<TOciGetUserResponse>(`https://${headers.host}/20160918/users/${userOcid}`, {
+        headers
+      })
+      .catch((err: AxiosError) => {
+        logger.error(err.response, "OciIdentityLogin: Failed to authenticate with Oracle Cloud");
+        throw err;
+      });
+
+    if (data.compartmentId !== identityOciAuth.tenancyOcid) {
+      throw new UnauthorizedError({
+        message: "Access denied: OCI account isn't part of tenancy."
+      });
+    }
+
+    if (identityOciAuth.allowedUsernames) {
+      const isAccountAllowed = identityOciAuth.allowedUsernames.split(",").some((name) => name.trim() === data.name);
+
+      if (!isAccountAllowed)
+        throw new UnauthorizedError({
+          message: "Access denied: OCI account username not allowed."
+        });
+    }
+
+    // Generate the token
+    const identityAccessToken = await identityOciAuthDAL.transaction(async (tx) => {
+      const newToken = await identityAccessTokenDAL.create(
+        {
+          identityId: identityOciAuth.identityId,
+          isAccessTokenRevoked: false,
+          accessTokenTTL: identityOciAuth.accessTokenTTL,
+          accessTokenMaxTTL: identityOciAuth.accessTokenMaxTTL,
+          accessTokenNumUses: 0,
+          accessTokenNumUsesLimit: identityOciAuth.accessTokenNumUsesLimit,
+          authMethod: IdentityAuthMethod.OCI_AUTH
+        },
+        tx
+      );
+      return newToken;
+    });
+
+    const appCfg = getConfig();
+    const accessToken = jwt.sign(
+      {
+        identityId: identityOciAuth.identityId,
+        identityAccessTokenId: identityAccessToken.id,
+        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+      } as TIdentityAccessTokenJwtPayload,
+      appCfg.AUTH_SECRET,
+      Number(identityAccessToken.accessTokenTTL) === 0
+        ? undefined
+        : {
+            expiresIn: Number(identityAccessToken.accessTokenTTL)
+          }
+    );
+
+    return {
+      identityOciAuth,
+      accessToken,
+      identityAccessToken,
+      identityMembershipOrg
+    };
+  };
+
+  const attachOciAuth = async ({
+    identityId,
+    tenancyOcid,
+    allowedUsernames,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId,
+    isActorSuperAdmin
+  }: TAttachOciAuthDTO) => {
+    await validateIdentityUpdateForSuperAdminPrivileges(identityId, isActorSuperAdmin);
+
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
+
+    if (identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.OCI_AUTH)) {
+      throw new BadRequestError({
+        message: "Failed to add OCI Auth to already configured identity"
+      });
+    }
+
+    if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Create, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const identityOciAuth = await identityOciAuthDAL.transaction(async (tx) => {
+      const doc = await identityOciAuthDAL.create(
+        {
+          identityId: identityMembershipOrg.identityId,
+          type: "iam",
+          tenancyOcid,
+          allowedUsernames,
+          accessTokenMaxTTL,
+          accessTokenTTL,
+          accessTokenNumUsesLimit,
+          accessTokenTrustedIps: JSON.stringify(reformattedAccessTokenTrustedIps)
+        },
+        tx
+      );
+      return doc;
+    });
+    return { ...identityOciAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  const updateOciAuth = async ({
+    identityId,
+    tenancyOcid,
+    allowedUsernames,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TUpdateOciAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.OCI_AUTH)) {
+      throw new NotFoundError({
+        message: "The identity does not have OCI Auth attached"
+      });
+    }
+
+    const identityOciAuth = await identityOciAuthDAL.findOne({ identityId });
+
+    if (
+      (accessTokenMaxTTL || identityOciAuth.accessTokenMaxTTL) > 0 &&
+      (accessTokenTTL || identityOciAuth.accessTokenTTL) > (accessTokenMaxTTL || identityOciAuth.accessTokenMaxTTL)
+    ) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const updatedOciAuth = await identityOciAuthDAL.updateById(identityOciAuth.id, {
+      tenancyOcid,
+      allowedUsernames,
+      accessTokenMaxTTL,
+      accessTokenTTL,
+      accessTokenNumUsesLimit,
+      accessTokenTrustedIps: reformattedAccessTokenTrustedIps
+        ? JSON.stringify(reformattedAccessTokenTrustedIps)
+        : undefined
+    });
+
+    return { ...updatedOciAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  const getOciAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetOciAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
+
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.OCI_AUTH)) {
+      throw new BadRequestError({
+        message: "The identity does not have OCI Auth attached"
+      });
+    }
+
+    const ociIdentityAuth = await identityOciAuthDAL.findOne({ identityId });
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Read, OrgPermissionSubjects.Identity);
+    return { ...ociIdentityAuth, orgId: identityMembershipOrg.orgId };
+  };
+
+  const revokeIdentityOciAuth = async ({
+    identityId,
+    actorId,
+    actor,
+    actorAuthMethod,
+    actorOrgId
+  }: TRevokeOciAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) throw new NotFoundError({ message: `Failed to find identity with ID ${identityId}` });
+    if (!identityMembershipOrg.identity.authMethods.includes(IdentityAuthMethod.OCI_AUTH)) {
+      throw new BadRequestError({
+        message: "The identity does not have OCI auth"
+      });
+    }
+    const { permission, membership } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionIdentityActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    const permissionBoundary = validatePrivilegeChangeOperation(
+      membership.shouldUseNewPrivilegeSystem,
+      OrgPermissionIdentityActions.RevokeAuth,
+      OrgPermissionSubjects.Identity,
+      permission,
+      rolePermission
+    );
+
+    if (!permissionBoundary.isValid)
+      throw new PermissionBoundaryError({
+        message: constructPermissionErrorMessage(
+          "Failed to revoke OCI auth of identity with more privileged role",
+          membership.shouldUseNewPrivilegeSystem,
+          OrgPermissionIdentityActions.RevokeAuth,
+          OrgPermissionSubjects.Identity
+        ),
+        details: { missingPermissions: permissionBoundary.missingPermissions }
+      });
+
+    const revokedIdentityOciAuth = await identityOciAuthDAL.transaction(async (tx) => {
+      const deletedOciAuth = await identityOciAuthDAL.delete({ identityId }, tx);
+      await identityAccessTokenDAL.delete({ identityId, authMethod: IdentityAuthMethod.OCI_AUTH }, tx);
+
+      return { ...deletedOciAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+    return revokedIdentityOciAuth;
+  };
+
+  return {
+    login,
+    attachOciAuth,
+    updateOciAuth,
+    getOciAuth,
+    revokeIdentityOciAuth
+  };
+};

backend/src/services/identity-oci-auth/identity-oci-auth-types.ts

@@ -0,0 +1,53 @@
+import { TProjectPermission } from "@app/lib/types";
+
+export type TLoginOciAuthDTO = {
+  identityId: string;
+  userOcid: string;
+  headers: {
+    authorization: string;
+    host: string;
+    "x-date": string;
+  };
+};
+
+export type TAttachOciAuthDTO = {
+  identityId: string;
+  tenancyOcid: string;
+  allowedUsernames: string | null;
+  accessTokenTTL: number;
+  accessTokenMaxTTL: number;
+  accessTokenNumUsesLimit: number;
+  accessTokenTrustedIps: { ipAddress: string }[];
+  isActorSuperAdmin?: boolean;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TUpdateOciAuthDTO = {
+  identityId: string;
+  tenancyOcid: string;
+  allowedUsernames: string | null;
+  accessTokenTTL?: number;
+  accessTokenMaxTTL?: number;
+  accessTokenNumUsesLimit?: number;
+  accessTokenTrustedIps?: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetOciAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TRevokeOciAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TOciGetUserResponse = {
+  email: string;
+  emailVerified: boolean;
+  timeModified: string;
+  isMfaActivated: boolean;
+  id: string;
+  compartmentId: string;
+  name: string;
+  timeCreated: string;
+  freeformTags: { [key: string]: string };
+  lifecycleState: string;
+};

backend/src/services/identity-oci-auth/identity-oci-auth-validators.ts

@@ -0,0 +1,32 @@
+import RE2 from "re2";
+import { z } from "zod";
+
+const usernameSchema = z
+  .string()
+  .min(1, "Username cannot be empty")
+  .refine((val) => new RE2("^[a-zA-Z0-9._@-]+$").test(val), "Invalid OCI username format");
+export const validateUsernames = z
+  .string()
+  .trim()
+  .max(500, "Input exceeds the maximum limit of 500 characters")
+  .nullish()
+  .transform((val) => {
+    if (!val) return [];
+    return val
+      .split(",")
+      .map((s) => s.trim())
+      .filter(Boolean);
+  })
+  .refine((arr) => arr.every((name) => usernameSchema.safeParse(name).success), {
+    message: "One or more usernames are invalid"
+  })
+  .transform((arr) => (arr.length > 0 ? arr.join(", ") : null));
+
+export const validateTenancy = z
+  .string()
+  .trim()
+  .min(1, "Tenancy OCID cannot be empty.")
+  .refine(
+    (val) => new RE2("^ocid1\\.tenancy\\.oc1\\..+$").test(val),
+    "Invalid Tenancy OCID format. Must start with ocid1.tenancy.oc1."
+  );

backend/src/services/identity-project/identity-project-dal.ts

@@ -8,6 +8,7 @@ import {
   TIdentityAzureAuths,
   TIdentityGcpAuths,
   TIdentityKubernetesAuths,
+  TIdentityOciAuths,
   TIdentityOidcAuths,
   TIdentityTokenAuths,
   TIdentityUniversalAuths
@@ -66,6 +67,11 @@ export const identityProjectDALFactory = (db: TDbClient) => {
           `${TableName.IdentityProjectMembership}.identityId`,
           `${TableName.IdentityKubernetesAuth}.identityId`
         )
+        .leftJoin(
+          TableName.IdentityOciAuth,
+          `${TableName.IdentityProjectMembership}.identityId`,
+          `${TableName.IdentityOciAuth}.identityId`
+        )
         .leftJoin(
           TableName.IdentityOidcAuth,
           `${TableName.IdentityProjectMembership}.identityId`,
@@ -107,6 +113,7 @@ export const identityProjectDALFactory = (db: TDbClient) => {
           db.ref("id").as("gcpId").withSchema(TableName.IdentityGcpAuth),
           db.ref("id").as("awsId").withSchema(TableName.IdentityAwsAuth),
           db.ref("id").as("kubernetesId").withSchema(TableName.IdentityKubernetesAuth),
+          db.ref("id").as("ociId").withSchema(TableName.IdentityOciAuth),
           db.ref("id").as("oidcId").withSchema(TableName.IdentityOidcAuth),
           db.ref("id").as("azureId").withSchema(TableName.IdentityAzureAuth),
           db.ref("id").as("tokenId").withSchema(TableName.IdentityTokenAuth)
@@ -270,6 +277,11 @@ export const identityProjectDALFactory = (db: TDbClient) => {
           `${TableName.Identity}.id`,
           `${TableName.IdentityKubernetesAuth}.identityId`
         )
+        .leftJoin<TIdentityOciAuths>(
+          TableName.IdentityOciAuth,
+          `${TableName.Identity}.id`,
+          `${TableName.IdentityOciAuth}.identityId`
+        )
         .leftJoin<TIdentityOidcAuths>(
           TableName.IdentityOidcAuth,
           `${TableName.Identity}.id`,
@@ -309,6 +321,7 @@ export const identityProjectDALFactory = (db: TDbClient) => {
           db.ref("id").as("gcpId").withSchema(TableName.IdentityGcpAuth),
           db.ref("id").as("awsId").withSchema(TableName.IdentityAwsAuth),
           db.ref("id").as("kubernetesId").withSchema(TableName.IdentityKubernetesAuth),
+          db.ref("id").as("ociId").withSchema(TableName.IdentityOciAuth),
           db.ref("id").as("oidcId").withSchema(TableName.IdentityOidcAuth),
           db.ref("id").as("azureId").withSchema(TableName.IdentityAzureAuth),
           db.ref("id").as("tokenId").withSchema(TableName.IdentityTokenAuth)
@@ -336,6 +349,7 @@ export const identityProjectDALFactory = (db: TDbClient) => {
           awsId,
           gcpId,
           kubernetesId,
+          ociId,
           oidcId,
           azureId,
           tokenId,
@@ -356,6 +370,7 @@ export const identityProjectDALFactory = (db: TDbClient) => {
               awsId,
               gcpId,
               kubernetesId,
+              ociId,
               oidcId,
               azureId,
               tokenId

backend/src/services/identity/identity-fns.ts

@@ -5,6 +5,7 @@ export const buildAuthMethods = ({
   gcpId,
   awsId,
   kubernetesId,
+  ociId,
   oidcId,
   azureId,
   tokenId,
@@ -15,6 +16,7 @@ export const buildAuthMethods = ({
   gcpId?: string;
   awsId?: string;
   kubernetesId?: string;
+  ociId?: string;
   oidcId?: string;
   azureId?: string;
   tokenId?: string;
@@ -26,6 +28,7 @@ export const buildAuthMethods = ({
     ...[gcpId ? IdentityAuthMethod.GCP_AUTH : null],
     ...[awsId ? IdentityAuthMethod.AWS_AUTH : null],
     ...[kubernetesId ? IdentityAuthMethod.KUBERNETES_AUTH : null],
+    ...[ociId ? IdentityAuthMethod.OCI_AUTH : null],
     ...[oidcId ? IdentityAuthMethod.OIDC_AUTH : null],
     ...[azureId ? IdentityAuthMethod.AZURE_AUTH : null],
     ...[tokenId ? IdentityAuthMethod.TOKEN_AUTH : null],

backend/src/services/identity/identity-org-dal.ts

@@ -8,6 +8,7 @@ import {
   TIdentityGcpAuths,
   TIdentityJwtAuths,
   TIdentityKubernetesAuths,
+  TIdentityOciAuths,
   TIdentityOidcAuths,
   TIdentityOrgMemberships,
   TIdentityTokenAuths,
@@ -62,6 +63,11 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           `${TableName.IdentityOrgMembership}.identityId`,
           `${TableName.IdentityKubernetesAuth}.identityId`
         )
+        .leftJoin<TIdentityOciAuths>(
+          TableName.IdentityOciAuth,
+          `${TableName.IdentityOrgMembership}.identityId`,
+          `${TableName.IdentityOciAuth}.identityId`
+        )
         .leftJoin<TIdentityOidcAuths>(
           TableName.IdentityOidcAuth,
           `${TableName.IdentityOrgMembership}.identityId`,
@@ -95,6 +101,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           db.ref("id").as("gcpId").withSchema(TableName.IdentityGcpAuth),
           db.ref("id").as("awsId").withSchema(TableName.IdentityAwsAuth),
           db.ref("id").as("kubernetesId").withSchema(TableName.IdentityKubernetesAuth),
+          db.ref("id").as("ociId").withSchema(TableName.IdentityOciAuth),
           db.ref("id").as("oidcId").withSchema(TableName.IdentityOidcAuth),
           db.ref("id").as("azureId").withSchema(TableName.IdentityAzureAuth),
           db.ref("id").as("tokenId").withSchema(TableName.IdentityTokenAuth),
@@ -186,6 +193,11 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           "paginatedIdentity.identityId",
           `${TableName.IdentityKubernetesAuth}.identityId`
         )
+        .leftJoin<TIdentityOciAuths>(
+          TableName.IdentityOciAuth,
+          "paginatedIdentity.identityId",
+          `${TableName.IdentityOciAuth}.identityId`
+        )
         .leftJoin<TIdentityOidcAuths>(
           TableName.IdentityOidcAuth,
           "paginatedIdentity.identityId",
@@ -226,6 +238,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           db.ref("id").as("gcpId").withSchema(TableName.IdentityGcpAuth),
           db.ref("id").as("awsId").withSchema(TableName.IdentityAwsAuth),
           db.ref("id").as("kubernetesId").withSchema(TableName.IdentityKubernetesAuth),
+          db.ref("id").as("ociId").withSchema(TableName.IdentityOciAuth),
           db.ref("id").as("oidcId").withSchema(TableName.IdentityOidcAuth),
           db.ref("id").as("azureId").withSchema(TableName.IdentityAzureAuth),
           db.ref("id").as("tokenId").withSchema(TableName.IdentityTokenAuth),
@@ -269,6 +282,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           gcpId,
           jwtId,
           kubernetesId,
+          ociId,
           oidcId,
           azureId,
           tokenId,
@@ -301,6 +315,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
               awsId,
               gcpId,
               kubernetesId,
+              ociId,
               oidcId,
               azureId,
               tokenId,
@@ -401,6 +416,11 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           `${TableName.IdentityOrgMembership}.identityId`,
           `${TableName.IdentityKubernetesAuth}.identityId`
         )
+        .leftJoin(
+          TableName.IdentityOciAuth,
+          `${TableName.IdentityOrgMembership}.identityId`,
+          `${TableName.IdentityOciAuth}.identityId`
+        )
         .leftJoin(
           TableName.IdentityOidcAuth,
           `${TableName.IdentityOrgMembership}.identityId`,
@@ -441,6 +461,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           db.ref("id").as("gcpId").withSchema(TableName.IdentityGcpAuth),
           db.ref("id").as("awsId").withSchema(TableName.IdentityAwsAuth),
           db.ref("id").as("kubernetesId").withSchema(TableName.IdentityKubernetesAuth),
+          db.ref("id").as("ociId").withSchema(TableName.IdentityOciAuth),
           db.ref("id").as("oidcId").withSchema(TableName.IdentityOidcAuth),
           db.ref("id").as("azureId").withSchema(TableName.IdentityAzureAuth),
           db.ref("id").as("tokenId").withSchema(TableName.IdentityTokenAuth),
@@ -485,6 +506,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
           gcpId,
           jwtId,
           kubernetesId,
+          ociId,
           oidcId,
           azureId,
           tokenId,
@@ -517,6 +539,7 @@ export const identityOrgDALFactory = (db: TDbClient) => {
               awsId,
               gcpId,
               kubernetesId,
+              ociId,
               oidcId,
               azureId,
               tokenId,

backend/src/services/secret-sync/aws-parameter-store/aws-parameter-store-sync-fns.ts

@@ -2,6 +2,7 @@ import AWS, { AWSError } from "aws-sdk";
 
 import { getAwsConnectionConfig } from "@app/services/app-connection/aws/aws-connection-fns";
 import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
 
 import { TAwsParameterStoreSyncWithCredentials } from "./aws-parameter-store-sync-types";
@@ -389,6 +390,9 @@ export const AwsParameterStoreSyncFns = {
     for (const entry of Object.entries(awsParameterStoreSecretsRecord)) {
       const [key, parameter] = entry;
 
+      // eslint-disable-next-line no-continue
+      if (!matchesSchema(key, syncOptions.keySchema)) continue;
+
       if (!(key in secretMap) || !secretMap[key].value) {
         parametersToDelete.push(parameter);
       }

backend/src/services/secret-sync/aws-secrets-manager/aws-secrets-manager-sync-fns.ts

@@ -27,6 +27,7 @@ import {
 import { getAwsConnectionConfig } from "@app/services/app-connection/aws/aws-connection-fns";
 import { AwsSecretsManagerSyncMappingBehavior } from "@app/services/secret-sync/aws-secrets-manager/aws-secrets-manager-sync-enums";
 import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
 
 import { TAwsSecretsManagerSyncWithCredentials } from "./aws-secrets-manager-sync-types";
@@ -399,6 +400,9 @@ export const AwsSecretsManagerSyncFns = {
       if (syncOptions.disableSecretDeletion) return;
 
       for await (const secretKey of Object.keys(awsSecretsRecord)) {
+        // eslint-disable-next-line no-continue
+        if (!matchesSchema(secretKey, syncOptions.keySchema)) continue;
+
         if (!(secretKey in secretMap) || !secretMap[secretKey].value) {
           try {
             await deleteSecret(client, secretKey);

backend/src/services/secret-sync/azure-app-configuration/azure-app-configuration-sync-fns.ts

@@ -7,6 +7,7 @@ import { TAppConnectionDALFactory } from "@app/services/app-connection/app-conne
 import { getAzureConnectionAccessToken } from "@app/services/app-connection/azure-key-vault";
 import { isAzureKeyVaultReference } from "@app/services/integration-auth/integration-sync-secret-fns";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
 
 import { TAzureAppConfigurationSyncWithCredentials } from "./azure-app-configuration-sync-types";
@@ -139,6 +140,9 @@ export const azureAppConfigurationSyncFactory = ({
     if (secretSync.syncOptions.disableSecretDeletion) return;
 
     for await (const key of Object.keys(azureAppConfigSecrets)) {
+      // eslint-disable-next-line no-continue
+      if (!matchesSchema(key, secretSync.syncOptions.keySchema)) continue;
+
       const azureSecret = azureAppConfigSecrets[key];
       if (
         !(key in secretMap) ||

backend/src/services/secret-sync/azure-key-vault/azure-key-vault-sync-fns.ts

@@ -5,6 +5,7 @@ import { request } from "@app/lib/config/request";
 import { TAppConnectionDALFactory } from "@app/services/app-connection/app-connection-dal";
 import { getAzureConnectionAccessToken } from "@app/services/app-connection/azure-key-vault";
 import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
 
 import { SecretSyncError } from "../secret-sync-errors";
@@ -192,7 +193,9 @@ export const azureKeyVaultSyncFactory = ({ kmsService, appConnectionDAL }: TAzur
     if (secretSync.syncOptions.disableSecretDeletion) return;
 
     for await (const deleteSecretKey of deleteSecrets.filter(
-      (secret) => !setSecrets.find((setSecret) => setSecret.key === secret)
+      (secret) =>
+        matchesSchema(secret, secretSync.syncOptions.keySchema) &&
+        !setSecrets.find((setSecret) => setSecret.key === secret)
     )) {
       await request.delete(`${secretSync.destinationConfig.vaultBaseUrl}/secrets/${deleteSecretKey}?api-version=7.3`, {
         headers: {

backend/src/services/secret-sync/camunda/camunda-sync-fns.ts

@@ -12,6 +12,7 @@ import {
   TCamundaSyncWithCredentials
 } from "@app/services/secret-sync/camunda/camunda-sync-types";
 import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 
 import { TSecretMap } from "../secret-sync-types";
 
@@ -116,6 +117,9 @@ export const camundaSyncFactory = ({ kmsService, appConnectionDAL }: TCamundaSec
     if (secretSync.syncOptions.disableSecretDeletion) return;
 
     for await (const secret of Object.keys(camundaSecrets)) {
+      // eslint-disable-next-line no-continue
+      if (!matchesSchema(secret, secretSync.syncOptions.keySchema)) continue;
+
       if (!(secret in secretMap) || !secretMap[secret].value) {
         try {
           await deleteCamundaSecret({

backend/src/services/secret-sync/databricks/databricks-sync-fns.ts

@@ -11,6 +11,7 @@ import {
   TDatabricksSyncWithCredentials
 } from "@app/services/secret-sync/databricks/databricks-sync-types";
 import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import { SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
 
 import { TSecretMap } from "../secret-sync-types";
@@ -115,6 +116,9 @@ export const databricksSyncFactory = ({ kmsService, appConnectionDAL }: TDatabri
     if (secretSync.syncOptions.disableSecretDeletion) return;
 
     for await (const secret of databricksSecretKeys) {
+      // eslint-disable-next-line no-continue
+      if (!matchesSchema(secret.key, secretSync.syncOptions.keySchema)) continue;
+
       if (!(secret.key in secretMap)) {
         await deleteDatabricksSecrets({
           key: secret.key,

backend/src/services/secret-sync/gcp/gcp-sync-fns.ts

@@ -4,6 +4,7 @@ import { request } from "@app/lib/config/request";
 import { logger } from "@app/lib/logger";
 import { getGcpConnectionAuthToken } from "@app/services/app-connection/gcp";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 
 import { SecretSyncError } from "../secret-sync-errors";
 import { TSecretMap } from "../secret-sync-types";
@@ -153,6 +154,9 @@ export const GcpSyncFns = {
     }
 
     for await (const key of Object.keys(gcpSecrets)) {
+      // eslint-disable-next-line no-continue
+      if (!matchesSchema(key, secretSync.syncOptions.keySchema)) continue;
+
       try {
         if (!(key in secretMap) || !secretMap[key].value) {
           // eslint-disable-next-line no-continue

backend/src/services/secret-sync/github/github-sync-fns.ts

@@ -4,6 +4,7 @@ import sodium from "libsodium-wrappers";
 import { getGitHubClient } from "@app/services/app-connection/github";
 import { GitHubSyncScope, GitHubSyncVisibility } from "@app/services/secret-sync/github/github-sync-enums";
 import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import { SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
 import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
 
@@ -222,6 +223,9 @@ export const GithubSyncFns = {
     if (secretSync.syncOptions.disableSecretDeletion) return;
 
     for await (const encryptedSecret of encryptedSecrets) {
+      // eslint-disable-next-line no-continue
+      if (!matchesSchema(encryptedSecret.name, secretSync.syncOptions.keySchema)) continue;
+
       if (!(encryptedSecret.name in secretMap)) {
         await deleteSecret(client, secretSync, encryptedSecret);
       }

backend/src/services/secret-sync/hc-vault/hc-vault-sync-fns.ts

@@ -11,6 +11,7 @@ import {
   TPostHCVaultVariable
 } from "@app/services/secret-sync/hc-vault/hc-vault-sync-types";
 import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
 
 const listHCVaultVariables = async ({ instanceUrl, namespace, mount, accessToken, path }: THCVaultListVariables) => {
@@ -68,7 +69,7 @@ export const HCVaultSyncFns = {
     const {
       connection,
       destinationConfig: { mount, path },
-      syncOptions: { disableSecretDeletion }
+      syncOptions: { disableSecretDeletion, keySchema }
     } = secretSync;
 
     const { namespace } = connection.credentials;
@@ -95,6 +96,9 @@ export const HCVaultSyncFns = {
     if (disableSecretDeletion) return;
 
     for await (const [key] of Object.entries(variables)) {
+      // eslint-disable-next-line no-continue
+      if (!matchesSchema(key, keySchema)) continue;
+
       if (!(key in secretMap)) {
         delete variables[key];
         tainted = true;

backend/src/services/secret-sync/humanitec/humanitec-sync-fns.ts

@@ -2,6 +2,7 @@ import { request } from "@app/lib/config/request";
 import { logger } from "@app/lib/logger";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
 import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import { SECRET_SYNC_NAME_MAP } from "@app/services/secret-sync/secret-sync-maps";
 import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
 
@@ -199,6 +200,9 @@ export const HumanitecSyncFns = {
     if (secretSync.syncOptions.disableSecretDeletion) return;
 
     for await (const humanitecSecret of humanitecSecrets) {
+      // eslint-disable-next-line no-continue
+      if (!matchesSchema(humanitecSecret.key, secretSync.syncOptions.keySchema)) continue;
+
       if (!secretMap[humanitecSecret.key]) {
         await deleteSecret(secretSync, humanitecSecret);
       }

backend/src/services/secret-sync/oci-vault/oci-vault-sync-fns.ts

@@ -11,6 +11,7 @@ import {
   TUpdateOCIVaultVariable
 } from "@app/services/secret-sync/oci-vault/oci-vault-sync-types";
 import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
 
 const listOCIVaultVariables = async ({ provider, compartmentId, vaultId, onlyActive }: TOCIVaultListVariables) => {
@@ -211,6 +212,9 @@ export const OCIVaultSyncFns = {
 
     // Update and delete secrets
     for await (const [key, variable] of Object.entries(variables)) {
+      // eslint-disable-next-line no-continue
+      if (!matchesSchema(key, secretSync.syncOptions.keySchema)) continue;
+
       // Only update / delete active secrets
       if (variable.lifecycleState === vault.models.SecretSummary.LifecycleState.Active) {
         if (key in secretMap && secretMap[key].value.length > 0) {

backend/src/services/secret-sync/secret-sync-fns.ts

@@ -1,4 +1,5 @@
 import { AxiosError } from "axios";
+import RE2 from "re2";
 
 import {
   AWS_PARAMETER_STORE_SYNC_LIST_OPTION,
@@ -61,45 +62,63 @@ type TSyncSecretDeps = {
   kmsService: Pick<TKmsServiceFactory, "createCipherPairWithDataKey">;
 };
 
-// const addAffixes = (secretSync: TSecretSyncWithCredentials, unprocessedSecretMap: TSecretMap) => {
-//   let secretMap = { ...unprocessedSecretMap };
-//
-//   const { appendSuffix, prependPrefix } = secretSync.syncOptions;
-//
-//   if (appendSuffix || prependPrefix) {
-//     secretMap = {};
-//     Object.entries(unprocessedSecretMap).forEach(([key, value]) => {
-//       secretMap[`${prependPrefix || ""}${key}${appendSuffix || ""}`] = value;
-//     });
-//   }
-//
-//   return secretMap;
-// };
-//
-// const stripAffixes = (secretSync: TSecretSyncWithCredentials, unprocessedSecretMap: TSecretMap) => {
-//   let secretMap = { ...unprocessedSecretMap };
-//
-//   const { appendSuffix, prependPrefix } = secretSync.syncOptions;
-//
-//   if (appendSuffix || prependPrefix) {
-//     secretMap = {};
-//     Object.entries(unprocessedSecretMap).forEach(([key, value]) => {
-//       let processedKey = key;
-//
-//       if (prependPrefix && processedKey.startsWith(prependPrefix)) {
-//         processedKey = processedKey.slice(prependPrefix.length);
-//       }
-//
-//       if (appendSuffix && processedKey.endsWith(appendSuffix)) {
-//         processedKey = processedKey.slice(0, -appendSuffix.length);
-//       }
-//
-//       secretMap[processedKey] = value;
-//     });
-//   }
-//
-//   return secretMap;
-// };
+// Add schema to secret keys
+const addSchema = (unprocessedSecretMap: TSecretMap, schema?: string): TSecretMap => {
+  if (!schema) return unprocessedSecretMap;
+
+  const processedSecretMap: TSecretMap = {};
+
+  for (const [key, value] of Object.entries(unprocessedSecretMap)) {
+    const newKey = new RE2("{{secretKey}}").replace(schema, key);
+    processedSecretMap[newKey] = value;
+  }
+
+  return processedSecretMap;
+};
+
+// Strip schema from secret keys
+const stripSchema = (unprocessedSecretMap: TSecretMap, schema?: string): TSecretMap => {
+  if (!schema) return unprocessedSecretMap;
+
+  const [prefix, suffix] = schema.split("{{secretKey}}");
+
+  const strippedMap: TSecretMap = {};
+
+  for (const [key, value] of Object.entries(unprocessedSecretMap)) {
+    if (!key.startsWith(prefix) || !key.endsWith(suffix)) {
+      // eslint-disable-next-line no-continue
+      continue;
+    }
+
+    const strippedKey = key.slice(prefix.length, key.length - suffix.length);
+    strippedMap[strippedKey] = value;
+  }
+
+  return strippedMap;
+};
+
+// Checks if a key matches a schema
+export const matchesSchema = (key: string, schema?: string): boolean => {
+  if (!schema) return true;
+
+  const [prefix, suffix] = schema.split("{{secretKey}}");
+  if (prefix === undefined || suffix === undefined) return true;
+
+  return key.startsWith(prefix) && key.endsWith(suffix);
+};
+
+// Filter only for secrets with keys that match the schema
+const filterForSchema = (secretMap: TSecretMap, schema?: string): TSecretMap => {
+  const filteredMap: TSecretMap = {};
+
+  for (const [key, value] of Object.entries(secretMap)) {
+    if (matchesSchema(key, schema)) {
+      filteredMap[key] = value;
+    }
+  }
+
+  return filteredMap;
+};
 
 export const SecretSyncFns = {
   syncSecrets: (
@@ -107,51 +126,51 @@ export const SecretSyncFns = {
     secretMap: TSecretMap,
     { kmsService, appConnectionDAL }: TSyncSecretDeps
   ): Promise<void> => {
-    // const affixedSecretMap = addAffixes(secretSync, secretMap);
+    const schemaSecretMap = addSchema(secretMap, secretSync.syncOptions.keySchema);
 
     switch (secretSync.destination) {
       case SecretSync.AWSParameterStore:
-        return AwsParameterStoreSyncFns.syncSecrets(secretSync, secretMap);
+        return AwsParameterStoreSyncFns.syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.AWSSecretsManager:
-        return AwsSecretsManagerSyncFns.syncSecrets(secretSync, secretMap);
+        return AwsSecretsManagerSyncFns.syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.GitHub:
-        return GithubSyncFns.syncSecrets(secretSync, secretMap);
+        return GithubSyncFns.syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.GCPSecretManager:
-        return GcpSyncFns.syncSecrets(secretSync, secretMap);
+        return GcpSyncFns.syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.AzureKeyVault:
         return azureKeyVaultSyncFactory({
           appConnectionDAL,
           kmsService
-        }).syncSecrets(secretSync, secretMap);
+        }).syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.AzureAppConfiguration:
         return azureAppConfigurationSyncFactory({
           appConnectionDAL,
           kmsService
-        }).syncSecrets(secretSync, secretMap);
+        }).syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.Databricks:
         return databricksSyncFactory({
           appConnectionDAL,
           kmsService
-        }).syncSecrets(secretSync, secretMap);
+        }).syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.Humanitec:
-        return HumanitecSyncFns.syncSecrets(secretSync, secretMap);
+        return HumanitecSyncFns.syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.TerraformCloud:
-        return TerraformCloudSyncFns.syncSecrets(secretSync, secretMap);
+        return TerraformCloudSyncFns.syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.Camunda:
         return camundaSyncFactory({
           appConnectionDAL,
           kmsService
-        }).syncSecrets(secretSync, secretMap);
+        }).syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.Vercel:
-        return VercelSyncFns.syncSecrets(secretSync, secretMap);
+        return VercelSyncFns.syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.Windmill:
-        return WindmillSyncFns.syncSecrets(secretSync, secretMap);
+        return WindmillSyncFns.syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.HCVault:
-        return HCVaultSyncFns.syncSecrets(secretSync, secretMap);
+        return HCVaultSyncFns.syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.TeamCity:
-        return TeamCitySyncFns.syncSecrets(secretSync, secretMap);
+        return TeamCitySyncFns.syncSecrets(secretSync, schemaSecretMap);
       case SecretSync.OCIVault:
-        return OCIVaultSyncFns.syncSecrets(secretSync, secretMap);
+        return OCIVaultSyncFns.syncSecrets(secretSync, schemaSecretMap);
       default:
         throw new Error(
           `Unhandled sync destination for sync secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`
@@ -226,59 +245,58 @@ export const SecretSyncFns = {
         );
     }
 
-    return secretMap;
-    // return stripAffixes(secretSync, secretMap);
+    return stripSchema(filterForSchema(secretMap), secretSync.syncOptions.keySchema);
   },
   removeSecrets: (
     secretSync: TSecretSyncWithCredentials,
     secretMap: TSecretMap,
     { kmsService, appConnectionDAL }: TSyncSecretDeps
   ): Promise<void> => {
-    // const affixedSecretMap = addAffixes(secretSync, secretMap);
+    const schemaSecretMap = addSchema(secretMap, secretSync.syncOptions.keySchema);
 
     switch (secretSync.destination) {
       case SecretSync.AWSParameterStore:
-        return AwsParameterStoreSyncFns.removeSecrets(secretSync, secretMap);
+        return AwsParameterStoreSyncFns.removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.AWSSecretsManager:
-        return AwsSecretsManagerSyncFns.removeSecrets(secretSync, secretMap);
+        return AwsSecretsManagerSyncFns.removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.GitHub:
-        return GithubSyncFns.removeSecrets(secretSync, secretMap);
+        return GithubSyncFns.removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.GCPSecretManager:
-        return GcpSyncFns.removeSecrets(secretSync, secretMap);
+        return GcpSyncFns.removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.AzureKeyVault:
         return azureKeyVaultSyncFactory({
           appConnectionDAL,
           kmsService
-        }).removeSecrets(secretSync, secretMap);
+        }).removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.AzureAppConfiguration:
         return azureAppConfigurationSyncFactory({
           appConnectionDAL,
           kmsService
-        }).removeSecrets(secretSync, secretMap);
+        }).removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.Databricks:
         return databricksSyncFactory({
           appConnectionDAL,
           kmsService
-        }).removeSecrets(secretSync, secretMap);
+        }).removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.Humanitec:
-        return HumanitecSyncFns.removeSecrets(secretSync, secretMap);
+        return HumanitecSyncFns.removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.TerraformCloud:
-        return TerraformCloudSyncFns.removeSecrets(secretSync, secretMap);
+        return TerraformCloudSyncFns.removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.Camunda:
         return camundaSyncFactory({
           appConnectionDAL,
           kmsService
-        }).removeSecrets(secretSync, secretMap);
+        }).removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.Vercel:
-        return VercelSyncFns.removeSecrets(secretSync, secretMap);
+        return VercelSyncFns.removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.Windmill:
-        return WindmillSyncFns.removeSecrets(secretSync, secretMap);
+        return WindmillSyncFns.removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.HCVault:
-        return HCVaultSyncFns.removeSecrets(secretSync, secretMap);
+        return HCVaultSyncFns.removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.TeamCity:
-        return TeamCitySyncFns.removeSecrets(secretSync, secretMap);
+        return TeamCitySyncFns.removeSecrets(secretSync, schemaSecretMap);
       case SecretSync.OCIVault:
-        return OCIVaultSyncFns.removeSecrets(secretSync, secretMap);
+        return OCIVaultSyncFns.removeSecrets(secretSync, schemaSecretMap);
       default:
         throw new Error(
           `Unhandled sync destination for remove secrets fns: ${(secretSync as TSecretSyncWithCredentials).destination}`

backend/src/services/secret-sync/secret-sync-schemas.ts

@@ -1,3 +1,4 @@
+import RE2 from "re2";
 import { AnyZodObject, z } from "zod";
 
 import { SecretSyncsSchema } from "@app/db/schemas/secret-syncs";
@@ -24,6 +25,14 @@ const BaseSyncOptionsSchema = <T extends AnyZodObject | undefined = undefined>({
       ? z.nativeEnum(SecretSyncInitialSyncBehavior)
       : z.literal(SecretSyncInitialSyncBehavior.OverwriteDestination)
     ).describe(SecretSyncs.SYNC_OPTIONS(destination).initialSyncBehavior),
+    keySchema: z
+      .string()
+      .optional()
+      .refine((val) => !val || new RE2(/^(?:[a-zA-Z0-9\-/]*)(?:\{\{secretKey\}\})(?:[a-zA-Z0-9\-/]*)$/).test(val), {
+        message:
+          "Key schema must include one {{secretKey}} and only contain letters, numbers, dashes, slashes, and the {{secretKey}} placeholder."
+      })
+      .describe(SecretSyncs.SYNC_OPTIONS(destination).keySchema),
     disableSecretDeletion: z.boolean().optional().describe(SecretSyncs.SYNC_OPTIONS(destination).disableSecretDeletion)
   });
 

backend/src/services/secret-sync/teamcity/teamcity-sync-fns.ts

@@ -1,6 +1,7 @@
 import { request } from "@app/lib/config/request";
 import { getTeamCityInstanceUrl } from "@app/services/app-connection/teamcity";
 import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
 import {
   TDeleteTeamCityVariable,
@@ -125,6 +126,9 @@ export const TeamCitySyncFns = {
     const variables = await listTeamCityVariables({ instanceUrl, accessToken, project, buildConfig });
 
     for await (const [key, variable] of Object.entries(variables)) {
+      // eslint-disable-next-line no-continue
+      if (!matchesSchema(key, secretSync.syncOptions.keySchema)) continue;
+
       if (!(key in secretMap)) {
         try {
           await deleteTeamCityVariable({

backend/src/services/secret-sync/terraform-cloud/terraform-cloud-sync-fns.ts

@@ -4,6 +4,7 @@ import { AxiosResponse } from "axios";
 import { request } from "@app/lib/config/request";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
 import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
 
 import { SECRET_SYNC_NAME_MAP } from "../secret-sync-maps";
@@ -231,6 +232,9 @@ export const TerraformCloudSyncFns = {
     if (secretSync.syncOptions.disableSecretDeletion) return;
 
     for (const terraformCloudVariable of terraformCloudVariables) {
+      // eslint-disable-next-line no-continue
+      if (!matchesSchema(terraformCloudVariable.key, secretSync.syncOptions.keySchema)) continue;
+
       if (!Object.prototype.hasOwnProperty.call(secretMap, terraformCloudVariable.key)) {
         await deleteVariable(secretSync, terraformCloudVariable);
       }

backend/src/services/secret-sync/vercel/vercel-sync-fns.ts

@@ -2,6 +2,7 @@
 import { request } from "@app/lib/config/request";
 import { IntegrationUrls } from "@app/services/integration-auth/integration-list";
 import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import { TSecretMap } from "@app/services/secret-sync/secret-sync-types";
 
 import { VercelEnvironmentType } from "./vercel-sync-enums";
@@ -290,6 +291,9 @@ export const VercelSyncFns = {
     if (secretSync.syncOptions.disableSecretDeletion) return;
 
     for await (const vercelSecret of vercelSecrets) {
+      // eslint-disable-next-line no-continue
+      if (!matchesSchema(vercelSecret.key, secretSync.syncOptions.keySchema)) continue;
+
       if (!secretMap[vercelSecret.key]) {
         await deleteSecret(secretSync, vercelSecret);
       }

backend/src/services/secret-sync/windmill/windmill-sync-fns.ts

@@ -1,6 +1,7 @@
 import { request } from "@app/lib/config/request";
 import { getWindmillInstanceUrl } from "@app/services/app-connection/windmill";
 import { SecretSyncError } from "@app/services/secret-sync/secret-sync-errors";
+import { matchesSchema } from "@app/services/secret-sync/secret-sync-fns";
 import {
   TDeleteWindmillVariable,
   TPostWindmillVariable,
@@ -128,7 +129,7 @@ export const WindmillSyncFns = {
     const {
       connection,
       destinationConfig: { path },
-      syncOptions: { disableSecretDeletion }
+      syncOptions: { disableSecretDeletion, keySchema }
     } = secretSync;
 
     // url needs to be lowercase
@@ -169,6 +170,9 @@ export const WindmillSyncFns = {
     if (disableSecretDeletion) return;
 
     for await (const [key, variable] of Object.entries(variables)) {
+      // eslint-disable-next-line no-continue
+      if (!matchesSchema(key, keySchema)) continue;
+
       if (!(key in secretMap)) {
         try {
           await deleteWindmillVariable({

docs/api-reference/endpoints/oci-auth/attach.mdx

@@ -0,0 +1,4 @@
+---
+title: "Attach"
+openapi: "POST /api/v1/auth/oci-auth/identities/{identityId}"
+---

docs/api-reference/endpoints/oci-auth/login.mdx

@@ -0,0 +1,4 @@
+---
+title: "Login"
+openapi: "POST /api/v1/auth/oci-auth/login"
+---

docs/api-reference/endpoints/oci-auth/retrieve.mdx

@@ -0,0 +1,4 @@
+---
+title: "Retrieve"
+openapi: "GET /api/v1/auth/oci-auth/identities/{identityId}"
+---

docs/api-reference/endpoints/oci-auth/revoke.mdx

@@ -0,0 +1,4 @@
+---
+title: "Revoke"
+openapi: "DELETE /api/v1/auth/oci-auth/identities/{identityId}"
+---

docs/api-reference/endpoints/oci-auth/update.mdx

@@ -0,0 +1,4 @@
+---
+title: "Update"
+openapi: "PATCH /api/v1/auth/oci-auth/identities/{identityId}"
+---

docs/api-reference/overview/authentication.mdx

@@ -13,17 +13,17 @@ To interact with the Infisical API, you will need to obtain an access token. Fol
 <AccordionGroup>
 <Accordion title="Why can I not create, read, update, or delete an identity?">
   There are a few reasons for why this might happen:
-  
+
   - You have insufficient organization permissions to create, read, update, delete identities.
   - The identity you are trying to read, update, or delete is more privileged than yourself.
   - The role you are trying to create an identity for or update an identity to is more privileged than yours.
 </Accordion>
 <Accordion title="Why is the Infisical API rejecting my identity credentials?">
   There are a few reasons for why this might happen:
-  
+
   - The client secret or access token has expired.
-  - The identity is insufficently permissioned to interact with the resources you wish to access.
+  - The identity is insufficiently permissioned to interact with the resources you wish to access.
   - You are attempting to access a `/raw` secrets endpoint that requires your project to disable E2EE.
   - The client secret/access token is being used from an untrusted IP.
 </Accordion>
-</AccordionGroup>
+</AccordionGroup>

docs/documentation/getting-started/api.mdx

@@ -10,15 +10,15 @@ In this brief, we'll explore how to fetch a secret back from a project on [Infis
     <Step title="Create a project with a secret">
         To create a project, head to your Organization Overview and press **Add New Project**; we'll call the project **Demo App**.
         ![create project](../../images/getting-started/api/org-create-project-1.png)
-        
+
         ![create project](../../images/getting-started/api/org-create-project-2.png)
-        
+
         Next, let's head to the **Development** environment of the project and add a secret `FOO=BAR` to it.
-        
+
         ![explore project env](../../images/getting-started/api/project-explore-env.png)
-        
+
         ![create secret](../../images/getting-started/api/project-create-secret.png)
-        
+
         ![project dashboard](../../images/getting-started/api/project-dashboard.png)
 
         <Note>
@@ -29,13 +29,13 @@ In this brief, we'll explore how to fetch a secret back from a project on [Infis
         Next, we need to create an identity to represent your application. To create one, head to your Organization Settings > Access Control > Machine Identities and press **Create identity**.
 
         ![identities organization](../../images/platform/identities/identities-org.png)
-        
+
         When creating an identity, you specify an organization level [role](/documentation/platform/role-based-access-controls) for it to assume; you can configure roles in Organization Settings > Access Control > Organization Roles.
-        
+
         ![identities organization create](../../images/platform/identities/identities-org-create.png)
-        
+
         Once you've created an identity, you'll be prompted to configure the **Universal Auth** authentication method for it.
-        
+
         ![identities organization create auth method](../../images/platform/identities/identities-org-create-auth-method.png)
 
     </Step>
@@ -44,7 +44,7 @@ In this brief, we'll explore how to fetch a secret back from a project on [Infis
         of the identity and a **Client Secret** for it; you can think of these credentials akin to a username
         and password used to authenticate with the Infisical API. With that, press on the key icon on the identity to generate a **Client Secret**
         for it.
-        
+
         ![identities client secret create](../../images/platform/identities/identities-org-client-secret.png)
         ![identities client secret create](../../images/platform/identities/identities-org-client-secret-create-1.png)
         ![identities client secret create](../../images/platform/identities/identities-org-client-secret-create-2.png)
@@ -55,14 +55,14 @@ In this brief, we'll explore how to fetch a secret back from a project on [Infis
         Next, select the identity you want to add to the project and the role you want to assign it.
 
         ![identities project](../../images/platform/identities/identities-project.png)
-        
+
         ![identities project create](../../images/platform/identities/identities-project-create.png)
     </Step>
     <Step title="Get an access token for the Infisical API">
         To access the Infisical API as the identity, you should first perform a login operation
         that is to exchange the **Client ID** and **Client Secret** of the identity for an access token
         by making a request to the `/api/v1/auth/universal-auth/login` endpoint.
-        
+
         #### Sample request
 
         ```
@@ -71,9 +71,9 @@ In this brief, we'll explore how to fetch a secret back from a project on [Infis
         --data-urlencode 'clientSecret=<client_secret>' \
         --data-urlencode 'clientId=<client_id>'
         ```
-        
+
         #### Sample response
-        
+
         ```
         {
         "accessToken": "...",
@@ -83,9 +83,9 @@ In this brief, we'll explore how to fetch a secret back from a project on [Infis
         ```
 
         Next, we can use the access token to authenticate with the [Infisical API](/api-reference/overview/introduction) to read/write secrets
-        
+
         <Note>
-        Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+        Each identity access token has a time-to-live (TTL) which you can infer from the response of the login operation;
         the default TTL is `7200` seconds which can be adjusted.
 
         If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,
@@ -96,12 +96,12 @@ In this brief, we'll explore how to fetch a secret back from a project on [Infis
         Finally, you can fetch the secret `FOO=BAR` back from **Step 1** by including the access token in the previous step in another request to the `/api/v3/secrets/raw/{secretName}` endpoint.
 
         ### Sample request
-        
+
         ```
         curl --location --request GET 'http://localhost:8080/api/v3/secrets/raw/FOO?workspaceId=657830d579cfc8415d06ce5b&environment=dev' \
             --header 'Authorization: Bearer <access_token>'
         ```
-        
+
         ### Sample response
 
         ```
@@ -118,11 +118,11 @@ In this brief, we'll explore how to fetch a secret back from a project on [Infis
             }
         }
         ```
-        
+
         Note that you can fetch a list of secrets back by making a request to the `/api/v3/secrets/raw` endpoint.
     </Step>
 </Steps>
 
 See also:
 
-- [API Reference](/api-reference/overview/introduction)
+- [API Reference](/api-reference/overview/introduction)

docs/documentation/platform/identities/aws-auth.mdx

@@ -311,7 +311,7 @@ access the Infisical API using the AWS Auth authentication method.
         </Tip>
 
         <Note>
-        Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+        Each identity access token has a time-to-live (TTL) which you can infer from the response of the login operation;
         the default TTL is `7200` seconds which can be adjusted.
 
         If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,

docs/documentation/platform/identities/azure-auth.mdx

@@ -173,7 +173,7 @@ access the Infisical API using the Azure Auth authentication method.
             We recommend using one of Infisical's clients like SDKs or the Infisical Agent to authenticate with Infisical using Azure Auth as they handle the authentication process including retrieving the client access token.
         </Tip>
         <Note>
-        Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+        Each identity access token has a time-to-live (TTL) which you can infer from the response of the login operation;
         the default TTL is `7200` seconds which can be adjusted.
         If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,
         a new access token should be obtained by performing another login operation.

docs/documentation/platform/identities/gcp-auth.mdx

@@ -168,7 +168,7 @@ access the Infisical API using the GCP ID Token authentication method.
             We recommend using one of Infisical's clients like SDKs or the Infisical Agent to authenticate with Infisical using GCP IAM Auth as they handle the authentication process including generating the signed JWT token.
         </Tip>
         <Note>
-        Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+        Each identity access token has a time-to-live (TTL) which you can infer from the response of the login operation;
         the default TTL is `7200` seconds which can be adjusted.
         If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,
         a new access token should be obtained by performing another login operation.
@@ -179,7 +179,7 @@ access the Infisical API using the GCP ID Token authentication method.
 
   </Tab>
 <Tab title="GCP IAM Auth">
-  
+
     ## Diagram
 
     The following sequence diagram illustrates the GCP IAM Auth workflow for authenticating GCP IAM service accounts with Infisical.
@@ -352,7 +352,7 @@ access the Infisical API using the GCP IAM authentication method.
             We recommend using one of Infisical's clients like SDKs or the Infisical Agent to authenticate with Infisical using GCP IAM Auth as they handle the authentication process including generating the signed JWT token.
         </Tip>
         <Note>
-        Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+        Each identity access token has a time-to-live (TTL) which you can infer from the response of the login operation;
         the default TTL is `7200` seconds which can be adjusted.
         If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,
         a new access token should be obtained by performing another login operation.
@@ -361,5 +361,5 @@ access the Infisical API using the GCP IAM authentication method.
 
 </Steps>
   </Tab>
-  
+
 </Tabs>

docs/documentation/platform/identities/kubernetes-auth.mdx

@@ -56,7 +56,7 @@ In the following steps, we explore how to create and use identities for your app
     <Step title="Obtaining the token reviewer JWT for Infisical">
 				<Tabs>
 					<Tab title="Option 1: Reviewer JWT Token">
-        
+
         <Note>
         **When to use this option**: Choose this approach when you want centralized authentication management. Only one service account needs special permissions, and your application service accounts remain unchanged.
         </Note>
@@ -190,7 +190,7 @@ In the following steps, we explore how to create and use identities for your app
     Here's some more guidance on each field:
 
     - Kubernetes Host / Base Kubernetes API URL: The host string, host:port pair, or URL to the base of the Kubernetes API server. This can usually be obtained by running `kubectl cluster-info`.
-    - Token Reviewer JWT: A long-lived service account JWT token for Infisical to access the [TokenReview API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/) to validate other service account JWT tokens submitted by applications/pods. This is the JWT token obtained from step 1.5(Reviewer Tab). If omitted, the client's own JWT will be used instead, which requires the client to have the `system:auth-delegator` ClusterRole binding. 
+    - Token Reviewer JWT: A long-lived service account JWT token for Infisical to access the [TokenReview API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/) to validate other service account JWT tokens submitted by applications/pods. This is the JWT token obtained from step 1.5(Reviewer Tab). If omitted, the client's own JWT will be used instead, which requires the client to have the `system:auth-delegator` ClusterRole binding.
       This is shown in step 1, option 2.
     - Allowed Service Account Names: A comma-separated list of trusted service account names that are allowed to authenticate with Infisical.
     - Allowed Namespaces: A comma-separated list of trusted namespaces that service accounts must belong to authenticate with Infisical.
@@ -257,7 +257,7 @@ In the following steps, we explore how to create and use identities for your app
     </Tip>
 
     <Note>
-    Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+    Each identity access token has a time-to-live (TTL) which you can infer from the response of the login operation;
     the default TTL is `7200` seconds which can be adjusted.
 
     If an identity access token exceeds its max ttl, it can no longer authenticate with the Infisical API. In this case,
@@ -280,7 +280,7 @@ In the following steps, we explore how to create and use identities for your app
   There are a few reasons for why this might happen:
 
 - The access token has expired.
-- The identity is insufficently permissioned to interact with the resources you wish to access.
+- The identity is insufficiently permissioned to interact with the resources you wish to access.
 - The client access token is being used from an untrusted IP.
 
 </Accordion>

docs/documentation/platform/identities/oci-auth.mdx

@@ -0,0 +1,212 @@
+---
+title: OCI Auth
+description: "Learn how to authenticate with Infisical using OCI user accounts."
+---
+
+**OCI Auth** is an OCI-native authentication method that verifies Oracle Cloud Infrastructure users through signature validation, allowing secure access to Infisical resources.
+
+## Diagram
+
+The following sequence diagram illustrates the OCI Auth workflow for authenticating OCI users with Infisical.
+
+```mermaid
+sequenceDiagram
+  participant Client
+  participant Infisical
+  participant OCI
+
+  Note over Client,Client: Step 1: Sign user identity request
+
+  Note over Client,Infisical: Step 2: Login Operation
+  Client->>Infisical: Send signed request details to /api/v1/auth/oci-auth/login
+
+  Note over Infisical,OCI: Step 3: Request verification
+  Infisical->>OCI: Forward signed request
+  OCI-->>Infisical: Return user details
+
+  Note over Infisical: Step 4: Identity property validation
+  Infisical->>Client: Return short-lived access token
+
+  Note over Client,Infisical: Step 5: Access Infisical API with token
+  Client->>Infisical: Make authenticated requests using the short-lived access token
+```
+
+## Concept
+
+At a high level, Infisical authenticates an OCI user by verifying its identity and checking that it meets specific requirements (e.g., its username is authorized, its part of a tenancy) at the `/api/v1/auth/oci-auth/login` endpoint. If successful,
+then Infisical returns a short-lived access token that can be used to make authenticated requests to the Infisical API.
+
+To be more specific:
+1. The client [signs](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/signingrequests.htm) a `/20160918/users/{userId}` request using an OCI user's [private key](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm#Required_Keys_and_OCIDs); this is done using the [OCI SDK](https://infisical.com/docs/documentation/platform/identities/oci-auth#accessing-the-infisical-api-with-the-identity) or API.
+2. The client sends the signed request's headers and their user OCID to Infisical at the `/api/v1/auth/oci-auth/login` endpoint.
+3. Infisical reconstructs the request and sends it to OCI via the [Get User](https://docs.oracle.com/en/engineered-systems/private-cloud-appliance/3.0-latest/ceapi/op-20160918-users-user_id-get.html) endpoint for verification and obtains the identity associated with the OCI user.
+4. Infisical checks the user's properties against set criteria such as **Allowed Usernames** and **Tenancy OCID**.
+5. If all checks pass, Infisical returns a short-lived access token that the client can use to make authenticated requests to the Infisical API.
+
+## Prerequisite
+
+In order to sign requests, you must have an OCI user with credentials such as the private key. If you're unaware of how to create a user and obtain the needed credentials, expand the menu below.
+
+<Accordion title="Creating an OCI user">
+    <Steps>
+        <Step title="Search for 'Domains' and click as shown">
+            ![Search Domains](/images/app-connections/oci/search-domains.png)
+        </Step>
+        <Step title="Select domain">
+            Select the domain in which you want to create the Infisical user account.
+
+            ![Select Domain](/images/app-connections/oci/select-domain.png)
+        </Step>
+        <Step title="Navigate to 'Users'">
+            ![Select Users](/images/app-connections/oci/select-users.png)
+        </Step>
+        <Step title="Click 'Create user'">
+            ![Click Create User](/images/app-connections/oci/click-create-user.png)
+        </Step>
+        <Step title="Create user">
+            The name, email, and username can be anything.
+
+            ![Create User](/images/app-connections/oci/create-user.png)
+        </Step>
+        <Step title="Navigate to 'API keys'">
+            After you've created a user, you'll be redirected to the user's page. Navigate to 'API keys'.
+
+            ![Select API Keys](/images/app-connections/oci/select-api-keys.png)
+        </Step>
+        <Step title="Add API key">
+            Click on 'Add API key' and then download or import the private key. After you've obtained the private key, click 'Add'.
+
+            ![Add API Key](/images/app-connections/oci/add-api-key.png)
+
+            <Note>
+              At the end of the downloaded private key file, you'll see `OCI_API_KEY`. This is not apart of the private key, and should not be included when you use the private key to sign requests.
+            </Note>
+
+        </Step>
+        <Step title="Store configuration">
+            After creating the API key, you'll be shown a modal with relevant information. Save the highlighted values (and the private key) for later steps.
+
+            ![User Info](/images/app-connections/oci/user-info.png)
+        </Step>
+    </Steps>
+</Accordion>
+
+## Guide
+
+In the following steps, we explore how to create and use identities for your workloads and applications on OCI to
+access the Infisical API using the OCI request signing authentication method.
+
+### Creating an identity
+
+To create an identity, head to your Organization Settings > Access Control > [Identities](https://app.infisical.com/organization/access-management?selectedTab=identities) and press **Create identity**.
+
+![identities organization](/images/platform/identities/identities-org.png)
+
+When creating an identity, you specify an organization-level [role](/documentation/platform/role-based-access-controls) for it to assume; you can configure roles in Organization Settings > Access Control > [Organization Roles](https://app.infisical.com/organization/access-management?selectedTab=roles).
+
+![identities organization create](/images/platform/identities/identities-org-create.png)
+
+Input some details for your new identity:
+- **Name (required):** A friendly name for the identity.
+- **Role (required):** A role from the [**Organization Roles**](https://app.infisical.com/organization/access-management?selectedTab=roles) tab for the identity to assume. The organization role assigned will determine what organization-level resources this identity can have access to.
+
+Once you've created an identity, you'll be redirected to a page where you can manage the identity.
+
+![identities page](/images/platform/identities/identities-page.png)
+
+Since the identity has been configured with [Universal Auth](https://infisical.com/docs/documentation/platform/identities/universal-auth) by default, you should reconfigure it to use OCI Auth instead. To do this, click the cog next to **Universal Auth** and then select **Delete** in the options dropdown.
+
+![identities press cog](/images/platform/identities/identities-press-cog.png)
+
+![identities page remove default auth](/images/platform/identities/identities-page-remove-default-auth.png)
+
+Now create a new OCI Auth Method.
+
+![identities create oci auth method](/images/platform/identities/identities-org-create-oci-auth-method.png)
+
+Here's some information about each field:
+- **Tenancy OCID:** The OCID of your tenancy. All users authenticating must be part of this Tenancy.
+- **Allowed Usernames:** A comma-separated list of trusted OCI users that are allowed to authenticate with Infisical.
+- **Access Token TTL (default is `2592000` equivalent to 30 days):** The lifetime for an access token in seconds. This value will be referenced at renewal time.
+- **Access Token Max TTL (default is `2592000` equivalent to 30 days):** The maximum lifetime for an access token in seconds. This value will be referenced at renewal time.
+- **Access Token Max Number of Uses (default is `0`):** The maximum number of times that an access token can be used; a value of `0` implies an infinite number of uses.
+- **Access Token Trusted IPs:** The IPs or CIDR ranges that access tokens can be used from. By default, each token is given the `0.0.0.0/0`, allowing usage from any network address.
+
+### Adding an identity to a project
+
+In order to allow an identity to access project-level resources such as secrets, you must add it to the relevant projects.
+
+To do this, head over to the project you want to add the identity to and navigate to Project Settings > Access Control > Machine Identities and press **Add Identity**.
+
+![identities project](/images/platform/identities/identities-project.png)
+
+Select the identity you want to add to the project and the project-level role you want it to assume. The project role given to the identity will determine what project-level resources this identity can access.
+
+![identities project create](/images/platform/identities/identities-project-create.png)
+
+### Accessing the Infisical API with the identity
+
+To access the Infisical API as the identity, you need to construct a signed [Get User](https://docs.oracle.com/en/engineered-systems/private-cloud-appliance/3.0-latest/ceapi/op-20160918-users-user_id-get.html) request using [OCI Signature v1](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/signingrequests.htm#Request_Signatures) and then make a request to the `/api/v1/auth/oci-auth/login` endpoint passing the signed header data and user OCID.
+
+Below is an example of how you can authenticate with Infisical using the `oci-sdk` for NodeJS.
+
+```typescript
+import { common } from "oci-sdk";
+
+// Change these credentials to match your OCI user
+const tenancyId = "ocid1.tenancy.oc1..example";
+const userId = "ocid1.user.oc1..example";
+const fingerprint = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00";
+const region = "us-ashburn-1";
+const privateKey = "..."; // Must be PEM format
+
+const provider = new common.SimpleAuthenticationDetailsProvider(
+  tenancyId,
+  userId,
+  fingerprint,
+  privateKey,
+  null,
+  common.Region.fromRegionId(region),
+);
+
+// Build request
+const headers = new Headers({
+  host: `identity.${region}.oraclecloud.com`,
+});
+
+const request: common.HttpRequest = {
+  method: "GET",
+  uri: `/20160918/users/${userId}`,
+  headers,
+  body: null,
+};
+
+// Sign request
+const signer = new common.DefaultRequestSigner(provider);
+await signer.signHttpRequest(request);
+
+// Forward signed request to Infisical
+const requestAsJson = {
+  identityId: "2dd11664-68e3-471d-b366-907206ab1bff",
+  userOcid: userId,
+  headers: Object.fromEntries(request.headers.entries()),
+};
+
+const res = await fetch("https://app.infisical.com/api/v1/auth/oci-auth/login", {
+  method: "POST",
+  headers: {
+    "Content-Type": "application/json",
+  },
+  body: JSON.stringify(requestAsJson),
+});
+
+const json = await res.json();
+
+console.log("Infisical Response:", json);
+```
+
+<Note>
+    Each identity access token has a time-to-live (TTL) which you can infer from the response of the login operation; the default TTL is `7200` seconds, which can be adjusted.
+
+    If an identity access token expires, it can no longer access the Infisical API. A new access token should be obtained by performing another login operation.
+</Note>

docs/documentation/platform/identities/oidc-auth/circleci.mdx

@@ -163,7 +163,7 @@ In the following steps, we explore how to create and use identities to access th
         }
         ```
         <Note>
-            Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+            Each identity access token has a time-to-live (TTL) which you can infer from the response of the login operation;
             the default TTL is `7200` seconds which can be adjusted.
 
             If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,

docs/documentation/platform/identities/oidc-auth/general.mdx

@@ -159,7 +159,7 @@ In the following steps, we explore how to create and use identities to access th
         </Tip>
 
         <Note>
-        Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+        Each identity access token has a time-to-live (TTL) which you can infer from the response of the login operation;
         the default TTL is `7200` seconds which can be adjusted.
 
         If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,

docs/documentation/platform/identities/oidc-auth/github.mdx

@@ -159,7 +159,7 @@ In the following steps, we explore how to create and use identities to access th
         </Tip>
 
         <Note>
-        Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+        Each identity access token has a time-to-live (TTL) which you can infer from the response of the login operation;
         the default TTL is `7200` seconds which can be adjusted.
 
         If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,

docs/documentation/platform/identities/token-auth.mdx

@@ -77,9 +77,9 @@ using the Token Auth authentication method.
 
   </Step>
   <Step title="Creating a Token">
-    In order to use the identity with Token Auth, you'll need to create an (access) token; you can think of this token akin 
+    In order to use the identity with Token Auth, you'll need to create an (access) token; you can think of this token akin
     to an API Key used to authenticate with the Infisical API. With that, press **Create Token**.
-    
+
     ![identities client secret create](/images/platform/identities/identities-token-auth-create-1.png)
 
     ![identities client secret create](/images/platform/identities/identities-token-auth-create-2.png)
@@ -106,7 +106,7 @@ using the Token Auth authentication method.
     to authenticate with the [Infisical API](/api-reference/overview/introduction).
 
     <Note>
-      Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+      Each identity access token has a time-to-live (TTL) which you can infer from the response of the login operation;
       the default TTL is `7200` seconds which can be adjusted in the Token Auth configuration.
 
       If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,
@@ -121,14 +121,14 @@ using the Token Auth authentication method.
 <AccordionGroup>
 <Accordion title="Why is the Infisical API rejecting my access token?">
   There are a few reasons for why this might happen:
-  
+
   - The access token has expired. If this is the case, you should obtain a new access token or consider extending the token's TTL.
-  - The identity is insufficently permissioned to interact with the resources you wish to access.
+  - The identity is insufficiently permissioned to interact with the resources you wish to access.
   - The access token is being used from an untrusted IP.
 </Accordion>
 <Accordion title="What is access token renewal and TTL/Max TTL?">
   A identity access token can have a time-to-live (TTL) or incremental lifetime after which it expires.
-  
+
   In certain cases, you may want to extend the lifespan of an access token; to do so, you must set a max TTL parameter.
 
 A token can be renewed any number of times where each call to renew it can extend the token's lifetime by increments of the access token's TTL.

docs/documentation/platform/identities/universal-auth.mdx

@@ -84,15 +84,15 @@ using the Universal Auth authentication method.
   <Step title="Creating a Client Secret">
     In order to use the identity, you'll need the non-sensitive **Client ID**
     of the identity and a **Client Secret** for it; you can think of these credentials akin to a username
-    and password used to authenticate with the Infisical API. 
+    and password used to authenticate with the Infisical API.
     With that, press **Create Client Secret**.
-    
+
     ![identities client secret create](/images/platform/identities/identities-universal-auth-create-1.png)
     ![identities client secret create](/images/platform/identities/identities-universal-auth-create-2.png)
     ![identities client secret create](/images/platform/identities/identities-universal-auth-create-3.png)
-    
+
     Feel free to input any (optional) details for the **Client Secret** configuration:
-    
+
     - Description: A description for the **Client Secret**.
     - TTL (default is `0`): The time-to-live for the **Client Secret**. By default, the TTL will be set to 0 which implies that the **Client Secret** will never expire; a value of `0` implies an infinite lifetime.
     - Max Number of Uses (default is `0`): The maximum number of times that the **Client Secret** can be used together with the **Client ID** to get back an access token; a value of `0` implies infinite number of uses.
@@ -113,10 +113,10 @@ using the Universal Auth authentication method.
     To access the Infisical API as the identity, you should first perform a login operation
     that is to exchange the **Client ID** and **Client Secret** of the identity for an access token
     by making a request to the `/api/v1/auth/universal-auth/login` endpoint.
-    
+
     <Tip>
       Choose the correct base URL based on your region:
-      
+
       - For Infisical Cloud US users: `https://app.infisical.com`
       - For Infisical Cloud EU users: `https://eu.infisical.com`
     </Tip>
@@ -144,7 +144,7 @@ using the Universal Auth authentication method.
     Next, you can use the access token to authenticate with the [Infisical API](/api-reference/overview/introduction)
 
     <Note>
-      Each identity access token has a time-to-live (TLL) which you can infer from the response of the login operation;
+      Each identity access token has a time-to-live (TTL) which you can infer from the response of the login operation;
       the default TTL is `7200` seconds which can be adjusted in the Universal Auth configuration.
 
       If an identity access token expires, it can no longer authenticate with the Infisical API. In this case,
@@ -159,14 +159,14 @@ using the Universal Auth authentication method.
 <AccordionGroup>
 <Accordion title="Why is the Infisical API rejecting my identity credentials?">
   There are a few reasons for why this might happen:
-  
+
   - The client secret or access token has expired.
-  - The identity is insufficently permissioned to interact with the resources you wish to access.
+  - The identity is insufficiently permissioned to interact with the resources you wish to access.
   - The client secret/access token is being used from an untrusted IP.
 </Accordion>
 <Accordion title="What is access token renewal and TTL/Max TTL?">
   A identity access token can have a time-to-live (TTL) or incremental lifetime after which it expires.
-  
+
   In certain cases, you may want to extend the lifespan of an access token; to do so, you must set a max TTL parameter.
 
 A token can be renewed any number of times where each call to renew it can extend the token's lifetime by increments of the access token's TTL.

docs/documentation/platform/secret-rotation/aws-iam-user-secret.mdx

@@ -182,10 +182,10 @@ In the following steps, we explore the end-to-end workflow for setting up this s
 
 <AccordionGroup>
   <Accordion title="Why are my AWS IAM credentials not rotating?">
-    There are a few reasons for why this might happen: 
+    There are a few reasons for why this might happen:
 	- The strategy configuration is invalid (e.g. the managing IAM user's credentials are incorrect, the target AWS region is incorrect, etc.)
-	- The managing IAM user is insufficently permissioned to rotate the credentials of the target IAM user. For instance, you may have setup
+	- The managing IAM user is insufficiently permissioned to rotate the credentials of the target IAM user. For instance, you may have setup
 	[paths](https://aws.amazon.com/blogs/security/optimize-aws-administration-with-iam-paths/) for the managing IAM user and the policy does not have the necessary
-    permissions to rotate the credentials. 
+    permissions to rotate the credentials.
   </Accordion>
 </AccordionGroup>

docs/documentation/platform/sso/general-oidc/group-membership-mapping.mdx

@@ -0,0 +1,55 @@
+---
+title: "General OIDC Group Membership Mapping"
+sidebarTitle: "Group Membership Mapping"
+description: "Learn how to sync OIDC group members to matching groups in Infisical."
+---
+
+You can have Infisical automatically sync group
+memberships between your OIDC provider and Infisical by configuring a `groups` claim on your provider tokens.
+When a user logs in via OIDC, they will be added to Infisical groups that are present in their OIDC `groups` claim,
+and removed from any Infisical groups not present in the claim.
+
+<Info>
+    When enabled, manual
+    management of Infisical group memberships will be disabled.
+</Info>
+
+<Warning>
+    Group membership changes in your OIDC provider only sync with Infisical when a
+    user logs in via OIDC. For example, if you remove a user from a group in your OIDC provider,
+    this change will not be reflected in Infisical until their next OIDC login.
+    To ensure this behavior, Infisical recommends enabling Enforce OIDC SSO in the OIDC settings.
+</Warning>
+
+
+<Steps>
+    <Step title="Configure a groups claim in your OIDC provider">
+       To enable OIDC Group Membership Mapping, you must configure a `groups` claim in your OIDC provider.
+
+        Add a `groups` property with a list of the user's OIDC group names to your token.
+
+        Example of expected token payload:
+        ```json
+        {
+            // "email": "john@provider.com",
+            // "given_name": "John",
+            // ...other claims
+            "groups": ["Billing Group", "Sales Group"]
+        }
+        ```
+
+        <Note>
+            Setup varies between OIDC providers. Please refer to your OIDC provider's documentation for more information.
+        </Note>
+    </Step>
+    <Step title="Setup groups in Infisical and enable OIDC Group Membership Mapping">
+        2.1. In Infisical, create any groups you would like to sync users to. Make sure the name of the Infisical group is an exact match of the OIDC group name.
+        ![OIDC general infisical group](/images/sso/keycloak-oidc/group-membership-mapping/create-infisical-group.png)
+
+        2.2. Next, enable **OIDC Group Membership Mapping** on the **Single Sign-On (SSO)** page under the **General** tab.
+        ![OIDC general enable group membership mapping](/images/sso/keycloak-oidc/group-membership-mapping/enable-group-membership-mapping.png)
+
+        2.3. The next time a user logs in they will be synced to their matching OIDC groups.
+        ![OIDC general synced users](/images/sso/keycloak-oidc/group-membership-mapping/synced-users.png)
+    </Step>
+</Steps>

docs/documentation/platform/sso/general-oidc/overview.mdx

@@ -1,5 +1,6 @@
 ---
 title: "General OIDC"
+sidebarTitle: "Overview"
 description: "Learn how to configure OIDC for Infisical SSO with any OIDC-compliant identity provider"
 ---
 
@@ -29,7 +30,7 @@ Prerequisites:
    </Step>
    <Step title="Finish configuring OIDC in Infisical">
       2.1. Back in Infisical, head to the **Single Sign-On (SSO)** page and select the **General** tab. Select **Connect** for **OIDC**.
-      ![OIDC SSO Connect](../../../images/sso/connect-oidc.png)
+      ![OIDC SSO Connect](../../../../images/sso/connect-oidc.png)
 
       2.2. You can configure OIDC either through the Discovery URL (Recommended) or by inputting custom endpoints.
 
@@ -39,10 +40,10 @@ Prerequisites:
       Note that the Discovery Document URL typically takes the form: `https://<idp-domain>/.well-known/openid-configuration`.
       </Note>
 
-      ![OIDC general discovery config](../../../images/sso/general-oidc/discovery-oidc-form.png)
+      ![OIDC general discovery config](../../../../images/sso/general-oidc/discovery-oidc-form.png)
 
       To configure OIDC via the custom endpoints, set the **Configuration Type** field to **Custom** and input the required endpoint fields.
-      ![OIDC general custom config](../../../images/sso/general-oidc/custom-oidc-form.png)
+      ![OIDC general custom config](../../../../images/sso/general-oidc/custom-oidc-form.png)
 
       2.3. Select the appropriate JWT signature algorithm for your IdP. Currently, the supported options are RS256, RS512, HS256, and EdDSA.
 
@@ -55,7 +56,7 @@ Prerequisites:
      <Step title="Enable OIDC SSO in Infisical">
       Enabling OIDC SSO allows members in your organization to log into Infisical via the configured Identity Provider
 
-      ![OIDC general enable OIDC](../../../images/sso/general-oidc/org-oidc-enable.png)
+      ![OIDC general enable OIDC](../../../../images/sso/general-oidc/org-oidc-enable.png)
     </Step>
 
     <Step title="Enforce OIDC SSO in Infisical">

docs/integrations/cloud/heroku.mdx

@@ -22,11 +22,11 @@ description: "How to sync secrets from Infisical to Heroku"
       </Step>
       <Step title="Start integration">
         Select which Infisical environment secrets you want to sync to which Heroku app and press create integration to start syncing secrets to Heroku.
-        
+
         ![integrations heroku](../../images/integrations/heroku/integrations-heroku-create.png)
 
         Here's some guidance on each field:
-        
+
         - Project Environment: The environment in the current Infisical project from which you want to sync secrets from.
         - Secrets Path: The path in the current Infisical project from which you want to sync secrets from such as `/` (for secrets that do not reside in a folder) or `/foo/bar` (for secrets nested in a folder, in this case a folder called `bar` in another folder called `foo`).
         - Heroku App: The application in Heroku that you want to sync secrets to.
@@ -34,7 +34,7 @@ description: "How to sync secrets from Infisical to Heroku"
           - **No Import - Overwrite all values in Heroku**: Sync secrets and overwrite any existing secrets in Heroku.
           - **Import - Prefer values from Infisical**: Import secrets from Heroku to Infisical; if a secret with the same name already exists in Infisical, do nothing. Afterwards, sync secrets to Heroku.
           - **Import - Prefer values from Heroku**: Import secrets from Heroku to Infisical; if a secret with the same name already exists in Infisical, replace its value with the one from Heroku. Afterwards, sync secrets to Heroku.
-        
+
         ![integrations heroku](../../images/integrations/heroku/integrations-heroku.png)
       </Step>
     </Steps>
@@ -46,27 +46,26 @@ description: "How to sync secrets from Infisical to Heroku"
       <Step title="Create an API client in Heroku">
         Navigate to your user Account settings > Applications to create a new API client.
 
-        ![integrations Heroku config](../../images/integrations/heroku/integrations-heroku-config-settings.png) 
-        ![integrations Heroku config](../../images/integrations/heroku/integrations-heroku-config-applications.png) 
-        ![integrations Heroku config](../../images/integrations/heroku/integrations-heroku-config-new-app.png) 
-        
+        ![integrations Heroku config](../../images/integrations/heroku/integrations-heroku-config-settings.png)
+        ![integrations Heroku config](../../images/integrations/heroku/integrations-heroku-config-applications.png)
+        ![integrations Heroku config](../../images/integrations/heroku/integrations-heroku-config-new-app.png)
+
           Create the API client. As part of the form, set the **OAuth callback URL** to `https://your-domain.com/integrations/heroku/oauth2/callback`.
 
-        ![integrations Heroku config](../../images/integrations/heroku/integrations-heroku-config-new-app-form.png) 
+        ![integrations Heroku config](../../images/integrations/heroku/integrations-heroku-config-new-app-form.png)
       </Step>
       <Step title="Add your Heroku API client credentials to Infisical">
         Obtain the **Client ID** and **Client Secret** for your Heroku API client.
-        
-        ![integrations Heroku config](../../images/integrations/heroku/integrations-heroku-config-credentials.png) 
-        
+
+        ![integrations Heroku config](../../images/integrations/heroku/integrations-heroku-config-credentials.png)
+
         Back in your Infisical instance, add two new environment variables for the credentials of your Heroku API client.
 
         - `CLIENT_ID_HEROKU`: The **Client ID** of your Heroku API client.
         - `CLIENT_SECRET_HEROKU`: The **Client Secret** of your Heroku API client.
-        
+
         Once added, restart your Infisical instance and use the Heroku integration.
       </Step>
     </Steps>
   </Tab>
 </Tabs>
-

docs/integrations/frameworks/pulumi.mdx

@@ -0,0 +1,14 @@
+---
+title: "Pulumi"
+description: "Using Infisical with Pulumi via the Terraform Bridge"
+---
+
+Infisical can be integrated with Pulumi by leveraging Pulumi’s [Terraform Bridge](https://www.pulumi.com/blog/any-terraform-provider/), 
+which allows Terraform providers to be used seamlessly within Pulumi projects. This enables infrastructure and platform teams to manage Infisical secrets and resources 
+using Pulumi’s familiar programming languages (including TypeScript, Python, Go, and C#), without any change to existing workflows.
+
+The Terraform Bridge wraps the [Infisical Terraform provider](/integrations/frameworks/terraform) and exposes its resources (such as `infisical_secret`, `infisical_project`, and `infisical_service_token`) 
+in a Pulumi-compatible interface. This makes it easy to integrate secret management directly into Pulumi-based IaC pipelines, ensuring secrets stay in sync with 
+the rest of your cloud infrastructure. Authentication is handled through the same methods as Terraform: using environment variables such as `INFISICAL_TOKEN` and `INFISICAL_SITE_URL`.
+
+By bridging the Infisical provider, teams using Pulumi can adopt secure, centralized secrets management without compromising on their toolchain or language preferences.

docs/integrations/secret-syncs/aws-parameter-store.mdx

@@ -40,6 +40,10 @@ description: "Learn how to configure an AWS Parameter Store Sync for Infisical."
                 - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
                 - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Parameter Store when keys conflict.
                 - **Import Secrets (Prioritize AWS Parameter Store)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Parameter Store over Infisical when keys conflict.
+            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+            <Note>
+                We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
+            </Note>
             - **KMS Key**: The AWS KMS key ID or alias to encrypt parameters with.
             - **Tags**: Optional resource tags to add to parameters synced by Infisical.
             - **Sync Secret Metadata as Resource Tags**: If enabled, metadata attached to secrets will be added as resource tags to parameters synced by Infisical.

docs/integrations/secret-syncs/aws-secrets-manager.mdx

@@ -43,6 +43,10 @@ description: "Learn how to configure an AWS Secrets Manager Sync for Infisical."
                 - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
                 - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Secrets Manager when keys conflict.
                 - **Import Secrets (Prioritize AWS Secrets Manager)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Secrets Manager over Infisical when keys conflict.
+            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+            <Note>
+                We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
+            </Note>
             - **KMS Key**: The AWS KMS key ID or alias to encrypt secrets with.
             - **Tags**: Optional tags to add to secrets synced by Infisical.
             - **Sync Secret Metadata as Tags**: If enabled, metadata attached to secrets will be added as tags to secrets synced by Infisical.

docs/integrations/secret-syncs/azure-app-configuration.mdx

@@ -48,7 +48,10 @@ description: "Learn how to configure an Azure App Configuration Sync for Infisic
                 - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
                 - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Secrets Manager when keys conflict.
                 - **Import Secrets (Prioritize Azure App Configuration)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Secrets Manager over Infisical when keys conflict.
-
+            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+            <Note>
+                We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
+            </Note>
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
             - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 

docs/integrations/secret-syncs/azure-key-vault.mdx

@@ -51,6 +51,10 @@ description: "Learn how to configure a Azure Key Vault Sync for Infisical."
                 - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
                 - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Secrets Manager when keys conflict.
                 - **Import Secrets (Prioritize Azure Key Vault)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Secrets Manager over Infisical when keys conflict.
+            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+            <Note>
+                We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
+            </Note>
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
             - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 

docs/integrations/secret-syncs/camunda.mdx

@@ -39,6 +39,10 @@ description: "Learn how to configure a Camunda Sync for Infisical."
                 - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
                 - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Camunda when keys conflict.
                 - **Import Secrets (Prioritize Camunda)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Camunda over Infisical when keys conflict.
+            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+            <Note>
+                We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
+            </Note>
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
             - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 

docs/integrations/secret-syncs/databricks.mdx

@@ -46,6 +46,10 @@ description: "Learn how to configure a Databricks Sync for Infisical."
                 <Note>
                     Databricks does not support importing secrets.
                 </Note>
+            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+            <Note>
+                We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
+            </Note>
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
             - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 

docs/integrations/secret-syncs/gcp-secret-manager.mdx

@@ -42,6 +42,10 @@ description: "Learn how to configure a GCP Secret Manager Sync for Infisical."
                 - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
                 - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over GCP Secret Manager when keys conflict.
                 - **Import Secrets (Prioritize GCP Secret Manager)**: Imports secrets from the destination endpoint before syncing, prioritizing values from GCP Secret Manager over Infisical when keys conflict.
+            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+            <Note>
+                We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
+            </Note>
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
             - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 

docs/integrations/secret-syncs/github.mdx

@@ -62,6 +62,10 @@ description: "Learn how to configure a GitHub Sync for Infisical."
                 <Note>
                     GitHub does not support importing secrets.
                 </Note>
+            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+            <Note>
+                We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
+            </Note>
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
             - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 

docs/integrations/secret-syncs/hashicorp-vault.mdx

@@ -54,6 +54,10 @@ description: "Learn how to configure a Hashicorp Vault Sync for Infisical."
                     - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
                     - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Hashicorp Vault when keys conflict.
                     - **Import Secrets (Prioritize Hashicorp Vault)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Hashicorp Vault over Infisical when keys conflict.
+                - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+                <Note>
+                    We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
+                </Note>
                 - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
                 - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
             </Step>

docs/integrations/secret-syncs/humanitec.mdx

@@ -55,6 +55,10 @@ description: "Learn how to configure a Humanitec Sync for Infisical."
                 <Note>
                     Humanitec does not support importing secrets.
                 </Note>
+            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+            <Note>
+                We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
+            </Note>
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
             - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 

docs/integrations/secret-syncs/oci-vault.mdx

@@ -47,10 +47,13 @@ description: "Learn how to configure an Oracle Cloud Infrastructure Vault Sync f
                 ![Configure Sync Options](/images/secret-syncs/oci-vault/configure-sync-options.png)
 
                 - **Initial Sync Behavior**: Determines how Infisical should resolve the initial sync.
-                - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
-                - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over OCI Vault when keys conflict.
-                - **Import Secrets (Prioritize OCI Vault)**: Imports secrets from the destination endpoint before syncing, prioritizing values from OCI Vault over Infisical when keys conflict.
-
+                    - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
+                    - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over OCI Vault when keys conflict.
+                    - **Import Secrets (Prioritize OCI Vault)**: Imports secrets from the destination endpoint before syncing, prioritizing values from OCI Vault over Infisical when keys conflict.
+                - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+                <Note>
+                    We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
+                </Note>
                 - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
                 - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
             </Step>

docs/integrations/secret-syncs/overview.mdx

@@ -93,4 +93,28 @@ via the UI or API for the third-party service you intend to sync secrets to.
 <Note>
     Infisical is continuously expanding it's Secret Sync third-party service support. If the service you need isn't available,
     you can still use our Native Integrations in the interim, or contact us at team@infisical.com to make a request .
-</Note>
+</Note>
+
+## Key Schemas
+
+Key Schemas let you control how Infisical names your secret keys when syncing to external destinations. This makes it clear which secrets are managed by Infisical and prevents accidental changes to unrelated secrets.
+
+A Key Schema adds a prefix, suffix, or format to your secrets before they reach the destination.
+
+This example demonstrates key behavior if the schema was set to `INFISICAL_{{secretKey}}`:
+
+<div align="center">
+    ```mermaid
+    graph LR
+        A[SECRET_1] --> T["Syncs as"] --> B[INFISICAL_SECRET_1]
+
+        style A fill:#E6F4FF,stroke:#0096D6,stroke-width:2px,color:black,rx:15px
+        style B fill:#F4FFE6,stroke:#96D600,stroke-width:2px,color:black,rx:15px
+        style T fill:#FFF2B2,stroke:#E6C34A,stroke-width:2px,color:black,rx:2px,font-size:12px
+
+    ```
+</div>
+
+<Note>
+    When importing secrets from the destination into infisical, the schema is stripped from imported secret keys.
+</Note>

docs/integrations/secret-syncs/teamcity.mdx

@@ -48,7 +48,10 @@ description: "Learn how to configure a TeamCity Sync for Infisical."
                 <Note>
                     Infisical only syncs secrets from within the target scope; inherited secrets will not be imported.
                 </Note>
-
+            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+            <Note>
+                We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
+            </Note>
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
             - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 

docs/integrations/secret-syncs/terraform-cloud.mdx

@@ -56,6 +56,10 @@ description: "Learn how to configure a Terraform Cloud Sync for Infisical."
                 <Note>
                     Terraform Cloud does not support importing secrets.
                 </Note>
+            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+            <Note>
+                We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
+            </Note>
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
             - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 

docs/integrations/secret-syncs/vercel.mdx

@@ -43,6 +43,10 @@ description: "Learn how to configure a Vercel Sync for Infisical."
                 - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
                 - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Vercel when keys conflict.
                 - **Import Secrets (Prioritize Vercel)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Vercel over Infisical when keys conflict.
+            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+            <Note>
+                We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
+            </Note>
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
             - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 

docs/integrations/secret-syncs/windmill.mdx

@@ -44,6 +44,10 @@ description: "Learn how to configure a Windmill Sync for Infisical."
                 - **Overwrite Destination Secrets**: Removes any secrets at the destination endpoint not present in Infisical.
                 - **Import Secrets (Prioritize Infisical)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Infisical over Windmill when keys conflict.
                 - **Import Secrets (Prioritize Windmill)**: Imports secrets from the destination endpoint before syncing, prioritizing values from Windmill over Infisical when keys conflict.
+            - **Key Schema**: Template that determines how secret names are transformed when syncing, using `{{secretKey}}` as a placeholder for the original secret name.
+            <Note>
+                We highly recommend using a Key Schema to ensure that Infisical only manages the specific keys you intend, keeping everything else untouched.
+            </Note>
             - **Auto-Sync Enabled**: If enabled, secrets will automatically be synced from the source location when changes occur. Disable to enforce manual syncing only.
             - **Disable Secret Deletion**: If enabled, Infisical will not remove secrets from the sync destination. Enable this option if you intend to manage some secrets manually outside of Infisical.
 

docs/mint.json

@@ -266,14 +266,25 @@
                 "documentation/platform/sso/google-saml",
                 "documentation/platform/sso/auth0-saml",
                 {
-                  "group": "Keycloak OIDC",
+                  "group": "OIDC",
                   "pages": [
-                    "documentation/platform/sso/keycloak-oidc/overview",
-                    "documentation/platform/sso/keycloak-oidc/group-membership-mapping"
+                    {
+                      "group": "Keycloak OIDC",
+                      "pages": [
+                        "documentation/platform/sso/keycloak-oidc/overview",
+                        "documentation/platform/sso/keycloak-oidc/group-membership-mapping"
+                      ]
+                    },
+                    "documentation/platform/sso/auth0-oidc",
+                    {
+                      "group": "General OIDC",
+                      "pages": [
+                        "documentation/platform/sso/general-oidc/overview",
+                        "documentation/platform/sso/general-oidc/group-membership-mapping"
+                      ]
+                    }
                   ]
-                },
-                "documentation/platform/sso/auth0-oidc",
-                "documentation/platform/sso/general-oidc"
+                }
               ]
             },
             {
@@ -300,14 +311,14 @@
         {
           "group": "Machine Identities",
           "pages": [
+            "documentation/platform/identities/aws-auth",
+            "documentation/platform/identities/azure-auth",
+            "documentation/platform/identities/gcp-auth",
+            "documentation/platform/identities/jwt-auth",
+            "documentation/platform/identities/kubernetes-auth",
+            "documentation/platform/identities/oci-auth",
             "documentation/platform/identities/token-auth",
             "documentation/platform/identities/universal-auth",
-            "documentation/platform/identities/kubernetes-auth",
-            "documentation/platform/identities/gcp-auth",
-            "documentation/platform/identities/azure-auth",
-            "documentation/platform/identities/aws-auth",
-            "documentation/platform/identities/jwt-auth",
-
             {
               "group": "OIDC Auth",
               "pages": [
@@ -350,7 +361,8 @@
           "group": "Linux Package",
           "pages": [
             "self-hosting/deployment-options/native/linux-package/installation",
-            "self-hosting/deployment-options/native/linux-package/commands-configuration"
+            "self-hosting/deployment-options/native/linux-package/commands-configuration",
+            "self-hosting/deployment-options/linux-upgrade"
           ]
         },
         "self-hosting/guides/upgrading-infisical",
@@ -445,6 +457,7 @@
           ]
         },
         "integrations/frameworks/terraform",
+        "integrations/frameworks/pulumi",
         "integrations/platforms/ansible",
         "integrations/platforms/apache-airflow"
       ]
@@ -698,6 +711,16 @@
             "api-reference/endpoints/aws-auth/revoke"
           ]
         },
+        {
+          "group": "OCI Auth",
+          "pages": [
+            "api-reference/endpoints/oci-auth/login",
+            "api-reference/endpoints/oci-auth/attach",
+            "api-reference/endpoints/oci-auth/retrieve",
+            "api-reference/endpoints/oci-auth/update",
+            "api-reference/endpoints/oci-auth/revoke"
+          ]
+        },
         {
           "group": "Azure Auth",
           "pages": [

docs/self-hosting/deployment-options/linux-upgrade.mdx

@@ -0,0 +1,390 @@
+---
+title: "Upgrading"
+description: "How to upgrade Infisical deployment using linux package"
+---
+
+This guide explains how to upgrade Infisical Linux package installations to newer versions. 
+The Infisical Linux package includes only the Infisical service component itself, as PostgreSQL and Redis databases are managed separately. 
+Upgrades for PostgreSQL and Redis are not covered in this guide as they depend on your specific database deployment method.
+
+## Upgrade Options
+
+There are two primary methods to upgrade Infisical:
+
+1. **Standard Upgrade (with brief downtime)**: The simplest approach that briefly takes Infisical offline during the upgrade.
+2. **Minimal-Downtime Upgrade**: For multi-node deployments where high availability is required.
+
+## Before You Begin
+
+### Checking Your Current Version
+
+Before upgrading, note your current Infisical version:
+
+```bash
+cat /opt/infisical-core/version-manifest.txt
+```
+
+Look for `infisical` component. This will be the version of Infisical currently installed.
+
+### Prerequisites
+
+- Verify that your PostgreSQL and Redis instances are up and running
+- Back up your PostgreSQL database before proceeding with any upgrade
+- Review release notes for the version you're upgrading to
+
+### Creating a Database Backup
+
+We strongly recommend backing up your database before upgrading. 
+Your backup approach may look different depending on how you configured PostgreSQL and whether it's self-managed or using a managed service. 
+Here is a sample of how you would perform a manual backup:
+
+```bash
+# Example PostgreSQL backup command (adjust parameters as needed)
+pg_dump -U <username> -h <db-host> -d <db-name> > infisical_backup.sql
+```
+
+### Database Migrations During Upgrade
+
+By default, Infisical runs database migrations automatically on startup.  
+
+- It uses database locks to ensure only one instance runs migrations at a time
+- Other instances will wait for the lock to be released before continuing startup
+- This prevents race conditions and database conflicts
+
+## Standard Upgrade (with Downtime)
+
+This method is suitable for single-node deployments or situations where a brief downtime is acceptable.
+
+<Steps>
+  <Step title="Stop the Infisical service">
+   ```bash
+   infisical-ctl stop
+   ```
+  </Step>
+  <Step title="Upgrade the Infisical package">
+To upgrade to the latest version:
+
+<Tabs>
+  <Tab title="Debian/Ubuntu">
+   ```bash
+   sudo apt-get update && sudo apt-get install -y infisical-core
+   ```
+  </Tab>
+  <Tab title="RHEL/CentOS/Amazon Linux">
+   ```bash
+   sudo yum update infisical-core
+   ```
+  </Tab>
+</Tabs>
+
+To upgrade to a specific version:
+   
+<Tabs>
+  <Tab title="Debian/Ubuntu">
+   ```bash
+   sudo apt-get install -y infisical-core=<version>
+   ```
+  </Tab>
+  <Tab title="RHEL/CentOS/Amazon Linux">
+   ```bash
+   sudo yum install infisical-core-<version>
+   ```
+  </Tab>
+</Tabs>
+
+  </Step>
+  <Step title="Apply configuration changes">
+   ```bash
+   infisical-ctl reconfigure
+   ```
+  </Step>
+
+  <Step title="Start Infisical">
+   ```bash
+   infisical-ctl start
+   ```
+  </Step>
+
+  <Step title="Verify the upgrade">
+   ```bash
+   infisical-ctl status
+   ```
+
+   Check the logs for any issues:
+   ```bash
+   infisical-ctl tail
+   ```
+  </Step>
+</Steps>
+
+## Minimal-Downtime Upgrade
+
+For multi-node setups where you need to maintain availability during upgrades, follow this procedure. This approach requires at least two Infisical nodes behind a load balancer.
+
+### Understanding Traffic Draining
+
+"Draining" a server means gracefully removing it from the pool of active servers without disrupting existing connections. When you drain a server:
+
+1. The load balancer stops sending new requests to the server
+2. Existing connections are allowed to complete naturally
+3. Once all connections finish, the server can be safely taken offline for maintenance
+
+This approach ensures users/machines do not experience sudden connection errors during the upgrade process.
+
+### Preparing for the Upgrade
+
+1. **Designate a deploy node**: Choose any single node that will run migrations. This node will be upgraded first.
+
+2. **Configure your load balancer**: Ensure your load balancer can perform health checks against Infisical's `api/status` endpoint.
+
+### Upgrade Process
+
+#### On the deploy node:
+
+<Steps>
+<Step title="Drain traffic from the node">
+   
+Drain the traffic on this node gracefully. You can do this in a number of ways depending on the load balancer you have configured. 
+Approaches for some common load balancers are provided below:
+
+<Tabs>
+   <Tab title="NGINX">
+      If using NGINX as a load balancer, you can remove the server from the upstream pool temporarily:
+      ```bash
+      # Edit your NGINX configuration to comment out or remove the server
+      sudo nano /path/to/your/nginx-config.conf
+      
+      # Reload NGINX to apply changes
+      sudo nginx -s reload
+      ```
+   </Tab>
+   <Tab title="HAProxy">
+      If using HAProxy, you can put the server in maintenance mode:
+      ```bash
+      # Using the HAProxy socket command
+      echo "disable server infisical_backend/infisical-node1" | socat stdio /var/lib/haproxy/stats
+      ```
+   </Tab>
+   <Tab title="AWS ALB/ELB">
+      Deregister the instance from the load balancer using the AWS console or CLI
+   </Tab>
+   <Tab title="Other load balancers">
+      Follow your load balancer's documentation for instructions on draining procedure
+   </Tab>
+</Tabs>
+</Step>
+
+<Step title="Verify no new traffic is arriving">
+Verify no new traffic is arriving before proceeding with the upgrade.
+</Step>
+
+<Step title="Stop Infisical on this node">
+```bash
+infisical-ctl stop
+```
+</Step>
+
+<Step title="Upgrade the Infisical package">
+   
+To upgrade to the latest version:
+
+<Tabs>
+  <Tab title="Debian/Ubuntu">
+   ```bash
+   sudo apt-get update && sudo apt-get install -y infisical-core
+   ```
+  </Tab>
+  <Tab title="RHEL/CentOS/Amazon Linux">
+   ```bash
+   sudo yum update infisical-core
+   ```
+  </Tab>
+</Tabs>
+
+To upgrade to a specific version:
+   
+<Tabs>
+  <Tab title="Debian/Ubuntu">
+   ```bash
+   sudo apt-get install -y infisical-core=<version>
+   ```
+  </Tab>
+  <Tab title="RHEL/CentOS/Amazon Linux">
+   ```bash
+   sudo yum install infisical-core-<version>
+   ```
+  </Tab>
+</Tabs>
+</Step>
+
+<Step title="Apply configuration and start the service">
+```bash
+infisical-ctl reconfigure
+```
+</Step>
+
+<Step title="Verify the upgrade and migration success">
+```bash
+infisical-ctl tail
+```
+Look for successful migration messages in the logs.
+</Step>
+
+<Step title="Return this node to load balancer pool">
+Re-enable the server in your load balancer using the same method you used to remove it.
+</Step>
+</Steps>
+
+#### On all remaining nodes (one at a time):
+
+<Steps>
+<Step title="Drain traffic from the node">
+Follow the same draining procedure as described for the deploy node:
+   
+- Remove the server from your load balancer's active pool
+- Wait for existing connections to complete
+- Verify the node is no longer receiving traffic
+</Step>
+
+<Step title="Stop Infisical on this node">
+```bash
+infisical-ctl stop
+```
+</Step>
+
+<Step title="Upgrade the Infisical package">
+To upgrade to the latest version:
+
+<Tabs>
+  <Tab title="Debian/Ubuntu">
+   ```bash
+   sudo apt-get update && sudo apt-get install -y infisical-core
+   ```
+  </Tab>
+  <Tab title="RHEL/CentOS/Amazon Linux">
+   ```bash
+   sudo yum update infisical-core
+   ```
+  </Tab>
+</Tabs>
+
+To upgrade to a specific version:
+   
+<Tabs>
+  <Tab title="Debian/Ubuntu">
+   ```bash
+   sudo apt-get install -y infisical-core=<version>
+   ```
+  </Tab>
+  <Tab title="RHEL/CentOS/Amazon Linux">
+   ```bash
+   sudo yum install infisical-core-<version>
+   ```
+  </Tab>
+</Tabs>
+</Step>
+
+<Step title="Apply configuration and start the service">
+```bash
+infisical-ctl reconfigure
+```
+</Step>
+
+<Step title="Verify the upgrade success">
+```bash
+infisical-ctl status
+infisical-ctl tail
+```
+</Step>
+
+<Step title="Wait for service to be fully operational">
+- Check logs to ensure the service has started successfully
+- Verify it can connect to the database and Redis
+</Step>
+
+<Step title="Return the node to service">
+Re-enable the server in your load balancer using the same method you used to remove it.
+</Step>
+
+<Step title="Verify traffic is flowing correctly">
+Check logs and monitoring to ensure traffic is flowing correctly.
+</Step>
+
+<Step title="Repeat for each remaining node">
+Repeat steps 1-7 for each remaining node, one at a time.
+</Step>
+
+<Step title="Verify application functionality">
+After all nodes are upgraded, verify that the application is functioning correctly:
+- Test core functionality
+- Check logs for any errors
+</Step>
+</Steps>
+
+## Rolling Back
+
+If you need to roll back to a previous version of Infisical, follow steps below.
+
+<Steps>
+<Step title="Stop the Infisical service">
+```bash
+infisical-ctl stop
+```
+</Step>
+
+<Step title="Install the previous version">
+For Debian/Ubuntu:
+```bash
+sudo apt-get install -y infisical-core=<previous-version>
+```
+
+For RHEL/CentOS/Amazon Linux:
+```bash
+sudo yum downgrade infisical-core-<previous-version>
+```
+</Step>
+
+<Step title="Restore your database from backup">
+Restore your Postgres/Redis database from backup.
+</Step>
+
+<Step title="Start the service">
+```bash
+infisical-ctl reconfigure
+```
+</Step>
+
+<Step title="Verify the rollback">
+```bash
+infisical-ctl status
+```
+</Step>
+</Steps>
+
+## Troubleshooting
+
+<AccordionGroup>
+<Accordion title="Migration Issues">
+If you encounter database migration issues:
+
+1. Check the logs:
+   ```bash
+   infisical-ctl tail
+   ```
+
+2. Ensure the database user has sufficient privileges to create/modify tables.
+
+3. If migrations fail repeatedly, consider restoring from the backup you took prior to upgrading. 
+
+</Accordion>
+
+<Accordion title="Service Won't Start After Upgrade">
+1. Check for configuration errors:
+   ```bash
+   infisical-ctl tail
+   infisical-ctl status
+   ```
+
+2. Verify all required environment variables are set in your `/etc/infisical/infisical.rb` file.
+</Accordion>
+</AccordionGroup>

docs/self-hosting/guides/custom-certificates.mdx

@@ -4,19 +4,19 @@ description: "Learn how to configure Infisical with custom certificates"
 ---
 
 By default, the Infisical Docker image includes certificates from well-known public certificate authorities.
-However, some integrations with Infisical may need to communicate with your internal services that use private certificate authorities. 
+However, some integrations with Infisical may need to communicate with your internal services that use private certificate authorities.
 To configure trust for custom certificates, follow these steps. This is particularly useful for connecting Infisical with self-hosted services like GitLab.
 
 ## Prerequisites
 
 - Docker
 - Standalone [Infisical image](https://hub.docker.com/r/infisical/infisical)
-- Certificate public key `.pem` files
+- Certificate public key `.crt` files
 
 ## Setup
 
-1. Place all your public key `.pem` files into a single directory.
-2. Mount the directory containing the `.pem` files to the `usr/local/share/ca-certificates/` path in the Infisical container.
+1. Place all your public key `.crt` files into a single directory.
+2. Mount the directory containing the `.crt` files to the `/usr/local/share/ca-certificates/` path in the Infisical container.
 3. Set the following environment variable on your Infisical container:
    ```
    NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt

frontend/src/components/secret-syncs/SecretSyncImportSecretsModal.tsx

@@ -44,7 +44,9 @@ const Content = ({ secretSync, onComplete }: ContentProps) => {
     handleSubmit,
     control,
     formState: { isSubmitting, isDirty }
-  } = useForm<TFormData>({ resolver: zodResolver(FormSchema) });
+  } = useForm<TFormData>({
+    resolver: zodResolver(FormSchema)
+  });
 
   const triggerImportSecrets = useTriggerSecretSyncImportSecrets();
 

frontend/src/components/secret-syncs/forms/SecretSyncOptionsFields/SecretSyncOptionsFields.tsx

@@ -1,9 +1,13 @@
 import { ReactNode } from "react";
 import { Controller, useFormContext } from "react-hook-form";
-import { faQuestionCircle, faTriangleExclamation } from "@fortawesome/free-solid-svg-icons";
+import {
+  faCircleInfo,
+  faQuestionCircle,
+  faTriangleExclamation
+} from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 
-import { FormControl, Select, SelectItem, Switch, Tooltip } from "@app/components/v2";
+import { FormControl, Input, Select, SelectItem, Switch, Tooltip } from "@app/components/v2";
 import { SECRET_SYNC_INITIAL_SYNC_BEHAVIOR_MAP, SECRET_SYNC_MAP } from "@app/helpers/secretSyncs";
 import { SecretSync, useSecretSyncOption } from "@app/hooks/api/secretSyncs";
 
@@ -122,6 +126,45 @@ export const SecretSyncOptionsFields = ({ hideInitialSync }: Props) => {
           )}
         </>
       )}
+      <Controller
+        render={({ field: { value, onChange }, fieldState: { error } }) => (
+          <FormControl
+            tooltipClassName="max-w-md"
+            tooltipText="When a secret is synced, its key will be injected into the key schema before it reaches the destination. This is useful for organization."
+            isError={Boolean(error)}
+            isOptional
+            errorText={error?.message}
+            label="Key Schema"
+            helperText={
+              <Tooltip
+                className="max-w-md"
+                content={
+                  <span>
+                    We highly recommend using a{" "}
+                    <a
+                      href="https://infisical.com/docs/integrations/secret-syncs/overview#key-schemas"
+                      target="_blank"
+                    >
+                      Key Schema
+                    </a>{" "}
+                    to ensure that Infisical only manages the specific keys you intend, keeping
+                    everything else untouched.
+                  </span>
+                }
+              >
+                <div>
+                  <span>Infisical strongly advises setting a Key Schema</span>{" "}
+                  <FontAwesomeIcon icon={faCircleInfo} className="text-mineshaft-400" />
+                </div>
+              </Tooltip>
+            }
+          >
+            <Input value={value} onChange={onChange} placeholder="INFISICAL_{{secretKey}}" />
+          </FormControl>
+        )}
+        control={control}
+        name="syncOptions.keySchema"
+      />
       {AdditionalSyncOptionsFieldsComponent}
       <Controller
         control={control}
@@ -161,34 +204,6 @@ export const SecretSyncOptionsFields = ({ hideInitialSync }: Props) => {
           );
         }}
       />
-      {/* <Controller
-        render={({ field: { value, onChange }, fieldState: { error } }) => (
-          <FormControl
-            isError={Boolean(error)}
-            isOptional
-            errorText={error?.message}
-            label="Prepend Prefix"
-          >
-            <Input className="uppercase" value={value} onChange={onChange} placeholder="INF_" />
-          </FormControl>
-        )}
-        control={control}
-        name="syncOptions.prependPrefix"
-      />
-      <Controller
-        render={({ field: { value, onChange }, fieldState: { error } }) => (
-          <FormControl
-            isError={Boolean(error)}
-            isOptional
-            errorText={error?.message}
-            label="Append Suffix"
-          >
-            <Input className="uppercase" value={value} onChange={onChange} placeholder="_INF" />
-          </FormControl>
-        )}
-        control={control}
-        name="syncOptions.appendSuffix"
-      /> */}
     </>
   );
 };

frontend/src/components/secret-syncs/forms/SecretSyncReviewFields/SecretSyncReviewFields.tsx

@@ -41,11 +41,7 @@ export const SecretSyncReviewFields = () => {
     connection,
     environment,
     secretPath,
-    syncOptions: {
-      // appendSuffix, prependPrefix,
-      disableSecretDeletion,
-      initialSyncBehavior
-    },
+    syncOptions: { disableSecretDeletion, initialSyncBehavior, keySchema },
     destination,
     isAutoSyncEnabled
   } = watch();
@@ -137,8 +133,7 @@ export const SecretSyncReviewFields = () => {
           <GenericFieldLabel label="Initial Sync Behavior">
             {SECRET_SYNC_INITIAL_SYNC_BEHAVIOR_MAP[initialSyncBehavior](destinationName).name}
           </GenericFieldLabel>
-          {/* <SecretSyncLabel label="Prepend Prefix">{prependPrefix}</SecretSyncLabel>
-          <SecretSyncLabel label="Append Suffix">{appendSuffix}</SecretSyncLabel> */}
+          <GenericFieldLabel label="Key Schema">{keySchema}</GenericFieldLabel>
           {AdditionalSyncOptionsFieldsComponent}
           {disableSecretDeletion && (
             <GenericFieldLabel label="Secret Deletion">

frontend/src/components/secret-syncs/forms/schemas/base-secret-sync-schema.ts

@@ -8,18 +8,17 @@ export const BaseSecretSyncSchema = <T extends AnyZodObject | undefined = undefi
 ) => {
   const baseSyncOptionsSchema = z.object({
     initialSyncBehavior: z.nativeEnum(SecretSyncInitialSyncBehavior),
-    disableSecretDeletion: z.boolean().optional().default(false)
-    // scott: removed temporarily for evaluation of template formatting
-    // prependPrefix: z
-    //   .string()
-    //   .trim()
-    //   .transform((str) => str.toUpperCase())
-    //   .optional(),
-    // appendSuffix: z
-    //   .string()
-    //   .trim()
-    //   .transform((str) => str.toUpperCase())
-    //   .optional()
+    disableSecretDeletion: z.boolean().optional().default(false),
+    keySchema: z
+      .string()
+      .optional()
+      .refine(
+        (val) => !val || /^(?:[a-zA-Z0-9\-/]*)(?:\{\{secretKey\}\})(?:[a-zA-Z0-9\-/]*)$/.test(val),
+        {
+          message:
+            "Key schema must include one {{secretKey}} and only contain letters, numbers, dashes, slashes, and the {{secretKey}} placeholder."
+        }
+      )
   });
 
   const syncOptionsSchema = additionalSyncOptions

frontend/src/hooks/api/identities/constants.tsx

@@ -7,6 +7,7 @@ export const identityAuthToNameMap: { [I in IdentityAuthMethod]: string } = {
   [IdentityAuthMethod.GCP_AUTH]: "GCP Auth",
   [IdentityAuthMethod.AWS_AUTH]: "AWS Auth",
   [IdentityAuthMethod.AZURE_AUTH]: "Azure Auth",
+  [IdentityAuthMethod.OCI_AUTH]: "OCI Auth",
   [IdentityAuthMethod.OIDC_AUTH]: "OIDC Auth",
   [IdentityAuthMethod.LDAP_AUTH]: "LDAP Auth",
   [IdentityAuthMethod.JWT_AUTH]: "JWT Auth"

frontend/src/hooks/api/identities/enums.tsx

@@ -5,6 +5,7 @@ export enum IdentityAuthMethod {
   GCP_AUTH = "gcp-auth",
   AWS_AUTH = "aws-auth",
   AZURE_AUTH = "azure-auth",
+  OCI_AUTH = "oci-auth",
   OIDC_AUTH = "oidc-auth",
   LDAP_AUTH = "ldap-auth",
   JWT_AUTH = "jwt-auth"

frontend/src/hooks/api/identities/mutations.tsx

@@ -11,6 +11,7 @@ import {
   AddIdentityJwtAuthDTO,
   AddIdentityKubernetesAuthDTO,
   AddIdentityLdapAuthDTO,
+  AddIdentityOciAuthDTO,
   AddIdentityOidcAuthDTO,
   AddIdentityTokenAuthDTO,
   AddIdentityUniversalAuthDTO,
@@ -27,6 +28,7 @@ import {
   DeleteIdentityJwtAuthDTO,
   DeleteIdentityKubernetesAuthDTO,
   DeleteIdentityLdapAuthDTO,
+  DeleteIdentityOciAuthDTO,
   DeleteIdentityOidcAuthDTO,
   DeleteIdentityTokenAuthDTO,
   DeleteIdentityUniversalAuthClientSecretDTO,
@@ -39,6 +41,7 @@ import {
   IdentityJwtAuth,
   IdentityKubernetesAuth,
   IdentityLdapAuth,
+  IdentityOciAuth,
   IdentityOidcAuth,
   IdentityTokenAuth,
   IdentityUniversalAuth,
@@ -51,6 +54,7 @@ import {
   UpdateIdentityJwtAuthDTO,
   UpdateIdentityKubernetesAuthDTO,
   UpdateIdentityLdapAuthDTO,
+  UpdateIdentityOciAuthDTO,
   UpdateIdentityOidcAuthDTO,
   UpdateIdentityTokenAuthDTO,
   UpdateIdentityUniversalAuthDTO,
@@ -452,6 +456,101 @@ export const useDeleteIdentityAwsAuth = () => {
   });
 };
 
+export const useAddIdentityOciAuth = () => {
+  const queryClient = useQueryClient();
+  return useMutation<IdentityOciAuth, object, AddIdentityOciAuthDTO>({
+    mutationFn: async ({
+      identityId,
+      tenancyOcid,
+      allowedUsernames,
+      accessTokenTTL,
+      accessTokenMaxTTL,
+      accessTokenNumUsesLimit,
+      accessTokenTrustedIps
+    }) => {
+      const {
+        data: { identityOciAuth }
+      } = await apiRequest.post<{ identityOciAuth: IdentityOciAuth }>(
+        `/api/v1/auth/oci-auth/identities/${identityId}`,
+        {
+          tenancyOcid,
+          allowedUsernames,
+          accessTokenTTL,
+          accessTokenMaxTTL,
+          accessTokenNumUsesLimit,
+          accessTokenTrustedIps
+        }
+      );
+
+      return identityOciAuth;
+    },
+    onSuccess: (_, { identityId, organizationId }) => {
+      queryClient.invalidateQueries({
+        queryKey: organizationKeys.getOrgIdentityMemberships(organizationId)
+      });
+      queryClient.invalidateQueries({ queryKey: identitiesKeys.getIdentityById(identityId) });
+      queryClient.invalidateQueries({ queryKey: identitiesKeys.getIdentityOciAuth(identityId) });
+    }
+  });
+};
+
+export const useUpdateIdentityOciAuth = () => {
+  const queryClient = useQueryClient();
+  return useMutation<IdentityOciAuth, object, UpdateIdentityOciAuthDTO>({
+    mutationFn: async ({
+      identityId,
+      tenancyOcid,
+      allowedUsernames,
+      accessTokenTTL,
+      accessTokenMaxTTL,
+      accessTokenNumUsesLimit,
+      accessTokenTrustedIps
+    }) => {
+      const {
+        data: { identityOciAuth }
+      } = await apiRequest.patch<{ identityOciAuth: IdentityOciAuth }>(
+        `/api/v1/auth/oci-auth/identities/${identityId}`,
+        {
+          tenancyOcid,
+          allowedUsernames,
+          accessTokenTTL,
+          accessTokenMaxTTL,
+          accessTokenNumUsesLimit,
+          accessTokenTrustedIps
+        }
+      );
+
+      return identityOciAuth;
+    },
+    onSuccess: (_, { identityId, organizationId }) => {
+      queryClient.invalidateQueries({
+        queryKey: organizationKeys.getOrgIdentityMemberships(organizationId)
+      });
+      queryClient.invalidateQueries({ queryKey: identitiesKeys.getIdentityById(identityId) });
+      queryClient.invalidateQueries({ queryKey: identitiesKeys.getIdentityOciAuth(identityId) });
+    }
+  });
+};
+
+export const useDeleteIdentityOciAuth = () => {
+  const queryClient = useQueryClient();
+  return useMutation<IdentityOciAuth, object, DeleteIdentityOciAuthDTO>({
+    mutationFn: async ({ identityId }) => {
+      const {
+        data: { identityOciAuth }
+      } = await apiRequest.delete(`/api/v1/auth/oci-auth/identities/${identityId}`);
+      return identityOciAuth;
+    },
+    onSuccess: (_, { organizationId, identityId }) => {
+      queryClient.invalidateQueries({
+        queryKey: organizationKeys.getOrgIdentityMemberships(organizationId)
+      });
+      queryClient.invalidateQueries({ queryKey: identitiesKeys.getIdentityById(identityId) });
+      queryClient.invalidateQueries({ queryKey: identitiesKeys.getIdentityOciAuth(identityId) });
+    }
+  });
+};
+
 export const useUpdateIdentityOidcAuth = () => {
   const queryClient = useQueryClient();
   return useMutation<IdentityOidcAuth, object, UpdateIdentityOidcAuthDTO>({

frontend/src/hooks/api/identities/queries.tsx

@@ -14,6 +14,7 @@ import {
   IdentityLdapAuth,
   IdentityMembership,
   IdentityMembershipOrg,
+  IdentityOciAuth,
   IdentityOidcAuth,
   IdentityTokenAuth,
   IdentityUniversalAuth,
@@ -32,6 +33,7 @@ export const identitiesKeys = {
   getIdentityGcpAuth: (identityId: string) => [{ identityId }, "identity-gcp-auth"] as const,
   getIdentityOidcAuth: (identityId: string) => [{ identityId }, "identity-oidc-auth"] as const,
   getIdentityAwsAuth: (identityId: string) => [{ identityId }, "identity-aws-auth"] as const,
+  getIdentityOciAuth: (identityId: string) => [{ identityId }, "identity-oci-auth"] as const,
   getIdentityAzureAuth: (identityId: string) => [{ identityId }, "identity-azure-auth"] as const,
   getIdentityTokenAuth: (identityId: string) => [{ identityId }, "identity-token-auth"] as const,
   getIdentityJwtAuth: (identityId: string) => [{ identityId }, "identity-jwt-auth"] as const,
@@ -170,6 +172,27 @@ export const useGetIdentityAwsAuth = (
   });
 };
 
+export const useGetIdentityOciAuth = (
+  identityId: string,
+  options?: TReactQueryOptions["options"]
+) => {
+  return useQuery({
+    queryKey: identitiesKeys.getIdentityOciAuth(identityId),
+    queryFn: async () => {
+      const {
+        data: { identityOciAuth }
+      } = await apiRequest.get<{ identityOciAuth: IdentityOciAuth }>(
+        `/api/v1/auth/oci-auth/identities/${identityId}`
+      );
+      return identityOciAuth;
+    },
+    staleTime: 0,
+    gcTime: 0,
+    ...options,
+    enabled: Boolean(identityId) && (options?.enabled ?? true)
+  });
+};
+
 export const useGetIdentityAzureAuth = (
   identityId: string,
   options?: TReactQueryOptions["options"]