Update ruby.mdx

chore(docs): typo in url

backend/package.json

@@ -106,6 +106,7 @@
   },
   "dependencies": {
     "@aws-sdk/client-iam": "^3.525.0",
+    "@aws-sdk/client-kms": "^3.609.0",
     "@aws-sdk/client-secrets-manager": "^3.504.0",
     "@aws-sdk/client-sts": "^3.600.0",
     "@casl/ability": "^6.5.0",
@@ -125,8 +126,8 @@
     "@peculiar/asn1-schema": "^2.3.8",
     "@peculiar/x509": "^1.10.0",
     "@serdnam/pino-cloudwatch-transport": "^1.0.4",
-    "@team-plain/typescript-sdk": "^4.6.1",
     "@sindresorhus/slugify": "1.1.0",
+    "@team-plain/typescript-sdk": "^4.6.1",
     "@ucast/mongo2js": "^1.3.4",
     "ajv": "^8.12.0",
     "argon2": "^0.31.2",
@@ -148,6 +149,7 @@
     "jmespath": "^0.16.0",
     "jsonwebtoken": "^9.0.2",
     "jsrp": "^0.2.4",
+    "jwks-rsa": "^3.1.0",
     "knex": "^3.0.1",
     "ldapjs": "^3.0.7",
     "libsodium-wrappers": "^0.7.13",

backend/src/@types/fastify.d.ts

@@ -9,6 +9,7 @@ import { TAuditLogStreamServiceFactory } from "@app/ee/services/audit-log-stream
 import { TCertificateAuthorityCrlServiceFactory } from "@app/ee/services/certificate-authority-crl/certificate-authority-crl-service";
 import { TDynamicSecretServiceFactory } from "@app/ee/services/dynamic-secret/dynamic-secret-service";
 import { TDynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
+import { TExternalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
 import { TGroupServiceFactory } from "@app/ee/services/group/group-service";
 import { TIdentityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { TLdapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
@@ -41,6 +42,7 @@ import { TIdentityAwsAuthServiceFactory } from "@app/services/identity-aws-auth/
 import { TIdentityAzureAuthServiceFactory } from "@app/services/identity-azure-auth/identity-azure-auth-service";
 import { TIdentityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
 import { TIdentityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
+import { TIdentityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { TIdentityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
 import { TIdentityTokenAuthServiceFactory } from "@app/services/identity-token-auth/identity-token-auth-service";
 import { TIdentityUaServiceFactory } from "@app/services/identity-ua/identity-ua-service";
@@ -135,6 +137,7 @@ declare module "fastify" {
       identityGcpAuth: TIdentityGcpAuthServiceFactory;
       identityAwsAuth: TIdentityAwsAuthServiceFactory;
       identityAzureAuth: TIdentityAzureAuthServiceFactory;
+      identityOidcAuth: TIdentityOidcAuthServiceFactory;
       accessApprovalPolicy: TAccessApprovalPolicyServiceFactory;
       accessApprovalRequest: TAccessApprovalRequestServiceFactory;
       secretApprovalPolicy: TSecretApprovalPolicyServiceFactory;
@@ -161,6 +164,7 @@ declare module "fastify" {
       secretSharing: TSecretSharingServiceFactory;
       rateLimit: TRateLimitServiceFactory;
       userEngagement: TUserEngagementServiceFactory;
+      externalKms: TExternalKmsServiceFactory;
     };
     // this is exclusive use for middlewares in which we need to inject data
     // everywhere else access using service layer

backend/src/@types/knex.d.ts

@@ -59,6 +59,9 @@ import {
   TDynamicSecrets,
   TDynamicSecretsInsert,
   TDynamicSecretsUpdate,
+  TExternalKms,
+  TExternalKmsInsert,
+  TExternalKmsUpdate,
   TGitAppInstallSessions,
   TGitAppInstallSessionsInsert,
   TGitAppInstallSessionsUpdate,
@@ -92,6 +95,9 @@ import {
   TIdentityKubernetesAuths,
   TIdentityKubernetesAuthsInsert,
   TIdentityKubernetesAuthsUpdate,
+  TIdentityOidcAuths,
+  TIdentityOidcAuthsInsert,
+  TIdentityOidcAuthsUpdate,
   TIdentityOrgMemberships,
   TIdentityOrgMembershipsInsert,
   TIdentityOrgMembershipsUpdate,
@@ -122,6 +128,9 @@ import {
   TIntegrations,
   TIntegrationsInsert,
   TIntegrationsUpdate,
+  TInternalKms,
+  TInternalKmsInsert,
+  TInternalKmsUpdate,
   TKmsKeys,
   TKmsKeysInsert,
   TKmsKeysUpdate,
@@ -483,6 +492,11 @@ declare module "knex/types/tables" {
       TIdentityAzureAuthsInsert,
       TIdentityAzureAuthsUpdate
     >;
+    [TableName.IdentityOidcAuth]: KnexOriginal.CompositeTableType<
+      TIdentityOidcAuths,
+      TIdentityOidcAuthsInsert,
+      TIdentityOidcAuthsUpdate
+    >;
     [TableName.IdentityUaClientSecret]: KnexOriginal.CompositeTableType<
       TIdentityUaClientSecrets,
       TIdentityUaClientSecretsInsert,
@@ -648,6 +662,8 @@ declare module "knex/types/tables" {
       TKmsRootConfigInsert,
       TKmsRootConfigUpdate
     >;
+    [TableName.InternalKms]: KnexOriginal.CompositeTableType<TInternalKms, TInternalKmsInsert, TInternalKmsUpdate>;
+    [TableName.ExternalKms]: KnexOriginal.CompositeTableType<TExternalKms, TExternalKmsInsert, TExternalKmsUpdate>;
     [TableName.KmsKey]: KnexOriginal.CompositeTableType<TKmsKeys, TKmsKeysInsert, TKmsKeysUpdate>;
     [TableName.KmsKeyVersion]: KnexOriginal.CompositeTableType<
       TKmsKeyVersions,

backend/src/db/migrations/20240708100026_external-kms.ts

@@ -0,0 +1,256 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+
+import { TableName } from "../schemas";
+
+const createInternalKmsTableAndBackfillData = async (knex: Knex) => {
+  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
+  const doesInternalKmsTableExist = await knex.schema.hasTable(TableName.InternalKms);
+
+  // building the internal kms table by filling from old kms table
+  if (doesOldKmsKeyTableExist && !doesInternalKmsTableExist) {
+    await knex.schema.createTable(TableName.InternalKms, (tb) => {
+      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      tb.binary("encryptedKey").notNullable();
+      tb.string("encryptionAlgorithm").notNullable();
+      tb.integer("version").defaultTo(1).notNullable();
+      tb.uuid("kmsKeyId").unique().notNullable();
+      tb.foreign("kmsKeyId").references("id").inTable(TableName.KmsKey).onDelete("CASCADE");
+    });
+
+    // copy the old kms and backfill
+    const oldKmsKey = await knex(TableName.KmsKey).select("version", "encryptedKey", "encryptionAlgorithm", "id");
+    if (oldKmsKey.length) {
+      await knex(TableName.InternalKms).insert(
+        oldKmsKey.map((el) => ({
+          encryptionAlgorithm: el.encryptionAlgorithm,
+          encryptedKey: el.encryptedKey,
+          kmsKeyId: el.id,
+          version: el.version
+        }))
+      );
+    }
+  }
+};
+
+const renameKmsKeyVersionTableAsInternalKmsKeyVersion = async (knex: Knex) => {
+  const doesOldKmsKeyVersionTableExist = await knex.schema.hasTable(TableName.KmsKeyVersion);
+  const doesNewKmsKeyVersionTableExist = await knex.schema.hasTable(TableName.InternalKmsKeyVersion);
+
+  if (doesOldKmsKeyVersionTableExist && !doesNewKmsKeyVersionTableExist) {
+    // because we haven't started using versioning for kms thus no data exist
+    await knex.schema.renameTable(TableName.KmsKeyVersion, TableName.InternalKmsKeyVersion);
+    const hasKmsKeyIdColumn = await knex.schema.hasColumn(TableName.InternalKmsKeyVersion, "kmsKeyId");
+    const hasInternalKmsIdColumn = await knex.schema.hasColumn(TableName.InternalKmsKeyVersion, "internalKmsId");
+
+    await knex.schema.alterTable(TableName.InternalKmsKeyVersion, (tb) => {
+      if (hasKmsKeyIdColumn) tb.dropColumn("kmsKeyId");
+      if (!hasInternalKmsIdColumn) {
+        tb.uuid("internalKmsId").notNullable();
+        tb.foreign("internalKmsId").references("id").inTable(TableName.InternalKms).onDelete("CASCADE");
+      }
+    });
+  }
+};
+
+const createExternalKmsKeyTable = async (knex: Knex) => {
+  const doesExternalKmsServiceExist = await knex.schema.hasTable(TableName.ExternalKms);
+  if (!doesExternalKmsServiceExist) {
+    await knex.schema.createTable(TableName.ExternalKms, (tb) => {
+      tb.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      tb.string("provider").notNullable();
+      tb.binary("encryptedProviderInputs").notNullable();
+      tb.string("status");
+      tb.string("statusDetails");
+      tb.uuid("kmsKeyId").unique().notNullable();
+      tb.foreign("kmsKeyId").references("id").inTable(TableName.KmsKey).onDelete("CASCADE");
+    });
+  }
+};
+
+const removeNonRequiredFieldsFromKmsKeyTableAndBackfillRequiredData = async (knex: Knex) => {
+  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
+
+  // building the internal kms table by filling from old kms table
+  if (doesOldKmsKeyTableExist) {
+    const hasSlugColumn = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+    const hasEncryptedKeyColumn = await knex.schema.hasColumn(TableName.KmsKey, "encryptedKey");
+    const hasEncryptionAlgorithmColumn = await knex.schema.hasColumn(TableName.KmsKey, "encryptionAlgorithm");
+    const hasVersionColumn = await knex.schema.hasColumn(TableName.KmsKey, "version");
+    const hasTimestamps = await knex.schema.hasColumn(TableName.KmsKey, "createdAt");
+    const hasProjectId = await knex.schema.hasColumn(TableName.KmsKey, "projectId");
+    const hasOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
+
+    await knex.schema.alterTable(TableName.KmsKey, (tb) => {
+      if (!hasSlugColumn) tb.string("slug", 32);
+      if (hasEncryptedKeyColumn) tb.dropColumn("encryptedKey");
+      if (hasEncryptionAlgorithmColumn) tb.dropColumn("encryptionAlgorithm");
+      if (hasVersionColumn) tb.dropColumn("version");
+      if (!hasTimestamps) tb.timestamps(true, true, true);
+    });
+
+    // backfill all org id in kms key because its gonna be changed to non nullable
+    if (hasProjectId && hasOrgId) {
+      await knex(TableName.KmsKey)
+        .whereNull("orgId")
+        .update({
+          // eslint-disable-next-line
+          // @ts-ignore because generate schema happens after this
+          orgId: knex(TableName.Project)
+            .select("orgId")
+            .where("id", knex.raw("??", [`${TableName.KmsKey}.projectId`]))
+        });
+    }
+
+    // backfill slugs in kms
+    const missingSlugs = await knex(TableName.KmsKey).whereNull("slug").select("id");
+    if (missingSlugs.length) {
+      await knex(TableName.KmsKey)
+        // eslint-disable-next-line
+        // @ts-ignore because generate schema happens after this
+        .insert(missingSlugs.map(({ id }) => ({ id, slug: slugify(alphaNumericNanoId(8).toLowerCase()) })))
+        .onConflict("id")
+        .merge();
+    }
+
+    await knex.schema.alterTable(TableName.KmsKey, (tb) => {
+      if (hasOrgId) tb.uuid("orgId").notNullable().alter();
+      tb.string("slug", 32).notNullable().alter();
+      if (hasProjectId) tb.dropColumn("projectId");
+      if (hasOrgId) tb.unique(["orgId", "slug"]);
+    });
+  }
+};
+
+/*
+ * The goal for this migration is split the existing kms key into three table
+ * the kms-key table would be a container table that contains
+ * the internal kms key table and external kms table
+ */
+export async function up(knex: Knex): Promise<void> {
+  await createInternalKmsTableAndBackfillData(knex);
+  await renameKmsKeyVersionTableAsInternalKmsKeyVersion(knex);
+  await removeNonRequiredFieldsFromKmsKeyTableAndBackfillRequiredData(knex);
+  await createExternalKmsKeyTable(knex);
+
+  const doesOrgKmsKeyExist = await knex.schema.hasColumn(TableName.Organization, "kmsDefaultKeyId");
+  if (!doesOrgKmsKeyExist) {
+    await knex.schema.alterTable(TableName.Organization, (tb) => {
+      tb.uuid("kmsDefaultKeyId").nullable();
+      tb.foreign("kmsDefaultKeyId").references("id").inTable(TableName.KmsKey);
+    });
+  }
+
+  const doesProjectKmsSecretManagerKeyExist = await knex.schema.hasColumn(TableName.Project, "kmsSecretManagerKeyId");
+  if (!doesProjectKmsSecretManagerKeyExist) {
+    await knex.schema.alterTable(TableName.Project, (tb) => {
+      tb.uuid("kmsSecretManagerKeyId").nullable();
+      tb.foreign("kmsSecretManagerKeyId").references("id").inTable(TableName.KmsKey);
+    });
+  }
+}
+
+const renameInternalKmsKeyVersionBackToKmsKeyVersion = async (knex: Knex) => {
+  const doesInternalKmsKeyVersionTableExist = await knex.schema.hasTable(TableName.InternalKmsKeyVersion);
+  const doesKmsKeyVersionTableExist = await knex.schema.hasTable(TableName.KmsKeyVersion);
+  if (doesInternalKmsKeyVersionTableExist && !doesKmsKeyVersionTableExist) {
+    // because we haven't started using versioning for kms thus no data exist
+    await knex.schema.renameTable(TableName.InternalKmsKeyVersion, TableName.KmsKeyVersion);
+    const hasInternalKmsIdColumn = await knex.schema.hasColumn(TableName.KmsKeyVersion, "internalKmsId");
+    const hasKmsKeyIdColumn = await knex.schema.hasColumn(TableName.KmsKeyVersion, "kmsKeyId");
+
+    await knex.schema.alterTable(TableName.KmsKeyVersion, (tb) => {
+      if (hasInternalKmsIdColumn) tb.dropColumn("internalKmsId");
+      if (!hasKmsKeyIdColumn) {
+        tb.uuid("kmsKeyId").notNullable();
+        tb.foreign("kmsKeyId").references("id").inTable(TableName.KmsKey).onDelete("CASCADE");
+      }
+    });
+  }
+};
+
+const bringBackKmsKeyFields = async (knex: Knex) => {
+  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
+  const doesInternalKmsTableExist = await knex.schema.hasTable(TableName.InternalKms);
+  if (doesOldKmsKeyTableExist && doesInternalKmsTableExist) {
+    const hasSlug = await knex.schema.hasColumn(TableName.KmsKey, "slug");
+    const hasEncryptedKeyColumn = await knex.schema.hasColumn(TableName.KmsKey, "encryptedKey");
+    const hasEncryptionAlgorithmColumn = await knex.schema.hasColumn(TableName.KmsKey, "encryptionAlgorithm");
+    const hasVersionColumn = await knex.schema.hasColumn(TableName.KmsKey, "version");
+    const hasNullableOrgId = await knex.schema.hasColumn(TableName.KmsKey, "orgId");
+    const hasProjectIdColumn = await knex.schema.hasColumn(TableName.KmsKey, "projectId");
+
+    await knex.schema.alterTable(TableName.KmsKey, (tb) => {
+      if (!hasEncryptedKeyColumn) tb.binary("encryptedKey");
+      if (!hasEncryptionAlgorithmColumn) tb.string("encryptionAlgorithm");
+      if (!hasVersionColumn) tb.integer("version").defaultTo(1);
+      if (hasNullableOrgId) tb.uuid("orgId").nullable().alter();
+      if (!hasProjectIdColumn) {
+        tb.string("projectId");
+        tb.foreign("projectId").references("id").inTable(TableName.Project).onDelete("CASCADE");
+      }
+      if (hasSlug) tb.dropColumn("slug");
+    });
+  }
+};
+
+const backfillKmsKeyFromInternalKmsTable = async (knex: Knex) => {
+  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
+  const doesInternalKmsTableExist = await knex.schema.hasTable(TableName.InternalKms);
+  if (doesInternalKmsTableExist && doesOldKmsKeyTableExist) {
+    // backfill kms key with internal kms data
+    await knex(TableName.KmsKey).update({
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      encryptedKey: knex(TableName.InternalKms)
+        .select("encryptedKey")
+        .where("kmsKeyId", knex.raw("??", [`${TableName.KmsKey}.id`])),
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      encryptionAlgorithm: knex(TableName.InternalKms)
+        .select("encryptionAlgorithm")
+        .where("kmsKeyId", knex.raw("??", [`${TableName.KmsKey}.id`])),
+      // eslint-disable-next-line
+      // @ts-ignore because generate schema happens after this
+      projectId: knex(TableName.Project)
+        .select("id")
+        .where("kmsCertificateKeyId", knex.raw("??", [`${TableName.KmsKey}.id`]))
+    });
+  }
+};
+
+export async function down(knex: Knex): Promise<void> {
+  const doesOrgKmsKeyExist = await knex.schema.hasColumn(TableName.Organization, "kmsDefaultKeyId");
+  if (doesOrgKmsKeyExist) {
+    await knex.schema.alterTable(TableName.Organization, (tb) => {
+      tb.dropColumn("kmsDefaultKeyId");
+    });
+  }
+
+  const doesProjectKmsSecretManagerKeyExist = await knex.schema.hasColumn(TableName.Project, "kmsSecretManagerKeyId");
+  if (doesProjectKmsSecretManagerKeyExist) {
+    await knex.schema.alterTable(TableName.Project, (tb) => {
+      tb.dropColumn("kmsSecretManagerKeyId");
+    });
+  }
+
+  await renameInternalKmsKeyVersionBackToKmsKeyVersion(knex);
+  await bringBackKmsKeyFields(knex);
+  await backfillKmsKeyFromInternalKmsTable(knex);
+
+  const doesOldKmsKeyTableExist = await knex.schema.hasTable(TableName.KmsKey);
+  if (doesOldKmsKeyTableExist) {
+    await knex.schema.alterTable(TableName.KmsKey, (tb) => {
+      tb.binary("encryptedKey").notNullable().alter();
+      tb.string("encryptionAlgorithm").notNullable().alter();
+    });
+  }
+
+  const doesInternalKmsTableExist = await knex.schema.hasTable(TableName.InternalKms);
+  if (doesInternalKmsTableExist) await knex.schema.dropTable(TableName.InternalKms);
+
+  const doesExternalKmsServiceExist = await knex.schema.hasTable(TableName.ExternalKms);
+  if (doesExternalKmsServiceExist) await knex.schema.dropTable(TableName.ExternalKms);
+}

backend/src/db/migrations/20240710045107_identity-oidc-auth.ts

@@ -0,0 +1,34 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.IdentityOidcAuth))) {
+    await knex.schema.createTable(TableName.IdentityOidcAuth, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.bigInteger("accessTokenTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenMaxTTL").defaultTo(7200).notNullable();
+      t.bigInteger("accessTokenNumUsesLimit").defaultTo(0).notNullable();
+      t.jsonb("accessTokenTrustedIps").notNullable();
+      t.uuid("identityId").notNullable().unique();
+      t.foreign("identityId").references("id").inTable(TableName.Identity).onDelete("CASCADE");
+      t.string("oidcDiscoveryUrl").notNullable();
+      t.text("encryptedCaCert").notNullable();
+      t.string("caCertIV").notNullable();
+      t.string("caCertTag").notNullable();
+      t.string("boundIssuer").notNullable();
+      t.string("boundAudiences").notNullable();
+      t.jsonb("boundClaims").notNullable();
+      t.string("boundSubject");
+      t.timestamps(true, true, true);
+    });
+
+    await createOnUpdateTrigger(knex, TableName.IdentityOidcAuth);
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.IdentityOidcAuth);
+  await dropOnUpdateTrigger(knex, TableName.IdentityOidcAuth);
+}

backend/src/db/migrations/20240715113110_org-membership-active-status.ts

@@ -0,0 +1,25 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.OrgMembership)) {
+    const doesUserIdExist = await knex.schema.hasColumn(TableName.OrgMembership, "userId");
+    const doesOrgIdExist = await knex.schema.hasColumn(TableName.OrgMembership, "orgId");
+    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+      t.boolean("isActive").notNullable().defaultTo(true);
+      if (doesUserIdExist && doesOrgIdExist) t.index(["userId", "orgId"]);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.OrgMembership)) {
+    const doesUserIdExist = await knex.schema.hasColumn(TableName.OrgMembership, "userId");
+    const doesOrgIdExist = await knex.schema.hasColumn(TableName.OrgMembership, "orgId");
+    await knex.schema.alterTable(TableName.OrgMembership, (t) => {
+      t.dropColumn("isActive");
+      if (doesUserIdExist && doesOrgIdExist) t.dropIndex(["userId", "orgId"]);
+    });
+  }
+}

backend/src/db/migrations/20240717184929_add-enforcement-level-secrets-policies.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { EnforcementLevel } from "@app/lib/types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "enforcementLevel");
+  if (!hasColumn) {
+    await knex.schema.table(TableName.SecretApprovalPolicy, (table) => {
+      table.string("enforcementLevel", 10).notNullable().defaultTo(EnforcementLevel.Hard);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalPolicy, "enforcementLevel");
+  if (hasColumn) {
+    await knex.schema.table(TableName.SecretApprovalPolicy, (table) => {
+      table.dropColumn("enforcementLevel");
+    });
+  }
+}

backend/src/db/migrations/20240717194958_add-enforcement-level-access-policies.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { EnforcementLevel } from "@app/lib/types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "enforcementLevel");
+  if (!hasColumn) {
+    await knex.schema.table(TableName.AccessApprovalPolicy, (table) => {
+      table.string("enforcementLevel", 10).notNullable().defaultTo(EnforcementLevel.Hard);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.AccessApprovalPolicy, "enforcementLevel");
+  if (hasColumn) {
+    await knex.schema.table(TableName.AccessApprovalPolicy, (table) => {
+      table.dropColumn("enforcementLevel");
+    });
+  }
+}

backend/src/db/migrations/20240718170955_add-access-secret-sharing.ts

@@ -0,0 +1,23 @@
+import { Knex } from "knex";
+
+import { SecretSharingAccessType } from "@app/lib/types";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SecretSharing, "accessType");
+  if (!hasColumn) {
+    await knex.schema.table(TableName.SecretSharing, (table) => {
+      table.string("accessType").notNullable().defaultTo(SecretSharingAccessType.Anyone);
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SecretSharing, "accessType");
+  if (hasColumn) {
+    await knex.schema.table(TableName.SecretSharing, (table) => {
+      table.dropColumn("accessType");
+    });
+  }
+}

backend/src/db/migrations/20240719182539_add-bypass-reason-secret-approval-requets.ts

@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "bypassReason");
+  if (!hasColumn) {
+    await knex.schema.table(TableName.SecretApprovalRequest, (table) => {
+      table.string("bypassReason").nullable();
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const hasColumn = await knex.schema.hasColumn(TableName.SecretApprovalRequest, "bypassReason");
+  if (hasColumn) {
+    await knex.schema.table(TableName.SecretApprovalRequest, (table) => {
+      table.dropColumn("bypassReason");
+    });
+  }
+}

backend/src/db/schemas/access-approval-policies.ts

@@ -5,6 +5,8 @@
 
 import { z } from "zod";
 
+import { EnforcementLevel } from "@app/lib/types";
+
 import { TImmutableDBKeys } from "./models";
 
 export const AccessApprovalPoliciesSchema = z.object({
@@ -14,7 +16,8 @@ export const AccessApprovalPoliciesSchema = z.object({
   secretPath: z.string().nullable().optional(),
   envId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
 });
 
 export type TAccessApprovalPolicies = z.infer<typeof AccessApprovalPoliciesSchema>;

backend/src/db/schemas/external-kms.ts

@@ -0,0 +1,23 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const ExternalKmsSchema = z.object({
+  id: z.string().uuid(),
+  provider: z.string(),
+  encryptedProviderInputs: zodBuffer,
+  status: z.string().nullable().optional(),
+  statusDetails: z.string().nullable().optional(),
+  kmsKeyId: z.string().uuid()
+});
+
+export type TExternalKms = z.infer<typeof ExternalKmsSchema>;
+export type TExternalKmsInsert = Omit<z.input<typeof ExternalKmsSchema>, TImmutableDBKeys>;
+export type TExternalKmsUpdate = Partial<Omit<z.input<typeof ExternalKmsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/identity-oidc-auths.ts

@@ -0,0 +1,31 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const IdentityOidcAuthsSchema = z.object({
+  id: z.string().uuid(),
+  accessTokenTTL: z.coerce.number().default(7200),
+  accessTokenMaxTTL: z.coerce.number().default(7200),
+  accessTokenNumUsesLimit: z.coerce.number().default(0),
+  accessTokenTrustedIps: z.unknown(),
+  identityId: z.string().uuid(),
+  oidcDiscoveryUrl: z.string(),
+  encryptedCaCert: z.string(),
+  caCertIV: z.string(),
+  caCertTag: z.string(),
+  boundIssuer: z.string(),
+  boundAudiences: z.string(),
+  boundClaims: z.unknown(),
+  boundSubject: z.string().nullable().optional(),
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TIdentityOidcAuths = z.infer<typeof IdentityOidcAuthsSchema>;
+export type TIdentityOidcAuthsInsert = Omit<z.input<typeof IdentityOidcAuthsSchema>, TImmutableDBKeys>;
+export type TIdentityOidcAuthsUpdate = Partial<Omit<z.input<typeof IdentityOidcAuthsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/index.ts

@@ -17,6 +17,7 @@ export * from "./certificate-secrets";
 export * from "./certificates";
 export * from "./dynamic-secret-leases";
 export * from "./dynamic-secrets";
+export * from "./external-kms";
 export * from "./git-app-install-sessions";
 export * from "./git-app-org";
 export * from "./group-project-membership-roles";
@@ -28,6 +29,7 @@ export * from "./identity-aws-auths";
 export * from "./identity-azure-auths";
 export * from "./identity-gcp-auths";
 export * from "./identity-kubernetes-auths";
+export * from "./identity-oidc-auths";
 export * from "./identity-org-memberships";
 export * from "./identity-project-additional-privilege";
 export * from "./identity-project-membership-role";
@@ -38,6 +40,7 @@ export * from "./identity-universal-auths";
 export * from "./incident-contacts";
 export * from "./integration-auths";
 export * from "./integrations";
+export * from "./internal-kms";
 export * from "./kms-key-versions";
 export * from "./kms-keys";
 export * from "./kms-root-config";

backend/src/db/schemas/internal-kms-key-version.ts

@@ -0,0 +1,21 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const InternalKmsKeyVersionSchema = z.object({
+  id: z.string().uuid(),
+  encryptedKey: zodBuffer,
+  version: z.number(),
+  internalKmsId: z.string().uuid()
+});
+
+export type TInternalKmsKeyVersion = z.infer<typeof InternalKmsKeyVersionSchema>;
+export type TInternalKmsKeyVersionInsert = Omit<z.input<typeof InternalKmsKeyVersionSchema>, TImmutableDBKeys>;
+export type TInternalKmsKeyVersionUpdate = Partial<Omit<z.input<typeof InternalKmsKeyVersionSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/internal-kms.ts

@@ -0,0 +1,22 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const InternalKmsSchema = z.object({
+  id: z.string().uuid(),
+  encryptedKey: zodBuffer,
+  encryptionAlgorithm: z.string(),
+  version: z.number().default(1),
+  kmsKeyId: z.string().uuid()
+});
+
+export type TInternalKms = z.infer<typeof InternalKmsSchema>;
+export type TInternalKmsInsert = Omit<z.input<typeof InternalKmsSchema>, TImmutableDBKeys>;
+export type TInternalKmsUpdate = Partial<Omit<z.input<typeof InternalKmsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/kms-keys.ts

@@ -5,20 +5,17 @@
 
 import { z } from "zod";
 
-import { zodBuffer } from "@app/lib/zod";
-
 import { TImmutableDBKeys } from "./models";
 
 export const KmsKeysSchema = z.object({
   id: z.string().uuid(),
-  encryptedKey: zodBuffer,
-  encryptionAlgorithm: z.string(),
-  version: z.number().default(1),
   description: z.string().nullable().optional(),
   isDisabled: z.boolean().default(false).nullable().optional(),
   isReserved: z.boolean().default(true).nullable().optional(),
-  projectId: z.string().nullable().optional(),
+  orgId: z.string().uuid(),
-  orgId: z.string().uuid().nullable().optional()
+  createdAt: z.date(),
+  updatedAt: z.date(),
+  slug: z.string()
 });
 
 export type TKmsKeys = z.infer<typeof KmsKeysSchema>;

backend/src/db/schemas/models.ts

@@ -60,6 +60,7 @@ export enum TableName {
   IdentityAzureAuth = "identity_azure_auths",
   IdentityUaClientSecret = "identity_ua_client_secrets",
   IdentityAwsAuth = "identity_aws_auths",
+  IdentityOidcAuth = "identity_oidc_auths",
   IdentityOrgMembership = "identity_org_memberships",
   IdentityProjectMembership = "identity_project_memberships",
   IdentityProjectMembershipRole = "identity_project_membership_role",
@@ -95,6 +96,10 @@ export enum TableName {
   // KMS Service
   KmsServerRootConfig = "kms_root_config",
   KmsKey = "kms_keys",
+  ExternalKms = "external_kms",
+  InternalKms = "internal_kms",
+  InternalKmsKeyVersion = "internal_kms_key_version",
+  // @depreciated
   KmsKeyVersion = "kms_key_versions"
 }
 
@@ -167,5 +172,6 @@ export enum IdentityAuthMethod {
   KUBERNETES_AUTH = "kubernetes-auth",
   GCP_AUTH = "gcp-auth",
   AWS_AUTH = "aws-auth",
-  AZURE_AUTH = "azure-auth"
+  AZURE_AUTH = "azure-auth",
+  OIDC_AUTH = "oidc-auth"
 }

backend/src/db/schemas/org-memberships.ts

@@ -17,7 +17,8 @@ export const OrgMembershipsSchema = z.object({
   userId: z.string().uuid().nullable().optional(),
   orgId: z.string().uuid(),
   roleId: z.string().uuid().nullable().optional(),
-  projectFavorites: z.string().array().nullable().optional()
+  projectFavorites: z.string().array().nullable().optional(),
+  isActive: z.boolean()
 });
 
 export type TOrgMemberships = z.infer<typeof OrgMembershipsSchema>;

backend/src/db/schemas/organizations.ts

@@ -15,7 +15,8 @@ export const OrganizationsSchema = z.object({
   createdAt: z.date(),
   updatedAt: z.date(),
   authEnforced: z.boolean().default(false).nullable().optional(),
-  scimEnabled: z.boolean().default(false).nullable().optional()
+  scimEnabled: z.boolean().default(false).nullable().optional(),
+  kmsDefaultKeyId: z.string().uuid().nullable().optional()
 });
 
 export type TOrganizations = z.infer<typeof OrganizationsSchema>;

backend/src/db/schemas/projects.ts

@@ -19,7 +19,8 @@ export const ProjectsSchema = z.object({
   upgradeStatus: z.string().nullable().optional(),
   pitVersionLimit: z.number().default(10),
   kmsCertificateKeyId: z.string().uuid().nullable().optional(),
-  auditLogsRetentionDays: z.number().nullable().optional()
+  auditLogsRetentionDays: z.number().nullable().optional(),
+  kmsSecretManagerKeyId: z.string().uuid().nullable().optional()
 });
 
 export type TProjects = z.infer<typeof ProjectsSchema>;

backend/src/db/schemas/secret-approval-policies.ts

@@ -14,7 +14,8 @@ export const SecretApprovalPoliciesSchema = z.object({
   approvals: z.number().default(1),
   envId: z.string().uuid(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  enforcementLevel: z.string().default("hard")
 });
 
 export type TSecretApprovalPolicies = z.infer<typeof SecretApprovalPoliciesSchema>;

backend/src/db/schemas/secret-approval-requests.ts

@@ -15,6 +15,7 @@ export const SecretApprovalRequestsSchema = z.object({
   conflicts: z.unknown().nullable().optional(),
   slug: z.string(),
   folderId: z.string().uuid(),
+  bypassReason: z.string().nullable().optional(),
   createdAt: z.date(),
   updatedAt: z.date(),
   isReplicated: z.boolean().nullable().optional(),

backend/src/db/schemas/secret-sharing.ts

@@ -5,6 +5,8 @@
 
 import { z } from "zod";
 
+import { SecretSharingAccessType } from "@app/lib/types";
+
 import { TImmutableDBKeys } from "./models";
 
 export const SecretSharingSchema = z.object({
@@ -16,6 +18,7 @@ export const SecretSharingSchema = z.object({
   expiresAt: z.date(),
   userId: z.string().uuid().nullable().optional(),
   orgId: z.string().uuid().nullable().optional(),
+  accessType: z.nativeEnum(SecretSharingAccessType).default(SecretSharingAccessType.Organization),
   createdAt: z.date(),
   updatedAt: z.date(),
   expiresAfterViews: z.number().nullable().optional()

backend/src/db/seeds/2-org.ts

@@ -29,7 +29,8 @@ export async function seed(knex: Knex): Promise<void> {
       role: OrgMembershipRole.Admin,
       orgId: org.id,
       status: OrgMembershipStatus.Accepted,
-      userId: user.id
+      userId: user.id,
+      isActive: true
     }
   ]);
 }

backend/src/ee/routes/v1/access-approval-policy-router.ts

@@ -1,6 +1,7 @@
 import { nanoid } from "nanoid";
 import { z } from "zod";
 
+import { EnforcementLevel } from "@app/lib/types";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -17,7 +18,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
           secretPath: z.string().trim().default("/"),
           environment: z.string(),
           approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1)
+          approvals: z.number().min(1).default(1),
+          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
         })
         .refine((data) => data.approvals <= data.approvers.length, {
           path: ["approvals"],
@@ -38,7 +40,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
         actorOrgId: req.permission.orgId,
         ...req.body,
         projectSlug: req.body.projectSlug,
-        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`
+        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`,
+        enforcementLevel: req.body.enforcementLevel
       });
       return { approval };
     }
@@ -115,7 +118,8 @@ export const registerAccessApprovalPolicyRouter = async (server: FastifyZodProvi
             .optional()
             .transform((val) => (val === "" ? "/" : val)),
           approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1)
+          approvals: z.number().min(1).default(1),
+          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
         })
         .refine((data) => data.approvals <= data.approvers.length, {
           path: ["approvals"],

backend/src/ee/routes/v1/access-approval-request-router.ts

@@ -99,7 +99,8 @@ export const registerAccessApprovalRequestRouter = async (server: FastifyZodProv
               approvals: z.number(),
               approvers: z.string().array(),
               secretPath: z.string().nullish(),
-              envId: z.string()
+              envId: z.string(),
+              enforcementLevel: z.string()
             }),
             reviewers: z
               .object({

backend/src/ee/routes/v1/external-kms-router.ts

@@ -0,0 +1,190 @@
+import { z } from "zod";
+
+import { ExternalKmsSchema, KmsKeysSchema } from "@app/db/schemas";
+import {
+  ExternalKmsAwsSchema,
+  ExternalKmsInputSchema,
+  ExternalKmsInputUpdateSchema
+} from "@app/ee/services/external-kms/providers/model";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+
+const sanitizedExternalSchema = KmsKeysSchema.extend({
+  external: ExternalKmsSchema.pick({
+    id: true,
+    status: true,
+    statusDetails: true,
+    provider: true
+  })
+});
+
+const sanitizedExternalSchemaForGetById = KmsKeysSchema.extend({
+  external: ExternalKmsSchema.pick({
+    id: true,
+    status: true,
+    statusDetails: true,
+    provider: true
+  }).extend({
+    providerInput: ExternalKmsAwsSchema
+  })
+});
+
+export const registerExternalKmsRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        slug: z.string().min(1).trim().toLowerCase().optional(),
+        description: z.string().min(1).trim().optional(),
+        provider: ExternalKmsInputSchema
+      }),
+      response: {
+        200: z.object({
+          externalKms: sanitizedExternalSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const externalKms = await server.services.externalKms.create({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        slug: req.body.slug,
+        provider: req.body.provider,
+        description: req.body.description
+      });
+      return { externalKms };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/:id",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string().trim().min(1)
+      }),
+      body: z.object({
+        slug: z.string().min(1).trim().toLowerCase().optional(),
+        description: z.string().min(1).trim().optional(),
+        provider: ExternalKmsInputUpdateSchema
+      }),
+      response: {
+        200: z.object({
+          externalKms: sanitizedExternalSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const externalKms = await server.services.externalKms.updateById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        slug: req.body.slug,
+        provider: req.body.provider,
+        description: req.body.description,
+        id: req.params.id
+      });
+      return { externalKms };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/:id",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string().trim().min(1)
+      }),
+      response: {
+        200: z.object({
+          externalKms: sanitizedExternalSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const externalKms = await server.services.externalKms.deleteById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.id
+      });
+      return { externalKms };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/:id",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        id: z.string().trim().min(1)
+      }),
+      response: {
+        200: z.object({
+          externalKms: sanitizedExternalSchemaForGetById
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const externalKms = await server.services.externalKms.findById({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.id
+      });
+      return { externalKms };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/slug/:slug",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        slug: z.string().trim().min(1)
+      }),
+      response: {
+        200: z.object({
+          externalKms: sanitizedExternalSchemaForGetById
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const externalKms = await server.services.externalKms.findBySlug({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        slug: req.params.slug
+      });
+      return { externalKms };
+    }
+  });
+};

backend/src/ee/routes/v1/org-role-router.ts

@@ -52,6 +52,36 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/:organizationId/roles/:roleId",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      params: z.object({
+        organizationId: z.string().trim(),
+        roleId: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          role: OrgRolesSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const role = await server.services.orgRole.getRole(
+        req.permission.id,
+        req.params.organizationId,
+        req.params.roleId,
+        req.permission.authMethod,
+        req.permission.orgId
+      );
+      return { role };
+    }
+  });
+
   server.route({
     method: "PATCH",
     url: "/:organizationId/roles/:roleId",
@@ -69,7 +99,7 @@ export const registerOrgRoleRouter = async (server: FastifyZodProvider) => {
           .trim()
           .optional()
           .refine(
-            (val) => typeof val === "undefined" || Object.keys(OrgMembershipRole).includes(val),
+            (val) => typeof val !== "undefined" && !Object.keys(OrgMembershipRole).includes(val),
             "Please choose a different slug, the slug you have entered is reserved."
           )
           .refine((val) => typeof val === "undefined" || slugify(val) === val, {

backend/src/ee/routes/v1/scim-router.ts

@@ -186,7 +186,13 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
             })
           ),
           displayName: z.string().trim(),
-          active: z.boolean()
+          active: z.boolean(),
+          groups: z.array(
+            z.object({
+              value: z.string().trim(),
+              display: z.string().trim()
+            })
+          )
         })
       }
     },
@@ -344,7 +350,12 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
               schemas: z.array(z.string()),
               id: z.string().trim(),
               displayName: z.string().trim(),
-              members: z.array(z.any()).length(0),
+              members: z.array(
+                z.object({
+                  value: z.string(),
+                  display: z.string()
+                })
+              ),
               meta: z.object({
                 resourceType: z.string().trim()
               })
@@ -417,7 +428,7 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
         displayName: z.string().trim(),
         members: z.array(
           z.object({
-            value: z.string(), // infisical orgMembershipId
+            value: z.string(),
             display: z.string()
           })
         )
@@ -475,10 +486,13 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
             }),
             z.object({
               op: z.literal("add"),
-              value: z.object({
+              path: z.string().trim(),
-                value: z.string().trim(),
+              value: z.array(
-                display: z.string().trim().optional()
+                z.object({
-              })
+                  value: z.string().trim(),
+                  display: z.string().trim().optional()
+                })
+              )
             })
           ])
         )
@@ -569,7 +583,13 @@ export const registerScimRouter = async (server: FastifyZodProvider) => {
             })
           ),
           displayName: z.string().trim(),
-          active: z.boolean()
+          active: z.boolean(),
+          groups: z.array(
+            z.object({
+              value: z.string().trim(),
+              display: z.string().trim()
+            })
+          )
         })
       }
     },

backend/src/ee/routes/v1/secret-approval-policy-router.ts

@@ -2,6 +2,7 @@ import { nanoid } from "nanoid";
 import { z } from "zod";
 
 import { removeTrailingSlash } from "@app/lib/fn";
+import { EnforcementLevel } from "@app/lib/types";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { sapPubSchema } from "@app/server/routes/sanitizedSchemas";
@@ -24,11 +25,13 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
             .string()
             .optional()
             .nullable()
+            .default("/")
             .transform((val) => (val ? removeTrailingSlash(val) : val)),
-          approverUserIds: z.string().array().min(1),
+          approvers: z.string().array().min(1),
-          approvals: z.number().min(1).default(1)
+          approvals: z.number().min(1).default(1),
+          enforcementLevel: z.nativeEnum(EnforcementLevel).default(EnforcementLevel.Hard)
         })
-        .refine((data) => data.approvals <= data.approverUserIds.length, {
+        .refine((data) => data.approvals <= data.approvers.length, {
           path: ["approvals"],
           message: "The number of approvals should be lower than the number of approvers."
         }),
@@ -47,7 +50,8 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
         actorOrgId: req.permission.orgId,
         projectId: req.body.workspaceId,
         ...req.body,
-        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`
+        name: req.body.name ?? `${req.body.environment}-${nanoid(3)}`,
+        enforcementLevel: req.body.enforcementLevel
       });
       return { approval };
     }
@@ -66,15 +70,17 @@ export const registerSecretApprovalPolicyRouter = async (server: FastifyZodProvi
       body: z
         .object({
           name: z.string().optional(),
-          approverUserIds: z.string().array().min(1),
+          approvers: z.string().array().min(1),
           approvals: z.number().min(1).default(1),
           secretPath: z
             .string()
             .optional()
             .nullable()
             .transform((val) => (val ? removeTrailingSlash(val) : val))
+            .transform((val) => (val === "" ? "/" : val)),
+          enforcementLevel: z.nativeEnum(EnforcementLevel).optional()
         })
-        .refine((data) => data.approvals <= data.approverUserIds.length, {
+        .refine((data) => data.approvals <= data.approvers.length, {
           path: ["approvals"],
           message: "The number of approvals should be lower than the number of approvers."
         }),

backend/src/ee/routes/v1/secret-approval-request-router.ts

@@ -49,7 +49,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
               name: z.string(),
               approvals: z.number(),
               approvers: z.string().array(),
-              secretPath: z.string().optional().nullable()
+              secretPath: z.string().optional().nullable(),
+              enforcementLevel: z.string()
             }),
             committerUser: approvalRequestUser,
             commits: z.object({ op: z.string(), secretId: z.string().nullable().optional() }).array(),
@@ -116,6 +117,9 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
       params: z.object({
         id: z.string()
       }),
+      body: z.object({
+        bypassReason: z.string().optional()
+      }),
       response: {
         200: z.object({
           approval: SecretApprovalRequestsSchema
@@ -129,7 +133,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
         actor: req.permission.type,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId,
-        approvalId: req.params.id
+        approvalId: req.params.id,
+        bypassReason: req.body.bypassReason
       });
       return { approval };
     }
@@ -248,7 +253,8 @@ export const registerSecretApprovalRequestRouter = async (server: FastifyZodProv
                 name: z.string(),
                 approvals: z.number(),
                 approvers: approvalRequestUser.array(),
-                secretPath: z.string().optional().nullable()
+                secretPath: z.string().optional().nullable(),
+                enforcementLevel: z.string()
               }),
               environment: z.string(),
               statusChangedByUser: approvalRequestUser.optional(),

backend/src/ee/services/access-approval-policy/access-approval-policy-service.ts

@@ -47,7 +47,8 @@ export const accessApprovalPolicyServiceFactory = ({
     approvals,
     approvers,
     projectSlug,
-    environment
+    environment,
+    enforcementLevel
   }: TCreateAccessApprovalPolicy) => {
     const project = await projectDAL.findProjectBySlug(projectSlug, actorOrgId);
     if (!project) throw new BadRequestError({ message: "Project not found" });
@@ -94,7 +95,8 @@ export const accessApprovalPolicyServiceFactory = ({
           envId: env.id,
           approvals,
           secretPath,
-          name
+          name,
+          enforcementLevel
         },
         tx
       );
@@ -143,7 +145,8 @@ export const accessApprovalPolicyServiceFactory = ({
     actor,
     actorOrgId,
     actorAuthMethod,
-    approvals
+    approvals,
+    enforcementLevel
   }: TUpdateAccessApprovalPolicy) => {
     const accessApprovalPolicy = await accessApprovalPolicyDAL.findById(policyId);
     if (!accessApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
@@ -163,7 +166,8 @@ export const accessApprovalPolicyServiceFactory = ({
         {
           approvals,
           secretPath,
-          name
+          name,
+          enforcementLevel
         },
         tx
       );

backend/src/ee/services/access-approval-policy/access-approval-policy-types.ts

@@ -1,4 +1,4 @@
-import { TProjectPermission } from "@app/lib/types";
+import { EnforcementLevel, TProjectPermission } from "@app/lib/types";
 import { ActorAuthMethod } from "@app/services/auth/auth-type";
 
 import { TPermissionServiceFactory } from "../permission/permission-service";
@@ -20,6 +20,7 @@ export type TCreateAccessApprovalPolicy = {
   approvers: string[];
   projectSlug: string;
   name: string;
+  enforcementLevel: EnforcementLevel;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateAccessApprovalPolicy = {
@@ -28,6 +29,7 @@ export type TUpdateAccessApprovalPolicy = {
   approvers?: string[];
   secretPath?: string;
   name?: string;
+  enforcementLevel?: EnforcementLevel;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteAccessApprovalPolicy = {

backend/src/ee/services/access-approval-request/access-approval-request-dal.ts

@@ -48,6 +48,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
           db.ref("name").withSchema(TableName.AccessApprovalPolicy).as("policyName"),
           db.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
           db.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
+          db.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
           db.ref("envId").withSchema(TableName.AccessApprovalPolicy).as("policyEnvId")
         )
 
@@ -98,6 +99,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
             name: doc.policyName,
             approvals: doc.policyApprovals,
             secretPath: doc.policySecretPath,
+            enforcementLevel: doc.policyEnforcementLevel,
             envId: doc.policyEnvId
           },
           privilege: doc.privilegeId
@@ -165,6 +167,7 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("projectId").withSchema(TableName.Environment),
         tx.ref("slug").withSchema(TableName.Environment).as("environment"),
         tx.ref("secretPath").withSchema(TableName.AccessApprovalPolicy).as("policySecretPath"),
+        tx.ref("enforcementLevel").withSchema(TableName.AccessApprovalPolicy).as("policyEnforcementLevel"),
         tx.ref("approvals").withSchema(TableName.AccessApprovalPolicy).as("policyApprovals"),
         tx.ref("approverId").withSchema(TableName.AccessApprovalPolicyApprover)
       );
@@ -184,7 +187,8 @@ export const accessApprovalRequestDALFactory = (db: TDbClient) => {
             id: el.policyId,
             name: el.policyName,
             approvals: el.policyApprovals,
-            secretPath: el.policySecretPath
+            secretPath: el.policySecretPath,
+            enforcementLevel: el.policyEnforcementLevel
           }
         }),
         childrenMapper: [

backend/src/ee/services/audit-log/audit-log-types.ts

@@ -45,6 +45,7 @@ export enum EventType {
   CREATE_SECRETS = "create-secrets",
   UPDATE_SECRET = "update-secret",
   UPDATE_SECRETS = "update-secrets",
+  MOVE_SECRETS = "move-secrets",
   DELETE_SECRET = "delete-secret",
   DELETE_SECRETS = "delete-secrets",
   GET_WORKSPACE_KEY = "get-workspace-key",
@@ -78,6 +79,11 @@ export enum EventType {
   UPDATE_IDENTITY_KUBENETES_AUTH = "update-identity-kubernetes-auth",
   GET_IDENTITY_KUBERNETES_AUTH = "get-identity-kubernetes-auth",
   REVOKE_IDENTITY_KUBERNETES_AUTH = "revoke-identity-kubernetes-auth",
+  LOGIN_IDENTITY_OIDC_AUTH = "login-identity-oidc-auth",
+  ADD_IDENTITY_OIDC_AUTH = "add-identity-oidc-auth",
+  UPDATE_IDENTITY_OIDC_AUTH = "update-identity-oidc-auth",
+  GET_IDENTITY_OIDC_AUTH = "get-identity-oidc-auth",
+  REVOKE_IDENTITY_OIDC_AUTH = "revoke-identity-oidc-auth",
   CREATE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "create-identity-universal-auth-client-secret",
   REVOKE_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRET = "revoke-identity-universal-auth-client-secret",
   GET_IDENTITY_UNIVERSAL_AUTH_CLIENT_SECRETS = "get-identity-universal-auth-client-secret",
@@ -100,6 +106,7 @@ export enum EventType {
   CREATE_ENVIRONMENT = "create-environment",
   UPDATE_ENVIRONMENT = "update-environment",
   DELETE_ENVIRONMENT = "delete-environment",
+  GET_ENVIRONMENT = "get-environment",
   ADD_WORKSPACE_MEMBER = "add-workspace-member",
   ADD_BATCH_WORKSPACE_MEMBER = "add-workspace-members",
   REMOVE_WORKSPACE_MEMBER = "remove-workspace-member",
@@ -235,6 +242,17 @@ interface UpdateSecretBatchEvent {
   };
 }
 
+interface MoveSecretsEvent {
+  type: EventType.MOVE_SECRETS;
+  metadata: {
+    sourceEnvironment: string;
+    sourceSecretPath: string;
+    destinationEnvironment: string;
+    destinationSecretPath: string;
+    secretIds: string[];
+  };
+}
+
 interface DeleteSecretEvent {
   type: EventType.DELETE_SECRET;
   metadata: {
@@ -749,6 +767,63 @@ interface GetIdentityAzureAuthEvent {
   };
 }
 
+interface LoginIdentityOidcAuthEvent {
+  type: EventType.LOGIN_IDENTITY_OIDC_AUTH;
+  metadata: {
+    identityId: string;
+    identityOidcAuthId: string;
+    identityAccessTokenId: string;
+  };
+}
+
+interface AddIdentityOidcAuthEvent {
+  type: EventType.ADD_IDENTITY_OIDC_AUTH;
+  metadata: {
+    identityId: string;
+    oidcDiscoveryUrl: string;
+    caCert: string;
+    boundIssuer: string;
+    boundAudiences: string;
+    boundClaims: Record<string, string>;
+    boundSubject: string;
+    accessTokenTTL: number;
+    accessTokenMaxTTL: number;
+    accessTokenNumUsesLimit: number;
+    accessTokenTrustedIps: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface DeleteIdentityOidcAuthEvent {
+  type: EventType.REVOKE_IDENTITY_OIDC_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
+interface UpdateIdentityOidcAuthEvent {
+  type: EventType.UPDATE_IDENTITY_OIDC_AUTH;
+  metadata: {
+    identityId: string;
+    oidcDiscoveryUrl?: string;
+    caCert?: string;
+    boundIssuer?: string;
+    boundAudiences?: string;
+    boundClaims?: Record<string, string>;
+    boundSubject?: string;
+    accessTokenTTL?: number;
+    accessTokenMaxTTL?: number;
+    accessTokenNumUsesLimit?: number;
+    accessTokenTrustedIps?: Array<TIdentityTrustedIp>;
+  };
+}
+
+interface GetIdentityOidcAuthEvent {
+  type: EventType.GET_IDENTITY_OIDC_AUTH;
+  metadata: {
+    identityId: string;
+  };
+}
+
 interface CreateEnvironmentEvent {
   type: EventType.CREATE_ENVIRONMENT;
   metadata: {
@@ -757,6 +832,13 @@ interface CreateEnvironmentEvent {
   };
 }
 
+interface GetEnvironmentEvent {
+  type: EventType.GET_ENVIRONMENT;
+  metadata: {
+    id: string;
+  };
+}
+
 interface UpdateEnvironmentEvent {
   type: EventType.UPDATE_ENVIRONMENT;
   metadata: {
@@ -1097,6 +1179,7 @@ export type Event =
   | CreateSecretBatchEvent
   | UpdateSecretEvent
   | UpdateSecretBatchEvent
+  | MoveSecretsEvent
   | DeleteSecretEvent
   | DeleteSecretBatchEvent
   | GetWorkspaceKeyEvent
@@ -1149,7 +1232,13 @@ export type Event =
   | DeleteIdentityAzureAuthEvent
   | UpdateIdentityAzureAuthEvent
   | GetIdentityAzureAuthEvent
+  | LoginIdentityOidcAuthEvent
+  | AddIdentityOidcAuthEvent
+  | DeleteIdentityOidcAuthEvent
+  | UpdateIdentityOidcAuthEvent
+  | GetIdentityOidcAuthEvent
   | CreateEnvironmentEvent
+  | GetEnvironmentEvent
   | UpdateEnvironmentEvent
   | DeleteEnvironmentEvent
   | AddWorkspaceMemberEvent

backend/src/ee/services/certificate-authority-crl/certificate-authority-crl-service.ts

@@ -17,7 +17,7 @@ type TCertificateAuthorityCrlServiceFactoryDep = {
   certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById">;
   certificateAuthorityCrlDAL: Pick<TCertificateAuthorityCrlDALFactory, "findOne">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
-  kmsService: Pick<TKmsServiceFactory, "decrypt" | "generateKmsKey">;
+  kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
@@ -68,11 +68,11 @@ export const certificateAuthorityCrlServiceFactory = ({
       kmsService
     });
 
-    const decryptedCrl = await kmsService.decrypt({
+    const kmsDecryptor = await kmsService.decryptWithKmsKey({
-      kmsId: keyId,
+      kmsId: keyId
-      cipherTextBlob: caCrl.encryptedCrl
     });
 
+    const decryptedCrl = kmsDecryptor({ cipherTextBlob: caCrl.encryptedCrl });
     const crl = new x509.X509Crl(decryptedCrl);
 
     const base64crl = crl.toString("base64");

backend/src/ee/services/external-kms/external-kms-dal.ts

@@ -0,0 +1,47 @@
+import { Knex } from "knex";
+
+import { TDbClient } from "@app/db";
+import { TableName, TKmsKeys } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
+
+export type TExternalKmsDALFactory = ReturnType<typeof externalKmsDALFactory>;
+
+export const externalKmsDALFactory = (db: TDbClient) => {
+  const externalKmsOrm = ormify(db, TableName.ExternalKms);
+
+  const find = async (filter: Partial<TKmsKeys>, tx?: Knex) => {
+    try {
+      const result = await (tx || db.replicaNode())(TableName.ExternalKms)
+        .join(TableName.KmsKey, `${TableName.KmsKey}.id`, `${TableName.ExternalKms}.kmsKeyId`)
+        .where(filter)
+        .select(selectAllTableCols(TableName.KmsKey))
+        .select(
+          db.ref("id").withSchema(TableName.ExternalKms).as("externalKmsId"),
+          db.ref("provider").withSchema(TableName.ExternalKms).as("externalKmsProvider"),
+          db.ref("encryptedProviderInputs").withSchema(TableName.ExternalKms).as("externalKmsEncryptedProviderInput"),
+          db.ref("status").withSchema(TableName.ExternalKms).as("externalKmsStatus"),
+          db.ref("statusDetails").withSchema(TableName.ExternalKms).as("externalKmsStatusDetails")
+        );
+
+      return result.map((el) => ({
+        id: el.id,
+        description: el.description,
+        isDisabled: el.isDisabled,
+        isReserved: el.isReserved,
+        orgId: el.orgId,
+        slug: el.slug,
+        externalKms: {
+          id: el.externalKmsId,
+          provider: el.externalKmsProvider,
+          status: el.externalKmsStatus,
+          statusDetails: el.externalKmsStatusDetails
+        }
+      }));
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find" });
+    }
+  };
+
+  return { ...externalKmsOrm, find };
+};

backend/src/ee/services/external-kms/external-kms-service.ts

@@ -0,0 +1,309 @@
+import { ForbiddenError } from "@casl/ability";
+import slugify from "@sindresorhus/slugify";
+
+import { BadRequestError } from "@app/lib/errors";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { TKmsKeyDALFactory } from "@app/services/kms/kms-key-dal";
+import { TKmsServiceFactory } from "@app/services/kms/kms-service";
+
+import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
+import { TPermissionServiceFactory } from "../permission/permission-service";
+import { TExternalKmsDALFactory } from "./external-kms-dal";
+import {
+  TCreateExternalKmsDTO,
+  TDeleteExternalKmsDTO,
+  TGetExternalKmsByIdDTO,
+  TGetExternalKmsBySlugDTO,
+  TListExternalKmsDTO,
+  TUpdateExternalKmsDTO
+} from "./external-kms-types";
+import { AwsKmsProviderFactory } from "./providers/aws-kms";
+import { ExternalKmsAwsSchema, KmsProviders } from "./providers/model";
+
+type TExternalKmsServiceFactoryDep = {
+  externalKmsDAL: TExternalKmsDALFactory;
+  kmsService: Pick<TKmsServiceFactory, "getOrgKmsKeyId" | "encryptWithKmsKey" | "decryptWithKmsKey">;
+  kmsDAL: Pick<TKmsKeyDALFactory, "create" | "updateById" | "findById" | "deleteById" | "findOne">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+};
+
+export type TExternalKmsServiceFactory = ReturnType<typeof externalKmsServiceFactory>;
+
+export const externalKmsServiceFactory = ({
+  externalKmsDAL,
+  permissionService,
+  kmsService,
+  kmsDAL
+}: TExternalKmsServiceFactoryDep) => {
+  const create = async ({
+    provider,
+    description,
+    actor,
+    slug,
+    actorId,
+    actorOrgId,
+    actorAuthMethod
+  }: TCreateExternalKmsDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
+    const kmsSlug = slug ? slugify(slug) : slugify(alphaNumericNanoId(8).toLowerCase());
+
+    let sanitizedProviderInput = "";
+    switch (provider.type) {
+      case KmsProviders.Aws:
+        {
+          const externalKms = await AwsKmsProviderFactory({ inputs: provider.inputs });
+          await externalKms.validateConnection();
+          // if missing kms key this generate a new kms key id and returns new provider input
+          const newProviderInput = await externalKms.generateInputKmsKey();
+          sanitizedProviderInput = JSON.stringify(newProviderInput);
+        }
+        break;
+      default:
+        throw new BadRequestError({ message: "external kms provided is invalid" });
+    }
+
+    const orgKmsKeyId = await kmsService.getOrgKmsKeyId(actorOrgId);
+    const kmsEncryptor = await kmsService.encryptWithKmsKey({
+      kmsId: orgKmsKeyId
+    });
+    const { cipherTextBlob: encryptedProviderInputs } = kmsEncryptor({
+      plainText: Buffer.from(sanitizedProviderInput, "utf8")
+    });
+
+    const externalKms = await externalKmsDAL.transaction(async (tx) => {
+      const kms = await kmsDAL.create(
+        {
+          isReserved: false,
+          description,
+          slug: kmsSlug,
+          orgId: actorOrgId
+        },
+        tx
+      );
+      const externalKmsCfg = await externalKmsDAL.create(
+        {
+          provider: provider.type,
+          encryptedProviderInputs,
+          kmsKeyId: kms.id
+        },
+        tx
+      );
+      return { ...kms, external: externalKmsCfg };
+    });
+
+    return externalKms;
+  };
+
+  const updateById = async ({
+    provider,
+    description,
+    actor,
+    id: kmsId,
+    slug,
+    actorId,
+    actorOrgId,
+    actorAuthMethod
+  }: TUpdateExternalKmsDTO) => {
+    const kmsDoc = await kmsDAL.findById(kmsId);
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      kmsDoc.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
+    const kmsSlug = slug ? slugify(slug) : undefined;
+
+    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
+    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+
+    const orgDefaultKmsId = await kmsService.getOrgKmsKeyId(kmsDoc.orgId);
+    let sanitizedProviderInput = "";
+    if (provider) {
+      const kmsDecryptor = await kmsService.decryptWithKmsKey({
+        kmsId: orgDefaultKmsId
+      });
+      const decryptedProviderInputBlob = kmsDecryptor({
+        cipherTextBlob: externalKmsDoc.encryptedProviderInputs
+      });
+
+      switch (provider.type) {
+        case KmsProviders.Aws:
+          {
+            const decryptedProviderInput = await ExternalKmsAwsSchema.parseAsync(
+              JSON.parse(decryptedProviderInputBlob.toString("utf8"))
+            );
+            const updatedProviderInput = { ...decryptedProviderInput, ...provider.inputs };
+            const externalKms = await AwsKmsProviderFactory({ inputs: updatedProviderInput });
+            await externalKms.validateConnection();
+            sanitizedProviderInput = JSON.stringify(updatedProviderInput);
+          }
+          break;
+        default:
+          throw new BadRequestError({ message: "external kms provided is invalid" });
+      }
+    }
+
+    let encryptedProviderInputs: Buffer | undefined;
+    if (sanitizedProviderInput) {
+      const kmsEncryptor = await kmsService.encryptWithKmsKey({
+        kmsId: orgDefaultKmsId
+      });
+      const { cipherTextBlob } = kmsEncryptor({
+        plainText: Buffer.from(sanitizedProviderInput, "utf8")
+      });
+      encryptedProviderInputs = cipherTextBlob;
+    }
+
+    const externalKms = await externalKmsDAL.transaction(async (tx) => {
+      const kms = await kmsDAL.updateById(
+        kmsDoc.id,
+        {
+          description,
+          slug: kmsSlug
+        },
+        tx
+      );
+      if (encryptedProviderInputs) {
+        const externalKmsCfg = await externalKmsDAL.updateById(
+          externalKmsDoc.id,
+          {
+            encryptedProviderInputs
+          },
+          tx
+        );
+        return { ...kms, external: externalKmsCfg };
+      }
+      return { ...kms, external: externalKmsDoc };
+    });
+
+    return externalKms;
+  };
+
+  const deleteById = async ({ actor, id: kmsId, actorId, actorOrgId, actorAuthMethod }: TDeleteExternalKmsDTO) => {
+    const kmsDoc = await kmsDAL.findById(kmsId);
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      kmsDoc.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
+
+    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
+    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+
+    const externalKms = await externalKmsDAL.transaction(async (tx) => {
+      const kms = await kmsDAL.deleteById(kmsDoc.id, tx);
+      return { ...kms, external: externalKmsDoc };
+    });
+
+    return externalKms;
+  };
+
+  const list = async ({ actor, actorId, actorOrgId, actorAuthMethod }: TListExternalKmsDTO) => {
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      actorOrgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
+
+    const externalKmsDocs = await externalKmsDAL.find({ orgId: actorOrgId });
+
+    return externalKmsDocs;
+  };
+
+  const findById = async ({ actor, actorId, actorOrgId, actorAuthMethod, id: kmsId }: TGetExternalKmsByIdDTO) => {
+    const kmsDoc = await kmsDAL.findById(kmsId);
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      kmsDoc.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
+
+    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
+    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+
+    const orgDefaultKmsId = await kmsService.getOrgKmsKeyId(kmsDoc.orgId);
+    const kmsDecryptor = await kmsService.decryptWithKmsKey({
+      kmsId: orgDefaultKmsId
+    });
+    const decryptedProviderInputBlob = kmsDecryptor({
+      cipherTextBlob: externalKmsDoc.encryptedProviderInputs
+    });
+    switch (externalKmsDoc.provider) {
+      case KmsProviders.Aws: {
+        const decryptedProviderInput = await ExternalKmsAwsSchema.parseAsync(
+          JSON.parse(decryptedProviderInputBlob.toString("utf8"))
+        );
+        return { ...kmsDoc, external: { ...externalKmsDoc, providerInput: decryptedProviderInput } };
+      }
+      default:
+        throw new BadRequestError({ message: "external kms provided is invalid" });
+    }
+  };
+
+  const findBySlug = async ({
+    actor,
+    actorId,
+    actorOrgId,
+    actorAuthMethod,
+    slug: kmsSlug
+  }: TGetExternalKmsBySlugDTO) => {
+    const kmsDoc = await kmsDAL.findOne({ slug: kmsSlug, orgId: actorOrgId });
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      kmsDoc.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Settings);
+
+    const externalKmsDoc = await externalKmsDAL.findOne({ kmsKeyId: kmsDoc.id });
+    if (!externalKmsDoc) throw new BadRequestError({ message: "External kms not found" });
+
+    const orgDefaultKmsId = await kmsService.getOrgKmsKeyId(kmsDoc.orgId);
+    const kmsDecryptor = await kmsService.decryptWithKmsKey({
+      kmsId: orgDefaultKmsId
+    });
+    const decryptedProviderInputBlob = kmsDecryptor({
+      cipherTextBlob: externalKmsDoc.encryptedProviderInputs
+    });
+
+    switch (externalKmsDoc.provider) {
+      case KmsProviders.Aws: {
+        const decryptedProviderInput = await ExternalKmsAwsSchema.parseAsync(
+          JSON.parse(decryptedProviderInputBlob.toString("utf8"))
+        );
+        return { ...kmsDoc, external: { ...externalKmsDoc, providerInput: decryptedProviderInput } };
+      }
+      default:
+        throw new BadRequestError({ message: "external kms provided is invalid" });
+    }
+  };
+
+  return {
+    create,
+    updateById,
+    deleteById,
+    list,
+    findById,
+    findBySlug
+  };
+};

backend/src/ee/services/external-kms/external-kms-types.ts

@@ -0,0 +1,30 @@
+import { TOrgPermission } from "@app/lib/types";
+
+import { TExternalKmsInputSchema, TExternalKmsInputUpdateSchema } from "./providers/model";
+
+export type TCreateExternalKmsDTO = {
+  slug?: string;
+  description?: string;
+  provider: TExternalKmsInputSchema;
+} & Omit<TOrgPermission, "orgId">;
+
+export type TUpdateExternalKmsDTO = {
+  id: string;
+  slug?: string;
+  description?: string;
+  provider?: TExternalKmsInputUpdateSchema;
+} & Omit<TOrgPermission, "orgId">;
+
+export type TDeleteExternalKmsDTO = {
+  id: string;
+} & Omit<TOrgPermission, "orgId">;
+
+export type TListExternalKmsDTO = Omit<TOrgPermission, "orgId">;
+
+export type TGetExternalKmsByIdDTO = {
+  id: string;
+} & Omit<TOrgPermission, "orgId">;
+
+export type TGetExternalKmsBySlugDTO = {
+  slug: string;
+} & Omit<TOrgPermission, "orgId">;

backend/src/ee/services/external-kms/providers/aws-kms.ts

@@ -0,0 +1,102 @@
+import { CreateKeyCommand, DecryptCommand, DescribeKeyCommand, EncryptCommand, KMSClient } from "@aws-sdk/client-kms";
+import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";
+import { randomUUID } from "crypto";
+
+import { ExternalKmsAwsSchema, KmsAwsCredentialType, TExternalKmsAwsSchema, TExternalKmsProviderFns } from "./model";
+
+const getAwsKmsClient = async (providerInputs: TExternalKmsAwsSchema) => {
+  if (providerInputs.credential.type === KmsAwsCredentialType.AssumeRole) {
+    const awsCredential = providerInputs.credential.data;
+    const stsClient = new STSClient({
+      region: providerInputs.awsRegion
+    });
+    const command = new AssumeRoleCommand({
+      RoleArn: awsCredential.assumeRoleArn,
+      RoleSessionName: `infisical-kms-${randomUUID()}`,
+      DurationSeconds: 900, // 15mins
+      ExternalId: awsCredential.externalId
+    });
+    const response = await stsClient.send(command);
+    if (!response.Credentials?.AccessKeyId || !response.Credentials?.SecretAccessKey)
+      throw new Error("Failed to assume role");
+
+    const kmsClient = new KMSClient({
+      region: providerInputs.awsRegion,
+      credentials: {
+        accessKeyId: response.Credentials.AccessKeyId,
+        secretAccessKey: response.Credentials.SecretAccessKey,
+        sessionToken: response.Credentials.SessionToken,
+        expiration: response.Credentials.Expiration
+      }
+    });
+    return kmsClient;
+  }
+  const awsCredential = providerInputs.credential.data;
+  const kmsClient = new KMSClient({
+    region: providerInputs.awsRegion,
+    credentials: {
+      accessKeyId: awsCredential.accessKey,
+      secretAccessKey: awsCredential.secretKey
+    }
+  });
+  return kmsClient;
+};
+
+type AwsKmsProviderArgs = {
+  inputs: unknown;
+};
+type TAwsKmsProviderFactoryReturn = TExternalKmsProviderFns & {
+  generateInputKmsKey: () => Promise<TExternalKmsAwsSchema>;
+};
+
+export const AwsKmsProviderFactory = async ({ inputs }: AwsKmsProviderArgs): Promise<TAwsKmsProviderFactoryReturn> => {
+  const providerInputs = await ExternalKmsAwsSchema.parseAsync(inputs);
+  const awsClient = await getAwsKmsClient(providerInputs);
+
+  const generateInputKmsKey = async () => {
+    if (providerInputs.kmsKeyId) return providerInputs;
+
+    const command = new CreateKeyCommand({ Tags: [{ TagKey: "author", TagValue: "infisical" }] });
+    const kmsKey = await awsClient.send(command);
+    if (!kmsKey.KeyMetadata?.KeyId) throw new Error("Failed to generate kms key");
+
+    return { ...providerInputs, kmsKeyId: kmsKey.KeyMetadata?.KeyId };
+  };
+
+  const validateConnection = async () => {
+    const command = new DescribeKeyCommand({
+      KeyId: providerInputs.kmsKeyId
+    });
+    const isConnected = await awsClient.send(command).then(() => true);
+    return isConnected;
+  };
+
+  const encrypt = async (data: Buffer) => {
+    const command = new EncryptCommand({
+      KeyId: providerInputs.kmsKeyId,
+      Plaintext: data
+    });
+    const encryptionCommand = await awsClient.send(command);
+    if (!encryptionCommand.CiphertextBlob) throw new Error("encryption failed");
+
+    return { encryptedBlob: Buffer.from(encryptionCommand.CiphertextBlob) };
+  };
+
+  const decrypt = async (encryptedBlob: Buffer) => {
+    const command = new DecryptCommand({
+      KeyId: providerInputs.kmsKeyId,
+      CiphertextBlob: encryptedBlob
+    });
+    const decryptionCommand = await awsClient.send(command);
+    if (!decryptionCommand.Plaintext) throw new Error("decryption failed");
+
+    return { data: Buffer.from(decryptionCommand.Plaintext) };
+  };
+
+  return {
+    generateInputKmsKey,
+    validateConnection,
+    encrypt,
+    decrypt
+  };
+};

backend/src/ee/services/external-kms/providers/model.ts

@@ -0,0 +1,61 @@
+import { z } from "zod";
+
+export enum KmsProviders {
+  Aws = "aws"
+}
+
+export enum KmsAwsCredentialType {
+  AssumeRole = "assume-role",
+  AccessKey = "access-key"
+}
+
+export const ExternalKmsAwsSchema = z.object({
+  credential: z
+    .discriminatedUnion("type", [
+      z.object({
+        type: z.literal(KmsAwsCredentialType.AccessKey),
+        data: z.object({
+          accessKey: z.string().trim().min(1).describe("AWS user account access key"),
+          secretKey: z.string().trim().min(1).describe("AWS user account secret key")
+        })
+      }),
+      z.object({
+        type: z.literal(KmsAwsCredentialType.AssumeRole),
+        data: z.object({
+          assumeRoleArn: z.string().trim().min(1).describe("AWS user role to be assumed by infisical"),
+          externalId: z
+            .string()
+            .trim()
+            .min(1)
+            .optional()
+            .describe("AWS assume role external id for furthur security in authentication")
+        })
+      })
+    ])
+    .describe("AWS credential information to connect"),
+  awsRegion: z.string().min(1).trim().describe("AWS region to connect"),
+  kmsKeyId: z
+    .string()
+    .trim()
+    .optional()
+    .describe("A pre existing AWS KMS key id to be used for encryption. If not provided a kms key will be generated.")
+});
+export type TExternalKmsAwsSchema = z.infer<typeof ExternalKmsAwsSchema>;
+
+// The root schema of the JSON
+export const ExternalKmsInputSchema = z.discriminatedUnion("type", [
+  z.object({ type: z.literal(KmsProviders.Aws), inputs: ExternalKmsAwsSchema })
+]);
+export type TExternalKmsInputSchema = z.infer<typeof ExternalKmsInputSchema>;
+
+export const ExternalKmsInputUpdateSchema = z.discriminatedUnion("type", [
+  z.object({ type: z.literal(KmsProviders.Aws), inputs: ExternalKmsAwsSchema.partial() })
+]);
+export type TExternalKmsInputUpdateSchema = z.infer<typeof ExternalKmsInputUpdateSchema>;
+
+// generic function shared by all provider
+export type TExternalKmsProviderFns = {
+  validateConnection: () => Promise<boolean>;
+  encrypt: (data: Buffer) => Promise<{ encryptedBlob: Buffer }>;
+  decrypt: (encryptedBlob: Buffer) => Promise<{ data: Buffer }>;
+};

backend/src/ee/services/group/user-group-membership-dal.ts

@@ -162,11 +162,60 @@ export const userGroupMembershipDALFactory = (db: TDbClient) => {
     }
   };
 
+  const findGroupMembershipsByUserIdInOrg = async (userId: string, orgId: string) => {
+    try {
+      const docs = await db
+        .replicaNode()(TableName.UserGroupMembership)
+        .join(TableName.Groups, `${TableName.UserGroupMembership}.groupId`, `${TableName.Groups}.id`)
+        .join(TableName.OrgMembership, `${TableName.UserGroupMembership}.userId`, `${TableName.OrgMembership}.userId`)
+        .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
+        .where(`${TableName.UserGroupMembership}.userId`, userId)
+        .where(`${TableName.Groups}.orgId`, orgId)
+        .select(
+          db.ref("id").withSchema(TableName.UserGroupMembership),
+          db.ref("groupId").withSchema(TableName.UserGroupMembership),
+          db.ref("name").withSchema(TableName.Groups).as("groupName"),
+          db.ref("id").withSchema(TableName.OrgMembership).as("orgMembershipId"),
+          db.ref("firstName").withSchema(TableName.Users).as("firstName"),
+          db.ref("lastName").withSchema(TableName.Users).as("lastName")
+        );
+
+      return docs;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find group memberships by user id in org" });
+    }
+  };
+
+  const findGroupMembershipsByGroupIdInOrg = async (groupId: string, orgId: string) => {
+    try {
+      const docs = await db
+        .replicaNode()(TableName.UserGroupMembership)
+        .join(TableName.Groups, `${TableName.UserGroupMembership}.groupId`, `${TableName.Groups}.id`)
+        .join(TableName.OrgMembership, `${TableName.UserGroupMembership}.userId`, `${TableName.OrgMembership}.userId`)
+        .join(TableName.Users, `${TableName.UserGroupMembership}.userId`, `${TableName.Users}.id`)
+        .where(`${TableName.Groups}.id`, groupId)
+        .where(`${TableName.Groups}.orgId`, orgId)
+        .select(
+          db.ref("id").withSchema(TableName.UserGroupMembership),
+          db.ref("groupId").withSchema(TableName.UserGroupMembership),
+          db.ref("name").withSchema(TableName.Groups).as("groupName"),
+          db.ref("id").withSchema(TableName.OrgMembership).as("orgMembershipId"),
+          db.ref("firstName").withSchema(TableName.Users).as("firstName"),
+          db.ref("lastName").withSchema(TableName.Users).as("lastName")
+        );
+      return docs;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find group memberships by group id in org" });
+    }
+  };
+
   return {
     ...userGroupMembershipOrm,
     filterProjectsByUserMembership,
     findUserGroupMembershipsInProject,
     findGroupMembersNotInProject,
-    deletePendingUserGroupMembershipsByUserIds
+    deletePendingUserGroupMembershipsByUserIds,
+    findGroupMembershipsByUserIdInOrg,
+    findGroupMembershipsByGroupIdInOrg
   };
 };

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -449,7 +449,8 @@ export const ldapConfigServiceFactory = ({
               userId: userAlias.userId,
               orgId,
               role: OrgMembershipRole.Member,
-              status: OrgMembershipStatus.Accepted
+              status: OrgMembershipStatus.Accepted,
+              isActive: true
             },
             tx
           );
@@ -534,7 +535,8 @@ export const ldapConfigServiceFactory = ({
               inviteEmail: email,
               orgId,
               role: OrgMembershipRole.Member,
-              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              isActive: true
             },
             tx
           );

backend/src/ee/services/license/licence-fns.ts

@@ -38,7 +38,8 @@ export const getDefaultOnPremFeatures = (): TFeatureSet => ({
   has_used_trial: true,
   secretApproval: false,
   secretRotation: true,
-  caCrl: false
+  caCrl: false,
+  instanceUserManagement: false
 });
 
 export const setupLicenceRequestWithStore = (baseURL: string, refreshUrl: string, licenseKey: string) => {

backend/src/ee/services/license/license-service.ts

@@ -218,6 +218,8 @@ export const licenseServiceFactory = ({
     } else if (instanceType === InstanceType.EnterpriseOnPrem) {
       const usedSeats = await licenseDAL.countOfOrgMembers(null, tx);
       const usedIdentitySeats = await licenseDAL.countOrgUsersAndIdentities(null, tx);
+      onPremFeatures.membersUsed = usedSeats;
+      onPremFeatures.identitiesUsed = usedIdentitySeats;
       await licenseServerOnPremApi.request.patch(`/api/license/v1/license`, {
         usedSeats,
         usedIdentitySeats

backend/src/ee/services/license/license-types.ts

@@ -30,9 +30,9 @@ export type TFeatureSet = {
   workspacesUsed: 0;
   dynamicSecret: false;
   memberLimit: null;
-  membersUsed: 0;
+  membersUsed: number;
   identityLimit: null;
-  identitiesUsed: 0;
+  identitiesUsed: number;
   environmentLimit: null;
   environmentsUsed: 0;
   secretVersioning: true;
@@ -56,6 +56,7 @@ export type TFeatureSet = {
   secretApproval: false;
   secretRotation: true;
   caCrl: false;
+  instanceUserManagement: false;
 };
 
 export type TOrgPlansTableDTO = {

backend/src/ee/services/oidc/oidc-config-service.ts

@@ -193,7 +193,8 @@ export const oidcConfigServiceFactory = ({
               inviteEmail: email,
               orgId,
               role: OrgMembershipRole.Member,
-              status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              isActive: true
             },
             tx
           );
@@ -266,7 +267,8 @@ export const oidcConfigServiceFactory = ({
               inviteEmail: email,
               orgId,
               role: OrgMembershipRole.Member,
-              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              isActive: true
             },
             tx
           );

backend/src/ee/services/permission/permission-service.ts

@@ -109,6 +109,9 @@ export const permissionServiceFactory = ({
     authMethod: ActorAuthMethod,
     userOrgId?: string
   ) => {
+    // when token is scoped, ensure the passed org id is same as user org id
+    if (userOrgId && userOrgId !== orgId)
+      throw new BadRequestError({ message: "Invalid user token. Scoped to different organization." });
     const membership = await permissionDAL.getOrgPermission(userId, orgId);
     if (!membership) throw new UnauthorizedError({ name: "User not in org" });
     if (membership.role === OrgMembershipRole.Custom && !membership.permissions) {

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -370,7 +370,8 @@ export const samlConfigServiceFactory = ({
               inviteEmail: email,
               orgId,
               role: OrgMembershipRole.Member,
-              status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              status: foundUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              isActive: true
             },
             tx
           );
@@ -457,7 +458,8 @@ export const samlConfigServiceFactory = ({
               inviteEmail: email,
               orgId,
               role: OrgMembershipRole.Member,
-              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              status: newUser.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              isActive: true
             },
             tx
           );

backend/src/ee/services/scim/scim-fns.ts

@@ -32,12 +32,19 @@ export const parseScimFilter = (filterToParse: string | undefined) => {
   return { [attributeName]: parsedValue.replace(/"/g, "") };
 };
 
+export function extractScimValueFromPath(path: string): string | null {
+  const regex = /members\[value eq "([^"]+)"\]/;
+  const match = path.match(regex);
+  return match ? match[1] : null;
+}
+
 export const buildScimUser = ({
   orgMembershipId,
   username,
   email,
   firstName,
   lastName,
+  groups = [],
   active
 }: {
   orgMembershipId: string;
@@ -45,6 +52,10 @@ export const buildScimUser = ({
   email?: string | null;
   firstName: string;
   lastName: string;
+  groups?: {
+    value: string;
+    display: string;
+  }[];
   active: boolean;
 }): TScimUser => {
   const scimUser = {
@@ -67,7 +78,7 @@ export const buildScimUser = ({
         ]
       : [],
     active,
-    groups: [],
+    groups,
     meta: {
       resourceType: "User",
       location: null

backend/src/ee/services/scim/scim-service.ts

@@ -2,13 +2,14 @@ import { ForbiddenError } from "@casl/ability";
 import slugify from "@sindresorhus/slugify";
 import jwt from "jsonwebtoken";
 
-import { OrgMembershipRole, OrgMembershipStatus, TableName, TGroups, TOrgMemberships, TUsers } from "@app/db/schemas";
+import { OrgMembershipRole, OrgMembershipStatus, TableName, TOrgMemberships, TUsers } from "@app/db/schemas";
 import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
 import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { TScimDALFactory } from "@app/ee/services/scim/scim-dal";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError, ScimRequestError, UnauthorizedError } from "@app/lib/errors";
+import { logger } from "@app/lib/logger";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
 import { TOrgPermission } from "@app/lib/types";
 import { AuthTokenType } from "@app/services/auth/auth-type";
@@ -30,7 +31,14 @@ import { UserAliasType } from "@app/services/user-alias/user-alias-types";
 import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
-import { buildScimGroup, buildScimGroupList, buildScimUser, buildScimUserList, parseScimFilter } from "./scim-fns";
+import {
+  buildScimGroup,
+  buildScimGroupList,
+  buildScimUser,
+  buildScimUserList,
+  extractScimValueFromPath,
+  parseScimFilter
+} from "./scim-fns";
 import {
   TCreateScimGroupDTO,
   TCreateScimTokenDTO,
@@ -44,6 +52,7 @@ import {
   TListScimUsers,
   TListScimUsersDTO,
   TReplaceScimUserDTO,
+  TScimGroup,
   TScimTokenJwtPayload,
   TUpdateScimGroupNamePatchDTO,
   TUpdateScimGroupNamePutDTO,
@@ -61,17 +70,23 @@ type TScimServiceFactoryDep = {
     TOrgDALFactory,
     "createMembership" | "findById" | "findMembership" | "deleteMembershipById" | "transaction" | "updateMembershipById"
   >;
-  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find" | "findOne" | "create" | "updateById">;
+  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "find" | "findOne" | "create" | "updateById" | "findById">;
   projectDAL: Pick<TProjectDALFactory, "find" | "findProjectGhostUser">;
   projectMembershipDAL: Pick<TProjectMembershipDALFactory, "find" | "delete" | "findProjectMembershipsByUserId">;
   groupDAL: Pick<
     TGroupDALFactory,
-    "create" | "findOne" | "findAllGroupMembers" | "update" | "delete" | "findGroups" | "transaction"
+    "create" | "findOne" | "findAllGroupMembers" | "delete" | "findGroups" | "transaction" | "updateById" | "update"
   >;
   groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
   userGroupMembershipDAL: Pick<
     TUserGroupMembershipDALFactory,
-    "find" | "transaction" | "insertMany" | "filterProjectsByUserMembership" | "delete"
+    | "find"
+    | "transaction"
+    | "insertMany"
+    | "filterProjectsByUserMembership"
+    | "delete"
+    | "findGroupMembershipsByUserIdInOrg"
+    | "findGroupMembershipsByGroupIdInOrg"
   >;
   projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany" | "delete">;
   projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
@@ -197,14 +212,14 @@ export const scimServiceFactory = ({
       findOpts
     );
 
-    const scimUsers = users.map(({ id, externalId, username, firstName, lastName, email }) =>
+    const scimUsers = users.map(({ id, externalId, username, firstName, lastName, email, isActive }) =>
       buildScimUser({
         orgMembershipId: id ?? "",
         username: externalId ?? username,
         firstName: firstName ?? "",
         lastName: lastName ?? "",
         email,
-        active: true
+        active: isActive
       })
     );
 
@@ -240,13 +255,22 @@ export const scimServiceFactory = ({
         status: 403
       });
 
+    const groupMembershipsInOrg = await userGroupMembershipDAL.findGroupMembershipsByUserIdInOrg(
+      membership.userId,
+      orgId
+    );
+
     return buildScimUser({
       orgMembershipId: membership.id,
       username: membership.externalId ?? membership.username,
       email: membership.email ?? "",
       firstName: membership.firstName as string,
       lastName: membership.lastName as string,
-      active: true
+      active: membership.isActive,
+      groups: groupMembershipsInOrg.map((group) => ({
+        value: group.groupId,
+        display: group.groupName
+      }))
     });
   };
 
@@ -296,7 +320,8 @@ export const scimServiceFactory = ({
               inviteEmail: email,
               orgId,
               role: OrgMembershipRole.Member,
-              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              isActive: true
             },
             tx
           );
@@ -364,7 +389,8 @@ export const scimServiceFactory = ({
               inviteEmail: email,
               orgId,
               role: OrgMembershipRole.Member,
-              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited, // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
+              isActive: true
             },
             tx
           );
@@ -401,7 +427,7 @@ export const scimServiceFactory = ({
       firstName: createdUser.firstName as string,
       lastName: createdUser.lastName as string,
       email: createdUser.email ?? "",
-      active: true
+      active: createdOrgMembership.isActive
     });
   };
 
@@ -445,14 +471,8 @@ export const scimServiceFactory = ({
     });
 
     if (!active) {
-      await deleteOrgMembershipFn({
+      await orgMembershipDAL.updateById(membership.id, {
-        orgMembershipId: membership.id,
+        isActive: false
-        orgId: membership.orgId,
-        orgDAL,
-        projectMembershipDAL,
-        projectKeyDAL,
-        userAliasDAL,
-        licenseService
       });
     }
 
@@ -491,17 +511,14 @@ export const scimServiceFactory = ({
         status: 403
       });
 
-    if (!active) {
+    await orgMembershipDAL.updateById(membership.id, {
-      await deleteOrgMembershipFn({
+      isActive: active
-        orgMembershipId: membership.id,
+    });
-        orgId: membership.orgId,
+
-        orgDAL,
+    const groupMembershipsInOrg = await userGroupMembershipDAL.findGroupMembershipsByUserIdInOrg(
-        projectMembershipDAL,
+      membership.userId,
-        projectKeyDAL,
+      orgId
-        userAliasDAL,
+    );
-        licenseService
-      });
-    }
 
     return buildScimUser({
       orgMembershipId: membership.id,
@@ -509,7 +526,11 @@ export const scimServiceFactory = ({
       email: membership.email,
       firstName: membership.firstName as string,
       lastName: membership.lastName as string,
-      active
+      active,
+      groups: groupMembershipsInOrg.map((group) => ({
+        value: group.groupId,
+        display: group.groupName
+      }))
     });
   };
 
@@ -577,13 +598,20 @@ export const scimServiceFactory = ({
       }
     );
 
-    const scimGroups = groups.map((group) =>
+    const scimGroups: TScimGroup[] = [];
-      buildScimGroup({
+
+    for await (const group of groups) {
+      const members = await userGroupMembershipDAL.findGroupMembershipsByGroupIdInOrg(group.id, orgId);
+      const scimGroup = buildScimGroup({
         groupId: group.id,
         name: group.name,
-        members: [] // does this need to be populated?
+        members: members.map((member) => ({
-      })
+          value: member.orgMembershipId,
-    );
+          display: `${member.firstName ?? ""} ${member.lastName ?? ""}`
+        }))
+      });
+      scimGroups.push(scimGroup);
+    }
 
     return buildScimGroupList({
       scimGroups,
@@ -817,7 +845,6 @@ export const scimServiceFactory = ({
     });
   };
 
-  // TODO: add support for add/remove op
   const updateScimGroupNamePatch = async ({ groupId, orgId, operations }: TUpdateScimGroupNamePatchDTO) => {
     const plan = await licenseService.getPlan(orgId);
     if (!plan.groups)
@@ -840,27 +867,64 @@ export const scimServiceFactory = ({
         status: 403
       });
 
-    let group: TGroups | undefined;
+    let group = await groupDAL.findOne({
+      id: groupId,
+      orgId
+    });
+
+    if (!group) {
+      throw new ScimRequestError({
+        detail: "Group Not Found",
+        status: 404
+      });
+    }
+
     for await (const operation of operations) {
       switch (operation.op) {
         case "replace": {
-          await groupDAL.update(
+          group = await groupDAL.updateById(group.id, {
-            {
+            name: operation.value.displayName
-              id: groupId,
+          });
-              orgId
-            },
-            {
-              name: operation.value.displayName
-            }
-          );
           break;
         }
         case "add": {
-          // TODO
+          try {
+            const orgMemberships = await orgMembershipDAL.find({
+              $in: {
+                id: operation.value.map((member) => member.value)
+              }
+            });
+
+            await addUsersToGroupByUserIds({
+              group,
+              userIds: orgMemberships.map((membership) => membership.userId as string),
+              userDAL,
+              userGroupMembershipDAL,
+              orgDAL,
+              groupProjectDAL,
+              projectKeyDAL,
+              projectDAL,
+              projectBotDAL
+            });
+          } catch {
+            logger.info("Repeat SCIM user-group add operation");
+          }
+
           break;
         }
         case "remove": {
-          // TODO
+          const orgMembershipId = extractScimValueFromPath(operation.path);
+          if (!orgMembershipId) throw new ScimRequestError({ detail: "Invalid path value", status: 400 });
+          const orgMembership = await orgMembershipDAL.findById(orgMembershipId);
+          if (!orgMembership) throw new ScimRequestError({ detail: "Org Membership Not Found", status: 400 });
+          await removeUsersFromGroupByUserIds({
+            group,
+            userIds: [orgMembership.userId as string],
+            userDAL,
+            userGroupMembershipDAL,
+            groupProjectDAL,
+            projectKeyDAL
+          });
           break;
         }
         default: {
@@ -872,17 +936,15 @@ export const scimServiceFactory = ({
       }
     }
 
-    if (!group) {
+    const members = await userGroupMembershipDAL.findGroupMembershipsByGroupIdInOrg(group.id, orgId);
-      throw new ScimRequestError({
-        detail: "Group Not Found",
-        status: 404
-      });
-    }
 
     return buildScimGroup({
       groupId: group.id,
       name: group.name,
-      members: []
+      members: members.map((member) => ({
+        value: member.orgMembershipId,
+        display: `${member.firstName ?? ""} ${member.lastName ?? ""}`
+      }))
     });
   };
 

backend/src/ee/services/scim/scim-types.ts

@@ -125,10 +125,11 @@ type TRemoveOp = {
 
 type TAddOp = {
   op: "add";
+  path: string;
   value: {
     value: string;
     display?: string;
-  };
+  }[];
 };
 
 export type TDeleteScimGroupDTO = {
@@ -157,7 +158,10 @@ export type TScimUser = {
     type: string;
   }[];
   active: boolean;
-  groups: string[];
+  groups: {
+    value: string;
+    display: string;
+  }[];
   meta: {
     resourceType: string;
     location: null;

backend/src/ee/services/secret-approval-policy/secret-approval-policy-service.ts

@@ -45,12 +45,13 @@ export const secretApprovalPolicyServiceFactory = ({
     actorOrgId,
     actorAuthMethod,
     approvals,
-    approverUserIds,
+    approvers,
     projectId,
     secretPath,
-    environment
+    environment,
+    enforcementLevel
   }: TCreateSapDTO) => {
-    if (approvals > approverUserIds.length)
+    if (approvals > approvers.length)
       throw new BadRequestError({ message: "Approvals cannot be greater than approvers" });
 
     const { permission } = await permissionService.getProjectPermission(
@@ -73,12 +74,13 @@ export const secretApprovalPolicyServiceFactory = ({
           envId: env.id,
           approvals,
           secretPath,
-          name
+          name,
+          enforcementLevel
         },
         tx
       );
       await secretApprovalPolicyApproverDAL.insertMany(
-        approverUserIds.map((approverUserId) => ({
+        approvers.map((approverUserId) => ({
           approverUserId,
           policyId: doc.id
         })),
@@ -90,7 +92,7 @@ export const secretApprovalPolicyServiceFactory = ({
   };
 
   const updateSecretApprovalPolicy = async ({
-    approverUserIds,
+    approvers,
     secretPath,
     name,
     actorId,
@@ -98,7 +100,8 @@ export const secretApprovalPolicyServiceFactory = ({
     actorOrgId,
     actorAuthMethod,
     approvals,
-    secretPolicyId
+    secretPolicyId,
+    enforcementLevel
   }: TUpdateSapDTO) => {
     const secretApprovalPolicy = await secretApprovalPolicyDAL.findById(secretPolicyId);
     if (!secretApprovalPolicy) throw new BadRequestError({ message: "Secret approval policy not found" });
@@ -118,14 +121,15 @@ export const secretApprovalPolicyServiceFactory = ({
         {
           approvals,
           secretPath,
-          name
+          name,
+          enforcementLevel
         },
         tx
       );
-      if (approverUserIds) {
+      if (approvers) {
         await secretApprovalPolicyApproverDAL.delete({ policyId: doc.id }, tx);
         await secretApprovalPolicyApproverDAL.insertMany(
-          approverUserIds.map((approverUserId) => ({
+          approvers.map((approverUserId) => ({
             approverUserId,
             policyId: doc.id
           })),

backend/src/ee/services/secret-approval-policy/secret-approval-policy-types.ts

@@ -1,20 +1,22 @@
-import { TProjectPermission } from "@app/lib/types";
+import { EnforcementLevel, TProjectPermission } from "@app/lib/types";
 
 export type TCreateSapDTO = {
   approvals: number;
   secretPath?: string | null;
   environment: string;
-  approverUserIds: string[];
+  approvers: string[];
   projectId: string;
   name: string;
+  enforcementLevel: EnforcementLevel;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TUpdateSapDTO = {
   secretPolicyId: string;
   approvals?: number;
   secretPath?: string | null;
-  approverUserIds: string[];
+  approvers: string[];
   name?: string;
+  enforcementLevel?: EnforcementLevel;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TDeleteSapDTO = {

backend/src/ee/services/secret-approval-request/secret-approval-request-dal.ts

@@ -94,6 +94,8 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
         tx.ref("projectId").withSchema(TableName.Environment),
         tx.ref("slug").withSchema(TableName.Environment).as("environment"),
         tx.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
+        tx.ref("envId").withSchema(TableName.SecretApprovalPolicy).as("policyEnvId"),
+        tx.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
         tx.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals")
       );
 
@@ -128,7 +130,9 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             id: el.policyId,
             name: el.policyName,
             approvals: el.policyApprovals,
-            secretPath: el.policySecretPath
+            secretPath: el.policySecretPath,
+            enforcementLevel: el.policyEnforcementLevel,
+            envId: el.policyEnvId
           }
         }),
         childrenMapper: [
@@ -282,6 +286,7 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             `DENSE_RANK() OVER (partition by ${TableName.Environment}."projectId" ORDER BY ${TableName.SecretApprovalRequest}."id" DESC) as rank`
           ),
           db.ref("secretPath").withSchema(TableName.SecretApprovalPolicy).as("policySecretPath"),
+          db.ref("enforcementLevel").withSchema(TableName.SecretApprovalPolicy).as("policyEnforcementLevel"),
           db.ref("approvals").withSchema(TableName.SecretApprovalPolicy).as("policyApprovals"),
           db.ref("approverUserId").withSchema(TableName.SecretApprovalPolicyApprover),
           db.ref("email").withSchema("committerUser").as("committerUserEmail"),
@@ -308,7 +313,8 @@ export const secretApprovalRequestDALFactory = (db: TDbClient) => {
             id: el.policyId,
             name: el.policyName,
             approvals: el.policyApprovals,
-            secretPath: el.policySecretPath
+            secretPath: el.policySecretPath,
+            enforcementLevel: el.policyEnforcementLevel
           },
           committerUser: {
             userId: el.committerUserId,

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -7,13 +7,16 @@ import {
   SecretType,
   TSecretApprovalRequestsSecretsInsert
 } from "@app/db/schemas";
+import { getConfig } from "@app/lib/config/env";
 import { decryptSymmetric128BitHexKeyUTF8 } from "@app/lib/crypto";
 import { BadRequestError, UnauthorizedError } from "@app/lib/errors";
 import { groupBy, pick, unique } from "@app/lib/fn";
 import { alphaNumericNanoId } from "@app/lib/nanoid";
+import { EnforcementLevel } from "@app/lib/types";
 import { ActorType } from "@app/services/auth/auth-type";
 import { TProjectDALFactory } from "@app/services/project/project-dal";
 import { TProjectBotServiceFactory } from "@app/services/project-bot/project-bot-service";
+import { TProjectEnvDALFactory } from "@app/services/project-env/project-env-dal";
 import { TSecretDALFactory } from "@app/services/secret/secret-dal";
 import {
   fnSecretBlindIndexCheck,
@@ -30,6 +33,8 @@ import { TSecretVersionTagDALFactory } from "@app/services/secret/secret-version
 import { TSecretBlindIndexDALFactory } from "@app/services/secret-blind-index/secret-blind-index-dal";
 import { TSecretFolderDALFactory } from "@app/services/secret-folder/secret-folder-dal";
 import { TSecretTagDALFactory } from "@app/services/secret-tag/secret-tag-dal";
+import { SmtpTemplates, TSmtpService } from "@app/services/smtp/smtp-service";
+import { TUserDALFactory } from "@app/services/user/user-dal";
 
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { ProjectPermissionActions, ProjectPermissionSub } from "../permission/project-permission";
@@ -62,8 +67,11 @@ type TSecretApprovalRequestServiceFactoryDep = {
   snapshotService: Pick<TSecretSnapshotServiceFactory, "performSnapshot">;
   secretVersionDAL: Pick<TSecretVersionDALFactory, "findLatestVersionMany" | "insertMany">;
   secretVersionTagDAL: Pick<TSecretVersionTagDALFactory, "insertMany">;
-  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus">;
+  projectDAL: Pick<TProjectDALFactory, "checkProjectUpgradeStatus" | "findProjectById">;
   secretQueueService: Pick<TSecretQueueFactory, "syncSecrets" | "removeSecretReminder">;
+  smtpService: Pick<TSmtpService, "sendMail">;
+  userDAL: Pick<TUserDALFactory, "find" | "findOne">;
+  projectEnvDAL: Pick<TProjectEnvDALFactory, "findOne">;
 };
 
 export type TSecretApprovalRequestServiceFactory = ReturnType<typeof secretApprovalRequestServiceFactory>;
@@ -82,7 +90,10 @@ export const secretApprovalRequestServiceFactory = ({
   snapshotService,
   secretVersionDAL,
   secretQueueService,
-  projectBotService
+  projectBotService,
+  smtpService,
+  userDAL,
+  projectEnvDAL
 }: TSecretApprovalRequestServiceFactoryDep) => {
   const requestCount = async ({ projectId, actor, actorId, actorOrgId, actorAuthMethod }: TApprovalRequestCountDTO) => {
     if (actor === ActorType.SERVICE) throw new BadRequestError({ message: "Cannot use service token" });
@@ -257,7 +268,8 @@ export const secretApprovalRequestServiceFactory = ({
     actor,
     actorId,
     actorOrgId,
-    actorAuthMethod
+    actorAuthMethod,
+    bypassReason
   }: TMergeSecretApprovalRequestDTO) => {
     const secretApprovalRequest = await secretApprovalRequestDAL.findById(approvalId);
     if (!secretApprovalRequest) throw new BadRequestError({ message: "Secret approval request not found" });
@@ -289,7 +301,10 @@ export const secretApprovalRequestServiceFactory = ({
         ({ userId: approverId }) => reviewers[approverId.toString()] === ApprovalStatus.APPROVED
       ).length;
 
-    if (!hasMinApproval) throw new BadRequestError({ message: "Doesn't have minimum approvals needed" });
+    const isSoftEnforcement = secretApprovalRequest.policy.enforcementLevel === EnforcementLevel.Soft;
+
+    if (!hasMinApproval && !isSoftEnforcement)
+      throw new BadRequestError({ message: "Doesn't have minimum approvals needed" });
     const secretApprovalSecrets = await secretApprovalRequestSecretDAL.findByRequestId(secretApprovalRequest.id);
     if (!secretApprovalSecrets) throw new BadRequestError({ message: "No secrets found" });
 
@@ -466,7 +481,8 @@ export const secretApprovalRequestServiceFactory = ({
           conflicts: JSON.stringify(conflicts),
           hasMerged: true,
           status: RequestState.Closed,
-          statusChangedByUserId: actorId
+          statusChangedByUserId: actorId,
+          bypassReason
         },
         tx
       );
@@ -485,6 +501,35 @@ export const secretApprovalRequestServiceFactory = ({
       actorId,
       actor
     });
+
+    if (isSoftEnforcement) {
+      const cfg = getConfig();
+      const project = await projectDAL.findProjectById(projectId);
+      const env = await projectEnvDAL.findOne({ id: policy.envId });
+      const requestedByUser = await userDAL.findOne({ id: actorId });
+      const approverUsers = await userDAL.find({
+        $in: {
+          id: policy.approvers.map((approver: { userId: string }) => approver.userId)
+        }
+      });
+
+      await smtpService.sendMail({
+        recipients: approverUsers.filter((approver) => approver.email).map((approver) => approver.email!),
+        subjectLine: "Infisical Secret Change Policy Bypassed",
+
+        substitutions: {
+          projectName: project.name,
+          requesterFullName: `${requestedByUser.firstName} ${requestedByUser.lastName}`,
+          requesterEmail: requestedByUser.email,
+          bypassReason,
+          secretPath: policy.secretPath,
+          environment: env.name,
+          approvalUrl: `${cfg.SITE_URL}/project/${project.id}/approval`
+        },
+        template: SmtpTemplates.AccessSecretRequestBypassed
+      });
+    }
+
     return mergeStatus;
   };
 

backend/src/ee/services/secret-approval-request/secret-approval-request-types.ts

@@ -39,6 +39,7 @@ export type TGenerateSecretApprovalRequestDTO = {
 
 export type TMergeSecretApprovalRequestDTO = {
   approvalId: string;
+  bypassReason?: string;
 } & Omit<TProjectPermission, "projectId">;
 
 export type TStatusChangeDTO = {

backend/src/lib/api-docs/constants.ts

@@ -70,13 +70,13 @@ export const UNIVERSAL_AUTH = {
       "The maximum number of times that an access token can be used; a value of 0 implies infinite number of uses."
   },
   RETRIEVE: {
-    identityId: "The ID of the identity to retrieve."
+    identityId: "The ID of the identity to retrieve the auth method for."
   },
   REVOKE: {
-    identityId: "The ID of the identity to revoke."
+    identityId: "The ID of the identity to revoke the auth method for."
   },
   UPDATE: {
-    identityId: "The ID of the identity to update.",
+    identityId: "The ID of the identity to update the auth method for.",
     clientSecretTrustedIps: "The new list of IPs or CIDR ranges that the Client Secret can be used from.",
     accessTokenTrustedIps: "The new list of IPs or CIDR ranges that access tokens can be used from.",
     accessTokenTTL: "The new lifetime for an access token in seconds.",
@@ -119,26 +119,228 @@ export const AWS_AUTH = {
       "The base64-encoded body of the signed request. Most likely, the base64-encoding of Action=GetCallerIdentity&Version=2011-06-15.",
     iamRequestHeaders: "The base64-encoded headers of the sts:GetCallerIdentity signed request."
   },
+  ATTACH: {
+    identityId: "The ID of the identity to attach the configuration onto.",
+    allowedPrincipalArns:
+      "The comma-separated list of trusted IAM principal ARNs that are allowed to authenticate with Infisical.",
+    allowedAccountIds:
+      "The comma-separated list of trusted AWS account IDs that are allowed to authenticate with Infisical.",
+    accessTokenTTL: "The lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The maximum lifetime for an acccess token in seconds.",
+    stsEndpoint: "The endpoint URL for the AWS STS API.",
+    accessTokenNumUsesLimit: "The maximum number of times that an access token can be used.",
+    accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from."
+  },
+  UPDATE: {
+    identityId: "The ID of the identity to update the auth method for.",
+    allowedPrincipalArns:
+      "The new comma-separated list of trusted IAM principal ARNs that are allowed to authenticate with Infisical.",
+    allowedAccountIds:
+      "The new comma-separated list of trusted AWS account IDs that are allowed to authenticate with Infisical.",
+    accessTokenTTL: "The new lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an acccess token in seconds.",
+    stsEndpoint: "The new endpoint URL for the AWS STS API.",
+    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used.",
+    accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from."
+  },
+  RETRIEVE: {
+    identityId: "The ID of the identity to retrieve the auth method for."
+  },
   REVOKE: {
-    identityId: "The ID of the identity to revoke."
+    identityId: "The ID of the identity to revoke the auth method for."
   }
 } as const;
 
 export const AZURE_AUTH = {
+  LOGIN: {
+    identityId: "The ID of the identity to login."
+  },
+  ATTACH: {
+    identityId: "The ID of the identity to attach the configuration onto.",
+    tenantId: "The tenant ID for the Azure AD organization.",
+    resource: "The resource URL for the application registered in Azure AD.",
+    allowedServicePrincipalIds:
+      "The comma-separated list of Azure AD service principal IDs that are allowed to authenticate with Infisical.",
+    accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from.",
+    accessTokenTTL: "The lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The maximum lifetime for an acccess token in seconds.",
+    accessTokenNumUsesLimit: "The maximum number of times that an access token can be used."
+  },
+  UPDATE: {
+    identityId: "The ID of the identity to update the auth method for.",
+    tenantId: "The new tenant ID for the Azure AD organization.",
+    resource: "The new resource URL for the application registered in Azure AD.",
+    allowedServicePrincipalIds:
+      "The new comma-separated list of Azure AD service principal IDs that are allowed to authenticate with Infisical.",
+    accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from.",
+    accessTokenTTL: "The new lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an acccess token in seconds.",
+    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used."
+  },
+  RETRIEVE: {
+    identityId: "The ID of the identity to retrieve the auth method for."
+  },
   REVOKE: {
-    identityId: "The ID of the identity to revoke."
+    identityId: "The ID of the identity to revoke the auth method for."
   }
 } as const;
 
 export const GCP_AUTH = {
+  LOGIN: {
+    identityId: "The ID of the identity to login."
+  },
+  ATTACH: {
+    identityId: "The ID of the identity to attach the configuration onto.",
+    allowedServiceAccounts:
+      "The comma-separated list of trusted service account emails corresponding to the GCE resource(s) allowed to authenticate with Infisical.",
+    allowedProjects:
+      "The comma-separated list of trusted GCP projects that the GCE instance must belong to authenticate with Infisical.",
+    allowedZones:
+      "The comma-separated list of trusted zones that the GCE instances must belong to authenticate with Infisical.",
+    accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from.",
+    accessTokenTTL: "The lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The maximum lifetime for an acccess token in seconds.",
+    accessTokenNumUsesLimit: "The maximum number of times that an access token can be used."
+  },
+  UPDATE: {
+    identityId: "The ID of the identity to update the auth method for.",
+    allowedServiceAccounts:
+      "The new comma-separated list of trusted service account emails corresponding to the GCE resource(s) allowed to authenticate with Infisical.",
+    allowedProjects:
+      "The new comma-separated list of trusted GCP projects that the GCE instance must belong to authenticate with Infisical.",
+    allowedZones:
+      "The new comma-separated list of trusted zones that the GCE instances must belong to authenticate with Infisical.",
+    accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from.",
+    accessTokenTTL: "The new lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an acccess token in seconds.",
+    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used."
+  },
+  RETRIEVE: {
+    identityId: "The ID of the identity to retrieve the auth method for."
+  },
   REVOKE: {
-    identityId: "The ID of the identity to revoke."
+    identityId: "The ID of the identity to revoke the auth method for."
   }
 } as const;
 
 export const KUBERNETES_AUTH = {
+  LOGIN: {
+    identityId: "The ID of the identity to login."
+  },
+  ATTACH: {
+    identityId: "The ID of the identity to attach the configuration onto.",
+    kubernetesHost: "The host string, host:port pair, or URL to the base of the Kubernetes API server.",
+    caCert: "The PEM-encoded CA cert for the Kubernetes API server.",
+    tokenReviewerJwt:
+      "The long-lived service account JWT token for Infisical to access the TokenReview API to validate other service account JWT tokens submitted by applications/pods.",
+    allowedNamespaces:
+      "The comma-separated list of trusted namespaces that service accounts must belong to authenticate with Infisical.",
+    allowedNames: "The comma-separated list of trusted service account names that can authenticate with Infisical.",
+    allowedAudience:
+      "The optional audience claim that the service account JWT token must have to authenticate with Infisical.",
+    accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from.",
+    accessTokenTTL: "The lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The maximum lifetime for an acccess token in seconds.",
+    accessTokenNumUsesLimit: "The maximum number of times that an access token can be used."
+  },
+  UPDATE: {
+    identityId: "The ID of the identity to update the auth method for.",
+    kubernetesHost: "The new host string, host:port pair, or URL to the base of the Kubernetes API server.",
+    caCert: "The new PEM-encoded CA cert for the Kubernetes API server.",
+    tokenReviewerJwt:
+      "The new long-lived service account JWT token for Infisical to access the TokenReview API to validate other service account JWT tokens submitted by applications/pods.",
+    allowedNamespaces:
+      "The new comma-separated list of trusted namespaces that service accounts must belong to authenticate with Infisical.",
+    allowedNames: "The new comma-separated list of trusted service account names that can authenticate with Infisical.",
+    allowedAudience:
+      "The new optional audience claim that the service account JWT token must have to authenticate with Infisical.",
+    accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from.",
+    accessTokenTTL: "The new lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an acccess token in seconds.",
+    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used."
+  },
+  RETRIEVE: {
+    identityId: "The ID of the identity to retrieve the auth method for."
+  },
   REVOKE: {
-    identityId: "The ID of the identity to revoke."
+    identityId: "The ID of the identity to revoke the auth method for."
+  }
+} as const;
+
+export const TOKEN_AUTH = {
+  ATTACH: {
+    identityId: "The ID of the identity to attach the configuration onto.",
+    accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from.",
+    accessTokenTTL: "The lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The maximum lifetime for an acccess token in seconds.",
+    accessTokenNumUsesLimit: "The maximum number of times that an access token can be used."
+  },
+  UPDATE: {
+    identityId: "The ID of the identity to update the auth method for.",
+    accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from.",
+    accessTokenTTL: "The new lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an acccess token in seconds.",
+    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used."
+  },
+  RETRIEVE: {
+    identityId: "The ID of the identity to retrieve the auth method for."
+  },
+  REVOKE: {
+    identityId: "The ID of the identity to revoke the auth method for."
+  },
+  GET_TOKENS: {
+    identityId: "The ID of the identity to list token metadata for.",
+    offset: "The offset to start from. If you enter 10, it will start from the 10th token.",
+    limit: "The number of tokens to return"
+  },
+  CREATE_TOKEN: {
+    identityId: "The ID of the identity to create the token for.",
+    name: "The name of the token to create"
+  },
+  UPDATE_TOKEN: {
+    tokenId: "The ID of the token to update metadata for",
+    name: "The name of the token to update to"
+  },
+  REVOKE_TOKEN: {
+    tokenId: "The ID of the token to revoke"
+  }
+} as const;
+
+export const OIDC_AUTH = {
+  LOGIN: {
+    identityId: "The ID of the identity to login."
+  },
+  ATTACH: {
+    identityId: "The ID of the identity to attach the configuration onto.",
+    oidcDiscoveryUrl: "The URL used to retrieve the OpenID Connect configuration from the identity provider.",
+    caCert: "The PEM-encoded CA cert for establishing secure communication with the Identity Provider endpoints.",
+    boundIssuer: "The unique identifier of the identity provider issuing the JWT.",
+    boundAudiences: "The list of intended recipients.",
+    boundClaims: "The attributes that should be present in the JWT for it to be valid.",
+    boundSubject: "The expected principal that is the subject of the JWT.",
+    accessTokenTrustedIps: "The IPs or CIDR ranges that access tokens can be used from.",
+    accessTokenTTL: "The lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The maximum lifetime for an acccess token in seconds.",
+    accessTokenNumUsesLimit: "The maximum number of times that an access token can be used."
+  },
+  UPDATE: {
+    identityId: "The ID of the identity to update the auth method for.",
+    oidcDiscoveryUrl: "The new URL used to retrieve the OpenID Connect configuration from the identity provider.",
+    caCert: "The new PEM-encoded CA cert for establishing secure communication with the Identity Provider endpoints.",
+    boundIssuer: "The new unique identifier of the identity provider issuing the JWT.",
+    boundAudiences: "The new list of intended recipients.",
+    boundClaims: "The new attributes that should be present in the JWT for it to be valid.",
+    boundSubject: "The new expected principal that is the subject of the JWT.",
+    accessTokenTrustedIps: "The new IPs or CIDR ranges that access tokens can be used from.",
+    accessTokenTTL: "The new lifetime for an acccess token in seconds.",
+    accessTokenMaxTTL: "The new maximum lifetime for an acccess token in seconds.",
+    accessTokenNumUsesLimit: "The new maximum number of times that an access token can be used."
+  },
+  RETRIEVE: {
+    identityId: "The ID of the identity to retrieve the auth method for."
+  },
+  REVOKE: {
+    identityId: "The ID of the identity to revoke the auth method for."
   }
 } as const;
 
@@ -146,10 +348,15 @@ export const ORGANIZATIONS = {
   LIST_USER_MEMBERSHIPS: {
     organizationId: "The ID of the organization to get memberships from."
   },
+  GET_USER_MEMBERSHIP: {
+    organizationId: "The ID of the organization to get the membership for.",
+    membershipId: "The ID of the membership to get."
+  },
   UPDATE_USER_MEMBERSHIP: {
     organizationId: "The ID of the organization to update the membership for.",
     membershipId: "The ID of the membership to update.",
-    role: "The new role of the membership."
+    role: "The new role of the membership.",
+    isActive: "The active status of the membership"
   },
   DELETE_USER_MEMBERSHIP: {
     organizationId: "The ID of the organization to delete the membership from.",
@@ -303,6 +510,10 @@ export const ENVIRONMENTS = {
   DELETE: {
     workspaceId: "The ID of the project to delete the environment from.",
     id: "The ID of the environment to delete."
+  },
+  GET: {
+    workspaceId: "The ID of the project the environment belongs to.",
+    id: "The ID of the environment to fetch."
   }
 } as const;
 
@@ -313,6 +524,9 @@ export const FOLDERS = {
     path: "The path to list folders from.",
     directory: "The directory to list folders from. (Deprecated in favor of path)"
   },
+  GET_BY_ID: {
+    folderId: "The id of the folder to get details."
+  },
   CREATE: {
     workspaceId: "The ID of the project to create the folder in.",
     environment: "The slug of the environment to create the folder in.",

backend/src/lib/types/index.ts

@@ -42,3 +42,13 @@ export type RequiredKeys<T> = {
 }[keyof T];
 
 export type PickRequired<T> = Pick<T, RequiredKeys<T>>;
+
+export enum EnforcementLevel {
+  Hard = "hard",
+  Soft = "soft"
+}
+
+export enum SecretSharingAccessType {
+  Anyone = "anyone",
+  Organization = "organization"
+}

backend/src/server/routes/index.ts

@@ -22,6 +22,8 @@ import { buildDynamicSecretProviders } from "@app/ee/services/dynamic-secret/pro
 import { dynamicSecretLeaseDALFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-dal";
 import { dynamicSecretLeaseQueueServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-queue";
 import { dynamicSecretLeaseServiceFactory } from "@app/ee/services/dynamic-secret-lease/dynamic-secret-lease-service";
+import { externalKmsDALFactory } from "@app/ee/services/external-kms/external-kms-dal";
+import { externalKmsServiceFactory } from "@app/ee/services/external-kms/external-kms-service";
 import { groupDALFactory } from "@app/ee/services/group/group-dal";
 import { groupServiceFactory } from "@app/ee/services/group/group-service";
 import { userGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
@@ -102,6 +104,8 @@ import { identityGcpAuthDALFactory } from "@app/services/identity-gcp-auth/ident
 import { identityGcpAuthServiceFactory } from "@app/services/identity-gcp-auth/identity-gcp-auth-service";
 import { identityKubernetesAuthDALFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-dal";
 import { identityKubernetesAuthServiceFactory } from "@app/services/identity-kubernetes-auth/identity-kubernetes-auth-service";
+import { identityOidcAuthDALFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-dal";
+import { identityOidcAuthServiceFactory } from "@app/services/identity-oidc-auth/identity-oidc-auth-service";
 import { identityProjectDALFactory } from "@app/services/identity-project/identity-project-dal";
 import { identityProjectMembershipRoleDALFactory } from "@app/services/identity-project/identity-project-membership-role-dal";
 import { identityProjectServiceFactory } from "@app/services/identity-project/identity-project-service";
@@ -114,7 +118,8 @@ import { integrationDALFactory } from "@app/services/integration/integration-dal
 import { integrationServiceFactory } from "@app/services/integration/integration-service";
 import { integrationAuthDALFactory } from "@app/services/integration-auth/integration-auth-dal";
 import { integrationAuthServiceFactory } from "@app/services/integration-auth/integration-auth-service";
-import { kmsDALFactory } from "@app/services/kms/kms-dal";
+import { internalKmsDALFactory } from "@app/services/kms/internal-kms-dal";
+import { kmskeyDALFactory } from "@app/services/kms/kms-key-dal";
 import { kmsRootConfigDALFactory } from "@app/services/kms/kms-root-config-dal";
 import { kmsServiceFactory } from "@app/services/kms/kms-service";
 import { incidentContactDALFactory } from "@app/services/org/incident-contacts-dal";
@@ -242,6 +247,7 @@ export const registerRoutes = async (
   const identityUaClientSecretDAL = identityUaClientSecretDALFactory(db);
   const identityAwsAuthDAL = identityAwsAuthDALFactory(db);
   const identityGcpAuthDAL = identityGcpAuthDALFactory(db);
+  const identityOidcAuthDAL = identityOidcAuthDALFactory(db);
   const identityAzureAuthDAL = identityAzureAuthDALFactory(db);
 
   const auditLogDAL = auditLogDALFactory(db);
@@ -285,7 +291,9 @@ export const registerRoutes = async (
   const dynamicSecretDAL = dynamicSecretDALFactory(db);
   const dynamicSecretLeaseDAL = dynamicSecretLeaseDALFactory(db);
 
-  const kmsDAL = kmsDALFactory(db);
+  const kmsDAL = kmskeyDALFactory(db);
+  const internalKmsDAL = internalKmsDALFactory(db);
+  const externalKmsDAL = externalKmsDALFactory(db);
   const kmsRootConfigDAL = kmsRootConfigDALFactory(db);
 
   const permissionService = permissionServiceFactory({
@@ -299,7 +307,16 @@ export const registerRoutes = async (
   const kmsService = kmsServiceFactory({
     kmsRootConfigDAL,
     keyStore,
-    kmsDAL
+    kmsDAL,
+    internalKmsDAL,
+    orgDAL,
+    projectDAL
+  });
+  const externalKmsService = externalKmsServiceFactory({
+    kmsDAL,
+    kmsService,
+    permissionService,
+    externalKmsDAL
   });
 
   const trustedIpService = trustedIpServiceFactory({
@@ -328,7 +345,7 @@ export const registerRoutes = async (
     permissionService,
     secretApprovalPolicyDAL
   });
-  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL });
+  const tokenService = tokenServiceFactory({ tokenDAL: authTokenDAL, userDAL, orgMembershipDAL });
 
   const samlService = samlConfigServiceFactory({
     permissionService,
@@ -440,6 +457,7 @@ export const registerRoutes = async (
     tokenService,
     projectDAL,
     projectMembershipDAL,
+    orgMembershipDAL,
     projectKeyDAL,
     smtpService,
     userDAL,
@@ -466,7 +484,8 @@ export const registerRoutes = async (
     authService: loginService,
     serverCfgDAL: superAdminDAL,
     orgService,
-    keyStore
+    keyStore,
+    licenseService
   });
   const rateLimitService = rateLimitServiceFactory({
     rateLimitDAL,
@@ -641,7 +660,8 @@ export const registerRoutes = async (
   const webhookService = webhookServiceFactory({
     permissionService,
     webhookDAL,
-    projectEnvDAL
+    projectEnvDAL,
+    projectDAL
   });
 
   const secretTagService = secretTagServiceFactory({ secretTagDAL, permissionService });
@@ -709,12 +729,16 @@ export const registerRoutes = async (
     secretQueueService,
     secretImportDAL,
     projectEnvDAL,
-    projectBotService
+    projectBotService,
+    secretApprovalPolicyService,
+    secretApprovalRequestDAL,
+    secretApprovalRequestSecretDAL
   });
 
   const secretSharingService = secretSharingServiceFactory({
     permissionService,
-    secretSharingDAL
+    secretSharingDAL,
+    orgDAL
   });
 
   const secretApprovalRequestService = secretApprovalRequestServiceFactory({
@@ -731,7 +755,10 @@ export const registerRoutes = async (
     secretApprovalRequestDAL,
     snapshotService,
     secretVersionTagDAL,
-    secretQueueService
+    secretQueueService,
+    smtpService,
+    userDAL,
+    projectEnvDAL
   });
 
   const accessApprovalPolicyService = accessApprovalPolicyServiceFactory({
@@ -885,6 +912,16 @@ export const registerRoutes = async (
     licenseService
   });
 
+  const identityOidcAuthService = identityOidcAuthServiceFactory({
+    identityOidcAuthDAL,
+    identityOrgMembershipDAL,
+    identityAccessTokenDAL,
+    identityDAL,
+    permissionService,
+    licenseService,
+    orgBotDAL
+  });
+
   const dynamicSecretProviders = buildDynamicSecretProviders();
   const dynamicSecretQueueService = dynamicSecretLeaseQueueServiceFactory({
     queueService,
@@ -988,6 +1025,7 @@ export const registerRoutes = async (
     identityGcpAuth: identityGcpAuthService,
     identityAwsAuth: identityAwsAuthService,
     identityAzureAuth: identityAzureAuthService,
+    identityOidcAuth: identityOidcAuthService,
     accessApprovalPolicy: accessApprovalPolicyService,
     accessApprovalRequest: accessApprovalRequestService,
     secretApprovalPolicy: secretApprovalPolicyService,
@@ -1012,7 +1050,8 @@ export const registerRoutes = async (
     projectUserAdditionalPrivilege: projectUserAdditionalPrivilegeService,
     identityProjectAdditionalPrivilege: identityProjectAdditionalPrivilegeService,
     secretSharing: secretSharingService,
-    userEngagement: userEngagementService
+    userEngagement: userEngagementService,
+    externalKms: externalKmsService
   });
 
   const cronJobs: CronJob[] = [];

backend/src/server/routes/v1/identity-aws-iam-auth-router.ts

@@ -77,35 +77,45 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        identityId: z.string().trim()
+        identityId: z.string().trim().describe(AWS_AUTH.ATTACH.identityId)
       }),
       body: z.object({
-        stsEndpoint: z.string().trim().min(1).default("https://sts.amazonaws.com/"),
+        stsEndpoint: z
-        allowedPrincipalArns: validatePrincipalArns,
+          .string()
-        allowedAccountIds: validateAccountIds,
+          .trim()
+          .min(1)
+          .default("https://sts.amazonaws.com/")
+          .describe(AWS_AUTH.ATTACH.stsEndpoint),
+        allowedPrincipalArns: validatePrincipalArns.describe(AWS_AUTH.ATTACH.allowedPrincipalArns),
+        allowedAccountIds: validateAccountIds.describe(AWS_AUTH.ATTACH.allowedAccountIds),
         accessTokenTrustedIps: z
           .object({
             ipAddress: z.string().trim()
           })
           .array()
           .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+          .describe(AWS_AUTH.ATTACH.accessTokenTrustedIps),
         accessTokenTTL: z
           .number()
           .int()
           .min(1)
+          .max(315360000)
           .refine((value) => value !== 0, {
             message: "accessTokenTTL must have a non zero number"
           })
-          .default(2592000),
+          .default(2592000)
+          .describe(AWS_AUTH.ATTACH.accessTokenTTL),
         accessTokenMaxTTL: z
           .number()
           .int()
+          .max(315360000)
           .refine((value) => value !== 0, {
             message: "accessTokenMaxTTL must have a non zero number"
           })
-          .default(2592000),
+          .default(2592000)
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
+          .describe(AWS_AUTH.ATTACH.accessTokenMaxTTL),
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(AWS_AUTH.ATTACH.accessTokenNumUsesLimit)
       }),
       response: {
         200: z.object({
@@ -160,28 +170,31 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(AWS_AUTH.UPDATE.identityId)
       }),
       body: z.object({
-        stsEndpoint: z.string().trim().min(1).optional(),
+        stsEndpoint: z.string().trim().min(1).optional().describe(AWS_AUTH.UPDATE.stsEndpoint),
-        allowedPrincipalArns: validatePrincipalArns,
+        allowedPrincipalArns: validatePrincipalArns.describe(AWS_AUTH.UPDATE.allowedPrincipalArns),
-        allowedAccountIds: validateAccountIds,
+        allowedAccountIds: validateAccountIds.describe(AWS_AUTH.UPDATE.allowedAccountIds),
         accessTokenTrustedIps: z
           .object({
             ipAddress: z.string().trim()
           })
           .array()
           .min(1)
-          .optional(),
+          .optional()
-        accessTokenTTL: z.number().int().min(0).optional(),
+          .describe(AWS_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
+        accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(AWS_AUTH.UPDATE.accessTokenTTL),
+        accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(AWS_AUTH.UPDATE.accessTokenNumUsesLimit),
         accessTokenMaxTTL: z
           .number()
           .int()
+          .max(315360000)
           .refine((value) => value !== 0, {
             message: "accessTokenMaxTTL must have a non zero number"
           })
           .optional()
+          .describe(AWS_AUTH.UPDATE.accessTokenMaxTTL)
       }),
       response: {
         200: z.object({
@@ -236,7 +249,7 @@ export const registerIdentityAwsAuthRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(AWS_AUTH.RETRIEVE.identityId)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/identity-azure-auth-router.ts

@@ -19,7 +19,7 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
     schema: {
       description: "Login with Azure Auth",
       body: z.object({
-        identityId: z.string(),
+        identityId: z.string().describe(AZURE_AUTH.LOGIN.identityId),
         jwt: z.string()
       }),
       response: {
@@ -72,35 +72,40 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        identityId: z.string().trim()
+        identityId: z.string().trim().describe(AZURE_AUTH.LOGIN.identityId)
       }),
       body: z.object({
-        tenantId: z.string().trim(),
+        tenantId: z.string().trim().describe(AZURE_AUTH.ATTACH.tenantId),
-        resource: z.string().trim(),
+        resource: z.string().trim().describe(AZURE_AUTH.ATTACH.resource),
-        allowedServicePrincipalIds: validateAzureAuthField,
+        allowedServicePrincipalIds: validateAzureAuthField.describe(AZURE_AUTH.ATTACH.allowedServicePrincipalIds),
         accessTokenTrustedIps: z
           .object({
             ipAddress: z.string().trim()
           })
           .array()
           .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+          .describe(AZURE_AUTH.ATTACH.accessTokenTrustedIps),
         accessTokenTTL: z
           .number()
           .int()
           .min(1)
+          .max(315360000)
           .refine((value) => value !== 0, {
             message: "accessTokenTTL must have a non zero number"
           })
-          .default(2592000),
+          .default(2592000)
+          .describe(AZURE_AUTH.ATTACH.accessTokenTTL),
         accessTokenMaxTTL: z
           .number()
           .int()
+          .max(315360000)
           .refine((value) => value !== 0, {
             message: "accessTokenMaxTTL must have a non zero number"
           })
-          .default(2592000),
+          .default(2592000)
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
+          .describe(AZURE_AUTH.ATTACH.accessTokenMaxTTL),
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(AZURE_AUTH.ATTACH.accessTokenNumUsesLimit)
       }),
       response: {
         200: z.object({
@@ -154,28 +159,33 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        identityId: z.string().trim()
+        identityId: z.string().trim().describe(AZURE_AUTH.UPDATE.identityId)
       }),
       body: z.object({
-        tenantId: z.string().trim().optional(),
+        tenantId: z.string().trim().optional().describe(AZURE_AUTH.UPDATE.tenantId),
-        resource: z.string().trim().optional(),
+        resource: z.string().trim().optional().describe(AZURE_AUTH.UPDATE.resource),
-        allowedServicePrincipalIds: validateAzureAuthField.optional(),
+        allowedServicePrincipalIds: validateAzureAuthField
+          .optional()
+          .describe(AZURE_AUTH.UPDATE.allowedServicePrincipalIds),
         accessTokenTrustedIps: z
           .object({
             ipAddress: z.string().trim()
           })
           .array()
           .min(1)
-          .optional(),
+          .optional()
-        accessTokenTTL: z.number().int().min(0).optional(),
+          .describe(AZURE_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
+        accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(AZURE_AUTH.UPDATE.accessTokenTTL),
+        accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(AZURE_AUTH.UPDATE.accessTokenNumUsesLimit),
         accessTokenMaxTTL: z
           .number()
           .int()
+          .max(315360000)
           .refine((value) => value !== 0, {
             message: "accessTokenMaxTTL must have a non zero number"
           })
           .optional()
+          .describe(AZURE_AUTH.UPDATE.accessTokenMaxTTL)
       }),
       response: {
         200: z.object({
@@ -229,7 +239,7 @@ export const registerIdentityAzureAuthRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(AZURE_AUTH.RETRIEVE.identityId)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/identity-gcp-auth-router.ts

@@ -19,7 +19,7 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
     schema: {
       description: "Login with GCP Auth",
       body: z.object({
-        identityId: z.string(),
+        identityId: z.string().describe(GCP_AUTH.LOGIN.identityId),
         jwt: z.string()
       }),
       response: {
@@ -72,36 +72,41 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        identityId: z.string().trim()
+        identityId: z.string().trim().describe(GCP_AUTH.ATTACH.identityId)
       }),
       body: z.object({
         type: z.enum(["iam", "gce"]),
-        allowedServiceAccounts: validateGcpAuthField,
+        allowedServiceAccounts: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedServiceAccounts),
-        allowedProjects: validateGcpAuthField,
+        allowedProjects: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedProjects),
-        allowedZones: validateGcpAuthField,
+        allowedZones: validateGcpAuthField.describe(GCP_AUTH.ATTACH.allowedZones),
         accessTokenTrustedIps: z
           .object({
             ipAddress: z.string().trim()
           })
           .array()
           .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+          .describe(GCP_AUTH.ATTACH.accessTokenTrustedIps),
         accessTokenTTL: z
           .number()
           .int()
           .min(1)
+          .max(315360000)
           .refine((value) => value !== 0, {
             message: "accessTokenTTL must have a non zero number"
           })
-          .default(2592000),
+          .default(2592000)
+          .describe(GCP_AUTH.ATTACH.accessTokenTTL),
         accessTokenMaxTTL: z
           .number()
           .int()
+          .max(315360000)
           .refine((value) => value !== 0, {
             message: "accessTokenMaxTTL must have a non zero number"
           })
-          .default(2592000),
+          .default(2592000)
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
+          .describe(GCP_AUTH.ATTACH.accessTokenMaxTTL),
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(GCP_AUTH.ATTACH.accessTokenNumUsesLimit)
       }),
       response: {
         200: z.object({
@@ -157,29 +162,32 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        identityId: z.string().trim()
+        identityId: z.string().trim().describe(GCP_AUTH.UPDATE.identityId)
       }),
       body: z.object({
         type: z.enum(["iam", "gce"]).optional(),
-        allowedServiceAccounts: validateGcpAuthField.optional(),
+        allowedServiceAccounts: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedServiceAccounts),
-        allowedProjects: validateGcpAuthField.optional(),
+        allowedProjects: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedProjects),
-        allowedZones: validateGcpAuthField.optional(),
+        allowedZones: validateGcpAuthField.optional().describe(GCP_AUTH.UPDATE.allowedZones),
         accessTokenTrustedIps: z
           .object({
             ipAddress: z.string().trim()
           })
           .array()
           .min(1)
-          .optional(),
+          .optional()
-        accessTokenTTL: z.number().int().min(0).optional(),
+          .describe(GCP_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
+        accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(GCP_AUTH.UPDATE.accessTokenTTL),
+        accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(GCP_AUTH.UPDATE.accessTokenNumUsesLimit),
         accessTokenMaxTTL: z
           .number()
           .int()
+          .max(315360000)
           .refine((value) => value !== 0, {
             message: "accessTokenMaxTTL must have a non zero number"
           })
           .optional()
+          .describe(GCP_AUTH.UPDATE.accessTokenMaxTTL)
       }),
       response: {
         200: z.object({
@@ -235,7 +243,7 @@ export const registerIdentityGcpAuthRouter = async (server: FastifyZodProvider)
         }
       ],
       params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(GCP_AUTH.RETRIEVE.identityId)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/identity-kubernetes-auth-router.ts

@@ -30,7 +30,7 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
     schema: {
       description: "Login with Kubernetes Auth",
       body: z.object({
-        identityId: z.string().trim(),
+        identityId: z.string().trim().describe(KUBERNETES_AUTH.LOGIN.identityId),
         jwt: z.string().trim()
       }),
       response: {
@@ -85,38 +85,48 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
         }
       ],
       params: z.object({
-        identityId: z.string().trim()
+        identityId: z.string().trim().describe(KUBERNETES_AUTH.ATTACH.identityId)
       }),
       body: z.object({
-        kubernetesHost: z.string().trim().min(1),
+        kubernetesHost: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.kubernetesHost),
-        caCert: z.string().trim().default(""),
+        caCert: z.string().trim().default("").describe(KUBERNETES_AUTH.ATTACH.caCert),
-        tokenReviewerJwt: z.string().trim().min(1),
+        tokenReviewerJwt: z.string().trim().min(1).describe(KUBERNETES_AUTH.ATTACH.tokenReviewerJwt),
-        allowedNamespaces: z.string(), // TODO: validation
+        allowedNamespaces: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNamespaces), // TODO: validation
-        allowedNames: z.string(),
+        allowedNames: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedNames),
-        allowedAudience: z.string(),
+        allowedAudience: z.string().describe(KUBERNETES_AUTH.ATTACH.allowedAudience),
         accessTokenTrustedIps: z
           .object({
             ipAddress: z.string().trim()
           })
           .array()
           .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+          .describe(KUBERNETES_AUTH.ATTACH.accessTokenTrustedIps),
         accessTokenTTL: z
           .number()
           .int()
           .min(1)
+          .max(315360000)
           .refine((value) => value !== 0, {
             message: "accessTokenTTL must have a non zero number"
           })
-          .default(2592000),
+          .default(2592000)
+          .describe(KUBERNETES_AUTH.ATTACH.accessTokenTTL),
         accessTokenMaxTTL: z
           .number()
           .int()
+          .max(315360000)
           .refine((value) => value !== 0, {
             message: "accessTokenMaxTTL must have a non zero number"
           })
-          .default(2592000),
+          .default(2592000)
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
+          .describe(KUBERNETES_AUTH.ATTACH.accessTokenMaxTTL),
+        accessTokenNumUsesLimit: z
+          .number()
+          .int()
+          .min(0)
+          .default(0)
+          .describe(KUBERNETES_AUTH.ATTACH.accessTokenNumUsesLimit)
       }),
       response: {
         200: z.object({
@@ -171,31 +181,45 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
         }
       ],
       params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(KUBERNETES_AUTH.UPDATE.identityId)
       }),
       body: z.object({
-        kubernetesHost: z.string().trim().min(1).optional(),
+        kubernetesHost: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.kubernetesHost),
-        caCert: z.string().trim().optional(),
+        caCert: z.string().trim().optional().describe(KUBERNETES_AUTH.UPDATE.caCert),
-        tokenReviewerJwt: z.string().trim().min(1).optional(),
+        tokenReviewerJwt: z.string().trim().min(1).optional().describe(KUBERNETES_AUTH.UPDATE.tokenReviewerJwt),
-        allowedNamespaces: z.string().optional(), // TODO: validation
+        allowedNamespaces: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNamespaces), // TODO: validation
-        allowedNames: z.string().optional(),
+        allowedNames: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedNames),
-        allowedAudience: z.string().optional(),
+        allowedAudience: z.string().optional().describe(KUBERNETES_AUTH.UPDATE.allowedAudience),
         accessTokenTrustedIps: z
           .object({
             ipAddress: z.string().trim()
           })
           .array()
           .min(1)
-          .optional(),
+          .optional()
-        accessTokenTTL: z.number().int().min(0).optional(),
+          .describe(KUBERNETES_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
+        accessTokenTTL: z
+          .number()
+          .int()
+          .min(0)
+          .max(315360000)
+          .optional()
+          .describe(KUBERNETES_AUTH.UPDATE.accessTokenTTL),
+        accessTokenNumUsesLimit: z
+          .number()
+          .int()
+          .min(0)
+          .optional()
+          .describe(KUBERNETES_AUTH.UPDATE.accessTokenNumUsesLimit),
         accessTokenMaxTTL: z
           .number()
           .int()
+          .max(315360000)
           .refine((value) => value !== 0, {
             message: "accessTokenMaxTTL must have a non zero number"
           })
           .optional()
+          .describe(KUBERNETES_AUTH.UPDATE.accessTokenMaxTTL)
       }),
       response: {
         200: z.object({
@@ -250,7 +274,7 @@ export const registerIdentityKubernetesRouter = async (server: FastifyZodProvide
         }
       ],
       params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(KUBERNETES_AUTH.RETRIEVE.identityId)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/identity-oidc-auth-router.ts

@@ -0,0 +1,361 @@
+import { z } from "zod";
+
+import { IdentityOidcAuthsSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { OIDC_AUTH } from "@app/lib/api-docs";
+import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
+import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
+import { AuthMode } from "@app/services/auth/auth-type";
+import { TIdentityTrustedIp } from "@app/services/identity/identity-types";
+import {
+  validateOidcAuthAudiencesField,
+  validateOidcBoundClaimsField
+} from "@app/services/identity-oidc-auth/identity-oidc-auth-validators";
+
+const IdentityOidcAuthResponseSchema = IdentityOidcAuthsSchema.omit({
+  encryptedCaCert: true,
+  caCertIV: true,
+  caCertTag: true
+}).extend({
+  caCert: z.string()
+});
+
+export const registerIdentityOidcAuthRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "POST",
+    url: "/oidc-auth/login",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Login with OIDC Auth",
+      body: z.object({
+        identityId: z.string().trim().describe(OIDC_AUTH.LOGIN.identityId),
+        jwt: z.string().trim()
+      }),
+      response: {
+        200: z.object({
+          accessToken: z.string(),
+          expiresIn: z.coerce.number(),
+          accessTokenMaxTTL: z.coerce.number(),
+          tokenType: z.literal("Bearer")
+        })
+      }
+    },
+    handler: async (req) => {
+      const { identityOidcAuth, accessToken, identityAccessToken, identityMembershipOrg } =
+        await server.services.identityOidcAuth.login({
+          identityId: req.body.identityId,
+          jwt: req.body.jwt
+        });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityMembershipOrg?.orgId,
+        event: {
+          type: EventType.LOGIN_IDENTITY_OIDC_AUTH,
+          metadata: {
+            identityId: identityOidcAuth.identityId,
+            identityAccessTokenId: identityAccessToken.id,
+            identityOidcAuthId: identityOidcAuth.id
+          }
+        }
+      });
+      return {
+        accessToken,
+        tokenType: "Bearer" as const,
+        expiresIn: identityOidcAuth.accessTokenTTL,
+        accessTokenMaxTTL: identityOidcAuth.accessTokenMaxTTL
+      };
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/oidc-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Attach OIDC Auth configuration onto identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim().describe(OIDC_AUTH.ATTACH.identityId)
+      }),
+      body: z.object({
+        oidcDiscoveryUrl: z.string().url().min(1).describe(OIDC_AUTH.ATTACH.oidcDiscoveryUrl),
+        caCert: z.string().trim().default("").describe(OIDC_AUTH.ATTACH.caCert),
+        boundIssuer: z.string().min(1).describe(OIDC_AUTH.ATTACH.boundIssuer),
+        boundAudiences: validateOidcAuthAudiencesField.describe(OIDC_AUTH.ATTACH.boundAudiences),
+        boundClaims: validateOidcBoundClaimsField.describe(OIDC_AUTH.ATTACH.boundClaims),
+        boundSubject: z.string().optional().default("").describe(OIDC_AUTH.ATTACH.boundSubject),
+        accessTokenTrustedIps: z
+          .object({
+            ipAddress: z.string().trim()
+          })
+          .array()
+          .min(1)
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+          .describe(OIDC_AUTH.ATTACH.accessTokenTrustedIps),
+        accessTokenTTL: z
+          .number()
+          .int()
+          .min(1)
+          .max(315360000)
+          .refine((value) => value !== 0, {
+            message: "accessTokenTTL must have a non zero number"
+          })
+          .default(2592000)
+          .describe(OIDC_AUTH.ATTACH.accessTokenTTL),
+        accessTokenMaxTTL: z
+          .number()
+          .int()
+          .max(315360000)
+          .refine((value) => value !== 0, {
+            message: "accessTokenMaxTTL must have a non zero number"
+          })
+          .default(2592000)
+          .describe(OIDC_AUTH.ATTACH.accessTokenMaxTTL),
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(OIDC_AUTH.ATTACH.accessTokenNumUsesLimit)
+      }),
+      response: {
+        200: z.object({
+          identityOidcAuth: IdentityOidcAuthResponseSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityOidcAuth = await server.services.identityOidcAuth.attachOidcAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityOidcAuth.orgId,
+        event: {
+          type: EventType.ADD_IDENTITY_OIDC_AUTH,
+          metadata: {
+            identityId: identityOidcAuth.identityId,
+            oidcDiscoveryUrl: identityOidcAuth.oidcDiscoveryUrl,
+            caCert: identityOidcAuth.caCert,
+            boundIssuer: identityOidcAuth.boundIssuer,
+            boundAudiences: identityOidcAuth.boundAudiences,
+            boundClaims: identityOidcAuth.boundClaims as Record<string, string>,
+            boundSubject: identityOidcAuth.boundSubject as string,
+            accessTokenTTL: identityOidcAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityOidcAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityOidcAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityOidcAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return {
+        identityOidcAuth
+      };
+    }
+  });
+
+  server.route({
+    method: "PATCH",
+    url: "/oidc-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Update OIDC Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().trim().describe(OIDC_AUTH.UPDATE.identityId)
+      }),
+      body: z
+        .object({
+          oidcDiscoveryUrl: z.string().url().min(1).describe(OIDC_AUTH.UPDATE.oidcDiscoveryUrl),
+          caCert: z.string().trim().default("").describe(OIDC_AUTH.UPDATE.caCert),
+          boundIssuer: z.string().min(1).describe(OIDC_AUTH.UPDATE.boundIssuer),
+          boundAudiences: validateOidcAuthAudiencesField.describe(OIDC_AUTH.UPDATE.boundAudiences),
+          boundClaims: validateOidcBoundClaimsField.describe(OIDC_AUTH.UPDATE.boundClaims),
+          boundSubject: z.string().optional().default("").describe(OIDC_AUTH.UPDATE.boundSubject),
+          accessTokenTrustedIps: z
+            .object({
+              ipAddress: z.string().trim()
+            })
+            .array()
+            .min(1)
+            .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+            .describe(OIDC_AUTH.UPDATE.accessTokenTrustedIps),
+          accessTokenTTL: z
+            .number()
+            .int()
+            .min(1)
+            .max(315360000)
+            .refine((value) => value !== 0, {
+              message: "accessTokenTTL must have a non zero number"
+            })
+            .default(2592000)
+            .describe(OIDC_AUTH.UPDATE.accessTokenTTL),
+          accessTokenMaxTTL: z
+            .number()
+            .int()
+            .max(315360000)
+            .refine((value) => value !== 0, {
+              message: "accessTokenMaxTTL must have a non zero number"
+            })
+            .default(2592000)
+            .describe(OIDC_AUTH.UPDATE.accessTokenMaxTTL),
+
+          accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(OIDC_AUTH.UPDATE.accessTokenNumUsesLimit)
+        })
+        .partial(),
+      response: {
+        200: z.object({
+          identityOidcAuth: IdentityOidcAuthResponseSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityOidcAuth = await server.services.identityOidcAuth.updateOidcAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        ...req.body,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityOidcAuth.orgId,
+        event: {
+          type: EventType.UPDATE_IDENTITY_OIDC_AUTH,
+          metadata: {
+            identityId: identityOidcAuth.identityId,
+            oidcDiscoveryUrl: identityOidcAuth.oidcDiscoveryUrl,
+            caCert: identityOidcAuth.caCert,
+            boundIssuer: identityOidcAuth.boundIssuer,
+            boundAudiences: identityOidcAuth.boundAudiences,
+            boundClaims: identityOidcAuth.boundClaims as Record<string, string>,
+            boundSubject: identityOidcAuth.boundSubject as string,
+            accessTokenTTL: identityOidcAuth.accessTokenTTL,
+            accessTokenMaxTTL: identityOidcAuth.accessTokenMaxTTL,
+            accessTokenTrustedIps: identityOidcAuth.accessTokenTrustedIps as TIdentityTrustedIp[],
+            accessTokenNumUsesLimit: identityOidcAuth.accessTokenNumUsesLimit
+          }
+        }
+      });
+
+      return { identityOidcAuth };
+    }
+  });
+
+  server.route({
+    method: "GET",
+    url: "/oidc-auth/identities/:identityId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Retrieve OIDC Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(OIDC_AUTH.RETRIEVE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityOidcAuth: IdentityOidcAuthResponseSchema
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityOidcAuth = await server.services.identityOidcAuth.getOidcAuth({
+        identityId: req.params.identityId,
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityOidcAuth.orgId,
+        event: {
+          type: EventType.GET_IDENTITY_OIDC_AUTH,
+          metadata: {
+            identityId: identityOidcAuth.identityId
+          }
+        }
+      });
+
+      return { identityOidcAuth };
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/oidc-auth/identities/:identityId",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    schema: {
+      description: "Delete OIDC Auth configuration on identity",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        identityId: z.string().describe(OIDC_AUTH.REVOKE.identityId)
+      }),
+      response: {
+        200: z.object({
+          identityOidcAuth: IdentityOidcAuthResponseSchema.omit({
+            caCert: true
+          })
+        })
+      }
+    },
+    handler: async (req) => {
+      const identityOidcAuth = await server.services.identityOidcAuth.revokeOidcAuth({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        identityId: req.params.identityId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: identityOidcAuth.orgId,
+        event: {
+          type: EventType.REVOKE_IDENTITY_OIDC_AUTH,
+          metadata: {
+            identityId: identityOidcAuth.identityId
+          }
+        }
+      });
+
+      return { identityOidcAuth };
+    }
+  });
+};

backend/src/server/routes/v1/identity-token-auth-router.ts

@@ -2,6 +2,7 @@ import { z } from "zod";
 
 import { IdentityAccessTokensSchema, IdentityTokenAuthsSchema } from "@app/db/schemas";
 import { EventType } from "@app/ee/services/audit-log/audit-log-types";
+import { TOKEN_AUTH } from "@app/lib/api-docs";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
@@ -23,7 +24,7 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        identityId: z.string().trim()
+        identityId: z.string().trim().describe(TOKEN_AUTH.ATTACH.identityId)
       }),
       body: z.object({
         accessTokenTrustedIps: z
@@ -32,23 +33,28 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
           })
           .array()
           .min(1)
-          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }]),
+          .default([{ ipAddress: "0.0.0.0/0" }, { ipAddress: "::/0" }])
+          .describe(TOKEN_AUTH.ATTACH.accessTokenTrustedIps),
         accessTokenTTL: z
           .number()
           .int()
           .min(1)
+          .max(315360000)
           .refine((value) => value !== 0, {
             message: "accessTokenTTL must have a non zero number"
           })
-          .default(2592000),
+          .default(2592000)
+          .describe(TOKEN_AUTH.ATTACH.accessTokenTTL),
         accessTokenMaxTTL: z
           .number()
           .int()
+          .max(315360000)
           .refine((value) => value !== 0, {
             message: "accessTokenMaxTTL must have a non zero number"
           })
-          .default(2592000),
+          .default(2592000)
-        accessTokenNumUsesLimit: z.number().int().min(0).default(0)
+          .describe(TOKEN_AUTH.ATTACH.accessTokenMaxTTL),
+        accessTokenNumUsesLimit: z.number().int().min(0).default(0).describe(TOKEN_AUTH.ATTACH.accessTokenNumUsesLimit)
       }),
       response: {
         200: z.object({
@@ -102,7 +108,7 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        identityId: z.string().trim()
+        identityId: z.string().trim().describe(TOKEN_AUTH.UPDATE.identityId)
       }),
       body: z.object({
         accessTokenTrustedIps: z
@@ -111,16 +117,19 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
           })
           .array()
           .min(1)
-          .optional(),
+          .optional()
-        accessTokenTTL: z.number().int().min(0).optional(),
+          .describe(TOKEN_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenNumUsesLimit: z.number().int().min(0).optional(),
+        accessTokenTTL: z.number().int().min(0).max(315360000).optional().describe(TOKEN_AUTH.UPDATE.accessTokenTTL),
+        accessTokenNumUsesLimit: z.number().int().min(0).optional().describe(TOKEN_AUTH.UPDATE.accessTokenNumUsesLimit),
         accessTokenMaxTTL: z
           .number()
           .int()
+          .max(315360000)
           .refine((value) => value !== 0, {
             message: "accessTokenMaxTTL must have a non zero number"
           })
           .optional()
+          .describe(TOKEN_AUTH.UPDATE.accessTokenMaxTTL)
       }),
       response: {
         200: z.object({
@@ -174,7 +183,7 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(TOKEN_AUTH.RETRIEVE.identityId)
       }),
       response: {
         200: z.object({
@@ -221,7 +230,7 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
         }
       ],
       params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(TOKEN_AUTH.REVOKE.identityId)
       }),
       response: {
         200: z.object({
@@ -253,15 +262,6 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
     }
   });
 
-  // proposed
-  // update token by id: PATCH /token-auth/tokens/:tokenId
-  // revoke token by id: POST /token-auth/tokens/:tokenId/revoke
-
-  // current
-  // revoke token by id: POST /token/revoke-by-id
-
-  // token-auth/identities/:identityId/tokens
-
   server.route({
     method: "POST",
     url: "/token-auth/identities/:identityId/tokens",
@@ -270,17 +270,17 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      description: "Create token for identity with Token Auth configured",
+      description: "Create token for identity with Token Auth",
       security: [
         {
           bearerAuth: []
         }
       ],
       params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(TOKEN_AUTH.CREATE_TOKEN.identityId)
       }),
       body: z.object({
-        name: z.string().optional()
+        name: z.string().optional().describe(TOKEN_AUTH.CREATE_TOKEN.name)
       }),
       response: {
         200: z.object({
@@ -331,18 +331,18 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      description: "Get tokens for identity with Token Auth configured",
+      description: "Get tokens for identity with Token Auth",
       security: [
         {
           bearerAuth: []
         }
       ],
       params: z.object({
-        identityId: z.string()
+        identityId: z.string().describe(TOKEN_AUTH.GET_TOKENS.identityId)
       }),
       querystring: z.object({
-        offset: z.coerce.number().min(0).max(100).default(0),
+        offset: z.coerce.number().min(0).max(100).default(0).describe(TOKEN_AUTH.GET_TOKENS.offset),
-        limit: z.coerce.number().min(1).max(100).default(20)
+        limit: z.coerce.number().min(1).max(100).default(20).describe(TOKEN_AUTH.GET_TOKENS.limit)
       }),
       response: {
         200: z.object({
@@ -383,17 +383,17 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      description: "Update token for identity with Token Auth configured",
+      description: "Update token for identity with Token Auth",
       security: [
         {
           bearerAuth: []
         }
       ],
       params: z.object({
-        tokenId: z.string()
+        tokenId: z.string().describe(TOKEN_AUTH.UPDATE_TOKEN.tokenId)
       }),
       body: z.object({
-        name: z.string().optional()
+        name: z.string().optional().describe(TOKEN_AUTH.UPDATE_TOKEN.name)
       }),
       response: {
         200: z.object({
@@ -436,14 +436,14 @@ export const registerIdentityTokenAuthRouter = async (server: FastifyZodProvider
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     schema: {
-      description: "Revoke token for identity with Token Auth configured",
+      description: "Revoke token for identity with Token Auth",
       security: [
         {
           bearerAuth: []
         }
       ],
       params: z.object({
-        tokenId: z.string()
+        tokenId: z.string().describe(TOKEN_AUTH.REVOKE_TOKEN.tokenId)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/identity-universal-auth-router.ts

@@ -107,6 +107,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
           .number()
           .int()
           .min(1)
+          .max(315360000)
           .refine((value) => value !== 0, {
             message: "accessTokenTTL must have a non zero number"
           })
@@ -115,6 +116,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         accessTokenMaxTTL: z
           .number()
           .int()
+          .max(315360000)
           .refine((value) => value !== 0, {
             message: "accessTokenMaxTTL must have a non zero number"
           })
@@ -196,7 +198,13 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
           .min(1)
           .optional()
           .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTrustedIps),
-        accessTokenTTL: z.number().int().min(0).optional().describe(UNIVERSAL_AUTH.UPDATE.accessTokenTTL),
+        accessTokenTTL: z
+          .number()
+          .int()
+          .min(0)
+          .max(315360000)
+          .optional()
+          .describe(UNIVERSAL_AUTH.UPDATE.accessTokenTTL),
         accessTokenNumUsesLimit: z
           .number()
           .int()
@@ -206,6 +214,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
         accessTokenMaxTTL: z
           .number()
           .int()
+          .max(315360000)
           .refine((value) => value !== 0, {
             message: "accessTokenMaxTTL must have a non zero number"
           })
@@ -362,7 +371,7 @@ export const registerIdentityUaRouter = async (server: FastifyZodProvider) => {
       body: z.object({
         description: z.string().trim().default("").describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.description),
         numUsesLimit: z.number().min(0).default(0).describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.numUsesLimit),
-        ttl: z.number().min(0).default(0).describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.ttl)
+        ttl: z.number().min(0).max(315360000).default(0).describe(UNIVERSAL_AUTH.CREATE_CLIENT_SECRET.ttl)
       }),
       response: {
         200: z.object({

backend/src/server/routes/v1/index.ts

@@ -8,6 +8,7 @@ import { registerIdentityAwsAuthRouter } from "./identity-aws-iam-auth-router";
 import { registerIdentityAzureAuthRouter } from "./identity-azure-auth-router";
 import { registerIdentityGcpAuthRouter } from "./identity-gcp-auth-router";
 import { registerIdentityKubernetesRouter } from "./identity-kubernetes-auth-router";
+import { registerIdentityOidcAuthRouter } from "./identity-oidc-auth-router";
 import { registerIdentityRouter } from "./identity-router";
 import { registerIdentityTokenAuthRouter } from "./identity-token-auth-router";
 import { registerIdentityUaRouter } from "./identity-universal-auth-router";
@@ -42,6 +43,7 @@ export const registerV1Routes = async (server: FastifyZodProvider) => {
       await authRouter.register(registerIdentityAccessTokenRouter);
       await authRouter.register(registerIdentityAwsAuthRouter);
       await authRouter.register(registerIdentityAzureAuthRouter);
+      await authRouter.register(registerIdentityOidcAuthRouter);
     },
     { prefix: "/auth" }
   );

backend/src/server/routes/v1/project-env-router.ts

@@ -9,6 +9,55 @@ import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 
 export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
+  server.route({
+    method: "GET",
+    url: "/:workspaceId/environments/:envId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Get Environment",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        workspaceId: z.string().trim().describe(ENVIRONMENTS.GET.workspaceId),
+        envId: z.string().trim().describe(ENVIRONMENTS.GET.id)
+      }),
+      response: {
+        200: z.object({
+          environment: ProjectEnvironmentsSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const environment = await server.services.projectEnv.getEnvironmentById({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        projectId: req.params.workspaceId,
+        id: req.params.envId
+      });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        projectId: environment.projectId,
+        event: {
+          type: EventType.GET_ENVIRONMENT,
+          metadata: {
+            id: environment.id
+          }
+        }
+      });
+
+      return { environment };
+    }
+  });
+
   server.route({
     method: "POST",
     url: "/:workspaceId/environments",

backend/src/server/routes/v1/project-router.ts

@@ -78,6 +78,7 @@ export const registerProjectRouter = async (server: FastifyZodProvider) => {
               lastName: true,
               id: true
             }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
+            project: ProjectsSchema.pick({ name: true, id: true }),
             roles: z.array(
               z.object({
                 id: z.string(),

backend/src/server/routes/v1/secret-folder-router.ts

@@ -292,4 +292,39 @@ export const registerSecretFolderRouter = async (server: FastifyZodProvider) =>
       return { folders };
     }
   });
+
+  server.route({
+    method: "GET",
+    url: "/:id",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      description: "Get folder by id",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        id: z.string().trim().describe(FOLDERS.GET_BY_ID.folderId)
+      }),
+      response: {
+        200: z.object({
+          folder: SecretFoldersSchema
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.SERVICE_TOKEN, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const folder = await server.services.folder.getFolderById({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        id: req.params.id
+      });
+      return { folder };
+    }
+  });
 };

backend/src/server/routes/v1/secret-sharing-router.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 
 import { SecretSharingSchema } from "@app/db/schemas";
+import { SecretSharingAccessType } from "@app/lib/types";
 import {
   publicEndpointLimit,
   publicSecretShareCreationLimit,
@@ -55,14 +56,18 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
           iv: true,
           tag: true,
           expiresAt: true,
-          expiresAfterViews: true
+          expiresAfterViews: true,
+          accessType: true
+        }).extend({
+          orgName: z.string().optional()
         })
       }
     },
     handler: async (req) => {
       const sharedSecret = await req.server.services.secretSharing.getActiveSharedSecretByIdAndHashedHex(
         req.params.id,
-        req.query.hashedHex
+        req.query.hashedHex,
+        req.permission?.orgId
       );
       if (!sharedSecret) return undefined;
       return {
@@ -70,7 +75,9 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
         iv: sharedSecret.iv,
         tag: sharedSecret.tag,
         expiresAt: sharedSecret.expiresAt,
-        expiresAfterViews: sharedSecret.expiresAfterViews
+        expiresAfterViews: sharedSecret.expiresAfterViews,
+        accessType: sharedSecret.accessType,
+        orgName: sharedSecret.orgName
       };
     }
   });
@@ -104,7 +111,8 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
         tag,
         hashedHex,
         expiresAt: new Date(expiresAt),
-        expiresAfterViews
+        expiresAfterViews,
+        accessType: SecretSharingAccessType.Anyone
       });
       return { id: sharedSecret.id };
     }
@@ -123,7 +131,8 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
         tag: z.string(),
         hashedHex: z.string(),
         expiresAt: z.string(),
-        expiresAfterViews: z.number()
+        expiresAfterViews: z.number(),
+        accessType: z.nativeEnum(SecretSharingAccessType).default(SecretSharingAccessType.Organization)
       }),
       response: {
         200: z.object({
@@ -145,7 +154,8 @@ export const registerSecretSharingRouter = async (server: FastifyZodProvider) =>
         tag,
         hashedHex,
         expiresAt: new Date(expiresAt),
-        expiresAfterViews
+        expiresAfterViews,
+        accessType: req.body.accessType
       });
       return { id: sharedSecret.id };
     }

backend/src/server/routes/v2/identity-project-router.ts

@@ -5,6 +5,7 @@ import {
   IdentitiesSchema,
   IdentityProjectMembershipsSchema,
   ProjectMembershipRole,
+  ProjectsSchema,
   ProjectUserMembershipRolesSchema
 } from "@app/db/schemas";
 import { PROJECT_IDENTITIES } from "@app/lib/api-docs";
@@ -234,7 +235,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
                   temporaryAccessEndTime: z.date().nullable().optional()
                 })
               ),
-              identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true })
+              identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true }),
+              project: ProjectsSchema.pick({ name: true, id: true })
             })
             .array()
         })
@@ -291,7 +293,8 @@ export const registerIdentityProjectRouter = async (server: FastifyZodProvider)
                 temporaryAccessEndTime: z.date().nullable().optional()
               })
             ),
-            identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true })
+            identity: IdentitiesSchema.pick({ name: true, id: true, authMethod: true }),
+            project: ProjectsSchema.pick({ name: true, id: true })
           })
         })
       }

backend/src/server/routes/v2/organization-router.ts

@@ -1,6 +1,13 @@
 import { z } from "zod";
 
-import { OrganizationsSchema, OrgMembershipsSchema, UserEncryptionKeysSchema, UsersSchema } from "@app/db/schemas";
+import {
+  OrganizationsSchema,
+  OrgMembershipsSchema,
+  ProjectMembershipsSchema,
+  ProjectsSchema,
+  UserEncryptionKeysSchema,
+  UsersSchema
+} from "@app/db/schemas";
 import { ORGANIZATIONS } from "@app/lib/api-docs";
 import { creationLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
@@ -30,6 +37,7 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
               user: UsersSchema.pick({
                 username: true,
                 email: true,
+                isEmailVerified: true,
                 firstName: true,
                 lastName: true,
                 id: true
@@ -103,6 +111,54 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "GET",
+    url: "/:organizationId/memberships/:membershipId",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Get organization user membership",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        organizationId: z.string().trim().describe(ORGANIZATIONS.GET_USER_MEMBERSHIP.organizationId),
+        membershipId: z.string().trim().describe(ORGANIZATIONS.GET_USER_MEMBERSHIP.membershipId)
+      }),
+      response: {
+        200: z.object({
+          membership: OrgMembershipsSchema.merge(
+            z.object({
+              user: UsersSchema.pick({
+                username: true,
+                email: true,
+                isEmailVerified: true,
+                firstName: true,
+                lastName: true,
+                id: true
+              }).merge(z.object({ publicKey: z.string().nullable() }))
+            })
+          ).omit({ createdAt: true, updatedAt: true })
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const membership = await server.services.org.getOrgMembership({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        orgId: req.params.organizationId,
+        membershipId: req.params.membershipId
+      });
+      return { membership };
+    }
+  });
+
   server.route({
     method: "PATCH",
     url: "/:organizationId/memberships/:membershipId",
@@ -121,7 +177,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
         membershipId: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.membershipId)
       }),
       body: z.object({
-        role: z.string().trim().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.role)
+        role: z.string().trim().optional().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.role),
+        isActive: z.boolean().optional().describe(ORGANIZATIONS.UPDATE_USER_MEMBERSHIP.isActive)
       }),
       response: {
         200: z.object({
@@ -129,17 +186,17 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
         })
       }
     },
-    onRequest: verifyAuth([AuthMode.JWT, AuthMode.API_KEY, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
       if (req.auth.actor !== ActorType.USER) return;
 
       const membership = await server.services.org.updateOrgMembership({
         userId: req.permission.id,
-        role: req.body.role,
         actorAuthMethod: req.permission.authMethod,
         orgId: req.params.organizationId,
         membershipId: req.params.membershipId,
-        actorOrgId: req.permission.orgId
+        actorOrgId: req.permission.orgId,
+        ...req.body
       });
       return { membership };
     }
@@ -183,6 +240,69 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    // TODO: re-think endpoint structure in future so users only need to pass in membershipId bc organizationId is redundant
+    method: "GET",
+    url: "/:organizationId/memberships/:membershipId/project-memberships",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      description: "Get project memberships given organization membership",
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      params: z.object({
+        organizationId: z.string().trim().describe(ORGANIZATIONS.DELETE_USER_MEMBERSHIP.organizationId),
+        membershipId: z.string().trim().describe(ORGANIZATIONS.DELETE_USER_MEMBERSHIP.membershipId)
+      }),
+      response: {
+        200: z.object({
+          memberships: ProjectMembershipsSchema.extend({
+            user: UsersSchema.pick({
+              email: true,
+              username: true,
+              firstName: true,
+              lastName: true,
+              id: true
+            }).merge(UserEncryptionKeysSchema.pick({ publicKey: true })),
+            project: ProjectsSchema.pick({ name: true, id: true }),
+            roles: z.array(
+              z.object({
+                id: z.string(),
+                role: z.string(),
+                customRoleId: z.string().optional().nullable(),
+                customRoleName: z.string().optional().nullable(),
+                customRoleSlug: z.string().optional().nullable(),
+                isTemporary: z.boolean(),
+                temporaryMode: z.string().optional().nullable(),
+                temporaryRange: z.string().nullable().optional(),
+                temporaryAccessStartTime: z.date().nullable().optional(),
+                temporaryAccessEndTime: z.date().nullable().optional()
+              })
+            )
+          })
+            .omit({ createdAt: true, updatedAt: true })
+            .array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const memberships = await server.services.org.listProjectMembershipsByOrgMembershipId({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        orgId: req.params.organizationId,
+        orgMembershipId: req.params.membershipId
+      });
+      return { memberships };
+    }
+  });
+
   server.route({
     method: "POST",
     url: "/",

backend/src/server/routes/v3/secret-router.ts

@@ -1325,6 +1325,61 @@ export const registerSecretRouter = async (server: FastifyZodProvider) => {
     }
   });
 
+  server.route({
+    method: "POST",
+    url: "/move",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      body: z.object({
+        projectSlug: z.string().trim(),
+        sourceEnvironment: z.string().trim(),
+        sourceSecretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        destinationEnvironment: z.string().trim(),
+        destinationSecretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        secretIds: z.string().array(),
+        shouldOverwrite: z.boolean().default(false)
+      }),
+      response: {
+        200: z.object({
+          isSourceUpdated: z.boolean(),
+          isDestinationUpdated: z.boolean()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
+    handler: async (req) => {
+      const { projectId, isSourceUpdated, isDestinationUpdated } = await server.services.secret.moveSecrets({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ...req.body
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId,
+        ...req.auditLogInfo,
+        event: {
+          type: EventType.MOVE_SECRETS,
+          metadata: {
+            sourceEnvironment: req.body.sourceEnvironment,
+            sourceSecretPath: req.body.sourceSecretPath,
+            destinationEnvironment: req.body.destinationEnvironment,
+            destinationSecretPath: req.body.destinationSecretPath,
+            secretIds: req.body.secretIds
+          }
+        }
+      });
+
+      return {
+        isSourceUpdated,
+        isDestinationUpdated
+      };
+    }
+  });
+
   server.route({
     method: "POST",
     url: "/batch",

backend/src/services/auth-token/auth-token-service.ts

@@ -4,7 +4,8 @@ import bcrypt from "bcrypt";
 
 import { TAuthTokens, TAuthTokenSessions } from "@app/db/schemas";
 import { getConfig } from "@app/lib/config/env";
-import { UnauthorizedError } from "@app/lib/errors";
+import { ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
+import { TOrgMembershipDALFactory } from "@app/services/org-membership/org-membership-dal";
 
 import { AuthModeJwtTokenPayload } from "../auth/auth-type";
 import { TUserDALFactory } from "../user/user-dal";
@@ -14,6 +15,7 @@ import { TCreateTokenForUserDTO, TIssueAuthTokenDTO, TokenType, TValidateTokenFo
 type TAuthTokenServiceFactoryDep = {
   tokenDAL: TTokenDALFactory;
   userDAL: Pick<TUserDALFactory, "findById" | "transaction">;
+  orgMembershipDAL: Pick<TOrgMembershipDALFactory, "findOne">;
 };
 
 export type TAuthTokenServiceFactory = ReturnType<typeof tokenServiceFactory>;
@@ -67,7 +69,7 @@ export const getTokenConfig = (tokenType: TokenType) => {
   }
 };
 
-export const tokenServiceFactory = ({ tokenDAL, userDAL }: TAuthTokenServiceFactoryDep) => {
+export const tokenServiceFactory = ({ tokenDAL, userDAL, orgMembershipDAL }: TAuthTokenServiceFactoryDep) => {
   const createTokenForUser = async ({ type, userId, orgId }: TCreateTokenForUserDTO) => {
     const { token, ...tkCfg } = getTokenConfig(type);
     const appCfg = getConfig();
@@ -154,6 +156,16 @@ export const tokenServiceFactory = ({ tokenDAL, userDAL }: TAuthTokenServiceFact
     const user = await userDAL.findById(session.userId);
     if (!user || !user.isAccepted) throw new UnauthorizedError({ name: "Token user not found" });
 
+    if (token.organizationId) {
+      const orgMembership = await orgMembershipDAL.findOne({
+        userId: user.id,
+        orgId: token.organizationId
+      });
+
+      if (!orgMembership) throw new ForbiddenRequestError({ message: "User not member of organization" });
+      if (!orgMembership.isActive) throw new ForbiddenRequestError({ message: "User not active in organization" });
+    }
+
     return { user, tokenVersionId: token.tokenVersionId, orgId: token.organizationId };
   };
 

backend/src/services/certificate-authority/certificate-authority-fns.ts

@@ -75,8 +75,10 @@ export const getCaCredentials = async ({
     kmsService
   });
 
-  const decryptedPrivateKey = await kmsService.decrypt({
+  const kmsDecryptor = await kmsService.decryptWithKmsKey({
-    kmsId: keyId,
+    kmsId: keyId
+  });
+  const decryptedPrivateKey = kmsDecryptor({
     cipherTextBlob: caSecret.encryptedPrivateKey
   });
 
@@ -123,15 +125,17 @@ export const getCaCertChain = async ({
     kmsService
   });
 
-  const decryptedCaCert = await kmsService.decrypt({
+  const kmsDecryptor = await kmsService.decryptWithKmsKey({
-    kmsId: keyId,
+    kmsId: keyId
+  });
+
+  const decryptedCaCert = kmsDecryptor({
     cipherTextBlob: caCert.encryptedCertificate
   });
 
   const caCertObj = new x509.X509Certificate(decryptedCaCert);
 
-  const decryptedChain = await kmsService.decrypt({
+  const decryptedChain = kmsDecryptor({
-    kmsId: keyId,
     cipherTextBlob: caCert.encryptedCertificateChain
   });
 
@@ -168,8 +172,11 @@ export const rebuildCaCrl = async ({
     kmsService
   });
 
-  const privateKey = await kmsService.decrypt({
+  const kmsDecryptor = await kmsService.decryptWithKmsKey({
-    kmsId: keyId,
+    kmsId: keyId
+  });
+
+  const privateKey = kmsDecryptor({
     cipherTextBlob: caSecret.encryptedPrivateKey
   });
 
@@ -200,8 +207,10 @@ export const rebuildCaCrl = async ({
     signingKey: sk
   });
 
-  const { cipherTextBlob: encryptedCrl } = await kmsService.encrypt({
+  const kmsEncryptor = await kmsService.encryptWithKmsKey({
-    kmsId: keyId,
+    kmsId: keyId
+  });
+  const { cipherTextBlob: encryptedCrl } = kmsEncryptor({
     plainText: Buffer.from(new Uint8Array(crl.rawData))
   });
 

backend/src/services/certificate-authority/certificate-authority-queue.ts

@@ -25,7 +25,7 @@ type TCertificateAuthorityQueueFactoryDep = {
   certificateAuthoritySecretDAL: TCertificateAuthoritySecretDALFactory;
   certificateDAL: TCertificateDALFactory;
   projectDAL: Pick<TProjectDALFactory, "findProjectBySlug" | "findOne" | "updateById" | "findById" | "transaction">;
-  kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "encrypt" | "decrypt">;
+  kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "encryptWithKmsKey" | "decryptWithKmsKey">;
   queueService: TQueueServiceFactory;
 };
 export type TCertificateAuthorityQueueFactory = ReturnType<typeof certificateAuthorityQueueFactory>;
@@ -88,8 +88,10 @@ export const certificateAuthorityQueueFactory = ({
       kmsService
     });
 
-    const privateKey = await kmsService.decrypt({
+    const kmsDecryptor = await kmsService.decryptWithKmsKey({
-      kmsId: keyId,
+      kmsId: keyId
+    });
+    const privateKey = kmsDecryptor({
       cipherTextBlob: caSecret.encryptedPrivateKey
     });
 
@@ -120,8 +122,10 @@ export const certificateAuthorityQueueFactory = ({
       signingKey: sk
     });
 
-    const { cipherTextBlob: encryptedCrl } = await kmsService.encrypt({
+    const kmsEncryptor = await kmsService.encryptWithKmsKey({
-      kmsId: keyId,
+      kmsId: keyId
+    });
+    const { cipherTextBlob: encryptedCrl } = kmsEncryptor({
       plainText: Buffer.from(new Uint8Array(crl.rawData))
     });
 

backend/src/services/certificate-authority/certificate-authority-service.ts

@@ -53,7 +53,7 @@ type TCertificateAuthorityServiceFactoryDep = {
   certificateDAL: Pick<TCertificateDALFactory, "transaction" | "create" | "find">;
   certificateBodyDAL: Pick<TCertificateBodyDALFactory, "create">;
   projectDAL: Pick<TProjectDALFactory, "findProjectBySlug" | "findOne" | "updateById" | "findById" | "transaction">;
-  kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "encrypt" | "decrypt">;
+  kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "encryptWithKmsKey" | "decryptWithKmsKey">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
 };
 
@@ -154,11 +154,14 @@ export const certificateAuthorityServiceFactory = ({
         tx
       );
 
-      const keyId = await getProjectKmsCertificateKeyId({
+      const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
         projectId: project.id,
         projectDAL,
         kmsService
       });
+      const kmsEncryptor = await kmsService.encryptWithKmsKey({
+        kmsId: certificateManagerKmsId
+      });
 
       if (type === CaType.ROOT) {
         // note: create self-signed cert only applicable for root CA
@@ -178,13 +181,11 @@ export const certificateAuthorityServiceFactory = ({
           ]
         });
 
-        const { cipherTextBlob: encryptedCertificate } = await kmsService.encrypt({
+        const { cipherTextBlob: encryptedCertificate } = kmsEncryptor({
-          kmsId: keyId,
           plainText: Buffer.from(new Uint8Array(cert.rawData))
         });
 
-        const { cipherTextBlob: encryptedCertificateChain } = await kmsService.encrypt({
+        const { cipherTextBlob: encryptedCertificateChain } = kmsEncryptor({
-          kmsId: keyId,
           plainText: Buffer.alloc(0)
         });
 
@@ -208,8 +209,7 @@ export const certificateAuthorityServiceFactory = ({
         signingKey: keys.privateKey
       });
 
-      const { cipherTextBlob: encryptedCrl } = await kmsService.encrypt({
+      const { cipherTextBlob: encryptedCrl } = kmsEncryptor({
-        kmsId: keyId,
         plainText: Buffer.from(new Uint8Array(crl.rawData))
       });
 
@@ -224,8 +224,7 @@ export const certificateAuthorityServiceFactory = ({
       // https://nodejs.org/api/crypto.html#static-method-keyobjectfromkey
       const skObj = KeyObject.from(keys.privateKey);
 
-      const { cipherTextBlob: encryptedPrivateKey } = await kmsService.encrypt({
+      const { cipherTextBlob: encryptedPrivateKey } = kmsEncryptor({
-        kmsId: keyId,
         plainText: skObj.export({
           type: "pkcs8",
           format: "der"
@@ -449,15 +448,17 @@ export const certificateAuthorityServiceFactory = ({
 
     const alg = keyAlgorithmToAlgCfg(ca.keyAlgorithm as CertKeyAlgorithm);
 
-    const keyId = await getProjectKmsCertificateKeyId({
+    const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
       projectId: ca.projectId,
       projectDAL,
       kmsService
     });
+    const kmsDecryptor = await kmsService.decryptWithKmsKey({
+      kmsId: certificateManagerKmsId
+    });
 
     const caCert = await certificateAuthorityCertDAL.findOne({ caId: ca.id });
-    const decryptedCaCert = await kmsService.decrypt({
+    const decryptedCaCert = kmsDecryptor({
-      kmsId: keyId,
       cipherTextBlob: caCert.encryptedCertificate
     });
 
@@ -605,19 +606,20 @@ export const certificateAuthorityServiceFactory = ({
       dn: parentCertSubject
     });
 
-    const keyId = await getProjectKmsCertificateKeyId({
+    const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
       projectId: ca.projectId,
       projectDAL,
       kmsService
     });
+    const kmsEncryptor = await kmsService.encryptWithKmsKey({
+      kmsId: certificateManagerKmsId
+    });
 
-    const { cipherTextBlob: encryptedCertificate } = await kmsService.encrypt({
+    const { cipherTextBlob: encryptedCertificate } = kmsEncryptor({
-      kmsId: keyId,
       plainText: Buffer.from(new Uint8Array(certObj.rawData))
     });
 
-    const { cipherTextBlob: encryptedCertificateChain } = await kmsService.encrypt({
+    const { cipherTextBlob: encryptedCertificateChain } = kmsEncryptor({
-      kmsId: keyId,
       plainText: Buffer.from(certificateChain)
     });
 
@@ -682,14 +684,16 @@ export const certificateAuthorityServiceFactory = ({
     const caCert = await certificateAuthorityCertDAL.findOne({ caId: ca.id });
     if (!caCert) throw new BadRequestError({ message: "CA does not have a certificate installed" });
 
-    const keyId = await getProjectKmsCertificateKeyId({
+    const certificateManagerKmsId = await getProjectKmsCertificateKeyId({
       projectId: ca.projectId,
       projectDAL,
       kmsService
     });
+    const kmsDecryptor = await kmsService.decryptWithKmsKey({
+      kmsId: certificateManagerKmsId
+    });
 
-    const decryptedCaCert = await kmsService.decrypt({
+    const decryptedCaCert = kmsDecryptor({
-      kmsId: keyId,
       cipherTextBlob: caCert.encryptedCertificate
     });
 
@@ -796,8 +800,10 @@ export const certificateAuthorityServiceFactory = ({
     const skLeafObj = KeyObject.from(leafKeys.privateKey);
     const skLeaf = skLeafObj.export({ format: "pem", type: "pkcs8" }) as string;
 
-    const { cipherTextBlob: encryptedCertificate } = await kmsService.encrypt({
+    const kmsEncryptor = await kmsService.encryptWithKmsKey({
-      kmsId: keyId,
+      kmsId: certificateManagerKmsId
+    });
+    const { cipherTextBlob: encryptedCertificate } = kmsEncryptor({
       plainText: Buffer.from(new Uint8Array(leafCert.rawData))
     });
 

backend/src/services/certificate-authority/certificate-authority-types.ts

@@ -95,7 +95,7 @@ export type TGetCaCredentialsDTO = {
   certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById">;
   certificateAuthoritySecretDAL: Pick<TCertificateAuthoritySecretDALFactory, "findOne">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
-  kmsService: Pick<TKmsServiceFactory, "decrypt" | "generateKmsKey">;
+  kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
 };
 
 export type TGetCaCertChainDTO = {
@@ -103,7 +103,7 @@ export type TGetCaCertChainDTO = {
   certificateAuthorityDAL: Pick<TCertificateAuthorityDALFactory, "findById">;
   certificateAuthorityCertDAL: Pick<TCertificateAuthorityCertDALFactory, "findOne">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
-  kmsService: Pick<TKmsServiceFactory, "decrypt" | "generateKmsKey">;
+  kmsService: Pick<TKmsServiceFactory, "decryptWithKmsKey" | "generateKmsKey">;
 };
 
 export type TRebuildCaCrlDTO = {
@@ -113,7 +113,7 @@ export type TRebuildCaCrlDTO = {
   certificateAuthoritySecretDAL: Pick<TCertificateAuthoritySecretDALFactory, "findOne">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "transaction">;
   certificateDAL: Pick<TCertificateDALFactory, "find">;
-  kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "decrypt" | "encrypt">;
+  kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "decryptWithKmsKey" | "encryptWithKmsKey">;
 };
 
 export type TRotateCaCrlTriggerDTO = {

backend/src/services/certificate/certificate-service.ts

@@ -25,7 +25,7 @@ type TCertificateServiceFactoryDep = {
   certificateAuthorityCrlDAL: Pick<TCertificateAuthorityCrlDALFactory, "update">;
   certificateAuthoritySecretDAL: Pick<TCertificateAuthoritySecretDALFactory, "findOne">;
   projectDAL: Pick<TProjectDALFactory, "findOne" | "updateById" | "findById" | "transaction">;
-  kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "encrypt" | "decrypt">;
+  kmsService: Pick<TKmsServiceFactory, "generateKmsKey" | "encryptWithKmsKey" | "decryptWithKmsKey">;
   permissionService: Pick<TPermissionServiceFactory, "getProjectPermission">;
 };
 
@@ -164,14 +164,16 @@ export const certificateServiceFactory = ({
 
     const certBody = await certificateBodyDAL.findOne({ certId: cert.id });
 
-    const keyId = await getProjectKmsCertificateKeyId({
+    const certificateManagerKeyId = await getProjectKmsCertificateKeyId({
       projectId: ca.projectId,
       projectDAL,
       kmsService
     });
 
-    const decryptedCert = await kmsService.decrypt({
+    const kmsDecryptor = await kmsService.decryptWithKmsKey({
-      kmsId: keyId,
+      kmsId: certificateManagerKeyId
+    });
+    const decryptedCert = kmsDecryptor({
       cipherTextBlob: certBody.encryptedCertificate
     });
 

backend/src/services/identity-access-token/identity-access-token-dal.ts

@@ -51,6 +51,18 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
             `${TableName.IdentityKubernetesAuth}.identityId`
           );
         })
+        .leftJoin(TableName.IdentityOidcAuth, (qb) => {
+          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.OIDC_AUTH])).andOn(
+            `${TableName.Identity}.id`,
+            `${TableName.IdentityOidcAuth}.identityId`
+          );
+        })
+        .leftJoin(TableName.IdentityTokenAuth, (qb) => {
+          qb.on(`${TableName.Identity}.authMethod`, db.raw("?", [IdentityAuthMethod.TOKEN_AUTH])).andOn(
+            `${TableName.Identity}.id`,
+            `${TableName.IdentityTokenAuth}.identityId`
+          );
+        })
         .select(selectAllTableCols(TableName.IdentityAccessToken))
         .select(
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityUniversalAuth).as("accessTokenTrustedIpsUa"),
@@ -58,6 +70,8 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityAwsAuth).as("accessTokenTrustedIpsAws"),
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityAzureAuth).as("accessTokenTrustedIpsAzure"),
           db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityKubernetesAuth).as("accessTokenTrustedIpsK8s"),
+          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityOidcAuth).as("accessTokenTrustedIpsOidc"),
+          db.ref("accessTokenTrustedIps").withSchema(TableName.IdentityTokenAuth).as("accessTokenTrustedIpsToken"),
           db.ref("name").withSchema(TableName.Identity)
         )
         .first();
@@ -71,7 +85,9 @@ export const identityAccessTokenDALFactory = (db: TDbClient) => {
           doc.accessTokenTrustedIpsGcp ||
           doc.accessTokenTrustedIpsAws ||
           doc.accessTokenTrustedIpsAzure ||
-          doc.accessTokenTrustedIpsK8s
+          doc.accessTokenTrustedIpsK8s ||
+          doc.accessTokenTrustedIpsOidc ||
+          doc.accessTokenTrustedIpsToken
       };
     } catch (error) {
       throw new DatabaseError({ error, name: "IdAccessTokenFindOne" });

backend/src/services/identity-aws-auth/identity-aws-auth-service.ts

@@ -78,7 +78,10 @@ export const identityAwsAuthServiceFactory = ({
         .map((accountId) => accountId.trim())
         .some((accountId) => accountId === Account);
 
-      if (!isAccountAllowed) throw new UnauthorizedError();
+      if (!isAccountAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: AWS account ID not allowed."
+        });
     }
 
     if (identityAwsAuth.allowedPrincipalArns) {
@@ -94,7 +97,10 @@ export const identityAwsAuthServiceFactory = ({
           return regex.test(extractPrincipalArn(Arn));
         });
 
-      if (!isArnAllowed) throw new UnauthorizedError();
+      if (!isArnAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: AWS principal ARN not allowed."
+        });
     }
 
     const identityAccessToken = await identityAwsAuthDAL.transaction(async (tx) => {

backend/src/services/identity-azure-auth/identity-azure-auth-fns.ts

@@ -17,6 +17,7 @@ export const validateAzureIdentity = async ({
   const jwksUri = `https://login.microsoftonline.com/${tenantId}/discovery/keys`;
 
   const decodedJwt = jwt.decode(azureJwt, { complete: true }) as TDecodedAzureAuthJwt;
+
   const { kid } = decodedJwt.header;
 
   const { data }: { data: TAzureJwksUriResponse } = await axios.get(jwksUri);
@@ -27,6 +28,13 @@ export const validateAzureIdentity = async ({
 
   const publicKey = `-----BEGIN CERTIFICATE-----\n${signingKey.x5c[0]}\n-----END CERTIFICATE-----`;
 
+  // Case: This can happen when the user uses a custom resource (such as https://management.azure.com&client_id=value).
+  // In this case, the audience in the decoded JWT will not have a trailing slash, but the resource will.
+  if (!decodedJwt.payload.aud.endsWith("/") && resource.endsWith("/")) {
+    // eslint-disable-next-line no-param-reassign
+    resource = resource.slice(0, -1);
+  }
+
   return jwt.verify(azureJwt, publicKey, {
     audience: resource,
     issuer: `https://sts.windows.net/${tenantId}/`

backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts

@@ -81,7 +81,10 @@ export const identityGcpAuthServiceFactory = ({
         .map((serviceAccount) => serviceAccount.trim())
         .some((serviceAccount) => serviceAccount === gcpIdentityDetails.email);
 
-      if (!isServiceAccountAllowed) throw new UnauthorizedError();
+      if (!isServiceAccountAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: GCP service account not allowed."
+        });
     }
 
     if (identityGcpAuth.type === "gce" && identityGcpAuth.allowedProjects && gcpIdentityDetails.computeEngineDetails) {
@@ -92,7 +95,10 @@ export const identityGcpAuthServiceFactory = ({
         .map((project) => project.trim())
         .some((project) => project === gcpIdentityDetails.computeEngineDetails?.project_id);
 
-      if (!isProjectAllowed) throw new UnauthorizedError();
+      if (!isProjectAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: GCP project not allowed."
+        });
     }
 
     if (identityGcpAuth.type === "gce" && identityGcpAuth.allowedZones && gcpIdentityDetails.computeEngineDetails) {
@@ -101,7 +107,10 @@ export const identityGcpAuthServiceFactory = ({
         .map((zone) => zone.trim())
         .some((zone) => zone === gcpIdentityDetails.computeEngineDetails?.zone);
 
-      if (!isZoneAllowed) throw new UnauthorizedError();
+      if (!isZoneAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: GCP zone not allowed."
+        });
     }
 
     const identityAccessToken = await identityGcpAuthDAL.transaction(async (tx) => {

backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts

@@ -139,7 +139,10 @@ export const identityKubernetesAuthServiceFactory = ({
         .map((namespace) => namespace.trim())
         .some((namespace) => namespace === targetNamespace);
 
-      if (!isNamespaceAllowed) throw new UnauthorizedError();
+      if (!isNamespaceAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: K8s namespace not allowed."
+        });
     }
 
     if (identityKubernetesAuth.allowedNames) {
@@ -150,7 +153,10 @@ export const identityKubernetesAuthServiceFactory = ({
         .map((name) => name.trim())
         .some((name) => name === targetName);
 
-      if (!isNameAllowed) throw new UnauthorizedError();
+      if (!isNameAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: K8s name not allowed."
+        });
     }
 
     if (identityKubernetesAuth.allowedAudience) {
@@ -159,7 +165,10 @@ export const identityKubernetesAuthServiceFactory = ({
         (audience) => audience === identityKubernetesAuth.allowedAudience
       );
 
-      if (!isAudienceAllowed) throw new UnauthorizedError();
+      if (!isAudienceAllowed)
+        throw new ForbiddenRequestError({
+          message: "Access denied: K8s audience not allowed."
+        });
     }
 
     const identityAccessToken = await identityKubernetesAuthDAL.transaction(async (tx) => {

backend/src/services/identity-oidc-auth/identity-oidc-auth-dal.ts

@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TIdentityOidcAuthDALFactory = ReturnType<typeof identityOidcAuthDALFactory>;
+
+export const identityOidcAuthDALFactory = (db: TDbClient) => {
+  const oidcAuthOrm = ormify(db, TableName.IdentityOidcAuth);
+  return oidcAuthOrm;
+};

backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts

@@ -0,0 +1,540 @@
+import { ForbiddenError } from "@casl/ability";
+import axios from "axios";
+import https from "https";
+import jwt from "jsonwebtoken";
+import { JwksClient } from "jwks-rsa";
+
+import { IdentityAuthMethod, SecretKeyEncoding, TIdentityOidcAuthsUpdate } from "@app/db/schemas";
+import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { OrgPermissionActions, OrgPermissionSubjects } from "@app/ee/services/permission/org-permission";
+import { TPermissionServiceFactory } from "@app/ee/services/permission/permission-service";
+import { isAtLeastAsPrivileged } from "@app/lib/casl";
+import { getConfig } from "@app/lib/config/env";
+import { generateAsymmetricKeyPair } from "@app/lib/crypto";
+import {
+  decryptSymmetric,
+  encryptSymmetric,
+  generateSymmetricKey,
+  infisicalSymmetricDecrypt,
+  infisicalSymmetricEncypt
+} from "@app/lib/crypto/encryption";
+import { BadRequestError, ForbiddenRequestError, UnauthorizedError } from "@app/lib/errors";
+import { extractIPDetails, isValidIpOrCidr } from "@app/lib/ip";
+
+import { ActorType, AuthTokenType } from "../auth/auth-type";
+import { TIdentityDALFactory } from "../identity/identity-dal";
+import { TIdentityOrgDALFactory } from "../identity/identity-org-dal";
+import { TIdentityAccessTokenDALFactory } from "../identity-access-token/identity-access-token-dal";
+import { TIdentityAccessTokenJwtPayload } from "../identity-access-token/identity-access-token-types";
+import { TOrgBotDALFactory } from "../org/org-bot-dal";
+import { TIdentityOidcAuthDALFactory } from "./identity-oidc-auth-dal";
+import {
+  TAttachOidcAuthDTO,
+  TGetOidcAuthDTO,
+  TLoginOidcAuthDTO,
+  TRevokeOidcAuthDTO,
+  TUpdateOidcAuthDTO
+} from "./identity-oidc-auth-types";
+
+type TIdentityOidcAuthServiceFactoryDep = {
+  identityOidcAuthDAL: TIdentityOidcAuthDALFactory;
+  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityDAL: Pick<TIdentityDALFactory, "updateById">;
+  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
+  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
+  orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "transaction" | "create">;
+};
+
+export type TIdentityOidcAuthServiceFactory = ReturnType<typeof identityOidcAuthServiceFactory>;
+
+export const identityOidcAuthServiceFactory = ({
+  identityOidcAuthDAL,
+  identityOrgMembershipDAL,
+  identityDAL,
+  permissionService,
+  licenseService,
+  identityAccessTokenDAL,
+  orgBotDAL
+}: TIdentityOidcAuthServiceFactoryDep) => {
+  const login = async ({ identityId, jwt: oidcJwt }: TLoginOidcAuthDTO) => {
+    const identityOidcAuth = await identityOidcAuthDAL.findOne({ identityId });
+    if (!identityOidcAuth) {
+      throw new UnauthorizedError();
+    }
+
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({
+      identityId: identityOidcAuth.identityId
+    });
+    if (!identityMembershipOrg) {
+      throw new BadRequestError({ message: "Failed to find identity" });
+    }
+
+    const orgBot = await orgBotDAL.findOne({ orgId: identityMembershipOrg.orgId });
+    if (!orgBot) {
+      throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    }
+
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: orgBot.encryptedSymmetricKey,
+      iv: orgBot.symmetricKeyIV,
+      tag: orgBot.symmetricKeyTag,
+      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    const { encryptedCaCert, caCertIV, caCertTag } = identityOidcAuth;
+
+    let caCert = "";
+    if (encryptedCaCert && caCertIV && caCertTag) {
+      caCert = decryptSymmetric({
+        ciphertext: encryptedCaCert,
+        iv: caCertIV,
+        tag: caCertTag,
+        key
+      });
+    }
+
+    const requestAgent = new https.Agent({ ca: caCert, rejectUnauthorized: !!caCert });
+    const { data: discoveryDoc } = await axios.get<{ jwks_uri: string }>(
+      `${identityOidcAuth.oidcDiscoveryUrl}/.well-known/openid-configuration`,
+      {
+        httpsAgent: requestAgent
+      }
+    );
+    const jwksUri = discoveryDoc.jwks_uri;
+
+    const decodedToken = jwt.decode(oidcJwt, { complete: true });
+    if (!decodedToken) {
+      throw new BadRequestError({
+        message: "Invalid JWT"
+      });
+    }
+
+    const client = new JwksClient({
+      jwksUri,
+      requestAgent
+    });
+
+    const { kid } = decodedToken.header;
+    const oidcSigningKey = await client.getSigningKey(kid);
+
+    const tokenData = jwt.verify(oidcJwt, oidcSigningKey.getPublicKey(), {
+      issuer: identityOidcAuth.boundIssuer
+    }) as Record<string, string>;
+
+    if (identityOidcAuth.boundSubject) {
+      if (tokenData.sub !== identityOidcAuth.boundSubject) {
+        throw new ForbiddenRequestError({
+          message: "Access denied: OIDC subject not allowed."
+        });
+      }
+    }
+
+    if (identityOidcAuth.boundAudiences) {
+      if (!identityOidcAuth.boundAudiences.split(", ").includes(tokenData.aud)) {
+        throw new ForbiddenRequestError({
+          message: "Access denied: OIDC audience not allowed."
+        });
+      }
+    }
+
+    if (identityOidcAuth.boundClaims) {
+      Object.keys(identityOidcAuth.boundClaims).forEach((claimKey) => {
+        const claimValue = (identityOidcAuth.boundClaims as Record<string, string>)[claimKey];
+        // handle both single and multi-valued claims
+        if (!claimValue.split(", ").some((claimEntry) => tokenData[claimKey] === claimEntry)) {
+          throw new ForbiddenRequestError({
+            message: "Access denied: OIDC claim not allowed."
+          });
+        }
+      });
+    }
+
+    const identityAccessToken = await identityOidcAuthDAL.transaction(async (tx) => {
+      const newToken = await identityAccessTokenDAL.create(
+        {
+          identityId: identityOidcAuth.identityId,
+          isAccessTokenRevoked: false,
+          accessTokenTTL: identityOidcAuth.accessTokenTTL,
+          accessTokenMaxTTL: identityOidcAuth.accessTokenMaxTTL,
+          accessTokenNumUses: 0,
+          accessTokenNumUsesLimit: identityOidcAuth.accessTokenNumUsesLimit
+        },
+        tx
+      );
+      return newToken;
+    });
+
+    const appCfg = getConfig();
+    const accessToken = jwt.sign(
+      {
+        identityId: identityOidcAuth.identityId,
+        identityAccessTokenId: identityAccessToken.id,
+        authTokenType: AuthTokenType.IDENTITY_ACCESS_TOKEN
+      } as TIdentityAccessTokenJwtPayload,
+      appCfg.AUTH_SECRET,
+      {
+        expiresIn:
+          Number(identityAccessToken.accessTokenMaxTTL) === 0
+            ? undefined
+            : Number(identityAccessToken.accessTokenMaxTTL)
+      }
+    );
+
+    return { accessToken, identityOidcAuth, identityAccessToken, identityMembershipOrg };
+  };
+
+  const attachOidcAuth = async ({
+    identityId,
+    oidcDiscoveryUrl,
+    caCert,
+    boundIssuer,
+    boundAudiences,
+    boundClaims,
+    boundSubject,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TAttachOidcAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) {
+      throw new BadRequestError({ message: "Failed to find identity" });
+    }
+    if (identityMembershipOrg.identity.authMethod)
+      throw new BadRequestError({
+        message: "Failed to add OIDC Auth to already configured identity"
+      });
+
+    if (accessTokenMaxTTL > 0 && accessTokenTTL > accessTokenMaxTTL) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const orgBot = await orgBotDAL.transaction(async (tx) => {
+      const doc = await orgBotDAL.findOne({ orgId: identityMembershipOrg.orgId }, tx);
+      if (doc) return doc;
+
+      const { privateKey, publicKey } = generateAsymmetricKeyPair();
+      const key = generateSymmetricKey();
+      const {
+        ciphertext: encryptedPrivateKey,
+        iv: privateKeyIV,
+        tag: privateKeyTag,
+        encoding: privateKeyKeyEncoding,
+        algorithm: privateKeyAlgorithm
+      } = infisicalSymmetricEncypt(privateKey);
+      const {
+        ciphertext: encryptedSymmetricKey,
+        iv: symmetricKeyIV,
+        tag: symmetricKeyTag,
+        encoding: symmetricKeyKeyEncoding,
+        algorithm: symmetricKeyAlgorithm
+      } = infisicalSymmetricEncypt(key);
+
+      return orgBotDAL.create(
+        {
+          name: "Infisical org bot",
+          publicKey,
+          privateKeyIV,
+          encryptedPrivateKey,
+          symmetricKeyIV,
+          symmetricKeyTag,
+          encryptedSymmetricKey,
+          symmetricKeyAlgorithm,
+          orgId: identityMembershipOrg.orgId,
+          privateKeyTag,
+          privateKeyAlgorithm,
+          privateKeyKeyEncoding,
+          symmetricKeyKeyEncoding
+        },
+        tx
+      );
+    });
+
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: orgBot.encryptedSymmetricKey,
+      iv: orgBot.symmetricKeyIV,
+      tag: orgBot.symmetricKeyTag,
+      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    const { ciphertext: encryptedCaCert, iv: caCertIV, tag: caCertTag } = encryptSymmetric(caCert, key);
+
+    const identityOidcAuth = await identityOidcAuthDAL.transaction(async (tx) => {
+      const doc = await identityOidcAuthDAL.create(
+        {
+          identityId: identityMembershipOrg.identityId,
+          oidcDiscoveryUrl,
+          encryptedCaCert,
+          caCertIV,
+          caCertTag,
+          boundIssuer,
+          boundAudiences,
+          boundClaims,
+          boundSubject,
+          accessTokenMaxTTL,
+          accessTokenTTL,
+          accessTokenNumUsesLimit,
+          accessTokenTrustedIps: JSON.stringify(reformattedAccessTokenTrustedIps)
+        },
+        tx
+      );
+      await identityDAL.updateById(
+        identityMembershipOrg.identityId,
+        {
+          authMethod: IdentityAuthMethod.OIDC_AUTH
+        },
+        tx
+      );
+      return doc;
+    });
+    return { ...identityOidcAuth, orgId: identityMembershipOrg.orgId, caCert };
+  };
+
+  const updateOidcAuth = async ({
+    identityId,
+    oidcDiscoveryUrl,
+    caCert,
+    boundIssuer,
+    boundAudiences,
+    boundClaims,
+    boundSubject,
+    accessTokenTTL,
+    accessTokenMaxTTL,
+    accessTokenNumUsesLimit,
+    accessTokenTrustedIps,
+    actorId,
+    actorAuthMethod,
+    actor,
+    actorOrgId
+  }: TUpdateOidcAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) {
+      throw new BadRequestError({ message: "Failed to find identity" });
+    }
+
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.OIDC_AUTH) {
+      throw new BadRequestError({
+        message: "Failed to update OIDC Auth"
+      });
+    }
+
+    const identityOidcAuth = await identityOidcAuthDAL.findOne({ identityId });
+
+    if (
+      (accessTokenMaxTTL || identityOidcAuth.accessTokenMaxTTL) > 0 &&
+      (accessTokenTTL || identityOidcAuth.accessTokenMaxTTL) > (accessTokenMaxTTL || identityOidcAuth.accessTokenMaxTTL)
+    ) {
+      throw new BadRequestError({ message: "Access token TTL cannot be greater than max TTL" });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const plan = await licenseService.getPlan(identityMembershipOrg.orgId);
+    const reformattedAccessTokenTrustedIps = accessTokenTrustedIps?.map((accessTokenTrustedIp) => {
+      if (
+        !plan.ipAllowlisting &&
+        accessTokenTrustedIp.ipAddress !== "0.0.0.0/0" &&
+        accessTokenTrustedIp.ipAddress !== "::/0"
+      )
+        throw new BadRequestError({
+          message:
+            "Failed to add IP access range to access token due to plan restriction. Upgrade plan to add IP access range."
+        });
+      if (!isValidIpOrCidr(accessTokenTrustedIp.ipAddress))
+        throw new BadRequestError({
+          message: "The IP is not a valid IPv4, IPv6, or CIDR block"
+        });
+      return extractIPDetails(accessTokenTrustedIp.ipAddress);
+    });
+
+    const updateQuery: TIdentityOidcAuthsUpdate = {
+      oidcDiscoveryUrl,
+      boundIssuer,
+      boundAudiences,
+      boundClaims,
+      boundSubject,
+      accessTokenMaxTTL,
+      accessTokenTTL,
+      accessTokenNumUsesLimit,
+      accessTokenTrustedIps: reformattedAccessTokenTrustedIps
+        ? JSON.stringify(reformattedAccessTokenTrustedIps)
+        : undefined
+    };
+
+    const orgBot = await orgBotDAL.findOne({ orgId: identityMembershipOrg.orgId });
+    if (!orgBot) {
+      throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    }
+
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: orgBot.encryptedSymmetricKey,
+      iv: orgBot.symmetricKeyIV,
+      tag: orgBot.symmetricKeyTag,
+      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    if (caCert !== undefined) {
+      const { ciphertext: encryptedCACert, iv: caCertIV, tag: caCertTag } = encryptSymmetric(caCert, key);
+      updateQuery.encryptedCaCert = encryptedCACert;
+      updateQuery.caCertIV = caCertIV;
+      updateQuery.caCertTag = caCertTag;
+    }
+
+    const updatedOidcAuth = await identityOidcAuthDAL.updateById(identityOidcAuth.id, updateQuery);
+    const updatedCACert =
+      updatedOidcAuth.encryptedCaCert && updatedOidcAuth.caCertIV && updatedOidcAuth.caCertTag
+        ? decryptSymmetric({
+            ciphertext: updatedOidcAuth.encryptedCaCert,
+            iv: updatedOidcAuth.caCertIV,
+            tag: updatedOidcAuth.caCertTag,
+            key
+          })
+        : "";
+
+    return {
+      ...updatedOidcAuth,
+      orgId: identityMembershipOrg.orgId,
+      caCert: updatedCACert
+    };
+  };
+
+  const getOidcAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TGetOidcAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) {
+      throw new BadRequestError({ message: "Failed to find identity" });
+    }
+
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.OIDC_AUTH) {
+      throw new BadRequestError({
+        message: "The identity does not have OIDC Auth attached"
+      });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Identity);
+
+    const identityOidcAuth = await identityOidcAuthDAL.findOne({ identityId });
+
+    const orgBot = await orgBotDAL.findOne({ orgId: identityMembershipOrg.orgId });
+    if (!orgBot) {
+      throw new BadRequestError({ message: "Org bot not found", name: "OrgBotNotFound" });
+    }
+
+    const key = infisicalSymmetricDecrypt({
+      ciphertext: orgBot.encryptedSymmetricKey,
+      iv: orgBot.symmetricKeyIV,
+      tag: orgBot.symmetricKeyTag,
+      keyEncoding: orgBot.symmetricKeyKeyEncoding as SecretKeyEncoding
+    });
+
+    const caCert = decryptSymmetric({
+      ciphertext: identityOidcAuth.encryptedCaCert,
+      iv: identityOidcAuth.caCertIV,
+      tag: identityOidcAuth.caCertTag,
+      key
+    });
+
+    return { ...identityOidcAuth, orgId: identityMembershipOrg.orgId, caCert };
+  };
+
+  const revokeOidcAuth = async ({ identityId, actorId, actor, actorAuthMethod, actorOrgId }: TRevokeOidcAuthDTO) => {
+    const identityMembershipOrg = await identityOrgMembershipDAL.findOne({ identityId });
+    if (!identityMembershipOrg) {
+      throw new BadRequestError({ message: "Failed to find identity" });
+    }
+
+    if (identityMembershipOrg.identity?.authMethod !== IdentityAuthMethod.OIDC_AUTH) {
+      throw new BadRequestError({
+        message: "The identity does not have OIDC auth"
+      });
+    }
+
+    const { permission } = await permissionService.getOrgPermission(
+      actor,
+      actorId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Edit, OrgPermissionSubjects.Identity);
+
+    const { permission: rolePermission } = await permissionService.getOrgPermission(
+      ActorType.IDENTITY,
+      identityMembershipOrg.identityId,
+      identityMembershipOrg.orgId,
+      actorAuthMethod,
+      actorOrgId
+    );
+
+    const hasPriviledge = isAtLeastAsPrivileged(permission, rolePermission);
+    if (!hasPriviledge) {
+      throw new ForbiddenRequestError({
+        message: "Failed to revoke OIDC auth of identity with more privileged role"
+      });
+    }
+
+    const revokedIdentityOidcAuth = await identityOidcAuthDAL.transaction(async (tx) => {
+      const deletedOidcAuth = await identityOidcAuthDAL.delete({ identityId }, tx);
+      await identityDAL.updateById(identityId, { authMethod: null }, tx);
+      return { ...deletedOidcAuth?.[0], orgId: identityMembershipOrg.orgId };
+    });
+
+    return revokedIdentityOidcAuth;
+  };
+
+  return {
+    attachOidcAuth,
+    updateOidcAuth,
+    getOidcAuth,
+    revokeOidcAuth,
+    login
+  };
+};

backend/src/services/identity-oidc-auth/identity-oidc-auth-types.ts

@@ -0,0 +1,42 @@
+import { TProjectPermission } from "@app/lib/types";
+
+export type TAttachOidcAuthDTO = {
+  identityId: string;
+  oidcDiscoveryUrl: string;
+  caCert: string;
+  boundIssuer: string;
+  boundAudiences: string;
+  boundClaims: Record<string, string>;
+  boundSubject: string;
+  accessTokenTTL: number;
+  accessTokenMaxTTL: number;
+  accessTokenNumUsesLimit: number;
+  accessTokenTrustedIps: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TUpdateOidcAuthDTO = {
+  identityId: string;
+  oidcDiscoveryUrl?: string;
+  caCert?: string;
+  boundIssuer?: string;
+  boundAudiences?: string;
+  boundClaims?: Record<string, string>;
+  boundSubject?: string;
+  accessTokenTTL?: number;
+  accessTokenMaxTTL?: number;
+  accessTokenNumUsesLimit?: number;
+  accessTokenTrustedIps?: { ipAddress: string }[];
+} & Omit<TProjectPermission, "projectId">;
+
+export type TGetOidcAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;
+
+export type TLoginOidcAuthDTO = {
+  identityId: string;
+  jwt: string;
+};
+
+export type TRevokeOidcAuthDTO = {
+  identityId: string;
+} & Omit<TProjectPermission, "projectId">;

backend/src/services/identity-oidc-auth/identity-oidc-auth-validators.ts

@@ -0,0 +1,25 @@
+import { z } from "zod";
+
+export const validateOidcAuthAudiencesField = z
+  .string()
+  .trim()
+  .default("")
+  .transform((data) => {
+    if (data === "") return "";
+    return data
+      .split(",")
+      .map((id) => id.trim())
+      .join(", ");
+  });
+
+export const validateOidcBoundClaimsField = z.record(z.string()).transform((data) => {
+  const formattedClaims: Record<string, string> = {};
+  Object.keys(data).forEach((key) => {
+    formattedClaims[key] = data[key]
+      .split(",")
+      .map((id) => id.trim())
+      .join(", ");
+  });
+
+  return formattedClaims;
+});

backend/src/services/identity-project/identity-project-dal.ts

@@ -111,6 +111,7 @@ export const identityProjectDALFactory = (db: TDbClient) => {
     try {
       const docs = await (tx || db.replicaNode())(TableName.IdentityProjectMembership)
         .where(`${TableName.IdentityProjectMembership}.projectId`, projectId)
+        .join(TableName.Project, `${TableName.IdentityProjectMembership}.projectId`, `${TableName.Project}.id`)
         .join(TableName.Identity, `${TableName.IdentityProjectMembership}.identityId`, `${TableName.Identity}.id`)
         .where((qb) => {
           if (filter.identityId) {
@@ -149,12 +150,13 @@ export const identityProjectDALFactory = (db: TDbClient) => {
           db.ref("isTemporary").withSchema(TableName.IdentityProjectMembershipRole),
           db.ref("temporaryRange").withSchema(TableName.IdentityProjectMembershipRole),
           db.ref("temporaryAccessStartTime").withSchema(TableName.IdentityProjectMembershipRole),
-          db.ref("temporaryAccessEndTime").withSchema(TableName.IdentityProjectMembershipRole)
+          db.ref("temporaryAccessEndTime").withSchema(TableName.IdentityProjectMembershipRole),
+          db.ref("name").as("projectName").withSchema(TableName.Project)
         );
 
       const members = sqlNestRelationships({
         data: docs,
-        parentMapper: ({ identityId, identityName, identityAuthMethod, id, createdAt, updatedAt }) => ({
+        parentMapper: ({ identityId, identityName, identityAuthMethod, id, createdAt, updatedAt, projectName }) => ({
           id,
           identityId,
           createdAt,
@@ -163,6 +165,10 @@ export const identityProjectDALFactory = (db: TDbClient) => {
             id: identityId,
             name: identityName,
             authMethod: identityAuthMethod
+          },
+          project: {
+            id: projectId,
+            name: projectName
           }
         }),
         key: "id",

backend/src/services/integration-auth/integration-auth-service.ts

@@ -574,14 +574,14 @@ export const integrationAuthServiceFactory = ({
     const botKey = await projectBotService.getBotKey(integrationAuth.projectId);
     const { accessId, accessToken } = await getIntegrationAccessToken(integrationAuth, botKey);
 
-    AWS.config.update({
+    const kms = new AWS.KMS({
       region,
       credentials: {
         accessKeyId: String(accessId),
         secretAccessKey: accessToken
       }
     });
-    const kms = new AWS.KMS();
+
     const aliases = await kms.listAliases({}).promise();
 
     const keyAliases = aliases.Aliases!.filter((alias) => {

backend/src/services/kms/internal-kms-dal.ts

@@ -0,0 +1,10 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TInternalKmsDALFactory = ReturnType<typeof internalKmsDALFactory>;
+
+export const internalKmsDALFactory = (db: TDbClient) => {
+  const internalKmsOrm = ormify(db, TableName.InternalKms);
+  return internalKmsOrm;
+};

backend/src/services/kms/kms-dal.ts

@@ -1,10 +0,0 @@
-import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
-import { ormify } from "@app/lib/knex";
-
-export type TKmsDALFactory = ReturnType<typeof kmsDALFactory>;
-
-export const kmsDALFactory = (db: TDbClient) => {
-  const kmsOrm = ormify(db, TableName.KmsKey);
-  return kmsOrm;
-};

backend/src/services/kms/kms-key-dal.ts

@@ -0,0 +1,64 @@
+import { Knex } from "knex";
+
+import { TDbClient } from "@app/db";
+import { KmsKeysSchema, TableName } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
+
+export type TKmsKeyDALFactory = ReturnType<typeof kmskeyDALFactory>;
+
+export const kmskeyDALFactory = (db: TDbClient) => {
+  const kmsOrm = ormify(db, TableName.KmsKey);
+
+  const findByIdWithAssociatedKms = async (id: string, tx?: Knex) => {
+    try {
+      const result = await (tx || db.replicaNode())(TableName.KmsKey)
+        .where({ [`${TableName.KmsKey}.id` as "id"]: id })
+        .leftJoin(TableName.InternalKms, `${TableName.KmsKey}.id`, `${TableName.InternalKms}.kmsKeyId`)
+        .leftJoin(TableName.ExternalKms, `${TableName.KmsKey}.id`, `${TableName.ExternalKms}.kmsKeyId`)
+        .first()
+        .select(selectAllTableCols(TableName.KmsKey))
+        .select(
+          db.ref("id").withSchema(TableName.InternalKms).as("internalKmsId"),
+          db.ref("encryptedKey").withSchema(TableName.InternalKms).as("internalKmsEncryptedKey"),
+          db.ref("encryptionAlgorithm").withSchema(TableName.InternalKms).as("internalKmsEncryptionAlgorithm"),
+          db.ref("version").withSchema(TableName.InternalKms).as("internalKmsVersion"),
+          db.ref("id").withSchema(TableName.InternalKms).as("internalKmsId")
+        )
+        .select(
+          db.ref("id").withSchema(TableName.ExternalKms).as("externalKmsId"),
+          db.ref("provider").withSchema(TableName.ExternalKms).as("externalKmsProvider"),
+          db.ref("encryptedProviderInputs").withSchema(TableName.ExternalKms).as("externalKmsEncryptedProviderInput"),
+          db.ref("status").withSchema(TableName.ExternalKms).as("externalKmsStatus"),
+          db.ref("statusDetails").withSchema(TableName.ExternalKms).as("externalKmsStatusDetails")
+        );
+
+      const data = {
+        ...KmsKeysSchema.parse(result),
+        isExternal: Boolean(result?.externalKmsId),
+        externalKms: result?.externalKmsId
+          ? {
+              id: result.externalKmsId,
+              provider: result.externalKmsProvider,
+              encryptedProviderInput: result.externalKmsEncryptedProviderInput,
+              status: result.externalKmsStatus,
+              statusDetails: result.externalKmsStatusDetails
+            }
+          : undefined,
+        internalKms: result?.internalKmsId
+          ? {
+              id: result.internalKmsId,
+              encryptedKey: result.internalKmsEncryptedKey,
+              encryptionAlgorithm: result.internalKmsEncryptionAlgorithm,
+              version: result.internalKmsVersion
+            }
+          : undefined
+      };
+      return data;
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find by id" });
+    }
+  };
+
+  return { ...kmsOrm, findByIdWithAssociatedKms };
+};

backend/src/services/kms/kms-service.ts

@@ -1,18 +1,34 @@
+import slugify from "@sindresorhus/slugify";
+import { Knex } from "knex";
+
 import { TKeyStoreFactory } from "@app/keystore/keystore";
 import { getConfig } from "@app/lib/config/env";
 import { randomSecureBytes } from "@app/lib/crypto";
 import { symmetricCipherService, SymmetricEncryption } from "@app/lib/crypto/cipher";
 import { BadRequestError } from "@app/lib/errors";
 import { logger } from "@app/lib/logger";
+import { alphaNumericNanoId } from "@app/lib/nanoid";
 
-import { TKmsDALFactory } from "./kms-dal";
+import { TOrgDALFactory } from "../org/org-dal";
+import { TProjectDALFactory } from "../project/project-dal";
+import { TInternalKmsDALFactory } from "./internal-kms-dal";
+import { TKmsKeyDALFactory } from "./kms-key-dal";
 import { TKmsRootConfigDALFactory } from "./kms-root-config-dal";
-import { TDecryptWithKmsDTO, TEncryptWithKmsDTO, TGenerateKMSDTO } from "./kms-types";
+import {
+  TDecryptWithKeyDTO,
+  TDecryptWithKmsDTO,
+  TEncryptionWithKeyDTO,
+  TEncryptWithKmsDTO,
+  TGenerateKMSDTO
+} from "./kms-types";
 
 type TKmsServiceFactoryDep = {
-  kmsDAL: TKmsDALFactory;
+  kmsDAL: TKmsKeyDALFactory;
+  projectDAL: Pick<TProjectDALFactory, "findById" | "updateById" | "transaction">;
+  orgDAL: Pick<TOrgDALFactory, "findById" | "updateById" | "transaction">;
   kmsRootConfigDAL: Pick<TKmsRootConfigDALFactory, "findById" | "create">;
   keyStore: Pick<TKeyStoreFactory, "acquireLock" | "waitTillReady" | "setItemWithExpiry">;
+  internalKmsDAL: Pick<TInternalKmsDALFactory, "create">;
 };
 
 export type TKmsServiceFactory = ReturnType<typeof kmsServiceFactory>;
@@ -25,54 +41,161 @@ const KMS_ROOT_CREATION_WAIT_TIME = 10;
 // akhilmhdh: Don't edit this value. This is measured for blob concatination in kms
 const KMS_VERSION = "v01";
 const KMS_VERSION_BLOB_LENGTH = 3;
-export const kmsServiceFactory = ({ kmsDAL, kmsRootConfigDAL, keyStore }: TKmsServiceFactoryDep) => {
+export const kmsServiceFactory = ({
+  kmsDAL,
+  kmsRootConfigDAL,
+  keyStore,
+  internalKmsDAL,
+  orgDAL,
+  projectDAL
+}: TKmsServiceFactoryDep) => {
   let ROOT_ENCRYPTION_KEY = Buffer.alloc(0);
 
   // this is used symmetric encryption
-  const generateKmsKey = async ({ scopeId, scopeType, isReserved = true, tx }: TGenerateKMSDTO) => {
+  const generateKmsKey = async ({ orgId, isReserved = true, tx, slug }: TGenerateKMSDTO) => {
     const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
     const kmsKeyMaterial = randomSecureBytes(32);
     const encryptedKeyMaterial = cipher.encrypt(kmsKeyMaterial, ROOT_ENCRYPTION_KEY);
+    const sanitizedSlug = slug ? slugify(slug) : slugify(alphaNumericNanoId(8).toLowerCase());
+    const dbQuery = async (db: Knex) => {
+      const kmsDoc = await kmsDAL.create(
+        {
+          slug: sanitizedSlug,
+          orgId,
+          isReserved
+        },
+        db
+      );
 
-    const { encryptedKey, ...doc } = await kmsDAL.create(
+      await internalKmsDAL.create(
-      {
+        {
-        version: 1,
+          version: 1,
-        encryptedKey: encryptedKeyMaterial,
+          encryptedKey: encryptedKeyMaterial,
-        encryptionAlgorithm: SymmetricEncryption.AES_GCM_256,
+          encryptionAlgorithm: SymmetricEncryption.AES_GCM_256,
-        isReserved,
+          kmsKeyId: kmsDoc.id
-        orgId: scopeType === "org" ? scopeId : undefined,
+        },
-        projectId: scopeType === "project" ? scopeId : undefined
+        db
-      },
+      );
-      tx
+      return kmsDoc;
-    );
+    };
+    if (tx) return dbQuery(tx);
+    const doc = await kmsDAL.transaction(async (tx2) => dbQuery(tx2));
     return doc;
   };
 
-  const encrypt = async ({ kmsId, plainText }: TEncryptWithKmsDTO) => {
+  const encryptWithKmsKey = async ({ kmsId }: Omit<TEncryptWithKmsDTO, "plainText">) => {
-    const kmsDoc = await kmsDAL.findById(kmsId);
+    const kmsDoc = await kmsDAL.findByIdWithAssociatedKms(kmsId);
     if (!kmsDoc) throw new BadRequestError({ message: "KMS ID not found" });
     // akhilmhdh: as more encryption are added do a check here on kmsDoc.encryptionAlgorithm
     const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+    return ({ plainText }: Pick<TEncryptWithKmsDTO, "plainText">) => {
+      const kmsKey = cipher.decrypt(kmsDoc.internalKms?.encryptedKey as Buffer, ROOT_ENCRYPTION_KEY);
+      const encryptedPlainTextBlob = cipher.encrypt(plainText, kmsKey);
 
-    const kmsKey = cipher.decrypt(kmsDoc.encryptedKey, ROOT_ENCRYPTION_KEY);
+      // Buffer#1 encrypted text + Buffer#2 version number
-    const encryptedPlainTextBlob = cipher.encrypt(plainText, kmsKey);
+      const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
-
+      const cipherTextBlob = Buffer.concat([encryptedPlainTextBlob, versionBlob]);
-    // Buffer#1 encrypted text + Buffer#2 version number
+      return { cipherTextBlob };
-    const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
+    };
-    const cipherTextBlob = Buffer.concat([encryptedPlainTextBlob, versionBlob]);
-    return { cipherTextBlob };
   };
 
-  const decrypt = async ({ cipherTextBlob: versionedCipherTextBlob, kmsId }: TDecryptWithKmsDTO) => {
+  const encryptWithInputKey = async ({ key }: Omit<TEncryptionWithKeyDTO, "plainText">) => {
-    const kmsDoc = await kmsDAL.findById(kmsId);
-    if (!kmsDoc) throw new BadRequestError({ message: "KMS ID not found" });
     // akhilmhdh: as more encryption are added do a check here on kmsDoc.encryptionAlgorithm
     const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
-    const kmsKey = cipher.decrypt(kmsDoc.encryptedKey, ROOT_ENCRYPTION_KEY);
+    return ({ plainText }: Pick<TEncryptWithKmsDTO, "plainText">) => {
+      const encryptedPlainTextBlob = cipher.encrypt(plainText, key);
+      // Buffer#1 encrypted text + Buffer#2 version number
+      const versionBlob = Buffer.from(KMS_VERSION, "utf8"); // length is 3
+      const cipherTextBlob = Buffer.concat([encryptedPlainTextBlob, versionBlob]);
+      return { cipherTextBlob };
+    };
+  };
 
-    const cipherTextBlob = versionedCipherTextBlob.subarray(0, -KMS_VERSION_BLOB_LENGTH);
+  const decryptWithKmsKey = async ({ kmsId }: Omit<TDecryptWithKmsDTO, "cipherTextBlob">) => {
-    const decryptedBlob = cipher.decrypt(cipherTextBlob, kmsKey);
+    const kmsDoc = await kmsDAL.findByIdWithAssociatedKms(kmsId);
-    return decryptedBlob;
+    if (!kmsDoc) throw new BadRequestError({ message: "KMS ID not found" });
+    const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+    const kmsKey = cipher.decrypt(kmsDoc.internalKms?.encryptedKey as Buffer, ROOT_ENCRYPTION_KEY);
+
+    return ({ cipherTextBlob: versionedCipherTextBlob }: Pick<TDecryptWithKmsDTO, "cipherTextBlob">) => {
+      const cipherTextBlob = versionedCipherTextBlob.subarray(0, -KMS_VERSION_BLOB_LENGTH);
+      const decryptedBlob = cipher.decrypt(cipherTextBlob, kmsKey);
+      return decryptedBlob;
+    };
+  };
+
+  const decryptWithInputKey = async ({ key }: Omit<TDecryptWithKeyDTO, "cipherTextBlob">) => {
+    const cipher = symmetricCipherService(SymmetricEncryption.AES_GCM_256);
+
+    return ({ cipherTextBlob: versionedCipherTextBlob }: Pick<TDecryptWithKeyDTO, "cipherTextBlob">) => {
+      const cipherTextBlob = versionedCipherTextBlob.subarray(0, -KMS_VERSION_BLOB_LENGTH);
+      const decryptedBlob = cipher.decrypt(cipherTextBlob, key);
+      return decryptedBlob;
+    };
+  };
+
+  const getOrgKmsKeyId = async (orgId: string) => {
+    const keyId = await orgDAL.transaction(async (tx) => {
+      const org = await orgDAL.findById(orgId, tx);
+      if (!org) {
+        throw new BadRequestError({ message: "Org not found" });
+      }
+
+      if (!org.kmsDefaultKeyId) {
+        // create default kms key for certificate service
+        const key = await generateKmsKey({
+          isReserved: true,
+          orgId: org.id,
+          tx
+        });
+
+        await orgDAL.updateById(
+          org.id,
+          {
+            kmsDefaultKeyId: key.id
+          },
+          tx
+        );
+
+        return key.id;
+      }
+
+      return org.kmsDefaultKeyId;
+    });
+
+    return keyId;
+  };
+
+  const getProjectSecretManagerKmsKeyId = async (projectId: string) => {
+    const keyId = await projectDAL.transaction(async (tx) => {
+      const project = await projectDAL.findById(projectId, tx);
+      if (!project) {
+        throw new BadRequestError({ message: "Project not found" });
+      }
+
+      if (!project.kmsSecretManagerKeyId) {
+        // create default kms key for certificate service
+        const key = await generateKmsKey({
+          isReserved: true,
+          orgId: project.orgId,
+          tx
+        });
+
+        await projectDAL.updateById(
+          projectId,
+          {
+            kmsSecretManagerKeyId: key.id
+          },
+          tx
+        );
+
+        return key.id;
+      }
+
+      return project.kmsSecretManagerKeyId;
+    });
+
+    return keyId;
   };
 
   const startService = async () => {
@@ -123,7 +246,11 @@ export const kmsServiceFactory = ({ kmsDAL, kmsRootConfigDAL, keyStore }: TKmsSe
   return {
     startService,
     generateKmsKey,
-    encrypt,
+    encryptWithKmsKey,
-    decrypt
+    encryptWithInputKey,
+    decryptWithKmsKey,
+    decryptWithInputKey,
+    getOrgKmsKeyId,
+    getProjectSecretManagerKmsKeyId
   };
 };

backend/src/services/kms/kms-types.ts

@@ -1,9 +1,9 @@
 import { Knex } from "knex";
 
 export type TGenerateKMSDTO = {
-  scopeType: "project" | "org";
+  orgId: string;
-  scopeId: string;
   isReserved?: boolean;
+  slug?: string;
   tx?: Knex;
 };
 
@@ -12,7 +12,17 @@ export type TEncryptWithKmsDTO = {
   plainText: Buffer;
 };
 
+export type TEncryptionWithKeyDTO = {
+  key: Buffer;
+  plainText: Buffer;
+};
+
 export type TDecryptWithKmsDTO = {
   kmsId: string;
   cipherTextBlob: Buffer;
 };
+
+export type TDecryptWithKeyDTO = {
+  key: Buffer;
+  cipherTextBlob: Buffer;
+};

backend/src/services/org-membership/org-membership-dal.ts

@@ -1,5 +1,6 @@
 import { TDbClient } from "@app/db";
-import { TableName } from "@app/db/schemas";
+import { TableName, TUserEncryptionKeys } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
 import { ormify } from "@app/lib/knex";
 
 export type TOrgMembershipDALFactory = ReturnType<typeof orgMembershipDALFactory>;
@@ -7,7 +8,51 @@ export type TOrgMembershipDALFactory = ReturnType<typeof orgMembershipDALFactory
 export const orgMembershipDALFactory = (db: TDbClient) => {
   const orgMembershipOrm = ormify(db, TableName.OrgMembership);
 
+  const findOrgMembershipById = async (membershipId: string) => {
+    try {
+      const member = await db
+        .replicaNode()(TableName.OrgMembership)
+        .where(`${TableName.OrgMembership}.id`, membershipId)
+        .join(TableName.Users, `${TableName.OrgMembership}.userId`, `${TableName.Users}.id`)
+        .leftJoin<TUserEncryptionKeys>(
+          TableName.UserEncryptionKey,
+          `${TableName.UserEncryptionKey}.userId`,
+          `${TableName.Users}.id`
+        )
+        .select(
+          db.ref("id").withSchema(TableName.OrgMembership),
+          db.ref("inviteEmail").withSchema(TableName.OrgMembership),
+          db.ref("orgId").withSchema(TableName.OrgMembership),
+          db.ref("role").withSchema(TableName.OrgMembership),
+          db.ref("roleId").withSchema(TableName.OrgMembership),
+          db.ref("status").withSchema(TableName.OrgMembership),
+          db.ref("isActive").withSchema(TableName.OrgMembership),
+          db.ref("email").withSchema(TableName.Users),
+          db.ref("username").withSchema(TableName.Users),
+          db.ref("firstName").withSchema(TableName.Users),
+          db.ref("lastName").withSchema(TableName.Users),
+          db.ref("isEmailVerified").withSchema(TableName.Users),
+          db.ref("id").withSchema(TableName.Users).as("userId"),
+          db.ref("publicKey").withSchema(TableName.UserEncryptionKey)
+        )
+        .where({ isGhost: false }) // MAKE SURE USER IS NOT A GHOST USER
+        .first();
+
+      if (!member) return undefined;
+
+      const { email, isEmailVerified, username, firstName, lastName, userId, publicKey, ...data } = member;
+
+      return {
+        ...data,
+        user: { email, isEmailVerified, username, firstName, lastName, id: userId, publicKey }
+      };
+    } catch (error) {
+      throw new DatabaseError({ error, name: "Find org membership by id" });
+    }
+  };
+
   return {
-    ...orgMembershipOrm
+    ...orgMembershipOrm,
+    findOrgMembershipById
   };
 };