feat(api): add claims_expression parameter to sso_configurations create and update

stainless-app[bot] · stainless-app[bot] · commit d484eb4c9847 · 2026-03-30T18:57:03.000Z
diff --git a/.stats.yml b/.stats.yml
@@ -1,4 +1,4 @@
 configured_endpoints: 193
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/gitpod%2Fgitpod-1de1f598d14617efe8f8a2034e5eb7bbdc802c6a51585aa90800c45c51097d1d.yml
-openapi_spec_hash: 6404715e9e40c26063077beb5fde7f2a
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/gitpod%2Fgitpod-86397010ee4d38791a16758fd0668c48c3c6c0c552e0aca553e78250eb452f97.yml
+openapi_spec_hash: 32003ebf118835677522e0d0166b8200
 config_hash: 832c76d9cd88fc815f872ad64998911a
diff --git a/src/gitpod/resources/organizations/sso_configurations.py b/src/gitpod/resources/organizations/sso_configurations.py
@@ -63,6 +63,7 @@ def create(
         issuer_url: str,
         organization_id: str,
         additional_scopes: SequenceNotStr[str] | Omit = omit,
+        claims_expression: Optional[str] | Omit = omit,
         display_name: str | Omit = omit,
         email_domain: Optional[str] | Omit = omit,
         email_domains: SequenceNotStr[str] | Omit = omit,
@@ -120,6 +121,11 @@ def create(
               during sign-in. These are appended to the default scopes (openid, email,
               profile).
 
+          claims_expression: claims_expression is an optional CEL expression evaluated against OIDC token
+              claims during login. When set, the expression must evaluate to true for the
+              login to succeed. Example:
+              `claims.email_verified && claims.email.endsWith("@example.com")`
+
           email_domain: email_domain is the domain that is allowed to sign in to the organization
 
           extra_headers: Send extra headers
@@ -139,6 +145,7 @@ def create(
                     "issuer_url": issuer_url,
                     "organization_id": organization_id,
                     "additional_scopes": additional_scopes,
+                    "claims_expression": claims_expression,
                     "display_name": display_name,
                     "email_domain": email_domain,
                     "email_domains": email_domains,
@@ -210,6 +217,7 @@ def update(
         sso_configuration_id: str,
         additional_scopes: Optional[AdditionalScopesUpdateParam] | Omit = omit,
         claims: Dict[str, str] | Omit = omit,
+        claims_expression: Optional[str] | Omit = omit,
         client_id: Optional[str] | Omit = omit,
         client_secret: Optional[str] | Omit = omit,
         display_name: Optional[str] | Omit = omit,
@@ -265,6 +273,10 @@ def update(
 
           claims: claims are key/value pairs that defines a mapping of claims issued by the IdP.
 
+          claims_expression: claims_expression is a CEL expression evaluated against OIDC token claims during
+              login. When set, the expression must evaluate to true for the login to succeed.
+              When present with an empty string, the expression is cleared.
+
           client_id: client_id is the client ID of the SSO provider
 
           client_secret: client_secret is the client secret of the SSO provider
@@ -288,6 +300,7 @@ def update(
                     "sso_configuration_id": sso_configuration_id,
                     "additional_scopes": additional_scopes,
                     "claims": claims,
+                    "claims_expression": claims_expression,
                     "client_id": client_id,
                     "client_secret": client_secret,
                     "display_name": display_name,
@@ -469,6 +482,7 @@ async def create(
         issuer_url: str,
         organization_id: str,
         additional_scopes: SequenceNotStr[str] | Omit = omit,
+        claims_expression: Optional[str] | Omit = omit,
         display_name: str | Omit = omit,
         email_domain: Optional[str] | Omit = omit,
         email_domains: SequenceNotStr[str] | Omit = omit,
@@ -526,6 +540,11 @@ async def create(
               during sign-in. These are appended to the default scopes (openid, email,
               profile).
 
+          claims_expression: claims_expression is an optional CEL expression evaluated against OIDC token
+              claims during login. When set, the expression must evaluate to true for the
+              login to succeed. Example:
+              `claims.email_verified && claims.email.endsWith("@example.com")`
+
           email_domain: email_domain is the domain that is allowed to sign in to the organization
 
           extra_headers: Send extra headers
@@ -545,6 +564,7 @@ async def create(
                     "issuer_url": issuer_url,
                     "organization_id": organization_id,
                     "additional_scopes": additional_scopes,
+                    "claims_expression": claims_expression,
                     "display_name": display_name,
                     "email_domain": email_domain,
                     "email_domains": email_domains,
@@ -616,6 +636,7 @@ async def update(
         sso_configuration_id: str,
         additional_scopes: Optional[AdditionalScopesUpdateParam] | Omit = omit,
         claims: Dict[str, str] | Omit = omit,
+        claims_expression: Optional[str] | Omit = omit,
         client_id: Optional[str] | Omit = omit,
         client_secret: Optional[str] | Omit = omit,
         display_name: Optional[str] | Omit = omit,
@@ -671,6 +692,10 @@ async def update(
 
           claims: claims are key/value pairs that defines a mapping of claims issued by the IdP.
 
+          claims_expression: claims_expression is a CEL expression evaluated against OIDC token claims during
+              login. When set, the expression must evaluate to true for the login to succeed.
+              When present with an empty string, the expression is cleared.
+
           client_id: client_id is the client ID of the SSO provider
 
           client_secret: client_secret is the client secret of the SSO provider
@@ -694,6 +719,7 @@ async def update(
                     "sso_configuration_id": sso_configuration_id,
                     "additional_scopes": additional_scopes,
                     "claims": claims,
+                    "claims_expression": claims_expression,
                     "client_id": client_id,
                     "client_secret": client_secret,
                     "display_name": display_name,
diff --git a/src/gitpod/types/organizations/sso_configuration.py b/src/gitpod/types/organizations/sso_configuration.py
@@ -35,6 +35,15 @@ class SSOConfiguration(BaseModel):
     claims: Optional[Dict[str, str]] = None
     """claims are key/value pairs that defines a mapping of claims issued by the IdP."""
 
+    claims_expression: Optional[str] = FieldInfo(alias="claimsExpression", default=None)
+    """
+    claims_expression is a CEL (Common Expression Language) expression evaluated
+    against the OIDC token claims during login. When set, the expression must
+    evaluate to true for the login to succeed. The expression has access to a
+    `claims` variable containing all token claims as a map. Example:
+    `claims.email_verified && claims.email.endsWith("@example.com")`
+    """
+
     client_id: Optional[str] = FieldInfo(alias="clientId", default=None)
     """client_id is the client ID of the OIDC application set on the IdP"""
 
diff --git a/src/gitpod/types/organizations/sso_configuration_create_params.py b/src/gitpod/types/organizations/sso_configuration_create_params.py
@@ -30,6 +30,14 @@ class SSOConfigurationCreateParams(TypedDict, total=False):
     profile).
     """
 
+    claims_expression: Annotated[Optional[str], PropertyInfo(alias="claimsExpression")]
+    """
+    claims_expression is an optional CEL expression evaluated against OIDC token
+    claims during login. When set, the expression must evaluate to true for the
+    login to succeed. Example:
+    `claims.email_verified && claims.email.endsWith("@example.com")`
+    """
+
     display_name: Annotated[str, PropertyInfo(alias="displayName")]
 
     email_domain: Annotated[Optional[str], PropertyInfo(alias="emailDomain")]
diff --git a/src/gitpod/types/organizations/sso_configuration_update_params.py b/src/gitpod/types/organizations/sso_configuration_update_params.py
@@ -27,6 +27,13 @@ class SSOConfigurationUpdateParams(TypedDict, total=False):
     claims: Dict[str, str]
     """claims are key/value pairs that defines a mapping of claims issued by the IdP."""
 
+    claims_expression: Annotated[Optional[str], PropertyInfo(alias="claimsExpression")]
+    """
+    claims_expression is a CEL expression evaluated against OIDC token claims during
+    login. When set, the expression must evaluate to true for the login to succeed.
+    When present with an empty string, the expression is cleared.
+    """
+
     client_id: Annotated[Optional[str], PropertyInfo(alias="clientId")]
     """client_id is the client ID of the SSO provider"""
 
diff --git a/tests/api_resources/organizations/test_sso_configurations.py b/tests/api_resources/organizations/test_sso_configurations.py
@@ -42,6 +42,7 @@ def test_method_create_with_all_params(self, client: Gitpod) -> None:
             issuer_url="https://accounts.google.com",
             organization_id="b0e12f6c-4c67-429d-a4a6-d9838b5da047",
             additional_scopes=["x"],
+            claims_expression="claimsExpression",
             display_name="displayName",
             email_domain="acme-corp.com",
             email_domains=["sfN2.l.iJR-BU.u9JV9.a.m.o2D-4b-Jd.0Z-kX.L.n.S.f.UKbxB"],
@@ -129,6 +130,7 @@ def test_method_update_with_all_params(self, client: Gitpod) -> None:
             sso_configuration_id="d2c94c27-3b76-4a42-b88c-95a85e392c68",
             additional_scopes={"scopes": ["x"]},
             claims={"foo": "string"},
+            claims_expression="claimsExpression",
             client_id="new-client-id",
             client_secret="new-client-secret",
             display_name="displayName",
@@ -273,6 +275,7 @@ async def test_method_create_with_all_params(self, async_client: AsyncGitpod) ->
             issuer_url="https://accounts.google.com",
             organization_id="b0e12f6c-4c67-429d-a4a6-d9838b5da047",
             additional_scopes=["x"],
+            claims_expression="claimsExpression",
             display_name="displayName",
             email_domain="acme-corp.com",
             email_domains=["sfN2.l.iJR-BU.u9JV9.a.m.o2D-4b-Jd.0Z-kX.L.n.S.f.UKbxB"],
@@ -360,6 +363,7 @@ async def test_method_update_with_all_params(self, async_client: AsyncGitpod) ->
             sso_configuration_id="d2c94c27-3b76-4a42-b88c-95a85e392c68",
             additional_scopes={"scopes": ["x"]},
             claims={"foo": "string"},
+            claims_expression="claimsExpression",
             client_id="new-client-id",
             client_secret="new-client-secret",
             display_name="displayName",
