feat(core,console,schemas): add interaction context to custom claims (#7437)

* feat(core,console,schemas): add interaction context to custom claims

add user interaction context to the custom token claims script

* fix(schemas): refine the context type

refine the context type

* fix(core): add jsonGuard swagger transformer

add jsonGuard swagger transformer

* chore(test): add interaction context to sample jwt customizer

add interaction context to sample jwt customizer

* refactor(test): update get access token test case

update get access token integration test case

* fix(test): add dev feature guard to test case

add dev feature guard to test case

Author: simeng-li

packages/console/scripts/generate-jwt-customizer-type-definition.ts

@@ -5,6 +5,7 @@ import {
   clientCredentialsPayloadGuard,
   jwtCustomizerGrantContextGuard,
   jwtCustomizerUserContextGuard,
+  jwtCustomizerUserInteractionContextGuard,
 } from '@logto/schemas';
 import prettier from 'prettier';
 import { type ZodTypeAny } from 'zod';
@@ -17,6 +18,7 @@ const filePath = 'src/consts/jwt-customizer-type-definition.ts';
 const typeIdentifiers = `export enum JwtCustomizerTypeDefinitionKey {
   JwtCustomizerUserContext = 'JwtCustomizerUserContext',
   JwtCustomizerGrantContext = 'JwtCustomizerGrantContext',
+  JwtCustomizerUserInteractionContext = 'JwtCustomizerUserInteractionContext',
   AccessTokenPayload = 'AccessTokenPayload',
   ClientCredentialsPayload = 'ClientCredentialsPayload',
   EnvironmentVariables = 'EnvironmentVariables',
@@ -41,6 +43,30 @@ const inferTsDefinitionFromZod = (zodSchema: ZodTypeAny, identifier: string): st
   return `type ${identifier} = ${typeDefinition};`;
 };
 
+/**
+ * EnterpriseSsoUserInfo zod guard uses `catchall(jsonGuard)` to extend the type to allow any additional properties.
+ * However, the `catchall()` schema is not recognized by zod-to-ts,
+ * so it will not generate the index signature for the type.
+ * To fix this, we manually add the index signature to the type definition.
+ *
+ * Map the `enterpriseSsoUserInfo?: { ... } | undefined;` to
+ * `enterpriseSsoUserInfo?: { ...; [k: string]?: unknown; } | undefined;`
+ */
+const addIndexSignatureToEnterpriseSsoUserInfo = (source: string) => {
+  // 1. Capture in segments: prefix = "enterpriseSsoUserInfo?: {"
+  //    body   = {...original properties...}
+  //    suffix = "} | undefined;" (may include a semicolon/space)
+  const blockReg = /(\benterpriseSsoUserInfo\?\s*:\s*{)([\S\s]*?)(}\s*\|\s*undefined\s*;?)/g;
+
+  return source.replaceAll(blockReg, (full, prefix: string, body: string, suffix: string) => {
+    // 2. Add the fallback index signature to the body
+    const indent = '    ';
+    const addition = `${indent}[k: string]?: unknown;\n`;
+
+    return `${prefix}${body}${addition}${suffix}`;
+  });
+};
+
 // Create the jwt-customizer-type-definition.ts file
 const createJwtCustomizerTypeDefinitions = async () => {
   const jwtCustomizerUserContextTypeDefinition = inferTsDefinitionFromZod(
@@ -53,6 +79,14 @@ const createJwtCustomizerTypeDefinitions = async () => {
     'JwtCustomizerGrantContext'
   );
 
+  const jwtCustomizerUserInteractionContextTypeDefinition =
+    addIndexSignatureToEnterpriseSsoUserInfo(
+      inferTsDefinitionFromZod(
+        jwtCustomizerUserInteractionContextGuard,
+        'JwtCustomizerUserInteractionContext'
+      )
+    );
+
   const accessTokenPayloadTypeDefinition = inferTsDefinitionFromZod(
     accessTokenPayloadGuard,
     'AccessTokenPayload'
@@ -70,6 +104,8 @@ export const jwtCustomizerUserContextTypeDefinition = \`${jwtCustomizerUserConte
 
 export const jwtCustomizerGrantContextTypeDefinition = \`${jwtCustomizerGrantContextTypeDefinition}\`;
 
+export const jwtCustomizerUserInteractionContextTypeDefinition = \`${jwtCustomizerUserInteractionContextTypeDefinition}\`;
+
 export const accessTokenPayloadTypeDefinition = \`${accessTokenPayloadTypeDefinition}\`;
 
 export const clientCredentialsPayloadTypeDefinition = \`${clientCredentialsPayloadTypeDefinition}\`;

packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/InstructionTab/GuideCard/index.tsx

@@ -10,6 +10,7 @@ import styles from './index.module.scss';
 export enum CardType {
   UserData = 'user_data',
   GrantData = 'grant_data',
+  InteractionData = 'interaction_data',
   TokenData = 'token_data',
   FetchExternalData = 'fetch_external_data',
   EnvironmentVariables = 'environment_variables',

packages/console/src/pages/CustomizeJwtDetails/MainContent/SettingsSection/InstructionTab/index.tsx

@@ -5,6 +5,7 @@ import { useState } from 'react';
 import { useFormContext } from 'react-hook-form';
 import { useTranslation } from 'react-i18next';
 
+import { isDevFeaturesEnabled } from '@/consts/env';
 import { type JwtCustomizerForm } from '@/pages/CustomizeJwtDetails/type';
 import {
   denyAccessCodeExample,
@@ -18,6 +19,7 @@ import {
   clientCredentialsPayloadTypeDefinition,
   jwtCustomizerUserContextTypeDefinition,
   jwtCustomizerGrantContextTypeDefinition,
+  jwtCustomizerUserInteractionContextTypeDefinition,
 } from '@/pages/CustomizeJwtDetails/utils/type-definitions';
 
 import tabContentStyles from '../index.module.scss';
@@ -97,6 +99,24 @@ function InstructionTab({ isActive }: Props) {
           />
         </GuideCard>
       )}
+      {tokenType === LogtoJwtTokenKeyType.AccessToken && isDevFeaturesEnabled && (
+        <GuideCard
+          name={CardType.InteractionData}
+          isExpanded={expendCard === CardType.InteractionData}
+          setExpanded={(expand) => {
+            setExpendCard(expand ? CardType.InteractionData : undefined);
+          }}
+        >
+          <Editor
+            language="typescript"
+            className={styles.sampleCode}
+            value={`declare ${jwtCustomizerUserInteractionContextTypeDefinition}`}
+            height="400px"
+            theme="logto-dark"
+            options={typeDefinitionCodeEditorOptions}
+          />
+        </GuideCard>
+      )}
       <GuideCard
         name={CardType.FetchExternalData}
         isExpanded={expendCard === CardType.FetchExternalData}

packages/console/src/pages/CustomizeJwtDetails/utils/config.tsx

@@ -4,11 +4,15 @@ import {
   type ClientCredentialsPayload,
   type JwtCustomizerUserContext,
   type JwtCustomizerGrantContext,
+  type JwtCustomizerUserInteractionContext,
+  InteractionEvent,
 } from '@logto/schemas';
 import { type EditorProps } from '@monaco-editor/react';
+import { conditional } from '@silverhand/essentials';
 
 import TokenFileIcon from '@/assets/icons/token-file-icon.svg?react';
 import UserFileIcon from '@/assets/icons/user-file-icon.svg?react';
+import { isDevFeaturesEnabled } from '@/consts/env.js';
 
 import type { ModelSettings } from '../MainContent/MonacoCodeEditor/type.js';
 
@@ -29,6 +33,8 @@ declare interface CustomJwtClaims extends Record<string, any> {}
 /** Logto internal data that can be used to pass additional information
  * 
  * @param {${JwtCustomizerTypeDefinitionKey.JwtCustomizerUserContext}} user - The user info associated with the token.
+ * @param {${JwtCustomizerTypeDefinitionKey.JwtCustomizerGrantContext}} [grant] - The grant context associated with the token.
+ * @param {${JwtCustomizerTypeDefinitionKey.JwtCustomizerUserInteractionContext}} [interaction] - The user interaction context associated with the token.
  */
 declare type Context = {
   /**
@@ -39,6 +45,10 @@ declare type Context = {
    * The grant context associated with the token.
    */
   grant?: ${JwtCustomizerTypeDefinitionKey.JwtCustomizerGrantContext};
+  /**
+   * The user interaction context associated with the token.
+   */
+  interaction?: ${JwtCustomizerTypeDefinitionKey.JwtCustomizerUserInteractionContext};
 }
 
 declare type Payload = {
@@ -51,6 +61,7 @@ declare type Payload = {
    *
    * @params {${JwtCustomizerTypeDefinitionKey.JwtCustomizerUserContext}} user
    * @params {${JwtCustomizerTypeDefinitionKey.JwtCustomizerGrantContext}} [grant]
+   * @params {${JwtCustomizerTypeDefinitionKey.JwtCustomizerUserInteractionContext}} [interaction]
    */
   context: Context;
   /**
@@ -256,9 +267,15 @@ const defaultGrantContext: Partial<JwtCustomizerGrantContext> = {
   },
 };
 
+const defaultUserInteractionContext: Partial<JwtCustomizerUserInteractionContext> = {
+  interactionEvent: InteractionEvent.SignIn,
+  userId: '123',
+};
+
 export const defaultUserTokenContextData = {
   user: defaultUserContext,
   grant: defaultGrantContext,
+  ...conditional(isDevFeaturesEnabled && { interaction: defaultUserInteractionContext }),
 };
 
 export const accessTokenPayloadTestModel: ModelSettings = {

packages/console/src/pages/CustomizeJwtDetails/utils/type-definitions.ts

@@ -4,6 +4,7 @@ import {
   clientCredentialsPayloadTypeDefinition,
   jwtCustomizerUserContextTypeDefinition,
   jwtCustomizerGrantContextTypeDefinition,
+  jwtCustomizerUserInteractionContextTypeDefinition,
   jwtCustomizerApiContextTypeDefinition,
 } from '@/consts/jwt-customizer-type-definition';
 
@@ -15,6 +16,7 @@ export {
   clientCredentialsPayloadTypeDefinition,
   jwtCustomizerUserContextTypeDefinition,
   jwtCustomizerGrantContextTypeDefinition,
+  jwtCustomizerUserInteractionContextTypeDefinition,
 } from '@/consts/jwt-customizer-type-definition';
 
 export const buildAccessTokenJwtCustomizerContextTsDefinition = () => {
@@ -24,7 +26,9 @@ export const buildAccessTokenJwtCustomizerContextTsDefinition = () => {
 
   declare ${jwtCustomizerApiContextTypeDefinition}
 
-  declare ${accessTokenPayloadTypeDefinition}`;
+  declare ${accessTokenPayloadTypeDefinition}
+  
+  declare ${jwtCustomizerUserInteractionContextTypeDefinition}`;
 };
 
 export const buildClientCredentialsJwtCustomizerContextTsDefinition = () =>

packages/core/src/oidc/extra-token-claims.ts

@@ -7,11 +7,17 @@ import {
   type CustomJwtFetcher,
   GrantType,
   CustomJwtErrorCode,
+  jwtCustomizerUserInteractionContextGuard,
 } from '@logto/schemas';
 import { generateStandardId } from '@logto/shared';
 import { conditional, trySafe } from '@silverhand/essentials';
 import { ResponseError } from '@withtyped/client';
-import { errors, type KoaContextWithOIDC, type UnknownObject } from 'oidc-provider';
+import {
+  type AccessToken,
+  errors,
+  type KoaContextWithOIDC,
+  type UnknownObject,
+} from 'oidc-provider';
 import { z } from 'zod';
 
 import { EnvSet } from '#src/env-set/index.js';
@@ -84,6 +90,42 @@ export const getExtraTokenClaimsForTokenExchange = async (
   return result.data;
 };
 
+/**
+ * Retrieves the user's lasted submitted interaction data from the OIDC session extension.
+ *
+ * @returns The formatted interaction data if available for the given session UID and account ID.
+ *  Otherwise, returns `undefined`.
+ *
+ */
+const getInteractionLastSubmission = async (
+  queries: Queries,
+  { accountId, sessionUid }: AccessToken
+) => {
+  if (!EnvSet.values.isDevFeaturesEnabled) {
+    return;
+  }
+
+  // Session UID and account ID are required to fetch the interaction data.
+  if (!accountId || !sessionUid) {
+    return;
+  }
+
+  const { oidcSessionExtensions } = queries;
+  const sessionExtension = await oidcSessionExtensions.findBySessionUid(sessionUid);
+  if (!sessionExtension || sessionExtension.accountId !== accountId) {
+    return;
+  }
+
+  const { lastSubmission } = sessionExtension;
+  const interactionData = jwtCustomizerUserInteractionContextGuard.safeParse(lastSubmission);
+
+  if (!interactionData.success) {
+    return;
+  }
+
+  return interactionData.data;
+};
+
 /* eslint-disable complexity */
 export const getExtraTokenClaimsForJwtCustomization = async (
   ctx: KoaContextWithOIDC,
@@ -147,6 +189,10 @@ export const getExtraTokenClaimsForJwtCustomization = async (
         (await libraries.jwtCustomizers.getUserContext(token.accountId))
     );
 
+    const interactionContext = isTokenClientCredentials
+      ? undefined
+      : await getInteractionLastSubmission(queries, token);
+
     const subjectTokenResult = z
       .object({
         subjectTokenId: z.string(),
@@ -180,6 +226,11 @@ export const getExtraTokenClaimsForJwtCustomization = async (
                   },
                 }
               ),
+              ...conditional(
+                interactionContext && {
+                  interaction: interactionContext,
+                }
+              ),
             },
           }),
     };

packages/core/src/queries/oidc-session-extensions.ts

@@ -1,4 +1,4 @@
-import { OidcSessionExtensions } from '@logto/schemas';
+import { OidcSessionExtensions, type OidcSessionExtension } from '@logto/schemas';
 import { sql, type CommonQueryMethods } from '@silverhand/slonik';
 
 import { buildInsertIntoWithPool } from '../database/insert-into.js';
@@ -30,4 +30,12 @@ export class OidcSessionExtensionsQueries {
         where ${fields.accountId} = ${accountId}
     `);
   }
+
+  async findBySessionUid(sessionUid: string) {
+    return this.pool.maybeOne<OidcSessionExtension>(sql`
+      select ${sql.join(Object.values(fields), sql`, `)}
+        from ${table}
+        where ${fields.sessionUid} = ${sessionUid}
+    `);
+  }
 }

packages/core/src/routes/experience/classes/verifications/enterprise-sso-verification.ts

@@ -6,7 +6,7 @@ import {
   type User,
   type UserSsoIdentity,
   type EnterpriseSsoVerificationRecordData,
-  enterPriseSsoVerificationRecordDataGuard,
+  enterpriseSsoVerificationRecordDataGuard,
 } from '@logto/schemas';
 import { generateStandardId } from '@logto/shared';
 import { conditional } from '@silverhand/essentials';
@@ -30,7 +30,7 @@ import { type IdentifierVerificationRecord } from './verification-record.js';
 
 export {
   type EnterpriseSsoVerificationRecordData,
-  enterPriseSsoVerificationRecordDataGuard,
+  enterpriseSsoVerificationRecordDataGuard,
 } from '@logto/schemas';
 
 export class EnterpriseSsoVerification
@@ -58,7 +58,7 @@ export class EnterpriseSsoVerification
     data: EnterpriseSsoVerificationRecordData
   ) {
     const { id, connectorId, enterpriseSsoUserInfo, issuer } =
-      enterPriseSsoVerificationRecordDataGuard.parse(data);
+      enterpriseSsoVerificationRecordDataGuard.parse(data);
 
     this.id = id;
     this.connectorId = connectorId;

packages/core/src/routes/experience/classes/verifications/index.ts

@@ -18,7 +18,7 @@ import {
 } from './code-verification.js';
 import {
   EnterpriseSsoVerification,
-  enterPriseSsoVerificationRecordDataGuard,
+  enterpriseSsoVerificationRecordDataGuard,
   type EnterpriseSsoVerificationRecordData,
 } from './enterprise-sso-verification.js';
 import {
@@ -100,7 +100,7 @@ export const verificationRecordDataGuard = z.discriminatedUnion('type', [
   emailCodeVerificationRecordDataGuard,
   phoneCodeVerificationRecordDataGuard,
   socialVerificationRecordDataGuard,
-  enterPriseSsoVerificationRecordDataGuard,
+  enterpriseSsoVerificationRecordDataGuard,
   totpVerificationRecordDataGuard,
   backupCodeVerificationRecordDataGuard,
   webAuthnVerificationRecordDataGuard,

packages/core/src/utils/zod.ts

@@ -1,5 +1,5 @@
 import { languages, languageTagGuard } from '@logto/language-kit';
-import { jsonObjectGuard, translationGuard } from '@logto/schemas';
+import { jsonGuard, jsonObjectGuard, translationGuard } from '@logto/schemas';
 import type { ValuesOf } from '@silverhand/essentials';
 import { conditional } from '@silverhand/essentials';
 import type { OpenAPIV3 } from 'openapi-types';
@@ -155,6 +155,36 @@ export const zodTypeToSwagger = (
     };
   }
 
+  if (config === jsonGuard) {
+    return {
+      oneOf: [
+        {
+          type: 'object',
+          description: 'arbitrary JSON object',
+        },
+        {
+          type: 'array',
+          items: {
+            oneOf: [
+              { type: 'string' },
+              { type: 'number' },
+              { type: 'boolean' },
+              { nullable: true },
+              {
+                type: 'object',
+                description: 'arbitrary JSON object',
+              },
+            ],
+          },
+        },
+        { type: 'string' },
+        { type: 'number' },
+        { type: 'boolean' },
+      ],
+      nullable: true,
+    };
+  }
+
   if (config === translationGuard) {
     return {
       $ref: '#/components/schemas/TranslationObject',

packages/integration-tests/src/__mocks__/jwt-customizer.ts

@@ -1,4 +1,11 @@
-import { type AccessTokenPayload, type ClientCredentialsPayload } from '@logto/schemas';
+import {
+  InteractionEvent,
+  type JwtCustomizerUserInteractionContext,
+  SignInIdentifier,
+  VerificationType,
+  type AccessTokenPayload,
+  type ClientCredentialsPayload,
+} from '@logto/schemas';
 
 const standardTokenPayloadData = {
   jti: 'f1d3d2d1-1f2d-3d4e-5d6f-7d8a9d0e1d2',
@@ -51,11 +58,30 @@ export const accessTokenJwtCustomizerPayload = {
       organizations: [],
       organizationRoles: [],
     },
+    interaction: {
+      interactionEvent: InteractionEvent.SignIn,
+      userId: '123',
+      verificationRecords: [
+        {
+          id: 'verification_123',
+          type: VerificationType.Password,
+          identifier: {
+            type: SignInIdentifier.Email,
+            value: 'foo@example.com',
+          },
+          verified: true,
+        },
+      ],
+    } satisfies JwtCustomizerUserInteractionContext,
   },
 };
 
 export const accessTokenSampleScript = `const getCustomJwtClaims = async ({ token, context, environmentVariables }) => {
-  return { user_id: context?.user?.id ?? 'unknown', hasPassword: context?.user?.hasPassword };
+  const { interaction } = context;
+
+  const verificationRecord = interaction?.verificationRecords?.[0];
+
+  return { user_id: context?.user?.id ?? 'unknown', hasPassword: context?.user?.hasPassword, interactionEvent: interaction?.interactionEvent, verificationType: verificationRecord?.type };
 };`;
 
 export const accessTokenAccessDeniedSampleScript = `const getCustomJwtClaims = async ({ token, context, environmentVariables, api }) => {

packages/integration-tests/src/tests/api/oidc/get-access-token.test.ts

@@ -1,7 +1,13 @@
 import path from 'node:path';
 
 import { fetchTokenByRefreshToken } from '@logto/js';
-import { InteractionEvent, type Resource, RoleType } from '@logto/schemas';
+import {
+  InteractionEvent,
+  type Resource,
+  RoleType,
+  SignInIdentifier,
+  VerificationType,
+} from '@logto/schemas';
 import { assert } from '@silverhand/essentials';
 import { createRemoteJWKSet, jwtVerify } from 'jose';
 
@@ -20,8 +26,8 @@ import {
 import { assignUsersToRole, createRole, deleteRole } from '#src/api/role.js';
 import { createScope, deleteScope } from '#src/api/scope.js';
 import MockClient, { defaultConfig } from '#src/client/index.js';
-import { logtoUrl } from '#src/constants.js';
-import { processSession } from '#src/helpers/client.js';
+import { isDevFeaturesEnabled, logtoUrl } from '#src/constants.js';
+import { initExperienceClient, processSession } from '#src/helpers/client.js';
 import { createUserByAdmin } from '#src/helpers/index.js';
 import { enableAllPasswordSignInMethods } from '#src/helpers/sign-in-experience.js';
 import { generateUsername, generatePassword, getAccessTokenPayload } from '#src/utils.js';
@@ -107,15 +113,24 @@ describe('get access token', () => {
       script: accessTokenSampleScript,
     });
 
-    const client = new MockClient({
-      resources: [testApiResourceInfo.indicator],
-      scopes: testApiScopeNames,
+    const client = await initExperienceClient({
+      config: {
+        resources: [testApiResourceInfo.indicator],
+        scopes: testApiScopeNames,
+      },
     });
-    await client.initSession();
-    await client.successSend(putInteraction, {
-      event: InteractionEvent.SignIn,
-      identifier: { username: guestUsername, password },
+
+    const { verificationId } = await client.verifyPassword({
+      identifier: {
+        type: SignInIdentifier.Username,
+        value: guestUsername,
+      },
+      password,
+    });
+    await client.identifyUser({
+      verificationId,
     });
+
     const { redirectTo } = await client.submitInteraction();
     await processSession(client, redirectTo);
     const accessToken = await client.getAccessToken(testApiResourceInfo.indicator);
@@ -128,6 +143,17 @@ describe('get access token', () => {
     // The guest user has password.
     expect(getAccessTokenPayload(accessToken)).toHaveProperty('hasPassword', true);
 
+    if (isDevFeaturesEnabled) {
+      expect(getAccessTokenPayload(accessToken)).toHaveProperty(
+        'interactionEvent',
+        InteractionEvent.SignIn
+      );
+      expect(getAccessTokenPayload(accessToken)).toHaveProperty(
+        'verificationType',
+        VerificationType.Password
+      );
+    }
+
     await deleteJwtCustomizer('access-token');
   });
 

packages/phrases/src/locales/en/translation/admin-console/jwt-claims.ts

@@ -35,6 +35,11 @@ const jwt_claims = {
     subtitle:
       'Use `context.grant` input parameter to provide vital grant info, only available for token exchange.',
   },
+  interaction_data: {
+    title: 'User interaction context',
+    subtitle:
+      "Use the context.interaction parameter to retrieve details about the user's sign-in interaction during the current session.",
+  },
   token_data: {
     title: 'Token payload',
     subtitle: 'Use `token` input parameter for current access token payload. ',

packages/schemas/src/types/logto-config/jwt-customizer.ts

@@ -1,4 +1,4 @@
-import { jsonObjectGuard } from '@logto/connector-kit';
+import { jsonGuard, jsonObjectGuard, socialUserInfoGuard } from '@logto/connector-kit';
 import { type ZodType, z } from 'zod';
 
 import {
@@ -10,9 +10,22 @@ import {
   type UserSsoIdentity,
 } from '../../db-entries/index.js';
 import { mfaFactorsGuard, type MfaFactors } from '../../foundations/index.js';
+import { InteractionEvent } from '../interactions.js';
 import { GrantType } from '../oidc-config.js';
 import { scopeResponseGuard, type ScopeResponse } from '../scope.js';
 import { userInfoGuard, type UserInfo } from '../user.js';
+import { backupCodeVerificationRecordDataGuard } from '../verification-records/backup-code-verification.js';
+import {
+  emailCodeVerificationRecordDataGuard,
+  phoneCodeVerificationRecordDataGuard,
+} from '../verification-records/code-verification.js';
+import { enterpriseSsoVerificationRecordDataGuard } from '../verification-records/enterprise-sso-verification.js';
+import { newPasswordIdentityVerificationRecordDataGuard } from '../verification-records/new-password-identity-verification.js';
+import { oneTimeTokenVerificationRecordDataGuard } from '../verification-records/one-time-token-verification.js';
+import { passwordVerificationRecordDataGuard } from '../verification-records/password-verification.js';
+import { socialVerificationRecordDataGuard } from '../verification-records/social-verification.js';
+import { totpVerificationRecordDataGuard } from '../verification-records/totp-verification.js';
+import { webAuthnVerificationRecordDataGuard } from '../verification-records/web-authn-verification.js';
 
 import { accessTokenPayloadGuard, clientCredentialsPayloadGuard } from './oidc-provider.js';
 
@@ -75,6 +88,50 @@ export const jwtCustomizerGrantContextGuard = z.object({
 
 export type JwtCustomizerGrantContext = z.infer<typeof jwtCustomizerGrantContextGuard>;
 
+// Unlike the verification record guard defined in experience interaction,
+// we need to omit sensitive fields like MFA code and secrets from some of the verification record.
+const jwtCustomizerUserInteractionVerificationRecordGuard = z.discriminatedUnion('type', [
+  passwordVerificationRecordDataGuard,
+  emailCodeVerificationRecordDataGuard,
+  phoneCodeVerificationRecordDataGuard,
+  socialVerificationRecordDataGuard.omit({
+    connectorSession: true,
+  }),
+  enterpriseSsoVerificationRecordDataGuard.extend({
+    // The original `enterpriseSsoUserInfo` field type is extended with `socialUserInfo` with `catchall(unknown)`.
+    // However, the unknown type may cause error when using the `sql.jsonb` function in Slonik.
+    // See {@logto/cli/src/queries/logto-config.ts#updateValueByKey} for more reference.
+    // So we use `socialUserInfoGuard.catchall(jsonGuard)` to ensure the type is JSON serializable.
+    enterpriseSsoUserInfo: socialUserInfoGuard.catchall(jsonGuard).optional(),
+  }),
+  totpVerificationRecordDataGuard.omit({
+    secret: true,
+  }),
+  backupCodeVerificationRecordDataGuard.omit({
+    backupCodes: true,
+  }),
+  webAuthnVerificationRecordDataGuard.omit({
+    registrationChallenge: true,
+    authenticationChallenge: true,
+    registrationInfo: true,
+  }),
+  oneTimeTokenVerificationRecordDataGuard,
+  newPasswordIdentityVerificationRecordDataGuard.omit({
+    passwordEncrypted: true,
+    passwordEncryptionMethod: true,
+  }),
+]);
+
+export const jwtCustomizerUserInteractionContextGuard = z.object({
+  interactionEvent: z.nativeEnum(InteractionEvent),
+  userId: z.string(),
+  verificationRecords: jwtCustomizerUserInteractionVerificationRecordGuard.array(),
+});
+
+export type JwtCustomizerUserInteractionContext = z.infer<
+  typeof jwtCustomizerUserInteractionContextGuard
+>;
+
 export const accessTokenJwtCustomizerGuard = jwtCustomizerGuard
   .extend({
     // Use partial token guard since users customization may not rely on all fields.
@@ -83,6 +140,7 @@ export const accessTokenJwtCustomizerGuard = jwtCustomizerGuard
       .object({
         user: jwtCustomizerUserContextGuard.partial(),
         grant: jwtCustomizerGrantContextGuard.partial().optional(),
+        interaction: jwtCustomizerUserInteractionContextGuard.partial().optional(),
       })
       .optional(),
   })

packages/schemas/src/types/verification-records/enterprise-sso-verification.ts

@@ -17,7 +17,7 @@ export type EnterpriseSsoVerificationRecordData = {
   issuer?: string;
 };
 
-export const enterPriseSsoVerificationRecordDataGuard = z.object({
+export const enterpriseSsoVerificationRecordDataGuard = z.object({
   id: z.string(),
   connectorId: z.string(),
   type: z.literal(VerificationType.EnterpriseSso),