Auth/ps 2298 reorg auth (#4564)

* Move auth service factories to Auth team

* Move authentication componenets to Auth team

* Move auth guard services to Auth team

* Move Duo content script to Auth team

* Move auth CLI commands to Auth team

* Move Desktop Account components to Auth Team

* Move Desktop guards to Auth team

* Move two-factor provider images to Auth team

* Move web Accounts components to Auth Team

* Move web settings components to Auth Team

* Move web two factor images to Auth Team

* Fix missed import changes for Auth Team

* Fix Linting errors

* Fix missed CLI imports

* Fix missed Desktop imports

* Revert images move

* Fix missed imports in Web

* Move angular lib components to Auth Team

* Move angular auth guards to Auth team

* Move strategy specs to Auth team

* Update .eslintignore for new paths

* Move lib common abstractions to Auth team

* Move services to Auth team

* Move common lib enums to Auth team

* Move webauthn iframe to Auth team

* Move lib common domain models to Auth team

* Move common lib requests to Auth team

* Move response models to Auth team

* Clean up whitelist

* Move bit web components to Auth team

* Move SSO and SCIM files to Auth team

* Revert move SCIM to Auth team

SCIM belongs to Admin Console team

* Move captcha to Auth team

* Move key connector to Auth team

* Move emergency access to auth team

* Delete extra file

* linter fixes

* Move kdf config to auth team

* Fix whitelist

* Fix duo autoformat

* Complete two factor provider request move

* Fix whitelist names

* Fix login capitalization

* Revert hint dependency reordering

* Revert hint dependency reordering

* Revert hint component

This components is being picked up as a move between clients

* Move web hint component to Auth team

* Move new files to auth team

* Fix desktop build

* Fix browser build

libs/common/src/auth/models/api/sso-config.api.ts

@@ -0,0 +1,136 @@
+import { BaseResponse } from "../../../models/response/base.response";
+import {
+  OpenIdConnectRedirectBehavior,
+  Saml2BindingType,
+  Saml2NameIdFormat,
+  Saml2SigningBehavior,
+  SsoType,
+} from "../../enums/sso";
+import { SsoConfigView } from "../view/sso-config.view";
+
+export class SsoConfigApi extends BaseResponse {
+  static fromView(view: SsoConfigView, api = new SsoConfigApi()) {
+    api.configType = view.configType;
+
+    api.keyConnectorEnabled = view.keyConnectorEnabled;
+    api.keyConnectorUrl = view.keyConnectorUrl;
+
+    if (api.configType === SsoType.OpenIdConnect) {
+      api.authority = view.openId.authority;
+      api.clientId = view.openId.clientId;
+      api.clientSecret = view.openId.clientSecret;
+      api.metadataAddress = view.openId.metadataAddress;
+      api.redirectBehavior = view.openId.redirectBehavior;
+      api.getClaimsFromUserInfoEndpoint = view.openId.getClaimsFromUserInfoEndpoint;
+      api.additionalScopes = view.openId.additionalScopes;
+      api.additionalUserIdClaimTypes = view.openId.additionalUserIdClaimTypes;
+      api.additionalEmailClaimTypes = view.openId.additionalEmailClaimTypes;
+      api.additionalNameClaimTypes = view.openId.additionalNameClaimTypes;
+      api.acrValues = view.openId.acrValues;
+      api.expectedReturnAcrValue = view.openId.expectedReturnAcrValue;
+    } else if (api.configType === SsoType.Saml2) {
+      api.spNameIdFormat = view.saml.spNameIdFormat;
+      api.spOutboundSigningAlgorithm = view.saml.spOutboundSigningAlgorithm;
+      api.spSigningBehavior = view.saml.spSigningBehavior;
+      api.spMinIncomingSigningAlgorithm = view.saml.spMinIncomingSigningAlgorithm;
+      api.spWantAssertionsSigned = view.saml.spWantAssertionsSigned;
+      api.spValidateCertificates = view.saml.spValidateCertificates;
+
+      api.idpEntityId = view.saml.idpEntityId;
+      api.idpBindingType = view.saml.idpBindingType;
+      api.idpSingleSignOnServiceUrl = view.saml.idpSingleSignOnServiceUrl;
+      api.idpSingleLogoutServiceUrl = view.saml.idpSingleLogoutServiceUrl;
+      api.idpX509PublicCert = view.saml.idpX509PublicCert;
+      api.idpOutboundSigningAlgorithm = view.saml.idpOutboundSigningAlgorithm;
+      api.idpAllowUnsolicitedAuthnResponse = view.saml.idpAllowUnsolicitedAuthnResponse;
+      api.idpWantAuthnRequestsSigned = view.saml.idpWantAuthnRequestsSigned;
+
+      // Value is inverted in the api model (disable instead of allow)
+      api.idpDisableOutboundLogoutRequests = !view.saml.idpAllowOutboundLogoutRequests;
+    }
+
+    return api;
+  }
+  configType: SsoType;
+
+  keyConnectorEnabled: boolean;
+  keyConnectorUrl: string;
+
+  // OpenId
+  authority: string;
+  clientId: string;
+  clientSecret: string;
+  metadataAddress: string;
+  redirectBehavior: OpenIdConnectRedirectBehavior;
+  getClaimsFromUserInfoEndpoint: boolean;
+  additionalScopes: string;
+  additionalUserIdClaimTypes: string;
+  additionalEmailClaimTypes: string;
+  additionalNameClaimTypes: string;
+  acrValues: string;
+  expectedReturnAcrValue: string;
+
+  // SAML
+  spNameIdFormat: Saml2NameIdFormat;
+  spOutboundSigningAlgorithm: string;
+  spSigningBehavior: Saml2SigningBehavior;
+  spMinIncomingSigningAlgorithm: string;
+  spWantAssertionsSigned: boolean;
+  spValidateCertificates: boolean;
+
+  idpEntityId: string;
+  idpBindingType: Saml2BindingType;
+  idpSingleSignOnServiceUrl: string;
+  idpSingleLogoutServiceUrl: string;
+  idpX509PublicCert: string;
+  idpOutboundSigningAlgorithm: string;
+  idpAllowUnsolicitedAuthnResponse: boolean;
+  idpDisableOutboundLogoutRequests: boolean;
+  idpWantAuthnRequestsSigned: boolean;
+
+  constructor(data: any = null) {
+    super(data);
+    if (data == null) {
+      return;
+    }
+
+    this.configType = this.getResponseProperty("ConfigType");
+
+    this.keyConnectorEnabled = this.getResponseProperty("KeyConnectorEnabled");
+    this.keyConnectorUrl = this.getResponseProperty("KeyConnectorUrl");
+
+    this.authority = this.getResponseProperty("Authority");
+    this.clientId = this.getResponseProperty("ClientId");
+    this.clientSecret = this.getResponseProperty("ClientSecret");
+    this.metadataAddress = this.getResponseProperty("MetadataAddress");
+    this.redirectBehavior = this.getResponseProperty("RedirectBehavior");
+    this.getClaimsFromUserInfoEndpoint = this.getResponseProperty("GetClaimsFromUserInfoEndpoint");
+    this.additionalScopes = this.getResponseProperty("AdditionalScopes");
+    this.additionalUserIdClaimTypes = this.getResponseProperty("AdditionalUserIdClaimTypes");
+    this.additionalEmailClaimTypes = this.getResponseProperty("AdditionalEmailClaimTypes");
+    this.additionalNameClaimTypes = this.getResponseProperty("AdditionalNameClaimTypes");
+    this.acrValues = this.getResponseProperty("AcrValues");
+    this.expectedReturnAcrValue = this.getResponseProperty("ExpectedReturnAcrValue");
+
+    this.spNameIdFormat = this.getResponseProperty("SpNameIdFormat");
+    this.spOutboundSigningAlgorithm = this.getResponseProperty("SpOutboundSigningAlgorithm");
+    this.spSigningBehavior = this.getResponseProperty("SpSigningBehavior");
+    this.spMinIncomingSigningAlgorithm = this.getResponseProperty("SpMinIncomingSigningAlgorithm");
+    this.spWantAssertionsSigned = this.getResponseProperty("SpWantAssertionsSigned");
+    this.spValidateCertificates = this.getResponseProperty("SpValidateCertificates");
+
+    this.idpEntityId = this.getResponseProperty("IdpEntityId");
+    this.idpBindingType = this.getResponseProperty("IdpBindingType");
+    this.idpSingleSignOnServiceUrl = this.getResponseProperty("IdpSingleSignOnServiceUrl");
+    this.idpSingleLogoutServiceUrl = this.getResponseProperty("IdpSingleLogoutServiceUrl");
+    this.idpX509PublicCert = this.getResponseProperty("IdpX509PublicCert");
+    this.idpOutboundSigningAlgorithm = this.getResponseProperty("IdpOutboundSigningAlgorithm");
+    this.idpAllowUnsolicitedAuthnResponse = this.getResponseProperty(
+      "IdpAllowUnsolicitedAuthnResponse"
+    );
+    this.idpDisableOutboundLogoutRequests = this.getResponseProperty(
+      "IdpDisableOutboundLogoutRequests"
+    );
+    this.idpWantAuthnRequestsSigned = this.getResponseProperty("IdpWantAuthnRequestsSigned");
+  }
+}

libs/common/src/auth/models/domain/auth-result.ts

@@ -0,0 +1,17 @@
+import { Utils } from "../../../misc/utils";
+import { TwoFactorProviderType } from "../../enums/two-factor-provider-type";
+
+export class AuthResult {
+  captchaSiteKey = "";
+  resetMasterPassword = false;
+  forcePasswordReset = false;
+  twoFactorProviders: Map<TwoFactorProviderType, { [key: string]: string }> = null;
+
+  get requiresCaptcha() {
+    return !Utils.isNullOrWhitespace(this.captchaSiteKey);
+  }
+
+  get requiresTwoFactor() {
+    return this.twoFactorProviders != null;
+  }
+}

libs/common/src/auth/models/domain/environment-urls.ts

@@ -0,0 +1,16 @@
+import { Jsonify } from "type-fest";
+
+export class EnvironmentUrls {
+  base: string = null;
+  api: string = null;
+  identity: string = null;
+  icons: string = null;
+  notifications: string = null;
+  events: string = null;
+  webVault: string = null;
+  keyConnector: string = null;
+
+  static fromJSON(obj: Jsonify<EnvironmentUrls>): EnvironmentUrls {
+    return Object.assign(new EnvironmentUrls(), obj);
+  }
+}

libs/common/src/auth/models/domain/kdf-config.ts

@@ -0,0 +1,11 @@
+export class KdfConfig {
+  iterations: number;
+  memory?: number;
+  parallelism?: number;
+
+  constructor(iterations: number, memory?: number, parallelism?: number) {
+    this.iterations = iterations;
+    this.memory = memory;
+    this.parallelism = parallelism;
+  }
+}

libs/common/src/auth/models/domain/log-in-credentials.ts

@@ -0,0 +1,45 @@
+import { SymmetricCryptoKey } from "../../../models/domain/symmetric-crypto-key";
+import { AuthenticationType } from "../../enums/authentication-type";
+import { TokenTwoFactorRequest } from "../request/identity-token/token-two-factor.request";
+
+export class PasswordLogInCredentials {
+  readonly type = AuthenticationType.Password;
+
+  constructor(
+    public email: string,
+    public masterPassword: string,
+    public captchaToken?: string,
+    public twoFactor?: TokenTwoFactorRequest
+  ) {}
+}
+
+export class SsoLogInCredentials {
+  readonly type = AuthenticationType.Sso;
+
+  constructor(
+    public code: string,
+    public codeVerifier: string,
+    public redirectUrl: string,
+    public orgId: string,
+    public twoFactor?: TokenTwoFactorRequest
+  ) {}
+}
+
+export class UserApiLogInCredentials {
+  readonly type = AuthenticationType.UserApi;
+
+  constructor(public clientId: string, public clientSecret: string) {}
+}
+
+export class PasswordlessLogInCredentials {
+  readonly type = AuthenticationType.Passwordless;
+
+  constructor(
+    public email: string,
+    public accessCode: string,
+    public authRequestId: string,
+    public decKey: SymmetricCryptoKey,
+    public localPasswordHash: string,
+    public twoFactor?: TokenTwoFactorRequest
+  ) {}
+}

libs/common/src/auth/models/request/captcha-protected.request.ts

@@ -0,0 +1,3 @@
+export abstract class CaptchaProtectedRequest {
+  captchaResponse: string = null;
+}

libs/common/src/auth/models/request/device-verification.request.ts

@@ -0,0 +1,7 @@
+export class DeviceVerificationRequest {
+  unknownDeviceVerificationEnabled: boolean;
+
+  constructor(unknownDeviceVerificationEnabled: boolean) {
+    this.unknownDeviceVerificationEnabled = unknownDeviceVerificationEnabled;
+  }
+}

libs/common/src/auth/models/request/email-token.request.ts

@@ -0,0 +1,6 @@
+import { SecretVerificationRequest } from "./secret-verification.request";
+
+export class EmailTokenRequest extends SecretVerificationRequest {
+  newEmail: string;
+  masterPasswordHash: string;
+}

libs/common/src/auth/models/request/email.request.ts

@@ -0,0 +1,7 @@
+import { EmailTokenRequest } from "./email-token.request";
+
+export class EmailRequest extends EmailTokenRequest {
+  newMasterPasswordHash: string;
+  token: string;
+  key: string;
+}

libs/common/src/auth/models/request/emergency-access-accept.request.ts

@@ -0,0 +1,3 @@
+export class EmergencyAccessAcceptRequest {
+  token: string;
+}

libs/common/src/auth/models/request/emergency-access-confirm.request.ts

@@ -0,0 +1,3 @@
+export class EmergencyAccessConfirmRequest {
+  key: string;
+}

libs/common/src/auth/models/request/emergency-access-invite.request.ts

@@ -0,0 +1,7 @@
+import { EmergencyAccessType } from "../../enums/emergency-access-type";
+
+export class EmergencyAccessInviteRequest {
+  email: string;
+  type: EmergencyAccessType;
+  waitTimeDays: number;
+}

libs/common/src/auth/models/request/emergency-access-password.request.ts

@@ -0,0 +1,4 @@
+export class EmergencyAccessPasswordRequest {
+  newMasterPasswordHash: string;
+  key: string;
+}

libs/common/src/auth/models/request/emergency-access-update.request.ts

@@ -0,0 +1,7 @@
+import { EmergencyAccessType } from "../../enums/emergency-access-type";
+
+export class EmergencyAccessUpdateRequest {
+  type: EmergencyAccessType;
+  waitTimeDays: number;
+  keyEncrypted?: string;
+}

libs/common/src/auth/models/request/identity-token/device.request.ts

@@ -0,0 +1,16 @@
+import { PlatformUtilsService } from "../../../../abstractions/platformUtils.service";
+import { DeviceType } from "../../../../enums/deviceType";
+
+export class DeviceRequest {
+  type: DeviceType;
+  name: string;
+  identifier: string;
+  pushToken?: string;
+
+  constructor(appId: string, platformUtilsService: PlatformUtilsService) {
+    this.type = platformUtilsService.getDevice();
+    this.name = platformUtilsService.getDeviceString();
+    this.identifier = appId;
+    this.pushToken = null;
+  }
+}

libs/common/src/auth/models/request/identity-token/password-token.request.ts

@@ -0,0 +1,37 @@
+import { ClientType } from "../../../../enums/clientType";
+import { Utils } from "../../../../misc/utils";
+import { CaptchaProtectedRequest } from "../captcha-protected.request";
+
+import { DeviceRequest } from "./device.request";
+import { TokenTwoFactorRequest } from "./token-two-factor.request";
+import { TokenRequest } from "./token.request";
+
+export class PasswordTokenRequest extends TokenRequest implements CaptchaProtectedRequest {
+  constructor(
+    public email: string,
+    public masterPasswordHash: string,
+    public captchaResponse: string,
+    protected twoFactor: TokenTwoFactorRequest,
+    device?: DeviceRequest
+  ) {
+    super(twoFactor, device);
+  }
+
+  toIdentityToken(clientId: ClientType) {
+    const obj = super.toIdentityToken(clientId);
+
+    obj.grant_type = "password";
+    obj.username = this.email;
+    obj.password = this.masterPasswordHash;
+
+    if (this.captchaResponse != null) {
+      obj.captchaResponse = this.captchaResponse;
+    }
+
+    return obj;
+  }
+
+  alterIdentityTokenHeaders(headers: Headers) {
+    headers.set("Auth-Email", Utils.fromUtf8ToUrlB64(this.email));
+  }
+}

libs/common/src/auth/models/request/identity-token/sso-token.request.ts

@@ -0,0 +1,26 @@
+import { DeviceRequest } from "./device.request";
+import { TokenTwoFactorRequest } from "./token-two-factor.request";
+import { TokenRequest } from "./token.request";
+
+export class SsoTokenRequest extends TokenRequest {
+  constructor(
+    public code: string,
+    public codeVerifier: string,
+    public redirectUri: string,
+    protected twoFactor: TokenTwoFactorRequest,
+    device?: DeviceRequest
+  ) {
+    super(twoFactor, device);
+  }
+
+  toIdentityToken(clientId: string) {
+    const obj = super.toIdentityToken(clientId);
+
+    obj.grant_type = "authorization_code";
+    obj.code = this.code;
+    obj.code_verifier = this.codeVerifier;
+    obj.redirect_uri = this.redirectUri;
+
+    return obj;
+  }
+}

libs/common/src/auth/models/request/identity-token/token-two-factor.request.ts

@@ -0,0 +1,9 @@
+import { TwoFactorProviderType } from "../../../enums/two-factor-provider-type";
+
+export class TokenTwoFactorRequest {
+  constructor(
+    public provider: TwoFactorProviderType = null,
+    public token: string = null,
+    public remember: boolean = false
+  ) {}
+}

libs/common/src/auth/models/request/identity-token/token.request.ts

@@ -0,0 +1,54 @@
+import { DeviceRequest } from "./device.request";
+import { TokenTwoFactorRequest } from "./token-two-factor.request";
+
+export abstract class TokenRequest {
+  protected device?: DeviceRequest;
+  protected passwordlessAuthRequest: string;
+
+  constructor(protected twoFactor: TokenTwoFactorRequest, device?: DeviceRequest) {
+    this.device = device != null ? device : null;
+  }
+
+  // eslint-disable-next-line
+  alterIdentityTokenHeaders(headers: Headers) {
+    // Implemented in subclass if required
+  }
+
+  setTwoFactor(twoFactor: TokenTwoFactorRequest) {
+    this.twoFactor = twoFactor;
+  }
+
+  setPasswordlessAccessCode(accessCode: string) {
+    this.passwordlessAuthRequest = accessCode;
+  }
+
+  protected toIdentityToken(clientId: string) {
+    const obj: any = {
+      scope: "api offline_access",
+      client_id: clientId,
+    };
+
+    if (this.device) {
+      obj.deviceType = this.device.type;
+      obj.deviceIdentifier = this.device.identifier;
+      obj.deviceName = this.device.name;
+      // no push tokens for browser apps yet
+      // obj.devicePushToken = this.device.pushToken;
+    }
+
+    //passswordless login
+    if (this.passwordlessAuthRequest) {
+      obj.authRequest = this.passwordlessAuthRequest;
+    }
+
+    if (this.twoFactor) {
+      if (this.twoFactor.token && this.twoFactor.provider != null) {
+        obj.twoFactorToken = this.twoFactor.token;
+        obj.twoFactorProvider = this.twoFactor.provider;
+        obj.twoFactorRemember = this.twoFactor.remember ? "1" : "0";
+      }
+    }
+
+    return obj;
+  }
+}

libs/common/src/auth/models/request/identity-token/user-api-token.request.ts

@@ -0,0 +1,24 @@
+import { DeviceRequest } from "./device.request";
+import { TokenTwoFactorRequest } from "./token-two-factor.request";
+import { TokenRequest } from "./token.request";
+
+export class UserApiTokenRequest extends TokenRequest {
+  constructor(
+    public clientId: string,
+    public clientSecret: string,
+    protected twoFactor: TokenTwoFactorRequest,
+    device?: DeviceRequest
+  ) {
+    super(twoFactor, device);
+  }
+
+  toIdentityToken() {
+    const obj = super.toIdentityToken(this.clientId);
+
+    obj.scope = this.clientId.startsWith("organization") ? "api.organization" : "api";
+    obj.grant_type = "client_credentials";
+    obj.client_secret = this.clientSecret;
+
+    return obj;
+  }
+}

libs/common/src/auth/models/request/key-connector-user-key.request.ts

@@ -0,0 +1,7 @@
+export class KeyConnectorUserKeyRequest {
+  key: string;
+
+  constructor(key: string) {
+    this.key = key;
+  }
+}

libs/common/src/auth/models/request/organization-sso.request.ts

@@ -0,0 +1,7 @@
+import { SsoConfigApi } from "../api/sso-config.api";
+
+export class OrganizationSsoRequest {
+  enabled = false;
+  identifier: string;
+  data: SsoConfigApi;
+}

libs/common/src/auth/models/request/password-hint.request.ts

@@ -0,0 +1,7 @@
+export class PasswordHintRequest {
+  email: string;
+
+  constructor(email: string) {
+    this.email = email;
+  }
+}

libs/common/src/auth/models/request/password.request.ts

@@ -0,0 +1,7 @@
+import { SecretVerificationRequest } from "./secret-verification.request";
+
+export class PasswordRequest extends SecretVerificationRequest {
+  newMasterPasswordHash: string;
+  masterPasswordHint: string;
+  key: string;
+}

libs/common/src/auth/models/request/passwordless-auth.request.ts

@@ -0,0 +1,8 @@
+export class PasswordlessAuthRequest {
+  constructor(
+    readonly key: string,
+    readonly masterPasswordHash: string,
+    readonly deviceIdentifier: string,
+    readonly requestApproved: boolean
+  ) {}
+}

libs/common/src/auth/models/request/passwordless-create-auth.request.ts

@@ -0,0 +1,12 @@
+import { AuthRequestType } from "../../enums/auth-request-type";
+
+export class PasswordlessCreateAuthRequest {
+  constructor(
+    readonly email: string,
+    readonly deviceIdentifier: string,
+    readonly publicKey: string,
+    readonly type: AuthRequestType,
+    readonly accessCode: string,
+    readonly fingerprintPhrase: string
+  ) {}
+}

libs/common/src/auth/models/request/secret-verification.request.ts

@@ -0,0 +1,5 @@
+export class SecretVerificationRequest {
+  masterPasswordHash: string;
+  otp: string;
+  authRequestAccessCode: string;
+}

libs/common/src/auth/models/request/set-key-connector-key.request.ts

@@ -0,0 +1,29 @@
+import { KdfType } from "../../../enums/kdfType";
+import { KeysRequest } from "../../../models/request/keys.request";
+import { KdfConfig } from "../domain/kdf-config";
+
+export class SetKeyConnectorKeyRequest {
+  key: string;
+  keys: KeysRequest;
+  kdf: KdfType;
+  kdfIterations: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;
+  orgIdentifier: string;
+
+  constructor(
+    key: string,
+    kdf: KdfType,
+    kdfConfig: KdfConfig,
+    orgIdentifier: string,
+    keys: KeysRequest
+  ) {
+    this.key = key;
+    this.kdf = kdf;
+    this.kdfIterations = kdfConfig.iterations;
+    this.kdfMemory = kdfConfig.memory;
+    this.kdfParallelism = kdfConfig.parallelism;
+    this.orgIdentifier = orgIdentifier;
+    this.keys = keys;
+  }
+}

libs/common/src/auth/models/request/set-password.request.ts

@@ -0,0 +1,36 @@
+import { KdfType } from "../../../enums/kdfType";
+import { KeysRequest } from "../../../models/request/keys.request";
+
+export class SetPasswordRequest {
+  masterPasswordHash: string;
+  key: string;
+  masterPasswordHint: string;
+  keys: KeysRequest;
+  kdf: KdfType;
+  kdfIterations: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;
+  orgIdentifier: string;
+
+  constructor(
+    masterPasswordHash: string,
+    key: string,
+    masterPasswordHint: string,
+    orgIdentifier: string,
+    keys: KeysRequest,
+    kdf: KdfType,
+    kdfIterations: number,
+    kdfMemory?: number,
+    kdfParallelism?: number
+  ) {
+    this.masterPasswordHash = masterPasswordHash;
+    this.key = key;
+    this.masterPasswordHint = masterPasswordHint;
+    this.kdf = kdf;
+    this.kdfIterations = kdfIterations;
+    this.kdfMemory = kdfMemory;
+    this.kdfParallelism = kdfParallelism;
+    this.orgIdentifier = orgIdentifier;
+    this.keys = keys;
+  }
+}

libs/common/src/auth/models/request/two-factor-email.request.ts

@@ -0,0 +1,7 @@
+import { SecretVerificationRequest } from "./secret-verification.request";
+
+export class TwoFactorEmailRequest extends SecretVerificationRequest {
+  email: string;
+  deviceIdentifier: string;
+  authRequestId: string;
+}

libs/common/src/auth/models/request/two-factor-provider.request.ts

@@ -0,0 +1,7 @@
+import { TwoFactorProviderType } from "../../enums/two-factor-provider-type";
+
+import { SecretVerificationRequest } from "./secret-verification.request";
+
+export class TwoFactorProviderRequest extends SecretVerificationRequest {
+  type: TwoFactorProviderType;
+}

libs/common/src/auth/models/request/two-factor-recovery.request.ts

@@ -0,0 +1,6 @@
+import { SecretVerificationRequest } from "./secret-verification.request";
+
+export class TwoFactorRecoveryRequest extends SecretVerificationRequest {
+  recoveryCode: string;
+  email: string;
+}

libs/common/src/auth/models/request/update-profile.request.ts

@@ -0,0 +1,10 @@
+export class UpdateProfileRequest {
+  name: string;
+  masterPasswordHint: string;
+  culture = "en-US"; // deprecated
+
+  constructor(name: string, masterPasswordHint: string) {
+    this.name = name;
+    this.masterPasswordHint = masterPasswordHint ? masterPasswordHint : null;
+  }
+}

libs/common/src/auth/models/request/update-two-factor-authenticator.request.ts

@@ -0,0 +1,6 @@
+import { SecretVerificationRequest } from "./secret-verification.request";
+
+export class UpdateTwoFactorAuthenticatorRequest extends SecretVerificationRequest {
+  token: string;
+  key: string;
+}

libs/common/src/auth/models/request/update-two-factor-duo.request.ts

@@ -0,0 +1,7 @@
+import { SecretVerificationRequest } from "./secret-verification.request";
+
+export class UpdateTwoFactorDuoRequest extends SecretVerificationRequest {
+  integrationKey: string;
+  secretKey: string;
+  host: string;
+}

libs/common/src/auth/models/request/update-two-factor-email.request.ts

@@ -0,0 +1,6 @@
+import { SecretVerificationRequest } from "./secret-verification.request";
+
+export class UpdateTwoFactorEmailRequest extends SecretVerificationRequest {
+  token: string;
+  email: string;
+}

libs/common/src/auth/models/request/update-two-factor-web-authn-delete.request.ts

@@ -0,0 +1,5 @@
+import { SecretVerificationRequest } from "./secret-verification.request";
+
+export class UpdateTwoFactorWebAuthnDeleteRequest extends SecretVerificationRequest {
+  id: number;
+}

libs/common/src/auth/models/request/update-two-factor-web-authn.request.ts

@@ -0,0 +1,7 @@
+import { SecretVerificationRequest } from "./secret-verification.request";
+
+export class UpdateTwoFactorWebAuthnRequest extends SecretVerificationRequest {
+  deviceResponse: PublicKeyCredential;
+  name: string;
+  id: number;
+}

libs/common/src/auth/models/request/update-two-factor-yubio-otp.request.ts

@@ -0,0 +1,10 @@
+import { SecretVerificationRequest } from "./secret-verification.request";
+
+export class UpdateTwoFactorYubioOtpRequest extends SecretVerificationRequest {
+  key1: string;
+  key2: string;
+  key3: string;
+  key4: string;
+  key5: string;
+  nfc: boolean;
+}

libs/common/src/auth/models/request/verify-otp.request.ts

@@ -0,0 +1,7 @@
+export class VerifyOTPRequest {
+  OTP: string;
+
+  constructor(OTP: string) {
+    this.OTP = OTP;
+  }
+}

libs/common/src/auth/models/response/api-key.response.ts

@@ -0,0 +1,12 @@
+import { BaseResponse } from "../../../models/response/base.response";
+
+export class ApiKeyResponse extends BaseResponse {
+  apiKey: string;
+  revisionDate: Date;
+
+  constructor(response: any) {
+    super(response);
+    this.apiKey = this.getResponseProperty("ApiKey");
+    this.revisionDate = new Date(this.getResponseProperty("RevisionDate"));
+  }
+}

libs/common/src/auth/models/response/auth-request.response.ts

@@ -0,0 +1,58 @@
+import { DeviceType } from "../../../enums/deviceType";
+import { BaseResponse } from "../../../models/response/base.response";
+
+const RequestTimeOut = 60000 * 15; //15 Minutes
+
+export class AuthRequestResponse extends BaseResponse {
+  id: string;
+  publicKey: string;
+  requestDeviceType: DeviceType;
+  requestIpAddress: string;
+  key: string;
+  masterPasswordHash: string;
+  creationDate: string;
+  requestApproved?: boolean;
+  requestFingerprint?: string;
+  responseDate?: string;
+  isAnswered: boolean;
+  isExpired: boolean;
+
+  constructor(response: any) {
+    super(response);
+    this.id = this.getResponseProperty("Id");
+    this.publicKey = this.getResponseProperty("PublicKey");
+    this.requestDeviceType = this.getResponseProperty("RequestDeviceType");
+    this.requestIpAddress = this.getResponseProperty("RequestIpAddress");
+    this.key = this.getResponseProperty("Key");
+    this.masterPasswordHash = this.getResponseProperty("MasterPasswordHash");
+    this.creationDate = this.getResponseProperty("CreationDate");
+    this.requestApproved = this.getResponseProperty("RequestApproved");
+    this.requestFingerprint = this.getResponseProperty("RequestFingerprint");
+    this.responseDate = this.getResponseProperty("ResponseDate");
+
+    const requestDate = new Date(this.creationDate);
+    const requestDateUTC = Date.UTC(
+      requestDate.getUTCFullYear(),
+      requestDate.getUTCMonth(),
+      requestDate.getDate(),
+      requestDate.getUTCHours(),
+      requestDate.getUTCMinutes(),
+      requestDate.getUTCSeconds(),
+      requestDate.getUTCMilliseconds()
+    );
+
+    const dateNow = new Date(Date.now());
+    const dateNowUTC = Date.UTC(
+      dateNow.getUTCFullYear(),
+      dateNow.getUTCMonth(),
+      dateNow.getDate(),
+      dateNow.getUTCHours(),
+      dateNow.getUTCMinutes(),
+      dateNow.getUTCSeconds(),
+      dateNow.getUTCMilliseconds()
+    );
+
+    this.isExpired = dateNowUTC - requestDateUTC >= RequestTimeOut;
+    this.isAnswered = this.requestApproved != null && this.responseDate != null;
+  }
+}

libs/common/src/auth/models/response/captcha-protected.response.ts

@@ -0,0 +1,3 @@
+export interface ICaptchaProtectedResponse {
+  captchaBypassToken: string;
+}

libs/common/src/auth/models/response/device-verification.response.ts

@@ -0,0 +1,16 @@
+import { BaseResponse } from "../../../models/response/base.response";
+
+export class DeviceVerificationResponse extends BaseResponse {
+  isDeviceVerificationSectionEnabled: boolean;
+  unknownDeviceVerificationEnabled: boolean;
+
+  constructor(response: any) {
+    super(response);
+    this.isDeviceVerificationSectionEnabled = this.getResponseProperty(
+      "IsDeviceVerificationSectionEnabled"
+    );
+    this.unknownDeviceVerificationEnabled = this.getResponseProperty(
+      "UnknownDeviceVerificationEnabled"
+    );
+  }
+}

libs/common/src/auth/models/response/device.response.ts

@@ -0,0 +1,19 @@
+import { DeviceType } from "../../../enums/deviceType";
+import { BaseResponse } from "../../../models/response/base.response";
+
+export class DeviceResponse extends BaseResponse {
+  id: string;
+  name: number;
+  identifier: string;
+  type: DeviceType;
+  creationDate: string;
+
+  constructor(response: any) {
+    super(response);
+    this.id = this.getResponseProperty("Id");
+    this.name = this.getResponseProperty("Name");
+    this.identifier = this.getResponseProperty("Identifier");
+    this.type = this.getResponseProperty("Type");
+    this.creationDate = this.getResponseProperty("CreationDate");
+  }
+}

libs/common/src/auth/models/response/emergency-access.response.ts

@@ -0,0 +1,89 @@
+import { KdfType } from "../../../enums/kdfType";
+import { BaseResponse } from "../../../models/response/base.response";
+import { CipherResponse } from "../../../vault/models/response/cipher.response";
+import { EmergencyAccessStatusType } from "../../enums/emergency-access-status-type";
+import { EmergencyAccessType } from "../../enums/emergency-access-type";
+
+export class EmergencyAccessGranteeDetailsResponse extends BaseResponse {
+  id: string;
+  granteeId: string;
+  name: string;
+  email: string;
+  type: EmergencyAccessType;
+  status: EmergencyAccessStatusType;
+  waitTimeDays: number;
+  creationDate: string;
+  avatarColor: string;
+
+  constructor(response: any) {
+    super(response);
+    this.id = this.getResponseProperty("Id");
+    this.granteeId = this.getResponseProperty("GranteeId");
+    this.name = this.getResponseProperty("Name");
+    this.email = this.getResponseProperty("Email");
+    this.type = this.getResponseProperty("Type");
+    this.status = this.getResponseProperty("Status");
+    this.waitTimeDays = this.getResponseProperty("WaitTimeDays");
+    this.creationDate = this.getResponseProperty("CreationDate");
+    this.avatarColor = this.getResponseProperty("AvatarColor");
+  }
+}
+
+export class EmergencyAccessGrantorDetailsResponse extends BaseResponse {
+  id: string;
+  grantorId: string;
+  name: string;
+  email: string;
+  type: EmergencyAccessType;
+  status: EmergencyAccessStatusType;
+  waitTimeDays: number;
+  creationDate: string;
+  avatarColor: string;
+
+  constructor(response: any) {
+    super(response);
+    this.id = this.getResponseProperty("Id");
+    this.grantorId = this.getResponseProperty("GrantorId");
+    this.name = this.getResponseProperty("Name");
+    this.email = this.getResponseProperty("Email");
+    this.type = this.getResponseProperty("Type");
+    this.status = this.getResponseProperty("Status");
+    this.waitTimeDays = this.getResponseProperty("WaitTimeDays");
+    this.creationDate = this.getResponseProperty("CreationDate");
+    this.avatarColor = this.getResponseProperty("AvatarColor");
+  }
+}
+
+export class EmergencyAccessTakeoverResponse extends BaseResponse {
+  keyEncrypted: string;
+  kdf: KdfType;
+  kdfIterations: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;
+
+  constructor(response: any) {
+    super(response);
+
+    this.keyEncrypted = this.getResponseProperty("KeyEncrypted");
+    this.kdf = this.getResponseProperty("Kdf");
+    this.kdfIterations = this.getResponseProperty("KdfIterations");
+    this.kdfMemory = this.getResponseProperty("KdfMemory");
+    this.kdfParallelism = this.getResponseProperty("KdfParallelism");
+  }
+}
+
+export class EmergencyAccessViewResponse extends BaseResponse {
+  keyEncrypted: string;
+  ciphers: CipherResponse[] = [];
+
+  constructor(response: any) {
+    super(response);
+
+    this.keyEncrypted = this.getResponseProperty("KeyEncrypted");
+
+    const ciphers = this.getResponseProperty("Ciphers");
+    if (ciphers != null) {
+      this.ciphers = ciphers.map((c: any) => new CipherResponse(c));
+    }
+  }
+}

libs/common/src/auth/models/response/identity-captcha.response.ts

@@ -0,0 +1,10 @@
+import { BaseResponse } from "../../../models/response/base.response";
+
+export class IdentityCaptchaResponse extends BaseResponse {
+  siteKey: string;
+
+  constructor(response: any) {
+    super(response);
+    this.siteKey = this.getResponseProperty("HCaptcha_SiteKey");
+  }
+}

libs/common/src/auth/models/response/identity-token.response.ts

@@ -0,0 +1,41 @@
+import { KdfType } from "../../../enums/kdfType";
+import { BaseResponse } from "../../../models/response/base.response";
+
+export class IdentityTokenResponse extends BaseResponse {
+  accessToken: string;
+  expiresIn: number;
+  refreshToken: string;
+  tokenType: string;
+
+  resetMasterPassword: boolean;
+  privateKey: string;
+  key: string;
+  twoFactorToken: string;
+  kdf: KdfType;
+  kdfIterations: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;
+  forcePasswordReset: boolean;
+  apiUseKeyConnector: boolean;
+  keyConnectorUrl: string;
+
+  constructor(response: any) {
+    super(response);
+    this.accessToken = response.access_token;
+    this.expiresIn = response.expires_in;
+    this.refreshToken = response.refresh_token;
+    this.tokenType = response.token_type;
+
+    this.resetMasterPassword = this.getResponseProperty("ResetMasterPassword");
+    this.privateKey = this.getResponseProperty("PrivateKey");
+    this.key = this.getResponseProperty("Key");
+    this.twoFactorToken = this.getResponseProperty("TwoFactorToken");
+    this.kdf = this.getResponseProperty("Kdf");
+    this.kdfIterations = this.getResponseProperty("KdfIterations");
+    this.kdfMemory = this.getResponseProperty("KdfMemory");
+    this.kdfParallelism = this.getResponseProperty("KdfParallelism");
+    this.forcePasswordReset = this.getResponseProperty("ForcePasswordReset");
+    this.apiUseKeyConnector = this.getResponseProperty("ApiUseKeyConnector");
+    this.keyConnectorUrl = this.getResponseProperty("KeyConnectorUrl");
+  }
+}

libs/common/src/auth/models/response/identity-two-factor.response.ts

@@ -0,0 +1,23 @@
+import { BaseResponse } from "../../../models/response/base.response";
+import { TwoFactorProviderType } from "../../enums/two-factor-provider-type";
+
+export class IdentityTwoFactorResponse extends BaseResponse {
+  twoFactorProviders: TwoFactorProviderType[];
+  twoFactorProviders2 = new Map<TwoFactorProviderType, { [key: string]: string }>();
+  captchaToken: string;
+
+  constructor(response: any) {
+    super(response);
+    this.captchaToken = this.getResponseProperty("CaptchaBypassToken");
+    this.twoFactorProviders = this.getResponseProperty("TwoFactorProviders");
+    const twoFactorProviders2 = this.getResponseProperty("TwoFactorProviders2");
+    if (twoFactorProviders2 != null) {
+      for (const prop in twoFactorProviders2) {
+        // eslint-disable-next-line
+        if (twoFactorProviders2.hasOwnProperty(prop)) {
+          this.twoFactorProviders2.set(parseInt(prop, null), twoFactorProviders2[prop]);
+        }
+      }
+    }
+  }
+}

libs/common/src/auth/models/response/key-connector-user-key.response.ts

@@ -0,0 +1,10 @@
+import { BaseResponse } from "../../../models/response/base.response";
+
+export class KeyConnectorUserKeyResponse extends BaseResponse {
+  key: string;
+
+  constructor(response: any) {
+    super(response);
+    this.key = this.getResponseProperty("Key");
+  }
+}

libs/common/src/auth/models/response/organization-sso.response.ts

@@ -0,0 +1,37 @@
+import { BaseResponse } from "../../../models/response/base.response";
+import { SsoConfigApi } from "../api/sso-config.api";
+
+export class OrganizationSsoResponse extends BaseResponse {
+  enabled: boolean;
+  identifier: string;
+  data: SsoConfigApi;
+  urls: SsoUrls;
+
+  constructor(response: any) {
+    super(response);
+    this.enabled = this.getResponseProperty("Enabled");
+    this.identifier = this.getResponseProperty("Identifier");
+    this.data =
+      this.getResponseProperty("Data") != null
+        ? new SsoConfigApi(this.getResponseProperty("Data"))
+        : null;
+    this.urls = new SsoUrls(this.getResponseProperty("Urls"));
+  }
+}
+
+class SsoUrls extends BaseResponse {
+  callbackPath: string;
+  signedOutCallbackPath: string;
+  spEntityId: string;
+  spMetadataUrl: string;
+  spAcsUrl: string;
+
+  constructor(response: any) {
+    super(response);
+    this.callbackPath = this.getResponseProperty("CallbackPath");
+    this.signedOutCallbackPath = this.getResponseProperty("SignedOutCallbackPath");
+    this.spEntityId = this.getResponseProperty("SpEntityId");
+    this.spMetadataUrl = this.getResponseProperty("SpMetadataUrl");
+    this.spAcsUrl = this.getResponseProperty("SpAcsUrl");
+  }
+}

libs/common/src/auth/models/response/prelogin.response.ts

@@ -0,0 +1,17 @@
+import { KdfType } from "../../../enums/kdfType";
+import { BaseResponse } from "../../../models/response/base.response";
+
+export class PreloginResponse extends BaseResponse {
+  kdf: KdfType;
+  kdfIterations: number;
+  kdfMemory?: number;
+  kdfParallelism?: number;
+
+  constructor(response: any) {
+    super(response);
+    this.kdf = this.getResponseProperty("Kdf");
+    this.kdfIterations = this.getResponseProperty("KdfIterations");
+    this.kdfMemory = this.getResponseProperty("KdfMemory");
+    this.kdfParallelism = this.getResponseProperty("KdfParallelism");
+  }
+}

libs/common/src/auth/models/response/register.response.ts

@@ -0,0 +1,12 @@
+import { BaseResponse } from "../../../models/response/base.response";
+
+import { ICaptchaProtectedResponse } from "./captcha-protected.response";
+
+export class RegisterResponse extends BaseResponse implements ICaptchaProtectedResponse {
+  captchaBypassToken: string;
+
+  constructor(response: any) {
+    super(response);
+    this.captchaBypassToken = this.getResponseProperty("CaptchaBypassToken");
+  }
+}

libs/common/src/auth/models/response/sso-pre-validate.response.ts

@@ -0,0 +1,10 @@
+import { BaseResponse } from "../../../models/response/base.response";
+
+export class SsoPreValidateResponse extends BaseResponse {
+  token: string;
+
+  constructor(response: any) {
+    super(response);
+    this.token = this.getResponseProperty("Token");
+  }
+}

libs/common/src/auth/models/response/two-factor-authenticator.response.ts

@@ -0,0 +1,12 @@
+import { BaseResponse } from "../../../models/response/base.response";
+
+export class TwoFactorAuthenticatorResponse extends BaseResponse {
+  enabled: boolean;
+  key: string;
+
+  constructor(response: any) {
+    super(response);
+    this.enabled = this.getResponseProperty("Enabled");
+    this.key = this.getResponseProperty("Key");
+  }
+}

libs/common/src/auth/models/response/two-factor-duo.response.ts

@@ -0,0 +1,16 @@
+import { BaseResponse } from "../../../models/response/base.response";
+
+export class TwoFactorDuoResponse extends BaseResponse {
+  enabled: boolean;
+  host: string;
+  secretKey: string;
+  integrationKey: string;
+
+  constructor(response: any) {
+    super(response);
+    this.enabled = this.getResponseProperty("Enabled");
+    this.host = this.getResponseProperty("Host");
+    this.secretKey = this.getResponseProperty("SecretKey");
+    this.integrationKey = this.getResponseProperty("IntegrationKey");
+  }
+}

libs/common/src/auth/models/response/two-factor-email.response.ts

@@ -0,0 +1,12 @@
+import { BaseResponse } from "../../../models/response/base.response";
+
+export class TwoFactorEmailResponse extends BaseResponse {
+  enabled: boolean;
+  email: string;
+
+  constructor(response: any) {
+    super(response);
+    this.enabled = this.getResponseProperty("Enabled");
+    this.email = this.getResponseProperty("Email");
+  }
+}

libs/common/src/auth/models/response/two-factor-provider.response.ts

@@ -0,0 +1,13 @@
+import { BaseResponse } from "../../../models/response/base.response";
+import { TwoFactorProviderType } from "../../enums/two-factor-provider-type";
+
+export class TwoFactorProviderResponse extends BaseResponse {
+  enabled: boolean;
+  type: TwoFactorProviderType;
+
+  constructor(response: any) {
+    super(response);
+    this.enabled = this.getResponseProperty("Enabled");
+    this.type = this.getResponseProperty("Type");
+  }
+}

libs/common/src/auth/models/response/two-factor-recover.response.ts

@@ -0,0 +1,10 @@
+import { BaseResponse } from "../../../models/response/base.response";
+
+export class TwoFactorRecoverResponse extends BaseResponse {
+  code: string;
+
+  constructor(response: any) {
+    super(response);
+    this.code = this.getResponseProperty("Code");
+  }
+}

libs/common/src/auth/models/response/two-factor-web-authn.response.ts

@@ -0,0 +1,59 @@
+import { Utils } from "../../../misc/utils";
+import { BaseResponse } from "../../../models/response/base.response";
+
+export class TwoFactorWebAuthnResponse extends BaseResponse {
+  enabled: boolean;
+  keys: KeyResponse[];
+
+  constructor(response: any) {
+    super(response);
+    this.enabled = this.getResponseProperty("Enabled");
+    const keys = this.getResponseProperty("Keys");
+    this.keys = keys == null ? null : keys.map((k: any) => new KeyResponse(k));
+  }
+}
+
+export class KeyResponse extends BaseResponse {
+  name: string;
+  id: number;
+  migrated: boolean;
+
+  constructor(response: any) {
+    super(response);
+    this.name = this.getResponseProperty("Name");
+    this.id = this.getResponseProperty("Id");
+    this.migrated = this.getResponseProperty("Migrated");
+  }
+}
+
+export class ChallengeResponse extends BaseResponse implements PublicKeyCredentialCreationOptions {
+  attestation?: AttestationConveyancePreference;
+  authenticatorSelection?: AuthenticatorSelectionCriteria;
+  challenge: BufferSource;
+  excludeCredentials?: PublicKeyCredentialDescriptor[];
+  extensions?: AuthenticationExtensionsClientInputs;
+  pubKeyCredParams: PublicKeyCredentialParameters[];
+  rp: PublicKeyCredentialRpEntity;
+  timeout?: number;
+  user: PublicKeyCredentialUserEntity;
+
+  constructor(response: any) {
+    super(response);
+    this.attestation = this.getResponseProperty("attestation");
+    this.authenticatorSelection = this.getResponseProperty("authenticatorSelection");
+    this.challenge = Utils.fromUrlB64ToArray(this.getResponseProperty("challenge"));
+    this.excludeCredentials = this.getResponseProperty("excludeCredentials").map((c: any) => {
+      c.id = Utils.fromUrlB64ToArray(c.id).buffer;
+      return c;
+    });
+    this.extensions = this.getResponseProperty("extensions");
+    this.pubKeyCredParams = this.getResponseProperty("pubKeyCredParams");
+    this.rp = this.getResponseProperty("rp");
+    this.timeout = this.getResponseProperty("timeout");
+
+    const user = this.getResponseProperty("user");
+    user.id = Utils.fromUrlB64ToArray(user.id);
+
+    this.user = user;
+  }
+}

libs/common/src/auth/models/response/two-factor-yubi-key.response.ts

@@ -0,0 +1,22 @@
+import { BaseResponse } from "../../../models/response/base.response";
+
+export class TwoFactorYubiKeyResponse extends BaseResponse {
+  enabled: boolean;
+  key1: string;
+  key2: string;
+  key3: string;
+  key4: string;
+  key5: string;
+  nfc: boolean;
+
+  constructor(response: any) {
+    super(response);
+    this.enabled = this.getResponseProperty("Enabled");
+    this.key1 = this.getResponseProperty("Key1");
+    this.key2 = this.getResponseProperty("Key2");
+    this.key3 = this.getResponseProperty("Key3");
+    this.key4 = this.getResponseProperty("Key4");
+    this.key5 = this.getResponseProperty("Key5");
+    this.nfc = this.getResponseProperty("Nfc");
+  }
+}

libs/common/src/auth/models/view/sso-config.view.ts

@@ -0,0 +1,103 @@
+import { View } from "../../../models/view/view";
+import {
+  OpenIdConnectRedirectBehavior,
+  Saml2BindingType,
+  Saml2NameIdFormat,
+  Saml2SigningBehavior,
+  SsoType,
+} from "../../enums/sso";
+import { SsoConfigApi } from "../api/sso-config.api";
+
+export class SsoConfigView extends View {
+  configType: SsoType;
+
+  keyConnectorEnabled: boolean;
+  keyConnectorUrl: string;
+
+  openId: {
+    authority: string;
+    clientId: string;
+    clientSecret: string;
+    metadataAddress: string;
+    redirectBehavior: OpenIdConnectRedirectBehavior;
+    getClaimsFromUserInfoEndpoint: boolean;
+    additionalScopes: string;
+    additionalUserIdClaimTypes: string;
+    additionalEmailClaimTypes: string;
+    additionalNameClaimTypes: string;
+    acrValues: string;
+    expectedReturnAcrValue: string;
+  };
+
+  saml: {
+    spNameIdFormat: Saml2NameIdFormat;
+    spOutboundSigningAlgorithm: string;
+    spSigningBehavior: Saml2SigningBehavior;
+    spMinIncomingSigningAlgorithm: string;
+    spWantAssertionsSigned: boolean;
+    spValidateCertificates: boolean;
+
+    idpEntityId: string;
+    idpBindingType: Saml2BindingType;
+    idpSingleSignOnServiceUrl: string;
+    idpSingleLogoutServiceUrl: string;
+    idpX509PublicCert: string;
+    idpOutboundSigningAlgorithm: string;
+    idpAllowUnsolicitedAuthnResponse: boolean;
+    idpAllowOutboundLogoutRequests: boolean;
+    idpWantAuthnRequestsSigned: boolean;
+  };
+
+  constructor(api: SsoConfigApi) {
+    super();
+    if (api == null) {
+      return;
+    }
+
+    this.configType = api.configType;
+
+    this.keyConnectorEnabled = api.keyConnectorEnabled;
+    this.keyConnectorUrl = api.keyConnectorUrl;
+
+    if (this.configType === SsoType.OpenIdConnect) {
+      this.openId = {
+        authority: api.authority,
+        clientId: api.clientId,
+        clientSecret: api.clientSecret,
+        metadataAddress: api.metadataAddress,
+        redirectBehavior: api.redirectBehavior,
+        getClaimsFromUserInfoEndpoint: api.getClaimsFromUserInfoEndpoint,
+        additionalScopes: api.additionalScopes,
+        additionalUserIdClaimTypes: api.additionalUserIdClaimTypes,
+        additionalEmailClaimTypes: api.additionalEmailClaimTypes,
+        additionalNameClaimTypes: api.additionalNameClaimTypes,
+        acrValues: api.acrValues,
+        expectedReturnAcrValue: api.expectedReturnAcrValue,
+      };
+    } else if (this.configType === SsoType.Saml2) {
+      this.saml = {
+        spNameIdFormat: api.spNameIdFormat,
+        spOutboundSigningAlgorithm: api.spOutboundSigningAlgorithm,
+        spSigningBehavior: api.spSigningBehavior,
+        spMinIncomingSigningAlgorithm: api.spMinIncomingSigningAlgorithm,
+        spWantAssertionsSigned: api.spWantAssertionsSigned,
+        spValidateCertificates: api.spValidateCertificates,
+
+        idpEntityId: api.idpEntityId,
+        idpBindingType: api.idpBindingType,
+        idpSingleSignOnServiceUrl: api.idpSingleSignOnServiceUrl,
+        idpSingleLogoutServiceUrl: api.idpSingleLogoutServiceUrl,
+        idpX509PublicCert: api.idpX509PublicCert,
+        idpOutboundSigningAlgorithm: api.idpOutboundSigningAlgorithm,
+        idpAllowUnsolicitedAuthnResponse: api.idpAllowUnsolicitedAuthnResponse,
+        idpWantAuthnRequestsSigned: api.idpWantAuthnRequestsSigned,
+
+        // Value is inverted in the view model (allow instead of disable)
+        idpAllowOutboundLogoutRequests:
+          api.idpDisableOutboundLogoutRequests == null
+            ? null
+            : !api.idpDisableOutboundLogoutRequests,
+      };
+    }
+  }
+}