feat(customTokenExchange): promote actor_token, organization, requested_token_type to first-class options #834
Open
cschetan77 wants to merge 2 commits into
…ed_token_type to first-class options

- Promote `actor_token`, `actor_token_type`, `requested_token_type`, and `organization` from `extra` passthrough to named first-class options on `customTokenExchange`, consistent with the CTE implementation in `@auth0/auth0-auth-js` and `@auth0/auth0-server-js`
- Add all four to `PARAM_DENYLIST` so they cannot be accidentally double-set via `extra` (actor_token/type must be paired and validated together; organization affects tenant context and must be explicit)
- Validate that `actor_token_type` is required when `actor_token` is provided, throwing HTTP 400 before hitting the network
- Extract and expose the `act` claim on the response for delegation flows: checks `id_token` claims first (via openid-client's `claims()` helper), falls back to decoding the JWT access token, silently skips opaque tokens
- Add `ActClaim` interface and `act` field to `TokenExchangeResponse` in `index.d.ts`; update `extra` type to accept `string[]` values
- Update unit tests: migrate existing actor/organization tests to first-class options, add coverage for `requested_token_type`, `actor_token_type` validation, and `act` claim extraction
Summary
Changes
lib/context.js

- Promoted `actor_token`, `actor_token_type`, `requested_token_type`, and `organization` from `extra` passthrough to named first-class options on `req.oidc.customTokenExchange()`
- Added all four to `PARAM_DENYLIST`: `actor_token`/`actor_token_type` must be paired and validated together; `organization` affects tenant context and must be explicit; `requested_token_type` has a dedicated field to make intent clear
- Validated that `actor_token_type` is required when `actor_token` is provided, throwing HTTP 400 before hitting the network
- Added an `extractActClaim()` helper that extracts the `act` claim from delegation exchange responses: checks `id_token` claims first (via openid-client's `claims()` helper), falls back to decoding the JWT access token for M2M flows, silently skips opaque tokens
- Attached the `act` claim to the returned result when `actor_token` was provided

index.d.ts

- Added `ActClaim` interface (`{ sub: string; [key: string]: unknown }`)
- Added `actor_token`, `actor_token_type`, `requested_token_type`, `organization` to `CustomTokenExchangeOptions`
- Added `act?: ActClaim` to `TokenExchangeResponse`
- Updated `extra` type to accept `string[]` values (consistent with `@auth0/auth0-auth-js`)

Updated usage
Unit tests updated
- Migrated the `organization` test from `extra` to the first-class option
- Replaced the `extra` actor test with dedicated first-class tests for `actor_token`/`actor_token_type` and `requested_token_type`
- Added: `actor_token` without `actor_token_type` → HTTP 400
- Added `act` claim extraction tests: extracted when `actor_token` is provided, absent when it is not

Test plan

- `npm test`: all 283 tests pass, no regressions
- `customTokenExchange` tests pass, including 6 new/updated cases