Skip to content

feat: add actor token support for Custom Token Exchange impersonation & delegation#1595

Open
subhankarmaiti wants to merge 3 commits into
masterfrom
feat/custom-token-exchange-actor-token
Open

feat: add actor token support for Custom Token Exchange impersonation & delegation#1595
subhankarmaiti wants to merge 3 commits into
masterfrom
feat/custom-token-exchange-actor-token

Conversation

@subhankarmaiti

@subhankarmaiti subhankarmaiti commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

This PR adds support for delegation and impersonation in Custom Token Exchange flows, following RFC 8693 OAuth 2.0 Token Exchange.

You can now pass an actorToken (and its actorTokenType) to customTokenExchange to indicate the acting party in a delegation or impersonation scenario. When present, the issued tokens carry the act claim, which is now exposed on the user profile.

Supported on web, iOS, and Android.

  const credentials = await auth0.customTokenExchange({
    subjectToken: 'external-subject-token',                                                       
    subjectTokenType: 'urn:acme:legacy-token',
    actorToken: 'acting-party-token',                                                             
    actorTokenType: 'urn:ietf:params:oauth:token-type:id_token',                                
  });                                    

  // The acting-party claim is available on the decoded user profile:
  const user = auth0.auth.userInfo... // or via parseIdToken / useAuth0().user                    
  console.log(user.act); // { sub: '...', act: { ... } } for delegation chains    

Summary by CodeRabbit

  • New Features
    • Added delegation and impersonation support to RFC 8693 custom token exchange using optional actorToken/actorTokenType (web, iOS, Android).
    • Expose actor/impersonation details in the returned user’s act claim (including nested delegation information).
    • Updated sample app UI to collect and use actor tokens during custom token exchange.
  • Bug Fixes
    • Actor-token requests now fail immediately when only one of the paired parameters is provided.
    • Refresh token issuance is suppressed when an actor token is used.
  • Documentation
    • Added a new “Delegation & Impersonation (Actor Token)” subsection with prerequisites and behavior notes.
  • Tests
    • Added coverage for act preservation and actor-token validation/forwarding.

@subhankarmaiti subhankarmaiti requested a review from a team as a code owner July 15, 2026 07:20
@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 0fd0aa34-68e7-4801-a26a-eadd37332fd0

📥 Commits

Reviewing files that changed from the base of the PR and between 447a97e and da4a95b.

📒 Files selected for processing (3)
  • example/src/App.web.tsx
  • example/src/screens/class-based/ClassApiTests.tsx
  • src/core/utils/__tests__/validation.spec.ts
🚧 Files skipped from review as they are similar to previous changes (2)
  • example/src/screens/class-based/ClassApiTests.tsx
  • src/core/utils/tests/validation.spec.ts

📝 Walkthrough

Walkthrough

Custom token exchange now supports paired actor-token parameters across web, JavaScript, Android, and iOS paths. Validation prevents incomplete pairs, native requests construct actor tokens, user profiles expose act, and documentation and tests cover the new behavior.

Changes

Actor token custom exchange

Layer / File(s) Summary
Contracts and paired-parameter validation
src/types/parameters.ts, src/types/common.ts, src/specs/NativeA0Auth0.ts, src/platforms/native/bridge/INativeBridge.ts, src/core/utils/...
Public contracts include actor-token fields and the optional act claim; shared validation rejects incomplete pairs and is covered by tests.
Web exchange wiring
src/platforms/web/adapters/...
The web adapter validates actor parameters and conditionally sends actor_token and actor_token_type.
Native bridge and platform wiring
src/platforms/native/..., android/..., ios/...
Actor-token values are forwarded through native bridges and converted into Android and iOS actor-token objects, with bridge tests updated.
Example flow and documentation
example/src/..., EXAMPLES.md
The example apps expose actor-token exchange, and documentation describes setup, claims, and exchange constraints.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant App
  participant Auth0Client
  participant WebOrNativeBridge
  participant Auth0
  App->>Auth0Client: customTokenExchange(actorToken, actorTokenType)
  Auth0Client->>Auth0Client: validate paired parameters
  Auth0Client->>WebOrNativeBridge: forward actor-token parameters
  WebOrNativeBridge->>Auth0: exchange subject and actor tokens
Loading

Suggested reviewers: pmathew92

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: actor token support for Custom Token Exchange delegation and impersonation.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/custom-token-exchange-actor-token

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Comment thread ios/NativeBridge.swift Outdated
let finalScope = scope ?? "openid profile email"


var actor: ActorToken?

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

var actorToken: ActionToken?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated naming

Comment thread ios/NativeBridge.swift Outdated


var actor: ActorToken?
if let actorToken = actorToken, let actorTokenType = actorTokenType {

@NandanPrabhu NandanPrabhu Jul 15, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if let token = actorToken, let tokentype = actorTokenType {
actorToken = ActorToken(token: token, tokenType: tokenType)
}

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated naming

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🧹 Nitpick comments (1)
src/core/utils/__tests__/validation.spec.ts (1)

24-33: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Use Jest's built-in error matching.

The manual try/catch/throw pattern can be simplified into a single concise assertion using Jest's .toThrow() combined with expect.objectContaining().

♻️ Proposed fix
-  it('should throw with the invalid_actor_token_parameters code', () => {
-    try {
-      validateActorTokenParameters(undefined, 'urn:token-type');
-      throw new Error('Expected validateActorTokenParameters to throw');
-    } catch (e) {
-      expect(e).toBeInstanceOf(AuthError);
-      expect((e as AuthError).code).toBe('invalid_actor_token_parameters');
-    }
-  });
+  it('should throw with the invalid_actor_token_parameters code', () => {
+    expect(() => validateActorTokenParameters(undefined, 'urn:token-type')).toThrow(
+      expect.objectContaining({ code: 'invalid_actor_token_parameters' })
+    );
+  });
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/core/utils/__tests__/validation.spec.ts` around lines 24 - 33, Replace
the manual try/catch and fallback throw in the validation test with Jest’s
built-in error assertion around validateActorTokenParameters, using toThrow with
expect.objectContaining to verify the AuthError instance and
invalid_actor_token_parameters code.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/platforms/native/adapters/__tests__/NativeAuth0Client.spec.ts`:
- Around line 281-283: Remove the any casts from both customTokenExchange
assertions in src/platforms/native/adapters/__tests__/NativeAuth0Client.spec.ts
at lines 281-283 and 306-308, using the typed mock function directly or
jest.mocked(mockBridgeInstance.customTokenExchange). In
src/platforms/native/bridge/__tests__/NativeBridgeManager.spec.ts at lines
442-444, replace the any cast with an unknown-to-specific-type cast such as
Credentials, using the correct return type for the test.

In `@src/platforms/web/adapters/WebAuth0Client.ts`:
- Around line 265-266: Update the conditional property spreads in the
WebAuth0Client request payload to check actorToken and actorTokenType against
undefined rather than truthiness, ensuring empty-string values are included
consistently with validateActorTokenParameters and the paired fields are sent
together.

In `@src/types/common.ts`:
- Line 156: Update the act property in the relevant type definition to use
Record<string, unknown> instead of Record<string, any>, preserving its optional
nested actor-claim structure.

---

Nitpick comments:
In `@src/core/utils/__tests__/validation.spec.ts`:
- Around line 24-33: Replace the manual try/catch and fallback throw in the
validation test with Jest’s built-in error assertion around
validateActorTokenParameters, using toThrow with expect.objectContaining to
verify the AuthError instance and invalid_actor_token_parameters code.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 5e711f4b-b1ab-4117-804c-e1a9302fbd32

📥 Commits

Reviewing files that changed from the base of the PR and between 60d8ec7 and cc85b4e.

📒 Files selected for processing (16)
  • EXAMPLES.md
  • android/src/main/java/com/auth0/react/A0Auth0Module.kt
  • ios/NativeBridge.swift
  • src/core/models/__tests__/Auth0User.spec.ts
  • src/core/utils/__tests__/validation.spec.ts
  • src/core/utils/validation.ts
  • src/platforms/native/adapters/NativeAuth0Client.ts
  • src/platforms/native/adapters/__tests__/NativeAuth0Client.spec.ts
  • src/platforms/native/bridge/INativeBridge.ts
  • src/platforms/native/bridge/NativeBridgeManager.ts
  • src/platforms/native/bridge/__tests__/NativeBridgeManager.spec.ts
  • src/platforms/web/adapters/WebAuth0Client.ts
  • src/platforms/web/adapters/__tests__/WebAuth0Client.spec.ts
  • src/specs/NativeA0Auth0.ts
  • src/types/common.ts
  • src/types/parameters.ts

Comment thread src/platforms/native/adapters/__tests__/NativeAuth0Client.spec.ts Outdated
Comment thread src/platforms/web/adapters/WebAuth0Client.ts Outdated
Comment thread src/types/common.ts Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@example/src/screens/class-based/ClassApiTests.tsx`:
- Around line 238-253: Update the custom token exchange button’s disabled
condition in the actor-enabled test to also require actorTokenType, alongside
subjectToken, subjectTokenType, and actorToken. Keep the existing runTest and
customTokenExchange behavior unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 4a615615-4f7a-496a-bdba-9e1eae0ec5cb

📥 Commits

Reviewing files that changed from the base of the PR and between cc85b4e and 447a97e.

📒 Files selected for processing (9)
  • example/src/navigation/ClassDemoNavigator.tsx
  • example/src/screens/class-based/ClassApiTests.tsx
  • example/src/screens/class-based/ClassProfile.tsx
  • ios/A0Auth0.mm
  • ios/NativeBridge.swift
  • src/platforms/native/adapters/__tests__/NativeAuth0Client.spec.ts
  • src/platforms/native/bridge/__tests__/NativeBridgeManager.spec.ts
  • src/platforms/web/adapters/WebAuth0Client.ts
  • src/types/common.ts
🚧 Files skipped from review as they are similar to previous changes (4)
  • src/platforms/web/adapters/WebAuth0Client.ts
  • src/types/common.ts
  • src/platforms/native/adapters/tests/NativeAuth0Client.spec.ts
  • src/platforms/native/bridge/tests/NativeBridgeManager.spec.ts

Comment thread example/src/screens/class-based/ClassApiTests.tsx
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants