feat: add actor token support for Custom Token Exchange impersonation & delegation#1595
feat: add actor token support for Custom Token Exchange impersonation & delegation#1595subhankarmaiti wants to merge 3 commits into
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (3)
🚧 Files skipped from review as they are similar to previous changes (2)
📝 WalkthroughWalkthroughCustom token exchange now supports paired actor-token parameters across web, JavaScript, Android, and iOS paths. Validation prevents incomplete pairs, native requests construct actor tokens, user profiles expose ChangesActor token custom exchange
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant App
participant Auth0Client
participant WebOrNativeBridge
participant Auth0
App->>Auth0Client: customTokenExchange(actorToken, actorTokenType)
Auth0Client->>Auth0Client: validate paired parameters
Auth0Client->>WebOrNativeBridge: forward actor-token parameters
WebOrNativeBridge->>Auth0: exchange subject and actor tokens
Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ESLint
ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
| let finalScope = scope ?? "openid profile email" | ||
|
|
||
|
|
||
| var actor: ActorToken? |
There was a problem hiding this comment.
updated naming
|
|
||
|
|
||
| var actor: ActorToken? | ||
| if let actorToken = actorToken, let actorTokenType = actorTokenType { |
There was a problem hiding this comment.
if let token = actorToken, let tokentype = actorTokenType {
actorToken = ActorToken(token: token, tokenType: tokenType)
}
There was a problem hiding this comment.
updated naming
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (1)
src/core/utils/__tests__/validation.spec.ts (1)
24-33: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueUse Jest's built-in error matching.
The manual
try/catch/throwpattern can be simplified into a single concise assertion using Jest's.toThrow()combined withexpect.objectContaining().♻️ Proposed fix
- it('should throw with the invalid_actor_token_parameters code', () => { - try { - validateActorTokenParameters(undefined, 'urn:token-type'); - throw new Error('Expected validateActorTokenParameters to throw'); - } catch (e) { - expect(e).toBeInstanceOf(AuthError); - expect((e as AuthError).code).toBe('invalid_actor_token_parameters'); - } - }); + it('should throw with the invalid_actor_token_parameters code', () => { + expect(() => validateActorTokenParameters(undefined, 'urn:token-type')).toThrow( + expect.objectContaining({ code: 'invalid_actor_token_parameters' }) + ); + });🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/core/utils/__tests__/validation.spec.ts` around lines 24 - 33, Replace the manual try/catch and fallback throw in the validation test with Jest’s built-in error assertion around validateActorTokenParameters, using toThrow with expect.objectContaining to verify the AuthError instance and invalid_actor_token_parameters code.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/platforms/native/adapters/__tests__/NativeAuth0Client.spec.ts`:
- Around line 281-283: Remove the any casts from both customTokenExchange
assertions in src/platforms/native/adapters/__tests__/NativeAuth0Client.spec.ts
at lines 281-283 and 306-308, using the typed mock function directly or
jest.mocked(mockBridgeInstance.customTokenExchange). In
src/platforms/native/bridge/__tests__/NativeBridgeManager.spec.ts at lines
442-444, replace the any cast with an unknown-to-specific-type cast such as
Credentials, using the correct return type for the test.
In `@src/platforms/web/adapters/WebAuth0Client.ts`:
- Around line 265-266: Update the conditional property spreads in the
WebAuth0Client request payload to check actorToken and actorTokenType against
undefined rather than truthiness, ensuring empty-string values are included
consistently with validateActorTokenParameters and the paired fields are sent
together.
In `@src/types/common.ts`:
- Line 156: Update the act property in the relevant type definition to use
Record<string, unknown> instead of Record<string, any>, preserving its optional
nested actor-claim structure.
---
Nitpick comments:
In `@src/core/utils/__tests__/validation.spec.ts`:
- Around line 24-33: Replace the manual try/catch and fallback throw in the
validation test with Jest’s built-in error assertion around
validateActorTokenParameters, using toThrow with expect.objectContaining to
verify the AuthError instance and invalid_actor_token_parameters code.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 5e711f4b-b1ab-4117-804c-e1a9302fbd32
📒 Files selected for processing (16)
EXAMPLES.mdandroid/src/main/java/com/auth0/react/A0Auth0Module.ktios/NativeBridge.swiftsrc/core/models/__tests__/Auth0User.spec.tssrc/core/utils/__tests__/validation.spec.tssrc/core/utils/validation.tssrc/platforms/native/adapters/NativeAuth0Client.tssrc/platforms/native/adapters/__tests__/NativeAuth0Client.spec.tssrc/platforms/native/bridge/INativeBridge.tssrc/platforms/native/bridge/NativeBridgeManager.tssrc/platforms/native/bridge/__tests__/NativeBridgeManager.spec.tssrc/platforms/web/adapters/WebAuth0Client.tssrc/platforms/web/adapters/__tests__/WebAuth0Client.spec.tssrc/specs/NativeA0Auth0.tssrc/types/common.tssrc/types/parameters.ts
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@example/src/screens/class-based/ClassApiTests.tsx`:
- Around line 238-253: Update the custom token exchange button’s disabled
condition in the actor-enabled test to also require actorTokenType, alongside
subjectToken, subjectTokenType, and actorToken. Keep the existing runTest and
customTokenExchange behavior unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 4a615615-4f7a-496a-bdba-9e1eae0ec5cb
📒 Files selected for processing (9)
example/src/navigation/ClassDemoNavigator.tsxexample/src/screens/class-based/ClassApiTests.tsxexample/src/screens/class-based/ClassProfile.tsxios/A0Auth0.mmios/NativeBridge.swiftsrc/platforms/native/adapters/__tests__/NativeAuth0Client.spec.tssrc/platforms/native/bridge/__tests__/NativeBridgeManager.spec.tssrc/platforms/web/adapters/WebAuth0Client.tssrc/types/common.ts
🚧 Files skipped from review as they are similar to previous changes (4)
- src/platforms/web/adapters/WebAuth0Client.ts
- src/types/common.ts
- src/platforms/native/adapters/tests/NativeAuth0Client.spec.ts
- src/platforms/native/bridge/tests/NativeBridgeManager.spec.ts
This PR adds support for delegation and impersonation in Custom Token Exchange flows, following RFC 8693 OAuth 2.0 Token Exchange.
You can now pass an
actorToken(and itsactorTokenType) tocustomTokenExchangeto indicate the acting party in a delegation or impersonation scenario. When present, the issued tokens carry theactclaim, which is now exposed on the user profile.Supported on web, iOS, and Android.
Summary by CodeRabbit
actorToken/actorTokenType(web, iOS, Android).actclaim (including nested delegation information).actpreservation and actor-token validation/forwarding.