Skip to content

feat: Adds Token Vault support#255

Merged
kailash-b merged 5 commits into
mainfrom
feat/SDK-9835
Jun 29, 2026
Merged

feat: Adds Token Vault support#255
kailash-b merged 5 commits into
mainfrom
feat/SDK-9835

Conversation

@kailash-b

@kailash-b kailash-b commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Description

This PR adds Token Vault (federated connection access token) retrieval to the SDK. It lets a web app obtain a third-party API access token (for a federated connection such as Google, GitHub, or Slack) for the logged-in user by exchanging the session's refresh token - without running a separate provider OAuth flow.

Public API added:

  • HttpContext.GetAccessTokenForConnectionAsync(AccessTokenForConnectionRequest request, string? scheme = null)Task<string?> — the caching entry point. Serves an unexpired cached connection token from the session, otherwise exchanges the refresh token and persists the result. Returns null (does not throw) when no refresh token is present or the exchange is rejected.
  • AccessTokenForConnectionRequest — request type with Connection (required), LoginHint (optional, the provider-side IdP user ID), and ForceRefresh (bypass cache).

References

Testing

New integration tests cover the load-bearing behaviors:

  • TokenClientTests - the federated-connection grant sends byte-exact grant parameters (grant_type, subject_token_type, requested_token_type, subject_token, connection, optional login_hint), explicitly asserts no scope is sent, and surfaces failures as TokenRefreshResult.Failure.

  • ConnectionTokenSetHelpersTests - find matches by connection only, upsert replaces (not duplicates) the same-connection entry, expired entries are pruned, and a single consistent timestamp is used for pruning and the new entry's expiry.

  • HttpContextExtensionsTests - cache hit serves without a backchannel call; ForceRefresh bypasses the cache and persists the new token; missing refresh token fires OnMissingRefreshToken and returns null; a rejected exchange fires OnAccessTokenRefreshFailed and returns null.

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not main

@kailash-b
kailash-b marked this pull request as ready for review June 26, 2026 05:51
@kailash-b
kailash-b requested a review from a team as a code owner June 26, 2026 05:51
@kailash-b
kailash-b merged commit 98f325d into main Jun 29, 2026
9 checks passed
@kailash-b
kailash-b deleted the feat/SDK-9835 branch June 29, 2026 08:52
@kailash-b kailash-b mentioned this pull request Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants