feat: Adds Token Vault support#255
Merged
Merged
Conversation
nandan-bhat
approved these changes
Jun 29, 2026
nandan-bhat
approved these changes
Jun 29, 2026
Merged
This was referenced Jul 8, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR adds Token Vault (federated connection access token) retrieval to the SDK. It lets a web app obtain a third-party API access token (for a federated connection such as Google, GitHub, or Slack) for the logged-in user by exchanging the session's refresh token - without running a separate provider OAuth flow.
Public API added:
HttpContext.GetAccessTokenForConnectionAsync(AccessTokenForConnectionRequest request, string? scheme = null)→Task<string?>— the caching entry point. Serves an unexpired cached connection token from the session, otherwise exchanges the refresh token and persists the result. Returnsnull(does not throw) when no refresh token is present or the exchange is rejected.AccessTokenForConnectionRequest— request type withConnection(required),LoginHint(optional, the provider-side IdP user ID), andForceRefresh(bypass cache).References
Testing
New integration tests cover the load-bearing behaviors:
TokenClientTests- the federated-connection grant sends byte-exact grant parameters (grant_type,subject_token_type,requested_token_type,subject_token,connection, optionallogin_hint), explicitly asserts noscopeis sent, and surfaces failures asTokenRefreshResult.Failure.ConnectionTokenSetHelpersTests- find matches by connection only, upsert replaces (not duplicates) the same-connection entry, expired entries are pruned, and a single consistent timestamp is used for pruning and the new entry's expiry.HttpContextExtensionsTests- cache hit serves without a backchannel call;ForceRefreshbypasses the cache and persists the new token; missing refresh token firesOnMissingRefreshTokenand returnsnull; a rejected exchange firesOnAccessTokenRefreshFailedand returnsnull.This change adds test coverage for new/changed/fixed functionality
Checklist
main