Skip to content

feat: Adds Custom Token Exchange support#258

Merged
kailash-b merged 4 commits into
mainfrom
feat/SDK-8842
Jun 30, 2026
Merged

feat: Adds Custom Token Exchange support#258
kailash-b merged 4 commits into
mainfrom
feat/SDK-8842

Conversation

@kailash-b

@kailash-b kailash-b commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

This PR adds support for Custom Token Exchange (RFC 8693) to the SDK, letting an application exchange an existing external/custom security token for Auth0 tokens without a browser redirect. The primary use cases are delegation/impersonation and agent-identity scenarios. It requires a configured Custom Token Exchange Profile and a validation Action in the Auth0 tenant.

The feature is exposed through a new HttpContext.CustomTokenExchangeAsync(CustomTokenExchangeRequest) extension method:

  • CustomTokenExchangeRequest describes the exchange: SubjectToken and SubjectTokenType (required), plus optional Audience, Scope, ActorToken/ActorTokenType (delegation pair), and Organization.

  • CustomTokenExchangeResult returns the exchanged tokens (AccessToken, IdToken, RefreshToken, ExpiresIn, Scope) and the decoded act (actor) claim (Act) for delegation flows.

  • CustomTokenExchangeException is thrown on client-side validation failures or token-endpoint rejections, carrying StatusCode, Error, and ErrorDescription for the latter. It never carries token-bearing bytes.

  • Stateless by design. CustomTokenExchangeAsync performs the exchange and returns the tokens but has no session side-effects — it does not sign the user in or write any cookie. The caller decides what (if anything) to persist.

  • Client-side validation (CustomTokenExchangeRequestValidator) runs before any network call: subject_token must be non-empty and must not include a Bearer prefix; subject_token_type must be a valid URI (URL or URN), 10–100 characters, and the reserved urn:ietf: and urn:auth0: namespaces are rejected; an actor token requires its matching type and vice-versa.

  • Delegation / impersonation. When an actor token pair is supplied, the act claim from the returned ID token is decoded and exposed on result.Act (ActClaimReader). The outermost Sub is the current actor; nested Act values are prior actors and are informational only. Auth0 suppresses the refresh token in delegation flows.

The exchange is implemented on TokenClient (ExchangeCustomToken) and integrates with the SDK's existing domain resolution (including Multiple Custom Domain support) and backchannel client.

References

Testing

Unit/integration tests were added covering the new functionality:

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not main

@kailash-b
kailash-b marked this pull request as ready for review June 30, 2026 07:09
@kailash-b
kailash-b requested a review from a team as a code owner June 30, 2026 07:09
@kailash-b kailash-b changed the title Feat/sdk 8842 feat: Adds Custom Token Exchange support Jun 30, 2026
Comment thread src/Auth0.AspNetCore.Authentication/HttpContextExtensions.cs
Comment thread src/Auth0.AspNetCore.Authentication/CustomTokenExchangeRequestValidator.cs Outdated
Comment thread src/Auth0.AspNetCore.Authentication/HttpContextExtensions.cs
Comment thread src/Auth0.AspNetCore.Authentication/CustomTokenExchangeRequestValidator.cs Outdated
Comment thread src/Auth0.AspNetCore.Authentication/CustomTokenExchangeRequestValidator.cs Outdated
Comment thread src/Auth0.AspNetCore.Authentication/CustomTokenExchangeException.cs Outdated
@kailash-b
kailash-b requested a review from nandan-bhat June 30, 2026 08:55
@kailash-b
kailash-b enabled auto-merge (squash) June 30, 2026 09:45
@kailash-b
kailash-b merged commit c6c1f83 into main Jun 30, 2026
9 checks passed
@kailash-b
kailash-b deleted the feat/SDK-8842 branch June 30, 2026 10:03
@kailash-b kailash-b mentioned this pull request Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants