Skip to content

feat(skills): add auth0-custom-token-exchange skill#132

Open
brth31 wants to merge 1 commit into
mainfrom
feat/add-auth0-custom-token-exchange-skill
Open

feat(skills): add auth0-custom-token-exchange skill#132
brth31 wants to merge 1 commit into
mainfrom
feat/add-auth0-custom-token-exchange-skill

Conversation

@brth31

@brth31 brth31 commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

What this adds

Feature SKILL.md for Custom Token Exchange (RFC 8693) with @auth0/nextjs-auth0.

Teaches agents:

  • auth0.customTokenExchange() — server-side only, exact params
  • CustomTokenExchangeError + CustomTokenExchangeErrorCode — specific error handling from @auth0/nextjs-auth0/errors
  • Tenant config via CLI (POST /api/v2/token-exchange-profiles) and Terraform (auth0_token_exchange_profile)
  • subjectTokenType constraints (valid URI, 10–100 chars, no reserved namespaces)
  • Silent failure modes: token type mismatch, no profile, session assumption, delegation refresh token

Companion PR

Eval coverage: auth0/auth0-evals#57

Summary by CodeRabbit

  • Documentation
    • Added comprehensive guide for Auth0 custom token exchange, including configuration steps, server-side implementation examples, and troubleshooting documentation.

@github-actions

Copy link
Copy Markdown

❌ skillsaw — Issues found

Full report
Linting: /home/runner/work/agent-skills/agent-skills


Errors:
  ✗ ERROR [/home/runner/work/agent-skills/agent-skills/plugins/auth0/skills/auth0-custom-token-exchange]: Skill 'auth0-custom-token-exchange' exists but is not documented in README.md. Add an entry to the skills table linking to ./skills/auth0-custom-token-exchange/

Summary:
  Errors:   1
  Warnings: 0

skillsaw 0.4.3 · config · custom rules · run

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Copy link
Copy Markdown

Review Change Stack

Important

Review skipped

No new commits to review since the last review.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 8f38dbd1-aaca-4419-9f6d-7cf7ba710a41

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

A new skill documentation file plugins/auth0/skills/auth0-custom-token-exchange/SKILL.md is added. It documents the auth0.customTokenExchange() API (RFC 8693), a Next.js usage example with CustomTokenExchangeError handling, a delegation flow with actorToken, tenant configuration steps, Terraform snippets, failure modes, subjectTokenType validation rules, and an implementation checklist.

Changes

Auth0 Custom Token Exchange Skill Documentation

Layer / File(s) Summary
Frontmatter metadata and skill overview
plugins/auth0/skills/auth0-custom-token-exchange/SKILL.md
Defines skill document frontmatter (name, description, license, author, version, runtime requirements) and the overview section describing auth0.customTokenExchange() behavior, server-side-only constraint, AUTH0_CLIENT_SECRET requirement, and absence of session creation.
Next.js usage and delegation flow examples
plugins/auth0/skills/auth0-custom-token-exchange/SKILL.md
Documents a server-side Next.js route handler calling auth0.customTokenExchange() with CustomTokenExchangeError catch and HTTP status mapping, followed by the actorToken delegation flow noting act claim interpretation and result.refreshToken being undefined.
Tenant configuration, failure modes, and validation rules
plugins/auth0/skills/auth0-custom-token-exchange/SKILL.md
Covers Step 1 (Custom Token Exchange Action deployment with subject_token validation), Step 2 (token exchange profile creation), Terraform equivalents, common failure modes table, subjectTokenType formatting/matching rules, and the implementation checklist.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • rmad17
  • nandan-bhat

Poem

🐇 A new skill hops into the tree,
Token exchanges, server-side free!
With Actions and profiles aligned just right,
The act claim gleams, the session stays light.
No refresh token? That's fine by me —
RFC 8693, hop along with glee! 🌿

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'feat(skills): add auth0-custom-token-exchange skill' clearly and directly summarizes the main change—adding a new Auth0 custom token exchange skill documentation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/add-auth0-custom-token-exchange-skill

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@plugins/auth0/skills/auth0-custom-token-exchange/SKILL.md`:
- Around line 25-35: The SKILL.md file for auth0-custom-token-exchange is
missing two required sections according to the skill spec guidelines. Add a
Prerequisites section that lists what is needed to use
auth0.customTokenExchange() (such as Auth0 configuration, required environment
variables, and setup steps), and add a When Not to Use section that briefly
describes scenarios where this skill should not be used. Insert both sections
near the top of the document, after the opening description but before the "What
this does" section, to provide users with critical context before they attempt
to use the skill.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 98890351-308c-416b-995f-c59c62dd8625

📥 Commits

Reviewing files that changed from the base of the PR and between 838a181 and e52d900.

📒 Files selected for processing (1)
  • plugins/auth0/skills/auth0-custom-token-exchange/SKILL.md

Comment on lines +25 to +35
# Auth0 Custom Token Exchange

Exchange external tokens for Auth0 access tokens using RFC 8693. Works for legacy system migration, third-party federation, and agent delegation flows.

## What this does

`auth0.customTokenExchange()` calls Auth0's token endpoint server-side, presenting an external token (your `subjectToken`) and receiving an Auth0 access token in return. Auth0 validates the exchange via an Action you deploy, then issues the token scoped to your API audience.

**Critical constraint**: server-side only. The call requires `AUTH0_CLIENT_SECRET` — it cannot run in a Client Component.

**No session is created.** The exchange returns tokens only. `auth0.getSession()` will still return `null` after this call.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add the missing prerequisites and "when not to use" sections.

The skill spec calls for both, but this doc jumps straight into usage. Please add a short prerequisites block and a brief "when not to use" note near the top. As per coding guidelines, SKILL.md should document prerequisites and when NOT to use guidance.

🧰 Tools
🪛 SkillSpector (2.1.1)

[error] 3: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.

Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.

(Privilege Escalation (PE3))


[error] 27: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.

Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.

(Privilege Escalation (PE3))


[error] 31: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.

Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.

(Privilege Escalation (PE3))

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@plugins/auth0/skills/auth0-custom-token-exchange/SKILL.md` around lines 25 -
35, The SKILL.md file for auth0-custom-token-exchange is missing two required
sections according to the skill spec guidelines. Add a Prerequisites section
that lists what is needed to use auth0.customTokenExchange() (such as Auth0
configuration, required environment variables, and setup steps), and add a When
Not to Use section that briefly describes scenarios where this skill should not
be used. Insert both sections near the top of the document, after the opening
description but before the "What this does" section, to provide users with
critical context before they attempt to use the skill.

Source: Coding guidelines

@sanchitmehtagit

Copy link
Copy Markdown
Contributor

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants