feat(skills): add auth0-custom-token-exchange skill#132
Conversation
❌ skillsaw — Issues foundFull report
|
|
Important Review skippedNo new commits to review since the last review. ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
📝 WalkthroughWalkthroughA new skill documentation file ChangesAuth0 Custom Token Exchange Skill Documentation
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@plugins/auth0/skills/auth0-custom-token-exchange/SKILL.md`:
- Around line 25-35: The SKILL.md file for auth0-custom-token-exchange is
missing two required sections according to the skill spec guidelines. Add a
Prerequisites section that lists what is needed to use
auth0.customTokenExchange() (such as Auth0 configuration, required environment
variables, and setup steps), and add a When Not to Use section that briefly
describes scenarios where this skill should not be used. Insert both sections
near the top of the document, after the opening description but before the "What
this does" section, to provide users with critical context before they attempt
to use the skill.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 98890351-308c-416b-995f-c59c62dd8625
📒 Files selected for processing (1)
plugins/auth0/skills/auth0-custom-token-exchange/SKILL.md
| # Auth0 Custom Token Exchange | ||
|
|
||
| Exchange external tokens for Auth0 access tokens using RFC 8693. Works for legacy system migration, third-party federation, and agent delegation flows. | ||
|
|
||
| ## What this does | ||
|
|
||
| `auth0.customTokenExchange()` calls Auth0's token endpoint server-side, presenting an external token (your `subjectToken`) and receiving an Auth0 access token in return. Auth0 validates the exchange via an Action you deploy, then issues the token scoped to your API audience. | ||
|
|
||
| **Critical constraint**: server-side only. The call requires `AUTH0_CLIENT_SECRET` — it cannot run in a Client Component. | ||
|
|
||
| **No session is created.** The exchange returns tokens only. `auth0.getSession()` will still return `null` after this call. |
There was a problem hiding this comment.
🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win
Add the missing prerequisites and "when not to use" sections.
The skill spec calls for both, but this doc jumps straight into usage. Please add a short prerequisites block and a brief "when not to use" note near the top. As per coding guidelines, SKILL.md should document prerequisites and when NOT to use guidance.
🧰 Tools
🪛 SkillSpector (2.1.1)
[error] 3: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.
Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.
(Privilege Escalation (PE3))
[error] 27: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.
Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.
(Privilege Escalation (PE3))
[error] 31: [PE3] Credential Access: Code accesses credential files (SSH keys, AWS credentials, etc.). This could indicate credential theft attempts.
Remediation: Remove references to credential paths. Use environment variables or secrets managers. For docs, use placeholder paths (e.g., /path/to/config). Never load .env or token files in production code paths.
(Privilege Escalation (PE3))
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@plugins/auth0/skills/auth0-custom-token-exchange/SKILL.md` around lines 25 -
35, The SKILL.md file for auth0-custom-token-exchange is missing two required
sections according to the skill spec guidelines. Add a Prerequisites section
that lists what is needed to use auth0.customTokenExchange() (such as Auth0
configuration, required environment variables, and setup steps), and add a When
Not to Use section that briefly describes scenarios where this skill should not
be used. Insert both sections near the top of the document, after the opening
description but before the "What this does" section, to provide users with
critical context before they attempt to use the skill.
Source: Coding guidelines
|
@coderabbitai review |
✅ Action performedReview finished.
|
What this adds
Feature SKILL.md for Custom Token Exchange (RFC 8693) with
@auth0/nextjs-auth0.Teaches agents:
auth0.customTokenExchange()— server-side only, exact paramsCustomTokenExchangeError+CustomTokenExchangeErrorCode— specific error handling from@auth0/nextjs-auth0/errorsPOST /api/v2/token-exchange-profiles) and Terraform (auth0_token_exchange_profile)subjectTokenTypeconstraints (valid URI, 10–100 chars, no reserved namespaces)Companion PR
Eval coverage: auth0/auth0-evals#57
Summary by CodeRabbit