feat(customTokenExchange): promote actor_token, organization, requested_token_type to first-class options #834
Merged
…ed_token_type to first-class options

- Promote `actor_token`, `actor_token_type`, `requested_token_type`, and `organization` from `extra` passthrough to named first-class options on `customTokenExchange`, consistent with the CTE implementation in `@auth0/auth0-auth-js` and `@auth0/auth0-server-js`
- Add all four to `PARAM_DENYLIST` so they cannot be accidentally double-set via `extra` (actor_token/type must be paired and validated together; organization affects tenant context and must be explicit)
- Validate that `actor_token_type` is required when `actor_token` is provided, throwing HTTP 400 before hitting the network
- Extract and expose the `act` claim on the response for delegation flows: checks `id_token` claims first (via openid-client's `claims()` helper), falls back to decoding the JWT access token, silently skips opaque tokens
- Add `ActClaim` interface and `act` field to `TokenExchangeResponse` in `index.d.ts`; update `extra` type to accept `string[]` values
- Update unit tests: migrate existing actor/organization tests to first-class options, add coverage for `requested_token_type`, `actor_token_type` validation, and `act` claim extraction
38ac829 to 39d6552
nandan-bhat approved these changes on Jul 1, 2026
Summary

Changes

`lib/context.js`

- Promoted `actor_token`, `actor_token_type`, `requested_token_type`, and `organization` from `extra` passthrough to named first-class options on `req.oidc.customTokenExchange()`
- Added all four to `PARAM_DENYLIST`: `actor_token`/`actor_token_type` must be paired and validated together; `organization` affects tenant context and must be explicit; `requested_token_type` has a dedicated field to make intent clear
- `actor_token_type` is required when `actor_token` is provided, throwing HTTP 400 before hitting the network
- `validateSubjectToken()` fails fast on common mistakes before hitting the network: blank/whitespace-only values, leading/trailing whitespace, and an accidental `Bearer` prefix
- `organization` must not be blank when provided
- `extractActClaim()` helper that extracts the `act` claim from delegation exchange responses: checks `id_token` claims first (via openid-client's `claims()` helper), falls back to decoding the JWT access token for M2M flows, silently skips opaque tokens
- `act` claim attached to the returned result when `actor_token` was provided

`index.d.ts`

- `ActClaim` interface (`{ sub: string; [key: string]: unknown }`)
- `actor_token`, `actor_token_type`, `requested_token_type`, `organization` added to `CustomTokenExchangeOptions`
- `act?: ActClaim` added to `TokenExchangeResponse`
- `extra` type updated to accept `string[]` values

Updated usage

Unit tests updated

- Migrated the `organization` test from `extra` to the first-class option
- Replaced the `extra` actor test with dedicated first-class tests for `actor_token`/`actor_token_type` and `requested_token_type`
- `actor_token` without `actor_token_type` → HTTP 400, blank `organization` → HTTP 400
- `subject_token` validation tests: whitespace, Bearer prefix
- `act` claim extraction tests: extracted when `actor_token` provided, absent when it is not

Test plan

- `npm test`: all 320 tests pass, no regressions
- `customTokenExchange` tests pass, including 9 new/updated cases
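The pre-flight validation order and the `act` claim fallback described in this PR, as an added plain-Node example that is not the project's code: `HttpError`, `buildExchangeParams`, `FIRST_CLASS` and the denylist entries beyond the four promoted parameters are assumptions, and the JWT decoding is a hand-rolled stand-in for openid-client's `claims()`.

```javascript
// Added example, not the express-openid-connect code: a minimal model of the request-side
// validation and `act` claim extraction this PR describes. HttpError, buildExchangeParams and
// the exact denylist contents are assumptions; the grant_type URN is the RFC 8693 value.
const FIRST_CLASS = ['actor_token', 'actor_token_type', 'requested_token_type', 'organization'];
const PARAM_DENYLIST = new Set(['grant_type', 'subject_token', 'subject_token_type', ...FIRST_CLASS]);

class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Fail fast on common subject_token mistakes before any network call.
function validateSubjectToken(token) {
  if (typeof token !== 'string' || token.trim() === '') throw new HttpError(400, 'subject_token is required');
  if (token !== token.trim()) throw new HttpError(400, 'subject_token has leading/trailing whitespace');
  if (/^bearer\s/i.test(token)) throw new HttpError(400, 'subject_token must not carry a Bearer prefix');
}

// Build the token-exchange body: first-class options are explicit, `extra` may not shadow them.
function buildExchangeParams(opts) {
  validateSubjectToken(opts.subject_token);
  if (opts.actor_token !== undefined && !opts.actor_token_type) throw new HttpError(400, 'actor_token_type is required when actor_token is provided');
  if (opts.organization !== undefined && String(opts.organization).trim() === '') throw new HttpError(400, 'organization must not be blank');
  const extra = opts.extra || {};
  for (const key of Object.keys(extra)) {
    if (PARAM_DENYLIST.has(key)) throw new HttpError(400, `${key} must not be set via extra`);
  }
  const params = { ...extra, grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
    subject_token: opts.subject_token, subject_token_type: opts.subject_token_type };
  for (const k of FIRST_CLASS) if (opts[k] !== undefined) params[k] = opts[k];
  return params;
}

// Decode a JWT payload without signature verification (the token came straight from the token
// endpoint over TLS); returns undefined for opaque (non-JWT) tokens instead of throwing.
// Node's 'base64' decoder also accepts the URL-safe alphabet JWTs use.
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return undefined;
  try { return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8')); } catch { return undefined; }
}

// Prefer the id_token's act claim; fall back to a JWT access token (M2M); skip opaque tokens.
function extractActClaim(tokenSet) {
  const fromId = decodeJwtPayload(tokenSet.id_token);
  if (fromId && fromId.act) return fromId.act;
  const fromAt = decodeJwtPayload(tokenSet.access_token);
  return fromAt && fromAt.act ? fromAt.act : undefined;
}
```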