Skip to content

Commit a0100b7

Browse files
committed
Resolved merge conflicts
2 parents 22d2997 + f385b36 commit a0100b7

12 files changed

Lines changed: 632 additions & 598 deletions

File tree

.github/workflows/codeql.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -36,7 +36,7 @@ jobs:
3636
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
3737

3838
- name: Checkout
39-
uses: actions/checkout@v6
39+
uses: actions/checkout@v7
4040

4141
- name: Initialize CodeQL
4242
uses: github/codeql-action/init@v4

.github/workflows/publish.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ jobs:
1212
if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
1313
runs-on: ubuntu-latest
1414
steps:
15-
- uses: actions/checkout@v6
15+
- uses: actions/checkout@v7
1616
with:
1717
fetch-depth: 0
1818
fetch-tags: true
@@ -61,7 +61,7 @@ jobs:
6161

6262
steps:
6363
- name: Checkout code
64-
uses: actions/checkout@v6
64+
uses: actions/checkout@v7
6565
with:
6666
fetch-depth: 0
6767
fetch-tags: true

.github/workflows/test.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,7 @@ jobs:
2626

2727
steps:
2828
- name: Checkout code
29-
uses: actions/checkout@v6
29+
uses: actions/checkout@v7
3030

3131
- name: Set up Python ${{ matrix.python-version }}
3232
uses: actions/setup-python@v6
@@ -43,7 +43,7 @@ jobs:
4343

4444
- name: Load cached venv
4545
id: cached-poetry-dependencies
46-
uses: actions/cache@v5
46+
uses: actions/cache@v6
4747
with:
4848
path: ./.venv
4949
key: venv-${{ runner.os }}-${{ matrix.python-version }}-${{ hashFiles('**/poetry.lock') }}

.version

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
1.0.0b10
1+
1.0.0b11

CHANGELOG.md

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,12 @@
11
# Change Log
22

3+
## [1.0.0b11](https://github.com/auth0/auth0-server-python/tree/1.0.0b11) (2026-06-25)
4+
[Full Changelog](https://github.com/auth0/auth0-server-python/compare/1.0.0b10...1.0.0b11)
5+
6+
**Added**
7+
- feat: Organisations support [\#114](https://github.com/auth0/auth0-server-python/pull/114) ([rmad17](https://github.com/rmad17))
8+
- feat: validate CTE actor token pairing and surface act claim for delegation/impersonation [\#122](https://github.com/auth0/auth0-server-python/pull/122) ([kishore7snehil](https://github.com/kishore7snehil))
9+
310
## [1.0.0b10](https://github.com/auth0/auth0-server-python/tree/1.0.0b10) (2026-04-24)
411
[Full Changelog](https://github.com/auth0/auth0-server-python/compare/1.0.0b9...1.0.0b10)
512

examples/CustomTokenExchange.md

Lines changed: 28 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -64,7 +64,7 @@ print(f"User logged in: {user['sub']}")
6464
6565
## 3. Actor Tokens (Delegation)
6666

67-
Enable delegation scenarios where one service acts on behalf of a user.
67+
Enable delegation scenarios where one party acts on behalf of a user. The acting party is supplied via `actor_token`, and Auth0 records it in the [`act` claim](https://datatracker.ietf.org/doc/html/rfc8693#section-4.1) on the issued tokens.
6868

6969
```python
7070
# Service acting on behalf of a user
@@ -77,8 +77,34 @@ response = await auth0.custom_token_exchange(
7777
audience="https://api.example.com"
7878
)
7979
)
80+
81+
# The actor claim is surfaced on the response. It may nest for delegation chains.
82+
if response.act:
83+
print(f"Acting party: {response.act['sub']}")
84+
```
85+
86+
> **NOTE**: `response.act` is read from the ID token. Auth0 writes the same `act` claim onto the issued access token as well, so they reflect the same acting party. The access token may be opaque, in which case `act` cannot be read off it directly - the ID token is where you read it.
87+
88+
When you establish a session with `login_with_custom_token_exchange()`, the `act` claim is persisted on the session user and can be read back later via `get_user()`:
89+
90+
```python
91+
result = await auth0.login_with_custom_token_exchange(
92+
LoginWithCustomTokenExchangeOptions(
93+
subject_token="user-access-token",
94+
subject_token_type="urn:ietf:params:oauth:token-type:access_token",
95+
actor_token="service-access-token",
96+
actor_token_type="urn:ietf:params:oauth:token-type:access_token",
97+
),
98+
store_options={"request": request, "response": response}
99+
)
100+
101+
user = result.state_data["user"]
102+
if user.get("act"):
103+
print(f"Acting party: {user['act']['sub']}")
80104
```
81105

106+
> **NOTE**: When an `actor_token` is present, Auth0 does not issue a refresh token (the `offline_access` scope is dropped). A subsequent refresh-token grant therefore cannot re-emit the `act` claim, so the acting party is fixed at exchange time.
107+
82108
## 4. Custom Authorization Parameters
83109

84110
Pass additional parameters to the token endpoint.
@@ -133,6 +159,7 @@ except CustomTokenExchangeError as e:
133159

134160
- `INVALID_TOKEN_FORMAT`: Token is empty, whitespace-only, or has "Bearer " prefix
135161
- `MISSING_ACTOR_TOKEN_TYPE`: `actor_token` provided without `actor_token_type`
162+
- `MISSING_ACTOR_TOKEN`: `actor_token_type` provided without `actor_token`
136163
- `TOKEN_EXCHANGE_FAILED`: General token exchange failure
137164
- `INVALID_RESPONSE`: Auth0 returned a non-JSON response
138165

0 commit comments

Comments
 (0)