You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: .github/workflows/codeql.yml
+1-1Lines changed: 1 addition & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -36,7 +36,7 @@ jobs:
36
36
run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
- feat: Organisations support [\#114](https://github.com/auth0/auth0-server-python/pull/114) ([rmad17](https://github.com/rmad17))
8
+
- feat: validate CTE actor token pairing and surface act claim for delegation/impersonation [\#122](https://github.com/auth0/auth0-server-python/pull/122) ([kishore7snehil](https://github.com/kishore7snehil))
Enable delegation scenarios where one service acts on behalf of a user.
67
+
Enable delegation scenarios where one party acts on behalf of a user. The acting party is supplied via `actor_token`, and Auth0 records it in the [`act` claim](https://datatracker.ietf.org/doc/html/rfc8693#section-4.1) on the issued tokens.
# The actor claim is surfaced on the response. It may nest for delegation chains.
82
+
if response.act:
83
+
print(f"Acting party: {response.act['sub']}")
84
+
```
85
+
86
+
> **NOTE**: `response.act` is read from the ID token. Auth0 writes the same `act` claim onto the issued access token as well, so they reflect the same acting party. The access token may be opaque, in which case `act` cannot be read off it directly - the ID token is where you read it.
87
+
88
+
When you establish a session with `login_with_custom_token_exchange()`, the `act` claim is persisted on the session user and can be read back later via `get_user()`:
89
+
90
+
```python
91
+
result =await auth0.login_with_custom_token_exchange(
> **NOTE**: When an `actor_token` is present, Auth0 does not issue a refresh token (the `offline_access` scope is dropped). A subsequent refresh-token grant therefore cannot re-emit the `act` claim, so the acting party is fixed at exchange time.
107
+
82
108
## 4. Custom Authorization Parameters
83
109
84
110
Pass additional parameters to the token endpoint.
@@ -133,6 +159,7 @@ except CustomTokenExchangeError as e:
133
159
134
160
-`INVALID_TOKEN_FORMAT`: Token is empty, whitespace-only, or has "Bearer " prefix
135
161
-`MISSING_ACTOR_TOKEN_TYPE`: `actor_token` provided without `actor_token_type`
162
+
-`MISSING_ACTOR_TOKEN`: `actor_token_type` provided without `actor_token`
136
163
-`TOKEN_EXCHANGE_FAILED`: General token exchange failure
137
164
-`INVALID_RESPONSE`: Auth0 returned a non-JSON response
0 commit comments