Skip to content

feat: Add Custom Token Exhange Support#253

Merged
tanya732 merged 4 commits into
feat/auth-for-ai-agentsfrom
feat/custom-token-exchange-support
Jul 7, 2026
Merged

feat: Add Custom Token Exhange Support#253
tanya732 merged 4 commits into
feat/auth-for-ai-agentsfrom
feat/custom-token-exchange-support

Conversation

@tanya732

@tanya732 tanya732 commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR adds first-class support for Custom Token Exchange (CTE) the OAuth 2.0 Token Exchange grant (urn:ietf:params:oauth:grant-type:token-exchange, RFC 8693). This enables applications to exchange an external subject_token (for example, an M2M or partner-issued token) for Auth0 tokens.

What's Included

New AuthenticationController API

This PR introduces four new entry points:

Method Semantics Domain Source
customTokenExchange(token, type) Utility (no ID token verification) Configured domain
customTokenExchange(token, type, domain) Utility Explicit domain
loginWithCustomTokenExchange(token, type) Login (verifies ID token) Configured domain
loginWithCustomTokenExchange(token, type, domain) Login Explicit domain

Behavior

Login flow (loginWithCustomTokenExchange)

  • Verifies the returned ID token, including:
    • Signature
    • Issuer
    • org_id / org_name (when an organization is configured)
  • Uses the same verification path as the Authorization Code flow.
  • Requires an ID token. If the exchange response does not include one (for example, because the openid scope was not requested), the request fails with MISSING_ID_TOKEN instead of returning an unverified success.

Utility flow (customTokenExchange)

  • Does not verify the ID token, making it suitable for obtaining access tokens for downstream APIs.
  • Still validates organization claims when an organization is configured.

Domain resolution

The overloads that do not take an explicit domain throw IllegalStateException when the controller is configured with a DomainResolver.

Since a DomainResolver requires an HTTP request and Custom Token Exchange may execute outside an HTTP request context, callers must use the explicit-domain overload in this configuration.

Client-side validation

Introduced CustomTokenExchangeException to validate inputs before making the request.

Validation includes:

  • Rejecting empty subject tokens.
  • Rejecting Bearer-prefixed subject tokens.
  • Rejecting non-absolute URI token types.

Implementation

RequestProcessor.executeCustomTokenExchange(...) delegates to AuthAPI.exchangeToken(...), which is responsible for:

  • Configuring the Token Exchange grant type.
  • Performing client authentication (client secret or client assertion).

Files Changed

  • AuthenticationController.java
    • Added the four public CTE entry points.
  • TokenExchangeRequest.java (new)
    • Fluent request builder and client-side validation.
  • CustomTokenExchangeException.java (new)
    • Validation exception (INVALID_TOKEN_FORMAT, INVALID_TOKEN_TYPE_URI).
  • RequestProcessor.java
    • Added buildTokenExchangeRequest(...) and executeCustomTokenExchange(...).
  • build.gradle
    • Updated com.auth0:auth0 from 3.5.1 to 3.10.0.

Test Plan

  • AuthenticationControllerTest
    • CTE overloads
    • Login vs. utility flows
    • Explicit vs. configured domain
  • RequestProcessorTest
    • Request construction
    • DomainResolver guard
    • Verification and MISSING_ID_TOKEN behavior
  • TokenExchangeRequestTest
    • Client-side validation

@tanya732 tanya732 marked this pull request as ready for review July 7, 2026 08:09
@tanya732 tanya732 requested a review from a team as a code owner July 7, 2026 08:09
@tanya732

tanya732 commented Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

@copilot

Copilot AI commented Jul 7, 2026

Copy link
Copy Markdown

@copilot

It looks like your comment only contains a mention with no specific request. The current implementation is in place and all tests are passing locally. Could you clarify what you'd like me to do? For example:

  • Is there a specific feature, fix, or improvement you'd like?
  • Are you seeing a CI failure or test failure you'd like me to investigate?
  • Is there something about the existing implementation you'd like changed?

@tanya732 tanya732 merged commit 38b46b0 into feat/auth-for-ai-agents Jul 7, 2026
1 check passed
@tanya732 tanya732 deleted the feat/custom-token-exchange-support branch July 7, 2026 11:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants