Support for On-behalf-of Token Exchange #1504

Merged
bkiran6398 merged 5 commits into main from DXCDT-1604/on_behalf_of
Apr 30, 2026
@bkiran6398 commented Apr 29, 2026

🔧 Changes

Adds CLI support for three new Management API features across apis and apps commands:

APIs (Resource Servers):

  • --enforce-policies flag on auth0 apis create and auth0 apis update — enables authorization policy enforcement for the API.
  • --token-dialect flag on auth0 apis create and auth0 apis update — sets the access token dialect. Accepts access_token, access_token_authz, rfc9068_profile, or rfc9068_profile_authz.

Apps (Clients):

  • --allow-any-profile-of-type (-p) flag on auth0 apps create and auth0 apps update — sets enabled token exchange types on a client. Accepts a comma-separated list (e.g., custom_authentication, on_behalf_of_token_exchange). Passing an empty value on update clears the configuration.

Display output updated to show ENFORCE POLICIES, TOKEN DIALECT, and TOKEN EXCHANGE TYPES fields.

Examples

auth0 apis create --name "MCP Tools API" --identifier "http://localhost:3001/" \
  --signing-alg RS256 --token-dialect rfc9068_profile_authz --enforce-policies \
  --scopes "tool:whoami,tool:greet" --no-input
  
auth0 apis create --name "Protected First Party API" --identifier "http://localhost:8787/" \
  --signing-alg RS256 --enforce-policies --scopes "read:private" --no-input
  
auth0 apps create --name "MCP Server Client" --type resource_server \
  --resource-server-identifier "http://localhost:3001/" \
  --allow-any-profile-of-type custom_authentication --no-input

📚 References

🔬 Testing

  • Unit tests added for excludeEmptyEntries helper (apps_test.go).
  • Integration tests added for all new flags:
    • apis create/update with --enforce-policies and --token-dialect (test cases 024–032).
    • apps create/update/show with --allow-any-profile-of-type (test cases 042–044).
  • Manual verification:
    • Verified creation and update of the new API parameters.

📝 Checklist

  • All new/changed/fixed functionality is covered by tests (or N/A)
  • I have added documentation for all new/changed functionality (or N/A)
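
The flag semantics described above, as an added Go example that is not part of this PR or the auth0-cli code base: the function names are hypothetical, and rejecting exchange types other than the two named in the description is an assumption. It shows the three update cases worth keeping apart (flag absent, flag empty, flag with values) and strict validation of `--token-dialect`.

```go
package main

import (
	"fmt"
	"strings"
)

// Values the PR description lists for --token-dialect.
var tokenDialects = map[string]bool{
	"access_token": true, "access_token_authz": true,
	"rfc9068_profile": true, "rfc9068_profile_authz": true,
}

// Assumption: only the two types named in the PR description are accepted.
var exchangeTypes = map[string]bool{"custom_authentication": true, "on_behalf_of_token_exchange": true}

// validateDialect rejects any value outside the documented set.
func validateDialect(v string) error {
	if !tokenDialects[v] {
		return fmt.Errorf("unsupported token dialect %q", v)
	}
	return nil
}

// parseExchangeTypes (hypothetical): flag absent -> nil (leave setting alone);
// flag present but empty -> empty non-nil slice (clear the setting).
func parseExchangeTypes(raw string, changed bool) ([]string, error) {
	if !changed {
		return nil, nil
	}
	out, seen := []string{}, map[string]bool{}
	for _, part := range strings.Split(raw, ",") {
		p := strings.TrimSpace(part)
		if p == "" || seen[p] {
			continue // skip blanks and duplicates
		}
		if !exchangeTypes[p] {
			return nil, fmt.Errorf("unknown token exchange type %q", p)
		}
		seen[p], out = true, append(out, p)
	}
	return out, nil
}

func main() {
	fmt.Println(parseExchangeTypes("custom_authentication, ,on_behalf_of_token_exchange", true))
	fmt.Println(validateDialect("rfc9068_profile_authz"), validateDialect("jwt"))
}
```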

- Introduced new flags for enforcing authorization policies and specifying token dialects in API commands.
- Added `EnforcePolicies` and `TokenDialect` fields to the `apiView` struct for display purposes.
- Updated `createAPICmd` and `updateAPICmd` functions to handle new inputs for these fields.
- Enhanced command examples to demonstrate usage of the new flags.
- Introduced new test cases for the 'apis create' and 'apis update' commands.
- Validated the behavior of the --enforce-policies flag with true and false values.
- Added checks for the --token-dialect flag with different dialects.
- Ensured that the output contains expected values for both flags.
- Modified test cases to ensure proper handling of the --enforce-policies
  and --token-dialect flags in the apis create command.
- Adjusted command syntax to remove unnecessary scope parameters for clarity.
- Enhanced output validation to check JSON structure instead of plain text.
@bkiran6398 changed the title from "Dxcdt 1604/on behalf of" to "Support for On-behalf-of Token Exchange" Apr 29, 2026
- Added examples for using --enforce-policies and --token-dialect flags in both `auth0 apis create` and `auth0 apis update` commands.
- Clarified the purpose of the --enforce-policies flag, indicating that it enforces authorization policies for the API.
- Updated the documentation to reflect the new options available for token dialects.
… update

- Introduced the `--allow-any-profile-of-type` flag for both `auth0 apps create` and `auth0 apps update` commands.
- This flag accepts a comma-separated list of token exchange types, enhancing flexibility in application configurations.
- Updated the application view to display the allowed token exchange types.
- Added tests to validate the new functionality and ensure proper behavior.
- Updated integration test cases to cover scenarios for creating and updating applications with the new flag.
@bkiran6398 marked this pull request as ready for review April 29, 2026 12:27
@bkiran6398 requested a review from a team as a code owner April 29, 2026 12:27
@bkiran6398 merged commit 48fb3d3 into main Apr 30, 2026
9 of 10 checks passed
@bkiran6398 deleted the DXCDT-1604/on_behalf_of branch April 30, 2026 07:46