diff --git a/package-lock.json b/package-lock.json
index eacb60615..d6e812099 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -13,7 +13,7 @@
 "auth0": "^4.36.0",
 "dot-prop": "^5.3.0",
 "fs-extra": "^10.1.0",
- "js-yaml": "^4.1.0",
+ "js-yaml": "^4.1.1",
 "lodash": "^4.17.21",
 "mkdirp": "^1.0.4",
 "nconf": "^0.13.0",
diff --git a/package.json b/package.json
index 5f8c49460..d2ac79f87 100644
--- a/package.json
+++ b/package.json
@@ -36,7 +36,7 @@
 "auth0": "^4.36.0",
 "dot-prop": "^5.3.0",
 "fs-extra": "^10.1.0",
- "js-yaml": "^4.1.0",
+ "js-yaml": "^4.1.1",
 "lodash": "^4.17.21",
 "mkdirp": "^1.0.4",
 "nconf": "^0.13.0",
diff --git a/src/tools/auth0/handlers/clients.ts b/src/tools/auth0/handlers/clients.ts
index 85947c088..2c9c12a87 100644
--- a/src/tools/auth0/handlers/clients.ts
+++ b/src/tools/auth0/handlers/clients.ts
@@ -112,29 +112,46 @@ export const schema = {
 properties: {
 can_create_session_transfer_token: {
 type: 'boolean',
+ description:
+ "Indicates whether an app can issue a Session Transfer Token through Token Exchange. If set to 'false', the app will not be able to issue a Session Transfer Token. Usually configured in the native application.",
 default: false,
+ },
+ enforce_cascade_revocation: {
+ type: 'boolean',
 description:
- 'Specifies whether the application (Native app) can use the Token Exchange endpoint to create a session_transfer_token.',
+ 'Indicates whether revoking the parent Refresh Token that initiated a Native to Web flow and was used to issue a Session Transfer Token should trigger a cascade revocation affecting its dependent child entities. Usually configured in the native application.',
+ default: true,
 },
 allowed_authentication_methods: {
- type: 'array',
+ type: ['array', 'null'],
+ description:
+ 'Indicates whether an app can create a session from a Session Transfer Token received via indicated methods. Can include `cookie` and/or `query`. Usually configured in the web application.',
 items: {
 type: 'string',
 enum: ['cookie', 'query'],
 },
- default: [],
- description:
- 'Determines the methods allowed for a web application to create a session using a session_transfer_token.',
 },
 enforce_device_binding: {
 type: 'string',
- enum: ['none', 'ip', 'asn'],
+ description:
+ "Indicates whether device binding security should be enforced for the app. If set to 'ip', the app will enforce device binding by IP, meaning that consumption of Session Transfer Token must be done from the same IP of the issuer. Likewise, if set to 'asn', device binding is enforced by ASN, meaning consumption of Session Transfer Token must be done from the same ASN as the issuer. If set to 'null', device binding is not enforced. 
Usually configured in the web application.",
+ enum: ['ip', 'asn', 'none'],
 default: 'ip',
+ },
+ allow_refresh_token: {
+ type: 'boolean',
+ description:
+ 'Indicates whether Refresh Tokens are allowed to be issued when authenticating with a Session Transfer Token. Usually configured in the web application.',
+ default: false,
+ },
+ enforce_online_refresh_tokens: {
+ type: 'boolean',
 description:
- 'Configures the level of device binding enforced when a session_transfer_token is consumed.',
+ "Indicates whether Refresh Tokens created during a native-to-web session are tied to that session's lifetime. This determines if such refresh tokens should be automatically revoked when their corresponding sessions are. Usually configured in the web application.",
+ default: true,
 },
 },
- additionalProperties: false,
+ additionalProperties: true,
 },
 app_type: {
 type: 'string',
diff --git a/test/context/directory/clients.test.js b/test/context/directory/clients.test.js
index 155383d05..c34dd914f 100644
--- a/test/context/directory/clients.test.js
+++ b/test/context/directory/clients.test.js
@@ -17,7 +17,7 @@ describe('#directory context clients', () => {
 'someClient2.json': '{ "app_type": "@@appType@@", "name": "someClient2" }',
 'customLoginClient.json': '{ "app_type": "@@appType@@", "name": "customLoginClient", "custom_login_page": "./customLoginClient_custom_login_page.html", ' +
- '"session_transfer": { "can_create_session_transfer_token": true,"enforce_device_binding": "ip", "allowed_authentication_methods" : "@@allowedMethods@@"} }',
+ '"session_transfer": { "can_create_session_transfer_token": true, "enforce_cascade_revocation": true, "enforce_device_binding": "ip", "allowed_authentication_methods" : "@@allowedMethods@@", "allow_refresh_token": true, "enforce_online_refresh_tokens": true} }',
 'customLoginClient_custom_login_page.html': 'html code ##appType## @@appType@@',
 },
 };
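Review bot: The new `enforce_device_binding` description ends with `If set to 'null', device binding is not enforced`, but the `enum` on the following line is `['ip', 'asn', 'none']` and `type` is still `'string'`, so a user who follows the description gets a validation error while `'none'` is the value that actually disables binding; either change that sentence to `If set to 'none', device binding is not enforced.` or, if the Management API really accepts null here, widen `type` to `['string', 'null']` as this hunk already does for `allowed_authentication_methods`. Separately, flipping `additionalProperties` from `false` to `true` on `session_transfer` means a misspelled key (a hypothetical `enforce_device_bindng`, say) now passes schema validation and the intended security setting is silently not applied, which the old value caught at load time; if the loosening is deliberate so that newer API fields pass through, record that in a comment such as `// additionalProperties: true so session_transfer settings not yet in this schema still validate`. The `schema` object this hunk edits starts and ends outside the hunk.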
@@ -39,8 +39,11 @@ describe('#directory context clients', () => {
 custom_login_page: 'html code spa "spa"',
 session_transfer: {
 can_create_session_transfer_token: true,
+ enforce_cascade_revocation: true,
 enforce_device_binding: 'ip',
 allowed_authentication_methods: ['cookie', 'query'],
+ allow_refresh_token: true,
+ enforce_online_refresh_tokens: true,
 },
 },
 { app_type: 'spa', name: 'someClient' },
@@ -101,8 +104,11 @@ describe('#directory context clients', () => {
 custom_login_page: 'html code',
 session_transfer: {
 can_create_session_transfer_token: false,
+ enforce_cascade_revocation: false,
 enforce_device_binding: 'asn',
 allowed_authentication_methods: ['cookie'],
+ allow_refresh_token: false,
+ enforce_online_refresh_tokens: false,
 },
 },
 ];
@@ -113,8 +119,11 @@ describe('#directory context clients', () => {
 custom_login_page: './customLoginClient_custom_login_page.html',
 session_transfer: {
 can_create_session_transfer_token: false,
+ enforce_cascade_revocation: false,
 enforce_device_binding: 'asn',
 allowed_authentication_methods: ['cookie'],
+ allow_refresh_token: false,
+ enforce_online_refresh_tokens: false,
 },
 };
diff --git a/test/context/yaml/clients.test.js b/test/context/yaml/clients.test.js
index 19033be6a..0c5af4492 100644
--- a/test/context/yaml/clients.test.js
+++ b/test/context/yaml/clients.test.js
@@ -25,8 +25,11 @@ describe('#YAML context clients', () => {
 custom_login_page: "./customLoginClient_custom_login_page.html"
 session_transfer: {
 can_create_session_transfer_token: false,
+ enforce_cascade_revocation: false,
 enforce_device_binding: 'none',
- allowed_authentication_methods: ['query']
+ allowed_authentication_methods: ['query'],
+ allow_refresh_token: false,
+ enforce_online_refresh_tokens: false
 }
 `;
@@ -39,8 +42,11 @@ describe('#YAML context clients', () => {
 custom_login_page: 'html code spa "spa"',
 session_transfer: {
 can_create_session_transfer_token: false,
+ enforce_cascade_revocation: false,
 enforce_device_binding: 'none',
 allowed_authentication_methods: ['query'],
+ allow_refresh_token: false,
+ enforce_online_refresh_tokens: false,
 },
 },
 ];
@@ -80,8 +86,11 @@ describe('#YAML context clients', () => {
 custom_login_page: 'html code',
 session_transfer: {
 can_create_session_transfer_token: false,
+ enforce_cascade_revocation: false,
 enforce_device_binding: 'none',
 allowed_authentication_methods: ['cookie', 'query'],
+ allow_refresh_token: false,
+ enforce_online_refresh_tokens: false,
 },
 },
 ];
@@ -94,8 +103,11 @@ describe('#YAML context clients', () => {
 custom_login_page: './customLoginClient_custom_login_page.html',
 session_transfer: {
 can_create_session_transfer_token: false,
+ enforce_cascade_revocation: false,
 enforce_device_binding: 'none',
 allowed_authentication_methods: ['cookie', 'query'],
+ allow_refresh_token: false,
+ enforce_online_refresh_tokens: false,
 },
 },
 ];
diff --git a/test/tools/auth0/handlers/clients.tests.js b/test/tools/auth0/handlers/clients.tests.js
index e30ae7fc6..bc53c00a1 100644
--- a/test/tools/auth0/handlers/clients.tests.js
+++ b/test/tools/auth0/handlers/clients.tests.js
@@ -29,8 +29,11 @@ const someNativeClient = {
 },
 session_transfer: {
 can_create_session_transfer_token: true,
+ enforce_cascade_revocation: true,
 enforce_device_binding: 'ip',
 allowed_authentication_methods: ['cookie', 'query'],
+ allow_refresh_token: true,
+ enforce_online_refresh_tokens: true,
 },
 };
@@ -126,8 +129,11 @@ describe('#clients handler', () => {
 });
 expect(data.session_transfer).to.deep.equal({
 can_create_session_transfer_token: true,
+ enforce_cascade_revocation: true,
 enforce_device_binding: 'ip',
 allowed_authentication_methods: ['cookie', 'query'],
+ allow_refresh_token: true,
+ enforce_online_refresh_tokens: true,
 });
 return Promise.resolve({ data });
 },
@@ -331,8 +337,11 @@ describe('#clients handler', () => {
 expect(data.description).to.equal('new description');
 expect(data.session_transfer).to.deep.equal({
 can_create_session_transfer_token: false,
+ enforce_cascade_revocation: false,
 enforce_device_binding: 'asn',
 allowed_authentication_methods: ['query'],
+ allow_refresh_token: false,
+ enforce_online_refresh_tokens: false,
 });
 return Promise.resolve({ data });
@@ -360,8 +369,11 @@ describe('#clients handler', () => {
 description: 'new description',
 session_transfer: {
 can_create_session_transfer_token: false,
+ enforce_cascade_revocation: false,
 enforce_device_binding: 'asn',
 allowed_authentication_methods: ['query'],
+ allow_refresh_token: false,
+ enforce_online_refresh_tokens: false,
 },
 },
 ],