2 changes: 1 addition & 1 deletion package-lock.json


2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -36,7 +36,7 @@
"auth0": "^4.36.0",
"dot-prop": "^5.3.0",
"fs-extra": "^10.1.0",
"js-yaml": "^4.1.0",
"js-yaml": "^4.1.1",
"lodash": "^4.17.21",
"mkdirp": "^1.0.4",
"nconf": "^0.13.0",
33 changes: 25 additions & 8 deletions src/tools/auth0/handlers/clients.ts
Expand Up @@ -112,29 +112,46 @@ export const schema = {
properties: {
can_create_session_transfer_token: {
type: 'boolean',
description:
"Indicates whether an app can issue a Session Transfer Token through Token Exchange. If set to 'false', the app will not be able to issue a Session Transfer Token. Usually configured in the native application.",
default: false,
},
enforce_cascade_revocation: {
type: 'boolean',
description:
'Specifies whether the application (Native app) can use the Token Exchange endpoint to create a session_transfer_token.',
'Indicates whether revoking the parent Refresh Token that initiated a Native to Web flow and was used to issue a Session Transfer Token should trigger a cascade revocation affecting its dependent child entities. Usually configured in the native application.',
default: true,
},
allowed_authentication_methods: {
type: 'array',
type: ['array', 'null'],
description:
'Indicates whether an app can create a session from a Session Transfer Token received via indicated methods. Can include `cookie` and/or `query`. Usually configured in the web application.',
items: {
type: 'string',
enum: ['cookie', 'query'],
},
default: [],
description:
'Determines the methods allowed for a web application to create a session using a session_transfer_token.',
},
enforce_device_binding: {
type: 'string',
enum: ['none', 'ip', 'asn'],
description:
"Indicates whether device binding security should be enforced for the app. If set to 'ip', the app will enforce device binding by IP, meaning that consumption of Session Transfer Token must be done from the same IP of the issuer. Likewise, if set to 'asn', device binding is enforced by ASN, meaning consumption of Session Transfer Token must be done from the same ASN as the issuer. If set to 'null', device binding is not enforced. Usually configured in the web application.",
enum: ['ip', 'asn', 'none'],
default: 'ip',
},
allow_refresh_token: {
type: 'boolean',
description:
'Indicates whether Refresh Tokens are allowed to be issued when authenticating with a Session Transfer Token. Usually configured in the web application.',
default: false,
},
enforce_online_refresh_tokens: {
type: 'boolean',
description:
'Configures the level of device binding enforced when a session_transfer_token is consumed.',
"Indicates whether Refresh Tokens created during a native-to-web session are tied to that session's lifetime. This determines if such refresh tokens should be automatically revoked when their corresponding sessions are. Usually configured in the web application.",
default: true,
},
},
additionalProperties: false,
additionalProperties: true,
},
app_type: {
type: 'string',
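Review bot: The enforce_device_binding description says device binding is not enforced `If set to 'null'`, but the property is declared `type: 'string'` with an enum of `'none'`, `'ip'`, `'asn'` (in either ordering shown in the hunk), so `null` is a value the validator rejects and an operator following the text would write a config that fails validation; the sentence should read `If set to 'none', device binding is not enforced.` The session_transfer object also appears to move from `additionalProperties: false` to `additionalProperties: true` (which of the two lines is new is inferred from print order); with `true`, a misspelled key such as a typo of `allow_refresh_token` passes validation and the intended setting is silently not applied, so either keep `false` or add a comment stating why unknown keys must be accepted, e.g. `// additionalProperties: true — accept fields the API may add before this schema is updated`. The enclosing `schema` object starts and ends outside the hunk.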
11 changes: 10 additions & 1 deletion test/context/directory/clients.test.js
Expand Up @@ -17,7 +17,7 @@ describe('#directory context clients', () => {
'someClient2.json': '{ "app_type": "@@appType@@", "name": "someClient2" }',
'customLoginClient.json':
'{ "app_type": "@@appType@@", "name": "customLoginClient", "custom_login_page": "./customLoginClient_custom_login_page.html", ' +
'"session_transfer": { "can_create_session_transfer_token": true,"enforce_device_binding": "ip", "allowed_authentication_methods" : "@@allowedMethods@@"} }',
'"session_transfer": { "can_create_session_transfer_token": true, "enforce_cascade_revocation": true, "enforce_device_binding": "ip", "allowed_authentication_methods" : "@@allowedMethods@@", "allow_refresh_token": true, "enforce_online_refresh_tokens": true} }',
'customLoginClient_custom_login_page.html': 'html code ##appType## @@appType@@',
},
};
Expand All @@ -39,8 +39,11 @@ describe('#directory context clients', () => {
custom_login_page: 'html code spa "spa"',
session_transfer: {
can_create_session_transfer_token: true,
enforce_cascade_revocation: true,
enforce_device_binding: 'ip',
allowed_authentication_methods: ['cookie', 'query'],
allow_refresh_token: true,
enforce_online_refresh_tokens: true,
},
},
{ app_type: 'spa', name: 'someClient' },
Expand Down Expand Up @@ -101,8 +104,11 @@ describe('#directory context clients', () => {
custom_login_page: 'html code',
session_transfer: {
can_create_session_transfer_token: false,
enforce_cascade_revocation: false,
enforce_device_binding: 'asn',
allowed_authentication_methods: ['cookie'],
allow_refresh_token: false,
enforce_online_refresh_tokens: false,
},
},
];
Expand All @@ -113,8 +119,11 @@ describe('#directory context clients', () => {
custom_login_page: './customLoginClient_custom_login_page.html',
session_transfer: {
can_create_session_transfer_token: false,
enforce_cascade_revocation: false,
enforce_device_binding: 'asn',
allowed_authentication_methods: ['cookie'],
allow_refresh_token: false,
enforce_online_refresh_tokens: false,
},
};

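Review bot: Every fixture in this section (and in test/context/yaml/clients.test.js and test/tools/auth0/handlers/clients.tests.js) sets all six session_transfer keys explicitly, so, as far as the visible hunks show, nothing exercises a client that omits the new keys or sets `allowed_authentication_methods` to `null`, which is the case the schema change in src/tools/auth0/handlers/clients.ts (`type: ['array', 'null']` plus per-field defaults) introduces. A fixture such as `session_transfer: { can_create_session_transfer_token: true, allowed_authentication_methods: null }` with a matching expectation would pin that the loader and handler accept the nullable form and handle the omitted keys as the schema intends rather than failing validation. The describe blocks these hunks belong to start and end outside the hunks.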
14 changes: 13 additions & 1 deletion test/context/yaml/clients.test.js
Expand Up @@ -25,8 +25,11 @@ describe('#YAML context clients', () => {
custom_login_page: "./customLoginClient_custom_login_page.html"
session_transfer: {
can_create_session_transfer_token: false,
enforce_cascade_revocation: false,
enforce_device_binding: 'none',
allowed_authentication_methods: ['query']
allowed_authentication_methods: ['query'],
allow_refresh_token: false,
enforce_online_refresh_tokens: false
}
`;

Expand All @@ -39,8 +42,11 @@ describe('#YAML context clients', () => {
custom_login_page: 'html code spa "spa"',
session_transfer: {
can_create_session_transfer_token: false,
enforce_cascade_revocation: false,
enforce_device_binding: 'none',
allowed_authentication_methods: ['query'],
allow_refresh_token: false,
enforce_online_refresh_tokens: false,
},
},
];
Expand Down Expand Up @@ -80,8 +86,11 @@ describe('#YAML context clients', () => {
custom_login_page: 'html code',
session_transfer: {
can_create_session_transfer_token: false,
enforce_cascade_revocation: false,
enforce_device_binding: 'none',
allowed_authentication_methods: ['cookie', 'query'],
allow_refresh_token: false,
enforce_online_refresh_tokens: false,
},
},
];
Expand All @@ -94,8 +103,11 @@ describe('#YAML context clients', () => {
custom_login_page: './customLoginClient_custom_login_page.html',
session_transfer: {
can_create_session_transfer_token: false,
enforce_cascade_revocation: false,
enforce_device_binding: 'none',
allowed_authentication_methods: ['cookie', 'query'],
allow_refresh_token: false,
enforce_online_refresh_tokens: false,
},
},
];
12 changes: 12 additions & 0 deletions test/tools/auth0/handlers/clients.tests.js
Expand Up @@ -29,8 +29,11 @@ const someNativeClient = {
},
session_transfer: {
can_create_session_transfer_token: true,
enforce_cascade_revocation: true,
enforce_device_binding: 'ip',
allowed_authentication_methods: ['cookie', 'query'],
allow_refresh_token: true,
enforce_online_refresh_tokens: true,
},
};

Expand Down Expand Up @@ -126,8 +129,11 @@ describe('#clients handler', () => {
});
expect(data.session_transfer).to.deep.equal({
can_create_session_transfer_token: true,
enforce_cascade_revocation: true,
enforce_device_binding: 'ip',
allowed_authentication_methods: ['cookie', 'query'],
allow_refresh_token: true,
enforce_online_refresh_tokens: true,
});
return Promise.resolve({ data });
},
Expand Down Expand Up @@ -331,8 +337,11 @@ describe('#clients handler', () => {
expect(data.description).to.equal('new description');
expect(data.session_transfer).to.deep.equal({
can_create_session_transfer_token: false,
enforce_cascade_revocation: false,
enforce_device_binding: 'asn',
allowed_authentication_methods: ['query'],
allow_refresh_token: false,
enforce_online_refresh_tokens: false,
});

return Promise.resolve({ data });
Expand Down Expand Up @@ -360,8 +369,11 @@ describe('#clients handler', () => {
description: 'new description',
session_transfer: {
can_create_session_transfer_token: false,
enforce_cascade_revocation: false,
enforce_device_binding: 'asn',
allowed_authentication_methods: ['query'],
allow_refresh_token: false,
enforce_online_refresh_tokens: false,
},
},
],