Org support for custom token exchange (#1035)

NandanPrabhu · web-flow · commit 1304fe93484f · 2025-12-10T16:26:49.000Z
Organization support for custom token exchange
diff --git a/Auth0/Auth0Authentication.swift b/Auth0/Auth0Authentication.swift
@@ -162,7 +162,11 @@ struct Auth0Authentication: Authentication {
                        telemetry: self.telemetry)
     }
 
-    func login(appleAuthorizationCode authorizationCode: String, fullName: PersonNameComponents?, profile: [String: Any]?, audience: String?, scope: String) -> Request<Credentials, AuthenticationError> {
+    func login(appleAuthorizationCode authorizationCode: String,
+               fullName: PersonNameComponents?,
+               profile: [String: Any]?,
+               audience: String?,
+               scope: String) -> Request<Credentials, AuthenticationError> {
         var parameters: [String: Any] = [:]
         var profile: [String: Any] = profile ?? [:]
 
@@ -185,7 +189,10 @@ struct Auth0Authentication: Authentication {
                                   parameters: parameters)
     }
 
-    func login(facebookSessionAccessToken sessionAccessToken: String, profile: [String: Any], audience: String?, scope: String) -> Request<Credentials, AuthenticationError> {
+    func login(facebookSessionAccessToken sessionAccessToken: String,
+               profile: [String: Any],
+               audience: String?,
+               scope: String) -> Request<Credentials, AuthenticationError> {
         var parameters: [String: String] = [:]
         if let jsonData = try? JSONSerialization.data(withJSONObject: profile, options: []),
             let json = String(data: jsonData, encoding: .utf8) {
@@ -499,11 +506,16 @@ struct Auth0Authentication: Authentication {
                        telemetry: self.telemetry)
     }
 
-    func customTokenExchange(subjectToken: String, subjectTokenType: String, audience: String?, scope: String) -> Request<Credentials, AuthenticationError> {
+    func customTokenExchange(subjectToken: String,
+                             subjectTokenType: String,
+                             audience: String?,
+                             scope: String,
+                             organization: String?) -> Request<Credentials, AuthenticationError> {
         return self.tokenExchange(subjectToken: subjectToken,
                                   subjectTokenType: subjectTokenType,
                                   scope: scope,
-                                  audience: audience)
+                                  audience: audience,
+                                  organization: organization)
     }
 
 }
@@ -535,14 +547,20 @@ private extension Auth0Authentication {
                        dpop: self.dpop)
     }
 
-    func tokenExchange(subjectToken: String, subjectTokenType: String, scope: String, audience: String?, parameters: [String: Any] = [:]) -> Request<Credentials, AuthenticationError> {
+    func tokenExchange(subjectToken: String,
+                       subjectTokenType: String,
+                       scope: String,
+                       audience: String?,
+                       organization: String? = nil,
+                       parameters: [String: Any] = [:]) -> Request<Credentials, AuthenticationError> {
         var parameters: [String: Any] = parameters
         parameters["client_id"] = self.clientId
         parameters["grant_type"] = "urn:ietf:params:oauth:grant-type:token-exchange"
         parameters["subject_token"] = subjectToken
         parameters["subject_token_type"] = subjectTokenType
         parameters["audience"] = audience
         parameters["scope"] = includeRequiredScope(in: scope)
+        parameters["organization"] = organization
 
         let token = URL(string: "oauth/token", relativeTo: self.url)!
         return Request(session: session,
diff --git a/Auth0/Authentication.swift b/Auth0/Authentication.swift
@@ -341,7 +341,11 @@ public protocol Authentication: SenderConstraining, Trackable, Loggable {
 
      - [Authentication API Endpoint](https://auth0.com/docs/api/authentication/token-exchange-for-native-social/token-exchange-native-social)
      */
-    func login(appleAuthorizationCode authorizationCode: String, fullName: PersonNameComponents?, profile: [String: Any]?, audience: String?, scope: String) -> Request<Credentials, AuthenticationError>
+    func login(appleAuthorizationCode authorizationCode: String,
+               fullName: PersonNameComponents?,
+               profile: [String: Any]?,
+               audience: String?,
+               scope: String) -> Request<Credentials, AuthenticationError>
 
     /**
      Logs a user in with their Facebook [session info access token](https://developers.facebook.com/docs/facebook-login/access-tokens/session-info-access-token/) and profile data.
@@ -386,7 +390,10 @@ public protocol Authentication: SenderConstraining, Trackable, Loggable {
 
      - [Authentication API Endpoint](https://auth0.com/docs/api/authentication/token-exchange-for-native-social/token-exchange-native-social)
      */
-    func login(facebookSessionAccessToken sessionAccessToken: String, profile: [String: Any], audience: String?, scope: String) -> Request<Credentials, AuthenticationError>
+    func login(facebookSessionAccessToken sessionAccessToken: String,
+               profile: [String: Any],
+               audience: String?,
+               scope: String) -> Request<Credentials, AuthenticationError>
 
     /**
      Logs a user in using a username and password in the default directory.
@@ -1113,7 +1120,7 @@ public protocol Authentication: SenderConstraining, Trackable, Loggable {
          }
      ```
 
-     You can also include additional parameters:
+     You can also include organization parameter:
 
      ```swift
      Auth0
@@ -1122,7 +1129,7 @@ public protocol Authentication: SenderConstraining, Trackable, Loggable {
                               subjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
                               audience: "https://example.com/api",
                               scope: "openid profile email",
-                              additionalParameters: ["custom_claim": "value"])
+                              organization: "org_id")
          .start { print($0) }
      ```
 
@@ -1131,17 +1138,20 @@ public protocol Authentication: SenderConstraining, Trackable, Loggable {
        - subjectTokenType: URI that identifies the type of the subject token.
        - audience: API Identifier that your application is requesting access to. Defaults to `nil`.
        - scope: Space-separated list of requested scope values. Defaults to `openid profile email`.
-       - additionalParameters: Additional parameters to include in the token exchange request. Defaults to empty dictionary.
+       - organization: Identifier of an organization the user is a member of.
      - Returns: A request that will yield Auth0 user's credentials.
-
+  
      ## See Also
 
      - [Authentication API Endpoint](https://auth0.com/docs/api/authentication/token-exchange)
      - [Custom Token Exchange Documentation](https://auth0.com/docs/authenticate/custom-token-exchange)
      - [RFC 8693: OAuth 2.0 Token Exchange](https://tools.ietf.org/html/rfc8693)
      */
-    func customTokenExchange(subjectToken: String, subjectTokenType: String, audience: String?, scope: String) -> Request<Credentials, AuthenticationError>
-
+    func customTokenExchange(subjectToken: String,
+                             subjectTokenType: String,
+                             audience: String?,
+                             scope: String,
+                             organization: String?) -> Request<Credentials, AuthenticationError>
 }
 
 public extension Authentication {
@@ -1166,12 +1176,26 @@ public extension Authentication {
         return self.multifactorChallenge(mfaToken: mfaToken, types: types, authenticatorId: authenticatorId)
     }
 
-    func login(appleAuthorizationCode authorizationCode: String, fullName: PersonNameComponents? = nil, profile: [String: Any]? = nil, audience: String? = nil, scope: String = defaultScope) -> Request<Credentials, AuthenticationError> {
-        return self.login(appleAuthorizationCode: authorizationCode, fullName: fullName, profile: profile, audience: audience, scope: scope)
+    func login(appleAuthorizationCode authorizationCode: String,
+               fullName: PersonNameComponents? = nil,
+               profile: [String: Any]? = nil,
+               audience: String? = nil,
+               scope: String = defaultScope) -> Request<Credentials, AuthenticationError> {
+        return self.login(appleAuthorizationCode: authorizationCode,
+                          fullName: fullName,
+                          profile: profile,
+                          audience: audience,
+                          scope: scope)
     }
 
-    func login(facebookSessionAccessToken sessionAccessToken: String, profile: [String: Any], audience: String? = nil, scope: String = defaultScope) -> Request<Credentials, AuthenticationError> {
-        return self.login(facebookSessionAccessToken: sessionAccessToken, profile: profile, audience: audience, scope: scope)
+    func login(facebookSessionAccessToken sessionAccessToken: String,
+               profile: [String: Any],
+               audience: String? = nil,
+               scope: String = defaultScope) -> Request<Credentials, AuthenticationError> {
+        return self.login(facebookSessionAccessToken: sessionAccessToken,
+                          profile: profile,
+                          audience: audience,
+                          scope: scope)
     }
 
     func loginDefaultDirectory(withUsername username: String, password: String, audience: String? = nil, scope: String = defaultScope) -> Request<Credentials, AuthenticationError> {
@@ -1251,8 +1275,16 @@ public extension Authentication {
         return self.renew(withRefreshToken: refreshToken, audience: audience, scope: scope)
     }
 
-    func customTokenExchange(subjectToken: String, subjectTokenType: String, audience: String? = nil, scope: String = defaultScope) -> Request<Credentials, AuthenticationError> {
-        return self.customTokenExchange(subjectToken: subjectToken, subjectTokenType: subjectTokenType, audience: audience, scope: scope)
+    func customTokenExchange(subjectToken: String,
+                             subjectTokenType: String,
+                             audience: String? = nil,
+                             scope: String = defaultScope,
+                             organization: String? = nil) -> Request<Credentials, AuthenticationError> {
+        return self.customTokenExchange(subjectToken: subjectToken,
+                                        subjectTokenType: subjectTokenType,
+                                        audience: audience,
+                                        scope: scope,
+                                        organization: organization)
     }
 
 }
diff --git a/Auth0/MyAccount/AuthenticationMethods/MyAccountAuthenticationMethods.swift b/Auth0/MyAccount/AuthenticationMethods/MyAccountAuthenticationMethods.swift
@@ -217,7 +217,7 @@ public protocol MyAccountAuthenticationMethods: MyAccountClient {
     ///
     /// - Returns: A request that will yield a totp enrollment challenge
     func enrollTOTP() -> Request<TOTPEnrollmentChallenge, MyAccountError>
-    
+
     /// Enrolls a new ToTP authentication method. This is the last part of the enrollment flow.
     ///
     /// ## Availability
diff --git a/Auth0Tests/AuthenticationSpec.swift b/Auth0Tests/AuthenticationSpec.swift
@@ -1928,6 +1928,7 @@ class AuthenticationSpec: QuickSpec {
         describe("customTokenExchange") {
             let subjectToken = "example-token"
             let subjectTokenType = "urn:ietf:params:oauth:token-type:jwt"
+            let orgId = "org_id"
             
             it("should exchange custom token for credentials") {
                 NetworkStub.addStub(condition: {
@@ -1974,6 +1975,29 @@ class AuthenticationSpec: QuickSpec {
                 }
             }
             
+            it("should exchange custom token with organization") {
+                NetworkStub.addStub(condition: {
+                    $0.isToken(Domain) && $0.hasAllOf([
+                        "grant_type": TokenExchangeGrantType,
+                        "subject_token": subjectToken,
+                        "subject_token_type": subjectTokenType,
+                        "scope": defaultScope,
+                        "organization": orgId,
+                        "client_id": ClientId
+                    ])
+                }, response: authResponse(accessToken: AccessToken, idToken: IdToken))
+                
+                waitUntil(timeout: Timeout) { done in
+                    auth.customTokenExchange(subjectToken: subjectToken,
+                                             subjectTokenType: subjectTokenType,
+                                             organization: orgId)
+                        .start { result in
+                            expect(result).to(haveCredentials(AccessToken, IdToken))
+                            done()
+                        }
+                }
+            }
+            
             it("should produce authentication error") {
                 let code = "invalid_grant"
                 let description = "Invalid subject token"
diff --git a/EXAMPLES.md b/EXAMPLES.md
@@ -3215,9 +3215,10 @@ Auth0
 Auth0
     .authentication()
     .customTokenExchange(subjectToken: "existing-token",
-                        subjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
-                        audience: "https://example.com/api",
-                        scope: "openid profile email")
+                         subjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
+                         audience: "https://example.com/api",
+                         scope: "openid profile email",
+                         organization: "org_id)
     .start { result in
         switch result {
         case .success(let credentials):
@@ -3235,9 +3236,10 @@ do {
     let credentials = try await Auth0
         .authentication()
         .customTokenExchange(subjectToken: "existing-token",
-                        subjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
-                        audience: "https://example.com/api",
-                        scope: "openid profile email")
+                            subjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
+                            audience: "https://example.com/api",
+                            scope: "openid profile email",
+                            organization: "org_id")
         .start()
     print("Obtained credentials: \(credentials)")
 } catch {
@@ -3253,9 +3255,10 @@ do {
 Auth0
     .authentication()
      .customTokenExchange(subjectToken: "existing-token",
-                        subjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
-                        audience: "https://example.com/api",
-                        scope: "openid profile email")
+                          subjectTokenType: "urn:ietf:params:oauth:token-type:jwt",
+                          audience: "https://example.com/api",
+                          scope: "openid profile email",
+                          organization: "org_id")
     .start()
     .sink(receiveCompletion: { completion in
         if case .failure(let error) = completion {
