feat: support for custom token exchange (#1232)

* Add token exchange profiles support and update dependencies

* update e2e test recording

* Update auth0 package resolution URL in package-lock.json

* Update examples and update ACTIONS_TRIGGERS

Author: ramya18101

examples/directory/README.md

@@ -40,6 +40,9 @@ repository =>
   resource-servers
     resource_server1.json
     resource_server2.json
+  token-exchange-profiles
+    profile1.json
+    profile2.json
   guardian
     factors
       sms.json

examples/directory/clients/My SPA.json

@@ -36,5 +36,10 @@
 	"token_endpoint_auth_method": "none",
 	"web_origins": [
 		"https://##ENV##.myapp.com"
-	]
+	],
+	 "token_exchange": {
+		"allow_any_profile_of_type": [
+			"custom_authentication"
+		]
+  	}
 }

examples/directory/token-exchange-profiles/Custom Authentication Profile.json

@@ -0,0 +1,6 @@
+{
+  "name": "Custom Authentication Profile",
+  "type": "custom_authentication",
+  "subject_token_type": "urn:ietf:params:oauth:token-type:custom",
+  "action": "custom-token-exchange-action"
+}

examples/yaml/tenant.yaml

@@ -42,6 +42,17 @@ clients:
     name: "My Resource Server Client"
     app_type: "resource_server"
     resource_server_identifier: "https://##ENV##.myapp.com/api/v1"
+  -
+    name: "My Token Exchange App"
+    app_type: "regular_web"
+    grant_types:
+      - "authorization_code"
+      - "refresh_token"
+      - "client_credentials"
+      - "urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token"
+    token_exchange:
+      allow_any_profile_of_type:
+        - "custom_authentication"
 
 databases:
   - name: "users"
@@ -99,6 +110,12 @@ resourceServers:
     # client_id: "if linked to a resource server client (readonly)"
     # Add other resource server settings (https://auth0.com/docs/api/management/v2#!/Resource_Servers/post_resource_servers)
 
+tokenExchangeProfiles:
+  - name: "Custom Authentication Profile"
+    type: "custom_authentication"
+    subject_token_type: "urn:ietf:params:oauth:token-type:custom"
+    action: "custom-token-exchange-action"
+
 phoneProviders:
   - name: twilio
     configuration:

package-lock.json

@@ -33,7 +33,7 @@
   "homepage": "https://github.com/auth0/auth0-deploy-cli#readme",
   "dependencies": {
     "ajv": "^6.12.6",
-    "auth0": "^5.1.0",
+    "auth0": "^5.2.0",
     "dot-prop": "^5.3.0",
     "fs-extra": "^10.1.0",
     "js-yaml": "^4.1.1",

package.json

@@ -33,6 +33,7 @@ import flows from './flows';
 import flowVaultConnections from './flowVaultConnections';
 import networkACLs from './networkACLs';
 import userAttributeProfiles from './userAttributeProfiles';
+import tokenExchangeProfiles from './tokenExchangeProfiles';
 
 import DirectoryContext from '..';
 import { AssetTypes, Asset } from '../../../types';
@@ -82,6 +83,7 @@ const directoryHandlers: {
   selfServiceProfiles,
   networkACLs,
   userAttributeProfiles,
+  tokenExchangeProfiles,
 };
 
 export default directoryHandlers;

src/context/directory/handlers/index.ts

@@ -0,0 +1,51 @@
+import path from 'path';
+import fs from 'fs-extra';
+import { constants } from '../../../tools';
+import log from '../../../logger';
+import { getFiles, existsMustBeDir, dumpJSON, loadJSON, sanitize } from '../../../utils';
+import { DirectoryHandler } from '.';
+import DirectoryContext from '..';
+import { Asset, ParsedAsset } from '../../../types';
+
+type ParsedTokenExchangeProfiles = ParsedAsset<'tokenExchangeProfiles', Asset[]>;
+
+function parse(context: DirectoryContext): ParsedTokenExchangeProfiles {
+  const folder = path.join(context.filePath, constants.TOKEN_EXCHANGE_PROFILES_DIRECTORY);
+  if (!existsMustBeDir(folder)) return { tokenExchangeProfiles: null }; // Skip
+
+  const files = getFiles(folder, ['.json']);
+
+  const profiles = files.map((f) =>
+    loadJSON(f, {
+      mappings: context.mappings,
+      disableKeywordReplacement: context.disableKeywordReplacement,
+    })
+  );
+
+  return {
+    tokenExchangeProfiles: profiles,
+  };
+}
+
+async function dump(context: DirectoryContext) {
+  const { tokenExchangeProfiles } = context.assets;
+
+  if (!tokenExchangeProfiles || !Array.isArray(tokenExchangeProfiles)) return; // Skip
+
+  const folder = path.join(context.filePath, constants.TOKEN_EXCHANGE_PROFILES_DIRECTORY);
+  fs.ensureDirSync(folder);
+
+  tokenExchangeProfiles.forEach((profile) => {
+    const { id, created_at, updated_at, ...profileWithoutMetadata } = profile;
+    const fileName = path.join(folder, sanitize(`${profile.name}.json`));
+    log.info(`Writing ${fileName}`);
+    dumpJSON(fileName, profileWithoutMetadata);
+  });
+}
+
+const handler: DirectoryHandler<ParsedTokenExchangeProfiles> = {
+  parse,
+  dump,
+};
+
+export default handler;

src/context/directory/handlers/tokenExchangeProfiles.ts

@@ -33,6 +33,7 @@ import flows from './flows';
 import flowVaultConnections from './flowVaultConnections';
 import networkACLs from './networkACLs';
 import userAttributeProfiles from './userAttributeProfiles';
+import tokenExchangeProfiles from './tokenExchangeProfiles';
 
 import YAMLContext from '..';
 import { AssetTypes } from '../../../types';
@@ -80,6 +81,7 @@ const yamlHandlers: { [key in AssetTypes]: YAMLHandler<{ [key: string]: unknown
   selfServiceProfiles,
   networkACLs,
   userAttributeProfiles,
+  tokenExchangeProfiles,
 };
 
 export default yamlHandlers;

src/context/yaml/handlers/index.ts

@@ -0,0 +1,36 @@
+import { YAMLHandler } from '.';
+import YAMLContext from '..';
+import { Asset, ParsedAsset } from '../../../types';
+
+type ParsedTokenExchangeProfiles = ParsedAsset<'tokenExchangeProfiles', Asset[]>;
+
+async function parse(context: YAMLContext): Promise<ParsedTokenExchangeProfiles> {
+  const { tokenExchangeProfiles } = context.assets;
+
+  if (!tokenExchangeProfiles) return { tokenExchangeProfiles: null };
+
+  return {
+    tokenExchangeProfiles,
+  };
+}
+
+async function dump(context: YAMLContext): Promise<ParsedTokenExchangeProfiles> {
+  const { tokenExchangeProfiles } = context.assets;
+
+  if (!tokenExchangeProfiles) return { tokenExchangeProfiles: null };
+
+  return {
+    tokenExchangeProfiles: tokenExchangeProfiles.map((profile) => {
+      // Strip server-generated fields
+      const { id, created_at, updated_at, ...cleanProfile } = profile;
+      return cleanProfile;
+    }),
+  };
+}
+
+const handler: YAMLHandler<ParsedTokenExchangeProfiles> = {
+  parse,
+  dump,
+};
+
+export default handler;