Remove use_mrrt flag and have mrrt used by default

Author: sam-muncke

examples/ConnectedAccounts.md

@@ -12,15 +12,14 @@ This is particularly useful for applications that require access to different re
 
 The SDK must be configured with an audience (an API Identifier) - this will be the resource server that uses the tokens from the Token Vault.
 
-The SDK must also be configured to use refresh tokens and MRRT (Multiple Resource Refresh Tokens) since we will use the refresh token grant to get Access Tokens for the My Account API in addition to the API we are calling.
+The Auth0 client Application must be configured to use refresh tokens and MRRT (Multiple Resource Refresh Tokens) since we will use the refresh token grant to get Access Tokens for the My Account API in addition to the API we are calling.
 
 ```python
 server_client = ServerClient(
     domain="YOUR_AUTH0_DOMAIN",
     client_id="YOUR_CLIENT_ID",
     client_secret="YOUR_CLIENT_SECRET",
     secret="YOUR_SECRET",
-    use_mrrt=True,
     authorization_params={
         "redirect_uri":"YOUR_CALLBACK_URL",
     }

src/auth0_server_python/auth_server/server_client.py

@@ -31,7 +31,6 @@
     AccessTokenForConnectionError,
     AccessTokenForConnectionErrorCode,
     ApiError,
-    Auth0Error,
     BackchannelLogoutError,
     MissingRequiredArgumentError,
     MissingTransactionError,
@@ -68,7 +67,6 @@ def __init__(
         state_identifier: str = "_a0_session",
         authorization_params: Optional[dict[str, Any]] = None,
         pushed_authorization_requests: bool = False,
-        use_mrrt: bool = False,
     ):
         """
         Initialize the Auth0 server client.
@@ -85,7 +83,6 @@ def __init__(
             state_identifier: Identifier for state data
             authorization_params: Default parameters for authorization requests
             pushed_authorization_requests: Whether to use PAR for authorization requests
-            use_mrrt: Whether to allow use of Multi-Resource Refresh Tokens
         """
         if not secret:
             raise MissingRequiredArgumentError("secret")
@@ -97,7 +94,6 @@ def __init__(
         self._redirect_uri = redirect_uri
         self._default_authorization_params = authorization_params or {}
         self._pushed_authorization_requests = pushed_authorization_requests  # store the flag
-        self._use_mrrt = use_mrrt
 
         # Initialize stores
         self._transaction_store = transaction_store
@@ -617,14 +613,6 @@ async def get_access_token(
                     token_set = ts
                     break
 
-        # After loop: if no matching token found and MRRT disabled, check if we need to error
-        if not token_set and not self._use_mrrt and state_data_dict.get("token_sets"):
-            # We have tokens but none match, and we can't use RT to get a new one
-            raise AccessTokenError(
-                AccessTokenErrorCode.INCORRECT_AUDIENCE,
-                "The access token for the requested audience is not available and Multi-Resource Refresh Tokens are disabled."
-            )
-
         # If token is valid, return it
         if token_set and token_set.get("expires_at", 0) > time.time():
             return token_set["access_token"]
@@ -1316,9 +1304,6 @@ async def start_connect_account(
         Returns:
             The a connect URL containing a ticket to redirect the user to.
         """
-        if not self._use_mrrt:
-            raise Auth0Error("Multi-Resource Refresh Tokens (MRRT) is required to use Connected Accounts functionality.")
-
         # Use the default redirect_uri if none is specified
         redirect_uri = options.redirect_uri or self._redirect_uri
         # Ensure we have a redirect_uri
@@ -1387,9 +1372,6 @@ async def complete_connect_account(
         Returns:
             A response from the connect account flow.
         """
-        if not self._use_mrrt:
-            raise Auth0Error("Multi-Resource Refresh Tokens (MRRT) is required to use Connected Accounts functionality.")
-
         # Parse the URL to get query parameters
         parsed_url = urlparse(url)
         query_params = parse_qs(parsed_url.query)

src/auth0_server_python/tests/test_server_client.py

@@ -18,7 +18,6 @@
 from auth0_server_python.error import (
     AccessTokenForConnectionError,
     ApiError,
-    Auth0Error,
     BackchannelLogoutError,
     MissingRequiredArgumentError,
     MissingTransactionError,
@@ -1274,8 +1273,7 @@ async def test_start_connect_account_calls_connect_and_builds_url(mocker):
         client_secret="<client_secret>",
         state_store=mock_state_store,
         transaction_store=mock_transaction_store,
-        secret="some-secret",
-        use_mrrt=True
+        secret="some-secret"
     )
 
     mocker.patch.object(client, "get_access_token", AsyncMock(return_value="<access_token>"))
@@ -1339,8 +1337,7 @@ async def test_start_connect_account_default_redirect_uri(mocker):
         state_store=mock_state_store,
         transaction_store=mock_transaction_store,
         secret="some-secret",
-        redirect_uri="/default_redirect_uri",
-        use_mrrt=True
+        redirect_uri="/default_redirect_uri"
     )
 
     mocker.patch.object(client, "get_access_token", AsyncMock(return_value="<access_token>"))
@@ -1402,8 +1399,7 @@ async def test_start_connect_account_no_redirect_uri(mocker):
         client_secret="<client_secret>",
         state_store=mock_state_store,
         transaction_store=mock_transaction_store,
-        secret="some-secret",
-        use_mrrt=True
+        secret="some-secret"
     )
 
     # Act
@@ -1417,33 +1413,6 @@ async def test_start_connect_account_no_redirect_uri(mocker):
     # Assert
     assert "redirect_uri" in str(exc.value)
 
-@pytest.mark.asyncio
-async def test_start_connect_account_mrrt_disabled(mocker):
-    # Setup
-    mock_transaction_store = AsyncMock()
-    mock_state_store = AsyncMock()
-
-    client = ServerClient(
-        domain="auth0.local",
-        client_id="<client_id>",
-        client_secret="<client_secret>",
-        state_store=mock_state_store,
-        transaction_store=mock_transaction_store,
-        secret="some-secret",
-        use_mrrt=False
-    )
-
-    # Act
-    with pytest.raises(Auth0Error) as exc:
-        await client.start_connect_account(
-            options=ConnectAccountOptions(
-                connection="<connection>"
-            )
-        )
-
-    # Assert
-    assert "MRRT" in str(exc.value)
-
 @pytest.mark.asyncio
 async def test_complete_connect_account_calls_complete(mocker):
     # Setup
@@ -1457,8 +1426,7 @@ async def test_complete_connect_account_calls_complete(mocker):
         state_store=mock_state_store,
         transaction_store=mock_transaction_store,
         secret="some-secret",
-        redirect_uri="/test_redirect_uri",
-        use_mrrt=True
+        redirect_uri="/test_redirect_uri"
     )
 
     mocker.patch.object(client, "get_access_token", AsyncMock(return_value="<access_token>"))
@@ -1501,8 +1469,7 @@ async def test_complete_connect_account_no_connect_code(mocker):
         state_store=mock_state_store,
         transaction_store=mock_transaction_store,
         secret="some-secret",
-        redirect_uri="/test_redirect_uri",
-        use_mrrt=True
+        redirect_uri="/test_redirect_uri"
     )
 
     mock_my_account_client = AsyncMock(MyAccountClient)
@@ -1533,8 +1500,7 @@ async def test_complete_connect_account_no_state(mocker):
         state_store=mock_state_store,
         transaction_store=mock_transaction_store,
         secret="some-secret",
-        redirect_uri="/test_redirect_uri",
-        use_mrrt=True
+        redirect_uri="/test_redirect_uri"
     )
 
     mock_my_account_client = AsyncMock(MyAccountClient)
@@ -1565,8 +1531,7 @@ async def test_complete_connect_account_no_transactions(mocker):
         state_store=mock_state_store,
         transaction_store=mock_transaction_store,
         secret="some-secret",
-        redirect_uri="/test_redirect_uri",
-        use_mrrt=True
+        redirect_uri="/test_redirect_uri"
     )
 
     mock_my_account_client = AsyncMock(MyAccountClient)
@@ -1583,29 +1548,3 @@ async def test_complete_connect_account_no_transactions(mocker):
     # Assert
     assert "transaction" in str(exc.value)
     mock_my_account_client.complete_connect_account.assert_not_awaited()
-
-@pytest.mark.asyncio
-async def test_complete_connect_account_mrrt_disabled(mocker):
-    # Setup
-    mock_transaction_store = AsyncMock()
-    mock_state_store = AsyncMock()
-
-    client = ServerClient(
-        domain="auth0.local",
-        client_id="<client_id>",
-        client_secret="<client_secret>",
-        state_store=mock_state_store,
-        transaction_store=mock_transaction_store,
-        secret="some-secret",
-        redirect_uri="/test_redirect_uri",
-        use_mrrt=False
-    )
-
-    # Act
-    with pytest.raises(Auth0Error) as exc:
-        await client.complete_connect_account(
-            url="/test_redirect_uri?connect_code=<connect_code>&state=<state>"
-        )
-
-    # Assert
-    assert "MRRT" in str(exc.value)