CTE - delegated authorization #1215
Open
dlozlla wants to merge 4 commits into
Conversation
lrzhou25 reviewed May 18, 2026
| - When `actor_token` is present, refresh tokens are not issued. The `offline_access` scope is excluded from the response. | ||
| - MFA is not compatible with transactions where an actor is set via `setActor()`. If MFA is required and the Custom Token Exchange Action sets an actor, the request returns a `400` error: "MFA is not supported using actor_token with the requested token exchange profile." |
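Review bot: the two bullets in this hunk key the same behaviour off different triggers: the first withholds refresh tokens "When `actor_token` is present", while the MFA bullet (and the refresh-token paragraph added further down in this PR) are conditioned on the Action setting an actor via `setActor()`. If the refresh-token rule applies only once an actor is actually set, and not merely because the request carried an `actor_token`, reword the first bullet to match, e.g. "When the Action sets an actor via `setActor()`, refresh tokens are not issued."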
Contributor
Suggested change
| - MFA is not compatible with transactions where an actor is set via `setActor()`. If MFA is required and the Custom Token Exchange Action sets an actor, the request returns a `400` error: "MFA is not supported using actor_token with the requested token exchange profile." | |
| - MFA is not compatible with transactions where an actor is set via `setActor()`. If MFA is required and the Custom Token Exchange Action sets an actor, the request returns a `400` error: `MFA is not supported using actor_token with the requested token exchange profile.` |
| - MFA is not compatible with transactions where an actor is set via `setActor()`. If MFA is required and the Custom Token Exchange Action sets an actor, the request returns a `400` error: "MFA is not supported using actor_token with the requested token exchange profile." | ||
| - When the Action calls `setActor()`, issued access tokens and ID tokens include an `act` claim representing the [delegation chain](https://auth0.com/docs/secure/call-apis-on-users-behalf/on-behalf-of-token-exchange#the-act-claim). The `act` claim is also included in the userinfo response. |
Contributor
Suggested change
| - When the Action calls `setActor()`, issued access tokens and ID tokens include an `act` claim representing the [delegation chain](https://auth0.com/docs/secure/call-apis-on-users-behalf/on-behalf-of-token-exchange#the-act-claim). The `act` claim is also included in the userinfo response. | |
| - When the Action calls `setActor()`, issued access tokens and ID tokens include an `act` claim representing the [delegation chain](/docs/secure/call-apis-on-users-behalf/on-behalf-of-token-exchange#the-act-claim). The `act` claim is also included in the userinfo response. |
| feature="Custom Token Exchange (CTE)" | ||
| stage="ea" | ||
| plans="B2B Professional and Enterprise" | ||
| plans="B2C Professional, B2B Professional and Enterprise" |
Contributor
Suggested change
| plans="B2C Professional, B2B Professional and Enterprise" | |
| plans="B2C Professional, B2B Professional, and Enterprise" |
| feature="Custom Token Exchange (CTE)" | ||
| stage="ea" | ||
| plans="B2B Professional and Enterprise" | ||
| plans="B2C Professional, B2B Professional and Enterprise" |
Contributor
Suggested change
| plans="B2C Professional, B2B Professional and Enterprise" | |
| plans="B2C Professional, B2B Professional, and Enterprise" |
| feature="Custom Token Exchange (CTE)" | ||
| stage="ea" | ||
| plans="B2B Professional and Enterprise" | ||
| plans="B2C Professional, B2B Professional and Enterprise" |
Contributor
Suggested change
| plans="B2C Professional, B2B Professional and Enterprise" | |
| plans="B2C Professional, B2B Professional, and Enterprise" |
| <Callout icon="file-lines" color="#0EA5E9" iconType="regular"> | ||
| Remember that `subject_tokens` used with Custom Token Exchange can be any token format or type, as long as your Action code can interpret them. | ||
| Remember that subject and actor tokens used with Custom Token Exchange can be any token format or type, as long as your Action code can interpret them. **You must implement strong validation of the tokens you receive and accept.** If you fail to do so, you open yourself up to different attack vectors, such as spoofing or replay attacks, resulting in bad actors being able to authenticate with someone else's user ID or acting on their behalf in an uncontrolled manner. |
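Review bot: the rewritten callout tells readers that they must validate both subject and actor tokens themselves, but the parameter table and the note added later in this PR state that Auth0 validates the `actor_token` automatically when `actor_token_type` is `urn:ietf:params:oauth:token-type:id_token`. Mention that exception here, or point to the note, so the two passages do not read as contradicting each other, e.g. "... as long as your Action code can interpret them. Unless the actor token is an Auth0 ID token, which Auth0 validates server-side, you must implement strong validation of the tokens you receive and accept."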
Contributor
Suggested change
| Remember that subject and actor tokens used with Custom Token Exchange can be any token format or type, as long as your Action code can interpret them. **You must implement strong validation of the tokens you receive and accept.** If you fail to do so, you open yourself up to different attack vectors, such as spoofing or replay attacks, resulting in bad actors being able to authenticate with someone else's user ID or acting on their behalf in an uncontrolled manner. | |
| Remember that subject and actor tokens used with Custom Token Exchange can be any token format or type, as long as your Action code can interpret them. You must implement strong validation of the tokens you receive and accept. If you fail to do so, you open yourself up to different attack vectors, such as spoofing or replay attacks, resulting in bad actors being able to authenticate with someone else's user ID or acting on their behalf in an unauthorized manner. |
| | `audience` | The API identifier defined in Auth0. The default tenant audience will be used when not present, as configured in [Tenant Settings](/docs/get-started/tenant-settings). | | ||
| | `scope` | (Optional) The OAuth2 scope parameter. | | ||
| | `organization` | (Optional) The organization identifier you want the request to be associated with. Alternatively, you can specify an organization name if [Use Organization Names in Authentication API](/docs/manage-users/organizations/configure-organizations/use-org-name-authentication-api) is allowed for your tenant. To learn more about how the request is processed, read about the [api.authentication.setOrganization() API method](/docs/customize/actions/explore-triggers/signup-and-login-triggers/custom-token-exchange-trigger/custom-token-exchange-api-object#api-authentication-setorganization-organization). | | ||
| | `actor_token` | (Optional) A token identifying the actor — the principal performing delegation on behalf of the subject user. Must be provided together with `actor_token_type`. | |
Contributor
Suggested change
| | `actor_token` | (Optional) A token identifying the actor — the principal performing delegation on behalf of the subject user. Must be provided together with `actor_token_type`. | | |
| | `actor_token` | (Optional) A token identifying the actor or the principal performing delegation on behalf of the subject user. Must be provided together with `actor_token_type`. | |
| | `actor_token` | (Optional) A token identifying the actor — the principal performing delegation on behalf of the subject user. Must be provided together with `actor_token_type`. | | ||
| | `actor_token_type` | (Optional) The type of the actor token. Must be provided together with `actor_token`. For Auth0 ID tokens, use `urn:ietf:params:oauth:token-type:id_token` for automatic server-side validation. For other values, follow the same namespace restrictions as `subject_token_type`. | | ||
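Review bot: both new rows say the two parameters "must be provided together", but neither row says what the endpoint returns when only one of them is sent. Document that error response (status and message) the way the MFA bullet in this PR does for its `400` case, and link the phrase "the same namespace restrictions as `subject_token_type`" to where those restrictions are defined, since the table itself does not state them.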
| <Note> |
Contributor
Suggested change
| <Note> | |
| <Callout icon="file-lines" color="#0EA5E9" iconType="regular"> |
| Other extension parameters are ignored, although they are included in the `event.request.body` in the corresponding Action. | ||
| Your CTE Action is responsible for securely validating the `actor_token` — applying the same rigor (e.g., cryptographic signature verification) as you would for the `subject_token`. When `actor_token_type` is `urn:ietf:params:oauth:token-type:id_token`, Auth0 performs this validation automatically. | ||
| </Note> |
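Review bot: "applying the same rigor (e.g., cryptographic signature verification)" names only the signature check, yet for a token that establishes a delegation chain the issuer, audience, expiry and the binding between the actor token and the client presenting it matter just as much. Consider listing the checks the Action is expected to perform, and stating what Auth0's automatic validation of an ID-token `actor_token` covers, so readers know which checks remain their responsibility.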
Contributor
Suggested change
| </Note> | |
| </Callout> |
| When an actor is set for the transaction, refresh tokens are not issued regardless of requested scopes. The `offline_access` scope is excluded from the response. This is by design: delegated tokens should not outlive the immediate exchange, ensuring that each subsequent access request goes through the CTE Action's authorization logic to re-validate the delegation. | ||
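Review bot: "delegated tokens should not outlive the immediate exchange" reads as if the issued access token itself expires with the exchange, whereas the preceding sentence only says that no refresh token is issued; the access token still lives for its configured lifetime. Suggest "delegated access should not be renewable without re-authorization" or similar, so the stated rationale matches the behaviour described.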
| Other extension parameters are ignored, although they are included in the `event.request.body` in the corresponding Action. | ||
| Your CTE Action is responsible for securely validating the `actor_token` — applying the same rigor (e.g., cryptographic signature verification) as you would for the `subject_token`. When `actor_token_type` is `urn:ietf:params:oauth:token-type:id_token`, Auth0 performs this validation automatically. |
Contributor
Suggested change
| Your CTE Action is responsible for securely validating the `actor_token` — applying the same rigor (e.g., cryptographic signature verification) as you would for the `subject_token`. When `actor_token_type` is `urn:ietf:params:oauth:token-type:id_token`, Auth0 performs this validation automatically. | |
| Your CTE Action is responsible for securely validating the `actor_token` by applying the same rigor (e.g., cryptographic signature verification) as you would for the `subject_token`. When `actor_token_type` is `urn:ietf:params:oauth:token-type:id_token`, Auth0 performs this validation automatically. |
Description
Doc changes for the Custom Token Exchange - Delegated Authorization feature
Consider this Google Doc with changes to be considered for the CTE trigger point API and event objects too.
This PR also includes changes for https://auth0.com/docs/api/authentication/custom-token-exchange/get-token
References
https://auth0team.atlassian.net/browse/ROAD-1696
Checklist
CONTRIBUTING.md.