Conversation

@ankita10119

Description

This PR adds comprehensive OAuth 2.0 Token Exchange (RFC 8693) support to the express-oauth2-jwt-bearer middleware, enabling secure token transformation and delegation scenarios.

Key Features

  • Full RFC 8693 Compliance - Complete token exchange specification implementation
  • Multi-Provider Support - Auth0, Google, Cognito, Azure AD, and custom IdPs
  • Actor Token Delegation - Support for impersonation and delegation workflows
  • Dynamic Audience/Scope Mapping - Flexible token claim transformation
  • RS256 & HS256 Support - Both symmetric and asymmetric key validation
  • Token Introspection - External token validation for third-party providers
  • Enhanced Error Handling - Proper RFC-compliant error responses

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

@ankita10119 ankita10119 requested a review from a team as a code owner November 24, 2025 20:55
});

// Start the server
const server = app.listen(config.port, () => {

Check notice

Code scanning / CodeQL

Unused variable, import, function or class Note

Unused variable server.

Copilot Autofix

AI 14 days ago

To fix the problem, simply remove the assignment of the result of app.listen(config.port, ...) to the unused variable server. Call app.listen(config.port, ...) directly without assigning it to any variable. There is no need to make any additional code changes, imports, or definitions, as this fix is self-contained to the server startup code. Only the affected line needs to be changed in the packages/examples/custom-token-exchange-example.ts file.

Suggested changeset 1
packages/examples/custom-token-exchange-example.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/examples/custom-token-exchange-example.ts b/packages/examples/custom-token-exchange-example.ts
--- a/packages/examples/custom-token-exchange-example.ts
+++ b/packages/examples/custom-token-exchange-example.ts
@@ -607,7 +607,7 @@
 });
 
 // Start the server
-const server = app.listen(config.port, () => {
+app.listen(config.port, () => {
   console.log(`Custom Token Exchange Example Server running on port ${config.port}`);
   console.log('Available endpoints:');
   console.log('  POST /oauth/token/basic - Basic token exchange');
EOF
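Review bot: Replacing `const server = app.listen(config.port, () => {` with a bare `app.listen(...)` silences the unused-variable note by discarding the server handle rather than using it, which leaves the example with no reference through which to stop the listener (a `server.close()` call on SIGTERM or at the end of a test run). If this example is meant to show how a service should run, prefer keeping the handle and registering a shutdown hook; if it is only a demo of the endpoints listed in the `console.log` context lines, the removal is acceptable as the minimal fix.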
@@ -0,0 +1,996 @@
import { Request, Response } from 'express';

Check notice

Code scanning / CodeQL

Unused variable, import, function or class Note test

Unused import Response.

Copilot Autofix

AI 14 days ago

To resolve the issue of the unused import, simply remove Response from the import statement on line 1. Retain only Request if it is used, otherwise if neither is used, remove the whole curly braces import. In this code, Request is not referenced either, so the curly brace import could be removed entirely unless Request is used elsewhere in the file not shown.

Since CodeQL only flagged Response as unused, and not Request, we make the minimal fix: remove Response from the import statement, leaving the import of Request intact.

Edit only line 1 of packages/express-oauth2-jwt-bearer/test/custom-token-exchange.test.ts, removing Response from the import.


Suggested changeset 1
packages/express-oauth2-jwt-bearer/test/custom-token-exchange.test.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/express-oauth2-jwt-bearer/test/custom-token-exchange.test.ts b/packages/express-oauth2-jwt-bearer/test/custom-token-exchange.test.ts
--- a/packages/express-oauth2-jwt-bearer/test/custom-token-exchange.test.ts
+++ b/packages/express-oauth2-jwt-bearer/test/custom-token-exchange.test.ts
@@ -1,4 +1,4 @@
-import { Request, Response } from 'express';
+import { Request } from 'express';
 import express from 'express';
 import request from 'supertest';
 import * as jwt from 'jsonwebtoken';
EOF
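Review bot: The resulting `import { Request } from 'express';` very likely still carries an unused import, because the autofix text above states that `Request` is not referenced in this test file either; only `Response` was flagged, so the same CodeQL note is likely to reappear for `Request` after this hunk lands. Check whether `Request` is used anywhere in the test and, if it is not, drop the named import entirely and keep just `import express from 'express';`. If it is used only in type positions, `import type { Request } from 'express';` states that intent explicitly and is erased at compile time.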
@ankita10119 ankita10119 changed the title from "Chore: custome-token-exchange implementation" to "Chore: custom-token-exchange implementation" on Nov 26, 2025