CTE - delegated authorization #1215
Open
dlozlla wants to merge 7 commits into
Conversation
lrzhou25
reviewed
May 18, 2026
Other extension parameters are ignored, although they are included in the `event.request.body` in the corresponding Action.
Your CTE Action is responsible for securely validating the `actor_token` — applying the same rigor (e.g., cryptographic signature verification) as you would for the `subject_token`. When `actor_token_type` is `urn:ietf:params:oauth:token-type:id_token`, Auth0 performs this validation automatically.
</Note>
Contributor
Suggested change
</Note>
</Callout>
When an actor is set for the transaction, refresh tokens are not issued regardless of requested scopes. The `offline_access` scope is excluded from the response. This is by design: delegated tokens should not outlive the immediate exchange, ensuring that each subsequent access request goes through the CTE Action's authorization logic to re-validate the delegation.
Other extension parameters are ignored, although they are included in the `event.request.body` in the corresponding Action.
Your CTE Action is responsible for securely validating the `actor_token` — applying the same rigor (e.g., cryptographic signature verification) as you would for the `subject_token`. When `actor_token_type` is `urn:ietf:params:oauth:token-type:id_token`, Auth0 performs this validation automatically.
Contributor
Suggested change
Your CTE Action is responsible for securely validating the `actor_token` — applying the same rigor (e.g., cryptographic signature verification) as you would for the `subject_token`. When `actor_token_type` is `urn:ietf:params:oauth:token-type:id_token`, Auth0 performs this validation automatically.
Your CTE Action is responsible for securely validating the `actor_token` by applying the same rigor (e.g., cryptographic signature verification) as you would for the `subject_token`. When `actor_token_type` is `urn:ietf:params:oauth:token-type:id_token`, Auth0 performs this validation automatically.
Co-authored-by: Lucy Zhou <141781699+lrzhou25@users.noreply.github.com>
dlozlla
commented
May 22, 2026
`setActor()` can be called regardless of whether the request includes an `actor_token`. The `actor_token` parameter is one way for the calling application to pass actor information to the Action, but the actor identity can also be embedded in the `subject_token` itself or obtained through other custom means within the Action code.
When the request does include `actor_token` and `actor_token_type`, these values are available in [`event.transaction`](/docs/customize/actions/explore-triggers/signup-and-login-triggers/custom-token-exchange-trigger/custom-token-exchange-event-object#event-transaction). If `actor_token_type` is `urn:ietf:params:oauth:token-type:id_token` and the token is a valid Auth0 ID token from the same tenant, the server automatically validates the token and populates `event.transaction.actor_token_user` with the actor's user profile.
Contributor
Author
I guess we have the same issue for this link too
Contributor
Author
Oh, no issue here as we reference an existing field.
Disregard my comment
Co-authored-by: Lucy Zhou <141781699+lrzhou25@users.noreply.github.com>
CI readback on the failing Lychee job: the link check itself appears clean from the log; it reports only two 200 redirects:
The failing line is from the comment-posting step, not from Lychee finding a broken URL. So this looks like a workflow/token-permission issue for the sticky PR comment action on this PR, rather than a docs link failure.
Description
Doc changes for the Custom Token Exchange - Delegated Authorization feature
Consider this Google Doc with changes to be considered for the CTE trigger point API and event objects too.
This PR also includes changes for https://auth0.com/docs/api/authentication/custom-token-exchange/get-token
References
https://auth0team.atlassian.net/browse/ROAD-1696
Checklist
CONTRIBUTING.md.