Skip to content

feat: Add Token Vault support to the Authentication API#894

Merged
kailash-b merged 3 commits into
masterfrom
feat/SDK-9839
Jul 10, 2026
Merged

feat: Add Token Vault support to the Authentication API#894
kailash-b merged 3 commits into
masterfrom
feat/SDK-9839

Conversation

@kailash-b

@kailash-b kailash-b commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR adds support for the Token Vault federated-connection token exchange grant
(urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token) to the
Authentication API. This lets a private client exchange an Auth0 refresh token for a federated
identity provider's access token (e.g. Google, Facebook), so applications can call those
providers' APIs on the user's behalf.

Changes

Token Vault token exchange

Added AuthAPI.getTokenForConnection(String connection, String refreshToken), which returns a TokenRequest.

  • Uses the Token Vault grant:
    urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token
  • Hardcodes subject_token_type to urn:ietf:params:oauth:token-type:refresh_token (the only
    value the endpoint currently supports) and requested_token_type to
    http://auth0.com/oauth/token-type/federated-connection-access-token.
  • Sends the caller-supplied connection and the refresh token as subject_token.
  • Requires client authentication (client secret or client assertion) - this must be a private client.

Added TokenRequest.setLoginHint(String) for the optional login_hint (the user's ID within the
federated identity provider), following the existing setScope / setAudience setter pattern.

Example

TokenHolder tokens = authAPI
    .getTokenForConnection("google-oauth2", refreshToken)
    .setLoginHint("google-user-id") // optional
    .execute()
    .getBody();

String federatedAccessToken = tokens.getAccessToken();

Test Plan

  • ./gradlew test --tests "com.auth0.client.auth.AuthAPITest"
  • ✅ Full test suite passes: ./gradlew test
  • ✅ Ran spotless: ./gradlew spotlessCheck
  • Added unit tests covering: all request parameters, login_hint present/absent,
    null-argument validation (connection, refreshToken), and the client-authentication requirement.

@kailash-b kailash-b changed the title feat: Adds Token Vault support in AuthApi feat: Add Token Vault support to the Authentication API Jul 9, 2026
@kailash-b kailash-b marked this pull request as ready for review July 10, 2026 10:32
@kailash-b kailash-b requested a review from a team as a code owner July 10, 2026 10:32
@kailash-b kailash-b merged commit 93d3100 into master Jul 10, 2026
6 of 7 checks passed
@kailash-b kailash-b deleted the feat/SDK-9839 branch July 10, 2026 12:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants