From c18d47623536b550fc17bd71db5fcb6c4b03448b Mon Sep 17 00:00:00 2001
From: Tushar Pandey
Date: Mon, 21 Jul 2025 22:14:27 +0530
Subject: [PATCH] feat: add option to use urn:ietf:params:oauth:token-type:access_token as subject_token_type in getConnectionForToken to enable usecase for auth4genai

---
 src/server/auth-client.ts | 16 ++++++----------
 src/types/index.ts | 32 +++++++++++++++++++++++++++++++-
 2 files changed, 37 insertions(+), 11 deletions(-)

diff --git a/src/server/auth-client.ts b/src/server/auth-client.ts
index 34df3f72..5c9245b9 100644
--- a/src/server/auth-client.ts
+++ b/src/server/auth-client.ts
@@ -26,6 +26,7 @@ import {
 LogoutToken,
 SessionData,
 StartInteractiveLoginOptions,
+ SUBJECT_TOKEN_TYPES,
 TokenSet,
 User
 } from "../types/index.js";
@@ -80,15 +81,6 @@ const DEFAULT_SCOPES = ["openid", "profile", "email", "offline_access"].join(
 const GRANT_TYPE_FEDERATED_CONNECTION_ACCESS_TOKEN =
 "urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token";
 
-/**
- * Constant representing the subject type for a refresh token.
- * This is used in OAuth 2.0 token exchange to specify that the token being exchanged is a refresh token.
- *
- * @see {@link https://tools.ietf.org/html/rfc8693#section-3.1 RFC 8693 Section 3.1}
- */
-const SUBJECT_TYPE_REFRESH_TOKEN =
- "urn:ietf:params:oauth:token-type:refresh_token";
-
 /**
 * A constant representing the token type for federated connection access tokens.
 * This is used to specify the type of token being requested from Auth0.
@@ -1159,7 +1151,11 @@ export class AuthClient {
 const params = new URLSearchParams();
 
 params.append("connection", options.connection);
- params.append("subject_token_type", SUBJECT_TYPE_REFRESH_TOKEN);
+ params.append(
+ "subject_token_type",
+ options.subject_token_type ||
+ SUBJECT_TOKEN_TYPES.SUBJECT_TYPE_REFRESH_TOKEN
+ );
 params.append("subject_token", tokenSet.refreshToken);
 params.append(
 "requested_token_type",
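Review bot: In the third hunk (the `params.append("subject_token_type", …)` change) the new option only changes the declared type of the subject token, while the next line still sends `tokenSet.refreshToken` as `subject_token`, so a caller that selects `SUBJECT_TYPE_ACCESS_TOKEN` declares an access token but submits the refresh token — the exchange will either be rejected or, if the server trusts the declared type, a refresh token is sent where an access token was meant to go; the only way this works as written is if callers are expected to place their access token in `refreshToken`, which the option's doc comment in src/types/index.ts (last hunk) does not say. The enclosing method starts and ends outside the hunk, so any earlier check that requires a refresh token to be present is not visible here; if one exists it would also need to depend on the selected type. I would derive the sent token from the selected type (assuming `TokenSet` has an `accessToken` field, which the hunk does not show) and have the `subject_token_type` doc comment state which token is sent for each value. A minor point of style: `??` expresses the default more precisely than `||`, though with non-empty enum strings the result is the same.
```typescript
    params.append("connection", options.connection);
    // The token sent as subject_token must be the kind named by
    // subject_token_type; pick it from the selected type rather than
    // always sending the refresh token.
    const subjectTokenType =
      options.subject_token_type ??
      SUBJECT_TOKEN_TYPES.SUBJECT_TYPE_REFRESH_TOKEN;
    const subjectToken =
      subjectTokenType === SUBJECT_TOKEN_TYPES.SUBJECT_TYPE_ACCESS_TOKEN
        ? tokenSet.accessToken
        : tokenSet.refreshToken;
    params.append("subject_token_type", subjectTokenType);
    params.append("subject_token", subjectToken);
    // … unchanged: requested_token_type and the remaining params …
```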
diff --git a/src/types/index.ts b/src/types/index.ts
index bf926135..7c45d7a8 100644
--- a/src/types/index.ts
+++ b/src/types/index.ts
@@ -88,7 +88,10 @@ export type {
 SessionStoreOptions
 } from "../server/session/abstract-session-store.js";
 
-export type { CookieOptions, ReadonlyRequestCookies } from "../server/cookies.js";
+export type {
+ CookieOptions,
+ ReadonlyRequestCookies
+} from "../server/cookies.js";
 
 export type {
 TransactionStoreOptions,
@@ -130,6 +133,22 @@ export interface AuthorizationParameters {
 [key: string]: unknown;
 }
 
+export enum SUBJECT_TOKEN_TYPES {
+ /**
+ * Indicates that the token is an OAuth 2.0 refresh token issued by the given authorization server.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8693#section-3-3.4 RFC 8693 Section 3-3.4}
+ */
+ SUBJECT_TYPE_REFRESH_TOKEN = "urn:ietf:params:oauth:token-type:refresh_token",
+
+ /**
+ * Indicates that the token is an OAuth 2.0 access token issued by the given authorization server.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc8693#section-3-3.2 RFC 8693 Section 3-3.2}
+ */
+ SUBJECT_TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
+}
+
 /**
 * Options for retrieving a connection access token.
 */
@@ -143,6 +162,17 @@ export interface AccessTokenForConnectionOptions {
 * An optional login hint to pass to the authorization server.
 */
 login_hint?: string;
+
+ /**
+ * The type of token that is being exchanged.
+ *
+ * Uses the {@link SUBJECT_TOKEN_TYPES} enum with the following allowed values:
+ * - `SUBJECT_TYPE_REFRESH_TOKEN`: `"urn:ietf:params:oauth:token-type:refresh_token"`
+ * - `SUBJECT_TYPE_ACCESS_TOKEN`: `"urn:ietf:params:oauth:token-type:access_token"`
+ *
+ * Defaults to `SUBJECT_TYPE_REFRESH_TOKEN`.
+ */
+ subject_token_type?: SUBJECT_TOKEN_TYPES;
 }
 
 /**
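Review bot: The new `SUBJECT_TOKEN_TYPES` enum in the second hunk is exported public API under a CONSTANT_CASE name whose members repeat a `SUBJECT_TYPE_` prefix, so every call site reads `SUBJECT_TOKEN_TYPES.SUBJECT_TYPE_ACCESS_TOKEN`, and renaming it after release is a breaking change. A PascalCase name with short members, `export enum SubjectTokenType { RefreshToken = "urn:ietf:params:oauth:token-type:refresh_token", AccessToken = "urn:ietf:params:oauth:token-type:access_token" }`, or a string-literal union, would match the file's other exported names such as `AuthorizationParameters` and `AccessTokenForConnectionOptions`. Whichever shape is kept, the enum itself has no doc comment while its members do; a one-liner such as `/** RFC 8693 token type identifiers accepted as subject_token_type in the token-exchange request. */` above the declaration would make its purpose visible in editor hovers.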