PoC: add Session Transfer Token (STT) support for impersonation via session transfer#126
Open
kishore7snehil wants to merge 2 commits into
Open
PoC: add Session Transfer Token (STT) support for impersonation via session transfer#126kishore7snehil wants to merge 2 commits into
kishore7snehil wants to merge 2 commits into
Conversation
…session transfer (PoC)
Adds the initiator surface for CTE Impersonation via Session Transfer (Release 2):
- request_session_transfer_token(): mints an STT via custom token exchange against the
urn:{domain}:session_transfer audience (domain resolved per-request for MCD)
- build_session_transfer_redirect(): builds the redirect URL handing the STT to the
target app's login URL (reuses URL.build_url)
- SessionTransferTokenResult model and SESSION_TRANSFER_TOKEN_TYPE constant
- CustomTokenExchangeErrorCode: ACTOR_UNAVAILABLE, SETACTOR_REQUIRED, SESSION_TRANSFER_DISABLED
Additive and non-breaking. Explicit-actor scope; auto-source-from-session and tests deferred.
kishore7snehil
changed the title
actor_token_type is caller-supplied, so it no longer defaults to the id_token URN - the caller states the type matching their actor token (consistent with custom_token_exchange). Also sorts the auth_types import block (ruff I001). Lint clean.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
📋 Changes
Custom Token Exchange Release 1 added the
actclaim for delegation. It adds the Session Transfer Token (STT) path: an application requests a short-lived, single-use STT via CTE, then redirects the agent's browser to a target app's login URL carrying the STT, which is redeemed at/authorizeto establish an impersonated web session as the customer. This PR implements the initiator side of that flow.✨ Features
request_session_transfer_token(...)- performs a custom token exchange against theurn:{domain}:session_transferaudience and returns the STT. The audience is built from the SDK's resolved request domain (so it is correct under multiple custom domains). Requires anactor_token; raisesCustomTokenExchangeError(ACTOR_UNAVAILABLE)client-side if none is provided.build_session_transfer_redirect(target_login_url, result, organization=None)—-pure helper that returns the redirect URL handing the STT (and optionalorganization) to the target app's login URL. Reuses the existingURL.build_urlhelper. Performs no network call and writes nothing to the session.🔧 API Changes
SessionTransferTokenResultmodel (session_transfer_token,issued_token_type,expires_in,token_type,scope)SESSION_TRANSFER_TOKEN_TYPE(urn:auth0:params:oauth:token-type:session_transfer_token)CustomTokenExchangeErrorCode:ACTOR_UNAVAILABLE(raised client-side),SETACTOR_REQUIRED,SESSION_TRANSFER_DISABLED(server-side cases; surfaced via the raw servererror/error_description)All additions are additive - no existing types, methods, or behavior change.
Contributor Checklist