Merge branch 'main' into retry-per-request

Author: developerkunal

management/client.go

@@ -142,6 +142,9 @@ type Client struct {
 	DefaultOrganization *ClientDefaultOrganization `json:"default_organization,omitempty"`
 
 	TokenExchange *ClientTokenExchange `json:"token_exchange,omitempty"`
+
+	// Session Transfer settings for the client - Allows Native to Web SSO
+	SessionTransfer *SessionTransfer `json:"session_transfer,omitempty"`
 }
 
 // ClientTokenExchange allows configuration for token exchange.
@@ -278,6 +281,18 @@ type ClientRefreshToken struct {
 
 	// Period in seconds after which inactive refresh tokens will expire.
 	IdleTokenLifetime *int `json:"idle_token_lifetime,omitempty"`
+
+	// A collection of policies governing multi-resource refresh token exchange (MRRT), defining how refresh tokens can be used across different resource servers
+	Policies *[]ClientRefreshTokenPolicy `json:"policies,omitempty"`
+}
+
+// ClientRefreshTokenPolicy is used to configure the Refresh Token policies for our Client.
+type ClientRefreshTokenPolicy struct {
+	// The identifier of the resource server to which the Multi Resource Refresh Token Policy applies
+	Audience *string `json:"audience,omitempty"`
+
+	// The resource server permissions granted under the Multi Resource Refresh Token Policy, defining the context in which an access token can be used
+	Scope *[]string `json:"scope,omitempty"`
 }
 
 // Credential is used to configure Client Credentials.
@@ -358,6 +373,13 @@ type BackChannelLogoutInitiators struct {
 	SelectedInitiators *[]string `json:"selected_initiators,omitempty"`
 }
 
+// SessionTransfer Transfer defines the setting to allow Native to Web SSO session transfer.
+type SessionTransfer struct {
+	CanCreateSessionTransferToken *bool     `json:"can_create_session_transfer_token,omitempty"`
+	AllowedAuthenticationMethods  *[]string `json:"allowed_authentication_methods,omitempty"`
+	EnforceDeviceBinding          *string   `json:"enforce_device_binding,omitempty"`
+}
+
 // ClientAddons defines the `addons` settings for a Client.
 type ClientAddons struct {
 	AWS                  *AWSClientAddon                  `json:"aws,omitempty"`

management/client_test.go

@@ -30,6 +30,61 @@ func TestClient_Create(t *testing.T) {
 	})
 }
 
+func TestClient_CreateWithClientRefreshToken(t *testing.T) {
+	configureHTTPTestRecordings(t)
+
+	// Create a Resource Server
+	resourceServer := &ResourceServer{
+		Name:       auth0.Stringf("Test Resource Server (%s)", time.Now().Format(time.StampMilli)),
+		Identifier: auth0.String("https://mrrt"),
+		Scopes: &[]ResourceServerScope{
+			{
+				Description: auth0.String("This is just a test client."),
+				Value:       auth0.String("create:bar"),
+			},
+			{
+				Description: auth0.String("This is just a test client."),
+				Value:       auth0.String("read:bar"),
+			},
+		},
+		SkipConsentForVerifiableFirstPartyClients: auth0.Bool(true),
+		AllowOfflineAccess:                        auth0.Bool(true),
+	}
+
+	err := api.ResourceServer.Create(context.Background(), resourceServer)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, resourceServer.GetID())
+	t.Cleanup(func() {
+		cleanupResourceServer(t, resourceServer.GetID())
+	})
+
+	// Create a Client with Refresh Token
+	expectedClient := &Client{
+		Name:         auth0.Stringf("Test Client (%s)", time.Now().Format(time.StampMilli)),
+		Description:  auth0.String("This is just a test client."),
+		IsFirstParty: auth0.Bool(true),
+		RefreshToken: &ClientRefreshToken{
+			ExpirationType: auth0.String("expiring"),
+			RotationType:   auth0.String("non-rotating"),
+			Policies: &[]ClientRefreshTokenPolicy{
+				{
+					Audience: auth0.String(resourceServer.GetIdentifier()),
+					Scope:    &[]string{"create:bar", "read:bar"},
+				},
+			},
+		},
+	}
+	err = api.Client.Create(context.Background(), expectedClient)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, expectedClient.GetClientID())
+	actualClient, err := api.Client.Read(context.Background(), expectedClient.GetClientID())
+	assert.NoError(t, err)
+	assert.Equal(t, expectedClient.GetRefreshToken(), actualClient.GetRefreshToken())
+	t.Cleanup(func() {
+		cleanupClient(t, expectedClient.GetClientID())
+	})
+}
+
 func TestClient_CreateWithTokenExchange(t *testing.T) {
 	configureHTTPTestRecordings(t)
 
@@ -45,7 +100,6 @@ func TestClient_CreateWithTokenExchange(t *testing.T) {
 	err := api.Client.Create(context.Background(), expectedClient)
 	assert.NoError(t, err)
 	assert.NotEmpty(t, expectedClient.GetClientID())
-
 	actualClient, err := api.Client.Read(context.Background(), expectedClient.GetClientID())
 	assert.NoError(t, err)
 	assert.Equal(t, expectedClient.GetTokenExchange(), actualClient.GetTokenExchange())
@@ -54,6 +108,71 @@ func TestClient_CreateWithTokenExchange(t *testing.T) {
 	})
 }
 
+func TestClient_SessionTransfer(t *testing.T) {
+	configureHTTPTestRecordings(t)
+
+	ctx := context.Background()
+
+	clientName := auth0.Stringf("Test Client SessionTransfer (%s)", time.Now().Format(time.StampMilli))
+	expectedClient := &Client{
+		Name:        clientName,
+		Description: auth0.String("This is a test client with Session Transfer."),
+		SessionTransfer: &SessionTransfer{
+			CanCreateSessionTransferToken: auth0.Bool(true),
+			AllowedAuthenticationMethods:  &[]string{"cookie", "query"},
+			EnforceDeviceBinding:          auth0.String("ip"),
+		},
+	}
+
+	// Create client
+	require.NoError(t, api.Client.Create(ctx, expectedClient))
+	require.NotEmpty(t, expectedClient.GetClientID())
+
+	t.Cleanup(func() {
+		cleanupClient(t, expectedClient.GetClientID())
+	})
+
+	// Verify creation
+	created, err := api.Client.Read(ctx, expectedClient.GetClientID())
+	require.NoError(t, err)
+	require.NotNil(t, created.SessionTransfer)
+	assert.Equal(t, expectedClient.GetSessionTransfer(), created.GetSessionTransfer())
+
+	// Update session transfer
+	created.SessionTransfer = &SessionTransfer{
+		CanCreateSessionTransferToken: auth0.Bool(false),
+		AllowedAuthenticationMethods:  &[]string{"cookie"},
+		EnforceDeviceBinding:          auth0.String("none"),
+	}
+
+	// Strip fields not allowed on update
+	created.ClientID = nil
+	created.SigningKeys = nil
+	if created.JWTConfiguration != nil {
+		created.JWTConfiguration.SecretEncoded = nil
+	}
+
+	require.NoError(t, api.Client.Update(ctx, expectedClient.GetClientID(), created))
+
+	// Verify update
+	updated, err := api.Client.Read(ctx, expectedClient.GetClientID())
+	require.NoError(t, err)
+	require.NotNil(t, updated.SessionTransfer)
+	assert.Equal(t, created.GetSessionTransfer(), updated.GetSessionTransfer())
+
+	// Remove session transfer via PATCH
+	type clientPatch struct {
+		SessionTransfer *SessionTransfer `json:"session_transfer"`
+	}
+	patch := &clientPatch{SessionTransfer: nil}
+	require.NoError(t, api.Request(ctx, http.MethodPatch, api.URI("clients", expectedClient.GetClientID()), patch))
+
+	// Verify removal
+	final, err := api.Client.Read(ctx, expectedClient.GetClientID())
+	require.NoError(t, err)
+	assert.Nil(t, final.GetSessionTransfer())
+}
+
 func TestClient_CreateWithDefaultOrg(t *testing.T) {
 	configureHTTPTestRecordings(t)
 

management/connection.go

@@ -444,6 +444,9 @@ type ConnectionOptions struct {
 	//   - Combining `attributes` and `validation` in the same configuration is not allowed.
 	//   - If any identifier is required in the profile, it must be active during signup.
 	Attributes *ConnectionOptionsAttributes `json:"attributes,omitempty"`
+
+	// Set to true to consume feature only when connections_realm_fallback flag is enabled for tenant
+	RealmFallback *bool `json:"realm_fallback,omitempty"`
 }
 
 // ConnectionOptionsAttributes defines the structure for attribute configurations.