Conversation

@xiaoyijun
Contributor

@xiaoyijun xiaoyijun commented Dec 31, 2025

Summary

This PR adds application-level control for the token exchange grant type:

  • Add allowTokenExchange field to customClientMetadata to control whether an application can initiate token exchange requests
  • M2M and Traditional web apps have token exchange enabled by default
  • SPA and Native apps have token exchange disabled by default (with a warning when enabling due to security concerns for public clients)
  • Third-party applications are forbidden from using token exchange
  • Add Console UI toggle in application settings under a new "Token exchange" card
  • Include documentation links for user impersonation and personal access tokens features

Todo

  • Reorg application-related utils in oidc/ folder (unrelated to this PR, will be done separately)

Testing

  • Added integration tests for token exchange with the new app-level control
  • Verified existing token exchange tests still pass
  • Tested Console UI toggle behavior for different application types

Checklist

  • .changeset
  • unit tests
  • integration tests
  • necessary TSDoc comments

@github-actions

github-actions bot commented Dec 31, 2025

COMPARE TO master

Total Size Diff ⚠️ 📈 +27.48 KB

Diff by File
Name Diff
.changeset/hungry-goats-itch.md 📈 +742 Bytes
packages/console/src/consts/external-links.ts 📈 +67 Bytes
packages/console/src/pages/ApplicationDetails/ApplicationDetailsContent/TokenExchangeSettings.tsx 📈 +2.44 KB
packages/console/src/pages/ApplicationDetails/ApplicationDetailsContent/index.tsx 📈 +111 Bytes
packages/core/src/oidc/application.ts 📈 +1.27 KB
packages/core/src/oidc/grants/token-exchange/index.test.ts 📈 +105 Bytes
packages/core/src/oidc/grants/token-exchange/index.ts 📈 +28 Bytes
packages/core/src/oidc/utils.test.ts 📈 +25 Bytes
packages/core/src/oidc/utils.ts 📈 +721 Bytes
packages/core/src/routes/applications/application.test.ts 📈 +342 Bytes
packages/core/src/routes/applications/application.ts 📈 +618 Bytes
packages/integration-tests/src/tests/api/oidc/token-exchange/index.test.ts 📈 +3.61 KB
packages/phrases/src/locales/ar/errors/application.ts 📈 +192 Bytes
packages/phrases/src/locales/ar/translation/admin-console/application-details.ts 📈 +982 Bytes
packages/phrases/src/locales/de/errors/application.ts 📈 +134 Bytes
packages/phrases/src/locales/de/translation/admin-console/application-details.ts 📈 +759 Bytes
packages/phrases/src/locales/en/errors/application.ts 📈 +130 Bytes
packages/phrases/src/locales/en/translation/admin-console/application-details.ts 📈 +664 Bytes
packages/phrases/src/locales/es/errors/application.ts 📈 +138 Bytes
packages/phrases/src/locales/es/translation/admin-console/application-details.ts 📈 +804 Bytes
packages/phrases/src/locales/fr/errors/application.ts 📈 +147 Bytes
packages/phrases/src/locales/fr/translation/admin-console/application-details.ts 📈 +816 Bytes
packages/phrases/src/locales/it/errors/application.ts 📈 +137 Bytes
packages/phrases/src/locales/it/translation/admin-console/application-details.ts 📈 +779 Bytes
packages/phrases/src/locales/ja/errors/application.ts 📈 +163 Bytes
packages/phrases/src/locales/ja/translation/admin-console/application-details.ts 📈 +928 Bytes
packages/phrases/src/locales/ko/errors/application.ts 📈 +152 Bytes
packages/phrases/src/locales/ko/translation/admin-console/application-details.ts 📈 +792 Bytes
packages/phrases/src/locales/pl-pl/errors/application.ts 📈 +126 Bytes
packages/phrases/src/locales/pl-pl/translation/admin-console/application-details.ts 📈 +748 Bytes
packages/phrases/src/locales/pt-br/errors/application.ts 📈 +128 Bytes
packages/phrases/src/locales/pt-br/translation/admin-console/application-details.ts 📈 +757 Bytes
packages/phrases/src/locales/pt-pt/errors/application.ts 📈 +126 Bytes
packages/phrases/src/locales/pt-pt/translation/admin-console/application-details.ts 📈 +755 Bytes
packages/phrases/src/locales/ru/errors/application.ts 📈 +163 Bytes
packages/phrases/src/locales/ru/translation/admin-console/application-details.ts 📈 +1.04 KB
packages/phrases/src/locales/th/errors/application.ts 📈 +259 Bytes
packages/phrases/src/locales/th/translation/admin-console/application-details.ts 📈 +1.36 KB
packages/phrases/src/locales/tr-tr/errors/application.ts 📈 +131 Bytes
packages/phrases/src/locales/tr-tr/translation/admin-console/application-details.ts 📈 +748 Bytes
packages/phrases/src/locales/zh-cn/errors/application.ts 📈 +111 Bytes
packages/phrases/src/locales/zh-cn/translation/admin-console/application-details.ts 📈 +596 Bytes
packages/phrases/src/locales/zh-hk/errors/application.ts 📈 +111 Bytes
packages/phrases/src/locales/zh-hk/translation/admin-console/application-details.ts 📈 +598 Bytes
packages/phrases/src/locales/zh-tw/errors/application.ts 📈 +111 Bytes
packages/phrases/src/locales/zh-tw/translation/admin-console/application-details.ts 📈 +598 Bytes
packages/schemas/alterations/next-1767193412-allow-token-exchange.ts 📈 +787 Bytes
packages/schemas/src/foundations/jsonb-types/oidc-module.ts 📈 +418 Bytes
packages/schemas/src/seeds/application.ts 📈 +376 Bytes
packages/schemas/src/types/mapi-proxy.ts 📈 +67 Bytes

@xiaoyijun xiaoyijun changed the title feat(core): support token exchange grant type with app-level control feat: support token exchange grant type with app-level control Dec 31, 2025
@xiaoyijun xiaoyijun requested a review from a team December 31, 2025 23:44
@github-actions github-actions bot added size/xl and removed size/xl labels Dec 31, 2025
@github-actions github-actions bot added size/xl and removed size/xl labels Jan 1, 2026
@github-actions github-actions bot removed the size/xl label Jan 1, 2026

- Add `allowTokenExchange` field to `customClientMetadata` to control whether an application can initiate token exchange requests
- Existing first-party applications will have this enabled by default (via database alteration)
- New M2M and Traditional Web applications will have this enabled by default
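Review bot: the changeset only lists the enabled-by-default cases. Since the alteration enables every existing first-party application regardless of type, while new SPA and Native applications default to disabled, existing public clients end up with token exchange turned on; state that explicitly in the changeset, together with the third-party restriction, so operators know to review those applications after upgrading.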
Contributor


Maybe we can make it disabled by default


// Third-party applications are not allowed to perform token exchange
if (application?.isThirdParty) {
return 'third-party applications are not allowed for this grant type';
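Review bot: the optional chaining in `application?.isThirdParty` means an undefined `application` silently passes this check and falls through to the rest of the grant. Unless the caller already rejects requests whose client could not be resolved, return an error here for the missing-application case as well so the grant fails closed.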
Contributor


Do we have i18n support for oidc error messages?

Contributor Author


Aligned with existing OIDC error messages in the codebase. These are developer-facing, not end-user-facing. So keeping it in English is fine here.
