Skip to content

feat: add session-transfer delegation flags in apps (EA only)#1587

Open
bkiran6398 wants to merge 1 commit into
mainfrom
DXCDT-1967/session-transfer-delegation
Open

feat: add session-transfer delegation flags in apps (EA only)#1587
bkiran6398 wants to merge 1 commit into
mainfrom
DXCDT-1967/session-transfer-delegation

Conversation

@bkiran6398

@bkiran6398 bkiran6398 commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

🔧 Changes

Adds support for configuring the Early Access session-transfer delegation settings on an application, used for Custom Token Exchange (Impersonation via Session Transfer). This surfaces the new client.session_transfer.delegation Management API object in the CLI.

Two new flags on auth0 apps session-transfer update:

  • --delegation-allow-delegated-access (bool) — allow the application to accept Session Transfer Tokens containing an Actor, enabling delegated (impersonation) access. Defaults to false.
  • --delegation-enforce-device-binding (string) — device binding enforcement for delegated access. Accepts ip or asn only (defaults to ip).

Usage:

auth0 apps session-transfer update <app-id> --delegation-allow-delegated-access=true --delegation-enforce-device-binding=asn

Behavior notes:

  • Delegation is sent to the API only when one of its flags is explicitly set, so updates to the existing session-transfer settings leave delegation untouched. Clients not using the feature are unaffected.
  • The two delegation fields can be updated independently; the API merges within the delegation object, so setting one leaves the other intact.
  • --delegation-enforce-device-binding is validated as ip or asn before any API call. Unlike the parent --enforce-device-binding, it does not accept none, matching the Management API enum.
  • apps session-transfer show/update output includes the delegation fields only when the client has delegation configured, keeping output unchanged for existing clients.

The two fields are Early Access and gated by the cte_session_transfer_token tenant feature flag on the API side.

📚 References

🔬 Testing

  • Unit tests: Added display tests covering the delegation rows rendering when configured and their omission when absent.
  • Integration tests: Added a case asserting --delegation-enforce-device-binding rejects an invalid value (none). The successful update/show happy path is covered by unit tests rather than a live-tenant integration case, because delegation is gated behind the cte_session_transfer_token Early Access flag, which is not guaranteed on the CI test tenant.
  • Manual verification (live tenant with the EA flag enabled):
    • Set both fields, then updated only one and confirmed the other was preserved (independent updates, both directions).
    • Confirmed updating a legacy session-transfer flag does not introduce a delegation object for a client without one.
    • Confirmed session-transfer show renders the delegation rows only when configured.
    • Confirmed the API rejects delegation for clients with token-endpoint auth method none; the CLI surfaces this error verbatim.

To test end-to-end (requires a tenant with cte_session_transfer_token enabled and a confidential client):

auth0 apps session-transfer update <app-id> --delegation-allow-delegated-access=true --delegation-enforce-device-binding=asn --json
auth0 apps session-transfer update <app-id> --delegation-enforce-device-binding=ip --json   # allow_delegated_access preserved
auth0 apps session-transfer show <app-id>

📝 Checklist

  • All new/changed/fixed functionality is covered by tests (or N/A)
  • I have added documentation for all new/changed functionality (or N/A)

- Add --delegation-allow-delegated-access and --delegation-enforce-device-binding
  flags to `apps session-transfer update`, surfacing the Early Access Custom Token
  Exchange impersonation settings (client.session_transfer.delegation).
- Send delegation only when a flag is set, so updates to legacy session-transfer
  settings leave it untouched for clients not using the feature.
- Validate --delegation-enforce-device-binding as 'ip' or 'asn' before any API
  call, matching the Management API enum (no 'none', unlike the parent field).
- Render delegation in `session-transfer show`/`update` output only when the
  client has it configured, keeping output unchanged for existing clients.
- Add display unit tests plus an integration case for the validation error, and
  regenerate the command docs.
@bkiran6398 bkiran6398 changed the title feat: add session-transfer delegation flags in apps feat: add session-transfer delegation flags in apps (EA only) Jul 14, 2026
@bkiran6398 bkiran6398 marked this pull request as ready for review July 14, 2026 11:06
@bkiran6398 bkiran6398 requested a review from a team as a code owner July 14, 2026 11:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant