From 317a9f69373659cb33d83758ad662e469341886f Mon Sep 17 00:00:00 2001
From: tanya732
Date: Fri, 3 Jul 2026 15:10:04 +0530
Subject: [PATCH] feat: Add Custom Token Exchange Support

---
 .../java/com/auth0/client/auth/AuthAPI.java | 40 +++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/src/main/java/com/auth0/client/auth/AuthAPI.java b/src/main/java/com/auth0/client/auth/AuthAPI.java
index 7072aed2..acdb3c83 100644
--- a/src/main/java/com/auth0/client/auth/AuthAPI.java
+++ b/src/main/java/com/auth0/client/auth/AuthAPI.java
@@ -57,6 +57,8 @@ public class AuthAPI {
 private static final String KEY_MFA_TOKEN = "mfa_token";
 private static final String KEY_CLIENT_ASSERTION = "client_assertion";
 private static final String KEY_CLIENT_ASSERTION_TYPE = "client_assertion_type";
+ private static final String KEY_SUBJECT_TOKEN = "subject_token";
+ private static final String KEY_SUBJECT_TOKEN_TYPE = "subject_token_type";
 private static final String PATH_OAUTH = "oauth";
 private static final String PATH_TOKEN = "token";
 private static final String PATH_DBCONNECTIONS = "dbconnections";
@@ -800,6 +802,44 @@ public TokenRequest requestToken(String audience, String org) {
 return request;
 }
 
+ /**
+ * Creates a request to exchange an external subject token for Auth0 tokens using the
+ * {@code urn:ietf:params:oauth:grant-type:token-exchange} grant (Custom Token Exchange).
+ * A Token Exchange Profile that maps the given {@code subjectTokenType} must be configured on the tenant, and
+ * client authentication (client secret or client assertion) is required.
+ *
+     * {@code
+     * try {
+     *      TokenHolder result = authAPI.exchangeToken("test-user123-john@example.com", "urn:mycompany:m2m-test-token")
+     *          .setAudience("https://myapi.me.auth0.com/users")
+     *          .setScope("openid profile email")
+     *          .execute()
+     *          .getBody();
+     * } catch (Auth0Exception e) {
+     *      //Something happened
+     * }
+     * }
+     * 
+ *
+ * @see Custom Token Exchange documentation
+ * @param subjectToken the external token representing the identity of the subject. Must not be null.
+ * @param subjectTokenType an identifier for the type of the {@code subjectToken}, matching a configured Token
+ * Exchange Profile (for example {@code urn:mycompany:m2m-test-token}). Must not be null.
+ * @return a Request to configure and execute.
+ */
+ public TokenRequest exchangeToken(String subjectToken, String subjectTokenType) {
+ Asserts.assertNotNull(subjectToken, "subject token");
+ Asserts.assertNotNull(subjectTokenType, "subject token type");
+
+ TokenRequest request = new TokenRequest(client, getTokenUrl());
+ request.addParameter(KEY_CLIENT_ID, clientId);
+ request.addParameter(KEY_GRANT_TYPE, "urn:ietf:params:oauth:grant-type:token-exchange");
+ request.addParameter(KEY_SUBJECT_TOKEN, subjectToken);
+ request.addParameter(KEY_SUBJECT_TOKEN_TYPE, subjectTokenType);
+ addClientAuthentication(request, true);
+ return request;
+ }
+
 /**
 * Creates a request to revoke an existing Refresh Token.
 * Confidential clients (Regular Web Apps) must have a client secret configured on this {@code AuthAPI} instance.
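Review bot: The grant type is inlined as a string literal in `request.addParameter(KEY_GRANT_TYPE, "urn:ietf:params:oauth:grant-type:token-exchange");` while the two new parameter names were promoted to `KEY_*` constants in the first hunk; a `private static final String GRANT_TYPE_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange";` beside `KEY_SUBJECT_TOKEN_TYPE` would keep the two additions consistent and make the value the Javadoc's `{@code ...}` reference names easy to find. The `true` in `addClientAuthentication(request, true);` is what enforces the "client authentication is required" rule the Javadoc states, but nothing at the call site explains the flag; a one-line comment such as `// token exchange always requires client authentication (client secret or client assertion)` would record why it must not be relaxed. The Javadoc also does not say what the two `Asserts.assertNotNull` guards throw; if `Asserts` raises `IllegalArgumentException` as the other request builders in this class presumably do (not visible in this hunk), add `@throws IllegalArgumentException if {@code subjectToken} or {@code subjectTokenType} is null`. Note that the guards only reject null, so an empty subject token is still sent to the token endpoint; that may be intentional for parity with the sibling methods, but is worth stating in the `@param` text if so.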