feat: add session-transfer delegation flags in apps (EA only)#1587
Open
bkiran6398 wants to merge 1 commit into
Open
feat: add session-transfer delegation flags in apps (EA only)#1587bkiran6398 wants to merge 1 commit into
bkiran6398 wants to merge 1 commit into
Conversation
- Add --delegation-allow-delegated-access and --delegation-enforce-device-binding flags to `apps session-transfer update`, surfacing the Early Access Custom Token Exchange impersonation settings (client.session_transfer.delegation). - Send delegation only when a flag is set, so updates to legacy session-transfer settings leave it untouched for clients not using the feature. - Validate --delegation-enforce-device-binding as 'ip' or 'asn' before any API call, matching the Management API enum (no 'none', unlike the parent field). - Render delegation in `session-transfer show`/`update` output only when the client has it configured, keeping output unchanged for existing clients. - Add display unit tests plus an integration case for the validation error, and regenerate the command docs.
ramya18101
requested changes
Jul 15, 2026
| } | ||
| appSTDelegationAllowAccess = Flag{ | ||
| Name: "Allow Delegated Access", | ||
| LongForm: "delegation-allow-delegated-access", |
Contributor
There was a problem hiding this comment.
See if we can add shorter aliases for both of these flags, since we couldn't use the standard short-form flags.
| } | ||
|
|
||
| // Validate the delegation device binding before any API call. | ||
| if appSTDelegationDeviceBinding.IsSet(cmd) && |
Contributor
There was a problem hiding this comment.
We don't add validations on cli v1, Let the API return the error.
|
|
||
| // Delegation (EA) is sent only when a flag is set, leaving it untouched for | ||
| // others. The API merges sub-fields, so sending just the changed one is enough. | ||
| if appSTDelegationAllowAccess.IsSet(cmd) || appSTDelegationDeviceBinding.IsSet(cmd) { |
Contributor
There was a problem hiding this comment.
Where is the AskU logic..?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🔧 Changes
Adds support for configuring the Early Access session-transfer delegation settings on an application, used for Custom Token Exchange (Impersonation via Session Transfer). This surfaces the new
client.session_transfer.delegationManagement API object in the CLI.Two new flags on
auth0 apps session-transfer update:--delegation-allow-delegated-access(bool) — allow the application to accept Session Transfer Tokens containing an Actor, enabling delegated (impersonation) access. Defaults tofalse.--delegation-enforce-device-binding(string) — device binding enforcement for delegated access. Acceptsiporasnonly (defaults toip).Usage:
Behavior notes:
--delegation-enforce-device-bindingis validated asiporasnbefore any API call. Unlike the parent--enforce-device-binding, it does not acceptnone, matching the Management API enum.apps session-transfer show/updateoutput includes the delegation fields only when the client has delegation configured, keeping output unchanged for existing clients.The two fields are Early Access and gated by the
cte_session_transfer_tokentenant feature flag on the API side.📚 References
🔬 Testing
--delegation-enforce-device-bindingrejects an invalid value (none). The successful update/show happy path is covered by unit tests rather than a live-tenant integration case, because delegation is gated behind thecte_session_transfer_tokenEarly Access flag, which is not guaranteed on the CI test tenant.session-transfer showrenders the delegation rows only when configured.none; the CLI surfaces this error verbatim.To test end-to-end (requires a tenant with
cte_session_transfer_tokenenabled and a confidential client):📝 Checklist