Skip to content

Add support for MRRT#704

Draft
martinml wants to merge 31 commits intoauth0:masterfrom
martinml:add-support-for-mrrt
Draft

Add support for MRRT#704
martinml wants to merge 31 commits intoauth0:masterfrom
martinml:add-support-for-mrrt

Conversation

@martinml
Copy link
Copy Markdown

@martinml martinml commented Sep 4, 2025
edited
Loading

Description

This PR adds support for Auth0's MRRT feature.

High-level overview of the changes this PR includes:

  1. Audience and organization are now saved within the tokenset.
  2. A "token history" feature that keeps inside the user session a list of previous but non-expired tokens. This is needed so the SDK can find "compatible" tokens when doing a MRRT refresh (i.e. if I have a token for audience A and I need a token for audience B, I can do a refresh from A to B). Can be enabled with the new tokenHistory option, but it's disabled by default.
  3. A refactor of the existing middlewares signatures so they accept an object instead of discrete arguments. This was made so routes can specify an authorizationParams argument that will override the one set at the SDK level. This is not a breaking change since I included a compatibility layer that detects old vs. new arguments and normalizes them (see requiresAuthLegacyArgs.js).
  4. A useMrrt option, to enable the potential usage of MRRT, depending on whatever it's in the token history. It requires tokenHistory to be enabled and proper configuration in Auth0. Disabled by default.
  5. An autoRefreshExpired option, to improve the DX when using MRRT. This way, requesting a series of tokens with different audiences/scopes to protect a route is a declarative operation, instead of having to check whether tokens are expired.
  6. A new cookie format. The previous one was storing the session data directly into the root of the data structure, which made impossible to store "sibling" properties. Old cookies are transparently converted into the new version, and a versioning schema is introduced. Note that this only applies when not using a custom store: we can store other properties adjacent to the session data one.

Testing

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

martinml added 27 commits May 15, 2025 18:41
@martinml
Save audience and organization params along with the tokenset
147bd6f
@martinml
Support overriding auth options at the route level
f034daa
@martinml
Add support for storing more than 1 tokenset
75a7a59
@martinml
Add support for autoRefreshIfExpired option
bd8b2e1
@martinml
Improve chances of finding a compatible token in the storage
67ee613
@martinml
Add support for MRRT when finding compatible tokens
4e18125
@martinml
Merge branch 'master' into add-support-for-mrrt
261a9a2
@martinml
autoRefreshIfExpired -> autoRefreshExpired
43ba416
@martinml
TokenSets -> TokenHistory
9150bb9
@martinml
Add and use new useMrrt and tokenHistory options
471b49d
@martinml
Exclude arbitrary session data from the token history entries
7a59b2f
@martinml
Add pruning logic for expired tokens
20030b0
@martinml
Pass tokenSets and config instead of fetching them every time
d6fd3d3
@martinml
Without token history, find compatibility over the current tokenset
d597d61
@martinml
Split _findMrrtable() to avoid side-effects in a find*() function
f761d00
@martinml
Split TokenSets into TokenSets + TokenSetUtils + TokenHistory
ca48ed9
@martinml
Make missing or not requested aud/org always compatible
cc62159
@martinml
Remove cruft, fix types & improve readability & formatting
f99196b
@martinml
Temporarily remove changes on tests to open a draft PR while I fix them
d7815fe
@martinml
Fix claimEquals and claimIncludes JSDoc
b31f57d
@martinml
Remove unused parameter in JSDoc
aaf04ff
@martinml
Add tests
95beeab
@martinml
Clear token history on logout
0336c64
@martinml
Make missing or not requested scope always compatible (like cc62159)
3b800a9
@martinml
Reduce test flakiness by avoiding the "breached password" Chrome dialog
4aff5d5
@martinml
Fix logout test
0b79227
@martinml
Add missing scopes in test OIDC provider
fe147bf
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 8, 2025
View reviewed changes
@martinml martinml force-pushed the add-support-for-mrrt branch from f5fb9f6 to 68868e6 Compare September 8, 2025 16:17
@martinml martinml force-pushed the add-support-for-mrrt branch from 68868e6 to 5126d4a Compare September 8, 2025 16:20
@martinml martinml marked this pull request as ready for review September 15, 2025 09:14
@martinml martinml requested a review from a team as a code owner September 15, 2025 09:14
aks96
aks96 reviewed Sep 15, 2025
View reviewed changes
lib/tokenSets.js
findCompatibleActive(tokenSets, authorizationParams) {
return tokenSets.find(
(ts) =>
!TokenSetUtils.isExpired(ts) &&
Copy link
Copy Markdown
Contributor

@aks96 aks96 Sep 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these 3 methods findCompatibleActive, findCompatibleExpired findCompatibleRefreshable looks similar. Could we refactor this?

aks96
aks96 reviewed Sep 15, 2025
View reviewed changes
lib/tokenSets.js

/** @type {import('..').TokenSetParameters | undefined} */
let found;

Copy link
Copy Markdown
Contributor

@aks96 aks96 Sep 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't we consider the most recent token? Could you re-check this once.

aks96
aks96 reviewed Sep 15, 2025
View reviewed changes
end-to-end/attempt-silent-login.test.js Outdated
* small enough that a token can't possibly fit inside.
*/
const loggedOutCookies = await context.cookies();
assert.isTrue(loggedOutCookies.find(({ name }) => name === 'appSession').size < 200);
Copy link
Copy Markdown
Contributor

@aks96 aks96 Sep 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

here if loggedOutCookies.find does find the cookie it returns undefined
Shall we do something
const appSessionCookie = loggedOutCookies.find(({ name }) => name === 'appSession'); assert.isTrue(!appSessionCookie || appSessionCookie.size < 200);

Copy link
Copy Markdown
Author

@martinml martinml Sep 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is fixed now here. Some code was not expecting the possibility of optional props to actually be present in the tokenset but with a nullish value. This caused the cookie not to be properly cleared.

@gyaneshgouraw-okta
Copy link
Copy Markdown
Contributor

gyaneshgouraw-okta commented Oct 1, 2025

@claude

@github-actions
Copy link
Copy Markdown

github-actions bot commented Oct 1, 2025
edited
Loading

Claude encountered an error —— View job

Failed with exit code 128

I'll analyze this and get back to you.

@martinml martinml marked this pull request as draft October 29, 2025 18:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aks96 aks96 aks96 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@martinml @gyaneshgouraw-okta @aks96