feat: add session-transfer delegation flags in apps (EA only)#1587
Open
bkiran6398 wants to merge 3 commits into
Open
feat: add session-transfer delegation flags in apps (EA only)#1587bkiran6398 wants to merge 3 commits into
bkiran6398 wants to merge 3 commits into
Conversation
- Add --delegation-allow-delegated-access and --delegation-enforce-device-binding flags to `apps session-transfer update`, surfacing the Early Access Custom Token Exchange impersonation settings (client.session_transfer.delegation). - Send delegation only when a flag is set, so updates to legacy session-transfer settings leave it untouched for clients not using the feature. - Validate --delegation-enforce-device-binding as 'ip' or 'asn' before any API call, matching the Management API enum (no 'none', unlike the parent field). - Render delegation in `session-transfer show`/`update` output only when the client has it configured, keeping output unchanged for existing clients. - Add display unit tests plus an integration case for the validation error, and regenerate the command docs.
bkiran6398
marked this pull request as ready for review
July 14, 2026 11:06
ramya18101
requested changes
Jul 15, 2026
…nsfer - Remove the integration test that exercised --delegation-enforce-device-binding and restore the original apps test-case numbering. - Any delegation update sends a session_transfer.delegation payload, which the Management API rejects on tenants without the cte_session_transfer_token Early Access flag; the CI test tenant lacks it, so the case could not run reliably. - Delegation rendering stays covered by display unit tests; the update path is verified manually against an EA-enabled tenant.
- Add short forms -d and -b to the delegation-allow-delegated-access and delegation-enforce-device-binding flags, matching the sibling session-transfer flags which all expose a short form. - Remove the client-side ip/asn check on the delegation device binding; invalid values now surface the Management API's validation error, consistent with the rest of the v1 command. - Regenerate the command docs for the new short forms.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🔧 Changes
Adds support for configuring the Early Access session-transfer delegation settings on an application, used for Custom Token Exchange (Impersonation via Session Transfer). This surfaces the new
client.session_transfer.delegationManagement API object in the CLI.Two new flags on
auth0 apps session-transfer update:--delegation-allow-delegated-access(bool) — allow the application to accept Session Transfer Tokens containing an Actor, enabling delegated (impersonation) access. Defaults tofalse.--delegation-enforce-device-binding(string) — device binding enforcement for delegated access. Acceptsiporasnonly (defaults toip).Usage:
Behavior notes:
--delegation-enforce-device-bindingis validated asiporasnbefore any API call. Unlike the parent--enforce-device-binding, it does not acceptnone, matching the Management API enum.apps session-transfer show/updateoutput includes the delegation fields only when the client has delegation configured, keeping output unchanged for existing clients.The two fields are Early Access and gated by the
cte_session_transfer_tokentenant feature flag on the API side.📚 References
🔬 Testing
--delegation-enforce-device-bindingrejects an invalid value (none). The successful update/show happy path is covered by unit tests rather than a live-tenant integration case, because delegation is gated behind thecte_session_transfer_tokenEarly Access flag, which is not guaranteed on the CI test tenant.session-transfer showrenders the delegation rows only when configured.none; the CLI surfaces this error verbatim.To test end-to-end (requires a tenant with
cte_session_transfer_tokenenabled and a confidential client):📝 Checklist