Add organization support to test token command for M2M Applications #1475
ramya18101 merged 8 commits into auth0:main from
@ttstarck, thanks for raising the PR.
eba1beb to d8191f7
Great @ramya18101, let me know if there is anything I need to address!
| } | ||
|
|
||
| grant := list.ClientGrants[0] | ||
| if grant.GetOrganizationUsage() == "require" && organization == "" { |
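Review bot: `list.ClientGrants[0]` is indexed with no length check in the lines shown, so an empty grant list would panic here unless the block closed by the preceding `}` already returns in that case; worth confirming or adding an explicit `len(list.ClientGrants) == 0` guard. The `"require"` literal in the `GetOrganizationUsage()` comparison would also read better as a named constant, and `organization == ""` lets a whitespace-only flag value through to the token request.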
Since organization usage is required here, we should first validate whether the tenant has any organizations configured. If none exist, we can return a clear error to the user.
If organizations are available, instead of relying solely on the --organization flag, we could improve the UX by following a pattern similar to audiencePicker, prompting the user to select from the list of existing organizations.
@ramya18101 so just to clarify this further:
If the --organization flag was not specified and the API client grant for the M2M app requires an organization, we should:
- Fail if no organizations exist in the tenant, with a clear error message.
- Else: Prompt the User to select from the list of existing organizations similar to the Audience Picker
I'll spend some time working on this addition! Thanks for the feedback
Added this feature in 4dbf75e
Here is the example output when the audience requires an organization but none is specified.
```
./out/auth0 test token $CLIENT_ID --audience $AUDIENCE
▸ Domain : <domain>
▸ Client ID : <client id>
▸ Type : Machine to Machine
Organization: [Use arrows to move, type to filter, ? for more help]
> org_name (<org_id>)
...
```
@ttstarck, I've tested the flow and it is working as expected. Added a minor comment. Please check it out!
Hi @ttstarck,
@bkiran6398 just pushed the fix to the linter issues ac5c2b7! Thank you for testing this out.
…dd org support

Moves checkClientIsAuthorizedForAPI out of test.go into utils_shared.go alongside the other flow helpers it depends on. Also adds organization support to the client credentials token request:
- BuildOauthTokenParams now accepts an organization parameter
- runClientCredentialsFlow forwards it to both the auth check and token request
- checkClientIsAuthorizedForAPI errors early when organization_usage is "require" on the client grant but no organization was provided

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

… flow

Wires the --organization flag through to the client credentials token request for Machine to Machine applications. Auth0 ignores the scope parameter for client credentials grants (all granted scopes are always returned), so --scopes now shows a warning and is ignored for M2M apps. Also adds unit tests for checkClientIsAuthorizedForAPI covering the organization_usage=require validation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…ganization

When the client grant for the selected API has organization_usage=require and no --organization flag was provided, fetch the tenant's organizations and either fail with a descriptive error (if none exist) or open an interactive picker so the user can select one before the token request is made.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Covers three cases: API error propagation, no organizations exist (with descriptive error), and the happy path returning correctly shaped picker options.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
I see that commits require verified signatures. I will rebase all the commits to be signed.
ac5c2b7 to 3be6520
Rename receiver `cli` to `c` in `pickOrganizationForGrantIfRequired` and `organizationPickerOptionsForGrant` to be consistent with the rest of the file, and remove trailing blank lines to satisfy gofmt.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

3be6520 to ac0fcf9
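The organization handling described in the review thread and commit messages above, sketched as an added Go example (not code from this PR or the auth0-cli repository). `Org`, `resolveOrganization`, `tokenParams`, the `list`/`pick` callbacks and all sample values are hypothetical; the `organization` form field and the `name (id)` picker label follow the page.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Org is a hypothetical, minimal view of a tenant organization.
type Org struct{ ID, Name string }

// resolveOrganization: an explicit --organization value wins; otherwise a grant whose
// organization_usage is "require" forces a choice. pick stands in for the prompt.
func resolveOrganization(usage, flagOrg string, list func() ([]Org, error),
	pick func(labels []string) int) (string, error) {
	if flagOrg != "" || usage != "require" {
		return flagOrg, nil
	}
	orgs, err := list()
	if err != nil {
		return "", fmt.Errorf("listing organizations: %w", err)
	}
	if len(orgs) == 0 {
		return "", errors.New("grant requires an organization but the tenant has none")
	}
	labels := make([]string, len(orgs))
	for i, o := range orgs {
		labels[i] = fmt.Sprintf("%s (%s)", o.Name, o.ID) // picker format from the thread
	}
	if i := pick(labels); i >= 0 && i < len(orgs) {
		return orgs[i].ID, nil
	}
	return "", errors.New("no organization selected")
}

// tokenParams builds the form body; organization is sent only when set, scope never.
func tokenParams(clientID, secret, audience, org string) url.Values {
	v := url.Values{"grant_type": {"client_credentials"}, "client_id": {clientID},
		"client_secret": {secret}, "audience": {audience}}
	if org != "" {
		v.Set("organization", org)
	}
	return v
}

func main() { // constructed sample data only
	list := func() ([]Org, error) { return []Org{{"org_constructed1", "acme"}}, nil }
	org, err := resolveOrganization("require", "", list, func([]string) int { return 0 })
	fmt.Println(org, err, tokenParams("cid", "secret", "https://api.example.test", org).Encode())
}
```

Because the explicit flag short-circuits before `list` is called, a caller that already knows its organization never depends on the organization listing succeeding.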
Summary
The `auth0 test token` command allows developers to fetch tokens for their applications directly from the CLI. For Machine-to-Machine (M2M) apps, this uses the OAuth client credentials flow. However, when an API requires tokens to be scoped to a specific Auth0 organization, there was no way to pass that organization through the CLI — the command simply didn't support it.

This PR adds that missing `--organization` flag to `auth0 test token` for M2M apps, so developers can fetch organization-scoped tokens without leaving the terminal. It also adds a guardrail: if the client grant is configured to require an organization but none is provided, the CLI now surfaces a clear error pointing the user to the `--organization` flag, rather than silently failing.
🔧 Changes
- `internal/cli/utils_shared.go`: `checkClientIsAuthorizedForAPI` here (was in `test.go`); `organization` param to `BuildOauthTokenParams` and `runClientCredentialsFlow`;
- `internal/cli/test.go`: wired `organization` through to `runClientCredentialsFlow`
- `internal/cli/utils_shared_test.go`: Added test coverage for `BuildOauthTokenParams` with organization, and a full table-driven test suite for `checkClientIsAuthorizedForAPI` covering all grant/org scenarios

🔬 Testing
- `auth0 test token` fetches a token with the organization claim
- `auth0 test token` without `--organization` fails with a clear error when the client grant requires an organization
- `auth0 test token` without `--organization` succeeds when the grant does not require an organization

Unit Tests: `go test ./internal/cli/...`

I did not add an integration test as we cannot pass an `organization` parameter to the Auth0 Management API, and all the existing integration tests use the Management API.

📝 Checklist