Support MRRT (EA): refresh token policies configuration (#1085)

* chore: update auth0 dependency to version 4.23.0

* test: add validation for client creation with refresh token policies

Author: kushalshit27

package-lock.json

@@ -33,7 +33,7 @@
   "homepage": "https://github.com/auth0/auth0-deploy-cli#readme",
   "dependencies": {
     "ajv": "^6.12.6",
-    "auth0": "^4.22.0",
+    "auth0": "^4.23.0",
     "dot-prop": "^5.3.0",
     "fs-extra": "^10.1.0",
     "js-yaml": "^4.1.0",

package.json

@@ -1,7 +1,29 @@
-import { ApiResponse, Assets, PagePaginationParams } from '../../../types';
+import { Assets } from '../../../types';
 import { paginate } from '../client';
 import DefaultAPIHandler from './default';
 
+const multiResourceRefreshTokenPolicies = {
+  type: ['array', 'null'],
+  description:
+    'A collection of policies governing multi-resource refresh token exchange (MRRT), defining how refresh tokens can be used across different resource servers',
+  items: {
+    type: 'object',
+    properties: {
+      audience: {
+        type: 'string',
+      },
+      scope: {
+        type: 'array',
+        items: {
+          type: 'string',
+        },
+        uniqueItems: true,
+      },
+    },
+    required: ['audience', 'scope'],
+  },
+};
+
 export const schema = {
   type: 'array',
   items: {
@@ -53,6 +75,13 @@ export const schema = {
           },
         },
       },
+      refresh_token: {
+        type: ['object', 'null'],
+        description: 'Refresh token configuration',
+        properties: {
+          policies: multiResourceRefreshTokenPolicies,
+        },
+      },
     },
     required: ['name'],
   },

src/tools/auth0/handlers/clients.ts

@@ -134,6 +134,56 @@ describe('#clients handler', () => {
       await stageFn.apply(handler, [{ clients: [someNativeClient] }]);
     });
 
+    it('should create client with refresh token policies', async () => {
+      const clientWithRefreshTokenPolicies = {
+        name: 'clientWithRefreshTokenPolicies',
+        refresh_token: {
+          policies: [
+            {
+              audience: 'https://api.example.com',
+              scope: ['read:users', 'write:users'],
+            },
+            {
+              audience: 'https://other-api.example.com',
+              scope: ['read:data'],
+            },
+          ],
+        },
+      };
+
+      const auth0 = {
+        clients: {
+          create: function (data) {
+            (() => expect(this).to.not.be.undefined)();
+            expect(data).to.be.an('object');
+            expect(data.name).to.equal('clientWithRefreshTokenPolicies');
+            expect(data.refresh_token).to.be.an('object');
+            expect(data.refresh_token.policies).to.be.an('array');
+            expect(data.refresh_token.policies).to.deep.equal([
+              {
+                audience: 'https://api.example.com',
+                scope: ['read:users', 'write:users'],
+              },
+              {
+                audience: 'https://other-api.example.com',
+                scope: ['read:data'],
+              },
+            ]);
+            return Promise.resolve({ data });
+          },
+          update: () => Promise.resolve({ data: [] }),
+          delete: () => Promise.resolve({ data: [] }),
+          getAll: (params) => mockPagedData(params, 'clients', []),
+        },
+        pool,
+      };
+
+      const handler = new clients.default({ client: pageClient(auth0), config });
+      const stageFn = Object.getPrototypeOf(handler).processChanges;
+
+      await stageFn.apply(handler, [{ clients: [clientWithRefreshTokenPolicies] }]);
+    });
+
     it('should get clients', async () => {
       const auth0 = {
         clients: {