Adding Support for Self Service Profiles

.github/actions/rl-scanner/action.yml

@@ -31,7 +31,7 @@ runs:
     - name: Install RL Wrapper
       shell: bash
       run: |
-        pip install rl-wrapper>=1.0.0 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
+        pip install rl-wrapper>=1.0.6 --index-url "https://${{ env.PRODSEC_TOOLS_USER }}:${{ env.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
 
     - name: Run RL Scanner
       shell: bash

.github/workflows/docs.yml

@@ -22,7 +22,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Setup Pages
-        uses: actions/configure-pages@v4
+        uses: actions/configure-pages@v5
 
       - name: Configure Python
         uses: actions/setup-python@v5
@@ -42,7 +42,7 @@ jobs:
           sphinx-build ./docs/source ./docs/build --keep-going -n -a -b html
 
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v2
+        uses: actions/upload-pages-artifact@v3
         with:
           path: "./docs/build"
 
@@ -56,4 +56,4 @@ jobs:
     steps:
       - id: deployment
         name: Deploy to GitHub Pages
-        uses: actions/deploy-pages@v3
+        uses: actions/deploy-pages@v4

.github/workflows/publish.yml

@@ -12,17 +12,17 @@ permissions:
 
 jobs:
   rl-scanner:
-  uses: ./.github/workflows/rl-scanner.yml
-  with:
-    node-version: 18
-    artifact-name: "auth0-python.tgz"
-  secrets:
-    RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
-    RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
-    SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
-    PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
-    PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
-    PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
+    uses: ./.github/workflows/rl-scanner.yml
+    with:
+      python-version: "3.10"
+      artifact-name: "auth0-python.tgz"
+    secrets:
+      RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+      RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+      SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+      PRODSEC_TOOLS_USER: ${{ secrets.PRODSEC_TOOLS_USER }}
+      PRODSEC_TOOLS_TOKEN: ${{ secrets.PRODSEC_TOOLS_TOKEN }}
+      PRODSEC_TOOLS_ARN: ${{ secrets.PRODSEC_TOOLS_ARN }}
   publish-pypi:
     if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
     name: "PyPI"

.github/workflows/rl-scanner.yml

@@ -1,5 +1,4 @@
 name: RL-Secure Workflow
-name: RL-Secure Workflow
 
 on:
   workflow_call:
@@ -25,13 +24,12 @@ on:
         required: true
 
 jobs:
-  checkout-build-scan-only:
+  rl-scanner:
+    if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
     runs-on: ubuntu-latest
-
-    permissions:
-      pull-requests: write
-      id-token: write
-
+    outputs:
+      scan-status: ${{ steps.rl-scan-conclusion.outcome }}
+
     steps:
       - uses: actions/checkout@v4
         with:
@@ -65,7 +63,7 @@ jobs:
 
       - name: Get Artifact Version
         id: get_version
-        run: echo "version=$(cat .version)" >> $GITHUB_ENV
+        uses: ./.github/actions/get-version
 
       - name: Run RL Scanner
         id: rl-scan-conclusion

.github/workflows/snyk.yml

@@ -2,6 +2,7 @@ name: Snyk
 
 on:
   merge_group:
+  workflow_dispatch:
   pull_request:
     types:
       - opened
@@ -10,19 +11,19 @@ on:
     branches:
       - master
   schedule:
-    - cron: "30 0 1,15 * *"
+    - cron: '30 0 1,15 * *'
 
 permissions:
-  security-events: write
-  actions: read
   contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
 
 jobs:
+
   check:
+
     name: Check for Vulnerabilities
     runs-on: ubuntu-latest
 
@@ -34,14 +35,6 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha || github.ref }}
 
-      - uses: snyk/actions/python-3.8@4a528b5c534bb771b6e3772656a8e0e9dc902f8b # pinned 2023-06-13
-        continue-on-error: true # Make sure the SARIF upload is called
+      - uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # [email protected]
         env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        with:
-          args: --sarif-file-output=snyk.sarif
-
-      - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: snyk.sarif
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

.github/workflows/test.yml

@@ -61,7 +61,7 @@ jobs:
           pipx install poetry
           poetry config virtualenvs.in-project true
           poetry install --with dev
-          poetry self add "poetry-dynamic-versioning[plugin]==1.1.1"
+          poetry self add "poetry-dynamic-versioning[plugin]"
 
       - name: Run tests
         run: |
@@ -80,4 +80,6 @@ jobs:
 
       - if: ${{ matrix.python-version == '3.10' }}
         name: Upload coverage
-        uses: codecov/codecov-action@4fe8c5f003fae66aa5ebb77cfd3e7bfbbda0b6b0 # [email protected]
+        uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # [email protected]
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}

.snyk

@@ -9,4 +9,8 @@ ignore:
   SNYK-PYTHON-REQUESTS-40470:
     - '*':
         reason: 'patched in latest python versions: https://bugs.python.org/issue27568'
+  "snyk:lic:pip:certifi:MPL-2.0":
+    - '*':
+        reason: "Accepting certifi’s MPL-2.0 license for now"
+        expires: "2030-12-31T23:59:59Z"
 patch: {}

.version

@@ -1 +1 @@
-4.7.2
+4.9.0

CHANGELOG.md

@@ -1,5 +1,35 @@
 # Change Log
 
+## [4.9.0](https://github.com/auth0/auth0-python/tree/4.9.0) (2025-04-01)
+[Full Changelog](https://github.com/auth0/auth0-python/compare/4.8.1...4.9.0)
+
+**Added**
+- feat: Federated Connections Support [\#682](https://github.com/auth0/auth0-python/pull/682) ([kishore7snehil](https://github.com/kishore7snehil))
+- Adding Support For CIBA with RAR [\#679](https://github.com/auth0/auth0-python/pull/679) ([kishore7snehil](https://github.com/kishore7snehil))
+
+## [4.8.1](https://github.com/auth0/auth0-python/tree/4.8.1) (2025-02-24)
+[Full Changelog](https://github.com/auth0/auth0-python/compare/4.8.0...4.8.1)
+
+**Fixed**
+- Fix: Unauthorized Access Error For PAR [\#671](https://github.com/auth0/auth0-python/pull/671) ([kishore7snehil](https://github.com/kishore7snehil))
+
+## [4.8.0](https://github.com/auth0/auth0-python/tree/4.8.0) (2025-01-29)
+[Full Changelog](https://github.com/auth0/auth0-python/compare/4.7.2...4.8.0)
+
+**Added**
+- Adding Support For RAR and JAR Requests [\#659](https://github.com/auth0/auth0-python/pull/659) ([kishore7snehil](https://github.com/kishore7snehil))
+- Adding Support For Back Channel Login [\#643](https://github.com/auth0/auth0-python/pull/643) ([kishore7snehil](https://github.com/kishore7snehil))
+
+**Fixed**
+- Consolidated Community PRs and Dependency Upgrades [\#660](https://github.com/auth0/auth0-python/pull/660) ([kishore7snehil](https://github.com/kishore7snehil))
+  - [fix typo in docstring](https://github.com/auth0/auth0-python/pull/637) ([@CarlosEduR ](https://github.com/CarlosEduR))
+  - [Added support for "include_totals" to all_organization_member_roles](https://github.com/auth0/auth0-python/pull/635) ([@jpayton-cx](https://github.com/jpayton-cx))
+  - [Fixed Version Table](https://github.com/auth0/auth0-python/pull/633) ([@sanchez](https://github.com/sanchez))
+  - [Remove upper bounds on all python dependency versions](https://github.com/auth0/auth0-python/pull/628) ([@ngfeldman](https://github.com/ngfeldman))
+  - [Adding secrets to Codecov Action Upload](https://github.com/auth0/auth0-python/pull/624) ([@developerkunal](https://github.com/developerkunal))
+- Updating Dependancies And Workflow Action Versions [\#653](https://github.com/auth0/auth0-python/pull/653) ([kishore7snehil](https://github.com/kishore7snehil))
+- Fixing the Github Workflow Issues [\#644](https://github.com/auth0/auth0-python/pull/644) ([kishore7snehil](https://github.com/kishore7snehil))
+
 ## [4.7.2](https://github.com/auth0/auth0-python/tree/4.7.2) (2024-09-10)
 [Full Changelog](https://github.com/auth0/auth0-python/compare/4.7.1...4.7.2)
 

README.md

@@ -88,7 +88,9 @@ For more code samples on how to integrate the auth0-python SDK in your Python ap
 - Delegated ( `authentication.Delegated` )
 - Enterprise ( `authentication.Enterprise` )
 - API Authorization - Get Token ( `authentication.GetToken`)
+- BackChannelLogin ( `authentication.BackChannelLogin`)
 - Passwordless ( `authentication.Passwordless` )
+- PushedAuthorizationRequests ( `authentication.PushedAuthorizationRequests` )
 - RevokeToken ( `authentication.RevokeToken` )
 - Social ( `authentication.Social` )
 - Users ( `authentication.Users` )
@@ -120,6 +122,7 @@ For more code samples on how to integrate the auth0-python SDK in your Python ap
 - Roles() ( `Auth0().roles` )
 - RulesConfigs() ( `Auth0().rules_configs` )
 - Rules() ( `Auth0().rules` )
+- SelfServiceProfiles() ( `Auth0().self_service_profiles` )
 - Stats() ( `Auth0().stats` )
 - Tenants() ( `Auth0().tenants` )
 - Tickets() ( `Auth0().tickets` )
@@ -145,7 +148,7 @@ The following is a list of unsupported Python versions, and the last SDK version
 
 | Python Version | Last SDK Version Supporting |
 |----------------|-----------------------------|
-| <= 3.7         | 4.6.1                       |
+| >= 3.7         | 4.6.1                       |
 | >= 2.0, <= 3.6 | 3.x                         |
 
 You can determine what version of Python you have installed by running:

auth0/authentication/async_token_verifier.py

@@ -176,7 +176,7 @@ async def verify(
             token (str): The JWT to verify.
             nonce (str, optional): The nonce value sent during authentication.
             max_age (int, optional): The max_age value sent during authentication.
-            organization (str, optional): The expected organization ID (org_id) or orgnization name (org_name) claim value. This should be specified
+            organization (str, optional): The expected organization ID (org_id) or organization name (org_name) claim value. This should be specified
             when logging in to an organization.
 
         Returns:

auth0/authentication/back_channel_login.py

@@ -0,0 +1,38 @@
+from typing import Any
+
+from .base import AuthenticationBase
+
+
+class BackChannelLogin(AuthenticationBase):
+    """Back-Channel Login endpoint"""
+
+    def back_channel_login(
+        self, binding_message: str, login_hint: str, scope: str, **kwargs
+    ) -> Any:
+        """Send a Back-Channel Login.
+
+        Args:
+             binding_message (str): Human-readable string displayed on both the device calling /bc-authorize and the user’s 
+             authentication device to ensure the user is approves the correct request.
+
+             login_hint (str): String containing information about the user to contact for authentication.
+
+             scope(str): "openid" is a required scope.Multiple scopes are separated 
+             with whitespace.
+
+             **kwargs: Other fields to send along with the PAR.
+
+        Returns:
+            auth_req_id, expires_in, interval
+        """
+        return self.authenticated_post(
+            f"{self.protocol}://{self.domain}/bc-authorize",
+            data={
+                "client_id": self.client_id,
+                "binding_message": binding_message,
+                "login_hint": login_hint,
+                "scope": scope,
+                **kwargs,
+            },
+            headers={"Content-Type": "application/x-www-form-urlencoded"},
+        )

auth0/authentication/get_token.py

@@ -253,3 +253,62 @@ def passwordless_login(
                 "grant_type": "http://auth0.com/oauth/grant-type/passwordless/otp",
             },
         )
+
+    def backchannel_login(
+        self, auth_req_id: str, grant_type: str = "urn:openid:params:grant-type:ciba",
+    ) -> Any:
+        """Calls /oauth/token endpoint with "urn:openid:params:grant-type:ciba" grant type
+
+        Args:
+            auth_req_id (str): The id received from /bc-authorize
+
+            grant_type (str): Denotes the flow you're using.For Back Channel login
+            use urn:openid:params:grant-type:ciba
+
+        Returns:
+            access_token, id_token
+        """
+
+        return self.authenticated_post(
+            f"{self.protocol}://{self.domain}/oauth/token",
+            data={
+                "client_id": self.client_id,
+                "auth_req_id": auth_req_id,
+                "grant_type": grant_type,
+            },
+        )
+
+    def access_token_for_connection(
+        self,
+        subject_token_type: str, 
+        subject_token: str,
+        requested_token_type: str,
+        connection: str | None = None,
+        grant_type: str = "urn:auth0:params:oauth:grant-type:token-exchange:federated-connection-access-token"
+    ) -> Any:
+        """Calls /oauth/token endpoint with federated-connection-access-token grant type
+
+        Args:
+            subject_token_type (str): String containing the type of token.
+
+            subject_token (str): String containing the value of subject_token_type.
+
+            requested_token_type (str): String containing the type of rquested token.
+
+            connection (str, optional): Denotes the name of a social identity provider configured to your application         
+
+        Returns:
+            access_token, scope, issued_token_type, token_type
+        """
+
+        return self.authenticated_post(
+            f"{self.protocol}://{self.domain}/oauth/token",
+            data={
+                "client_id": self.client_id,
+                "grant_type": grant_type,
+                "subject_token_type": subject_token_type,                
+                "subject_token": subject_token,
+                "requested_token_type": requested_token_type,
+                "connection": connection,
+            },
+        )

auth0/authentication/pushed_authorization_requests.py

@@ -3,6 +3,7 @@
 from .base import AuthenticationBase
 
 
+
 class PushedAuthorizationRequests(AuthenticationBase):
     """Pushed Authorization Request (PAR) endpoint"""
 
@@ -16,15 +17,19 @@ def pushed_authorization_request(
              redirect_uri (str): The URL to which Auth0 will redirect the browser after authorization has been granted
              by the user.
              **kwargs: Other fields to send along with the PAR.
+             For RAR requests, authorization_details parameter should be added in a proper format. See:https://datatracker.ietf.org/doc/html/rfc9396
+             For JAR requests, requests parameter should be send with the JWT as the value. See: https://datatracker.ietf.org/doc/html/rfc9126#name-the-request-request-paramet
 
         See: https://www.rfc-editor.org/rfc/rfc9126.html
         """
         return self.authenticated_post(
             f"{self.protocol}://{self.domain}/oauth/par",
             data={
-                "client_id": self.client_id,
+                "client_id":self.client_id,
+                "client_secret":self.client_secret,
                 "response_type": response_type,
                 "redirect_uri": redirect_uri,
                 **kwargs,
             },
-        )
+            headers={"Content-Type": "application/x-www-form-urlencoded"},
+        )

auth0/authentication/token_verifier.py

@@ -299,7 +299,7 @@ def verify(
             token (str): The JWT to verify.
             nonce (str, optional): The nonce value sent during authentication.
             max_age (int, optional): The max_age value sent during authentication.
-            organization (str, optional): The expected organization ID (org_id) or orgnization name (org_name) claim value. This should be specified
+            organization (str, optional): The expected organization ID (org_id) or organization name (org_name) claim value. This should be specified
             when logging in to an organization.
 
         Returns: