{"id":43566123,"url":"https://github.com/auth0-samples/auth0-cross-app-access-inspector","last_synced_at":"2026-02-03T21:33:11.998Z","repository":{"id":327669376,"uuid":"1075814982","full_name":"auth0-samples/auth0-cross-app-access-inspector","owner":"auth0-samples","description":"Sample implementation of a Requesting Application to demonstrate the Cross App Access flow","archived":false,"fork":false,"pushed_at":"2025-12-05T01:28:50.000Z","size":84,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-12-08T09:12:58.991Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/auth0-samples.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-14T03:04:43.000Z","updated_at":"2025-12-05T01:28:54.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/auth0-samples/auth0-cross-app-access-inspector","commit_stats":null,"previous_names":["auth0-samples/auth0-cross-app-access-inspector"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/auth0-samples/auth0-cross-app-access-inspector","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/auth0-samples%2Fauth0-cross-app-access-inspector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/auth0-samples%2Fauth0-cross-app-access-inspector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/auth0-samples%2Fauth0-cross-app-access-inspector/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/auth0-samples%2Fauth0-cross-app-access-inspector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/auth0-samples","download_url":"https://codeload.github.com/auth0-samples/auth0-cross-app-access-inspector/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/auth0-samples%2Fauth0-cross-app-access-inspector/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29058392,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-03T20:13:53.544Z","status":"ssl_error","status_checked_at":"2026-02-03T20:13:40.507Z","response_time":96,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-02-03T21:33:09.742Z","updated_at":"2026-02-03T21:33:11.991Z","avatar_url":"https://github.com/auth0-samples.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Auth0 Cross App Access Inspector\n\nThe Auth0 Cross App Access (XAA) Inspector is a sample Node/React implementation of a Requesting Application\nperforming the Cross App Access flow to obtain an access token from a Resource Application which uses\nAuth0 as its Authorization Server.\n\nThis implements the [Identity Assertion Authorization Grant](https://www.ietf.org/archive/id/draft-ietf-oauth-identity-assertion-authz-grant-00.html) protocol.\n\nFor more information, see the [Auth0 documentation](https://auth0.com/docs/xaa-resource-app).\n\n\u003e This sample app is a tool to test the Cross App Access end-to-end flow. Support of this flow is currently implemented by Auth0 as part of a private Beta program. To participate in this program, contact [Auth0 Support](http://support.auth0.com/) or your Technical Account Manager.\n\n## Overview\n\nThis application shows the steps required to perform the Cross App Access flow from a Requesting Application:\n\n1. Authenticate with the user's Enterprise IDP (Okta) to obtain an ID Token.\n2. Exchange the ID Token at the Enterprise IDP (Okta) for an ID-JAG assertion using the [RFC 8693 Token Exchange](https://datatracker.ietf.org/doc/html/rfc8693) protocol.\n3. Exchange the ID-JAG assertion at the Resource Application Authorization Server (Auth0) for an Auth0 access token using the [JWT-Bearer grant](https://datatracker.ietf.org/doc/html/rfc7523).\n4. Use the Auth0 access token to call the Resource Application API.\n\n## Prerequisites\n\n- Node.js 18 or higher\n- npm or yarn\n- Okta developer account\n- Auth0 developer account\n\n## Security Considerations\n\n⚠️ **Important**: This application is for demonstration purposes only. In production, you should not expose\nsensitive tokens like ID-JAG assertions to the frontend. Instead, keep them on the server side and use secure session storage.\n\n## Setup Instructions\n\n### 1. Clone and Install Dependencies\n\n```bash\ngit clone \u003crepository-url\u003e\ncd auth0-cross-app-access-inspector\nnpm install\n```\n\n### 2. Configure the Resource Application\n\nFollow the [Auth0 documentation](https://auth0.com/docs/xaa-resource-app) to set up your Resource Application in Auth0, making sure to:\n\n- Create an API to represent your Resource Application.\n- Create a Resource Application.\n- Register the Resource Application in Okta. For a quick test setup, we recommend using the Todo0 application that is already registered in the OIN. In your Okta tenant, go to Applications \u003e Applications \u003e Browse App Catalog \u003e Search for “Todo0”. Select it and add the integration.\n\n### 3. Configure the Requesting Application\n\nFollow the [Auth0 documentation](https://auth0.com/docs/xaa-resource-app) to set up your Requesting Application, making sure to:\n\n- Create an application in your Auth0 tenant to represent the XAA Inspector, and enable Cross App Access for the application.\n- Register the Requesting Application in Okta. For a quick test setup, we recommend using the Agent0 application that is already registered in the OIN. In your Okta tenant, go to Applications \u003e Applications \u003e Browse App Catalog \u003e Search for “Agent0”. Select it and add the integration.\n- In the `Sign On` tab of your registration in Okta, configure the `Redirect URI` to `http://localhost:3000/login/callback`.\n\n### 4. Configure the Okta Identity Provider\n\nFollow the [Auth0 documentation](https://auth0.com/docs/xaa-resource-app) to set up your Okta Identity Provider in Auth0, making sure to:\n\n- Create an Okta Workforce connection in your Auth0 tenant.\n\n### 5. Environment Configuration\n\nCopy the `.env.sample` file to a new `.env` file in the root directory, and update the placeholder values:\n\n- `SESSION_SECRET`: A long, random string for session encryption.\n- `OKTA_ISSUER`: The issuer URL for your Okta tenant (e.g., `https://your-domain.okta.com`).\n- `OKTA_CLIENT_ID`, `OKTA_CLIENT_SECRET`: The credentials of your Requesting App instance in your Okta tenant (found under the \"Sign On\" tab of your Okta application).\n- `AUTH0_DOMAIN`: Your Auth0 tenant domain (e.g., `your-domain.auth0.com`).\n- `AUTH0_CLIENT_ID`, `AUTH0_CLIENT_SECRET`: The credentials of your Requesting App instance in your Auth0 tenant (found under the \"Settings\" tab of your Auth0 application).\n- `AUTH0_AUDIENCE`: The audience identifier for the Resource Application API in Auth0.\n- `AUTH0_SCOPE`: The scopes required for the access token.\n\n### 6. Run the Application\n\n```bash\nnpm run dev\n```\n\nThis starts the development server at `http://localhost:3000`.\n\n## LICENSE\n\nThis project is licensed under the Apache License, Version 2.0. See the [LICENSE](LICENSE) file for more details.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fauth0-samples%2Fauth0-cross-app-access-inspector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fauth0-samples%2Fauth0-cross-app-access-inspector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fauth0-samples%2Fauth0-cross-app-access-inspector/lists"}