Added changes to support mTLS authentication

EXAMPLES.md

@@ -6,6 +6,7 @@
   - [Use Refresh Tokens](#use-refresh-tokens)
   - [Complete the Authorization Code flow with PKCE](#complete-the-authorization-code-flow-with-pkce)
   - [Login with Passwordless](#login-with-passwordless)
+  - [mTLS request](#mtls-request)
 - [Management Client](#management-client)
   - [Paginate through a list of users](#paginate-through-a-list-of-users)
   - [Paginate through a list of logs using checkpoint pagination](#paginate-through-a-list-of-logs-using-checkpoint-pagination)
@@ -129,6 +130,24 @@ const { data: tokens } = await auth.passwordless.loginWithEmail({
 });
 ```
 
+### mTLS request
+
+```js
+import { AuthenticationClient } from 'auth0';
+
+// add mtls prefix to your domain name
+const auth = new AuthenticationClient({
+  domain: 'mtls.{YOUR_TENANT_AND REGION}.auth0.com',
+  clientId: '{YOUR_CLIENT_ID}',
+  agent: new https.Agent({ ... }),
+});
+
+const { data: tokens } = await auth.oauth.clientCredentialsGrant({
+  audience: 'you-api',
+});
+
+```
+
 ## Management Client
 
 ### Paginate through a list of users

src/auth/client-authentication.ts

@@ -26,6 +26,7 @@ interface AddClientAuthenticationOptions {
  * Adds `client_assertion` and `client_assertion_type` for Private Key JWT token endpoint auth method.
  *
  * If `clientAssertionSigningKey` is provided it takes precedent over `clientSecret` .
+ * Also skips  `client_secret` & `clientAssertionSigningKey` if request(domain) is of mTLS type
  */
 export const addClientAuthentication = async ({
   payload,
@@ -55,9 +56,17 @@ export const addClientAuthentication = async ({
   }
   if (
     (!payload.client_secret || payload.client_secret.trim().length === 0) &&
-    (!payload.client_assertion || payload.client_assertion.trim().length === 0)
+    (!payload.client_assertion || payload.client_assertion.trim().length === 0) &&
+    !isMTLSRequest(domain)
   ) {
     throw new Error('The client_secret or client_assertion field is required.');
   }
   return payload;
 };
+
+/**
+ * Checks if domain name starts with mTLS keyword for mTLS requests
+ */
+const isMTLSRequest = (domain: string): boolean => {
+  return domain.toLowerCase().startsWith('mtls');
+};

test/auth/client-authentication.test.ts

@@ -205,3 +205,49 @@ describe('client-authentication for par endpoint', () => {
     });
   });
 });
+
+describe('mTLS-authentication', () => {
+  const path = jest.fn();
+  const body = jest.fn();
+  const headers = jest.fn();
+  const clientAssertion = jest.fn();
+  const URL = 'https://mtls.tenant.auth0.com/';
+
+  beforeEach(() => {
+    async function handler(this: any, pathIn: unknown, bodyIn: string) {
+      const bodyParsed = Object.fromEntries(new URLSearchParams(bodyIn));
+      path(pathIn);
+      body(bodyParsed);
+      headers(this.req.headers);
+      if ((bodyParsed as any).client_assertion) {
+        clientAssertion(await verify(bodyParsed.client_assertion, TEST_PUBLIC_KEY, verifyOpts));
+      }
+      return {
+        access_token: 'test-access-token',
+      };
+    }
+
+    nock(URL, { encodedQueryParams: true }).post('/oauth/token').reply(200, handler).persist();
+  });
+
+  afterEach(() => {
+    nock.cleanAll();
+    jest.clearAllMocks();
+  });
+
+  it('should do client credentials grant without client secret or assertion', async () => {
+    const auth0 = new AuthenticationClient({
+      domain: 'mtls.tenant.auth0.com',
+      clientId,
+    });
+    await auth0.oauth.clientCredentialsGrant({
+      audience: 'my-api',
+    });
+    expect(path).toHaveBeenCalledWith('/oauth/token');
+    expect(body).toHaveBeenCalledWith({
+      grant_type: 'client_credentials',
+      client_id: clientId,
+      audience: 'my-api',
+    });
+  });
+});