feat(auth0-auth-js): add actor token support and act claim to Custom Token Exchange

[cschetan77]

Description

Extends the Custom Token Exchange (CTE) implementation in auth0-auth-js to support RFC 8693 delegation flows via actor tokens.

• Adds actorToken and actorTokenType optional fields to ExchangeProfileOptions, which are forwarded as actor_token and actor_token_type in the token request.
• Adds the ActClaim interface ({ sub: string; [key: string]: unknown }) per RFC 8693 Section 4.1, the index signature allows for additional server-provided fields (e.g. chained delegation, iss).
• Adds act?: ActClaim to TokenResponse, populated from the parsed ID token claims in fromTokenEndpointResponse() with a fallback to the access token payload, covering M2M delegation flows where no ID token is issued.
• Adds client-side syntactic URI validation for both subjectTokenType and actorTokenType via new URL(), throws TokenExchangeError before the network request if invalid, semantic namespace validation remains on the Auth0 server
• Removes actor_token and actor_token_type from PARAM_DENYLIST since they are now first-class typed parameters

Testing

Unit Tests

• should send actor_token and actor_token_type when provided: verifies request params and result.act are correctly wired
• should expose act claim from id_token on TokenResponse: verifies extra fields (e.g. iss) on act are accessible
• should not send actor_token or actor_token_type when omitted: verifies no regression on existing exchanges
• should throw TokenExchangeError for invalid token type URIs: covers both subjectTokenType and actorTokenType invalid URI cases
• should accept valid URI formats for subjectTokenType and actorTokenType: covers http:// URI forms
• should expose act claim from access token when no id_token is returned (M2M delegation): verifies that a token response with no id_token but an access token carrying act correctly populates TokenResponse.act.
• should throw TokenExchangeError when actorToken is provided without actorTokenType

Checklist

• I have added documentation for new/changed functionality in this PR or in auth0.com/docs
• All active GitHub checks for tests, formatting, and security are passing
• The correct base branch is being used, if not the default branch

[nandan-bhat]

What will happen if Auth0 issues an opaque token.

[nandan-bhat]

Does that mean, tokenResponse would always have act ?
Because fromTokenEndpointResponse is called from multiple places.

[nandan-bhat]

• Please add tests for opaque token scenarios.
• Please update documentation (EXAMPLES.md) elaborating this feature.

[kishore7snehil]

The act claim is defined in Section 4.4 ("Delegation Semantics"), not 4.1. Section 4.1 is the token exchange response structure.

Should be #section-4.4. (Same fix landed on the Android and Swift CTE PRs.)

[kishore7snehil]

Same as the ActClaim interface above: act is defined in Section 4.4, not 4.1. Should be #section-4.4.

[kishore7snehil]

Two concerns here:

• The team aligned that token-type URI validation stays server-side, no other SDK (Swift, Android, spa-js) does client-side URI validation. Adding it here for subjectTokenType (which previously had none) breaks that alignment and is a behavior change for existing callers.

• new URL() is the wrong validator and risks false rejections. It can reject values the Auth0 server would actually accept, turning a server-side concern into a client-side breaking change on upgrade. (new URL('urn:acme:custom-token') happens to pass, but the general class of valid token-type identifiers isn't guaranteed to parse as a WHATWG URL.)

[kishore7snehil]

A caller can again pass actor_token through extra, which is no longer guarded. The typed param is the documented path.