feat: Support validating tokens with tenant domain in the case of custom domains #753
Conversation
When a token is issued, the token issuer is validated against the domain within the configuration. However, when a custom domain is provided within the SDK configuration, the issuer is validated against the custom domain. This fix will, in case of custom domain set in SDK configuration, validates the custom domain at first against the issuer within the token. Whenever this fails, fallback to the tenant domain set in the SDK Configuration. Use case: - A tenant domain is set - A custom domain is set All auth0 requests (e.g. token and validation) are sent to custom domain. In certain situations, the custom domain acts as a proxy that actually does some extended validation on the client request and redirects the requests to the actual tenant domain. Therefor, the tenant domain is the origin issuer of the token, while the requests are proxied through the custom domain.
ramonschriks
temporarily deployed
to
external
GitHub Actions
Inactive
ramonschriks
temporarily deployed
to
external
GitHub Actions
Inactive
ramonschriks
temporarily deployed
to
external
GitHub Actions
Inactive
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #753 +/- ##
=============================================
- Coverage 100.00% 99.97% -0.03%
- Complexity 1381 1383 +2
=============================================
Files 62 62
Lines 4776 4781 +5
=============================================
+ Hits 4776 4780 +4
- Misses 0 1 +1
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
|
Hey @evansims, Thanks for approving! Not hurry things up or something, but more out of curiosity, how long would it normally take for this to be included within the next release? And also for the auth0/wordpress plugin, which depends on this? Thanks in advance! |
|
Hey, @ramonschriks 👋 Happy New Year! Sorry for the delay. Usually, we'd cut a release immediately, but we've been on a code freeze this past week with the holidays. That'll be lifted at the end of this week, so I'll get a release cut after that. |
evansims
changed the title
**Added** - feat: Support validating tokens with tenant domain in the case of custom domains [\#753](#753) ([ramonschriks](https://github.com/ramonschriks))
|
Hey again, @ramonschriks just wanted to let you know this has shipped in 8.11. Thanks for your contribution, and sorry for the delay! |
Follow up of #753 --- What a failure.. After validating the issuer with the tenant domain, we still throw'd the exception... It must not fall through this validation succeeds. Perhaps a unit test is required for this. Signed-off-by: ramonschriks <ramon.nmgn@live.nl>
When a token is issued, the token issuer is validated against the (tenant)domain within the configuration. However, when a custom domain is provided within the SDK configuration, the issuer is validated against that custom domain.
This fix will, in case of custom domain set in SDK configuration, validates the custom domain at first against the issuer within the token (same as previous behaviour). However in case of failure fallback to the tenant domain set in the SDK Configuration.
Use case:
All auth0 requests (e.g. token and validation) are sent to custom domain. In certain situations, the custom domain acts as a proxy that actually does some extended validation on the client request and redirects the requests to the actual tenant domain. Therefor, the tenant domain is the origin issuer of the token, while the requests are proxied through the custom domain.
Changes
References
Testing
Contributor Checklist