New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deal with list of issuers in JwtAuthenticationProvider #30
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey, thanks for the contribution.
First I'd like to understand your use case. You said:
When we wanted to switch to a custom domain, we had the requirement that the original auth0 subdomain still works for legacy applications.
If I understood correctly, you had your auth0 domain e.g. "sample.auth0.com" being the issuer of the tokens. When you migrated to a custom domain, e.g. "sample.com", the tokens are still being signed with the "auth0 domain". That looks just right, that's how auth0 behaves.
I guess you encountered verification issues because you've set up an application using this SDK passing your "custom domain" and the server is still signing with the "auth0 domain". Is that right? I'll wait on your response to continue, but I've already reviewed the PR so feel free to ignore those comments for now 👍
lib/src/main/java/com/auth0/spring/security/api/JwtAuthenticationProvider.java
Outdated
Show resolved
Hide resolved
lib/src/main/java/com/auth0/spring/security/api/JwtAuthenticationProvider.java
Outdated
Show resolved
Hide resolved
lib/src/main/java/com/auth0/spring/security/api/JwtWebSecurityConfigurer.java
Outdated
Show resolved
Hide resolved
lib/src/main/java/com/auth0/spring/security/api/JwtWebSecurityConfigurer.java
Show resolved
Hide resolved
Hey, thanks for your review! The points you made are valid. Originally, I tried to modify as little as possible of the original code and to not introduce any breaking changes, but this results in code duplication. Unfortunately, I am currently very busy with other stuff. I try to find time, to address your comments in the code. Regarding your question:
During the transitional period, our legacy clients use the old domain "sample.auth0.com" and get an access token with |
9432f96
to
f050cb9
Compare
I refactored the code according to your suggestions. Additionally, I added a hint to the README.md |
@lbalmaceda Are you planning to merge this? Is anything unclear? Is there anything left which I could do / improve? |
@coperator sorry for the delay on the review. Now that I see that |
For true multi-tenant support, each tenant needs an individual list of audiences. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response for our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇♂️ |
Please do not close this issue. This is still something that we need. |
Yes, this would really make the transition to custom domain easier. I am hoping for a merge in the near future. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have not received a response for our team (apologies for the delay) and this is still a blocker, please reply with additional information or just a ping. Thank you for your contribution! 🙇♂️ |
This is still something that we need for migrating from auth0 domain to custom domain. |
👋@neshanjo Just a heads up that we're also tracking this internally. At first, for evaluating the changes and impact. |
@coperator, @neshanjo, @perlauvaas - just to confirm the use case this PR targets: This change is specific to the case when migrating to a new/custom domain within the same tenant, to support applications receiving access tokens issued both by the old and new domain. Is that correct? EDIT: |
This is cool, we had this issue in-house as well and wrote our own customized AuthenticationProvider for it. We'll have to see if we can remove that now. |
Changes
When we wanted to switch to a custom domain, we had the requirement that the original auth0 subdomain still works for legacy applications.
Thus, I refactored this Spring Security integration, so that it can deal with several issuers.
Since auth0/java-jwt#288 is merged in Java JWT, it is straightforward to do this.
One holding limitation is that all issuers need to have the same public key in case of RS256 and the same secret in case of HS256. Nevertheless, this is the case for Auth0 custom domains of the same tenant.
I want to stress here, that multiple tenants are not supported. We only cover the case of several issuers domains of one Auth0 tenant.
I decided to leave as much of the existing code as possible in order to guarantee backward compatibility.
The respective functions can now be called with a list of issuers or, as before, with one issuer.
I added tests to cover the cases of several issuers.
Testing
I tested the change with our API and several issuers.
Checklist