feat: support multiple auth0 issuers for JWT verification #3978

Merged
skwowet merged 5 commits into main from feat/multi-issuer-oauth2
Mar 30, 2026
Collaborator

@skwowet skwowet commented Mar 30, 2026

Summary

  • Allows the OAuth2 middleware to accept JWTs from multiple auth0 issuers by splitting a comma-separated CROWD_AUTH0_ISSUER_BASE_URLS env var.
  • Routes each request to the correct auth() handler by peeking at the JWT iss claim (base64 decode, no crypto overhead). Unknown issuers are rejected immediately.
  • Enables staging CDP to accept tokens from staging and dev auth0 domains so both environments can share it without mixing auth credentials.

Note

High Risk
High risk because it changes JWT verification/issuer validation in the public API auth middleware; misconfiguration or parsing edge cases could cause unintended auth failures or issuer acceptance.

Overview
Auth0 JWT verification now supports multiple issuers. The OAuth2 middleware switches from a single issuerBaseURL to a comma-separated issuerBaseURLs list, selecting the correct express-oauth2-jwt-bearer verifier per request by decoding the JWT iss claim.

Configuration is updated accordingly (new CROWD_AUTH0_ISSUER_BASE_URLS env var and Auth0Configuration.issuerBaseURLs), and requests with missing/malformed tokens or unknown issuers are rejected early.

Written by Cursor Bugbot for commit 34ae438. This will update automatically on new commits. Configure here.
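
The routing described in the summary above, as an added example in plain Node.js JavaScript; it is not the code merged in this PR. The function names, the `makeVerifier` factory and the `example.test` issuer URLs are assumptions made for illustration, and the tokens are constructed and unsigned.

```javascript
// Added example (hypothetical names); issuer URLs and tokens are constructed.

// Auth0-style issuers end in "/"; store the configured list in that one form.
const withSlash = (url) => (url.endsWith('/') ? url : url + '/')

// Split the comma-separated setting into an exact-match allowlist.
function parseIssuers(csv) {
  const list = String(csv || '').split(',').map((s) => s.trim()).filter(Boolean)
  if (list.length === 0) throw new Error('no issuers configured')
  return new Set(list.map(withSlash))
}

// Read `iss` from the payload segment WITHOUT verifying anything.
// The result is attacker-controlled and is only good for a lookup.
function peekIssuer(authorizationHeader) {
  const m = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]*)$/.exec(authorizationHeader || '')
  if (!m) return null
  try {
    const payload = JSON.parse(Buffer.from(m[2], 'base64url').toString('utf8'))
    return payload && typeof payload.iss === 'string' ? payload.iss : null
  } catch {
    return null
  }
}

// makeVerifier(issuer) stands in for building one full JWT verifier per
// issuer (signature, iss, aud, exp); here it is any function of the header.
function buildRouter(csv, makeVerifier) {
  const verifiers = new Map()
  for (const iss of parseIssuers(csv)) verifiers.set(iss, makeVerifier(iss))
  return (authorizationHeader) => {
    const iss = peekIssuer(authorizationHeader)
    if (iss === null) return { status: 401, reason: 'missing or malformed token' }
    const verify = verifiers.get(iss) // exact match, no prefix or regex
    if (!verify) return { status: 401, reason: 'unknown issuer' }
    return verify(authorizationHeader) // real verification happens here
  }
}

// Constructed, unsigned token for exercising the router.
function fakeJwt(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url')
  return `Bearer ${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(payload)}.c2ln`
}
```

The peeked `iss` only picks which verifier runs; acceptance still depends on that verifier checking the signature and the issuer itself.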

Signed-off-by: Yeganathan S <63534555+skwowet@users.noreply.github.com>
@skwowet skwowet self-assigned this Mar 30, 2026
Comment thread backend/src/api/public/middlewares/oauth2Middleware.ts Fixed
Signed-off-by: Yeganathan S <63534555+skwowet@users.noreply.github.com>
@skwowet skwowet marked this pull request as ready for review March 30, 2026 16:46
Copilot AI review requested due to automatic review settings March 30, 2026 16:46
@github-actions
Contributor

⚠️ Jira Issue Key Missing

Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability.

Example:

  • feat: add user authentication (CM-123)
  • feat: add user authentication (IN-123)

Projects:

  • CM: Community Data Platform
  • IN: Insights

Please add a Jira issue key to your PR title.

Signed-off-by: Yeganathan S <63534555+skwowet@users.noreply.github.com>
Contributor

Copilot AI left a comment

Pull request overview

Adds support for validating JWTs from multiple Auth0 issuers by selecting the appropriate express-oauth2-jwt-bearer verifier based on the token’s iss claim.

Changes:

  • Renames Auth0 config from a single issuerBaseURL to comma-separated issuerBaseURLs.
  • Updates OAuth2 middleware to parse issuerBaseURLs, resolve iss from the JWT payload, and dispatch to the matching verifier.
  • Updates environment variable mapping to use CROWD_AUTH0_ISSUER_BASE_URLS.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| backend/src/conf/configTypes.ts | Renames Auth0 issuer config field to support multiple issuers. |
| backend/src/api/public/middlewares/oauth2Middleware.ts | Routes verification to the correct Auth0 issuer handler using the JWT iss claim. |
| backend/config/custom-environment-variables.json | Maps new multi-issuer env var name into config. |

Comment thread backend/src/api/public/middlewares/oauth2Middleware.ts Outdated
Comment thread backend/src/api/public/middlewares/oauth2Middleware.ts
Comment thread backend/src/api/public/middlewares/oauth2Middleware.ts
Comment thread backend/src/api/public/middlewares/oauth2Middleware.ts Outdated
Comment thread backend/config/custom-environment-variables.json
Signed-off-by: Yeganathan S <63534555+skwowet@users.noreply.github.com>
@skwowet skwowet merged commit dc94860 into main Mar 30, 2026
16 checks passed
@skwowet skwowet deleted the feat/multi-issuer-oauth2 branch March 30, 2026 17:05