linuxfoundation · skwowet · Mar 30, 2026 · Mar 30, 2026 · Mar 30, 2026 · Mar 30, 2026
diff --git a/backend/.env.dist.local b/backend/.env.dist.local
@@ -165,5 +165,5 @@ CROWD_GITHUB_IS_SNOWFLAKE_ENABLED=false
 CROWD_TINYBIRD_BASE_URL=http://localhost:7181/
 
 # Auth0
-CROWD_AUTH0_ISSUER_BASE_URL=
+CROWD_AUTH0_ISSUER_BASE_URLS=
 CROWD_AUTH0_AUDIENCE=
diff --git a/backend/config/custom-environment-variables.json b/backend/config/custom-environment-variables.json
@@ -154,7 +154,7 @@
   "auth0": {
     "clientId": "CROWD_AUTH0_CLIENT_ID",
     "jwks": "CROWD_AUTH0_JWKS",
-    "issuerBaseURL": "CROWD_AUTH0_ISSUER_BASE_URL",
+    "issuerBaseURLs": "CROWD_AUTH0_ISSUER_BASE_URLS",
     "audience": "CROWD_AUTH0_AUDIENCE"
   },
   "sso": {

diff --git a/backend/src/api/public/middlewares/oauth2Middleware.ts b/backend/src/api/public/middlewares/oauth2Middleware.ts
@@ -6,6 +6,17 @@ import { UnauthorizedError } from '@crowd/common'
 import type { Auth0Configuration } from '@/conf/configTypes'
 import type { Auth0TokenPayload } from '@/types/api'
 
+function resolveIssuer(req: Request): string | undefined {
+  const token = req.headers.authorization?.split(' ')[1]
+  if (!token) return undefined
+  try {
+    const { iss } = JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString())
+    return typeof iss === 'string' ? iss : undefined
+  } catch {
+    return undefined
+  }
+}
+
 function resolveActor(req: Request, _res: Response, next: NextFunction): void {
   const payload = (req.auth?.payload ?? {}) as Auth0TokenPayload
 
@@ -26,11 +37,38 @@ function resolveActor(req: Request, _res: Response, next: NextFunction): void {
 }
 
 export function oauth2Middleware(config: Auth0Configuration): RequestHandler[] {
-  return [
-    auth({
-      issuerBaseURL: config.issuerBaseURL,
-      audience: config.audience,
-    }),
-    resolveActor,
-  ]
+  const issuers = config.issuerBaseURLs
+    .split(',')
+    .map((s) => s.trim())
+    .filter(Boolean)
+
+  if (issuers.length === 0) {
+    throw new Error('No auth0 issuers configured')
+  }
+
+  const handlersByIssuer = new Map(
+    issuers.map((issuerBaseURL) => [
+      issuerBaseURL.replace(/\/$/, ''),
+      auth({ issuerBaseURL, audience: config.audience }),
+    ]),
+  )
+
+  const verifyJwt: RequestHandler = (req, res, next) => {
+    const iss = resolveIssuer(req)
+    if (!iss) {
+      next(new UnauthorizedError('Missing or malformed bearer token'))
+      return
+    }
+
+    const handler = handlersByIssuer.get(iss.replace(/\/$/, ''))
+
+    if (!handler) {
+      next(new UnauthorizedError('Unknown token issuer'))
+      return
+    }
+
+    handler(req, res, next)
+  }
+
+  return [verifyJwt, resolveActor]
 }
diff --git a/backend/src/conf/configTypes.ts b/backend/src/conf/configTypes.ts
@@ -68,7 +68,7 @@ export interface ApiConfiguration {
 export interface Auth0Configuration {
   clientId: string
   jwks: string
-  issuerBaseURL: string
+  issuerBaseURLs: string
   audience: string
 }