Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Support validating tokens with tenant domain in the case of custom domains #753

Merged
merged 2 commits into from
Dec 29, 2023
Merged

Conversation

ramonschriks
Copy link
Contributor

When a token is issued, the token issuer is validated against the (tenant)domain within the configuration. However, when a custom domain is provided within the SDK configuration, the issuer is validated against that custom domain.

This fix will, in case of custom domain set in SDK configuration, validates the custom domain at first against the issuer within the token (same as previous behaviour). However in case of failure fallback to the tenant domain set in the SDK Configuration.

Use case:

  • A tenant domain is set
  • A custom domain is set

All auth0 requests (e.g. token and validation) are sent to custom domain. In certain situations, the custom domain acts as a proxy that actually does some extended validation on the client request and redirects the requests to the actual tenant domain. Therefor, the tenant domain is the origin issuer of the token, while the requests are proxied through the custom domain.

Changes

References

Testing

Contributor Checklist

When a token is issued, the token issuer is validated against the domain within the configuration.
However, when a custom domain is provided within the SDK configuration, the issuer is validated against the custom domain.

This fix will, in case of custom domain set in SDK configuration, validates the custom domain at first against the issuer within the token.
Whenever this fails, fallback to the tenant domain set in the SDK Configuration.

Use case:
- A tenant domain is set
- A custom domain is set

All auth0 requests (e.g. token and validation) are sent to custom domain.
In certain situations, the custom domain acts as a proxy that actually does some extended validation on the client request and redirects the requests to the actual tenant domain.
Therefor, the tenant domain is the origin issuer of the token, while the requests are proxied through the custom domain.
@codecov-commenter
Copy link

codecov-commenter commented Dec 29, 2023

Codecov Report

Attention: 1 lines in your changes are missing coverage. Please review.

Comparison is base (14b405e) 100.00% compared to head (d95cd7d) 99.97%.
Report is 1 commits behind head on main.

Files Patch % Lines
src/Token.php 85.71% 1 Missing ⚠️
Additional details and impacted files
@@              Coverage Diff              @@
##                main     #753      +/-   ##
=============================================
- Coverage     100.00%   99.97%   -0.03%     
- Complexity      1381     1383       +2     
=============================================
  Files             62       62              
  Lines           4776     4781       +5     
=============================================
+ Hits            4776     4780       +4     
- Misses             0        1       +1     
Flag Coverage Δ
unittestsvalidate 99.97% <85.71%> (-0.03%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

evansims
evansims previously approved these changes Dec 29, 2023
Copy link
Member

@evansims evansims left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @ramonschriks

@evansims evansims enabled auto-merge (squash) December 29, 2023 01:46
@evansims evansims disabled auto-merge December 29, 2023 01:48
@evansims evansims merged commit 5b4b867 into auth0:main Dec 29, 2023
22 of 23 checks passed
@ramonschriks
Copy link
Contributor Author

Hey @evansims,

Thanks for approving! Not hurry things up or something, but more out of curiosity, how long would it normally take for this to be included within the next release? And also for the auth0/wordpress plugin, which depends on this?

Thanks in advance!

@evansims
Copy link
Member

evansims commented Jan 2, 2024

Hey, @ramonschriks 👋 Happy New Year! Sorry for the delay. Usually, we'd cut a release immediately, but we've been on a code freeze this past week with the holidays. That'll be lifted at the end of this week, so I'll get a release cut after that.

@evansims evansims changed the title Validate token with tenant domain in case of custom domain feat: Support validating tokens with tenant domain in the case of custom domains Jan 9, 2024
@evansims evansims mentioned this pull request Jan 9, 2024
evansims added a commit that referenced this pull request Jan 9, 2024
**Added**
- feat: Support validating tokens with tenant domain in the case of
custom domains [\#753](#753)
([ramonschriks](https://github.com/ramonschriks))
@evansims
Copy link
Member

evansims commented Jan 9, 2024

Hey again, @ramonschriks just wanted to let you know this has shipped in 8.11. Thanks for your contribution, and sorry for the delay!

@ramonschriks
Copy link
Contributor Author

@evansims Thanks! However, i made a mistake and perhaps a unit test is still needed to be added to ensure correct functionality.
#755

evansims pushed a commit that referenced this pull request Jan 9, 2024
Follow up of #753

---

What a failure.. After validating the issuer with the tenant domain, we
still throw'd the exception...
It must not fall through this validation succeeds.

Perhaps a unit test is required for this.

Signed-off-by: ramonschriks <ramon.nmgn@live.nl>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants