Support use of Custom Issuer for ID Token verification [SDK-1910] #328
Conversation
@@ -1761,7 +1761,7 @@ public void shouldFailToResumeLoginWhenRSAKeyIsMissingFromJWKSet() throws Except | |||
|
|||
MockAuthCallback callback = new MockAuthCallback(); | |||
|
|||
Auth0 proxyAccount = new Auth0(EXPECTED_AUDIENCE, mockAPI.getDomain(), mockAPI.getDomain()); | |||
Auth0 proxyAccount = new Auth0(EXPECTED_AUDIENCE, mockAPI.getDomain()); |
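Review bot: dropping the third `mockAPI.getDomain()` argument in `Auth0 proxyAccount = new Auth0(EXPECTED_AUDIENCE, mockAPI.getDomain());` changes which `Auth0` constructor `shouldFailToResumeLoginWhenRSAKeyIsMissingFromJWKSet` exercises; confirm that the two-argument form still resolves the JWK set from `mockAPI.getDomain()`, otherwise the failure this test asserts could come from an unreachable JWKS endpoint rather than from the missing RSA key it is meant to cover.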
all these are not needed
public void shouldResumeLoginIgnoringEmptyCustomIDTokenVerificationIssuer() throws Exception { | ||
WebAuthProvider.init(account) | ||
.withResponseType(ResponseType.ID_TOKEN) | ||
.withIdTokenVerificationIssuer(null) |
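Review bot: `shouldResumeLoginIgnoringEmptyCustomIDTokenVerificationIssuer` is named for an empty issuer but only passes `null` to `withIdTokenVerificationIssuer`; an empty string can take a different code path from `null`, so either add a second case with `.withIdTokenVerificationIssuer("")` asserting the same fallback to the Auth0 domain, or rename the test to say Null.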
ensures that using "null" doesn't change the expected issuer to something different than the default value: the auth0 domain
|
||
Map<String, Object> jwtBody = createJWTBody(); | ||
jwtBody.put("nonce", sentNonce); | ||
jwtBody.put("iss", "https://some.different.issuer/"); |
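Review bot: the token body built here with `jwtBody.put("iss", "https://some.different.issuer/");` should also be fed to a provider configured without any `withIdTokenVerificationIssuer` call and asserted to fail; without that negative case, a verifier that stopped checking `iss` altogether would still pass the custom-issuer test that consumes this body.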
constructs an ID token with this custom issuer value
public void shouldResumeLoginUsingCustomIDTokenVerificationIssuer() throws Exception { | ||
WebAuthProvider.init(account) | ||
.withResponseType(ResponseType.ID_TOKEN) | ||
.withIdTokenVerificationIssuer("https://some.different.issuer/") |
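Review bot: `.withIdTokenVerificationIssuer("https://some.different.issuer/")` matches the token's `iss` exactly, trailing slash included; add a case where the configured value omits the scheme or the trailing slash (the form a developer is likely to paste from the dashboard) and assert whether the SDK normalizes it or rejects the token, so an exact-string comparison does not fail verification silently in production.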
expect a different issuer
55b5623 to 37bcf1b
LGTM, just a couple of docs questions.
README.md (outdated)
#### Token Validation | ||
The ID token received as part of this authentication flow is automatically verified following the [OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html). | ||
|
||
If your Auth0 account is set up to use Custom Domain but has not yet migrated from the [legacy behavior](https://auth0.com/docs/private-cloud/private-cloud-migrations/migrate-private-cloud-custom-domains#background), you need to override the expected issuer to match your Auth0 domain before starting the authentication. |
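Review bot: the paragraph starting `If your Auth0 account is set up to use Custom Domain` tells the reader to override the expected issuer but not how; add the builder call (`withIdTokenVerificationIssuer(...)`, as used in the tests in this PR) with the exact value format expected, and state that the override replaces the default issuer check rather than adding to it, so the value must be the exact issuer the tenant puts in `iss` or every ID token will be rejected.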
If your Auth0 account is set up to use Custom Domain
Feels like this should be "Custom Domains" as that's what the high-level product feature is. Also, can we link to https://auth0.com/docs/custom-domains?
If so, there are a few instances in the diff below that should change to match (they don't all need the link though).
Also, does this only affect PSaaS? If so, we should clarify that here too.
I pushed some changes. LMK
3b6a7e4 to 1d703cd
Changes
The ID token issuer is associated with the domain that initiated the authentication request. In the legacy scenario, when Custom Domains were in use, the Auth0 domain was used instead of the Custom Domain as part of the issuer.
References
https://auth0.com/docs/private-cloud/private-cloud-migrations/migrate-private-cloud-custom-domains#background
Testing
This change adds unit test coverage
This change adds integration test coverage
This change has been tested on the latest version of the platform/language or why not
Checklist
I have read the Auth0 general contribution guidelines
I have read the Auth0 Code of Conduct
All existing and new tests complete without errors
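The issuer check this PR is about, as an added example that is not the SDK's code: a minimal ID token claim verifier whose expected issuer defaults to the domain the request was sent to (assumed here to be formatted as `https://<domain>/`), treats a `null` or empty override as "use the default", and otherwise compares `iss` to the override as an exact string. The tenant names, client id, nonce and the unsigned `alg=none` sample tokens are constructed for the example; signature validation against the JWKS is assumed to have already happened and is not shown.

```python
import base64
import json
from typing import Optional


class IdTokenVerificationError(Exception):
    pass


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_id_token(claims: dict) -> str:
    """Constructed sample token (alg=none) so the example runs offline.
    A real verifier validates the signature against the tenant JWKS before
    the claim checks below; that step is assumed to have already passed."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenVerificationError("ID token is not a three-part JWT")
    return json.loads(_b64url_decode(parts[1]))


class IdTokenVerifier:
    def __init__(self, domain: str, audience: str,
                 id_token_verification_issuer: Optional[str] = None):
        # Default expected issuer is derived from the domain the authorize
        # request was sent to (assumed format: "https://<domain>/").
        # None or "" keeps that default, like the "ignoring empty" test case.
        self.expected_issuer = id_token_verification_issuer or f"https://{domain}/"
        self.audience = audience

    def verify(self, token: str, expected_nonce: str) -> dict:
        claims = decode_claims(token)
        iss = claims.get("iss")
        # Exact string comparison: scheme, host and trailing slash must match.
        if not isinstance(iss, str) or iss != self.expected_issuer:
            raise IdTokenVerificationError(
                f"issuer mismatch: expected {self.expected_issuer!r}, got {iss!r}")
        aud = claims.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            raise IdTokenVerificationError("audience mismatch")
        if claims.get("nonce") != expected_nonce:
            raise IdTokenVerificationError("nonce mismatch")
        return claims


def outcome(verifier: IdTokenVerifier, token: str, nonce: str) -> str:
    try:
        verifier.verify(token, nonce)
        return "accepted"
    except IdTokenVerificationError as err:
        return f"rejected: {err}"


# Constructed scenario with hypothetical names: the app talks to the Custom
# Domain "login.example.com", but under the legacy behaviour the tenant still
# issues tokens whose "iss" is the Auth0 domain "tenant.example.auth0.com".
CUSTOM_DOMAIN = "login.example.com"
LEGACY_ISSUER = "https://tenant.example.auth0.com/"
AUDIENCE = "client-id-123"
NONCE = "n-0S6_WzA2Mj"


def sample_token(issuer: str) -> str:
    return make_unsigned_id_token(
        {"iss": issuer, "aud": AUDIENCE, "nonce": NONCE, "sub": "auth0|user1"})


def run_scenarios() -> dict:
    legacy = sample_token(LEGACY_ISSUER)
    migrated = sample_token(f"https://{CUSTOM_DOMAIN}/")
    default = IdTokenVerifier(CUSTOM_DOMAIN, AUDIENCE)
    return {
        # Migrated tenant: the default issuer check passes with no override.
        "migrated_default": outcome(default, migrated, NONCE),
        # Legacy tenant without an override: rejected, as the README describes.
        "legacy_default": outcome(default, legacy, NONCE),
        # None and "" do not change the expected issuer.
        "legacy_null_override": outcome(IdTokenVerifier(CUSTOM_DOMAIN, AUDIENCE, None), legacy, NONCE),
        "legacy_empty_override": outcome(IdTokenVerifier(CUSTOM_DOMAIN, AUDIENCE, ""), legacy, NONCE),
        # Correct override: the legacy issuer is now accepted.
        "legacy_override": outcome(IdTokenVerifier(CUSTOM_DOMAIN, AUDIENCE, LEGACY_ISSUER), legacy, NONCE),
        # Override pasted without the trailing slash fails the exact match.
        "legacy_override_no_slash": outcome(
            IdTokenVerifier(CUSTOM_DOMAIN, AUDIENCE, "https://tenant.example.auth0.com"), legacy, NONCE),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The last scenario is the one worth keeping in mind when documenting the override: because the comparison is exact, a value that differs only by a trailing slash or scheme rejects every token, which is why the README should spell out the expected format.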