Support use of Custom Issuer for ID Token verification [SDK-1910] #328
Conversation
| @@ -1761,7 +1761,7 @@ public void shouldFailToResumeLoginWhenRSAKeyIsMissingFromJWKSet() throws Except | |||
|
|
|||
| MockAuthCallback callback = new MockAuthCallback(); | |||
|
|
|||
| Auth0 proxyAccount = new Auth0(EXPECTED_AUDIENCE, mockAPI.getDomain(), mockAPI.getDomain()); | |||
| Auth0 proxyAccount = new Auth0(EXPECTED_AUDIENCE, mockAPI.getDomain()); | |||
There was a problem hiding this comment.
all these are not needed
| public void shouldResumeLoginIgnoringEmptyCustomIDTokenVerificationIssuer() throws Exception { | ||
| WebAuthProvider.init(account) | ||
| .withResponseType(ResponseType.ID_TOKEN) | ||
| .withIdTokenVerificationIssuer(null) |
There was a problem hiding this comment.
ensures that using "null" doesn't change the expected issuer to something different than the default value: the auth0 domain
|
|
||
| Map<String, Object> jwtBody = createJWTBody(); | ||
| jwtBody.put("nonce", sentNonce); | ||
| jwtBody.put("iss", "https://some.different.issuer/"); |
There was a problem hiding this comment.
constructs an ID token with this custom issuer value
| public void shouldResumeLoginUsingCustomIDTokenVerificationIssuer() throws Exception { | ||
| WebAuthProvider.init(account) | ||
| .withResponseType(ResponseType.ID_TOKEN) | ||
| .withIdTokenVerificationIssuer("https://some.different.issuer/") |
There was a problem hiding this comment.
expect a different issuer
lbalmaceda
force-pushed
the
custom-issuer
branch
from
55b5623
to
37bcf1b
Compare
lbalmaceda
changed the title
README.md
Outdated
| #### Token Validation | ||
| The ID token received as part of this authentication flow is automatically verified following the [OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html). | ||
|
|
||
| If your Auth0 account is set up to use Custom Domain but has not yet migrated from the [legacy behavior](https://auth0.com/docs/private-cloud/private-cloud-migrations/migrate-private-cloud-custom-domains#background), you need to override the expected issuer to match your Auth0 domain before starting the authentication. |
There was a problem hiding this comment.
If your Auth0 account is set up to use Custom Domain
Feels like this should be "Custom Domains" as that's what the high-level product feature is. Also, can we link to https://auth0.com/docs/custom-domains?
If so, there are a few instances in the diff below that should change to match (they don't all need the link though).
There was a problem hiding this comment.
Also, does this only affect PSaaS? If so, we should clarify that here too.
There was a problem hiding this comment.
I pushed some changes. LMK
lbalmaceda
force-pushed
the
custom-issuer
branch
from
3b6a7e4
to
1d703cd
Compare
Changes
The ID token issuer is associated to the domain that initiated the authentication request. In a legacy scenario when Custom Domains were in use, the Auth0 domain was used instead of the Custom Domain as part of the issuer.
References
https://auth0.com/docs/private-cloud/private-cloud-migrations/migrate-private-cloud-custom-domains#background
Testing
This change adds unit test coverage
This change adds integration test coverage
This change has been tested on the latest version of the platform/language or why not
Checklist
I have read the Auth0 general contribution guidelines
I have read the Auth0 Code of Conduct
All existing and new tests complete without errors