Skip to content

Feat/mcd initials#21

Open
tanya732 wants to merge 16 commits intomainfrom
feat/mcd-initials
Open

Feat/mcd initials#21
tanya732 wants to merge 16 commits intomainfrom
feat/mcd-initials

Conversation

@tanya732
Copy link
Copy Markdown
Contributor

@tanya732 tanya732 commented Mar 2, 2026
edited
Loading

Changes

  • Multi-Custom Domain (MCD) support — tokens can now be validated against multiple issuer domains, enabling multi-tenant. Three configuration modes are supported:

    a. Single domain (auth0.domain) — existing behavior, preserved for backward compatibility
    b. Static domains list (auth0.domains) — YAML-configured list of allowed issuers
    c. Dynamic resolver (Auth0DomainResolver bean) — resolve allowed issuers at request time based on headers, URL, or unverified iss claim

// Core API — dynamic resolver
AuthOptions options = new AuthOptions.Builder()
    .domainsResolver(context -> {
        String host = context.getHeaders().get("host");
        return lookupIssuersForHost(host);
    })
    .audience("https://api.example.com")
    .build();

# Spring Boot — static list
auth0:
  domains:
    - "https://tenant-a.us.auth0.com/"
    - "https://tenant-b.eu.auth0.com/"
  cacheMaxEntries: 200
  cacheTtlSeconds: 900
  • OIDC Discovery — JWTValidator now fetches /.well-known/openid-configuration for each issuer to obtain the jwks_uri dynamically, and validates that the discovery issuer matches the token's iss claim before trusting the signing keys
  • Unified caching layer — new AuthCache interface with a default thread-safe in-memory LRU implementation (InMemoryAuthCache) that caches both OIDC discovery metadata and JWKS providers using key prefixes (discovery: / jwks:). Configurable via auth0.cacheMaxEntries and auth0.cacheTtlSeconds, or replaceable with a custom AuthCache implementation (e.g., Redis)
  • Simplified API surface — AuthClient.verifyRequest() and all internal authentication strategies now take only HttpRequestInfo (which embeds headers) instead of separate headers + requestInfo parameters.
  • Spring Boot integration — Auth0AutoConfiguration wires up all three domain modes automatically, bridging the Spring-specific Auth0DomainResolver to the core DomainResolver interface. New properties: auth0.domains, auth0.cacheMaxEntries, auth0.cacheTtlSeconds
  • New model classes — RequestContext (request metadata for resolvers), OidcMetadata (parsed discovery response), Auth0RequestContext (Spring Boot adapter)

@tanya732
Copy link
Copy Markdown
Contributor Author

tanya732 commented Mar 16, 2026

@copilot

Copy link
Copy Markdown

Copilot AI commented Mar 16, 2026

@tanya732 I've opened a new pull request, #23, to work on those changes. Once the pull request is ready, I'll request review from you.

Copilot AI mentioned this pull request Mar 16, 2026
Closed
@tanya732 tanya732 marked this pull request as ready for review March 16, 2026 13:53
@tanya732 tanya732 requested a review from a team as a code owner March 16, 2026 13:53
@tanya732 tanya732 requested a review from Copilot March 16, 2026 13:54
Copilot AI reviewed Mar 16, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds Multi-Custom Domain (MCD) support to the Auth0 Java SDK, enabling token validation against multiple issuer domains. It also introduces OIDC Discovery, a unified caching layer, and simplifies the API surface by embedding headers into HttpRequestInfo.

Changes:

  • Multi-Custom Domain support with three modes: single domain (backward-compatible), static domains list, and dynamic resolver (DomainResolver/Auth0DomainResolver)
  • OIDC Discovery integration in JWTValidator to fetch .well-known/openid-configuration per issuer, with unified AuthCache (default InMemoryAuthCache LRU + TTL) for both discovery metadata and JWKS providers
  • Simplified API: AuthClient.verifyRequest() and authentication strategies now take only HttpRequestInfo (which embeds headers), removing the separate headers parameter

Reviewed changes

Copilot reviewed 42 out of 42 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
auth0-api-java/.../AuthClient.java Simplified verifyRequest to accept only HttpRequestInfo
auth0-api-java/.../AuthenticationOrchestrator.java Updated process signature to match new API
auth0-api-java/.../AbstractAuthentication.java Removed headers param from authenticate, validateBearerToken, validateDpopTokenAndProof
auth0-api-java/.../AllowedDPoPAuthentication.java Updated to use requestInfo.getHeaders()
auth0-api-java/.../DisabledDPoPAuthentication.java Updated authenticate; contains commented-out code
auth0-api-java/.../RequiredDPoPAuthentication.java Updated authenticate; contains commented-out code and wrong Javadoc
auth0-api-java/.../DomainResolver.java New core functional interface for dynamic domain resolution
auth0-api-java/.../models/AuthOptions.java Added domains, domainsResolver, cache settings; updated build validation
auth0-api-java/.../models/HttpRequestInfo.java Added headers field with normalization; replaced context; new single-arg constructor
auth0-api-java/.../models/OidcMetadata.java New model for OIDC discovery metadata
auth0-api-java/.../models/RequestContext.java New model for domain resolver context
auth0-api-java/.../cache/AuthCache.java New cache abstraction interface
auth0-api-java/.../cache/InMemoryAuthCache.java New thread-safe LRU+TTL cache implementation
auth0-api-java/.../validators/JWTValidator.java Major rework: OIDC discovery, MCD resolution, dynamic JwkProvider caching
auth0-api-java/.../validators/OidcDiscoveryFetcher.java New OIDC discovery fetcher with caching
auth0-api-java/.../validators/ClaimValidator.java Minor doc/comment cleanup
auth0-api-java/.../examples/Auth0ApiExample.java Removed
auth0-springboot-api/.../Auth0AutoConfiguration.java MCD wiring: resolver bean bridging, domains list, cache config
auth0-springboot-api/.../Auth0Properties.java Added domains, cacheMaxEntries, cacheTtlSeconds properties
auth0-springboot-api/.../Auth0AuthenticationFilter.java Updated to pass headers into HttpRequestInfo and use new verifyRequest
auth0-springboot-api/.../Auth0DomainResolver.java New Spring Boot functional interface for dynamic domain resolution
auth0-springboot-api/.../Auth0RequestContext.java New Spring Boot request context model
auth0-springboot-api-playground/.../SecurityConfig.java Formatting changes
auth0-springboot-api-playground/.../ProfileController.java Added MCD demo endpoint
auth0-springboot-api-playground/.../McdDomainResolverExample.java New MCD configuration example
Test files (multiple) Updated to match new API signatures, added MCD and cache tests
Comments suppressed due to low confidence (1)

auth0-api-java/src/main/java/com/auth0/validators/JWTValidator.java:162

  • The catch (Exception e) block on line 160 unconditionally wraps all exceptions — including VerifyAccessTokenException thrown earlier in this method (e.g., "Token issuer is not in the allowed list", "Symmetric algorithms are not supported", "Discovery metadata issuer does not match token issuer") — into a new generic VerifyAccessTokenException("signature verification failed", e). This masks the specific error messages introduced for MCD validation. Consider re-throwing BaseAuthException instances directly before the generic wrap, similar to how wrapAsValidationException works elsewhere in this class.
        } catch (Exception e) {
            throw new VerifyAccessTokenException("signature verification failed", e);
        }

kailash-b
kailash-b previously approved these changes Mar 19, 2026
View reviewed changes
nandan-bhat
nandan-bhat requested changes Apr 8, 2026
View reviewed changes
auth0-springboot-api/EXAMPLES.md
# Optional: Static list of allowed issuer domains (MCD)
# Mutually exclusive with domainsResolver bean
domains:
- "login.acme.com"
Copy link
Copy Markdown

@nandan-bhat nandan-bhat Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should be custom domains of single tenant.
Better to keep the single domain with multiple sub-domains.

Copy link
Copy Markdown
Contributor Author

@tanya732 tanya732 Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated with -
- "brandA.acme.com"
- "brandB.acme.com"
- "brandC.acme.com"

auth0-springboot-api/EXAMPLES.md Outdated
auth0:
audience: "https://api.example.com"
domains:
- "login.acme.com"
Copy link
Copy Markdown

@nandan-bhat nandan-bhat Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as https://github.com/auth0/auth0-auth-java/pull/21/changes#r3051934111

Copy link
Copy Markdown
Contributor Author

@tanya732 tanya732 Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated with -

  • "brandA.acme.com"
  • "brandB.acme.com"
  • "brandC.acme.com"

nandan-bhat
nandan-bhat previously approved these changes Apr 8, 2026
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@kailash-b kailash-b kailash-b left review comments

@nandan-bhat nandan-bhat nandan-bhat left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@tanya732 @kailash-b @nandan-bhat