From 6a2ecc4a65ec9ee3020dff6145452aca9b486deb Mon Sep 17 00:00:00 2001 From: Ramon Date: Fri, 29 Dec 2023 01:56:05 +0100 Subject: [PATCH] Validate token with tenant domain in case of custom domain When a token is issued, the token issuer is validated against the domain within the configuration. However, when a custom domain is provided within the SDK configuration, the issuer is validated against the custom domain. This fix will, in case of custom domain set in SDK configuration, validates the custom domain at first against the issuer within the token. Whenever this fails, fallback to the tenant domain set in the SDK Configuration. Use case: - A tenant domain is set - A custom domain is set All auth0 requests (e.g. token and validation) are sent to custom domain. In certain situations, the custom domain acts as a proxy that actually does some extended validation on the client request and redirects the requests to the actual tenant domain. Therefor, the tenant domain is the origin issuer of the token, while the requests are proxied through the custom domain. --- src/Token.php | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/Token.php b/src/Token.php index cede70ae..de125e9e 100644 --- a/src/Token.php +++ b/src/Token.php @@ -254,6 +254,7 @@ public function validate( ?int $tokenLeeway = null, ?int $tokenNow = null, ): self { + $tenantDomain = $this->configuration->formatDomain(true) . "/"; $tokenIssuer ??= $this->configuration->formatDomain() . '/'; $tokenAudience ??= $this->configuration->getAudience() ?? []; $tokenOrganization ??= $this->configuration->getOrganization() ?? null; @@ -275,8 +276,16 @@ public function validate( } } + try { + $validator->issuer($tokenIssuer); + } catch (InvalidTokenException $invalidTokenException) { + if($tenantDomain !== $tokenIssuer) { + $validator->issuer($tenantDomain); + } + throw $invalidTokenException; + } + $validator - ->issuer($tokenIssuer) ->audience($tokenAudience) ->expiration($tokenLeeway, $tokenNow);