
Custom Domain with URL scheme (https://) causes token decoding to fail #630

Closed
barasimumatik opened this issue May 13, 2022 · 5 comments · Fixed by #633 or #634
Scope: Bug Addressing unexpected problems or unintended behavior.

Comments

@barasimumatik

SDK Version

8.2

PHP Version

PHP 7.4

What happened?

Given this configuration

use Auth0\SDK\Configuration\SdkConfiguration;

$configuration = new SdkConfiguration([
    "strategy" => SdkConfiguration::STRATEGY_API,
    "audience" => $settings["audience"],
    "domain" => $settings["domain"], // "https://tenant.eu.auth0.com/"
    "customDomain" => $settings["custom_domain"], // "https://auth.example.com/"
]);

and calling $this->auth0->decode($token); results in an exception due to the custom domain being invalid

[2022-05-13T15:09:59+00:00] [API] - DEBUG - Result of $this->auth0->configuration()->getDomain(): tenant.eu.auth0.com  {"uid":"9e07040"}
[2022-05-13T15:09:59+00:00] [API] - DEBUG - Result of $this->auth0->configuration()->getCustomDomain(): https://auth.example.com/  {"uid":"9e07040"}
[2022-05-13T15:09:59+00:00] [API] - DEBUG - Result of $this->auth0->configuration()->formatDomain(): https://https://auth.example.com/  {"uid":"9e07040"}
[2022-05-13T15:09:59+00:00] [API] - DEBUG - Result of $this->auth0->configuration()->formatCustomDomain(): https://https://auth.example.com/  {"uid":"9e07040"}
[2022-05-13T15:09:59+00:00] [API] - DEBUG - Decoding token  {"uid":"9e07040"}
[2022-05-13T15:10:04+00:00] [API] - ERROR - Unexpected exception when processing token [...]
Exception info: GuzzleHttp\Exception\ConnectException: cURL error 6: Could not resolve host: https (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://https//auth.example.com///auth.example.com//.well-known/jwks.json in /app/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:210

How can we reproduce this issue?

  1. Configure the SDK as above (using suitable tenant and custom domains with URL scheme)
  2. Get a token and try to decode it

Additional context

This is a bit of a side note, but when we added custom domains to our tenants we implemented support in our API for validating tokens by allowing both the tenant domain and the custom domain as token issuers (to ease migration for dependent applications).

To do this we simply parsed the token and checked which one of the domains (if any) was part of the 'iss' claim (otherwise we rejected the token) before calling the SDK to verify and decode the token (SDK version 7.x). Not very nice, but it worked. Since then it stayed that way even after migrating (and frankly, it wouldn't surprise me if something would break if we switched to exclusively use the custom domains instead of the tenant domains).

We are now in the process of migrating to PHP8.1 and one of the first dependencies we need to migrate is the SDK. I noticed that the SdkConfiguration allows setting the domain and customDomain individually, so I hoped the SDK would take care of checking that the issuer corresponds to one of them as part of verification/validation but it doesn't seem like it does (I would really appreciate a workaround if anyone has any suggestions).

Looking at the values returned from the SdkConfiguration, it looks like it strips the URL scheme from the domain, but not the customDomain, so the formatDomain/formatCustomDomain methods will get an extra "https://" tacked onto it.
Then I don't really know what is going on with the JWKS URL, but I guess that is related to the above.

Now, I can just remove the "https://" from the custom domain, but shouldn't the behaviour be consistent between domain and customDomain (i.e. it strips the URL scheme in both)?

@evansims
Member

Hey @barasimumatik 👋 Good catch, and thanks for the detailed explanation. This is indeed an oversight on my part and should be considered a bug. I'm on vacation this coming week but I'll get a bug fix release out once I return to address this. Thanks for the heads up!

@evansims evansims added the Scope: Bug Addressing unexpected problems or unintended behavior. label May 14, 2022
@evansims evansims self-assigned this May 14, 2022
@barasimumatik
Author

No problem, I'm just glad I could help in some way 😃

@barasimumatik barasimumatik changed the title Custom Domain with URL scheme (https://) breaks causes token decoding to fail Custom Domain with URL scheme (https://) causes token decoding to fail May 16, 2022
@barasimumatik
Author

barasimumatik commented May 16, 2022

If anyone else has my problem regarding multiple issuers (in this case when it is either the Auth0 domain or the custom domain) this is what I do now:

use Auth0\SDK\Token;
use Auth0\SDK\Exception\InvalidTokenException;

// Parse the token
$parsedToken = new Token($this->auth0->configuration(), $token, Token::TYPE_TOKEN);

// Verify the token before checking the issuer claim
$parsedToken->verify();

// Check the issuer against the Auth0 domain and/or the Auth0 custom domain
// (isTrustedIssuer() is the application's own allow-list check, not an SDK method)
$issuer = $parsedToken->getIssuer();
if (!$this->isTrustedIssuer($issuer)) {
    throw new InvalidTokenException("Untrusted issuer '$issuer'");
}

// Validate the token claims, but use the issuer from the token instead of relying on the
// Auth0 SdkConfiguration since we can get tokens with either the domain _or_ the custom domain.
$parsedToken->validate($issuer);

return $parsedToken->toArray();

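
The two points raised in this thread, the scheme being stripped from domain but not customDomain (which doubles "https://" and breaks the JWKS URL), and a workaround that accepts either issuer, can be made concrete in plain PHP. This is an added example, not the SDK's code or the reporter's: normalizeDomain(), formatDomain() and isTrustedIssuer() are hypothetical helpers, and the sample values are constructed to mirror the report. The issuer check compares normalised hosts exactly rather than by substring, so a longer host that merely contains the expected domain is rejected.

```php
<?php
// Hypothetical helpers, not the SDK's own code. normalizeDomain() strips the
// URL scheme and trailing slashes so "https://auth.example.com/" and
// "auth.example.com" become the same bare host; anything else yields null.
function normalizeDomain(string $domain): ?string
{
    $host = (string) preg_replace('#^https?://#i', '', trim($domain));
    $host = rtrim($host, '/');
    // A leftover path, port, query or userinfo means the value was not a host.
    if ($host === '' || preg_match('#^[A-Za-z0-9.-]+$#', $host) !== 1) {
        return null;
    }
    return strtolower($host);
}

// Prefix the scheme exactly once, so "https://" is never doubled as in the
// formatCustomDomain() output quoted in the report.
function formatDomain(string $domain): string
{
    $host = normalizeDomain($domain);
    if ($host === null) {
        throw new InvalidArgumentException("Not a bare domain: {$domain}");
    }
    return 'https://' . $host . '/';
}

// Exact match of the token's `iss` claim against the normalised allow-list.
// A substring check would also accept hosts that merely contain the domain.
function isTrustedIssuer(string $issuer, array $allowedDomains): bool
{
    $issuerHost = normalizeDomain($issuer);
    if ($issuerHost === null) {
        return false;
    }
    foreach ($allowedDomains as $domain) {
        if (normalizeDomain($domain) === $issuerHost) {
            return true;
        }
    }
    return false;
}

// Constructed sample values mirroring the report.
$domain = 'https://tenant.eu.auth0.com/';
$customDomain = 'https://auth.example.com/';
assert(formatDomain($customDomain) . '.well-known/jwks.json'
    === 'https://auth.example.com/.well-known/jwks.json');
assert(isTrustedIssuer('https://auth.example.com/', [$domain, $customDomain]));
assert(!isTrustedIssuer('https://auth.example.com.lookalike.test/', [$domain, $customDomain]));
```

Run with zend.assertions=1 so the checks at the bottom are evaluated; they pass silently and fail loudly on the lookalike issuer.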
@evansims
Member

evansims commented Jun 7, 2022

This should be resolved as of 8.2.1! Please let me know how it goes for you. Thanks again for bringing this to our attention 👍

@github-actions
Contributor

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 23, 2022