From 6a2ecc4a65ec9ee3020dff6145452aca9b486deb Mon Sep 17 00:00:00 2001
From: Ramon
Date: Fri, 29 Dec 2023 01:56:05 +0100
Subject: [PATCH 1/2] Validate token with tenant domain in case of custom domain

When a token is issued, the token issuer is validated against the domain within the configuration. However, when a custom domain is provided within the SDK configuration, the issuer is validated against the custom domain. This fix will, in case of custom domain set in SDK configuration, validates the custom domain at first against the issuer within the token. Whenever this fails, fallback to the tenant domain set in the SDK Configuration. Use case: - A tenant domain is set - A custom domain is set All auth0 requests (e.g. token and validation) are sent to custom domain. In certain situations, the custom domain acts as a proxy that actually does some extended validation on the client request and redirects the requests to the actual tenant domain. Therefor, the tenant domain is the origin issuer of the token, while the requests are proxied through the custom domain.

---
 src/Token.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/Token.php b/src/Token.php
index cede70ae..de125e9e 100644
--- a/src/Token.php
+++ b/src/Token.php
@@ -254,6 +254,7 @@ public function validate(
         ?int $tokenLeeway = null,
         ?int $tokenNow = null,
     ): self {
+        $tenantDomain = $this->configuration->formatDomain(true) . "/";
         $tokenIssuer ??= $this->configuration->formatDomain() . '/';
         $tokenAudience ??= $this->configuration->getAudience() ?? [];
         $tokenOrganization ??= $this->configuration->getOrganization() ?? null;
@@ -275,8 +276,16 @@ public function validate(
             }
         }
 
+        try {
+            $validator->issuer($tokenIssuer);
+        } catch (InvalidTokenException $invalidTokenException) {
+            if($tenantDomain !== $tokenIssuer) {
+                $validator->issuer($tenantDomain);
+            }
+            throw $invalidTokenException;
+        }
+
         $validator
-            ->issuer($tokenIssuer)
             ->audience($tokenAudience)
             ->expiration($tokenLeeway, $tokenNow);
 

From d95cd7d7251bd8a4c97cfdcaf7dc4be40d372f4d Mon Sep 17 00:00:00 2001
From: Evan Sims
Date: Thu, 28 Dec 2023 19:45:34 -0600
Subject: [PATCH 2/2] Apply code styling rules

---
 src/Token.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/Token.php b/src/Token.php
index de125e9e..23c7e761 100644
--- a/src/Token.php
+++ b/src/Token.php
@@ -254,7 +254,7 @@ public function validate(
         ?int $tokenLeeway = null,
         ?int $tokenNow = null,
     ): self {
-        $tenantDomain = $this->configuration->formatDomain(true) . "/";
+        $tenantDomain = $this->configuration->formatDomain(true) . '/';
         $tokenIssuer ??= $this->configuration->formatDomain() . '/';
         $tokenAudience ??= $this->configuration->getAudience() ?? [];
         $tokenOrganization ??= $this->configuration->getOrganization() ?? null;
@@ -279,9 +279,10 @@ public function validate(
         try {
             $validator->issuer($tokenIssuer);
         } catch (InvalidTokenException $invalidTokenException) {
-            if($tenantDomain !== $tokenIssuer) {
+            if ($tenantDomain !== $tokenIssuer) {
                 $validator->issuer($tenantDomain);
             }
+
             throw $invalidTokenException;
         }
 
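Review bot: The tenant-domain fallback in the new catch block can never let a token through, because `throw $invalidTokenException;` runs unconditionally after `$validator->issuer($tenantDomain)` succeeds, so a token issued by the tenant domain is still rejected exactly as before this patch, and when the fallback check itself throws, the first exception is discarded and the second propagates. The catch body should rethrow only when there is no distinct tenant domain to try: `if ($tenantDomain === $tokenIssuer) { throw $invalidTokenException; }` followed by `$validator->issuer($tenantDomain);` with no trailing throw, so that control falls through to the `->audience()->expiration()` chain below. Note that this makes the validator accept either issuer whenever the two formatted domains differ, including when the caller supplied an explicit `$tokenIssuer` (the `??=` in the earlier hunk suggests it is an overridable parameter); consider applying the fallback only when `$tokenIssuer` was not supplied, and state in validate()'s docblock that a token is accepted if its issuer matches either the custom domain or the tenant domain, since callers relying on a single trusted issuer would otherwise not expect the wider acceptance. validate() begins and ends outside this hunk.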