.github's Issues

Add one-of functionality to verification of list claims

Currently the verification of a claim implemented as a list using withArrayClaim() verifies the claim object using a containsAll() function, meaning the token must include all of the elements present in the list input to withArrayClaim().

Problem:

A "one-of" check when verifying a list claim is valid. (See for example auth0/java-jwt#472 and the verification of Issuer. They both use the "one-of" verification.) However, it is now limited to only the hardcoded issuer and audience.

Use-case:

My company uses company roles as a claim in the token ("roles": ["admin", "team-member"]). The roles I would like to verify a token with could be mutually exclusive, meaning a user only has one of them. For example: grant access if the user has either the "admin" or the "consultant" role.

Solution: Add "anyOf" methods in addition to the withArrayClaim()-methods.

Extend the interface to also include withAnyOfArrayClaim() similar to the withAnyOfAudience() that will verify if the claim in the token contains any of the elements in the given list.

Current workaround:

Currently we remove the withArrayClaim() from the JWTVerifier usage and rather validate the claim manually from the DecodedJWT. This has created some structural issues in the code and feels unsafe going outside the library for such an important validation step.

Additional context

This PR: auth0/java-jwt#472 essentially makes the changes, but only for audience. However audience is not the only valid "one-of" claim.

I realise withArrayClaim() is to be deprecated in the next version: auth0/java-jwt#403
This functionality will not easily be implemented with the map-based objects, as you'd have to specify each map level as either a "one-of" or an "exact-match".

I've seen multiple attempts at "custom" or "map base" validation functionality being denied. In my eyes this is not added functionality so much as it should have been available from the get-go when withArrayClaim was added.
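The workaround the issue describes (signature, issuer and expiry checked by JWTVerifier, the "one-of" role rule applied afterwards on the DecodedJWT) looks like the following. This is an added example, not code from the issue author or from the java-jwt project; it assumes an HMAC-signed token, a claim named "roles", and constructed demo values for the secret and issuer.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class AnyOfRoleCheck {

    // Constructed demo values; a real deployment loads the secret from configuration.
    private static final String SECRET = "demo-secret-do-not-use-in-production";
    private static final String ISSUER = "https://example-issuer.invalid/";

    /**
     * Verifies signature, issuer and expiry with JWTVerifier first, then applies the
     * "one-of" rule to the roles claim. Returns the decoded token only if both pass,
     * so a caller cannot accidentally use a token that failed the role check.
     */
    public static DecodedJWT verifyWithAnyRole(String token, List<String> acceptedRoles) {
        Algorithm alg = Algorithm.HMAC256(SECRET);
        JWTVerifier verifier = JWT.require(alg).withIssuer(ISSUER).build();
        DecodedJWT decoded = verifier.verify(token); // throws JWTVerificationException on failure

        // asList returns null when the claim is missing or is not an array: treat both as failure
        List<String> roles = decoded.getClaim("roles").asList(String.class);
        if (roles == null || Collections.disjoint(roles, acceptedRoles)) {
            throw new JWTVerificationException(
                "The claim 'roles' contains none of " + acceptedRoles);
        }
        return decoded;
    }

    public static void main(String[] args) {
        Algorithm alg = Algorithm.HMAC256(SECRET);
        // Constructed token carrying two roles, signed with the demo secret
        String token = JWT.create()
            .withIssuer(ISSUER)
            .withArrayClaim("roles", new String[] {"admin", "team-member"})
            .sign(alg);

        // "admin" or "consultant" is enough: the token has "admin", so this passes
        DecodedJWT ok = verifyWithAnyRole(token, Arrays.asList("admin", "consultant"));
        System.out.println("accepted: " + ok.getClaim("roles").asList(String.class));

        // neither accepted role is present: rejected
        try {
            verifyWithAnyRole(token, Arrays.asList("consultant", "auditor"));
        } catch (JWTVerificationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Keeping the role check inside the same method that calls verify() is what makes the workaround tolerable: the token is never returned to application code unless the cryptographic checks and the role rule both passed.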

ManagementAPI getLogEvents() is double encoding the LogEventFilter's withQuery() value

Description

When building a LogEventFilter object that adds a date range query via the LogEventsFilter.withQuery() method, and then passing this object to the ManagementAPI getLogEvents() method the resulting q query string parameter is being double encoded. This is causing a 400 Bad Request error.

I would expect the query to only be URLEncoded once.

Reproduction

Here's the code snippet for setting the query parameter and making the getLogEvents() call:

import java.time.LocalDate;
import java.time.Period;
import com.auth0.client.mgmt.ManagementAPI;
import com.auth0.client.mgmt.filter.LogEventFilter;
import com.auth0.json.mgmt.logevents.LogEventsPage;
import com.auth0.net.Request;
// Lucene-style date range for the last 30 days; the library is expected to URL-encode it once
LocalDate date = LocalDate.now().minus(Period.ofDays(30));
String query = "date:[" + date + " TO *]";
LogEventFilter filter = new LogEventFilter()
    .withQuery(query)
    .withPage(pageNumber, 10);
// managementApi, userId and pageNumber are set up elsewhere in the calling code
Request<LogEventsPage> request = managementApi.users().getLogEvents(userId, filter);
request.execute();

Environment

  • Version of this library used: Tested on 1.34.0 and 1.40.1
  • Version of the platform or framework used, if applicable: Java 1.8
  • Other relevant versions (language, server software, OS, browser): N/A
  • Other modules/plugins/libraries that might be involved: N/A
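To tell a single encoding of the q parameter from a double one when looking at an outgoing request URL (for example one captured with an HTTP interceptor), the following added example shows what the parameter should look like after one encoding and a heuristic that flags a value encoded twice. It is not code from the issue author or from the auth0-java project; the sample query is constructed, and the check assumes the raw query contains no "%" followed by two hex digits (such a query would be a false positive).

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

public class QueryEncodingCheck {

    private static final Pattern PERCENT_ESCAPE = Pattern.compile("%[0-9A-Fa-f]{2}");

    /** The single encoding the q query string parameter is expected to carry. */
    public static String encodeOnce(String rawQuery) throws UnsupportedEncodingException {
        // Java 8 compatible overload (the issue reports Java 1.8)
        return URLEncoder.encode(rawQuery, StandardCharsets.UTF_8.name());
    }

    /**
     * Heuristic: decode the parameter value once; if %XX escapes survive, the value
     * was encoded more than once. A correctly single-encoded query decodes back to
     * the raw text, which (by assumption) contains no percent escapes.
     */
    public static boolean looksDoubleEncoded(String qParamValue) throws UnsupportedEncodingException {
        String decodedOnce = URLDecoder.decode(qParamValue, StandardCharsets.UTF_8.name());
        return PERCENT_ESCAPE.matcher(decodedOnce).find();
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        String query = "date:[2024-01-01 TO *]"; // constructed sample query
        String once = encodeOnce(query);           // date%3A%5B2024-01-01+TO+*%5D
        String twice = encodeOnce(once);           // date%253A%255B2024-01-01%2BTO%2B*%255D
        System.out.println("once : " + once);
        System.out.println("twice: " + twice);
        System.out.println("once looks double-encoded?  " + looksDoubleEncoded(once));   // false
        System.out.println("twice looks double-encoded? " + looksDoubleEncoded(twice));  // true
    }
}
```

A server that decodes the parameter once will see the literal string "date%3A%5B..." when the value was double-encoded, which is not a valid query and explains the 400 Bad Request reported above.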

Tonta

Please do not report security vulnerabilities here. The Responsible Disclosure Program details the procedure for disclosing security issues.

Thank you in advance for helping us to improve this library! Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community or Auth0 Support. Finally, to avoid duplicates, please search existing Issues before submitting one here.

By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct.

Description

Provide a clear and concise description of the issue, including what you expected to happen.

Reproduction

Detail the steps taken to reproduce this error, what was expected, and whether this issue can be reproduced consistently or if it is intermittent.

Where applicable, please include:

  • Code sample to reproduce the issue
  • Log files (redact/remove sensitive information)
  • Application settings (redact/remove sensitive information)
  • Screenshots

Environment

Please provide the following:

  • Version of this library used:
  • Version of the platform or framework used, if applicable:
  • Other relevant versions (language, server software, OS, browser):
  • Other modules/plugins/libraries that might be involved:
