Fix org name verification logic (#673)

auth0 · Jul 18, 2023 · b938065 · b938065
1 parent 3761a13
commit b938065
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 4 deletions.
diff --git a/auth0/src/main/java/com/auth0/android/provider/IdTokenVerifier.kt b/auth0/src/main/java/com/auth0/android/provider/IdTokenVerifier.kt
@@ -73,7 +73,7 @@ internal class IdTokenVerifier {
                 if (TextUtils.isEmpty(orgNameClaim)) {
                     throw OrgNameClaimMissingException()
                 }
-                if (!organizationInput.equals(orgNameClaim, true)) {
+                if (organizationInput.lowercase() != orgNameClaim) {
                     throw OrgNameClaimMismatchException(organizationInput, orgNameClaim)
                 }
             }

diff --git a/auth0/src/test/java/com/auth0/android/provider/IdTokenVerifierTest.java b/auth0/src/test/java/com/auth0/android/provider/IdTokenVerifierTest.java
@@ -305,12 +305,26 @@ public void shouldNotFailWhenOrganizationNameClaimIsRequiredAndHasSameValue() th
     }
 
     @Test
-    public void shouldNotFailWhenOrganizationNameClaimIsRequiredAndHasSameValueInDifferentCase() throws Exception {
+    public void shouldFailWhenInputClaimHasDifferentCaseThanOrgNameReceived() throws Exception {
+        String message = "Organization Name (org_name) claim mismatch in the ID token; expected \"__test_org_name__\", found \"__tESt_OrG_nAme__\"";
+        Exception e = Assert.assertThrows(message, OrgNameClaimMismatchException.class, () -> {
+            Map<String, Object> jwtBody = createJWTBody();
+            jwtBody.put("org_name", "__tESt_OrG_nAme__");
+            String token = createTestJWT("none", jwtBody);
+            Jwt jwt = new Jwt(token);
+            options.setOrganization(EXPECTED_ORGANIZATION_NAME);
+            idTokenVerifier.verify(jwt, options, true);
+        });
+        assertEquals("com.auth0.android.provider.TokenValidationException: " + message, e.toString());
+    }
+
+    @Test
+    public void shouldNotFailWhenOrgNameInputHasDifferentCaseThanClaimReceived() throws Exception {
         Map<String, Object> jwtBody = createJWTBody();
-        jwtBody.put("org_name", "__tESt_OrG_nAme__");
+        jwtBody.put("org_name", EXPECTED_ORGANIZATION_NAME);
         String token = createTestJWT("none", jwtBody);
         Jwt jwt = new Jwt(token);
-        options.setOrganization(EXPECTED_ORGANIZATION_NAME);
+        options.setOrganization("__tESt_OrG_nAme__");
         idTokenVerifier.verify(jwt, options, true);
     }