From 871ce9ca274c6d9a7985560a07af34fe763acd06 Mon Sep 17 00:00:00 2001 From: Steve Hobbs Date: Wed, 19 Jul 2023 09:15:57 +0100 Subject: [PATCH] chore: should not lowercase org_name claim (#499) --- EXAMPLES.md | 2 +- lib/auth0/mixins/validation.rb | 2 +- spec/lib/auth0/mixins/validation_spec.rb | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/EXAMPLES.md b/EXAMPLES.md index 4ed0d060..fe5f2fd9 100644 --- a/EXAMPLES.md +++ b/EXAMPLES.md @@ -178,7 +178,7 @@ In particular: - The issuer (iss) claim should be checked to ensure the token was issued by Auth0 -- the `org_id` or `org_name` claim should be checked to ensure it is a value that is already known to the application. Which claim you check depends on the organization value being validated: if it starts with `org_`, validate against the `org_id` claim. Otherwise, validate against `org_name`. Further, `org_name` validation should be done using a **case-insensitive** check, whereas `org_id` should be an exact case-sensitive match. +- the `org_id` or `org_name` claim should be checked to ensure it is a value that is already known to the application. Which claim you check depends on the organization value being validated: if it starts with `org_`, validate against the `org_id` claim. Otherwise, validate against `org_name`. Further, the value of the `org_name` claim will always be lowercase. To aid the developer experience, you may also lowercase the input organization name when checking against the `org_name`, but do not modify the `org_name` claim value. This could be validated against a known list of organization IDs or names, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the Access Token. diff --git a/lib/auth0/mixins/validation.rb b/lib/auth0/mixins/validation.rb index 8690abc9..f2596668 100644 --- a/lib/auth0/mixins/validation.rb +++ b/lib/auth0/mixins/validation.rb @@ -204,7 +204,7 @@ def validate_org(claims, expected) raise Auth0::InvalidIdToken, 'Organization Name (org_name) claim must be a string present in the ID token' end - unless expected.downcase == claims['org_name'].downcase + unless expected.downcase == claims['org_name'] raise Auth0::InvalidIdToken, "Organization Name (org_name) claim value mismatch in the ID token; expected \"#{expected}\","\ " found \"#{claims['org_name']}\"" end diff --git a/spec/lib/auth0/mixins/validation_spec.rb b/spec/lib/auth0/mixins/validation_spec.rb index 08094974..5d31a5a5 100644 --- a/spec/lib/auth0/mixins/validation_spec.rb +++ b/spec/lib/auth0/mixins/validation_spec.rb @@ -342,8 +342,8 @@ def build_id_token(payload = {}) end it 'is expected to NOT raise an error with organization name in different casing' do - token = build_id_token org_name: 'MY-ORGANIZATION' - instance = Auth0::Mixins::Validation::IdTokenValidator.new(CONTEXT.merge({ organization: 'my-organization' })) + token = build_id_token org_name: 'my-organization' + instance = Auth0::Mixins::Validation::IdTokenValidator.new(CONTEXT.merge({ organization: 'MY-ORGANIZATION' })) expect { instance.validate(token) }.not_to raise_exception end