Currently, if we define validIssuers=['https://topcoder-newauth.auth0.com'] while inside the token iss="https://topcoder-newauth.auth0.com/", the issuer verification will fail, because in validIssuers we defined the URL without a trailing slash, while inside the token iss is defined as a URL with a trailing slash.
Also, the reverse situation is probably possible, when iss is defined without a trailing slash and validIssuers is defined with a trailing slash.
When tc-core-library-js is used as a dependency of another service, it could be hard to understand where the issue comes from, as it may not be clear at first sight why verification failed if the URLs look the same. I think it would be nice to enhance the verification process so it ignores the trailing slash. So far I don't see security issues if such an enhancement is implemented.
Lines where we verify validIssuers:
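An added example, not part of the original issue and not tc-core-library-js code: one way to make the issuer comparison ignore a single trailing slash while staying an exact match in every other respect. The function names and the double-slash and lookalike sample values are constructed for illustration.

```javascript
'use strict';

// Hypothetical helper: strip at most ONE trailing slash. Nothing else is
// touched (no lowercasing, no URL parsing), so the comparison below remains
// an exact string match apart from that one character.
function normalizeIssuer(issuer) {
  if (typeof issuer !== 'string') return null;
  const stripped = issuer.endsWith('/') ? issuer.slice(0, -1) : issuer;
  return stripped.length > 0 ? stripped : null;
}

// Hypothetical check: true only if the token's iss equals one of the
// configured issuers once both sides are normalized.
function isValidIssuer(tokenIss, validIssuers) {
  const iss = normalizeIssuer(tokenIss);
  if (iss === null || !Array.isArray(validIssuers)) return false;
  return validIssuers.some((v) => normalizeIssuer(v) === iss);
}

// Hypothetical diagnostic for the "URLs look the same" case in the issue:
// says whether a trailing slash is the only thing causing a strict mismatch.
function explainIssuer(tokenIss, validIssuers) {
  if (Array.isArray(validIssuers) && validIssuers.includes(tokenIss)) {
    return 'exact match';
  }
  return isValidIssuer(tokenIss, validIssuers)
    ? 'match after ignoring one trailing slash'
    : 'no match';
}

// Issuer value taken from the issue text.
const configured = ['https://topcoder-newauth.auth0.com'];

// Constructed inputs covering both directions plus values that must fail.
const samples = [
  'https://topcoder-newauth.auth0.com/',             // slash only in token
  'https://topcoder-newauth.auth0.com',              // identical
  'https://topcoder-newauth.auth0.com//',            // two slashes: rejected
  'https://topcoder-newauth.auth0.com.example.org/', // lookalike: rejected
];

for (const iss of samples) {
  console.log(iss, '->', explainIssuer(iss, configured));
}
```

Because only one trailing character is removed before an equality test, the set of accepted issuers grows by exactly one spelling per configured entry; prefix or substring matching is never involved.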