Closed hartimcwildfly closed 1 year ago
It's hardcoded here
Hi @hartimcwildfly - thanks for raising this
This SDK is only designed to connect to auth0.com
- the risk of allowing users to specify the protocol is that they may leave it on in production and start sending secrets over http to auth0.
Since your problem sounds like a temporary one during your migration phase, can you use a temporary solution like forking the repo or using https://github.com/ds300/patch-package?
Thanks for the hint. As the patch only needs to apply for the dev machine and it is more or less a standard solution, I am fine with this. Thanks!
Checklist
Describe the problem you'd like to have solved
We are currently migrating to Auth0. For local development I set up a mock authorization-server. I cannot use a another Auth0 instance for local development because in the migration phase we use a custom database in Auth0. And when local developing Auth0 cannot access the database on the dev machine. So this is why we need a mock authorization-server.
The problem is the auth0 library cannot connect to the authorization server because the protocol is hardcoded to HTTPS and in local development we only use HTTP. The custom port after the domain works. So we can see that the auth0 client tries to connect to our mock authorization-server but fails because of protocol mismatch.
In the library for the resource server express-oauth2-jwt-bearer one can set the whole URL.
Describe the ideal solution
Introduce a new property 'protocol'
or rename the existing property 'domain' to 'issuerBaseURL' like in the library 'express-oauth2-jwt-bearer'
Alternatives and current workarounds
but introducing TLS in development environments results in higher complexity when debugging.
Additional context
No response