Skip to content

feat: add Multiple Custom Domains (MCD) support and fix JWT verification #71

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kishore7snehil wants to merge 17 commits into
base: main
Choose a base branch
from
Open

feat: add Multiple Custom Domains (MCD) support and fix JWT verification #71

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
ac24ef7
feat: add Multiple Custom Domains (MCD) support and fix JWT verification
kishore7snehil Feb 2, 2026
1164848
Bump poetry version from latest to 2.2.1 in test workflow
kishore7snehil Feb 2, 2026
2646682
Fix linting errors
kishore7snehil Feb 2, 2026
307000b
test: improve cache verification in OIDC metadata and JWKS tests
kishore7snehil Feb 2, 2026
3f68c3c
refactor: rename cache size variable and reorganize test comments
kishore7snehil Feb 3, 2026
2e0ae17
chore: add cryptography package to Snyk license ignore list
kishore7snehil Feb 3, 2026
3b131d8
Merge remote-tracking branch 'origin/main' into feat/mcd-support
kishore7snehil Feb 6, 2026
daa6d35
Implement normalized issuer validation and add related tests
kishore7snehil Feb 8, 2026
74329ab
refactor: remove unused jwt import from test_server_client.py
kishore7snehil Feb 9, 2026
073c38b
refactor: remove requirement comments for OIDC metadata and JWKS caching
kishore7snehil Feb 11, 2026
75a8531
feat: improve caching mechanism and add more examples to the example doc
kishore7snehil Feb 13, 2026
0eb64b4
feat: enhance Multiple Custom Domains (MCD) support with dynamic doma…
kishore7snehil Feb 25, 2026
f8d8470
fix: update type hint for audience parameter in _verify_and_decode_jw…
kishore7snehil Feb 25, 2026
283377f
feat: add DOMAIN_MISMATCH error code for session domain validation in…
kishore7snehil Feb 26, 2026
e40942d
feat: implement domain validation for backchannel logout and enhance …
kishore7snehil Feb 27, 2026
1c5f2d8
chore: fix for review comments (set-1)
kishore7snehil Mar 3, 2026
a9debdd
fix: scoped logout, backchannel logout
kishore7snehil Mar 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,4 +24,7 @@ test.py
test-script.py
.coverage
coverage.xml

examples/mcd-poc
IMPLEMENTATION_NOTES.md
examples/MCD_DEVELOPER_GUIDE.md
DESIGN_DOC_REVISED.md
139 changes: 139 additions & 0 deletions examples/MultipleCustomDomains.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,139 @@
# Multiple Custom Domains (MCD) Guide

This guide explains how to implement Multiple Custom Domain (MCD) support using the Auth0 Python SDKs.

## What is MCD?

Multiple Custom Domains (MCD) allows your application to serve different organizations or tenants from different hostnames, each mapping to a different Auth0 tenant/domain.

**Example:**
- `https://acme.yourapp.com` β†’ Auth0 tenant: `acme.auth0.com`
- `https://globex.yourapp.com` β†’ Auth0 tenant: `globex.auth0.com`

Each tenant gets its own branded login experience while using a single application codebase.

## Configuration Methods

### Method 1: Static Domain (Single Tenant)

For applications with a single Auth0 domain:

```python
from auth0_server_python import ServerClient

client = ServerClient(
domain="your-tenant.auth0.com", # Static string
client_id="your_client_id",
client_secret="your_client_secret",
secret="your_encryption_secret"
)
```

### Method 2: Dynamic Domain Resolver (MCD)

For MCD support, provide a domain resolver function that receives a `DomainResolverContext`:

```python
from auth0_server_python import ServerClient
from auth0_server_python.auth_types import DomainResolverContext

# Map your app hostnames to Auth0 domains
DOMAIN_MAP = {
"acme.yourapp.com": "acme.auth0.com",
"globex.yourapp.com": "globex.auth0.com",
}
DEFAULT_DOMAIN = "default.auth0.com"

async def domain_resolver(context: DomainResolverContext) -> str:
"""
Resolve Auth0 domain based on request hostname.

Args:
context: Contains request_url and request_headers

Returns:
Auth0 domain string (e.g., "acme.auth0.com")
"""
# Extract hostname from request headers
if not context.request_headers:
return DEFAULT_DOMAIN

host = context.request_headers.get('host', DEFAULT_DOMAIN)
host_without_port = host.split(':')[0]

# Look up Auth0 domain
return DOMAIN_MAP.get(host_without_port, DEFAULT_DOMAIN)

client = ServerClient(
domain=domain_resolver, # Callable function
client_id="your_client_id",
client_secret="your_client_secret",
secret="your_encryption_secret"
)
```

## DomainResolverContext

The `DomainResolverContext` object provides request information to your resolver:

| Property | Type | Description |
|----------|------|-------------|
| `request_url` | `Optional[str]` | Full request URL (e.g., "https://acme.yourapp.com/auth/login") |
| `request_headers` | `Optional[dict[str, str]]` | Request headers dictionary |

**Common headers:**
- `host`: Request hostname (e.g., "acme.yourapp.com")
- `x-forwarded-host`: Original host when behind proxy/load balancer

**Example usage:**

```python
async def domain_resolver(context: DomainResolverContext) -> str:
# Check if we have request headers
if not context.request_headers:
return DEFAULT_DOMAIN

# Use x-forwarded-host if behind proxy, otherwise use host
host = (context.request_headers.get('x-forwarded-host') or
context.request_headers.get('host', ''))

# Remove port number if present
hostname = host.split(':')[0].lower()

# Look up in mapping
return DOMAIN_MAP.get(hostname, DEFAULT_DOMAIN)
```

## Error Handling

### DomainResolverError

The domain resolver should return a valid Auth0 domain string. Invalid returns will raise `DomainResolverError`:

```python
from auth0_server_python.error import DomainResolverError

async def domain_resolver(context: DomainResolverContext) -> str:
try:
domain = lookup_domain_from_db(context)

if not domain:
# Return default instead of None
return DEFAULT_DOMAIN

return domain # Must be a non-empty string

except Exception as e:
# Log error and return default
logger.error(f"Domain resolution failed: {e}")
return DEFAULT_DOMAIN
```

**Invalid return values that raise `DomainResolverError`:**
- `None`
- Empty string `""`
- Non-string types (int, list, dict, etc.)

**Exceptions raised by your resolver:**
- Automatically wrapped in `DomainResolverError`
- Original exception accessible via `.original_error`
Loading
Loading