
Conversation


@ankita10119 ankita10119 commented Jan 28, 2026

Description

Implements support for validating JWT tokens from multiple Auth0 tenants or custom domains in a single API deployment. This addresses the need for multi-tenant architectures, domain migrations, and regional deployments without requiring separate API instances.

Implementation

New Configuration Pattern

Introduces auth0MCD configuration object that accepts three validation methods:

Static array:

auth0MCD: {
  issuers: ['https://tenant1.auth0.com', 'https://tenant2.auth0.com']
}

Config objects:

auth0MCD: {
  issuers: [
    { issuer: 'https://tenant1.auth0.com', alg: 'RS256' },
    { issuer: 'https://tenant2.auth0.com', jwksUri: 'https://...' }
  ]
}

Dynamic resolver:

auth0MCD: {
  issuers: async (context) => {
    const tenantId = context.headers['x-tenant-id'];
    return await getTenantIssuers(tenantId);
  }
}

Changes

packages/access-token-jwt/src/jwt-verifier.ts

  • Added MCD types: Auth0MCDOptions, IssuerConfig, IssuerResolverContext
  • Implemented issuer validation before JWKS fetch
  • Added symmetric algorithm rejection for JWKS-based verification
  • Added discovery issuer double-validation
  • Support for per-issuer JWKS URI and algorithm configuration

packages/access-token-jwt/src/token-verifier.ts

  • Modified to pass request context (URL, headers) to dynamic resolver
  • Enables tenant-aware issuer validation

packages/access-token-jwt/src/discovery.ts

  • Refactored to support per-issuer discovery caching
  • Each issuer's metadata cached independently (10 min TTL)

packages/access-token-jwt/src/get-key-fn.ts

  • Updated JWKS caching to support multiple issuers
  • Maintains separate cache entries per JWKS URI

Backward Compatibility

Fully backward compatible. Existing configurations work unchanged:

// Still works exactly as before

app.use(auth({
  issuerBaseURL: 'https://tenant.auth0.com',
  audience: 'https://your-api.com'
}));

References

MCD GA requirements
MCD- express-oauth2-jwt-bearer-design-doc

Testing

  • Added 22 comprehensive MCD test cases in jwt-verifier.test.ts
  • All scenarios covered: static config, dynamic resolver, symmetric/asymmetric, error cases
  • 342 tests passing with 100% code coverage
  • Created test-mcd-app/ with working examples for all configuration methods

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

@ankita10119 ankita10119 requested a review from a team as a code owner January 28, 2026 08:31
@ankita10119 ankita10119 marked this pull request as draft January 28, 2026 08:32
@ankita10119 ankita10119 marked this pull request as ready for review January 29, 2026 08:38