Merge pull request #1 from auth0/feat/modified-method-signature

Feat: Updated the "validateToken" method signature

Author: tanya732

.github/workflows/build-and-test.yml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   gradle:
-    runs-on: ubuntu-22.04-2cpu-8ram-75ssd
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
       - uses: actions/setup-java@v5

.github/workflows/claude-code-review.yml

@@ -8,4 +8,4 @@ on:
 
 jobs:
   claude-review:
-    uses: atko-cic/ai-pr-analyzer-gh-action/.github/workflows/claude-code-review.yml@main
+    uses: auth0/ai-pr-analyzer-gh-action/.github/workflows/claude-code-review.yml@main

README.md

@@ -51,45 +51,7 @@ The core library (`auth0-api-java`) is currently an internal module used by the
 - JWT validation with Auth0 JWKS integration
 - DPoP proof validation per [RFC 9449](https://datatracker.ietf.org/doc/html/rfc9449)
 - Flexible authentication strategies
-- Comprehensive claim validation
 
-## 🔧 Advanced Configuration
-
-### Custom Claim Validation
-
-While the Spring Boot integration provides automatic validation, developers can access the underlying `auth0-api-java` validation utilities for custom scenarios:
-
-```java
-@RestController
-public class AdvancedController {
-
-    @Autowired
-    private AuthClient authClient; 
-
-    @GetMapping("/api/custom-validation")
-    public ResponseEntity<String> customValidation(HttpServletRequest request) {
-        try {
-            String token = extractTokenFromRequest(request);
-            JWTValidator validator = new JWTValidator(authClient.getAuthOptions());
-
-            DecodedJWT jwt = validator.validateTokenWithClaimEquals(token, "role", "admin");
-            
-            return ResponseEntity.ok("Advanced validation passed");
-
-        } catch (BaseAuthException e) {
-            return ResponseEntity.status(401).body("Validation failed: " + e.getMessage());
-        }
-    }
-
-    private String extractTokenFromRequest(HttpServletRequest request) {
-        String authHeader = request.getHeader("Authorization");
-        if (authHeader != null && authHeader.startsWith("Bearer ")) {
-            return authHeader.substring(7);
-        }
-        throw new IllegalArgumentException("No Bearer token found");
-    }
-}
-```
 
 ## 📚 Documentation
 
@@ -135,7 +97,7 @@ The core library (`auth0-api-java`) is bundled as an internal dependency within
 4. Add tests for new functionality
 5. Ensure all tests pass: `./gradlew test`
 6. Ensure your commits are signed
-7. 7Submit a pull request
+7. Submit a pull request
 
 ## 📄 License
 

auth0-api-java/src/main/java/com/auth0/AbstractAuthentication.java

@@ -28,9 +28,9 @@ protected AbstractAuthentication(JWTValidator jwtValidator, TokenExtractor extra
     /**
      * Concrete method to validate Bearer token headers and JWT claims.
      */
-    protected DecodedJWT validateBearerToken(Map<String, String> headers) throws BaseAuthException {
+    protected DecodedJWT validateBearerToken(Map<String, String> headers, HttpRequestInfo httpRequestInfo) throws BaseAuthException {
         AuthToken authToken = extractor.extractBearer(headers);
-        return jwtValidator.validateToken(authToken.getAccessToken());
+        return jwtValidator.validateToken(authToken.getAccessToken(), headers, httpRequestInfo);
     }
 
     /**
@@ -42,7 +42,7 @@ protected DecodedJWT validateDpopTokenAndProof(Map<String, String> headers, Http
         AuthValidatorHelper.validateHttpMethodAndHttpUrl(requestInfo);
 
         AuthToken authToken = extractor.extractDPoPProofAndDPoPToken(headers);
-        DecodedJWT decodedJwtToken = jwtValidator.validateToken(authToken.getAccessToken());
+        DecodedJWT decodedJwtToken = jwtValidator.validateToken(authToken.getAccessToken(), headers, requestInfo);
 
         dpopProofValidator.validate(authToken.getProof(), decodedJwtToken, requestInfo);
 

auth0-api-java/src/main/java/com/auth0/AllowedDPoPAuthentication.java

@@ -37,7 +37,7 @@ public AuthenticationContext authenticate(Map<String, String> headers, HttpReque
             scheme = extractor.getScheme(normalizedHeader);
 
             if (scheme.equalsIgnoreCase(AuthConstants.BEARER_SCHEME)) {
-                DecodedJWT jwtToken = validateBearerToken(normalizedHeader);
+                DecodedJWT jwtToken = validateBearerToken(normalizedHeader, requestInfo);
                 AuthValidatorHelper.validateNoDpopPresence(normalizedHeader, jwtToken);
                 return buildContext(jwtToken);
             }

auth0-api-java/src/main/java/com/auth0/AuthClient.java

@@ -2,10 +2,10 @@
 
 import com.auth0.exception.BaseAuthException;
 import com.auth0.models.AuthenticationContext;
-import com.auth0.validators.DPoPProofValidator;
-import com.auth0.validators.JWTValidator;
 import com.auth0.models.AuthOptions;
 import com.auth0.models.HttpRequestInfo;
+import com.auth0.validators.DPoPProofValidator;
+import com.auth0.validators.JWTValidator;
 
 import java.util.Map;
 

auth0-api-java/src/main/java/com/auth0/DisabledDPoPAuthentication.java

@@ -28,7 +28,7 @@ public AuthenticationContext authenticate(Map<String, String> headers, HttpReque
 
         Map<String, String> normalizedHeader = normalize(headers);
         try {
-            DecodedJWT jwt = validateBearerToken(normalizedHeader);
+            DecodedJWT jwt = validateBearerToken(normalizedHeader, requestInfo);
 
             return buildContext(jwt);
         } catch (BaseAuthException ex){

auth0-api-java/src/main/java/com/auth0/examples/Auth0ApiExample.java

@@ -6,7 +6,6 @@
 import com.auth0.models.AuthOptions;
 import com.auth0.models.AuthenticationContext;
 import com.auth0.models.HttpRequestInfo;
-import com.auth0.validators.JWTValidator;
 import com.sun.net.httpserver.HttpExchange;
 import com.sun.net.httpserver.HttpHandler;
 import com.sun.net.httpserver.HttpServer;

auth0-api-java/src/main/java/com/auth0/validators/JWTValidator.java

@@ -11,7 +11,10 @@
 import com.auth0.jwk.UrlJwkProvider;
 import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.interfaces.DecodedJWT;
+import com.auth0.models.HttpRequestInfo;
+
 import java.security.interfaces.RSAPublicKey;
+import java.util.Map;
 
 import static com.auth0.jwt.JWT.require;
 
@@ -64,7 +67,7 @@ public JWTValidator(AuthOptions authOptions, JwkProvider jwkProvider) {
      * @return the decoded and verified JWT
      * @throws BaseAuthException if validation fails
      */
-    public DecodedJWT validateToken(String token) throws BaseAuthException {
+    public DecodedJWT validateToken(String token, Map<String, String> headers, HttpRequestInfo httpRequestInfo) throws BaseAuthException {
 
         if (token == null || token.trim().isEmpty()) {
             throw new MissingRequiredArgumentException("access_token");
@@ -89,9 +92,9 @@ public DecodedJWT validateToken(String token) throws BaseAuthException {
     /**
      * Validates a JWT and ensures all required scopes are present.
      */
-    public DecodedJWT validateTokenWithRequiredScopes(String token, String... requiredScopes)
+    public DecodedJWT validateTokenWithRequiredScopes(String token, Map<String, String> headers, HttpRequestInfo httpRequestInfo, String... requiredScopes)
             throws BaseAuthException {
-        DecodedJWT jwt = validateToken(token);
+        DecodedJWT jwt = validateToken(token, headers, httpRequestInfo);
         try {
             ClaimValidator.checkRequiredScopes(jwt, requiredScopes);
             return jwt;
@@ -103,9 +106,9 @@ public DecodedJWT validateTokenWithRequiredScopes(String token, String... requir
     /**
      * Validates a JWT and ensures it has *any* of the provided scopes.
      */
-    public DecodedJWT validateTokenWithAnyScope(String token, String... scopes)
+    public DecodedJWT validateTokenWithAnyScope(String token, Map<String, String> headers, HttpRequestInfo httpRequestInfo, String... scopes)
             throws BaseAuthException {
-        DecodedJWT jwt = validateToken(token);
+        DecodedJWT jwt = validateToken(token, headers, httpRequestInfo);
         try {
             ClaimValidator.checkAnyScope(jwt, scopes);
             return jwt;
@@ -117,9 +120,9 @@ public DecodedJWT validateTokenWithAnyScope(String token, String... scopes)
     /**
      * Validates a JWT and ensures a claim equals the expected value.
      */
-    public DecodedJWT validateTokenWithClaimEquals(String token, String claim, Object expected)
+    public DecodedJWT validateTokenWithClaimEquals(String token, Map<String, String> headers, HttpRequestInfo httpRequestInfo,  String claim, Object expected)
             throws BaseAuthException {
-        DecodedJWT jwt = validateToken(token);
+        DecodedJWT jwt = validateToken(token, headers, httpRequestInfo);
         try {
             ClaimValidator.checkClaimEquals(jwt, claim, expected);
             return jwt;
@@ -131,9 +134,9 @@ public DecodedJWT validateTokenWithClaimEquals(String token, String claim, Objec
     /**
      * Validates a JWT and ensures a claim includes all expected values.
      */
-    public DecodedJWT validateTokenWithClaimIncludes(String token, String claim, Object... expectedValues)
+    public DecodedJWT validateTokenWithClaimIncludes(String token, Map<String, String> headers, HttpRequestInfo httpRequestInfo, String claim, Object... expectedValues)
             throws BaseAuthException {
-        DecodedJWT jwt = validateToken(token);
+        DecodedJWT jwt = validateToken(token, headers, httpRequestInfo);
         try {
             ClaimValidator.checkClaimIncludes(jwt, claim, expectedValues);
             return jwt;
@@ -142,9 +145,9 @@ public DecodedJWT validateTokenWithClaimIncludes(String token, String claim, Obj
         }
     }
 
-    public DecodedJWT validateTokenWithClaimIncludesAny(String token, String claim, Object... expectedValues)
+    public DecodedJWT validateTokenWithClaimIncludesAny(String token, Map<String, String> headers, HttpRequestInfo httpRequestInfo, String claim, Object... expectedValues)
             throws BaseAuthException {
-        DecodedJWT jwt = validateToken(token);
+        DecodedJWT jwt = validateToken(token, headers, httpRequestInfo);
         try {
             ClaimValidator.checkClaimIncludesAny(jwt, claim, expectedValues);
             return jwt;

auth0-api-java/src/test/java/com/auth0/AbstractAuthenticationTest.java

@@ -80,12 +80,12 @@ public void validateBearerToken_shouldExtractAndValidate() throws Exception {
         DecodedJWT jwt = mock(DecodedJWT.class);
 
         when(extractor.extractBearer(anyMap())).thenReturn(token);
-        when(jwtValidator.validateToken("access")).thenReturn(jwt);
+        when(jwtValidator.validateToken(eq("access"), anyMap(), any())).thenReturn(jwt);
 
         Map<String, String> headers = new HashMap<>();
         headers.put("authorization", "Bearer access");
 
-        DecodedJWT result = authSystem.validateBearerToken(headers);
+        DecodedJWT result = authSystem.validateBearerToken(headers, null);
 
         assertThat(result).isSameAs(jwt);
     }
@@ -98,7 +98,7 @@ public void validateDpopTokenAndProof_shouldValidateEverything() throws Exceptio
                 new HttpRequestInfo("GET", "https://api.example.com", null);
 
         when(extractor.extractDPoPProofAndDPoPToken(anyMap())).thenReturn(token);
-        when(jwtValidator.validateToken("access")).thenReturn(jwt);
+        when(jwtValidator.validateToken(eq("access"), anyMap(), any())).thenReturn(jwt);
 
         Map<String, String> headers = new HashMap<>();
         headers.put("authorization", "DPoP access");