Add test cases for edge cases

Author: kailash-b

src/Auth0.AspNetCore.Authentication/Auth0Constants.cs

@@ -15,6 +15,9 @@ public class Auth0Constants
         /// </summary>
         internal static string DefaultCallbackPath = "/callback";
 
-        public static readonly string ResolvedDomainKey = "auth0:resolved-domain";
+        /// <summary>
+        /// Key used to store the resolved domain in the authentication properties.
+        /// </summary>
+        internal static readonly string ResolvedDomainKey = "auth0:resolved-domain";
     }
 }

src/Auth0.AspNetCore.Authentication/CustomDomains/Auth0CustomDomainsOpenIdConnectConfigurationManager.cs

@@ -18,7 +18,7 @@ namespace Auth0.AspNetCore.Authentication.CustomDomains;
 /// Resolves configurations dynamically based on the domain associated with each request,
 /// enabling support for multiple Auth0 custom domains within a single application instance.
 /// Each domain's configuration is cached independently using the provided <see cref="IConfigurationManagerCache"/>.
-/// Registered as a singleton and maintain its cache throughout the application lifetime.
+/// Is registered as a singleton and maintain its cache throughout the application lifetime.
 /// </remarks>
 internal sealed class Auth0CustomDomainsOpenIdConnectConfigurationManager : IConfigurationManager<OpenIdConnectConfiguration>, IDisposable
 {
@@ -108,10 +108,41 @@ public void RequestRefresh()
     /// <exception cref="InvalidOperationException">Thrown when domain resolution fails.</exception>
     internal async Task<string> ResolveAuthorityAsync(HttpContext context)
     {
+        var hasState = TryGetState(context, out var state);
+
         // In case of a callback request, extracts the issuer from the state parameter.
-        if (TryGetState(context, out var state) && TryGetIssuerFromState(state, out var stateIssuer))
+        if (hasState && TryGetIssuerFromState(state, out var stateIssuer))
         {
-            return Utils.ToAuthority(stateIssuer);
+            var stateAuthority = Utils.ToAuthority(stateIssuer);
+
+            // Cross-validate: if the StartupFilter already resolved a domain for this request,
+            // ensure it matches the domain stored in the encrypted state. A mismatch indicates
+            // the request arrived on a different domain than the one that initiated the flow.
+            if (context.Items[Auth0Constants.ResolvedDomainKey] is string middlewareDomain &&
+                !string.IsNullOrWhiteSpace(middlewareDomain))
+            {
+                var middlewareAuthority = Utils.ToAuthority(middlewareDomain);
+                if (!stateAuthority.Equals(middlewareAuthority, StringComparison.OrdinalIgnoreCase))
+                {
+                    throw new InvalidOperationException(
+                        $"Domain mismatch: the callback request arrived on domain '{middlewareDomain}' " +
+                        $"but the authentication transaction was initiated with domain '{stateIssuer}'. " +
+                        "This may indicate a cross-domain replay or misconfigured routing.");
+                }
+            }
+
+            return stateAuthority;
+        }
+
+        // If the request carries a state parameter (i.e. it looks like a callback) but the domain
+        // could not be extracted from state, fail explicitly rather than falling back to the
+        // DomainResolver, which could return a different domain than the one that started the flow.
+        if (hasState)
+        {
+            throw new InvalidOperationException(
+                "The request contains a 'state' parameter but the resolved domain could not be " +
+                "extracted from it. This may indicate a tampered, expired, or malformed state. " +
+                "The authentication transaction cannot be safely completed.");
         }
 
         // Check if the domain was already resolved earlier in the request pipeline

src/Auth0.AspNetCore.Authentication/OpenIdConnectEventsFactory.cs

@@ -168,21 +168,33 @@ private static Func<TokenValidatedContext, Task> CreateOnTokenValidated(Auth0Web
                     .GetService<IOptionsMonitor<Auth0CustomDomainsOptions>>()
                     ?.Get(context.Scheme.Name);
 
-                if (customDomainsOptions is { IsMultipleCustomDomainsEnabled: true } &&
-                    context.Properties?.Items != null &&
-                    context.Properties.Items.TryGetValue(Auth0Constants.ResolvedDomainKey, out var expectedIssuer) &&
-                    !string.IsNullOrWhiteSpace(expectedIssuer))
+                if (customDomainsOptions is { IsMultipleCustomDomainsEnabled: true })
                 {
-                    var tokenIssuer = context.SecurityToken.Issuer;
-                    var expectedAuthority = Utils.ToAuthority(expectedIssuer);
-
-                    var ok = tokenIssuer.Equals(expectedAuthority, StringComparison.OrdinalIgnoreCase) ||
-                             tokenIssuer.Equals(expectedAuthority + "/", StringComparison.OrdinalIgnoreCase);
-
-                    if (!ok)
+                    if (context.Properties?.Items == null ||
+                        !context.Properties.Items.TryGetValue(Auth0Constants.ResolvedDomainKey, out var expectedIssuer) ||
+                        string.IsNullOrWhiteSpace(expectedIssuer))
                     {
+                        // In multi-domain mode, static issuer validation is disabled (ValidateIssuer = false).
+                        // The domain MUST be present in state to validate the token issuer.
+                        // If it's missing, we cannot verify the token came from the expected authority.
                         context.Fail(
-                            $"Token issuer '{tokenIssuer}' does not match expected issuer '{expectedAuthority}'.");
+                            "Token validation failed: the resolved domain was not found in the authentication state. " +
+                            "In multi-domain mode, the domain must be stored in state during the authorization request " +
+                            "to validate the token issuer on callback.");
+                    }
+                    else
+                    {
+                        var tokenIssuer = context.SecurityToken.Issuer;
+                        var expectedAuthority = Utils.ToAuthority(expectedIssuer);
+
+                        var ok = tokenIssuer.Equals(expectedAuthority, StringComparison.OrdinalIgnoreCase) ||
+                                 tokenIssuer.Equals(expectedAuthority + "/", StringComparison.OrdinalIgnoreCase);
+
+                        if (!ok)
+                        {
+                            context.Fail(
+                                $"Token issuer '{tokenIssuer}' does not match expected issuer '{expectedAuthority}'.");
+                        }
                     }
                 }
 

tests/Auth0.AspNetCore.Authentication.IntegrationTests/Auth0CustomDomainsOpenIdConnectConfigurationManagerTests.cs

@@ -699,4 +699,158 @@ public async Task GetConfigurationAsync_WithMemoryCacheAndSlidingExpiration_Uses
 
         Assert.NotNull(config);
     }
+
+    [Fact]
+    public async Task ResolveAuthorityAsync_WithStateButNoIssuerInState_ThrowsInvalidOperationException()
+    {
+        // State parameter is present but doesn't contain the resolved domain key
+        var state = "protected-state";
+        _httpContext.Request.QueryString = new QueryString($"?state={state}");
+
+        var props = new AuthenticationProperties(); // No ResolvedDomainKey
+        _stateDataFormatMock.Setup(x => x.Unprotect(state)).Returns(props);
+
+        var manager = CreateManager();
+
+        var exception = await Assert.ThrowsAsync<InvalidOperationException>(
+            () => manager.ResolveAuthorityAsync(_httpContext));
+
+        Assert.Contains("state", exception.Message);
+        Assert.Contains("resolved domain could not be extracted", exception.Message);
+    }
+
+    [Fact]
+    public async Task ResolveAuthorityAsync_WithStateButCorruptedState_ThrowsInvalidOperationException()
+    {
+        // State parameter is present but decryption throws (tampered state)
+        var state = "corrupted-state";
+        _httpContext.Request.QueryString = new QueryString($"?state={state}");
+
+        _stateDataFormatMock.Setup(x => x.Unprotect(state))
+            .Throws<System.Security.Cryptography.CryptographicException>();
+
+        var manager = CreateManager();
+
+        var exception = await Assert.ThrowsAsync<InvalidOperationException>(
+            () => manager.ResolveAuthorityAsync(_httpContext));
+
+        Assert.Contains("state", exception.Message);
+        Assert.Contains("resolved domain could not be extracted", exception.Message);
+    }
+
+    [Fact]
+    public async Task ResolveAuthorityAsync_WithStateButNullProperties_ThrowsInvalidOperationException()
+    {
+        // State parameter is present but Unprotect returns null
+        var state = "protected-state";
+        _httpContext.Request.QueryString = new QueryString($"?state={state}");
+
+        _stateDataFormatMock.Setup(x => x.Unprotect(state)).Returns((AuthenticationProperties)null!);
+
+        var manager = CreateManager();
+
+        var exception = await Assert.ThrowsAsync<InvalidOperationException>(
+            () => manager.ResolveAuthorityAsync(_httpContext));
+
+        Assert.Contains("state", exception.Message);
+    }
+
+    [Fact]
+    public async Task ResolveAuthorityAsync_DoesNotFallBackToDomainResolver_WhenStatePresent()
+    {
+        // Verify that when state is present but issuer extraction fails,
+        // the domain resolver is NOT called (preventing domain swap attacks)
+        var state = "protected-state";
+        _httpContext.Request.QueryString = new QueryString($"?state={state}");
+
+        _stateDataFormatMock.Setup(x => x.Unprotect(state)).Returns((AuthenticationProperties)null!);
+        _domainResolverMock.Setup(x => x(_httpContext)).ReturnsAsync("attacker-domain.auth0.com");
+
+        var manager = CreateManager();
+
+        await Assert.ThrowsAsync<InvalidOperationException>(
+            () => manager.ResolveAuthorityAsync(_httpContext));
+
+        _domainResolverMock.Verify(x => x(It.IsAny<HttpContext>()), Times.Never);
+    }
+
+    [Fact]
+    public async Task ResolveAuthorityAsync_CrossValidation_MatchingDomains_Succeeds()
+    {
+        var issuer = "tenant.auth0.com";
+        var state = "protected-state";
+        _httpContext.Request.QueryString = new QueryString($"?state={state}");
+
+        // StartupFilter already resolved the same domain
+        _httpContext.Items[Auth0Constants.ResolvedDomainKey] = issuer;
+
+        var props = new AuthenticationProperties();
+        props.Items[Auth0Constants.ResolvedDomainKey] = issuer;
+        _stateDataFormatMock.Setup(x => x.Unprotect(state)).Returns(props);
+
+        var manager = CreateManager();
+
+        var authority = await manager.ResolveAuthorityAsync(_httpContext);
+
+        Assert.Equal($"https://{issuer}/", authority);
+    }
+
+    [Fact]
+    public async Task ResolveAuthorityAsync_CrossValidation_MismatchedDomains_ThrowsInvalidOperationException()
+    {
+        var stateIssuer = "tenant-a.auth0.com";
+        var middlewareIssuer = "tenant-b.auth0.com";
+        var state = "protected-state";
+        _httpContext.Request.QueryString = new QueryString($"?state={state}");
+
+        // StartupFilter resolved a different domain than what's in state
+        _httpContext.Items[Auth0Constants.ResolvedDomainKey] = middlewareIssuer;
+
+        var props = new AuthenticationProperties();
+        props.Items[Auth0Constants.ResolvedDomainKey] = stateIssuer;
+        _stateDataFormatMock.Setup(x => x.Unprotect(state)).Returns(props);
+
+        var manager = CreateManager();
+
+        var exception = await Assert.ThrowsAsync<InvalidOperationException>(
+            () => manager.ResolveAuthorityAsync(_httpContext));
+
+        Assert.Contains("Domain mismatch", exception.Message);
+        Assert.Contains("tenant-a.auth0.com", exception.Message);
+        Assert.Contains("tenant-b.auth0.com", exception.Message);
+    }
+
+    [Fact]
+    public async Task ResolveAuthorityAsync_CrossValidation_NoMiddlewareDomain_StillSucceeds()
+    {
+        // When the StartupFilter hasn't cached a domain yet (e.g., no middleware ran),
+        // the cross-validation is skipped and the state domain is trusted.
+        var issuer = "tenant.auth0.com";
+        var state = "protected-state";
+        _httpContext.Request.QueryString = new QueryString($"?state={state}");
+
+        var props = new AuthenticationProperties();
+        props.Items[Auth0Constants.ResolvedDomainKey] = issuer;
+        _stateDataFormatMock.Setup(x => x.Unprotect(state)).Returns(props);
+
+        var manager = CreateManager();
+
+        var authority = await manager.ResolveAuthorityAsync(_httpContext);
+
+        Assert.Equal($"https://{issuer}/", authority);
+    }
+
+    [Fact]
+    public async Task ResolveAuthorityAsync_WithoutState_StillUsesResolver()
+    {
+        // Non-callback requests (no state parameter) should still work via DomainResolver
+        var expectedDomain = "tenant.auth0.com";
+        _domainResolverMock.Setup(x => x(_httpContext)).ReturnsAsync(expectedDomain);
+        var manager = CreateManager();
+
+        var authority = await manager.ResolveAuthorityAsync(_httpContext);
+
+        Assert.Equal($"https://{expectedDomain}/", authority);
+        _domainResolverMock.Verify(x => x(_httpContext), Times.Once);
+    }
 }