
Feat/mcd initials #21

Open
tanya732 wants to merge 11 commits into main from feat/mcd-initials

Conversation

@tanya732 (Contributor) commented Mar 2, 2026

Changes

  • Multi-Custom Domain (MCD) support — tokens can now be validated against multiple issuer domains, enabling multi-tenant use. Three configuration modes are supported:

    a. Single domain (auth0.domain) — existing behavior, preserved for backward compatibility
    b. Static domains list (auth0.domains) — YAML-configured list of allowed issuers
    c. Dynamic resolver (Auth0DomainResolver bean) — resolve allowed issuers at request time based on headers, URL, or unverified iss claim

```java
// Core API — dynamic resolver
AuthOptions options = new AuthOptions.Builder()
    .domainsResolver(context -> {
        // Resolve the allowed issuers for this request from its Host header;
        // lookupIssuersForHost is the application's own lookup, not part of the SDK
        String host = context.getHeaders().get("host");
        return lookupIssuersForHost(host);
    })
    .audience("https://api.example.com")
    .build();
```

```yaml
# Spring Boot — static list
auth0:
  domains:
    - "https://tenant-a.us.auth0.com/"
    - "https://tenant-b.eu.auth0.com/"
  cacheMaxEntries: 200
  cacheTtlSeconds: 900
```
  • OIDC Discovery — JWTValidator now fetches /.well-known/openid-configuration for each issuer to obtain the jwks_uri dynamically, and validates that the discovery issuer matches the token's iss claim before trusting the signing keys
  • Unified caching layer — new AuthCache interface with a default thread-safe in-memory LRU implementation (InMemoryAuthCache) that caches both OIDC discovery metadata and JWKS providers using key prefixes (discovery: / jwks:). Configurable via auth0.cacheMaxEntries and auth0.cacheTtlSeconds, or replaceable with a custom AuthCache implementation (e.g., Redis)
  • Simplified API surface — AuthClient.verifyRequest() and all internal authentication strategies now take only HttpRequestInfo (which embeds headers) instead of separate headers + requestInfo parameters.
  • Spring Boot integration — Auth0AutoConfiguration wires up all three domain modes automatically, bridging the Spring-specific Auth0DomainResolver to the core DomainResolver interface. New properties: auth0.domains, auth0.cacheMaxEntries, auth0.cacheTtlSeconds
  • New model classes — RequestContext (request metadata for resolvers), OidcMetadata (parsed discovery response), Auth0RequestContext (Spring Boot adapter)

@tanya732 (Contributor, Author) commented:

@copilot

Copilot AI commented Mar 16, 2026

@tanya732 I've opened a new pull request, #23, to work on those changes. Once the pull request is ready, I'll request review from you.

Copilot AI left a review comment

Pull request overview

This PR adds Multi-Custom Domain (MCD) support to the Auth0 Java SDK, enabling token validation against multiple issuer domains. It also introduces OIDC Discovery, a unified caching layer, and simplifies the API surface by embedding headers into HttpRequestInfo.

Changes:

  • Multi-Custom Domain support with three modes: single domain (backward-compatible), static domains list, and dynamic resolver (DomainResolver/Auth0DomainResolver)
  • OIDC Discovery integration in JWTValidator to fetch .well-known/openid-configuration per issuer, with unified AuthCache (default InMemoryAuthCache LRU + TTL) for both discovery metadata and JWKS providers
  • Simplified API: AuthClient.verifyRequest() and authentication strategies now take only HttpRequestInfo (which embeds headers), removing the separate headers parameter

Reviewed changes

Copilot reviewed 42 out of 42 changed files in this pull request and generated 5 comments.

Summary per file

| File | Description |
|---|---|
| auth0-api-java/.../AuthClient.java | Simplified verifyRequest to accept only HttpRequestInfo |
| auth0-api-java/.../AuthenticationOrchestrator.java | Updated process signature to match new API |
| auth0-api-java/.../AbstractAuthentication.java | Removed headers param from authenticate, validateBearerToken, validateDpopTokenAndProof |
| auth0-api-java/.../AllowedDPoPAuthentication.java | Updated to use requestInfo.getHeaders() |
| auth0-api-java/.../DisabledDPoPAuthentication.java | Updated authenticate; contains commented-out code |
| auth0-api-java/.../RequiredDPoPAuthentication.java | Updated authenticate; contains commented-out code and wrong Javadoc |
| auth0-api-java/.../DomainResolver.java | New core functional interface for dynamic domain resolution |
| auth0-api-java/.../models/AuthOptions.java | Added domains, domainsResolver, cache settings; updated build validation |
| auth0-api-java/.../models/HttpRequestInfo.java | Added headers field with normalization; replaced context; new single-arg constructor |
| auth0-api-java/.../models/OidcMetadata.java | New model for OIDC discovery metadata |
| auth0-api-java/.../models/RequestContext.java | New model for domain resolver context |
| auth0-api-java/.../cache/AuthCache.java | New cache abstraction interface |
| auth0-api-java/.../cache/InMemoryAuthCache.java | New thread-safe LRU+TTL cache implementation |
| auth0-api-java/.../validators/JWTValidator.java | Major rework: OIDC discovery, MCD resolution, dynamic JwkProvider caching |
| auth0-api-java/.../validators/OidcDiscoveryFetcher.java | New OIDC discovery fetcher with caching |
| auth0-api-java/.../validators/ClaimValidator.java | Minor doc/comment cleanup |
| auth0-api-java/.../examples/Auth0ApiExample.java | Removed |
| auth0-springboot-api/.../Auth0AutoConfiguration.java | MCD wiring: resolver bean bridging, domains list, cache config |
| auth0-springboot-api/.../Auth0Properties.java | Added domains, cacheMaxEntries, cacheTtlSeconds properties |
| auth0-springboot-api/.../Auth0AuthenticationFilter.java | Updated to pass headers into HttpRequestInfo and use new verifyRequest |
| auth0-springboot-api/.../Auth0DomainResolver.java | New Spring Boot functional interface for dynamic domain resolution |
| auth0-springboot-api/.../Auth0RequestContext.java | New Spring Boot request context model |
| auth0-springboot-api-playground/.../SecurityConfig.java | Formatting changes |
| auth0-springboot-api-playground/.../ProfileController.java | Added MCD demo endpoint |
| auth0-springboot-api-playground/.../McdDomainResolverExample.java | New MCD configuration example |
| Test files (multiple) | Updated to match new API signatures, added MCD and cache tests |
Comments suppressed due to low confidence (1)

auth0-api-java/src/main/java/com/auth0/validators/JWTValidator.java:162

  • The catch (Exception e) block on line 160 unconditionally wraps all exceptions — including VerifyAccessTokenException thrown earlier in this method (e.g., "Token issuer is not in the allowed list", "Symmetric algorithms are not supported", "Discovery metadata issuer does not match token issuer") — into a new generic VerifyAccessTokenException("signature verification failed", e). This masks the specific error messages introduced for MCD validation. Consider re-throwing BaseAuthException instances directly before the generic wrap, similar to how wrapAsValidationException works elsewhere in this class.
```java
        } catch (Exception e) {
            throw new VerifyAccessTokenException("signature verification failed", e);
        }
```

kailash-b previously approved these changes Mar 19, 2026


4 participants