Feat: Added MCD Support

[tanya732]

Changes

Please describe both what is changing and why this is important. Include:

• Endpoints added, deleted, deprecated, or changed
• Classes and methods added, deleted, deprecated, or changed
• Screenshots of new or changed UI, if applicable
• A summary of usage if this is a new feature or change to a public API (this should also be added to relevant documentation once released)
• Any alternative designs or approaches considered

References

Please include relevant links supporting this change such as a:

• support ticket
• community post
• StackOverflow post
• support forum thread

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

• This change adds test coverage
• This change has been tested on the latest version of Java or why not

Checklist

• I have read the Auth0 general contribution guidelines
• I have read the Auth0 Code of Conduct
• All existing and new tests complete without errors

In general, the fix is to stop calling the deprecated AuthAPI.setLoggingEnabled(boolean) method and instead configure logging using the non-deprecated mechanism provided by the Auth0 Java SDK. In recent versions, HTTP/logging behavior is configured via HttpOptions rather than on AuthAPI directly, so the correct approach is to ensure that an HttpOptions instance with the desired logging configuration is supplied to the AuthAPI constructor.

Within RequestProcessor.createClientForDomain, the behavior today is:

• If httpOptions is non-null, use it to build the AuthAPI.
• Otherwise, create an AuthAPI with the 3-arg constructor.
• Then, regardless, call client.setLoggingEnabled(loggingEnabled).

To preserve behavior without using the deprecated method, we can:

1. When httpOptions is null, create a new HttpOptions instance and set its logging flag according to loggingEnabled, then pass it into the 4-arg AuthAPI constructor.
2. When httpOptions is non-null, derive a new HttpOptions (or mutate the existing one if that is acceptable in this context) with the logging flag set based on loggingEnabled, and then pass that into the constructor.
3. Remove the direct call to client.setLoggingEnabled(loggingEnabled) entirely.

Because we cannot assume other parts of the code, we will keep the logic local and simple: if httpOptions is null, we create a fresh HttpOptions and configure logging; if it is not null, we reuse it and simply set logging on it before using it. This preserves existing semantics (a single HttpOptions object shared across clients, if that is what the rest of the code expects) while routing logging configuration through the non-deprecated HttpOptions API. No new imports are needed because HttpOptions is already imported.

Concretely, in createClientForDomain:

• Introduce a local variable HttpOptions localHttpOptions that is either the existing httpOptions or a new one.
• Set logging on localHttpOptions according to loggingEnabled.
• Always use the 4-arg AuthAPI constructor with localHttpOptions.
• Remove line 179: client.setLoggingEnabled(loggingEnabled);.

[tanya732]

Ignore for now

[kailash-b]

Is commenting this piece of code intended?

[tanya732]

Removed!!

[kailash-b]

Can this cause issues? Similar to how Domain was causing issues?

Looks like the verifyOptions is tied to the RequestProcessor instance that is created during init using the AuthenticationController.

If we modify the verifyOptions in-flight, will it cause problems when multiple calls are happening, since this is a common instance across?

Need to verify this once.

[tanya732]

Yes, that's correct I have updated verifyOptions

[kailash-b]

Minor suggestion, since we are actually constructing the Issuer here, we can name this better. Something like ToIssuer()?

Also, consider moving this to a Utils class?

[tanya732]

Have renamed to constructIssuer

[kailash-b]

Is this change intended? There already is a test folder.

If yes, it would be easier if some detail is added as to what we are trying to test

[tanya732]

I have added a note.. before merging will remove the test and docker file

In general, the fix is to ensure that parsing the expires_in request parameter into a Long does not allow a NumberFormatException to propagate unchecked. This is best achieved by surrounding the Long.parseLong(...) call with a try/catch that handles NumberFormatException and falls back to a safe behavior (e.g., treating the value as absent) or, if appropriate, wrapping it in a domain-specific exception.

The single best way to fix this, without changing existing functionality for valid inputs, is to catch NumberFormatException inside getFrontChannelTokens. When KEY_EXPIRES_IN is present but not parseable as a Long, the behavior that least surprises callers is to treat it the same as if the parameter were missing and set expiresIn to null. That keeps the method’s signature and returned Tokens construction unchanged while making it robust against malformed client input. Concretely, in src/main/java/com/auth0/RequestProcessor.java, adjust lines 475–479 so that the computation of expiresIn is enclosed in a try/catch (NumberFormatException e) that sets expiresIn to null on failure, then pass that expiresIn to the Tokens constructor as before. No new imports or methods are required, as NumberFormatException is in java.lang.

To fix the problem, the test should stop invoking the deprecated InvalidRequestException.getDescription() method and instead use the non-deprecated accessor that exposes the same error description. In most Auth0 Java APIs, InvalidRequestException (or similar OAuth error exception classes) provide a getErrorDescription() method that replaces getDescription(). The test should assert against this new accessor rather than the deprecated one. This removes the need for @SuppressWarnings("deprecation") and resolves the CodeQL finding while preserving the assertion on the error description.

Concretely, in src/test/java/com/auth0/RequestProcessorTest.java, within the shouldThrowExceptionWhenErrorInRequest test (around lines 381–396), remove the comment and the @SuppressWarnings("deprecation") annotation that justify using the deprecated method, replace the call to exception.getDescription() with exception.getErrorDescription(), and keep the assertion checking that the description equals "The user denied the request". No other parts of the test need to change, and no new imports are required.