chore: should not lowercase org_name claim (#499)

stevehobbsdev · web-flow · commit 871ce9ca274c · 2023-07-19T09:15:57.000+01:00
diff --git a/EXAMPLES.md b/EXAMPLES.md
@@ -178,7 +178,7 @@ In particular:
 
 - The issuer (iss) claim should be checked to ensure the token was issued by Auth0
 
-- the `org_id` or `org_name` claim should be checked to ensure it is a value that is already known to the application. Which claim you check depends on the organization value being validated: if it starts with `org_`, validate against the `org_id` claim. Otherwise, validate against `org_name`. Further, `org_name` validation should be done using a **case-insensitive** check, whereas `org_id` should be an exact case-sensitive match.
+- the `org_id` or `org_name` claim should be checked to ensure it is a value that is already known to the application. Which claim you check depends on the organization value being validated: if it starts with `org_`, validate against the `org_id` claim. Otherwise, validate against `org_name`. Further, the value of the `org_name` claim will always be lowercase. To aid the developer experience, you may also lowercase the input organization name when checking against the `org_name`, but do not modify the `org_name` claim value.
 
 This could be validated against a known list of organization IDs or names, or perhaps checked in conjunction with the current request URL. e.g. the sub-domain may hint at what organization should be used to validate the Access Token.
 
diff --git a/lib/auth0/mixins/validation.rb b/lib/auth0/mixins/validation.rb
@@ -204,7 +204,7 @@ def validate_org(claims, expected)
               raise Auth0::InvalidIdToken, 'Organization Name (org_name) claim must be a string present in the ID token'
             end
 
-            unless expected.downcase == claims['org_name'].downcase
+            unless expected.downcase == claims['org_name']
               raise Auth0::InvalidIdToken, "Organization Name (org_name) claim value mismatch in the ID token; expected \"#{expected}\","\
                                           " found \"#{claims['org_name']}\""
             end
diff --git a/spec/lib/auth0/mixins/validation_spec.rb b/spec/lib/auth0/mixins/validation_spec.rb
@@ -342,8 +342,8 @@ def build_id_token(payload = {})
       end
 
       it 'is expected to NOT raise an error with organization name in different casing' do
-        token = build_id_token org_name: 'MY-ORGANIZATION'
-        instance = Auth0::Mixins::Validation::IdTokenValidator.new(CONTEXT.merge({ organization: 'my-organization' }))
+        token = build_id_token org_name: 'my-organization'
+        instance = Auth0::Mixins::Validation::IdTokenValidator.new(CONTEXT.merge({ organization: 'MY-ORGANIZATION' }))
 
         expect { instance.validate(token) }.not_to raise_exception
       end
