UsersEntity incorrectly handles user ID encoding in multiple methods in Java library

Multiple methods in UsersEntity.java incorrectly handle user ID parameters when constructing API URLs. This causes failures when user IDs contain forward slashes or other special characters that require URL encoding.

Affected Methods

  1. listPermissions(String userId, PageFilter filter) - uses addPathSegments(userId)

  2. removePermissions(String userId, List<Permission> permissions) - uses addPathSegments(userId)

  3. addPermissions(String userId, List<Permission> permissions) - uses addPathSegments(userId)

  4. listRoles(String userId, PageFilter filter) - uses addPathSegments(userId)

  5. removeRoles(String userId, List<String> roleIds) - uses addPathSegments(userId)

  6. addRoles(String userId, List<String> roleIds) - uses addPathSegments(userId)

  7. deleteAllAuthenticators(String userId) - uses String.format("api/v2/users/%s/authenticators", userId)

Technical Details

Two distinct URL construction issues are present:

  1. Methods 1-6: Use addPathSegments() which treats the input as pre-separated path segments and does not encode forward slashes, when they should use addPathSegment() which properly encodes special characters.

  2. Method 7: Uses String.format("api/v2/users/%s/authenticators", userId) inside withPathSegments(), which provides no URL encoding and then treats the result as multiple segments.

Code Example

From deleteAllAuthenticators:

// userId is interpolated without encoding, then the whole string is split on '/'
return voidRequest(HttpMethod.DELETE, (RequestBuilder<Void> builder) ->
    builder.withPathSegments(String.format("api/v2/users/%s/authenticators", userId)));

This should be:

// userId is added as a single path segment, so '/' is percent-encoded
return voidRequest(HttpMethod.DELETE, (RequestBuilder<Void> builder) ->
    builder.addPathSegments("api/v2/users")
           .addPathSegment(userId)
           .addPathSegment("authenticators"));

Example Failure

For a user ID like google-oauth2|123456/789:

  • Current implementation produces: /api/v2/users/google-oauth2%7C123456/789/roles

  • Correct encoding should be: /api/v2/users/google-oauth2%7C123456%2F789/roles

Proposed Solution

  1. For methods 1-6: Replace addPathSegments(userId) with addPathSegment(userId)

  2. For method 7: Replace the String.format() approach with proper URL builder methods using addPathSegment(userId)

This change would align these methods with others in the same class that correctly handle user IDs, such as get(), delete(), update(), etc.
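
The difference between the two builder calls described in the post above, as an added example that is not part of the original post or the library's own code. It assumes the builder methods are those of OkHttp's HttpUrl.Builder (OkHttp on the classpath, Java 9+); the base URL, class and helper names, and the sample IDs other than google-oauth2|123456/789 are constructed for illustration.

```java
import okhttp3.HttpUrl;
import java.util.List;

public class UserIdPathEncodingCheck {
    // Constructed base URL; example.invalid is a placeholder tenant domain.
    static final HttpUrl BASE = HttpUrl.parse("https://tenant.example.invalid/");

    // Pattern reported for methods 1-6: the ID is split on '/' into several segments.
    static HttpUrl buggy(String userId) {
        return BASE.newBuilder()
                .addPathSegments("api/v2/users")
                .addPathSegments(userId)
                .addPathSegment("roles")
                .build();
    }

    // Proposed pattern: the ID is one segment and '/' inside it is percent-encoded.
    static HttpUrl fixed(String userId) {
        return BASE.newBuilder()
                .addPathSegments("api/v2/users")
                .addPathSegment(userId)
                .addPathSegment("roles")
                .build();
    }

    // The path must decode to exactly: api, v2, users, <userId>, roles.
    // pathSegments() returns decoded segments, so the ID must round-trip unchanged.
    static boolean idIsSingleSegment(HttpUrl url, String userId) {
        List<String> segments = url.pathSegments();
        return segments.size() == 5 && segments.get(3).equals(userId);
    }

    public static void main(String[] args) {
        // Constructed sample IDs; the second is the one used in the post.
        List<String> ids = List.of(
                "auth0|abc123", "google-oauth2|123456/789", "samlp|corp/jane doe");
        for (String id : ids) {
            for (HttpUrl url : List.of(buggy(id), fixed(id))) {
                // Columns: user ID, whether it stayed one segment, encoded request path.
                System.out.printf("%-26s %-5b %s%n",
                        id, idIsSingleSegment(url, id), url.encodedPath());
            }
        }
    }
}
```

The idIsSingleSegment check can be reused as a regression test for any method that places a caller-supplied ID in a URL path, since a split ID means the request addresses a different resource path than the one intended.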

Hi there!

Welcome to the Auth0 Community!

Thank you for creating this feedback card. Please make sure to upvote it so that it gets as many votes as possible and attracts as many community members as possible.

Thanks
Dawid