UsersEntity incorrectly handles user ID encoding in multiple methods in Java library

ignatrozhko · September 23, 2025, 9:04am

Multiple methods in UsersEntity.java incorrectly handle user ID parameters when constructing API URLs. This causes failures when user IDs contain forward slashes or other special characters that require URL encoding.

Affected Methods

listPermissions(String userId, PageFilter filter) - uses addPathSegments(userId)
removePermissions(String userId, List<Permission> permissions) - uses addPathSegments(userId)
addPermissions(String userId, List<Permission> permissions) - uses addPathSegments(userId)
listRoles(String userId, PageFilter filter) - uses addPathSegments(userId)
removeRoles(String userId, List<String> roleIds) - uses addPathSegments(userId)
addRoles(String userId, List<String> roleIds) - uses addPathSegments(userId)
deleteAllAuthenticators(String userId) - uses String.format("api/v2/users/%s/authenticators", userId)

Technical Details

Two distinct URL construction issues are present:

Methods 1-6: Use addPathSegments() which treats the input as pre-separated path segments and does not encode forward slashes, when they should use addPathSegment() which properly encodes special characters.
Method 7: Uses String.format("api/v2/users/%s/authenticators", userId) inside withPathSegments(), which provides no URL encoding and then treats the result as multiple segments.

Code Example

From deleteAllAuthenticators:

return voidRequest(HttpMethod.DELETE, RequestBuilder<Void> builder -> 
    builder.withPathSegments(String.format("api/v2/users/%s/authenticators", userId)));

This should be:

return voidRequest(HttpMethod.DELETE, RequestBuilder<Void> builder -> 
    builder.addPathSegments("api/v2/users")
           .addPathSegment(userId)
           .addPathSegment("authenticators"));

Example Failure

For a user ID like google-oauth2|123456/789:

Current implementation produces: /api/v2/users/google-oauth2%7C123456/789/roles
Correct encoding should be: /api/v2/users/google-oauth2%7C123456%2F789/roles

Proposed Solution

For methods 1-6: Replace addPathSegments(userId) with addPathSegment(userId)
For method 7: Replace the String.format() approach with proper URL builder methods using addPathSegment(userId)

This change would align these methods with others in the same class that correctly handle user IDs, such as get(), delete(), update(), etc.

dawid.matuszczyk · September 30, 2025, 9:54pm

Hi there!

Welcome to the Auth0 Community!

Thank you for creating this feedback card. Please make sure to upvote it so that it gets as many votes as possible and attracts as many community members as possible.

Thanks
Dawid

Topic		Replies	Views
Path error when trying to create (assign) permissions to a user via the management api Get Help auth0 , api , management-api	5	3133	May 19, 2021
Delete user with space in ID Get Help user-creation , delete-user , user , delete , user-id	3	4198	July 25, 2019
Object didn't pass validation for format user-id: 5bcdd68e49b84629ca644761, "errorCode":"invalid_uri" Get Help	2	15727	November 21, 2018
Updating users via Management API in Ruby fails because user IDs contain "\|" characters Get Help management-api , users	2	1016	February 8, 2023
User Search with multiple user_ids not working Get Help management-api , user-id , search	4	5455	March 2, 2018