feat(jwt): support AIH-issued JWT token validation

Enhance JWT validation to properly extract project ID from
Agentic Identity Hub (AIH) issued tokens.

The issuer format for AIH tokens is:
https://api.descope.com/v1/apps/agentic/{projectId}/{resourceId}

Previously, using .pop() on the split issuer would incorrectly
extract the resourceId instead of the projectId, causing validation
to fail.

This change implements smart project ID extraction that supports:
1. Direct project ID: "project-id"
2. Standard URL format: "https://api.descope.com/v1/{projectId}"
3. AIH format: "https://api.descope.com/v1/apps/agentic/{projectId}/{resourceId}"

The fix checks for the presence of 'agentic' in the issuer path and
extracts the segment immediately following it as the project ID,
ensuring correct validation for AIH-issued tokens.

Tests added for both valid and invalid AIH issuer formats.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: talaharoni

lib/index.test.ts

@@ -13,7 +13,9 @@ import { getCookieValue } from './helpers';
 
 let validToken: string;
 let validTokenIssuerURL: string;
+let validTokenAIHIssuer: string;
 let invalidTokenIssuer: string;
+let invalidTokenAIHIssuer: string;
 let expiredToken: string;
 let publicKeys: JWK;
 // Audience-specific tokens
@@ -70,12 +72,24 @@ describe('sdk', () => {
       .setIssuer('https://descope.com/bla/project-id')
       .setExpirationTime(1981398111)
       .sign(privateKey);
+    validTokenAIHIssuer = await new SignJWT({})
+      .setProtectedHeader({ alg: 'ES384', kid: '0ad99869f2d4e57f3f71c68300ba84fa' })
+      .setIssuedAt()
+      .setIssuer('https://api.descope.com/v1/apps/agentic/project-id/resource-id-123')
+      .setExpirationTime(1981398111)
+      .sign(privateKey);
     invalidTokenIssuer = await new SignJWT({})
       .setProtectedHeader({ alg: 'ES384', kid: '0ad99869f2d4e57f3f71c68300ba84fa' })
       .setIssuedAt()
       .setIssuer('https://descope.com/bla/bla')
       .setExpirationTime(1981398111)
       .sign(privateKey);
+    invalidTokenAIHIssuer = await new SignJWT({})
+      .setProtectedHeader({ alg: 'ES384', kid: '0ad99869f2d4e57f3f71c68300ba84fa' })
+      .setIssuedAt()
+      .setIssuer('https://api.descope.com/v1/apps/agentic/wrong-project/resource-id')
+      .setExpirationTime(1981398111)
+      .sign(privateKey);
     expiredToken = await new SignJWT({})
       .setProtectedHeader({ alg: 'ES384', kid: '0ad99869f2d4e57f3f71c68300ba84fa' })
       .setIssuedAt(1181398100)
@@ -134,12 +148,28 @@ describe('sdk', () => {
       });
     });
 
+    it('should return the token payload when issuer is AIH format and valid', async () => {
+      const resp = await sdk.validateJwt(validTokenAIHIssuer);
+      expect(resp).toMatchObject({
+        token: {
+          exp: 1981398111,
+          iss: 'project-id',
+        },
+      });
+    });
+
     it('should reject with a proper error message when token issuer invalid', async () => {
       await expect(sdk.validateJwt(invalidTokenIssuer)).rejects.toThrow(
         'unexpected "iss" claim value',
       );
     });
 
+    it('should reject with a proper error message when AIH token issuer invalid', async () => {
+      await expect(sdk.validateJwt(invalidTokenAIHIssuer)).rejects.toThrow(
+        'unexpected "iss" claim value',
+      );
+    });
+
     it('should reject with a proper error message when token expired', async () => {
       await expect(sdk.validateJwt(expiredToken)).rejects.toThrow(
         '"exp" claim timestamp check failed',

lib/index.ts

@@ -184,14 +184,42 @@ const nodeSdk = ({
       const token = res.payload;
 
       if (token) {
-        token.iss = token.iss?.split('/').pop(); // support both url and project id as issuer
-        if (token.iss !== projectId) {
-          // We must do the verification here, since issuer can be either project ID or URL
-          throw new errors.JWTClaimValidationFailed(
-            'unexpected "iss" claim value',
-            'iss',
-            'check_failed',
-          );
+        // Extract project ID from issuer claim
+        // Supports:
+        // 1. Direct project ID: "project-id"
+        // 2. Standard URL format: "https://api.descope.com/v1/{projectId}"
+        // 3. AIH format: "https://api.descope.com/v1/apps/agentic/{projectId}/{resourceId}"
+        const issuer = token.iss;
+        if (issuer) {
+          const parts = issuer.split('/');
+          let extractedProjectId: string;
+
+          if (parts.length === 1) {
+            // Case 1: Direct project ID
+            extractedProjectId = issuer;
+          } else {
+            // Cases 2 and 3: URL format
+            // Check if this is an AIH issuer (contains '/apps/agentic/')
+            const agenticIndex = parts.indexOf('agentic');
+            if (agenticIndex !== -1 && agenticIndex < parts.length - 1) {
+              // AIH format: project ID is right after 'agentic'
+              extractedProjectId = parts[agenticIndex + 1];
+            } else {
+              // Standard URL format: project ID is the last segment
+              extractedProjectId = parts[parts.length - 1];
+            }
+          }
+
+          token.iss = extractedProjectId;
+
+          if (token.iss !== projectId) {
+            // We must do the verification here, since issuer can be either project ID or URL
+            throw new errors.JWTClaimValidationFailed(
+              'unexpected "iss" claim value',
+              'iss',
+              'check_failed',
+            );
+          }
         }
       }