
UsersEntity incorrectly handles user ID encoding in multiple methods #764

@IgnatRozhkoTR

Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

Multiple methods in UsersEntity.java incorrectly handle user ID parameters when constructing API URLs. This causes failures when user IDs contain forward slashes or other special characters that require URL encoding.

Affected Methods

Based on code review, the following methods are affected:

  1. listPermissions(String userId, PageFilter filter) - uses addPathSegments(userId)
  2. removePermissions(String userId, List<Permission> permissions) - uses addPathSegments(userId)
  3. addPermissions(String userId, List<Permission> permissions) - uses addPathSegments(userId)
  4. listRoles(String userId, PageFilter filter) - uses addPathSegments(userId)
  5. removeRoles(String userId, List<String> roleIds) - uses addPathSegments(userId)
  6. addRoles(String userId, List<String> roleIds) - uses addPathSegments(userId)
  7. deleteAllAuthenticators(String userId) - uses String.format("api/v2/users/%s/authenticators", userId)

Technical Details

Two distinct URL construction issues are present:

Methods 1-6: Use addPathSegments(), which treats the input as pre-separated path segments and does not encode forward slashes; they should use addPathSegment(), which treats the value as a single segment and percent-encodes special characters.

Method 7: Uses String.format("api/v2/users/%s/authenticators", userId) inside withPathSegments(), which provides no URL encoding and then treats the result as multiple segments.

Proposed Solution

For methods 1-6: Replace addPathSegments(userId) with addPathSegment(userId)

For method 7: Replace the String.format() approach with proper URL builder methods using addPathSegment(userId)

This change would align these methods with others in the same class that correctly handle user IDs, such as get(), delete(), update(), and getEnrollments().

Reproduction

Steps to Reproduce

  1. Create a user with an ID containing a forward slash (common with social providers like Google OAuth2)
  2. Attempt to call any of the affected methods with such a user ID

Example Code to Reproduce

import java.util.Arrays;
import com.auth0.client.mgmt.ManagementAPI;
import com.auth0.client.mgmt.filter.PageFilter;

ManagementAPI mgmt = ManagementAPI.newBuilder("{DOMAIN}", "{API_TOKEN}").build();

// User ID with forward slash (example from Google OAuth2)
String userId = "google-oauth2|123456/789";

// Each of these fails with 404 or hits the wrong endpoint because the slash is not encoded
mgmt.users().addRoles(userId, Arrays.asList("role_id")).execute();
mgmt.users().listPermissions(userId, new PageFilter()).execute();
mgmt.users().deleteAllAuthenticators(userId).execute();

Expected Result

API call should succeed with the user ID properly encoded as:
/api/v2/users/google-oauth2%7C123456%2F789/roles

Actual Result

API call fails because the URL is incorrectly constructed as:
/api/v2/users/google-oauth2%7C123456/789/roles

The forward slash is not encoded, causing it to be interpreted as a path separator rather than part of the user ID.
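To make the difference between the two URL-building styles concrete, here is an added, stand-alone example that is not part of this issue or of the auth0-java code base. It uses OkHttp's HttpUrl.Builder directly (auth0-java's RequestBuilder wraps it, and okhttp3 is already on the classpath of any auth0-java project) to build the same paths three ways: the addPathSegments() pattern of methods 1-6, the addPathSegment() pattern proposed as the fix, and the String.format() pattern of deleteAllAuthenticators(). The tenant host is a constructed placeholder. The resulting paths are the ones shown under "Expected Result" and "Actual Result" above, and the last helper is the kind of invariant a unit test in the fix could assert.

```java
import okhttp3.HttpUrl;

public class UserIdPathEncoding {

    // Constructed placeholder tenant; only the path matters here.
    private static final HttpUrl BASE = HttpUrl.get("https://tenant.example.auth0.com");

    // Current behaviour of methods 1-6: the ID is split on '/' into separate segments.
    static String withAddPathSegments(String userId) {
        return BASE.newBuilder()
                .addPathSegments("api/v2/users")
                .addPathSegments(userId)
                .addPathSegment("roles")
                .build()
                .encodedPath();
    }

    // Proposed fix: the ID is one segment, so '/' and '|' are percent-encoded.
    static String withAddPathSegment(String userId) {
        return BASE.newBuilder()
                .addPathSegments("api/v2/users")
                .addPathSegment(userId)
                .addPathSegment("roles")
                .build()
                .encodedPath();
    }

    // Current behaviour of deleteAllAuthenticators: format first, then split the whole string.
    static String withStringFormat(String userId) {
        return BASE.newBuilder()
                .addPathSegments(String.format("api/v2/users/%s/authenticators", userId))
                .build()
                .encodedPath();
    }

    // Invariant worth asserting in a regression test: the decoded user ID must be
    // exactly one path segment of the built URL, whatever characters it contains.
    static boolean userIdIsSingleSegment(HttpUrl url, String userId) {
        return url.pathSegments().contains(userId);
    }

    public static void main(String[] args) {
        String userId = "google-oauth2|123456/789";

        System.out.println("addPathSegments: " + withAddPathSegments(userId));
        System.out.println("addPathSegment:  " + withAddPathSegment(userId));
        System.out.println("String.format:   " + withStringFormat(userId));

        HttpUrl broken = BASE.newBuilder()
                .addPathSegments("api/v2/users").addPathSegments(userId).addPathSegment("roles").build();
        HttpUrl fixed = BASE.newBuilder()
                .addPathSegments("api/v2/users").addPathSegment(userId).addPathSegment("roles").build();

        System.out.println("ID intact (addPathSegments): " + userIdIsSingleSegment(broken, userId));
        System.out.println("ID intact (addPathSegment):  " + userIdIsSingleSegment(fixed, userId));
    }
}
```

Compile with okhttp3 on the classpath (for example the version auth0-java 2.24.0 depends on) and run the main method. The userIdIsSingleSegment check is the useful part for the fix: it is false for the addPathSegments() and String.format() variants and true for the addPathSegment() variant, so a test built on it catches any future method that regresses to the segment-splitting form.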

Current Implementation

Example from listPermissions:
[Screenshot of the listPermissions implementation; not reproduced in text]

Example from deleteAllAuthenticators:

return voidRequest(HttpMethod.DELETE, (RequestBuilder<Void> builder) ->
    // No encoding is applied to userId, and the formatted string is then split on '/'
    builder.withPathSegments(String.format("api/v2/users/%s/authenticators", userId)));

Additional context

No response

auth0-java version

2.24.0

Java version

17

Metadata

Labels: bug (This points to a verified bug in the code)