Auth0-js v9 - popup authorize - invalid issuer problem

Hi everyone,

I am trying to migrate to the brand new OIDC flow, switched to the latest v9.2.2 auth-js version and modified the requested parameters, but unfortunately I am stuck with a mysterious error message.

WebAuth instance is initialized with proper domain & clientID as far as I know.

My request is:
webAuth.popup.authorize({
  clientID: '{YOUR_CLIENT_ID}', // placeholder: the value was omitted from the original post
  connection: "google-oauth2",
  device: "webapp",
  nonce: "_x1imhEtnDwZQmz8", // this is a random string
  redirectUri: "http://localhost:8088/#//",
  responseType: "id_token token",
  scope: "openid offline_access",
  state: "{\"page\":\"login\"}"
});

(I have also tried without “openid” scope, i got the same error.)

I got the following response:
{code: "invalid_token", description: "Issuer https://hektor-test.eu.auth0.com/ is not valid.", original: Object{error: "invalid_token", errorDescription: "Issuer https://hektor-test.eu.auth0.com/ is not valid."}}

What am I missing?

Any help is appreciated, thank you!! :slight_smile:


@hektor-test Are you using an OIDC conformant client? Which request is triggering the error? Do you get an id token and access token from the authentication request? If so, could you decode them in https://jwt.io/ and share the iss values?

Dear Ricardo:

Yes, I am using an OIDC conformant client (Client – Advanced Settings etc).

That request triggers the error I have already mentioned: webAuth.popup.authorize().

I do not get any response, only the error message above.

Since then I have tried the following:

Do you have any idea what I should try?

Additional info: if I remove "id_token" from the response type, I do get a response, but it includes only the access token. Is it possible to acquire an id_token this way?

Many thanks!!

Can you check your rules (and also try authenticating with all disabled) to see if any of them are the source of the issue?

Can you also try adding the audience with the value https://hektor-test.eu.auth0.com/userinfo in the WebAuth initialization, instead of putting all the attributes in the authorize request? Something like:

var webAuth = new auth0.WebAuth({
  domain: 'hektor-test.eu.auth0.com', // no leading or trailing whitespace in the domain
  clientID: '{YOUR_CLIENT_ID}',
  audience: 'https://hektor-test.eu.auth0.com/userinfo',
  redirectUri: 'http://localhost:8088/#//',
  scope: 'openid offline_access',
  responseType: 'token id_token'
});

(…)

webAuth.popup.authorize({
  connection: "google-oauth2",
  device: "webapp",
  nonce: "_x1imhEtnDwZQmz8",
  state: "{\"page\":\"login\"}"
});

You can also create a custom API and use it as the audience (this will allow you to get a JWT access token), see this for more info: APIs

Dear Ricardo,

thank you again for the tips.

I have disabled all the rules, just to be sure.
I have moved all the relevant settings in the initialization section of webAuth.

Now it looks all like this:
webAuth0 = new auth0.WebAuth({
  domain: "hektor-test.eu.auth0.com",
  clientID: "{YOUR_CLIENT_ID}", // placeholder: the value was omitted from the original post
  audience: "https://hektor-test.eu.auth0.com/userinfo",
  redirectUri: "http://localhost:8088/#/pub/sign_up",
  scope: "openid offline_access"
});

After this, I call:
webAuth0.popup.authorize({
  connection: "google-oauth2",
  device: "webapp",
  state: "{\"page\":\"login\"}",
  nonce: "ATVJQ0TvNCobCg1k"
});

Unfortunately all this leads to the very same known error message :frowning:

All I have discovered is that after initialization auth0.WebAuth() adds the token_issuer value to my init object, and its value is always “https://hektor-test.eu.auth0.com”, no matter what :S

Okay, I have found another interesting piece:

If I try to authorize without the popup, it works!!
So if I call: webAuth0.authorize() instead of webAuth0.popup.authorize(), everything works fine.

Should I assume that there is a bug in the auth0-js library itself?

I have the same problem.
When requesting the id_token, the token_issuer validation fails. In the options, the token_issuer has one too many ‘/’ (“https://aymeric-apcurium.auth0.com//”) whereas in the jwt, the issuer has the proper value (“https://aymeric-apcurium.auth0.com/”)

Is this a known bug? I don’t know how to retrieve the id_token at the moment.
Note that when only requesting the token but not the id_token, the authentication works… :frowning:

Hello, I’m not sure if this is still an issue for folks participating in the thread above, but since the question is unresolved, here is the likely reason:

The invalid issuer error is likely being caused by mismatched Auth0 configurations between the static popup callback HTML page and the rest of the Auth0 configurations in the front end and/or API. If changes were made to the configuration that the front end uses and the same changes were not made to the static popup-closing HTML page’s instance of WebAuth, then this error is the result of that mismatch. (It’s tricky to debug because the issuer looks correct in a console error.) If you’re running into this error, I would recommend going through all places in your application stack where you’re defining your Auth0 credentials and ensuring they are ALL consistent. These places might include:

  • front end app (WebAuth instance using Auth0 domain and client ID)
  • backend API configuration for verifying secure requests (middleware using Auth0 domain)
  • popup close static HTML page (WebAuth instance using Auth0 domain and client ID)
