The process.env.SERVER_URL matches the audience of the protected server.
API is using RS256 signing algorithm
The access code that is produced is valid when I check with jwt.io. It is not expired, the “iss” matches the Auth0 domain, the API audience is included in the “aud” array.
I’m pretty lost as to what to try next, so any help is appreciated.
We’re running into a similar issue but only when deploying the API with IISNode on a Windows IIS server.
We’re using the same RS256 signing algo and have confirmed that this works via localhost.
The problem comes up when we host it with a domain name served to us via the IIS Server, and try to access a protected API route using the domain name.
When running a localhost version of said API and trying to hit it via http://localhost:3001, it accepts the token and makes the authentication call.
hey past me. I’m writing this response in case future me forgets and comes back here, a third time. or in case someone else has this issue w/ IISNode in their hosting stack.
Root Issue
we have our IIS node looking at a specific build folder, but our custom web.config was kept in the src directory and not part of the build process.
Solution
move the web.config over.
And in case your issue is on the config stuff; we had to update our location node’s system.webServer child-node to add an iisnode handler. that’s all I’ll say on the matter.
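A pre-deploy check for the failure described in the last post, as an added example that is not code from this thread or from iisnode: it confirms that the folder IIS serves contains a web.config with an iisnode handler under system.webServer. The function name, the `api` location path and the `server.js` entry point are assumptions; use your own values.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Returns a list of problems; an empty list means the folder IIS serves
// carries a web.config that routes requests to iisnode.
function checkIisnodeConfig(buildDir) {
  const file = path.join(buildDir, "web.config");
  if (!fs.existsSync(file)) return ["web.config is missing from " + buildDir];
  // Drop XML comments so a commented-out handler does not count.
  const xml = fs.readFileSync(file, "utf8").replace(/<!--[\s\S]*?-->/g, "");
  const sections = [...xml.matchAll(/<system\.webServer>([\s\S]*?)<\/system\.webServer>/g)];
  if (sections.length === 0) return ["web.config has no <system.webServer> section"];
  const hasHandler = sections.some((s) => {
    const handlers = s[1].match(/<handlers>([\s\S]*?)<\/handlers>/);
    return handlers !== null && /<add\b[^>]*\bmodules\s*=\s*"iisnode"/i.test(handlers[1]);
  });
  return hasHandler ? [] : ["no iisnode handler under <system.webServer>/<handlers>"];
}

// Constructed sample; the location path and entry script are assumptions.
const SAMPLE_WEB_CONFIG = `<configuration>
  <location path="api">
    <system.webServer>
      <handlers>
        <add name="iisnode" path="server.js" verb="*" modules="iisnode" />
      </handlers>
    </system.webServer>
  </location>
</configuration>`;

// Builds three throwaway build folders and runs the check on each.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "iisnode-check-"));
  const run = (name, content) => {
    const dir = path.join(root, name);
    fs.mkdirSync(dir);
    if (content !== null) fs.writeFileSync(path.join(dir, "web.config"), content);
    return checkIisnodeConfig(dir);
  };
  const result = {
    missing: run("missing", null), // web.config left behind in src
    commented: run("commented", SAMPLE_WEB_CONFIG.replace(/(<add [^>]*\/>)/, "<!-- $1 -->")),
    good: run("good", SAMPLE_WEB_CONFIG),
  };
  fs.rmSync(root, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

Running it as the last step of the build, against the build output folder, fails the deploy before a web.config left in src can reach the server.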