We have an Angular 10 app front-end with a .NET 6 Web API backend. We are using Auth0 as the Authentication Provider. We’ve been having some clients complain (mainly on Safari browser) that they cannot log onto our app due to cross-site tracking being disabled. I read that using an Auth0 custom domain would help, as we could make it that our front-end, back-end and Auth0 are all on the same domain. So we upgraded to a paid license, and activated custom domain. However, when the user logs in now (using the new custom domain), and is redirected back to the web app after successfully logging in, as soon as the web app tries to make any calls to our API, the API returns a 401 Unauthorized response.
As far as I can see, nothing needed to be changed on the back-end API when we switched to using Auth0 custom domain. The only change that was required was on the front-end Angular app, where we had to update the “domain” to point to the new custom domain. The client id remains the same. I also whitelisted the new custom domain URL on Auth0 “allowed callback URL”, “allowed logout URL” and “allowed web origins”, just in case.
Any idea why the front-end receives a 401 Unauthorized response from our API whenever it tries to call it?
This can be due to a change in the `iss` claim inside the access token. Prior to custom domain it used to be a canonical domain provided by Auth0, but now it is your custom domain. If that is the case then simply update your API to look for your new custom domain as the trusted issuer.
So I updated Auth0:Domain in appsettings.json to point to the new custom domain, but it didn’t make a difference. Not sure if I maybe misunderstood your comment?
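A quick way to test the issuer explanation given in the answer above, as an added example that is not part of the original thread: decode the access token the Angular app sends and compare its `iss` claim with the issuer the API is configured to trust. The hostnames and the sample token are constructed, the exact-string comparison is an assumption about how the API validates the issuer, and the script only reads claims (it does not verify the signature).

```javascript
// Added diagnostic example (Node.js). Reads claims only; no signature check.

// Decode the payload segment of a JWT (base64url, unpadded).
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) {
    // An access token that is not a JWT cannot be validated as one by the API.
    throw new Error("not a three-part JWT; cannot read claims");
  }
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Compare the token's issuer with the issuer the API trusts.
// Assumption: the API compares the two strings exactly.
function checkIssuer(token, expectedIssuer) {
  const { iss, aud } = decodeJwtPayload(token);
  const result = { iss, aud, expectedIssuer, match: iss === expectedIssuer, hint: null };
  if (!result.match) {
    const strip = (s) => String(s).replace(/\/+$/, "");
    result.hint =
      strip(iss) === strip(expectedIssuer)
        ? "differs only by trailing slash"
        : "token was issued by a different domain than the API trusts";
  }
  return result;
}

// Build an unsigned sample token so the script runs offline (constructed data).
function makeSampleToken(claims) {
  const enc = (o) =>
    Buffer.from(JSON.stringify(o))
      .toString("base64")
      .replace(/\+/g, "-")
      .replace(/\//g, "_")
      .replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}

// Constructed case: token minted by a custom domain, API still trusting another host.
const sample = makeSampleToken({
  iss: "https://login.example.com/",
  aud: "https://api.example.com",
});
console.log(checkIssuer(sample, "https://old-tenant.example.net/"));
```

Run it against a real token copied from the `Authorization: Bearer` header of a failing request, passing the issuer value the API is actually configured with.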