ASP.NET Core 3 + Custom Domain = Invalid Issuer


I’ve followed the specific tutorial for setting up ASP.NET Core 3, and it works swimmingly with Auth0. Until I try to change my config “Auth0:Domain” setting to reflect the custom domain – then it throws an invalid issuer exception after redirecting to the application callback.

Any insights?

Thank you,

I should add – I’ve also verified that the custom domain is setup working, and passing the test portion successfully.

Hey there!

Can you share the link to the tutorial? Thanks!

I’d prefer if you would ask more specific troubleshooting questions.

The following should be enough to identify which tutorials I should be using, and to identify what steps I should be taking, or what I may have missed.

"ASP.NET Core 3 MVC App + Custom Domain = Invalid Issuer"

I’ll leave it to you to find the correct tutorials, as you are an Auth0 Senior Community Engineer.

Additionally, if this is the wrong avenue for a paying customer to expect to find more proactive troubleshooting, then please let me know. I will lower my expectations of this forum, and rely on official support channels.

If you are a paying customer Phil, then you should open a support ticket using our Support Center to get quicker support for your issue. You can find it here:

I already did that, prior to posting here. I had hoped for a quicker response here. Alas, to no avail.

Additionally, you took the time to direct me to official support channels, and completely dodged my request. I’m not sure what the role of an Auth0 Senior Community Engineer is, but I feel like the title should have higher expectations placed on it.

Hey there Phil!

As I was finishing my day (I’m not based in US), directing you towards our support center as you are a paying customer was in my opinion the most reliable way of support I could provide at that time.

I asked about thee tutorial you used as I wanted to reproduce all the steps with the tutorial and track where the issue is. Let me know if someone from our developer support team already started working on it or if I should. Thank you!

Well, they started to. And then they stopped responding altogether. I’m having an increasing number of negative experiences with Auth0.

I’ll ping the person already working on your issue. Sorry for the inconvenience!

Konrad, you just closed my other topic regarding the inconsistent error models for login validation. So I was unable to reply.

Please stop asking me for information that is readily available to you. I’m thoroughly unimpressed with your support quality.

I just asked you and provided you with two ways of relaying as the feedback as there’s certainly the issue with our error messages. I would like to relay that to appropriate team but backing it up with specific examples that I asked you about. You haven’t been replying for a few days that’s why I guided you toward relaying that through our product feedback form. Thank you!

I’m telling you that you don’t need me to provide you with examples – you can look at the models I indicated yourselves and see exactly what I’m talking about.

So – do not wait for me to do your job. Please be proactive.

I had this same problem after implementing a custom domain. The fix for me was to set the TokenValidationParameters.ValidIssuer = [CUSTOM_DOMAIN] in the Startup.cs class of my web service app.

public void ConfigureServices(IServiceCollection services)
services.AddAuthentication(options =>
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
.AddJwtBearer(options =>
options.Authority = Configuration[“Auth0:Authority”];
options.Audience = Configuration[“Auth0:ApiIdentifier”];
options.TokenValidationParameters.ValidIssuer = Configuration[“Auth0:Issuer”];

Here is my appsettings.config for my server:
“AllowedHosts”: “*”,
“Auth0”: {
“Authority”: “[AUTH0_TENANT_DOMAIN]”, (i.e.
“Issuer”: “[CUSTOM_DOMAIN]”, (i.e.
“ApiIdentifier”: “[MY_API_DOMAIN]” (i.e.

IMPORTANT! => I had to include a trailing “/” in the URL for my custom domain like this:". You can verify if you need a trailing “/” by looking at the ISS value found in the bearer token (@ or passed during the call to your web service.

1 Like

Thanks for sharing it with the rest of community!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.