
auth0-js v9 - popup authorize - invalid issuer problem

Tags: social, popup, authorize, invalid, invalid_token

#1

Hi everyone,

I am trying to migrate to the brand new OIDC flow, switched to the latest v9.2.2 auth-js version and modified the requested parameters, but unfortunately I am stuck with a mysterious error message.

WebAuth instance is initialized with proper domain & clientID as far as I know.

My request is:

    webAuth.popup.authorize({
      clientID: YOUR_CLIENT_ID,          // value omitted in the original post
      connection: "google-oauth2",
      device: "webapp",
      nonce: "_x1imhEtnDwZQmz8",         // this is a random string
      redirectUri: "http://localhost:8088/#//",
      responseType: "id_token token",
      scope: "openid offline_access",
      state: "{\"page\":\"login\"}"
    });

(I have also tried without “openid” scope, i got the same error.)

I got the following response:

    {
      code: "invalid_token",
      description: "Issuer https://hektor-test.eu.auth0.com/ is not valid.",
      original: Object {
        error: "invalid_token",
        errorDescription: "Issuer https://hektor-test.eu.auth0.com/ is not valid."
      }
    }

What am I missing?

Any help is appreciated, thank you!! :slight_smile:


#2

@hektor-test Are you using an OIDC conformant client? Which request is triggering the error? Do you get an id token and access token from the authentication request? If so, could you decode them in https://jwt.io/ and share the iss values?


#3

Dear Ricardo:

Yes, I am using an OIDC conformant client (Client – Advanced Settings etc).

That request triggers the error that I have already mentioned: webAuth.popup.authorize().

I do not get any response, but the error message above.

Since then I have tried the following:

Do you have any idea what I should try?


#4

Additional info: if I remove the “id_token” from response type, I do get a response, but it includes only the access token. Is it possible to acquire an id_token this way?

Many thanks!!


#5

Can you check your rules (and also try authenticating with all disabled) to see if any of them are the source of the issue?

Can you also try adding the audience with the value https://hektor-test.eu.auth0.com/userinfo in the WebAuth initialization, instead of putting all the attributes in the authorize request? Something like:

    var webAuth = new auth0.WebAuth({
      domain: 'hektor-test.eu.auth0.com',   // no leading whitespace in the domain
      clientID: {YOUR_CLIENT_ID},
      audience: 'https://hektor-test.eu.auth0.com/userinfo',
      redirectUri: 'http://localhost:8088/#//',
      scope: 'openid offline_access',
      responseType: 'token id_token'
    });

(…)

    webAuth.popup.authorize({
      connection: "google-oauth2",
      device: "webapp",
      nonce: "_x1imhEtnDwZQmz8",
      state: "{\"page\":\"login\"}"
    });

You can also create a custom API and use it as the audience (this will allow you to get a JWT access token), see this for more info: https://auth0.com/docs/apis#how-to-configure-an-api-in-auth0


#6

Dear Ricardo,

thank you again for the tips.

I have disabled all the rules, just to be sure.
I have moved all the relevant settings in the initialization section of webAuth.

Now it all looks like this:

    webAuth0 = new auth0.WebAuth({
      domain: "hektor-test.eu.auth0.com",
      clientID: YOUR_CLIENT_ID,          // value omitted in the original post
      audience: "https://hektor-test.eu.auth0.com/userinfo",
      redirectUri: "http://localhost:8088/#/pub/sign_up",
      scope: "openid offline_access"
    });

After this, I call:

    webAuth0.popup.authorize({
      connection: "google-oauth2",
      device: "webapp",
      state: "{\"page\":\"login\"}",
      nonce: "ATVJQ0TvNCobCg1k"
    });

Unfortunately all this leads to the very same known error message :frowning:

All I have discovered is that, after the initialization, auth0.WebAuth() adds a token_issuer value to my init object, and its value is always “https://hektor-test.eu.auth0.com”, no matter what :S


#7

Okay, I have found another interesting piece:

If I try to authorize without the popup, it works!!
So if I call: webAuth0.authorize() instead of webAuth0.popup.authorize(), everything works fine.

Should I assume that there is a bug in the auth0-js library itself?


#8

I have the same problem.
When requesting the id_token, the token_issuer validation fails. In the options, the token_issuer has one too many ‘/’ (“https://aymeric-apcurium.auth0.com//”) whereas in the jwt, the issuer has the proper value (“https://aymeric-apcurium.auth0.com/”)

Is this a known bug? I don’t know how to retrieve the id_token at the moment.
Note that when only requesting the token but not the id_token, the authentication works… :frowning:
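To make the failure in this thread concrete, here is an added example (written for this page, not code from the thread or from the auth0-js library) that does what post #2 asks for by hand: decode the id_token payload, read its iss claim, and compare it byte-for-byte with the issuer the client was configured with. It builds a constructed, unsigned token for the tenant named in the thread so it runs offline; the iss value, sub and aud are constructed. It shows that a configured issuer of https://hektor-test.eu.auth0.com// (the doubled slash post #8 observed) is rejected against a token whose iss is https://hektor-test.eu.auth0.com/, and that deriving the issuer from the domain with exactly one trailing slash passes. Signature verification is out of scope here and must still be done by the library before any claim is trusted.

```javascript
// Added example, not part of the original thread or of auth0-js.
// Minimal base64url helpers so the example has no dependencies.
function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(str) {
  let b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Build a constructed, unsigned token (alg "none") purely so the example runs offline.
// A real id_token is signed by the tenant and must be verified before use.
function makeUnsignedToken(payload) {
  const header = { alg: 'none', typ: 'JWT' };
  return base64UrlEncode(JSON.stringify(header)) + '.' +
         base64UrlEncode(JSON.stringify(payload)) + '.';
}

// Decode only the payload segment of a compact JWT (no verification), as jwt.io does.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// The issuer an Auth0 tenant puts in its tokens: https://<domain>/ with exactly
// one trailing slash. Any scheme or extra slashes on the input are normalised away.
function expectedIssuer(domain) {
  const host = domain.trim().replace(/^https?:\/\//, '').replace(/\/+$/, '');
  return 'https://' + host + '/';
}

// Strict issuer check as an OIDC relying party performs it: the configured issuer
// and the iss claim must be identical strings. Returns both values so a caller can
// log the mismatch instead of only seeing "Issuer ... is not valid".
function checkIssuer(token, configuredIssuer) {
  const tokenIssuer = decodeJwtPayload(token).iss;
  return {
    ok: tokenIssuer === configuredIssuer,
    tokenIssuer: tokenIssuer,
    configuredIssuer: configuredIssuer,
  };
}

// Demo of the situation in the thread, with constructed claim values.
const demoToken = makeUnsignedToken({
  iss: 'https://hektor-test.eu.auth0.com/',   // what the tenant actually issues
  sub: 'google-oauth2|constructed-user-id',    // constructed
  aud: 'YOUR_CLIENT_ID',                       // placeholder
  nonce: '_x1imhEtnDwZQmz8',
});

console.log(checkIssuer(demoToken, 'https://hektor-test.eu.auth0.com//'));          // ok: false
console.log(checkIssuer(demoToken, expectedIssuer('hektor-test.eu.auth0.com')));    // ok: true
```

The useful part for debugging is that checkIssuer returns both strings: when the library only reports that the issuer "is not valid", printing tokenIssuer next to configuredIssuer makes a stray slash or whitespace visible immediately. Note that the comparison is left strict on purpose; loosening it to tolerate trailing slashes would weaken the issuer check rather than fix the configuration.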