Back-channel JWT decoded error

edgar.saavedra · December 8, 2023, 2:24am

Hello, I am configuring the back-channel and in my code (node.js 18.x) I am trying to decode the JWT that I receive through the request (logout_token), I am having problems with the “issuer”.
I am dealing with the two urls of auth0:

issuer: custom domain
issuer: https://{organization}.{code}.auth0.com

 // get remote key set for token verification
    const JWKS = jose.createRemoteJWKSet(
      new URL(`https://${process.env.ISSUER_URL}/.well-known/jwks.json`)
    );

    const { payload } = await jose.jwtVerify(logoutToken, JWKS, {
      issuer: process.env.ISSUER_URL + '/',
      audience: process.env.CLIENT_ID,
      typ: 'JWT',
      maxTokenAge: '2 minutes'
    });

and this is the error:

Error on back channel logout:  JWTClaimValidationFailed: unexpected "iss" claim value.
code: 'ERR_JWT_CLAIM_VALIDATION_FAILED',
claim: 'iss',
reason: 'check_failed'

tyf · December 8, 2023, 11:04pm

Hey @edgar.saavedra welcome to the community!

While I’m not super familiar with this particular flow, the error is typically related to a misconfiguration or mismatch of the issuer values. The issuer claim in the token needs to match the issuer you are setting in your code. In this case it should most likely be your custom domain in both places.

edgar.saavedra · December 9, 2023, 12:33am

Thanks for the info, I have already reviewed it and indeed the custom domain has to go in both if it is enabled.

system · December 23, 2023, 12:33am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.