Back-channel JWT decoded error

Hello, I am configuring the back-channel and in my code (Node.js 18.x) I am trying to decode the JWT that I receive through the request (logout_token). I am having problems with the “issuer”.
I am dealing with the two URLs of Auth0:

issuer: custom domain
issuer: https://{organization}.{code}.auth0.com

    // get remote key set for token verification
    const JWKS = jose.createRemoteJWKSet(
      new URL(`https://${process.env.ISSUER_URL}/.well-known/jwks.json`)
    );

    const { payload } = await jose.jwtVerify(logoutToken, JWKS, {
      issuer: process.env.ISSUER_URL + '/',
      audience: process.env.CLIENT_ID,
      typ: 'JWT',
      maxTokenAge: '2 minutes'
    });

and this is the error:

Error on back channel logout:  JWTClaimValidationFailed: unexpected "iss" claim value.
code: 'ERR_JWT_CLAIM_VALIDATION_FAILED',
claim: 'iss',
reason: 'check_failed'

Hey @edgar.saavedra welcome to the community!

While I’m not super familiar with this particular flow, the error is typically related to a misconfiguration or mismatch of the issuer values. The issuer claim in the token needs to match the issuer you are setting in your code. In this case, it should most likely be your custom domain in both places.

Thanks for the info, I have already reviewed it and indeed the custom domain has to go in both if it is enabled.
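
The issuer mismatch discussed in this thread can be narrowed down before changing configuration. The following is an added example, not code from the original posts or from Auth0: it reads the unverified `iss` claim of a logout token and reports how it differs from the value passed as the `issuer` option, which jose compares as an exact string. The function names and the `example.com` domains are hypothetical, and the sample token is constructed.

```javascript
// Diagnostic only: reads the UNVERIFIED "iss" claim to explain a mismatch.
// It does not check the signature; jose.jwtVerify must still gate the logout,
// and the unverified iss must never be used to pick a JWKS URL.

// Decode the payload segment of a compact JWT without verifying it.
function readUnverifiedIssuer(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  return payload.iss;
}

// Explain why `expected` (the configured issuer) differs from the token's iss.
function diagnoseIssuer(token, expected) {
  const iss = readUnverifiedIssuer(token);
  if (typeof iss !== 'string') return 'token has no string "iss" claim';
  if (iss === expected) return 'match';
  if (!/^https:\/\//.test(expected)) return 'expected issuer lacks the https:// scheme';
  if (iss.replace(/\/$/, '') === expected.replace(/\/$/, '')) return 'trailing slash differs';
  let tokenHost, expectedHost;
  try {
    tokenHost = new URL(iss).host;
    expectedHost = new URL(expected).host;
  } catch {
    return 'issuer is not a URL';
  }
  if (tokenHost !== expectedHost) {
    // Typical when a custom domain is enabled but the tenant domain is configured.
    return `host differs: token "${tokenHost}", expected "${expectedHost}"`;
  }
  return 'path differs';
}

// Constructed sample: placeholder signature, hypothetical custom domain as issuer.
function makeSampleToken(iss) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc({ iss, aud: 'client-id-placeholder' })}.sig`;
}

const sample = makeSampleToken('https://login.example.com/');
console.log(diagnoseIssuer(sample, 'https://tenant.example.com/')); // tenant domain configured
console.log(diagnoseIssuer(sample, 'login.example.com/'));          // scheme missing
console.log(diagnoseIssuer(sample, 'https://login.example.com'));   // slash missing
console.log(diagnoseIssuer(sample, 'https://login.example.com/'));  // exact match
```

Log the diagnosis server-side when `jwtVerify` throws `ERR_JWT_CLAIM_VALIDATION_FAILED` for `iss`, then fix the configured issuer rather than relaxing the check.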
