Last Updated: Nov 12, 2024
Overview
When the create/reset password link is used to log in for a user who is already logged in, Auth0 redirects to the Application Login URI value. When this occurs, an iss parameter is also added. Example:
https://domain/login?iss=https%3A%2F%2Fexample.auth0.com%2F
This URL triggers the configured Google Cloud Armor (third-party service) firewall rules and is blocked with a 403. This article clarifies whether the iss parameter can be omitted instead of disabling this firewall rule.
Prerequisites
- Use New Universal Login Experience
- Configure the default login route
Steps to Reproduce
(Capture the network logs while following the steps below)
- Request a password reset from the New Universal Login page (Forgot password?)
- Receive the email and click the password reset link.
- Input the new password. Click the Reset password button, then the Back to (application name) button.
- See the network logs and find the URL https://(default login route)?iss=(your tenant's domain)
Applies To
- Redirect URL
- Parameter in URL
- Exclude Parameter
Solution
The iss claim cannot be omitted.
The iss value is a hint to the relying party (the application) so that the app can identify which OIDC identity provider is requesting the login.
Refer to Initiating Login from a Third Party for more details.
In this instance, the firewall should be configured to ignore that value from the URL.
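As an added example (not Auth0's code or part of this article), the following shows how a relying party's default login route can consume the iss hint described above: decode it from the query string, accept it only if it names an issuer the app is configured to trust, and then build the authorization request against that issuer. The tenant name example.auth0.com, the client ID and the redirect URI are constructed placeholders.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed allowlist: the OIDC issuers this application trusts (placeholder tenant).
TRUSTED_ISSUERS = {"https://example.auth0.com/"}


def extract_iss(login_url: str) -> Optional[str]:
    """Return the percent-decoded iss query parameter, or None if it is absent or repeated."""
    values = parse_qs(urlparse(login_url).query).get("iss")
    if not values or len(values) != 1:
        return None
    return values[0]


def resolve_issuer(login_url: str) -> Optional[str]:
    """Return the iss value, normalised with a trailing slash, only if it is a trusted issuer.

    The iss parameter is only a hint from the IdP; the app must not follow it blindly,
    otherwise the login route could be pointed at an issuer it does not know.
    """
    iss = extract_iss(login_url)
    if iss is None:
        return None
    normalised = iss if iss.endswith("/") else iss + "/"
    return normalised if normalised in TRUSTED_ISSUERS else None


def build_authorize_url(login_url: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Build the authorization request for the issuer named by a trusted iss hint."""
    issuer = resolve_issuer(login_url)
    if issuer is None:
        raise ValueError("iss hint is missing or does not name a trusted issuer")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid profile",
        "state": state,
    }
    # Auth0 exposes the authorization endpoint at /authorize under the tenant domain.
    return f"{issuer}authorize?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed request: the URL from the Steps to Reproduce section above.
    incoming = "https://domain/login?iss=https%3A%2F%2Fexample.auth0.com%2F"
    print(build_authorize_url(incoming, "client-id-placeholder", "https://domain/callback", "abc123"))
```

A firewall rule that merely ignores the iss parameter lets this flow through, while the allowlist check keeps the app from redirecting users to an issuer it was never configured for.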