Can the 'iss' Parameter Be Excluded From the Redirect URL

Problem statement

When the create/reset password link is used to log in for a user who is already logged in, Auth0 redirects to the Application login URI value. When this occurs, there is also an iss parameter added. Example:


This URL is triggering the configured third party service Google Cloud Armour firewall rules and gets blocked with a 403. Instead of disabling this firewall rule, can the iss parameter be omitted?


The iss claim cannot be omitted.

The iss value is a hint to the relying party (the application) so that the app can identify which OIDC identity provider is requesting the login.

Refer to Initiating Login from a Third Party for more details.

In this instance, the firewall should be configured to ignore that value from the URL.