Configuring a token endpoint that is not exposed in an IdP's well-known discovery endpoint

Problem statement

Our Okta Workforce connection is throwing a JWKS_URI Error. This issue was the result of a misconfiguration. The IdP had a custom authorization and key endpoint that needed to be configured. However, we are now receiving an error due to the token not matching.

I see that there is nowhere in the Auth0 dashboard to configure a custom token endpoint like there is an issuer, authorization, and JWKS URL endpoint.

Any idea on how we can mitigate that? Would we need to use the OpenID Connect generic enterprise connection instead?

Solution

While it is uncommon for an IdP to require a token endpoint that is not exposed in your well-known discovery document (https://yourDomain.region.auth0.com/.well-known/jwks.json), the most configurable connection we have that could suit this use case is the Custom Social Connection.

In this case, you can specify a token endpoint with a Custom Social Connection (generic OAuth2 connection). When doing so, you will need to implement a script on the connection that retrieves the user's profile and returns it to Auth0.

See the documentation below for more details:
https://auth0.com/docs/authenticate/identity-providers/social-identity-providers/oauth2