We have 3 Tenants, Production, Staging and Development. Production uses a paid account for the custom domain feature, amongst others.
While upgrading our App (a React/Typescript SPA + Laravel BE API) we were using the default domains eg: foobar-test.uk.auth0.com and foobar-staging.uk.auth0.com and got the app working with Auth0.
But for Prod, we also made a custom domain, eg auth.foobar.app
In the FE we have:

```tsx
import { Auth0Provider } from '@auth0/auth0-react';
...
<Auth0Provider
  domain={auth0Domain}
  clientId={auth0ClientID}
  authorizationParams={{
    audience: `${auth0Audience}`,
    redirect_uri: `${window.location.protocol}//${window.location.host}/callback`
  }}>
  ...
</Auth0Provider>
```
and in the BE `.auth0.api.json`:

```json
{
  "id": "123abc123abc123abc123abc",
  "name": "Test App API",
  "identifier": "https://test.foobar.app/api",
  "signing_alg": "RS256",
  "allow_offline_access": true,
  "token_lifetime": 86400,
  "token_lifetime_for_web": 7200,
  "skip_consent_for_verifiable_first_party_clients": false
}
```
auth0Audience in FE matches “identifier” in BE .auth0.api.json
auth0Domain in FE is foobar-test.uk.auth0.com, foobar-staging.uk.auth0.com and auth.foobar.app for Dev, Staging and Prod respectively.
For Test and Staging, we get successful API calls returning data, but for Prod we get 401 unauthorised.
Reverting Prod to use default domain, eg: foobar.uk.auth0.com works.
One added complexity might be we are also using the Management API in the BE to retrieve user data.

```php
<?php
use Auth0\Laravel\Facade\Auth0;

$endpoint = Auth0::management()->users();
$profile = $endpoint->get($user['sub']);
$profile = Auth0::json($profile);
```
We’ve been through https://auth0.com/docs/customize/custom-domains/configure-features-to-use-custom-domains but it’s not obvious how it applies in our scenario and can’t figure out the root cause of the 401.
We’ve also been through https://github.com/auth0/laravel-auth0/blob/main/docs/Configuration.md and noticed there is a value called AUTH0_CUSTOM_DOMAIN but it’s not clear how this should be used when our configuration is via .auth0.api.json (and .auth0.app.json).
Any help on how to get this working for Prod/Custom Domain would be appreciated.
Also, it seems we have no way to test this without upgrading the Test or Staging Tenant to a paid service so we can use a custom domain there, which seems like overkill just for testing this. Is there any alternative way to test?
Many thanks.
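One check worth making before changing any configuration is whether the access token the SPA sends actually carries the issuer and audience the API is configured to validate: a token issued through a custom domain has that custom domain as its `iss`, so an API still validating against the default tenant domain will reject it. The script below is an added diagnostic, not code from the original post or from the Auth0 SDKs; it decodes the JWT payload without verifying the signature (inspection only, never a substitute for the SDK's verification) and reports mismatches. The token and the domain/audience values are constructed from the names used in the post.

```javascript
// Added diagnostic (not from the original post). Decodes a JWT payload WITHOUT
// verifying its signature, for inspection only, and compares the claims with
// the domain/identifier the backend API is configured to accept.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Compare iss/aud/exp with what the API expects; returns a list of problems.
// Auth0 issuers always carry a trailing slash, hence `https://${domain}/`.
function checkTokenClaims(token, { domain, audience }) {
  const payload = decodeJwtPayload(token);
  const expectedIss = `https://${domain}/`;
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  const problems = [];
  if (payload.iss !== expectedIss) problems.push(`iss is ${payload.iss}, expected ${expectedIss}`);
  if (!aud.includes(audience)) problems.push(`aud ${JSON.stringify(aud)} lacks ${audience}`);
  if (typeof payload.exp === 'number' && payload.exp * 1000 < Date.now()) problems.push('token expired');
  return { iss: payload.iss, aud, problems };
}

// Constructed sample token (dummy signature, not a real Auth0 token): minted via
// the custom domain, so its issuer is the custom domain rather than the tenant domain.
function makeSampleToken(payload) {
  const header = { alg: 'RS256', typ: 'JWT' };
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.dummy`;
}

const sampleToken = makeSampleToken({
  iss: 'https://auth.foobar.app/',
  aud: ['https://test.foobar.app/api'],
  exp: Math.floor(Date.now() / 1000) + 3600,
});

// Backend still configured for the default tenant domain: issuer mismatch shows up here.
console.log(checkTokenClaims(sampleToken, { domain: 'foobar.uk.auth0.com', audience: 'https://test.foobar.app/api' }).problems);
```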