Can the 'iss' Parameter Be Excluded From the Redirect URL

Problem statement

When a user who is already logged in follows the create/reset password link, Auth0 redirects to the Application Login URI configured for the application. An iss parameter is appended to that redirect. Example:

https://domain/login?iss=https%3A%2F%2Fexample.auth0.com%2F

This URL triggers a configured Google Cloud Armor firewall rule (a third-party service) and the request is blocked with a 403. Instead of disabling that firewall rule, can the iss parameter be omitted?

Solution

The iss parameter cannot be omitted.

The iss value is a hint to the relying party (the application) so that the app can identify which OIDC identity provider is requesting the login and then start the authorization flow against that provider.

Refer to Initiating Login from a Third Party for more details.

In this instance, the firewall rule should be configured to ignore the iss value in the URL rather than blocking the request.
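The following is an added example of how the relying party's Application Login URI handler would consume the iss hint described above; it is not code from the article or from Auth0. It assumes a hypothetical application at https://domain/login, the tenant issuer https://example.auth0.com/ from the example URL, and placeholder client settings. The check that matters is the exact match of iss against an allowlist of trusted issuers: an application must not start a login against an issuer it does not already know, because the parameter is only a hint, not an authenticated value.

```python
"""Handle a third-party-initiated OIDC login request at the Application Login URI.

Added example, not from the Auth0 article. Trusted issuers, client settings
and the authorization endpoint below are placeholders/assumptions.
"""
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: the only issuer this relying party trusts. OIDC issuer identifiers
# are compared as exact strings, so no normalisation (e.g. trailing slash) is done.
TRUSTED_ISSUERS = {"https://example.auth0.com/"}

CLIENT_ID = "CLIENT_ID_PLACEHOLDER"        # placeholder, not a real client id
REDIRECT_URI = "https://domain/callback"   # hypothetical callback URI


def query_params(login_url: str) -> Dict[str, str]:
    """Return single-valued query parameters; a duplicated parameter is dropped."""
    raw = parse_qs(urlparse(login_url).query)
    return {k: v[0] for k, v in raw.items() if len(v) == 1}


def extract_iss(login_url: str) -> Optional[str]:
    """Return the iss hint from the login URL, or None if it is absent."""
    return query_params(login_url).get("iss")


def handle_login_request(login_url: str) -> Dict[str, str]:
    """Validate the iss hint and build the authorization request to redirect to.

    Returns the authorization URL plus the state and nonce the app must store
    in the session to validate the callback. Raises ValueError when iss is
    missing or not in the trusted set.
    """
    params = query_params(login_url)
    iss = params.get("iss")
    if iss is None:
        raise ValueError("missing iss parameter")
    if iss not in TRUSTED_ISSUERS:
        raise ValueError("untrusted issuer: %s" % iss)

    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    authz = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
    }
    # login_hint is an optional part of the third-party-initiated login request;
    # pass it through only to the provider that was just validated.
    if "login_hint" in params:
        authz["login_hint"] = params["login_hint"]

    # Assumption: in production the authorization endpoint comes from the
    # issuer's discovery document; for an Auth0 tenant it is <issuer>/authorize.
    authorize_url = iss.rstrip("/") + "/authorize?" + urlencode(authz)
    return {"authorize_url": authorize_url, "state": state, "nonce": nonce}


if __name__ == "__main__":
    # The URL from the article (constructed tenant name).
    result = handle_login_request(
        "https://domain/login?iss=https%3A%2F%2Fexample.auth0.com%2F")
    print(result["authorize_url"])
```

Because iss identifies the provider, the Cloud Armor rule that inspects this URL has no security reason to block it: the value is a well-formed https URL, and any abuse of it (pointing an application at an unknown issuer) is stopped by the allowlist check in the application itself.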