Exclude the 'iss' parameter from the Redirect URL

Problem statement

When a user who is already logged in to Auth0 opens a create/reset password link, Auth0 redirects the browser to the Application Login URI, and that redirect carries the iss parameter. Example:

https://shop.example.dev/login?iss=https%3A%2F%2Fexample.eu.auth0.com%2F

This URL triggers one of our Google Cloud Armor firewall rules and the request is blocked with a 403. We would rather not disable the firewall rule. Can we somehow omit the iss parameter?

Solution

The iss value is a hint to the relying party (the application): it carries the Issuer Identifier of the OpenID Provider that is initiating the login, so the application knows which OIDC identity provider to send the Authentication Request to. This is the third-party initiated login flow, in which iss is a required parameter, so it cannot be omitted.

Refer to Final: OpenID Connect Core 1.0 incorporating errata set 1, section 4 (Initiating Login from a Third Party), for more details.

Therefore, please configure the firewall to allow that parameter on the Application Login URI instead of disabling the rule. The application itself should still check that the iss value matches the issuer of the Auth0 tenant it trusts before it starts the login.
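Since the iss parameter has to reach the application, the application should validate it rather than trust it blindly. The following is an added example, not code from the article or from Auth0; it assumes Python and uses the tenant issuer and application origin from the URL above as constructed trusted values.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed example values: the issuer of the Auth0 tenant this app trusts
# and the origin of the app itself (taken from the URL in the problem statement).
TRUSTED_ISSUERS = {"https://example.eu.auth0.com/"}
APP_ORIGIN = "https://shop.example.dev"


def parse_login_initiation(url: str) -> dict:
    """Validate a third-party initiated login URL (OIDC Core 1.0, section 4).

    Returns the accepted parameters, or raises ValueError if the request
    should not start a login (unknown issuer, malformed iss, or a
    target_link_uri that would send the user off-site).
    """
    parts = urlsplit(url)
    # parse_qs percent-decodes, so iss=https%3A%2F%2F... becomes https://...
    query = parse_qs(parts.query, keep_blank_values=True)

    iss_values = query.get("iss", [])
    if len(iss_values) != 1:
        raise ValueError("iss is required and must appear exactly once")
    iss = iss_values[0]
    # Exact match against the configured issuer: no host-only or prefix matching,
    # so a look-alike issuer cannot be used to start a login with the wrong OP.
    if iss not in TRUSTED_ISSUERS:
        raise ValueError(f"unknown issuer: {iss}")

    accepted = {"iss": iss}

    login_hint = query.get("login_hint")
    if login_hint:
        accepted["login_hint"] = login_hint[0]

    # target_link_uri is optional; when present it must point back to this app,
    # otherwise the login endpoint would act as an open redirector.
    target = query.get("target_link_uri")
    if target:
        t = urlsplit(target[0])
        if f"{t.scheme}://{t.netloc}" != APP_ORIGIN:
            raise ValueError("target_link_uri must point back to this application")
        accepted["target_link_uri"] = target[0]

    return accepted
```

With the URL from the problem statement the function returns the decoded issuer, and the application can then send its Authentication Request to that tenant.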