Problem statement
When the create/reset password link is used to log in for a user that is already logged in to Auth0, it redirects to the Application Login URI value, which carries the iss parameter. Example:
https://shop.example.dev/login?iss=https%3A%2F%2Fexample.eu.auth0.com%2F
This URL triggers our Google Cloud Armor firewall rules and gets blocked with a 403. We would rather not disable the firewall rule. Can we somehow omit the iss parameter?
Solution
The iss value is a hint to the relying party (the application) so that the app can identify which OIDC identity provider is requesting the login; it cannot be omitted.
Refer to Final: OpenID Connect Core 1.0 incorporating errata set 1 for more details.
Therefore, please configure the firewall to ignore that value in the URL rather than blocking the request.
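As an added illustration (not code from the article or from Auth0), the following shows how a relying party can consume the iss hint on its login URI the way OIDC Core 1.0 section 4 (third-party initiated login) intends: the issuer is checked against a trusted allowlist before the app builds its own authorization request, and any target_link_uri is confined to the app's own host. The issuer, client ID and redirect URI are constructed placeholders.

```python
# Added example, not from the Auth0 article: relying-party handling of a
# third-party-initiated login request that arrives on the Application Login
# URI with an iss parameter. Issuer/client/redirect values are placeholders.
from urllib.parse import urlsplit, parse_qs, urlencode
import secrets

TRUSTED_ISSUERS = {"https://example.eu.auth0.com/"}   # constructed placeholder
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"                    # constructed placeholder
APP_HOST = "shop.example.dev"
REDIRECT_URI = f"https://{APP_HOST}/callback"


def normalize_issuer(iss: str) -> str:
    """Compare issuers with exactly one trailing slash so Auth0's
    'https://tenant.eu.auth0.com/' matches a configured value without it."""
    return iss.rstrip("/") + "/"


def parse_login_request(url: str) -> dict:
    """Extract iss (required), login_hint and target_link_uri from the
    percent-encoded query string Auth0 sends to the Application Login URI."""
    qs = parse_qs(urlsplit(url).query)
    iss = qs.get("iss", [None])[0]
    if not iss:
        raise ValueError("iss is required for third-party initiated login")
    target = qs.get("target_link_uri", [None])[0]
    # target_link_uri must point back into this app, or it becomes an open redirect.
    if target and urlsplit(target).netloc != APP_HOST:
        raise ValueError(f"target_link_uri not on {APP_HOST}: {target!r}")
    return {"iss": iss, "login_hint": qs.get("login_hint", [None])[0],
            "target_link_uri": target}


def build_authorize_url(login_url: str, state=None, nonce=None) -> str:
    """Reject untrusted issuers, then start the app's own authorization
    request at that issuer's /authorize endpoint."""
    params = parse_login_request(login_url)
    iss = normalize_issuer(params["iss"])
    if iss not in TRUSTED_ISSUERS:
        raise PermissionError(f"untrusted issuer {iss!r}")
    query = {"response_type": "code", "client_id": CLIENT_ID,
             "redirect_uri": REDIRECT_URI, "scope": "openid profile",
             "state": state or secrets.token_urlsafe(16),
             "nonce": nonce or secrets.token_urlsafe(16)}
    if params["login_hint"]:
        query["login_hint"] = params["login_hint"]
    return iss + "authorize?" + urlencode(query)
```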