Forbidden from Cloudflare using custom domain during jwt decoding

Hello!

I am following the Spring Security 5 Java API: Authorization tutorial located at (Auth0 Spring Boot API SDK Quickstarts: Authorization).

I was able to implement and everything WORKS, EXCEPT when I use my custom domain.

The API configured as resource server fails when getting information from https://custom-domain/.well-known/jwks.json during JWT decoding.

Inspecting the logs we find (I masked my custom domain):

2021-01-30 20:37:09.265 DEBUG 26468 --- [nio-8080-exec-9] o.s.web.client.RestTemplate : HTTP GET https://my-custom-domain/.well-known/jwks.json

2021-01-30 20:37:09.265 DEBUG 26468 --- [nio-8080-exec-9] o.s.web.client.RestTemplate : Accept=[text/plain, application/json, application/*+json, */*]

2021-01-30 20:37:09.466 DEBUG 26468 --- [nio-8080-exec-9] s.n.www.protocol.http.HttpURLConnection : sun.net.www.MessageHeader@7a8fd0665 pairs: {GET /.well-known/jwks.json HTTP/1.1: null}{Accept: application/json, application/jwk-set+json}{User-Agent: Java/11}{Host: <CUSTOM_DOMAIN>}{Connection: keep-alive}

2021-01-30 20:37:09.499 DEBUG 26468 --- [nio-8080-exec-9] s.n.www.protocol.http.HttpURLConnection : sun.net.www.MessageHeader@3f8d51537 pairs: {null: HTTP/1.1 403 Forbidden}{Server: cloudflare}{Date: Sat, 30 Jan 2021 22:37:09 GMT}{Content-Type: text/html}{Content-Length: 151}{Connection: keep-alive}{CF-RAY: 619ead07b8f2f663-GRU}

2021-01-30 20:37:09.499 DEBUG 26468 --- [nio-8080-exec-9] o.s.web.client.RestTemplate : Response 403 FORBIDDEN

The problem appears to be related to Cloudflare refusing something the Java client is sending through headers. But why is it okay with the original Auth0 domain? I am not using Cloudflare; the only reference to Cloudflare I see is that maybe Auth0 does SSL termination on Cloudflare (I see the custom domain certificate is related)? And why only with the Java Spring Security library? I saw some other posts over the Internet suggesting that the “User-Agent” header could be missing during the request or could be denied for being named “Java/Version”. But that does not appear to be the case. If I test outside the Java application (i.e. using Postman) it works, even specifying the user agent as Java/11.

The only way I was able to reproduce the problem was specifying an invalid “Host” header in Postman (an IP for example). But again, it works with the custom domain using Postman.

The only thing I can think of is that something is changing during the Java client request, but what?

Update:
NOTE-1: I tried to use a local dev IDP (Keycloak) just to serve as a dummy location using HTTP (not HTTPS) to be able to inspect packets with Wireshark. The Host header is being sent correctly to the IDP and matches the issuer-uri when using.

NOTE-2: Another observation/reminder is that, using the custom domain, the application starts correctly and indeed pulls its information from https://my-custom-domain/.well-known/openid-configuration without any issues. The problem is only when trying to pull https://my-custom-domain/.well-known/jwks.json (for which I then receive a 403 Forbidden from Cloudflare).

This is such a downer, since everything is working just fine. I really wish I could use my custom domain.

Is anyone experiencing a similar problem when following the aforementioned tutorial?

Thanks in advance!
Luiz Eduardo Giampaoli
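A small diagnostic for the exchange quoted in this post, added here as an example and not code from the post, Auth0 or Spring: it parses the JDK's HttpURLConnection header dump into the request line and headers, summarises the 403, and can replay the same request so the openid-configuration and jwks.json responses can be compared side by side. The replay base URL is an assumption the reader supplies.

```python
# Added example (not the post's code): parse the JDK MessageHeader dump quoted above and replay it.
import re
import urllib.error
import urllib.request
from typing import Dict, Tuple

# Constructed sample input: the two HttpURLConnection debug lines quoted in the post.
REQUEST_LOG = ("sun.net.www.MessageHeader@7a8fd0665 pairs: {GET /.well-known/jwks.json HTTP/1.1: null}"
               "{Accept: application/json, application/jwk-set+json}{User-Agent: Java/11}"
               "{Host: <CUSTOM_DOMAIN>}{Connection: keep-alive}")
RESPONSE_LOG = ("sun.net.www.MessageHeader@3f8d51537 pairs: {null: HTTP/1.1 403 Forbidden}"
                "{Server: cloudflare}{Date: Sat, 30 Jan 2021 22:37:09 GMT}{Content-Type: text/html}"
                "{Content-Length: 151}{Connection: keep-alive}{CF-RAY: 619ead07b8f2f663-GRU}")

# One '{key: value}' group; the key is non-greedy so 'Date: Sat, 30 Jan ...' splits only once.
PAIR = re.compile(r"\{([^{}]*?): ([^{}]*)\}")


def parse_message_header(line: str) -> Tuple[str, Dict[str, str]]:
    # JDK prints the request line as '{GET /path HTTP/1.1: null}', the status line as '{null: ...}'.
    start, headers = "", {}
    for key, value in PAIR.findall(line):
        if value == "null":
            start = key
        elif key == "null":
            start = value
        else:
            headers[key] = value
    return start, headers


def diagnose(request_log: str, response_log: str) -> Dict[str, object]:
    req_line, req = parse_message_header(request_log)
    status_line, resp = parse_message_header(response_log)
    return {
        "path": req_line.split()[1],
        "user_agent": req.get("User-Agent"),
        "status": int(status_line.split()[1]),
        # 'Server: cloudflare' shows the reply passed through the CDN edge; the headers alone
        # do not say whether the edge or the origin produced the 403, hence the replay below.
        "via_cloudflare": resp.get("Server", "").lower() == "cloudflare",
    }


def replay(base_url: str, request_log: str) -> int:
    # Network replay with the JVM's Accept/User-Agent; base_url is assumed (e.g. 'https://my-custom-domain').
    req_line, headers = parse_message_header(request_log)
    keep = {k: v for k, v in headers.items() if k not in ("Host", "Connection")}  # set from the URL
    request = urllib.request.Request(base_url + req_line.split()[1], headers=keep)
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
```

Running `replay` once for `/.well-known/openid-configuration` and once for `/.well-known/jwks.json` with the same headers isolates whether the path, rather than the client, triggers the 403.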