Problem statement
During an Actions Redirect flow, when the application redirects back to Auth0’s /continue
endpoint with a JWT, Auth0 gives the following error:
Missing or invalid standard claims
Symptoms
- This happens during the return of an Actions Redirect flow
- A JWT is present in the /continue request
- The onContinuePostLogin method in the Action includes a call to api.redirect.validateToken()
Cause
This is caused by a mandatory claim missing from the JWT body.
Solution
When an application generates the JWT to be sent to Auth0 after the redirect, make sure the following claims are present in the token payload:
- iat (Unix timestamp)
- exp (Unix timestamp - set this to at least 1 minute beyond the creation time)
- sub (Must match the user_id of incoming token’s sub)
- iss
- state (Must match state sent by Auth0 during redirect)
Some standard claims like iat will be implicitly added by some JWT libraries.
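A pre-flight check for the claim list above, written as an added example that is not part of the original article or of Auth0's code: the application checks its own payload against the five mandatory claims before signing, so a missing claim is caught on the application side instead of surfacing as the error at /continue. HS256 signing with a shared secret, the function names, the issuer URL and all sample values are assumptions of this example.

```javascript
const crypto = require("crypto");

const b64url = (v) => Buffer.from(v).toString("base64url");

// Claims the article lists as mandatory for the token sent back to /continue.
const REQUIRED = ["iat", "exp", "sub", "iss", "state"];

// Returns a list of problems; an empty list means the payload passes this check.
// `incoming` holds the sub and state the application received from Auth0 on the redirect.
function checkReturnClaims(payload, incoming) {
  const problems = REQUIRED
    .filter((c) => payload[c] === undefined || payload[c] === "")
    .map((c) => `missing ${c}`);
  for (const c of ["iat", "exp"]) {
    if (payload[c] !== undefined && !Number.isInteger(payload[c])) {
      problems.push(`${c} is not an integer Unix timestamp`);
    }
  }
  if (Number.isInteger(payload.iat) && Number.isInteger(payload.exp) &&
      payload.exp - payload.iat < 60) {
    problems.push("exp is less than 1 minute after iat");
  }
  if (payload.sub !== undefined && payload.sub !== incoming.sub) problems.push("sub mismatch");
  if (payload.state !== undefined && payload.state !== incoming.state) problems.push("state mismatch");
  return problems;
}

// Builds and signs the return token (HS256 with a shared secret is an assumption here).
function buildReturnToken(incoming, issuer, secret, extra = {}, now = Math.floor(Date.now() / 1000)) {
  const payload = { ...extra, iat: now, exp: now + 120, sub: incoming.sub, iss: issuer, state: incoming.state };
  const problems = checkReturnClaims(payload, incoming);
  if (problems.length) throw new Error(`refusing to sign: ${problems.join(", ")}`);
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac("sha256", secret).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

// Constructed sample values, not taken from a real tenant.
const sampleIncoming = { sub: "auth0|constructed-user-id", state: "constructed-state-value" };
const sampleToken = buildReturnToken(
  sampleIncoming, "https://app.example.test", "constructed-shared-secret", {}, 1700000000);
```

Running checkReturnClaims on the decoded payload of a token that was rejected shows which of the listed claims is absent or mismatched.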