Getting Error of "Missing or invalid standard claims" during Actions Redirect

Problem statement

During an Actions Redirect flow, when the application redirects back to Auth0’s /continue endpoint with a JWT, Auth0 gives the following error:

Missing or invalid standard claims

Symptoms

  • This happens during the return of an Actions Redirect flow
  • A JWT is present in the /continue request
  • The onContinuePostLogin method in the Action includes a call to api.redirect.validateToken()

Cause

This is caused by a mandatory claim missing from the JWT body.

Solution

When an application generates the JWT to be sent to Auth0 after the redirect, make sure the following claims are present in the token payload:

  • iat (Unix timestamp)
  • exp (Unix timestamp - set this to at least 1 minute beyond the creation time)
  • sub (Must match the user_id of the incoming token’s sub)
  • iss
  • state (Must match state sent by Auth0 during redirect)

Some standard claims like iat will be implicitly added by some JWT libraries.