Thanks for pointing me in that direction. After reviewing the suggestions in the post, I ended up with the following for my Go API .env file:
# The URL of our Auth0 Tenant Domain.
AUTH0_TENANT='dev-my-auth-domain.us.auth0.com'
# If you're using a Custom Domain, be sure to set this to that value instead.
AUTH0_DOMAIN='auth.my-custom-domain.com'
# Our Auth0 API's Identifier.
AUTH0_AUDIENCE='https://dev-my-auth0-domain.us.auth0.com/api/v2/'
TOKEN_AUDIENCE='https://dev-api.my-custom-domain.com/'
...
Deviating from the quickstart sample, I added the TOKEN_AUDIENCE and use that value in the EnsureValidToken() function:
func EnsureValidToken() func(next http.Handler) http.Handler {
	// With a custom domain the issuer is that domain, with a trailing slash.
	issuerURL, err := url.Parse("https://" + os.Getenv("AUTH0_DOMAIN") + "/")
	if err != nil {
		log.Fatalf("[ERROR] Failed to parse the issuer url: %v", err)
	}

	// Fetch and cache the signing keys from the issuer's JWKS endpoint.
	provider := jwks.NewCachingProvider(issuerURL, 5*time.Minute)

	// Accept only RS256 tokens whose iss and aud match our configuration.
	jwtValidator, err := validator.New(
		provider.KeyFunc,
		validator.RS256,
		issuerURL.String(),
		[]string{os.Getenv("TOKEN_AUDIENCE")},
		validator.WithCustomClaims(
			func() validator.CustomClaims {
				return &CustomClaims{}
			},
		),
		validator.WithAllowedClockSkew(30*time.Minute), // Increase the allowed clock skew
	)
...
The reason I made those changes was that, after interrogating the returned aud from the tokens during the various JWT exchanges, I was able to match the expected audience values and successfully authenticate protected endpoints in my API utilizing my custom auth domain.
Thanks for the help.
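As an added example (not code from this post or from go-jwt-middleware), the standard-library Go helper below replays the issuer and audience matches the validator above performs, so a rejected token can be traced to the exact claim that is off. It assumes the domain and audience values from the .env above and a constructed demo token with a dummy signature segment; it does not verify signatures, which remains the validator's job.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// CheckIssuerAudience replays the two matches validator.New enforces: iss must equal
// "https://"+domain+"/" byte for byte (trailing slash included) and aud must contain
// the API identifier. It reads the payload WITHOUT verifying the signature: debug aid only.
func CheckIssuerAudience(token, domain, wantAud string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("not a compact JWS")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return err
	}
	var c struct {
		Iss string      `json:"iss"`
		Aud interface{} `json:"aud"` // RFC 7519: one string or an array of strings
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return err
	}
	if want := "https://" + domain + "/"; c.Iss != want {
		return fmt.Errorf("iss %q does not match %q", c.Iss, want)
	}
	auds, ok := c.Aud.([]interface{})
	if !ok { // a lone string aud is valid too
		auds = []interface{}{c.Aud}
	}
	for _, a := range auds {
		if a == wantAud {
			return nil
		}
	}
	return fmt.Errorf("aud %v does not contain %q", auds, wantAud)
}

// ConstructedToken builds a demo token (constructed here, dummy signature segment).
func ConstructedToken(iss string, aud []string) string {
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(map[string]interface{}{"iss": iss, "aud": aud})
	return enc(hdr) + "." + enc(body) + ".c2ln"
}
```

Running the check against the token your client actually sends shows whether the issuer (tenant domain versus custom domain) or the audience (management API URL versus TOKEN_AUDIENCE) is the mismatch before any validator settings are changed.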