Thank you for your patience.
After collaborating with my colleagues on this one, we concluded that the 403 error is happening because of your add-permissions-to-id-token Action script as provided in your error log, more specifically the "rejecting request with JWT token signed with untrusted key" error message.
After testing the script on my side, I could not reproduce the same errors and suspect that it may involve the values set in your script's event.secrets for the domain, clientId, and clientSecret. Because of this, could you please make sure that these values are correct?
Adding on, I noticed that your tenant does not have a separate Machine-to-Machine application created that is linked to the Management API with the necessary scopes. As a good practice, we recommend creating a separate M2M app with only the necessary Management API scopes to limit the permissions of the access token in the event that a malicious actor gains access. This helps improve the security of our applications by granting only the permissions that we need.
Lastly, I recommend checking out our "How can I use the Management API in Actions?" FAQ for more instructions.
Please let me know how this goes for you.
Thanks,
Rueben
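The pattern the reply describes, as an added example that is not the poster's Action, Rueben's code or the Auth0 FAQ code: a post-login Action that reads the domain, clientId and clientSecret of a dedicated M2M application from event.secrets, fails early if any of them is blank, exchanges them for a Management API token with the client-credentials grant against the same tenant (audience https://<domain>/api/v2/), reads the user's permissions from the Management API's user-permissions endpoint (which needs only the read:users scope on the M2M app) and writes them to a namespaced ID-token claim. The secret names follow the reply; the claim namespace https://example.com/permissions, the helper names and the injectable fetchImpl parameter (so the logic can be exercised offline with a stub) are assumptions of this example.

```javascript
// Added example: Auth0 post-login Action skeleton (not the original poster's
// script). Assumes three Action secrets named domain, clientId and
// clientSecret, belonging to an M2M application authorized for the
// Management API with only the read:users scope.

// Fail early with a precise message when a required secret is missing or
// blank, so a misconfigured secret shows up as a configuration error instead
// of as a 401/403 from the Management API later on.
function requireSecrets(secrets, names) {
  const missing = names.filter(
    (n) => !secrets || typeof secrets[n] !== "string" || secrets[n].trim() === ""
  );
  if (missing.length) {
    throw new Error(`Missing Action secrets: ${missing.join(", ")}`);
  }
  return Object.fromEntries(names.map((n) => [n, secrets[n].trim()]));
}

// Client-credentials exchange at the tenant's own /oauth/token endpoint.
// The audience is the Management API identifier of the SAME tenant; a token
// issued by another issuer is not accepted by this tenant's Management API.
async function getManagementToken({ domain, clientId, clientSecret }, fetchImpl) {
  const res = await fetchImpl(`https://${domain}/oauth/token`, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify({
      grant_type: "client_credentials",
      client_id: clientId,
      client_secret: clientSecret,
      audience: `https://${domain}/api/v2/`,
    }),
  });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  const body = await res.json();
  if (!body.access_token) throw new Error("token response has no access_token");
  return body.access_token;
}

// GET /api/v2/users/{id}/permissions, requiring the read:users scope.
// A 403 here means the API rejected the bearer token; the error text says so
// rather than silently returning an empty list.
async function getUserPermissions(domain, token, userId, fetchImpl) {
  const url = `https://${domain}/api/v2/users/${encodeURIComponent(userId)}/permissions`;
  const res = await fetchImpl(url, { headers: { authorization: `Bearer ${token}` } });
  if (!res.ok) {
    throw new Error(`permissions request failed: HTTP ${res.status} (check that the ` +
      `secrets point at this tenant and the M2M app has read:users)`);
  }
  const perms = await res.json();
  return perms.map((p) => p.permission_name).sort();
}

// Action entry point. fetchImpl defaults to the runtime's global fetch; tests
// inject a stub. Returns the claim value so callers can check it.
async function onExecutePostLogin(event, api, fetchImpl = globalThis.fetch) {
  const secrets = requireSecrets(event.secrets, ["domain", "clientId", "clientSecret"]);
  const token = await getManagementToken(secrets, fetchImpl);
  const permissions = await getUserPermissions(
    secrets.domain, token, event.user.user_id, fetchImpl
  );
  // Custom claims must be namespaced; the namespace here is an assumption.
  api.idToken.setCustomClaim("https://example.com/permissions", permissions);
  return permissions;
}

// In the Action editor the handler is exported this way (guarded so the file
// also loads as an ES module).
if (typeof exports !== "undefined") exports.onExecutePostLogin = onExecutePostLogin;
```

If the permissions call still returns 403 after the secrets are verified, the thing to compare is the tenant in the domain secret against the tenant that issued the token and the Management API scopes granted to that M2M application; keeping the application limited to read:users means a leaked token cannot be used for anything beyond reading users.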