How to change my issuer for existing users

Hi!

When we started we just had users in our dev application and we set the issuer to auth.abc.com. Recently we added client grants and the issuer is different: abc.auth0.com.
Now, when validating access tokens if we set the issuer to auth.abc.com then clients won’t work, and if we set the issuer to abc.auth0.com users won’t work. So we are running into the issue we cannot validate tokens for both users and clients.

I can think of two ways to solve this, which brings about two questions.

  1. Update existing users to abc.auth0.com. (Preferred) How would we do that?
  2. Validate tokens against multiple issuers. How would we do that using the SDKs (java)?

Hi @MikeP,

welcome to the Community.

1. Can you clarify what you mean by “updating users”? User profiles (see Auth0 Dashboard > Users > User Details > Raw JSON) don’t contain an issuer. Do you instead mean you want to update existing ID tokens or Access Tokens?

2. Which SDK are you using, because there are multiple ones for Java. Do you mean this one?
Do you have a code snippet of how you’re currently verifying one audience?

Something like this?

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;

JWTVerifier verifier = JWT.require(algorithm) // algorithm: the Algorithm for the tenant's signing key
    .withIssuer("abc.auth0.com")
    .build();

Are you bound to a specific one, such as GitHub - auth0/java-jwt: Java implementation of JSON Web Token (JWT), or any? Using plain Java, or Spring Security?

Hi @mathiasconradt,

  1. I want to update the issuer in the access token from auth.abc.com to abc.auth0.com so that when new access tokens are generated for users the updated issuer is provided.

  2. Yes, we are using the JWT library Auth0 has. The question is how do we check against multiple issuers? In JWT.require(algorithm).withIssuer("abc.auth0.com") there is no withIssuers("abc.auth0.com", "auth.abc.com").

Hi @MikeP,

  1. Updating an existing access token (or refresh token) isn’t possible. Also, a refresh token from one issuer cannot ask for an access token from another issuer. So, you would need to make an entirely new authorization request against that new domain that you want to use and which shall be the issuer.

  2. Why not simply create two verifiers, one for each issuer, and check against both? Maybe not most elegant, but a way.
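
A worked version of that two-verifier idea, added here as an example; it is not code from either poster or from the java-jwt project. It assumes java-jwt's JWT, JWTVerifier and Algorithm classes, a hypothetical MultiIssuerVerifier helper, a constructed audience value, and that both hostnames are served by the same tenant and therefore the same signing key:

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.security.interfaces.RSAPublicKey;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical helper: accepts tokens only from a fixed allow-list of issuers. */
public final class MultiIssuerVerifier {

    private final Map<String, JWTVerifier> verifiersByIssuer = new HashMap<>();

    /**
     * One verifier per trusted issuer. Each is bound to the algorithm/key that
     * issuer signs with and to this API's audience, so a token from any other
     * issuer never matches a verifier.
     */
    public MultiIssuerVerifier(Algorithm algorithm, String audience, String... issuers) {
        for (String issuer : issuers) {
            verifiersByIssuer.put(issuer, JWT.require(algorithm)
                    .withIssuer(issuer)      // exact match on the "iss" claim
                    .withAudience(audience)  // still pin the API identifier
                    .build());
        }
    }

    /** Returns the verified token, or throws if signature, exp, iss or aud fail. */
    public DecodedJWT verify(String token) {
        // JWT.decode only parses; nothing is trusted yet. The unverified "iss" is
        // used solely to pick which verifier to run; that verifier re-checks it.
        String iss = JWT.decode(token).getIssuer();
        JWTVerifier verifier = iss == null ? null : verifiersByIssuer.get(iss);
        if (verifier == null) {
            throw new JWTVerificationException("Untrusted issuer: " + iss);
        }
        return verifier.verify(token); // signature, expiry, issuer and audience checked here
    }

    /** Wiring with the two issuer strings from this thread (audience is constructed). */
    public static MultiIssuerVerifier forApi(RSAPublicKey tenantPublicKey) {
        // Assumption: both hostnames publish the same RSA key, so one Algorithm serves both.
        return new MultiIssuerVerifier(
                Algorithm.RSA256(tenantPublicKey, null),
                "https://api.example.com",
                "abc.auth0.com", "auth.abc.com");
    }
}
```

Newer java-jwt releases also accept several issuers in a single call through the varargs withIssuer(String...) overload; check the version in use before relying on it.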

@mathiasconradt

  1. I am asking how to update the issuer so that new access token requests have the correct issuer.
     Do I have to recreate users against a new issuer (which I can’t really do) or can I just update the issuer?
  2. That is an approach, and yes, not very elegant.

Just to confirm, because so far I just made assumptions for myself:

abc.auth0.com and auth.abc.com are both pointing to the same authorization server, which is Auth0, right? So, auth.abc.com is just a CNAME for abc.auth0.com, is that correct, or not the case?

IF it’s the case, then: you can keep the users. Just next time when you make an authorization request from that user, you’d point that to the authorization endpoint of the new issuer. So, instead of https://abc.auth0.com/authorize it would be https://auth.abc.com/authorize - this way the returned token gets the correct issuer.