Implicit grant custom domain: identitity provider login returns auth0 domain iss

daviddw · August 2, 2018, 1:25pm

I am in the process of switching to a custom domain for our SPA with implicit grant authorization method, using auth0-js v9.7.2. Authentication on auth0 domain works fine with username/password as well as identity providers. However when using the custom domain it seems that the token issuer value differs when attempting to login via an identity provider, so username/password still works, but via identity provider I get the following error:

{error: “invalid_token”, errorDescription: “Issuer https://mydomain.eu.auth0.com/ is not valid.”}

Explicitly setting the token issuer by adding __token_issuer: ‘https://mydomain.eu.auth0.com/’ as an option resolves the issue for authentication via identity provider, but then introduces a similar error for username/password authentication stating:

{error: “invalid_token”, errorDescription: “Issuer https://login.mydomain.com/ is not valid.”}

Due to this, I can not get both authentication methods functioning via a custom domain at the same time. The document on Custom Domains states that the iss claim should always be the domain via which the request was done, but this does not appear to be the case here.

lucasdchamps · February 20, 2019, 3:11pm

Hello, I’m having the exact same problem. Did you find a solution?

konrad.sopala · August 29, 2019, 11:55am

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?

daviddw · August 29, 2019, 2:39pm

Hi @lucasdchamps and @konrad.sopala, we eventually figured this out: in order for this to work, we resolved this by configuring the Google social connection with our own credentials. By default the Google social connection uses auth0 default development credentials, but these do not seem to work for some reason in an implicit grant authorization with a custom domain, if you want simultaneously username/password and social login.

This doesn’t seem to be stated anywhere in the documentation, took us quite a while to figure it out.

konrad.sopala · August 29, 2019, 3:05pm

Gotchya! Thanks a lot for providing that feedback, will relay it to appropriate team and get it implemented!

Topic		Replies	Views
Changing issuer value in JWT when account is accessed using custom domain Help login-experience , new-universal-login-experience	4	847	March 22, 2024
Invalid Issuer, with a custom domain Help configuration , application	3	2615	July 7, 2023
Issuer mismatch in ID token Knowledge Articles custom-domain , id-token , canonical-domain , issuer	1	2632	October 4, 2022
Invalid ID token: Issuer (iss) claim mismatch in the ID token Help login-experience , signup-prompt-new-experience	3	4441	May 27, 2023
Custom domains failing with iss issue Help custom-domain	2	3265	July 15, 2022

Implicit grant custom domain: identitity provider login returns auth0 domain iss

Related Topics