Intermittent "OIDC discovery endpoint communication error" when using JWT Authorizer with AWS HTTP API

Hi,

I am having an intermittent error when using Auth0 with an AWS HTTP API. I have a JWT Authorizer on each of the endpoints for my API, with different Authorization scopes for each. I’m getting a frustrating error in the single-page application: intermittent 401 errors.
The www-authenticate response header provides some clues, but not much.

Bearer scope="manage:users modules:*" error="invalid_token" error_description="OIDC discovery endpoint communication error"

I can’t seem to find a pattern for why the error is occurring sometimes and not other times.

Any help would be very much appreciated!


I am experiencing the same issue. Unable to replicate it manually or find patterns in relation to when it occurs. Have you found anything since making this post @windsor114 ?


Yes I have! The JWT Authorizer on AWS seems to have an undocumented timeout. Occasionally reaching out to fetch the public key from auth0 times out and the request to the API fails. Super annoying. I ended up using a custom authorizer with lambda. I copied the public key from Auth0 and use a jwt library to check tokens against that public key. I believe there’s a setting in Auth0 where you can prevent the signing keys rotating, otherwise you can periodically fetch the public keys in the lambda and store them somewhere on the AWS side.

This was the only way around the problem for me.

My app just experienced this issue on-and-off for the majority of the afternoon. I’m definitely going to be looking at building a custom authorizer so I can have more visibility and control over this issue.

FWIW I get two intermittent errors: “OIDC discovery endpoint communication error” and “JWKS communication error”. It’s super frustrating that this is still an issue.

Should be noted this seems to be an AWS side issue.

API Gateway has the timeouts for Authorizers documented here: Amazon API Gateway quotas and important notes - Amazon API Gateway

The timeout is 1500ms for both OIDC and JWKS endpoints.

IMO I would say that if the Auth0 endpoints are consistently taking more than 1500ms, that’s an Auth0 issue. That being said, it would be nice if AWS allowed you to increase the timeout, but I understand why they don’t. Auth0 should be able to provide a JWKS/OIDC endpoint that responds in a deterministic amount of time.

Thank you for finding that documentation and linking it here. The symptoms of auth failure I am having are identical to yours. Sometimes JWKS failure, and other times OIDC failure. Spent the afternoon working on a custom authorizer and it wasn’t too bad, luckily.

@chad.holmes Did you end up implementing something like this? https://auth0.com/docs/customize/integrations/aws/aws-api-gateway-custom-authorizers#create-the-custom-authorizers

I am recently encountering this issue as well. About 5% of our requests are (seemingly) randomly returning 401s due to “OIDC discovery endpoint communication error” or “JWKS communication error”. Need a solution.

@chad.holmes, mind sharing your custom authorizer?

@patrick.gold @matt20 sent you both a message including a snippet of how I set up the custom authorizer. Went as simple as possible only verifying using the JWT package and not necessarily using Auth0 to verify.


@chad.holmes I’m experiencing the exact same problem since a few days ago. I’m not sure what’s wrong since only my production environment with a custom domain seems to be failing.

If you can, please also send me the code you are using for your custom authorizer. Thank you!