I am having an intermittent error when using Auth0 with an AWS HTTP API. I have a JWT Authorizer on each of the endpoints for my API, with different Authorization scopes for each. I’m getting a frustrating error in the single-page application, intermittent 401 errors. The
The www-authenticate response header provides some clues, but not much.
Bearer scope="manage:users modules:*" error="invalid_token" error_description="OIDC discovery endpoint communication error"
I can’t seem to find a pattern for why the error is occurring sometimes and not other times.
I am experiencing the same issue. Unable to replicate it manually or find patterns in relation to when it occurs. Have you found anything since making this post @windsor114 ?
Yes I have! The JWT Authorizer on AWS seems to have an undocumented timeout. Occasionally reaching out to fetch the public key from auth0 times out and the request to the API fails. Super annoying. I ended up using a custom authorizer with lambda. I copied the public key from Auth0 and use a jwt library to check tokens against that public key. I believe there’s a setting in Auth0 where you can prevent the signing keys rotating, otherwise you can periodically fetch the public keys in the lambda and store them somewhere on the AWS side.
My app just experienced this issue on-and-off for the majority of the afternoon. I’m definitely going to be looking at building a custom authorizer so I can have more visibility and control over this issue.
FWIW I get two intermittent errors: “OIDC discovery endpoint communication error” and “JWKS communication error”. It’s super frustrating that this is still an issue.
The timeout is 1500ms for both OIDC and JWKS endpoints.
IMO I would say that if the Auth0 endpoints are consistently taking more than 1500ms, that’s an Auth0 issue. That being said, it would be nice if AWS allowed you to increase the timeout, but I understand why they don’t. Auth0 should be able to provide a JWKS/OIDC endpoint that responds in a deterministic amount of time.
Thank you for finding that documentation and linking it here. The symptoms of auth failure I am having are identical to yours. Sometimes JWKS failure, and other times OIDC failure. Spent the afternoon working on a custom authorizer and it wasn’t too bad, luckily.
I am recently encountering this issue as well. About 5% of our requests are (seemingly) randomly returning 401s due to “OIDC discovery endpoint communication error” or “JWKS communication error”. Need a solution.
@patrick.gold @matt20 sent you both a message including a snippet of how I set up the custom authorizer. Went as simple as possible, only verifying using the JWT package and not necessarily using Auth0 to verify.
@chad.holmes I’m experiencing the exact same problem since a few days ago. I’m not sure what’s wrong since only my production environment with a custom domain seems to be failing.
If you can, please also send me the code you are using for your custom authorizer. Thank you!