?iss= after logout causes login form to re-render instead of completing login — only with Custom Domain, resolves after some time

aravind.ps · June 3, 2026, 4:59am

Setup

Angular SPA, auth0-spa-js v1.13.6, New Universal Login
Custom domain with OIDC proxy behind it
initiate_login_uri set to <APP_URL>/login

The problem

After logout + re-login immediately:

User submits credentials on the Auth0 login form
Instead of redirecting back to the app with ?code=&state=, the browser receives:
```
<APP_URL>/?iss=https://<CUSTOM_DOMAIN>/
```
Angular app loads, LoginComponent fires loginWithRedirect() again
The Auth0 login form re-renders — user has to log in a second time
On the second attempt it usually succeeds and lands on /policies

However — if the user waits a few minutes after logout and then tries to login, the issue does not occur. Login completes in one attempt as expected.

This never happens with the standard tenant domain (xxx.eu.auth0.com) regardless of timing.

What we have tried — none fully resolved it

Removed / blanked initiate_login_uri → no effect
prompt: 'login' + max_age: 0 on loginWithRedirect() → reduces frequency, not eliminated
federated: true on logout() → helps but issue still occurs immediately after logout
Passing iss back in subsequent loginWithRedirect() → intermittent improvement
Clearing browser cookies for custom domain → fixes it temporarily

Key observations

Issue is timing dependent — happens immediately after logout, not after a wait. Suggests a stale session or token in the OIDC proxy that takes time to expire/clear
?iss= lands on app root (/?iss=), not /login?iss= — suggests the OIDC proxy behind the custom domain generates it, not Auth0’s initiate_login_uri
prompt=login does not suppress the ?iss= redirect — proxy appears to ignore it
Opening the login URL in a second browser window during an active login reliably triggers the issue

Questions

Is the ?iss= redirect caused by a stale session in the OIDC proxy not yet cleared after federated: true logout?
Why does this only happen with the custom domain and not the standard tenant domain?
Is the OIDC proxy behind the custom domain responsible for generating ?iss=, not Auth0 itself?
Is there a way to force the proxy session to clear immediately on logout rather than waiting for natural expiry?
Does upgrading to auth0-spa-js v2.x resolve this?

Topic		Replies	Views
Custom domain - login.us.auth0.com redirectors to tenant.us.auth0.com and fails Get Help bug , spa , custom-domain	2	1944	December 27, 2024
New Universal Login — SPA redirects back to login page immediately after successful authentication Get Help login-experience , new-universal-login-experience	1	18	May 29, 2026
Universal Login goes directly to OTP Get Help auth0 , login	3	2309	December 21, 2022
Custom domains auth redirects to login page Get Help login-experience , new-universal-login-experience	2	806	September 11, 2023
I created a new tenant and set up it's domain, but I am redirected to old tenant's domain when I log in Get Help auth0 , login	2	1974	February 8, 2022

?iss= after logout causes login form to re-render instead of completing login — only with Custom Domain, resolves after some time

Related topics