Issuer difference between access token and session token

asauray · September 22, 2023, 2:42pm

Hi, I have a question regarding the content of the “iss” field on access tokens.

In practice, it appears to be https://{{tenant}}.{{region}}.auth0.com when the access token is obtained via the Auth0 login process.

I recently experimented with the post login actions, and generated a token to pass information securely to an application, following this post: Login Flow

const token = api.redirect.encodeToken({
    secret: event.secrets.MY_SHARED_SECRET,
    payload: {
      email: event.user.email,
    },
  });

It appears that token created contains an issuer which is not an absolute URI but the domain name: {{tenant}}.auth0.com instead of https://{{tenant}}.{{region}}.auth0.com

Is that an expected behaviour ? why is the issuer different ?

Topic		Replies	Views
Changing issuer value in JWT when account is accessed using custom domain Help login-experience , new-universal-login-experience	4	900	March 22, 2024
Invalid ID token: Issuer (iss) claim mismatch in the ID token Help login-experience , signup-prompt-new-experience	3	4582	May 27, 2023
Issuer mismatch in ID token Knowledge Articles custom-domain , id-token , canonical-domain , issuer	1	2637	October 4, 2022
A (most likely) simple question about iss Help user-management , user-password-management	3	621	March 1, 2024
Implicit grant custom domain: identitity provider login returns auth0 domain iss Help jwt , auth0 , login	5	3883	August 29, 2019

Issuer difference between access token and session token

Related Topics