Issuer mismatch in ID token

lihua.zhang · October 4, 2022, 5:12pm

Problem Statement

The issuer of the ID token is the Canonical Domain. We want the Custom Domain.

Token object:

{
   ...,
   iss: https://tenant.us.auth0.com/,
}

Troubleshooting

Check iss property inside the payload of the ID token with jwt.io
Check Custom Domain configuration
Check Allowed Web Origins and Allowed Origins (CORS)

Cause

The /authorize call is made from the canonical domain so it’s placed as the issuer. Also, this could happen with /oauth/token endpoint requests.

Solution

Auth0 issues tokens with the iss claim of whichever domain you used with the request. For example, if you used https://tenant.us.auth0.com/authorize… to obtain an Access Token, the iss claim of the token you receive will be https://tenant.us.auth0.com/. If you used your custom domain https://your.domain.com/authorize…, the iss claim value will be https://your.domain.com/.

Topic		Replies	Views
Changing issuer value in JWT when account is accessed using custom domain Help login-experience , new-universal-login-experience	4	900	March 22, 2024
Invalid ID token: Issuer (iss) claim mismatch in the ID token Help login-experience , signup-prompt-new-experience	3	4582	May 27, 2023
Invalid ID token: Issuer (iss) claim mismatch in the ID token on Wordpress Help wordpress	4	4345	August 22, 2020
Implicit grant custom domain: identitity provider login returns auth0 domain iss Help jwt , auth0 , login	5	3883	August 29, 2019
Issuer with custom domain in M2M token Help	6	3317	August 26, 2021

Issuer mismatch in ID token

Problem Statement

Troubleshooting

Cause

Solution

Reference

Related Topics