Problem Statement
The issuer of the ID token is the Canonical Domain. We want the Custom Domain.
Token object:
{
...,
"iss": "https://tenant.us.auth0.com/",
}
Troubleshooting
- Check the iss property in the payload of the ID token with jwt.io
- Check the Custom Domain configuration
- Check the Allowed Web Origins and Allowed Origins (CORS) settings
Cause
The /authorize call is made to the canonical domain, so that domain is placed in the iss claim. The same thing can happen with requests to the /oauth/token endpoint.
Solution
Auth0 issues tokens with the iss claim set to whichever domain you used for the request. For example, if you used https://tenant.us.auth0.com/authorize… to obtain an Access Token, the iss claim of the token you receive will be https://tenant.us.auth0.com/. If you used your custom domain https://your.domain.com/authorize…, the iss claim value will be https://your.domain.com/.
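As an added example (not code from the Auth0 article), the Python snippet below decodes the ID token payload the same way jwt.io does and reports whether iss is the expected custom domain or the canonical domain that handled the request. The tenant domain, custom domain and token are constructed placeholders; this is a diagnostic decode only, and signature verification is still required before trusting any claim.

```python
import base64
import json

# Constructed placeholders matching the article's example domains (not real tenants).
CANONICAL_ISSUER = "https://tenant.us.auth0.com/"
CUSTOM_ISSUER = "https://your.domain.com/"


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_sample_token(issuer: str) -> str:
    """Build a constructed, unsigned JWT-shaped token for the demo only."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"iss": issuer, "sub": "auth0|example", "aud": "client_id_placeholder"}
    return f"{_b64url_encode(header)}.{_b64url_encode(payload)}.placeholder-signature"


def read_issuer(token: str) -> str:
    """Decode only the payload segment (no signature check; diagnostic use, like jwt.io)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = json.loads(_b64url_decode(parts[1]))
    return payload["iss"]


def diagnose_issuer(token: str, expected_issuer: str, canonical_issuer: str) -> str:
    """Explain an iss mismatch in terms of which domain received the request."""
    iss = read_issuer(token)
    if iss == expected_issuer:
        return "ok"
    if iss == canonical_issuer:
        return ("issuer is the canonical domain: the /authorize or /oauth/token "
                "request was sent to the canonical domain, not the custom domain")
    return f"unexpected issuer {iss!r}; reject the token"


if __name__ == "__main__":
    print(diagnose_issuer(make_sample_token(CANONICAL_ISSUER), CUSTOM_ISSUER, CANONICAL_ISSUER))
```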