Issuer with custom domain in M2M token

Hello Auth0 team,

We have M2M applications and our tenants are configured with custom domains. We read in the Auth0 documentation that, in order to generate access tokens having the issuer containing the custom domain, we must call the /token endpoint using the custom domain URL:

That’s what we do, but the M2M tokens still contain the Auth0 default domain: the “iss” claim ends in “auth0.com”. These tokens go to customers and we need to have the custom domain instead. How can we achieve that?

Thank you!

1 Like

Hey @smirauta ,

I just tested with my custom domain and client_credentials exchange grant, and I was able to see iss as the custom domain in the Access Token.

Example: 
URL : https://my_custom_domain/oauth/token
{"client_id":"my_client_id","client_secret":"my_client_secret","audience":"my_audience","grant_type":"client_credentials"}

Can you DM me your command and payload to check?

Regards,
Sid

1 Like

Thank you, Sidharth,

I rechecked. My application is an M2M application. We have our own API defined in Auth0 which is enabled for that M2M app. We enabled the “Token Endpoint Authentication Method Basic” on our M2M app, so that we call the token endpoint like this:

curl --request POST --url https://my_gateway/security/oauth/token --header 'content-type: application/json' --header 'Authorization: Basic NF...TQ==' --data '{"audience":"https://my_api.com","grant_type":"client_credentials"}'

I have identified the cause: the problem is that we have put the Auth0 /token endpoint behind a gateway. The gateway forwards the request to the Auth0 /token endpoint with the custom domain. But the issuer in the token contains the Auth0 default domain “https://tenant.auth0.com/”. If I call the /token endpoint directly with the custom domain (without going through the gateway), it works, the issuer is then “https://my_custom_domain.com”.

But still the question remains: do you have an idea how to solve that? Since the gateway forwards to Auth0 using the custom domain, I don’t understand why Auth0 doesn’t recognize it in this case.

Hey @smirauta, calling Auth0 with the custom domain will lead to the token being issued with iss as the custom domain as well. Can you please DM me your tenant name and an exact UTC timestamp sample of when your gateway makes the request to Auth0?

1 Like

Hi Sidharth,
Just letting you know that the issue was fixed on our side in the gateway configuration.
Thank you!

2 Likes

Perfect! Glad to hear that!
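
Added example, not part of any post in this thread: a diagnostic for comparing the `iss` claim of a token obtained through the gateway with one obtained directly from the custom domain. The function names and the sample tokens are constructed for illustration (the issuer values are the two quoted above), and the payload is decoded without signature verification, so this is for inspection only and not for token validation.

```python
import base64
import json
from urllib.parse import urlsplit


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def issuer_report(token: str, expected_host: str) -> dict:
    """Compare the host of the iss claim with the expected custom domain."""
    iss = read_claims(token).get("iss")
    host = urlsplit(iss).hostname if isinstance(iss, str) else None
    return {"iss": iss, "iss_host": host, "matches": host == expected_host.lower()}


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (placeholder signature)."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


# Constructed samples using the two issuer values quoted in the thread.
VIA_GATEWAY = make_sample_token({"iss": "https://tenant.auth0.com/", "aud": "https://my_api.com"})
DIRECT = make_sample_token({"iss": "https://my_custom_domain.com", "aud": "https://my_api.com"})

if __name__ == "__main__":
    for label, tok in (("via gateway", VIA_GATEWAY), ("direct", DIRECT)):
        print(label, issuer_report(tok, "my_custom_domain.com"))
```

Running the same report on a real token from each path shows whether the gateway route is the one producing the default-domain issuer.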