Hello Auth0 team,
We have M2M applications and our tenants are configured with custom domains. We read in the Auth0 documentation that, in order to generate access tokens having the issuer containing the custom domain, we must call the /token endpoint using the custom domain URL:
That’s what we do, but the M2M tokens still contain the auth0 default domain, the “iss” claim ends in “auth0.com”. These tokens go to customers and we need to have the custom domain instead. How to achieve that?
Thank you!
1 Like
Hey @smirauta,
I just tested with my custom domain and client_credentials exchange grant, I was able to see iss as the custom domain in the Access Token
Example:
URL : https://my_custom_domain/oauth/token
{"client_id":"my_client_id","client_secret":"my_client_secret","audience":"my_audience","grant_type":"client_credentials"}
Can you DM me your command and payload to check?
Regards,
Sid
1 Like
Thank you, Sidharth,
I rechecked. My application is an M2M application. We have our own API defined in Auth0 which is enabled for that M2M app. We enabled the “Token Endpoint Authentication Method Basic” on our M2M app, so that we call the token endpoint like that:
curl --request POST --url https://my_gateway/security/oauth/token --header 'content-type: application/json' --header 'Authorization: Basic NF...TQ==' --data '{"audience":"https://my_api.com","grant_type":"client_credentials"}'
I have identified the cause: the problem is that we have put the Auth0 /token endpoint behind a gateway. The gateway forwards the request to the Auth0 /token endpoint with the custom domain. But the issuer in the token contains the Auth0 default domain “https://tenant.auth0.com/”. If I call the /token endpoint directly with the custom domain (without going through the gateway), it works, the issuer is then “https://my_custom_domain.com”.
But still the question remains: do you have an idea how to solve that? Since the gateway forwards to Auth0 using the custom domain, I don’t understand why Auth0 doesn’t recognize it in this case.
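Added example, not part of the original posts and not Auth0 code: a small diagnostic that decodes the payload of an access token and reports whether its "iss" claim carries the custom domain or the default auth0.com domain, which is the comparison made above between the gateway path and the direct call. The sample tokens are constructed and unsigned, the function names are hypothetical, and the signature is deliberately not verified, so this is for diagnosis only and not for token validation.

```python
import base64
import json
from urllib.parse import urlparse


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_issuer(token: str, expected_domain: str) -> str:
    """Classify the iss claim: 'custom', 'default' (auth0.com) or 'unexpected'."""
    iss = str(jwt_claims(token).get("iss", ""))
    host = (urlparse(iss).hostname or "").lower()
    if host == expected_domain.lower():
        return "custom"
    if host.endswith(".auth0.com"):
        return "default"
    return "unexpected"


def _sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


# Constructed samples using the issuer values quoted in the thread.
VIA_GATEWAY = _sample_token(
    {"iss": "https://tenant.auth0.com/", "aud": "https://my_api.com"})
DIRECT = _sample_token(
    {"iss": "https://my_custom_domain.com", "aud": "https://my_api.com"})

if __name__ == "__main__":
    for label, tok in (("via gateway", VIA_GATEWAY), ("direct", DIRECT)):
        print(f"{label}: iss={jwt_claims(tok)['iss']} -> "
              f"{check_issuer(tok, 'my_custom_domain.com')}")
```

Running the same check on a token obtained through the gateway after each configuration change shows whether that path now yields the custom-domain issuer.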
Hey @smirauta, calling Auth0 with custom domain will lead to token being issued with iss as custom domain as well. Can you please DM me your tenant name and an exact UTC timestamp sample when your gateway makes the request to Auth0?
1 Like
Hi Sidharth,
Just letting you know that the issue was fixed on our side in the gateway configuration.
Thank you!
2 Likes
Perfect! Glad to hear that!