JWT verification from a backend API

Problem statement

When a backend system attempts to validate an issued JWT, an ‘invalid issuer’ error is thrown. How can this issue be resolved?

Symptoms

  • Getting a 401 from the backend when implementing middleware to validate JWTs
  • Changed the issuer value multiple times with no success

Steps to Reproduce

  • Use a simple JWT validation function to test different formats of the issuer URL.
  • The issuer must match the value published at the tenant's public ‘/.well-known’ endpoint; any change to that value returns the same ‘invalid issuer’ error.

Cause

The issuer URL configured in the backend middleware was missing the protocol and the trailing slash ‘/’.

Solution

Make sure the configuration values used in the backend to validate the JWT (the issuer in particular) are an exact match of the ones published at the well-known endpoint for the appropriate Auth0 tenant. If any of those values do not match, there is typically a descriptive error alongside the 401 status code, such as “invalid issuer”, to help with debugging.
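The following is an added example, not code from the original article or from Auth0, that puts the reproduction steps and the solution above into a runnable form: a small validation function that verifies the signature first and then compares the `iss` claim character-for-character against the configured issuer, and a helper that tries several issuer formats so the effect of a missing protocol or trailing slash is visible. All values are constructed: the tenant name, audience and shared secret are placeholders, and HS256 with a shared secret is used only so the example runs offline with the standard library (an Auth0 tenant publishes its issuer, with the https scheme and trailing slash, in the `issuer` field of its `/.well-known/openid-configuration` document and signs with RS256).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (hypothetical tenant, audience and secret).
WELL_KNOWN_ISSUER = "https://example-tenant.us.auth0.com/"
AUDIENCE = "https://api.example.com"
SHARED_SECRET = b"constructed-demo-secret"  # HS256 only so the example is self-contained


class JwtValidationError(Exception):
    """Raised by validate_jwt; the message is what a backend would return alongside a 401."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that base64url strips before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(issuer: str, audience: str, subject: str = "user|123", ttl: int = 300) -> str:
    """Mint an HS256 token carrying the given iss/aud claims (demo issuer only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {"iss": issuer, "aud": audience, "sub": subject, "iat": now, "exp": now + ttl}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_jwt(token: str, expected_issuer: str, expected_audience: str) -> dict:
    """Verify the signature first, then compare iss/aud/exp exactly as configured."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise JwtValidationError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise JwtValidationError("unexpected algorithm")
    expected_sig = hmac.new(
        SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise JwtValidationError("invalid signature")
    payload = json.loads(_b64url_decode(payload_b64))
    # Exact string comparison: no normalisation of scheme, host case or trailing slash,
    # which is why "tenant.auth0.com" never matches "https://tenant.auth0.com/".
    if payload.get("iss") != expected_issuer:
        raise JwtValidationError("invalid issuer")
    if payload.get("aud") != expected_audience:
        raise JwtValidationError("invalid audience")
    if payload.get("exp", 0) <= int(time.time()):
        raise JwtValidationError("token expired")
    return payload


def check_issuer_formats(token: str, candidates: list) -> dict:
    """Map each candidate issuer string to 'ok' or the validation error it produces."""
    results = {}
    for candidate in candidates:
        try:
            validate_jwt(token, candidate, AUDIENCE)
            results[candidate] = "ok"
        except JwtValidationError as exc:
            results[candidate] = str(exc)
    return results


if __name__ == "__main__":
    token = issue_token(WELL_KNOWN_ISSUER, AUDIENCE)
    candidates = [
        "example-tenant.us.auth0.com",           # missing protocol and trailing slash
        "https://example-tenant.us.auth0.com",   # missing trailing slash
        "http://example-tenant.us.auth0.com/",   # wrong protocol
        WELL_KNOWN_ISSUER,                       # exact value from /.well-known
    ]
    for issuer, outcome in check_issuer_formats(token, candidates).items():
        print(f"{issuer!r:45} -> {outcome}")
```

Running the script shows only the last candidate reporting `ok`; the other three fail with `invalid issuer` even though the token's signature is valid. When wiring real middleware, copy the `issuer` value from the tenant's well-known document verbatim rather than typing it by hand.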