Login transaction redirects to apps login route with 'iss' param such as 'https://mydomain.com/login?iss='

Problem statement

An authentication flow is ending with this redirection and we don’t understand what is causing it:



There’s an unexpected 302 redirect when application is redirected to the ‘/u/login’ route on their Auth0 Domain.


Redirecting that endpoint is expected when initiating a login from a 3rd party application (such as curl in this instance). The ‘iss’ param being returned is to let the client (application) know which OIDC IdP the request had been intended for. More on that spec can be found here:


This is expected behavior when attempting to login using a 3rd party app/service. Login transactions should be initiated by the RP (application) itself and not on behalf of another service.