Receiving 403 Forbidden from .well-known/jwks.json endpoint

I am following this tutorial by Auth0 to implement access token verification in a Python Flask app running on Google App Engine (flex).

However I am receiving HTTP 403 Forbidden from this code:

jwks = requests.get(f"https://{domain}/.well-known/jwks.json").json()

I can confirm that the URL being sent is the correct one, and that when I call this with Python on my local system I receive the correct JSON. It is only when run on the server that this returns 403 Forbidden.

Good afternoon,

I see that you submitted a support ticket as well. Were you able to try to remove the f before the url? https://{domain}/.well-known/jwks.json is a public URL so it should be accessible.

Thanks!

I believe the cause of this was that I was proxying the custom domain through Cloudflare. I could access the data I needed by using the direct domain provided by Auth0, and if I used a different User-Agent I could stop the 403. I suspect Cloudflare is blocking ranges from Google Cloud Platform with a generic user agent from making these requests.


Glad you have found it and thank you for sharing with the rest of the community!
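
An added example, not part of the original thread or of Auth0's tutorial: a JWKS fetch that sends a descriptive User-Agent, tells a Cloudflare-edge 403 apart from other HTTP errors, tries the direct tenant domain next, and fails closed when no usable keys come back. The domain names and User-Agent string are placeholders, and it uses the standard library's urllib instead of requests so it runs without extra packages.

```python
import json
import urllib.error
import urllib.request

# Assumption: a descriptive User-Agent naming the calling service (hypothetical value).
USER_AGENT = "example-flask-api/1.0 (jwks-fetch)"


def http_get(url, user_agent, timeout=5):
    """Return (status, headers, body) without raising on HTTP error statuses."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def blocked_by_edge(status, headers):
    """True when a 403 carries Cloudflare's response headers rather than the origin's."""
    h = {k.lower(): v for k, v in headers.items()}
    return status == 403 and ("cf-ray" in h or h.get("server", "").lower() == "cloudflare")


def fetch_jwks(domains, get=http_get, user_agent=USER_AGENT):
    """Try each domain in order; return (jwks, attempts). Raise if none yields keys."""
    attempts = []  # (domain, status, reason) per try, for logging and diagnosis
    for domain in domains:
        url = f"https://{domain}/.well-known/jwks.json"
        status, headers, body = get(url, user_agent)
        if status != 200:
            reason = "edge-block" if blocked_by_edge(status, headers) else "http-error"
            attempts.append((domain, status, reason))
            continue
        try:
            jwks = json.loads(body)
        except ValueError:
            attempts.append((domain, status, "not-json"))
            continue
        keys = jwks.get("keys") if isinstance(jwks, dict) else None
        if keys and all(isinstance(k, dict) and "kid" in k for k in keys):
            attempts.append((domain, status, "ok"))
            return jwks, attempts
        attempts.append((domain, status, "no-usable-keys"))
    # Fail closed: without signing keys no access token can be verified.
    raise RuntimeError(f"JWKS unavailable: {attempts}")
```

Call it with the custom domain first and the direct tenant domain second, and log the returned attempts so an edge block is visible instead of surfacing as a generic token-verification failure.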