I’m building a ChatGPT custom action and using Auth0 for user authentication with OAuth. I’m running into a persistent issue where I’m receiving encrypted JWTs (JWE) with alg: dir and enc: A256GCM instead of the expected RS256-signed JWTs. I’ve been working on this for a day and a half.
Here’s a breakdown of my setup:
- Auth0 Application Type: Regular Web Application
- Grant Types: Authorization Code, Refresh Token (Client Credentials DISABLED)
- Custom Domain: Yes (login.bidoptimize.ai), verified with valid SSL. (I will want to revert to a non-custom domain if it is not worth it.)
- OpenAI Custom GPT Actions Configuration: Configured with OAuth, Client ID, Client Secret, correct authorization URL, and token URL.
What I’ve Tried:
- Double-checked the Token Signature Algorithm settings in Auth0 (set to RS256 at API settings and checked for any other global settings).
- Disabled the Client Credentials grant type on my Auth0 application.
- Manually inspected the redirect URL to ensure the redirect_uri parameter matches my allowed callback URLs.
- Verified my DNS and SSL configuration for the custom domain using online checkers.
- Forced re-authentication and cleared my cache.
Additional Details:
- My Auth0 account is a free account.
- The “Application Login URI” is currently empty, as I am not using Classic Universal Login.
- We used Resource Owner Password flow which returned an RS256 signed JWT.
Despite the basic things, the tokens given are still in JWE format, which causes authentication errors in my FastAPI backend (which expects RS256).
Any assistance on where to investigate further would be greatly appreciated!
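As an added example (not from the original post, and not Auth0 or OpenAI code), a small Python helper for the FastAPI side that tells a 5-segment JWE (alg: dir, enc: A256GCM) apart from a 3-segment RS256 JWS by reading the protected header, so the backend can fail with a clear diagnosis instead of a generic signature error. The sample tokens, their `kid` and payload segments are constructed placeholders.

```python
import base64
import json
from typing import Any, Dict

# Signing algorithms the backend accepts; anything else is rejected outright
ALLOWED_SIGNING_ALGS = {"RS256"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JOSE strips."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def inspect_token(token: str) -> Dict[str, Any]:
    """Classify a compact JOSE token without verifying it.

    Returns the protected header, the 'kind' ('JWS' for 3 segments, 'JWE'
    for 5), whether RS256 verification can even be attempted, and a reason
    when it cannot. Verification itself is left to the JWKS-based check.
    """
    parts = token.split(".")
    if len(parts) not in (3, 5):
        raise ValueError(f"not a compact JWS/JWE: {len(parts)} segments")
    header = json.loads(_b64url_decode(parts[0]))
    kind = "JWS" if len(parts) == 3 else "JWE"
    alg = header.get("alg")
    verifiable = kind == "JWS" and alg in ALLOWED_SIGNING_ALGS
    reason = None
    if kind == "JWE":
        # An encrypted token cannot be checked against RS256 public keys
        reason = (f"encrypted token (alg={alg}, enc={header.get('enc')}); "
                  "not an RS256-signed access token for this API")
    elif not verifiable:
        reason = f"unsupported signing alg {alg!r}"
    return {"kind": kind, "header": header, "verifiable": verifiable, "reason": reason}


def _fake_token(header: Dict[str, Any], n_segments: int) -> str:
    """Build a constructed token shape: real header, dummy remaining segments."""
    head = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return ".".join([head] + ["x"] * (n_segments - 1))


# Constructed samples mimicking the two token shapes described in the post
SAMPLE_JWE = _fake_token({"alg": "dir", "enc": "A256GCM", "iss": "https://login.bidoptimize.ai/"}, 5)
SAMPLE_JWS = _fake_token({"alg": "RS256", "typ": "JWT", "kid": "example-kid"}, 3)

if __name__ == "__main__":
    for sample in (SAMPLE_JWE, SAMPLE_JWS):
        print(inspect_token(sample))
```

Running the helper on the token your FastAPI backend receives confirms whether the failure is a signature problem or simply the wrong token type arriving at the API.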