Overview
This article explains a potential cause for isAuthenticated to remain false incorrectly when a user authenticates through only the secondary custom domain of a tenant that has multiple custom domains with self-managed certificates.
- During the authentication, the code exchange is performed and a valid access token and ID token are returned, but isAuthenticated remains false.
- The primary domain authenticates successfully.
Applies To
- Custom Domains
- Self-managed Certificates
- Authentication
Cause
When authenticating through another custom domain, the iss claim of the ID token is still set to the configured (primary) custom domain. The SPA SDK and its wrappers, such as auth0-react and auth0-angular, use the domain option to construct the expected issuer (for example, https://<domain>/) and compare it against the iss claim during verification of the ID token. Because the domain specified is a secondary domain and not the configured one, token verification fails with an issuer mismatch, and the SDK does not treat the user as authenticated.
Solution
Explicitly set the issuer by passing it in the SDK options alongside the client_id, domain, and other required fields, so that the expected issuer matches the configured custom domain rather than the secondary domain the SPA was initialised with.
Please note that using multiple custom domains per tenant is not officially supported, even when using self-managed certificates. It is recommended that multiple custom domains be avoided if possible.
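The following is an added illustration of the cause and the fix described above; it is not code from the Auth0 SDKs. It models only the issuer comparison the article describes (the SDK also verifies signature, audience, expiry and nonce). The domain names, client ID and token payload are constructed placeholders, and the option keys (domain, client_id, issuer) follow the names used in this article; check the option names against the version of the SDK in use.

```javascript
// Added example (not Auth0 SDK source): why an ID token fails issuer
// validation when the SPA is initialised with the secondary custom domain,
// and how an explicit `issuer` option resolves it.

// Mirrors the behaviour the article describes: unless `issuer` is given,
// the expected issuer is derived from the `domain` option as https://<domain>/.
function expectedIssuer(options) {
  if (options.issuer) return options.issuer;
  return `https://${options.domain}/`;
}

// Minimal stand-in for the SDK's issuer check. Only the `iss` claim is
// modelled here; real verification also covers signature, aud, exp, nonce.
function verifyIssuer(idTokenPayload, options) {
  const expected = expectedIssuer(options);
  if (idTokenPayload.iss !== expected) {
    return { ok: false, reason: `iss ${idTokenPayload.iss} does not match expected ${expected}` };
  }
  return { ok: true, reason: null };
}

// Constructed placeholder values, not real tenant data.
const PRIMARY_DOMAIN = 'login.example.com';   // the configured custom domain
const SECONDARY_DOMAIN = 'auth.example.org';  // second custom domain (self-managed cert)
const CLIENT_ID = 'PLACEHOLDER_CLIENT_ID';

// Constructed ID-token payload as the tenant mints it: `iss` carries the
// configured custom domain regardless of which domain served the request.
const sampleIdToken = {
  iss: `https://${PRIMARY_DOMAIN}/`,
  sub: 'auth0|placeholder-user-id',
  aud: CLIENT_ID,
};

// Case 1: SPA initialised with the secondary domain only. The derived issuer
// is https://auth.example.org/, the token says https://login.example.com/,
// so verification fails and isAuthenticated stays false.
const brokenOptions = {
  domain: SECONDARY_DOMAIN,
  client_id: CLIENT_ID,
};

// Case 2: same SPA with `issuer` pinned to the configured custom domain.
const fixedOptions = {
  domain: SECONDARY_DOMAIN,
  client_id: CLIENT_ID,
  issuer: `https://${PRIMARY_DOMAIN}/`,
};

// Runs both cases and returns the verification results.
function demo() {
  return {
    broken: verifyIssuer(sampleIdToken, brokenOptions),
    fixed: verifyIssuer(sampleIdToken, fixedOptions),
  };
}

console.log(demo());
```

When debugging this in a real application, decode the returned ID token (inspection only, without trusting it) and compare its iss claim with https://<domain>/ for the domain passed to the SDK; a mismatch of exactly this kind indicates the issuer option is needed.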