Auth0 setup with custom Auth0 domain

  • Goal: Auth0 M2M authentication stopped working after we set up a custom domain in our Auth0 instance. The ISS no longer matches and there is no way to set that up in the resource configuration. All queries throw a 400 error in the console claiming the Bearer token is not valid due to an invalid ISS.

  • Steps: Everything was working out of the box for years, and now that we have configured a custom domain for Auth0 it has stopped working. We tried changing the provided fields in the config form of the Auth0 Client Credentials authentication option for a resource, with no luck.

  • Details:

Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: The iss claim is not valid", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

The whole issue boils down to: where can we configure the issuer?


Hi @svachmic! Welcome to the community.

To be clear, you get the above error when actually firing off a resource query, right? That makes me think that you need to update the AUTH0_DOMAIN environment variable on your API server.

You are correct that this happens when I try to call my resource. But it has nothing to do with the configuration of our API server, because this error happens during the authentication step (i.e. prior to actually calling the resource). The Retool Auth0 config is missing an "iss" field; it should be in the setup as an optional field for exactly these cases, where the issuer is different from the domain. Just to be clear, the error I have copy-pasted is not one that our server returns; it's from Retool. Our servers are not even called in that instance.

Since custom domains are not supported, I suggest you update the documentation and point people to using the full "manual" OAuth2 Authentication. I managed to get it working just fine, but it took me a while before I realized that I could do that.

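What the rejected token actually carries, as an added example that is not part of this thread and is not Retool's or Auth0's code: an Auth0 tenant issues tokens with `iss` set to `https://<tenant-domain>/` (trailing slash included), and once a custom domain is enabled the `iss` becomes `https://<custom-domain>/`, so any verifier still pinned to the tenant domain rejects the token exactly as the 400 above does. The script below mints two tokens, verifies them against each expected issuer, and reproduces the failure. All names are hypothetical (tenant `example-tenant.us.auth0.com`, custom domain `auth.example.com`, audience `https://api.example.com`), and the tokens are HS256-signed with a constructed secret so it runs offline; real Auth0 tokens are RS256 and are checked against the tenant's JWKS instead.

```python
"""Added example: reproduce "The iss claim is not valid" after an Auth0 custom domain.

Everything here is constructed for illustration; no real tenant, key or API is used.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # stands in for Auth0's RS256 signing key
TENANT_ISSUER = "https://example-tenant.us.auth0.com/"  # hypothetical tenant domain
CUSTOM_ISSUER = "https://auth.example.com/"  # hypothetical custom domain
AUDIENCE = "https://api.example.com"  # hypothetical API identifier


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(issuer: str, audience: str = AUDIENCE, ttl: int = 3600) -> str:
    """Mint a client-credentials style JWT as the issuer at `issuer` would."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    payload = {
        "iss": issuer,  # Auth0 sets this to https://<domain>/ with a trailing slash
        "sub": "constructed_client_id@clients",
        "aud": audience,
        "iat": now,
        "exp": now + ttl,
        "gty": "client-credentials",
    }
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(signature)


def verify(token: str, expected_issuer: str, expected_audience: str = AUDIENCE):
    """Verify signature, expiry, aud and iss; return (ok, reason) like a resource server would."""
    try:
        header_seg, payload_seg, sig_seg = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected_sig = hmac.new(SECRET, f"{header_seg}.{payload_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_seg)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(payload_seg))
    if claims.get("exp", 0) < time.time():
        return False, "token expired"
    if claims.get("aud") != expected_audience:
        return False, "The aud claim is not valid"
    # Exact string match: scheme, host and trailing slash all have to agree.
    if claims.get("iss") != expected_issuer:
        return False, "The iss claim is not valid"
    return True, "ok"


def unverified_issuer(token: str) -> str:
    """Diagnostic only: read iss from the payload without verifying, to see what was issued."""
    return json.loads(b64url_decode(token.split(".")[1])).get("iss")


if __name__ == "__main__":
    token = mint_token(CUSTOM_ISSUER)
    print("token iss:", unverified_issuer(token))
    print("verifier pinned to tenant domain:", verify(token, TENANT_ISSUER))
    print("verifier pinned to custom domain:", verify(token, CUSTOM_ISSUER))
```

The first thing to do with a 400 like the one above is `unverified_issuer`: decoding the payload shows which issuer the token was minted with, and a trailing-slash or hostname difference against the configured issuer is the usual cause.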

Got it - thanks for clarifying. I was going to recommend building out a generic client credentials flow, so I'm glad it's a valid alternative.

I'll definitely talk to the team about adding support for custom domains and, in the meantime, making that limitation clear. I'll provide an update here as soon as I have news to share.

UPDATE: The below configuration should work. The trick is setting the audience correctly.