Auth0 authorizor rejects JWT token from service - "jwt issuer invalid. expected: https://myservice.auth0.com"

Question

I'm walking through the tutorials for setting up auth0 as an API gateway authorizer for AWS listed here: https://auth0.com/docs/integrations/aws-api-gateway/custom-authorizers

I am using the recommended authorizer from here: https://github.com/auth0-samples/jwt-rsa-aws-custom-authorizer

The only modification has been to the config files.

However, when testing the authorizer function, I get the following error:

{"name":"JsonWebTokenError","message":"jwt issuer invalid. expected: https://MYSERVICE.auth0.com"}

Where MYSERVICE is the auth0 api I have set up. This is confusing, because I've gotten the jwt token through this method:

curl --request POST \
--url https://MYSERVICE.auth0.com/oauth/token \
--header 'content-type: application/json' \
--data '{"client_id":"MY_ID","client_secret":"MY_SECRET","audience":"TestApi","grant_type":"client_credentials"}'

The resulting token can be loaded into the debugger tool at https://jwt.io/ , and it reports the iss field as https://MYSERVICE.auth0.com

Is there a misconfiguration that might cause this issue?

Answer 1

Went through the entire tutorial after reading your question, and this worked for me (had already done this recently).

Unclear, but from your error message reported in question, it looks like expected issuer does not have a trailing / on the end.

However, mine definitely DID have that. Here a screenshot from JWT.IO of a token that is working.

Can simply send that the API (using postman) and appending it as Authorization Bearer {{token}} header. using the tutorial's api (AWS petshop), receive the output:

[
    {
        "id": 1,
        "type": "dog",
        "price": 249.99
    },
    {
        "id": 2,
        "type": "cat",
        "price": 124.99
    },
    {
        "id": 3,
        "type": "fish",
        "price": 0.99
    }
]

Be helpful to see your JWT token iss and aud (audience) values.

Answer 2

Little late to the party, but this is worked for my Blazor WASM ASP.Net Core 3.1 Web API project when I setup a custom domain and received the same error.

The fix for me was to set the TokenValidationParameters.ValidIssuer = [MY_CUSTOM_DOMAIN] in the Startup.cs class of my web service app.

public void ConfigureServices(IServiceCollection services)
{
  services.AddAuthentication(options =>
  {
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
  })
  .AddJwtBearer(options =>
  {
    options.Authority = Configuration[“Auth0:Authority”];
    options.Audience = Configuration[“Auth0:ApiIdentifier”];
    options.TokenValidationParameters.ValidIssuer = Configuration[“Auth0:Issuer”];
  });
}

Here is my appsettings.config for my server:

{
  “AllowedHosts”: “*”,
  “Auth0”: {
    “Authority”: “[AUTH0_TENANT_DOMAIN]”, (i.e. https://prod-mydomain.us.auth0.com)
    “Issuer”: “[MY_CUSTOM_DOMAIN]”, (i.e. https://login.mycustomdomain.net/)
    “ApiIdentifier”: “[MY_API_DOMAIN]” (i.e. https://example.net/api)
  }
}

IMPORTANT: => I had to include a trailing “/” in the URL for my custom domain like this: https://login.mycustomdomain.net/" . You can verify if you need a trailing “/” by looking at the ISS value found in the bearer token (@ jwt.io or jwt.ms) passed during the call to your web service.