Can the 'iss' Parameter Be Excluded from the Redirect URL
When the create/reset password link is used to log in a user who is already logged in, Auth0 redirects to the Application Login URI value and appends an iss parameter to that URL.
Example: https://domain/login?iss=https%3A%2F%2Fexample.auth0.com%2F
This URL triggers the configured Google Cloud Armor (third-party service) firewall rules and is blocked with a 403. This article clarifies whether the iss parameter can be omitted rather than disabling that firewall rule.
Prerequisites
- Use New Universal Login Experience
- Configure the default login route
Steps to Reproduce
Capture the network logs while following the steps below.
- Request a password reset from the New Universal Login page (Forgot password?)
- Receive the email and click the password reset link.
- Input the new password. Click the Reset password button, then the Back to (application name) button.
- Check the network logs and locate the URL https://{default login route}?iss={tenant's domain}
The iss claim cannot be omitted.
The iss value is a hint to the relying party (the application) so that the app can identify which OIDC identity provider is requesting the login.
Refer to Initiating Login from a Third Party for more details.
In this case, configure the firewall rule to ignore the iss parameter in the URL rather than disabling the rule.
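Because iss is only a hint, the relying party should verify it names a trusted issuer before starting a login with it. The following is an added example (not code from the Auth0 article) of that application-side check on the default login route; the login route, the tenant issuer and the trusted-issuer set are constructed assumptions.

```python
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed example values (assumptions, not taken from the article):
# the issuer this application is configured for, and the issuers it trusts.
# Auth0 issuer values end with a trailing slash, as in the article's example.
DEFAULT_ISSUER = "https://example.auth0.com/"
TRUSTED_ISSUERS = {DEFAULT_ISSUER}

HINT_ACCEPTED = "hint-accepted"   # iss present and trusted: start login there
NO_HINT = "no-hint"               # iss absent: normal login with the default issuer
HINT_REJECTED = "hint-rejected"   # iss present but untrusted: ignore it


def extract_iss(redirect_url: str) -> Optional[str]:
    """Return the percent-decoded iss query value, or None if it is not supplied.

    A repeated iss parameter is ambiguous and is treated as not supplied.
    """
    query = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    values = query.get("iss", [])
    if len(values) != 1:
        return None
    return values[0]


def choose_issuer(redirect_url: str) -> Tuple[str, str]:
    """Decide which OIDC provider the login should be initiated with.

    Per OIDC 'Initiating Login from a Third Party', iss identifies the
    provider asking the RP to start a login; the RP must only honour it
    when it is an issuer the RP already trusts. Returns (issuer, outcome).
    """
    iss = extract_iss(redirect_url)
    if iss is None:
        return DEFAULT_ISSUER, NO_HINT
    # Normalise only the trailing slash; compare for exact equality so that
    # look-alike hosts such as example.auth0.com.attacker.example never match.
    normalised = iss if iss.endswith("/") else iss + "/"
    if normalised in TRUSTED_ISSUERS:
        return normalised, HINT_ACCEPTED
    # Untrusted issuer: fall back to the configured provider, never redirect
    # the user to the hinted one. Log this so rejected hints are visible.
    return DEFAULT_ISSUER, HINT_REJECTED
```

This validation is defence in depth on the application side; the firewall exception the article recommends is still needed for the redirect to reach the application at all.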