Issuer Mismatch in ID Token

Overview

This article explains why the issuer of the ID token is the Canonical Domain instead of the Custom Domain.

Token object:

{
   ...,
   "iss": "https://<tenant>.us.auth0.com/"
}

Cause

The /authorize request was sent to the canonical domain, so the canonical domain is set as the issuer. The same thing can happen with requests to the /oauth/token endpoint.

Solution

Auth0 issues tokens with the iss claim set to whichever domain was used for the request. For example, if https://<tenant>.us.auth0.com/authorize... is used to obtain an Access Token, the iss claim of the token received will be https://<tenant>.us.auth0.com/. If the custom domain https://your.domain.com/authorize... is used, the iss claim value will be https://your.domain.com/.
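The following Python diagnostic is an added example, not Auth0 code: it reads the iss claim from a token and reports whether a mismatch against the issuer your application expects comes from the request having gone to the canonical domain. The tenant name example-tenant, the sample tokens, and the .auth0.com suffix test are constructed assumptions based on the URLs above; the helper does not verify signatures, so it complements your JWT library's validation rather than replacing it.

```python
import base64
import json
from urllib.parse import urlsplit

# Assumption: canonical domains end in .auth0.com, as in the article's example URL.
CANONICAL_SUFFIX = ".auth0.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(iss: str) -> str:
    """Build a constructed JWT-shaped string (placeholder signature) for the demo."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": iss, "sub": "constructed|123"}).encode())
    return f"{header}.{payload}.constructed-signature"


def read_iss(token: str) -> str:
    """Decode the payload segment and return iss. Diagnostic only: no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1]
    payload = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    return payload["iss"]


def diagnose_issuer(token: str, expected_issuer: str) -> str:
    """Explain why iss does or does not match the issuer the application expects."""
    iss = read_iss(token)
    if iss == expected_issuer:
        return "ok"
    # The iss values shown above end in "/", so a config without it fails an exact match.
    if iss.rstrip("/") == expected_issuer.rstrip("/"):
        return "trailing-slash mismatch"
    host = urlsplit(iss).hostname or ""
    if host.endswith(CANONICAL_SUFFIX):
        return "token requested via canonical domain"
    return "unexpected issuer"


if __name__ == "__main__":
    expected = "https://your.domain.com/"
    for issuer in ("https://example-tenant.us.auth0.com/", expected):
        print(issuer, "->", diagnose_issuer(make_sample_token(issuer), expected))
```
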