graphql-engine
Auth0 with custom domain causes FST_JWT_AUTHORIZATION_TOKEN_INVALID
Version Information
Server Version: hasura/graphql-engine v2.10.1
Environment
Docker image running on GCP Cloud Run
What is the current behaviour?
When trying to validate a JWT token generated by Auth0 using a custom domain I get back:
{
  "errors": [
    {
      "extensions": {
        "code": "FST_JWT_AUTHORIZATION_TOKEN_INVALID",
        "path": "$"
      },
      "message": "Authorization token is invalid: The iss claim value is not allowed."
    }
  ]
}
I tried the following values in HASURA_GRAPHQL_JWT_SECRET with no success:
- Using the JWK URL. In this case we use the JWK URL as follows:
{"jwk_url": "https://my.custom-domain.com/.well-known/jwks.json", "issuer": "https://my.custom-domain.com/" }
- Using the key
{"type": "RS512", "key": "abc", "issuer": "https://my.custom-domain.com/" }
In both cases Hasura seems to fail to validate the custom issuer. This SEEMS to be due to the trailing slash in the issuer: the token generated by Auth0 does use a trailing slash in the iss field, as detailed here.
Other information:
- This does work fine with the default Auth0 domain (not custom)
- This throws a different error if the value of "issuer" has no trailing slash, that is: https://my.custom-domain.com
This second point leads me to believe there is something wrong with the way the "issuer" field works internally. I can't control the way the tokens get generated by Auth0, so I need to define the issuer in Hasura.
What is the expected behaviour?
The token is correctly validated
How to reproduce the issue?
- Create a new tenant in Auth0
- Define a custom domain
- Create a new application
- Configure Hasura to use JWT tokens
- Create a token where the issuer is the custom domain
- Try to call hasura endpoint
Screenshots or Screencast
N/A
Please provide any traces or logs that could help here.
N/A
Any possible solutions?
Understand if it is the trailing slash causing issues with the JWT verification
Can you identify the location in the source code where the problem exists?
No
If the bug is confirmed, would you be willing to submit a PR?
No
Keywords
auth0, domain, jwt, FST_JWT_AUTHORIZATION_TOKEN_INVALID
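A small diagnostic for the issuer mismatch described in this report, added here as an example (it is not code from Hasura or from the reporter). RFC 7519 defines `iss` as a StringOrURI compared as a case-sensitive string, so `https://my.custom-domain.com/` and `https://my.custom-domain.com` are two different issuers to a conforming validator. The script builds a constructed token whose payload carries an Auth0-style `iss` with a trailing slash, reads the claim without verifying the signature, and compares it byte-for-byte against the `issuer` field of a HASURA_GRAPHQL_JWT_SECRET value, flagging the case where the only difference is the trailing slash. The `kid`, `sub` and `aud` values are placeholders; the signature segment is a dummy and nothing here checks it, so the output says only whether the configured issuer string can match, not whether the token is valid.

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    # JWT segments use base64url without padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding JWTs strip before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_sample_token(iss: str) -> str:
    """Constructed token for illustration only: the signature segment is a placeholder."""
    header = {"alg": "RS512", "typ": "JWT", "kid": "constructed-kid"}
    payload = {
        "iss": iss,
        "sub": "auth0|constructed-user",      # placeholder subject
        "aud": "constructed-audience",        # placeholder audience
    }
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def unverified_claims(token: str) -> dict:
    """Decode the payload segment only; performs no signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def issuer_matches(token: str, jwt_secret_config: str) -> dict:
    """Compare the token's iss claim with the issuer in a HASURA_GRAPHQL_JWT_SECRET JSON value.

    The comparison is an exact string comparison, as RFC 7519 section 4.1.1 requires,
    so a trailing slash on one side and not the other is a mismatch.
    """
    configured = json.loads(jwt_secret_config).get("issuer")
    claimed = unverified_claims(token).get("iss")
    both_present = claimed is not None and configured is not None
    return {
        "claimed_iss": claimed,
        "configured_issuer": configured,
        "exact_match": claimed == configured,
        "differs_only_by_trailing_slash": (
            both_present
            and claimed != configured
            and claimed.rstrip("/") == configured.rstrip("/")
        ),
    }


if __name__ == "__main__":
    token = make_sample_token("https://my.custom-domain.com/")
    with_slash = '{"jwk_url": "https://my.custom-domain.com/.well-known/jwks.json", "issuer": "https://my.custom-domain.com/"}'
    without_slash = '{"type": "RS512", "key": "abc", "issuer": "https://my.custom-domain.com"}'
    for cfg in (with_slash, without_slash):
        print(json.dumps(issuer_matches(token, cfg), indent=2))
```

Run against a real token by replacing `make_sample_token(...)` with the `Authorization: Bearer` value taken from the failing request; if `exact_match` is true for the configuration in use, the `iss` string itself is not the cause and the investigation should move to how the server reads the `issuer` field.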
Any updates on this?
@nahueld-owners We are looking into this. It may take a couple more days. Appreciate your patience.
Hi @tirumaraiselvan, is there anything I can do to help on this? Were you able to reproduce? Thanks a lot for your help.