Unknown iss claim in authorization token

We’re getting the following error trying to sign up a new user with our own auth server:

Unknown iss claim in authorization token. Unable to find authentication profile with discovery endpoint https://xxxxxxx.com.

The auth profile has been created as an OpenID profile and definitely exists. The id_token sent to 8base contains the iss claim as the correct (and same as the auth profile) URL.

I’ve just enabled every single Role on the auth profile just to be certain, so there should be no role-based issues.

Any ideas where to start looking?

Can you give us more details on your auth server verify endpoint?

The openid-configuration is here: https://staging.puntclub.com/.well-known/openid-configuration

The auth profile has been set up with the OpenID Provider URL set to “https://staging.puntclub.com”

Everything goes smoothly until I query the current user and then receive an error:

// Query the current user with the provider's id_token as a Bearer token
// (this is the call that fails with the "Unknown iss claim" error).
await ctx.api.gqlRequest(CURRENT_USER_QUERY, {}, {
    headers: {
        "Authorization": `Bearer ${token}`
    }
});

@evgeny.semushin can you please help verify that https://staging.puntclub.com/.well-known/openid-configuration is a valid configuration/url for the OpenID set up to work?


Looks like it was due to a missing kid header in the JWT. I really wish the error messages returned from 8base were a little more verbose 🙂

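The two things this thread ends up checking, the iss claim against the configured provider URL and the presence of a kid header that can be matched to a JWKS key, as an added Node.js diagnostic that is not 8base's code or the original poster's. The JWKS, key ids and tokens are constructed for illustration; the provider URL is the one from the thread.

```javascript
// Added diagnostic, not part of 8base or the poster's code. Assumes the
// provider publishes a JWKS where each key carries a "kid" (the thread's
// resolution implies the key is selected by kid).
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Builds a constructed, unsigned token for illustration; the signature segment is a stub.
function makeToken(header, payload) {
  return `${b64url(header)}.${b64url(payload)}.stub-signature`;
}

function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
}

// Returns "ok" or a short description of the first problem found, in the
// order a verifier would hit them: issuer lookup, then key selection.
function diagnoseToken(token, expectedIssuer, jwks) {
  const parts = token.split(".");
  if (parts.length !== 3) return "malformed: expected 3 segments";
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  // A trailing slash difference between iss and the configured provider URL
  // is enough to make the profile lookup fail, so normalise before comparing.
  const norm = (u) => String(u).replace(/\/+$/, "");
  if (norm(payload.iss) !== norm(expectedIssuer)) return `iss mismatch: ${payload.iss}`;
  if (!header.kid) return "missing kid header: cannot select JWKS key";
  const key = jwks.keys.find((k) => k.kid === header.kid);
  if (!key) return `no JWKS key with kid ${header.kid}`;
  if (key.alg && header.alg && key.alg !== header.alg) {
    return `alg mismatch: token ${header.alg}, key ${key.alg}`;
  }
  return "ok";
}

// Constructed sample data: provider URL from the thread, JWKS values are placeholders.
const PROVIDER = "https://staging.puntclub.com";
const SAMPLE_JWKS = {
  keys: [{ kid: "key-2024", kty: "RSA", alg: "RS256", n: "<modulus-placeholder>", e: "AQAB" }],
};

// A token whose header lacks kid reproduces the thread's failure mode.
const kidlessToken = makeToken({ alg: "RS256", typ: "JWT" }, { iss: PROVIDER, sub: "user-1" });
console.log(diagnoseToken(kidlessToken, PROVIDER, SAMPLE_JWKS));
```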