Modifying the issuer claim
  • When inspecting the discovery info of a FusionAuth server, we find the value of issuer does not match the domain name of your authorization server. The issuer you are sending is example.com.

    We expect the issuer claim to match the domain of your discovery URL. In other words, the value for issuer we are expecting is https://login.example.com. This is based on the spec found here:

    https://openid.net/specs/openid-connect-discovery-1_0.html

    OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer
  • It sounds like you're asking if you can modify the issuer claim.

    You can control the "Issuer", or iss claim, in two different ways:

    • You can set it in the tenant config, where it will apply for all JWTs issued for that tenant. You'd modify that by navigating to "Tenants", then your tenant, then "General". Modify the "Issuer" field value to be login.example.com.
    • You can set it at the individual JWT level by modifying the JWT populate lambda. You would do this if you wanted to have a different issuer based on some information from the user or registration data. (This does not appear to be the case here, just including this for completeness.)

    I'm not clear if you have more than one tenant in your system; if you do, you can either change the "Issuer" setting for the default tenant (which is what is provided when no tenantId is on the URL) or request the endpoint with a tenantId appended, like this:

    https://login.example.com/.well-known/openid-configuration?tenantId=<tenantid>
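The check a relying party applies to the discovery document, written out as an added example (not code from this thread or from FusionAuth): it derives the issuer the discovery URL implies, ignoring FusionAuth's tenantId query parameter and the well-known suffix the way the quoted spec describes, and reports the mismatch from the question. The sample documents and the tenant id placeholder are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/openid-configuration"


def expected_issuer(discovery_url: str) -> str:
    """Issuer implied by a discovery URL: drop the query string (FusionAuth's
    ?tenantId=... selects a tenant but is not part of the issuer) and the
    /.well-known/openid-configuration suffix that the spec appends to it."""
    parts = urlsplit(discovery_url)
    if not parts.path.endswith(WELL_KNOWN):
        raise ValueError(f"not a discovery URL: {discovery_url}")
    base_path = parts.path[: -len(WELL_KNOWN)]
    return urlunsplit((parts.scheme, parts.netloc, base_path, "", ""))


def check_issuer(discovery_url: str, document: dict) -> list[str]:
    """Return the problems a relying party would raise with the document's
    issuer value; an empty list means it is consistent with the URL."""
    problems = []
    iss = document.get("issuer")
    if not isinstance(iss, str) or not iss:
        return ["discovery document has no 'issuer' value"]
    parts = urlsplit(iss)
    if parts.scheme != "https":
        problems.append(f"issuer must be an https URL, got {iss!r}")
    if parts.query or parts.fragment:
        problems.append("issuer must not contain a query or fragment")
    want = expected_issuer(discovery_url)
    # A trailing slash on the issuer is removed before the suffix is appended,
    # so compare without it.
    if iss.rstrip("/") != want.rstrip("/"):
        problems.append(f"issuer {iss!r} does not match {want!r} derived from the discovery URL")
    return problems


# Constructed sample input (not captured from a real server).
DISCOVERY_URL = "https://login.example.com/.well-known/openid-configuration?tenantId=TENANT-ID-PLACEHOLDER"
BAD_DOC = {"issuer": "example.com"}                 # the value reported in the question
GOOD_DOC = {"issuer": "https://login.example.com"}  # after correcting the tenant's Issuer field

if __name__ == "__main__":
    for name, doc in (("before", BAD_DOC), ("after", GOOD_DOC)):
        print(name, check_issuer(DISCOVERY_URL, doc) or "ok")
```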