
Cannot Sign in with Auth0 'issuer not set in claims.' #3182

Closed
3 of 6 tasks
DavidBenavidez opened this issue Mar 22, 2023 · 4 comments · Fixed by #3220
Labels
bug Something is not working.

Comments

@DavidBenavidez

DavidBenavidez commented Mar 22, 2023

Preflight checklist

Describe the bug

When trying to login via oidc - Auth0, I'm getting an error 'issuer not set in claims.'. No identity has been created yet since /whoami is still empty. Upon checking the code, it looks like it is expecting an 'iss' field to be returned from auth0's /userinfo endpoint:

func (c *Claims) Validate() error {
	if c.Subject == "" {
		return errors.WithStack(herodot.ErrInternalServerError.WithReasonf("provider did not return a subject"))
	}
	if c.Issuer == "" {
		return errors.WithStack(herodot.ErrInternalServerError.WithReasonf("issuer not set in claims"))
	}
	return nil
}

Correct me if I'm wrong, but this doesn't seem to align with oidc's standards for the /userinfo endpoint: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims.

Reproducing the bug

Steps to reproduce the behavior:

  1. Configure Auth0 in the kratos config
  2. Login with auth0
  3. Complete login with auth0
  4. Kratos redirects to error hook with error 'issuer not set in claims'

Relevant log output

{"audience":"application","level":"info","msg":"[DEBUG] GET https://<readacted>auth0.com/userinfo","service_name":"Ory Kratos","service_version":"v0.11.1","time":"2023-03-22T14:44:18.218011359Z"}
{"error":{"debug":"","message":"An internal server error occurred, please contact the system administrator","reason":"issuer not set in claims","status":"Internal Server Error","status_code":500},"http_request":{"headers":{"accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9","cache-control":"max-age=0","cookie":"Value is sensitive and has been redacted. To see the value set config key \"log.leak_sensitive_values = true\" or environment variable \"LOG_LEAK_SENSITIVE_VALUES=true\".","sec-ch-ua":"\"Google Chrome\";v=\"111\", \"Not(A:Brand\";v=\"8\", \"Chromium\";v=\"111\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"cross-site","sec-fetch-user":"?1","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36","x-request-id":"0bc82826-4e8a-47b0-b8ab-556345cedb93"},"host":"<redacted>","method":"GET","path":"/self-service/methods/oidc/callback/auth0","query":"Value is sensitive and has been redacted. To see the value set config key \"log.leak_sensitive_values = true\" or environment variable \"LOG_LEAK_SENSITIVE_VALUES=true\".","scheme":"http"},"login_flow":{"id":"eb58fa1e-e19c-4d5a-81a2-ce0c958d7856","oauth2_login_challenge":null,"type":"browser","expires_at":"2023-03-22T15:44:07.336003Z","issued_at":"2023-03-22T14:44:07.336003Z","request_url":"https://<redacted>/self-service/login/browser?return_to=https%3A%2F%2F<redacted>%2F<redacted>%2Flogin%3Flogin_challenge%3D7d6d994d23ef45748c670046796c03c2","return_to":"https://<redacted>/<redacted>/login?login_challenge=7d6d994d23ef45748c670046796c03c2","active":"oidc","ui":{"action":"https://<redacted>/self-service/login?flow=eb58fa1e-e19c-4d5a-81a2-ce0c958d7856","method":"POST","nodes":[{"type":"input","group":"oidc","attributes":{"name":"provider","type":"submit","value":"auth0","disabled":false,"node_type":"input"},"messages":[],"meta":{"label":{"id":1010002,"text":"Sign in with auth0","type":"info","context":{"provider":"auth0"}}}},{"type":"input","group":"default","attributes":{"name":"csrf_token","type":"hidden","value":"d2Q5j/WBoVtbsYa6s4rkTd6e64t8S2yV6FovsSWmwqRXSWdgSAoKyfwEYjlO3Y3OsepQeld5jYA6AVzqotdTJw==","required":true,"disabled":false,"node_type":"input"},"messages":[],"meta":{}}]},"created_at":"2023-03-22T14:44:07.339343Z","updated_at":"2023-03-22T14:44:07.339343Z","refresh":false,"requested_aal":"aal1"},"msg":"Encountered self-service login error.","service_version":"v0.11.1","time":"2023-03-22T14:44:18.304260818Z"}

Relevant configuration

selfservice:
  allowed_return_urls:
  - <redacted>
  default_browser_return_url: https://<redacted>/demo
  methods:
    oidc:
      config:
        providers:
        - auth_url: https://<redacted>auth0.com/authorize
          client_id: <redacted>
          client_secret: <redacted>
          id: auth0
          issuer_url: https://<redacted>auth0.com/
          mapper_url: base64://<redacted>
          provider: auth0
          scope:
          - email
          - profile
          - openid
          token_url: https://<redacted>auth0.com//oauth/token
      enabled: true

Version

v0.11.1

On which operating system are you observing this issue?

Windows

In which environment are you deploying?

Kubernetes

Additional Context

No response
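The report above hinges on where the issuer is expected to come from. OIDC Core's StandardClaims section lists the claims a /userinfo response may carry, and `iss` is not among the required ones; the issuer is asserted in the ID token, which the relying party has already verified against its configured `issuer_url`. A validator that demands `iss` on the userinfo payload therefore rejects spec-compliant providers such as Auth0. The following is an added example (not Kratos code, and not the fix shipped in #3220): a minimal `Claims` struct and constructed ID-token and userinfo payloads showing that the strict check from the issue fails on the userinfo response, and an alternative merge that takes the issuer from the verified ID token, copies profile fields from userinfo, and refuses to proceed when the two `sub` values disagree (OIDC Core 5.3.2 requires that check so userinfo cannot be attributed to a different identity). Field names and sample values are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Claims is a minimal stand-in for a provider claims struct (assumed shape,
// not the Kratos type). Only the fields needed for the example are present.
type Claims struct {
	Issuer  string `json:"iss"`
	Subject string `json:"sub"`
	Email   string `json:"email"`
	Name    string `json:"name"`
}

// Constructed sample payloads. The ID token payload is assumed to have had its
// signature, audience and expiry verified already; that step is out of scope.
const sampleIDToken = `{"iss":"https://example-tenant.auth0.com/","sub":"auth0|12345","aud":"example-client-id","exp":1679500000}`

// A userinfo response as OIDC Core permits it: profile claims plus "sub", no "iss".
const sampleUserinfo = `{"sub":"auth0|12345","email":"user@example.com","name":"Example User"}`

// ValidateStrict mirrors the check quoted in the issue: any claims set without an
// issuer is rejected, which is what makes a bare userinfo response fail.
func ValidateStrict(c *Claims) error {
	if c.Subject == "" {
		return errors.New("provider did not return a subject")
	}
	if c.Issuer == "" {
		return errors.New("issuer not set in claims")
	}
	return nil
}

// MergeClaims builds the final claims set from both sources. The issuer is taken
// from the ID token and must equal the configured issuer_url; profile fields come
// from userinfo; and when userinfo carries a "sub" it must match the ID token's
// "sub", otherwise the response is discarded rather than merged.
func MergeClaims(idTokenJSON, userinfoJSON []byte, expectedIssuer string) (*Claims, error) {
	var idt, ui Claims
	if err := json.Unmarshal(idTokenJSON, &idt); err != nil {
		return nil, fmt.Errorf("id token: %w", err)
	}
	if err := json.Unmarshal(userinfoJSON, &ui); err != nil {
		return nil, fmt.Errorf("userinfo: %w", err)
	}
	if idt.Issuer == "" || idt.Issuer != expectedIssuer {
		return nil, fmt.Errorf("id token issuer %q does not match configured issuer_url %q", idt.Issuer, expectedIssuer)
	}
	if idt.Subject == "" {
		return nil, errors.New("provider did not return a subject")
	}
	if ui.Subject != "" && ui.Subject != idt.Subject {
		return nil, fmt.Errorf("userinfo subject %q does not match id token subject %q", ui.Subject, idt.Subject)
	}
	merged := ui
	merged.Issuer = idt.Issuer
	merged.Subject = idt.Subject
	return &merged, nil
}

func main() {
	var ui Claims
	_ = json.Unmarshal([]byte(sampleUserinfo), &ui)
	fmt.Println("strict check on userinfo alone:", ValidateStrict(&ui))

	merged, err := MergeClaims([]byte(sampleIDToken), []byte(sampleUserinfo), "https://example-tenant.auth0.com/")
	if err != nil {
		fmt.Println("merge failed:", err)
		return
	}
	fmt.Printf("merged claims: iss=%s sub=%s email=%s\n", merged.Issuer, merged.Subject, merged.Email)
	fmt.Println("strict check on merged claims:", ValidateStrict(merged))
}
```

Run with `go run .`: the strict check reports "issuer not set in claims" for the userinfo payload alone and passes for the merged claims. The issuer comparison against `expectedIssuer` is what keeps the relaxed userinfo handling safe; the trust in `iss` rests entirely on the verified ID token, never on the userinfo response.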

@DavidBenavidez DavidBenavidez added the bug Something is not working. label Mar 22, 2023
@DavidBenavidez DavidBenavidez changed the title Kratos v0.11.1 Cannot Sign in with Auth0 'issuer not set in claims.' Cannot Sign in with Auth0 'issuer not set in claims.' Mar 22, 2023
@vinckr
Member

vinckr commented Mar 22, 2023

Hm the configuration looks fine.
Can you double check all domains and if the redirects are set correctly?
Otherwise what would be steps to reproduce this?

@DavidBenavidez
Author

Yup, the domains and redirect are correct. To reproduce, just set up auth0 as an oidc login method, then log in via auth0. After logging in with auth0, Kratos will not be able to create an identity and will instead redirect to the error hook with an 'issuer not set in claims' error.

I forgot to mention this: we're upgrading from kratos v0.10.1 to v0.11.1 and I can't seem to find any relevant updates to the config that would cause this.

@aeneasr
Member

aeneasr commented Mar 23, 2023

I think this is a regression of the recent security improvements we have made to the social sign in providers. It's probably similar to #3040

@DavidBenavidez
Author

DavidBenavidez commented Mar 23, 2023

Ah - looks like it's the same issue. We can mark this one as a duplicate then. Thank you!

@DavidBenavidez DavidBenavidez closed this as not planned Won't fix, can't repro, duplicate, stale Mar 23, 2023
aeneasr added a commit that referenced this issue Apr 7, 2023
aeneasr added a commit that referenced this issue Apr 7, 2023