Hello everyone, I am having an issue with using a custom domain/CNAME for the OAuth2 token endpoint but couldn't find anything in Slack, GitHub issues, etc.
I have a custom domain set up and was trying to use it for my OAuth2 flow (jwt-bearer grant type - https://datatracker.ietf.org/doc/html/rfc7523#section-2.1),
i.e. make an access token request to https://[custom_domain]/oauth2/token with grant_type and assertion parameters.
This worked with the Ory OAuth2 token endpoint (https://[project_slug].projects.oryapis.com/oauth2/token) but not with the CNAME/custom domain. This is the error that I got:
{
  "error": "invalid_grant",
  "error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The JWT in 'assertion' request parameter MUST contain an 'aud' (audience) claim containing a value 'https://[custom_domain]/oauth2/token' that identifies the authorization server as an intended audience."
}
I have confirmed that the JWT sent in assertion has the audience (aud) set to the token endpoint.
Also, it works when a JWT with "aud" set to the project-slug token endpoint was sent to the CNAME'd endpoint. It looks like the token endpoint doesn't recognize the CNAME (as the "aud") and refuses to process the request.
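The behaviour described in the post (an assertion whose aud names the custom domain is rejected, one whose aud names the project-slug endpoint is accepted, even when the request is sent to the custom domain) is what you get when the authorization server compares the aud claim against its own configured endpoint URL rather than against the Host the request arrived on. The following is an added, self-contained model of both sides of the RFC 7523 exchange; it is example code, not Ory's code or the poster's. It signs the assertion with HS256 and a shared secret purely so it runs offline (a real deployment uses RS256/ES256 with a key registered for the client), and the client id, secret, and the two endpoint URLs are constructed placeholders. It also goes slightly beyond the post by showing an aud array that lists both endpoints, which RFC 7519 permits and which this model server accepts; whether a given server does is something to test against that server.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Constructed placeholders for the demo; none of these are real endpoints or keys.
SECRET = b"shared-demo-secret"                                   # stands in for a registered signing key
SLUG_ENDPOINT = "https://demo.projects.oryapis.com/oauth2/token"  # hypothetical project-slug endpoint
CNAME_ENDPOINT = "https://auth.example.com/oauth2/token"          # hypothetical custom domain
NOW = 1_700_000_000                                               # fixed clock so results are reproducible


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_assertion(issuer, subject, audience, secret, lifetime=300, now=None):
    """Client side: build the JWT that goes in the 'assertion' parameter.
    aud may be a single URL or a list of URLs (RFC 7519 allows both)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}  # HS256 only for the offline demo
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + lifetime, "jti": f"{now}-{subject}"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def token_request_body(assertion: str) -> str:
    """Form body of the POST to /oauth2/token per RFC 7523 section 2.1."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion})


def verify_assertion(token, secret, server_audiences, now=None):
    """Server side, modelled on RFC 7523 section 3: check signature and expiry,
    then require that aud contains a value the server recognises as itself.
    server_audiences is the server's configured list, not the request's Host."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "invalid_signature"
    claims = json.loads(_b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in server_audiences for a in auds):
        return False, f"aud {auds} does not identify this server; expected one of {server_audiences}"
    return True, "ok"


def demo(server_audiences):
    """Send three assertions to a server configured with server_audiences and
    return {label: (accepted, reason)} so the outcome can be inspected."""
    results = {}
    for label, aud in (("slug", SLUG_ENDPOINT),
                       ("cname", CNAME_ENDPOINT),
                       ("both", [SLUG_ENDPOINT, CNAME_ENDPOINT])):
        assertion = make_assertion("my-client", "my-client", aud, SECRET, now=NOW)
        results[label] = verify_assertion(assertion, SECRET, server_audiences, now=NOW)
    return results


if __name__ == "__main__":
    # Server only knows its project-slug URL: the cname-only aud is refused,
    # matching the invalid_grant error quoted in the post.
    for label, outcome in demo([SLUG_ENDPOINT]).items():
        print(f"server knows slug only   | aud={label:5} -> {outcome}")
    # Server also configured with the custom domain: all three are accepted.
    for label, outcome in demo([SLUG_ENDPOINT, CNAME_ENDPOINT]).items():
        print(f"server knows slug+cname  | aud={label:5} -> {outcome}")
    print(token_request_body(make_assertion("my-client", "my-client", SLUG_ENDPOINT, SECRET, now=NOW))[:80], "...")
```

The point the model makes concrete is that the aud check is a string comparison against what the server believes its own token endpoint URL is, so the request reaching the server through the custom domain does not by itself make that domain an accepted audience; either the server has to be configured to accept the custom-domain URL, or the assertion has to carry an aud the server already recognises.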