Background

We have recently resolved a bug related to the issuance of access tokens when using custom domain endpoints. Previously, even when a custom domain endpoint was used to request an access token, the issuer (the iss field) would still default to our standard domain (tenant-id.logto.app). We are pleased to announce that this issue has been fixed, and now the iss field will automatically reflect the domain used in the request.

Action required

If you are using a custom domain and have implemented iss field validation in your code, you will need to make an update. This change is critical for those who are validating the iss field against the expected issuer URL.

How to proceed

To align with this update, please ensure that the expected value for the iss field in your resource server or any relevant components is set to your custom domain format. For example, if your Logto custom domain is https://auth.your-domain.com/, it should now be https://auth.your-domain.com/oidc.

This change was intended as a bug fix; however, it may lead to a breaking change in your existing code. If you are affected, please do not hesitate to contact us so we can make things right. We apologize for any inconvenience it may have caused.